Rewrite docs to remove FIPS; fully renumber REQUIREMENTS.md with traceability #7

@ausbru87

Context

Part of the FIPS-removal effort. See REMOVE_FIPS_PLAN.md for the full plan and premise.

Premise: Coder is not a FIPS boundary component. Upstream LBs/proxies handle FIPS-validated TLS. Docs must stop describing Coder-internal FIPS builds and FIPS-endpoint toggles.

Keep: GovCloud portability (us-gov-west-1, aws-us-gov partition, GovCloud AZs, backend rename). All non-FIPS compliance features (KMS, TLS-in-transit, IAM, VPC Flow Logs, encrypted Terraform state).

Scope

Rewrite all FIPS-mentioning docs, delete the dedicated FIPS build guide, and fully renumber docs/REQUIREMENTS.md with a traceability table so external citations can map old IDs → new IDs or REMOVED.

Files to delete

  • docs/CODER_FIPS_BUILD.md — entire FIPS build guide (no non-FIPS content).

Files to edit

README.md

  • Title + lead paragraph: drop FIPS framing.
  • "Rename Checklist" row covering "FIPS endpoint details": drop.
  • "What's Included" table: delete FIPS images row; delete ECR row (ECR repos are deleted by the Terraform cleanup).
  • "Compliance Features": remove FIPS bullets; keep KMS / TLS-in-transit / IAM / VPC Flow Logs / encrypted TF state.
  • "Repo Structure" tree: drop docs/CODER_FIPS_BUILD.md and images/*fips entries.
  • Remove any link to deleted docs/CODER_FIPS_BUILD.md.

docs/ARCHITECTURE.md

  • Lead sentence: drop "FIPS-compliant".
  • RDS ASCII box: drop "+ FIPS".
  • Outputs table: drop ecr_repo_urls row.
  • Delete entire "FIPS Compliance" section.
  • rds.force_ssl mentioned elsewhere: keep, but reframe as "TLS enforcement," not FIPS.

docs/OPERATIONS.md

  • Rename Checklist: update/remove the GitHub Actions secrets row (secrets cleanup is a separate committed script).
  • "Deploying to GovCloud": delete the "FIPS endpoints" sub-bullet; renumber subsequent sub-bullets.
  • "Security Notes": delete the "FIPS 140-3" subsection.
  • Keep the rest of the "Deploying to GovCloud" section content.

docs/DEPLOYMENT_RUNBOOK.md

  • Layer 2 description: remove base-fips, desktop-fips, and coder from the ECR-repos sentence.
  • Remove "ECR stores the FIPS container images" line.
  • Delete the entire "Phase D — CI/CD (GitHub Actions → ECR)" section.
  • Order summary: renumber / update so Layer 2 no longer lists ECR + CI.

docs/TROUBLESHOOTING.md

  • Delete section "2. FIPS endpoint errors".
  • Renumber sections 3–10 → 2–9.

docs/REQUIREMENTS.md — FULL RENUMBER + TRACEABILITY

  1. Purpose paragraph: drop FIPS 140-3 compliance framing.

  2. In Scope list: drop "ECR for FIPS container images" and "FIPS 140-3 compliance at all layers" bullets.

  3. Delete INFRA-003 (Use FIPS-validated AWS API endpoints by default).

  4. Delete SEC-001 (Enable FIPS crypto policy on all compute).

  5. Delete the entire IMG section (IMG-001..IMG-004).

  6. Fully renumber the remaining IDs in affected sections so numbering is gap-free:

    • INFRA: 004→003, 005→004, 006→005, 007→006, 008→007, 009→008, 010→009.
    • SEC: 002→001, 003→002, 004→003, 005→004.
    • EKS / KARP / CDR / PROV / SM sections: unchanged.
  7. Add a "Traceability" table at the top of the Requirements section mapping every old ID → new ID or REMOVED with reason. Minimum content:

    | Old ID | New ID | Status | Reason |
    |---|---|---|---|
    | INFRA-001 | INFRA-001 | unchanged | |
    | INFRA-002 | INFRA-002 | unchanged | |
    | INFRA-003 | | REMOVED | FIPS endpoints dropped; Coder is not a FIPS boundary component |
    | INFRA-004 | INFRA-003 | renumbered | |
    | INFRA-005 | INFRA-004 | renumbered | |
    | INFRA-006 | INFRA-005 | renumbered | |
    | INFRA-007 | INFRA-006 | renumbered | |
    | INFRA-008 | INFRA-007 | renumbered | |
    | INFRA-009 | INFRA-008 | renumbered | |
    | INFRA-010 | INFRA-009 | renumbered | |
    | SEC-001 | | REMOVED | FIPS crypto policy dropped; handled by upstream LB/proxy |
    | SEC-002 | SEC-001 | renumbered | |
    | SEC-003 | SEC-002 | renumbered | |
    | SEC-004 | SEC-003 | renumbered | |
    | SEC-005 | SEC-004 | renumbered | |
    | IMG-001..IMG-004 | | REMOVED | Custom FIPS images dropped; upstream ghcr.io/coder/coder is used |
  8. Keep CDR-006 (GovCloud telemetry — not FIPS).

  9. Resolved Decisions table: edit decision #5 rationale — "Secrets Manager is FIPS-validated" → reword as "AWS-native, simpler, GovCloud-available."

Acceptance criteria

  • grep -rin fips docs/ README.md returns zero.
  • docs/REQUIREMENTS.md has no ID gaps; grep -oE '(INFRA|EKS|KARP|CDR|PROV|SEC|SM)-[0-9]+' docs/REQUIREMENTS.md | sort -u shows a contiguous sequence per section starting at -001.
  • A Traceability table exists mapping every removed or renumbered old ID.
  • No in-repo references to deleted or renumbered IDs are orphaned: grep -rE '(INFRA|SEC|IMG)-[0-9]+' clusters/ infra/ templates/ scripts/ turns up nothing that wasn't updated.
  • All doc-internal Markdown links resolve (including removing the README link to deleted CODER_FIPS_BUILD.md).
  • Deleted sections' numbered lists are cleanly re-sequenced.

Dependencies

Soft — prefer merging after the Terraform issue so docs don't briefly reference already-removed outputs.
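
The ID-gap criterion above as a pass/fail check instead of a list to read by eye (added example, not part of the original issue). It assumes the Traceability table sits under its own Markdown heading and skips that section, so the old IDs listed there (INFRA-010, for example) are not counted as live requirements.

```shell
#!/bin/sh
# Added example: gap check for requirement IDs in docs/REQUIREMENTS.md.
# Assumption: the Traceability table lives under a Markdown heading that
# contains "Traceability" and ends at the next heading.

# Print live requirement IDs, one per line, sorted and de-duplicated.
live_ids() {
    awk '
        /^#/  { skip = ($0 ~ /Traceability/) }   # re-evaluate at each heading
        !skip { print }
    ' "$1" | grep -oE '(INFRA|EKS|KARP|CDR|PROV|SEC|SM)-[0-9]+' | sort -u
}

# Report each point where a section's IDs stop running 001, 002, ...
# Prints one line per gap and returns 1 if any gap was found.
check_contiguous() {
    live_ids "$1" | awk -F- '
        {
            n = $2 + 0                 # numeric part of the ID
            want = ++seen[$1]          # next number expected for this prefix
            if (n != want) {
                printf "%s: expected %03d, found %s\n", $1, want, $2
                bad = 1
                seen[$1] = n           # resync so one gap gives one message
            }
        }
        END { exit bad + 0 }
    '
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_contiguous "$1"
fi
```

Run it as `sh check_ids.sh docs/REQUIREMENTS.md` (the script name is a placeholder); a non-zero exit status means at least one section has a gap or does not start at -001.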

Labels: cleanup (Dead code / cruft removal), documentation (Improvements or additions to documentation), fips-removal (Remove FIPS build/endpoint logic)
