Ensure input/output descriptions exist and consistent with README

modules/provision/main.tf

@@ -142,5 +142,6 @@ resource "azapi_resource_action" "enable_encryption_at_host" {
 }
 
 output "client_id" {
-  value = azurerm_user_assigned_identity.athenz.client_id
+  description = "Azure AD application (client) id of the user-assigned managed identity used by Athenz."
+  value       = azurerm_user_assigned_identity.athenz.client_id
 }

modules/provision/variables.tf

@@ -3,17 +3,19 @@ variable "tenant_name" {
   type        = string
 }
 
+// Version string of this template in MAJOR.MINOR.PATCH format.
 variable "template_version" {
-  type = string
+  description = "Internal, do not override."
+  type        = string
   validation {
     condition     = can(regex("^\\d+\\.\\d+\\.\\d+$", var.template_version))
     error_message = "Enclave template version expected to be in MAJOR.MINOR.PATCH format."
   }
 }
 
-// This variable is used by Vespa.ai internally for testing and development purposes.
+// See variables.tf in root module
 variable "all_zones" {
-  description = "All Azure Vespa Cloud zones"
+  description = "Internal, do not override."
   type = list(object({
     environment   = string
     physical_zone = string
@@ -23,8 +25,9 @@ variable "all_zones" {
   ]
 }
 
+// See variables.tf in root module
 variable "issuer_url" {
-  description = "Issuer URL for federated identity credentials (Athenz ZTS)."
+  description = "Internal, do not override."
   type        = string
   default     = "https://zts.athenz.vespa-cloud.com:4443/zts/v1"
 }

outputs.tf

@@ -16,16 +16,17 @@ locals {
 }
 
 output "zones" {
-  description = "Available zones are listed at https://cloud.vespa.ai/en/reference/zones.html . You reference a zone with `[environment].[region with - replaced by _]` (e.g `prod.azure_eastus_az1`)."
+  description = "Map of available Vespa Cloud zones grouped by environment. Available zones are listed at https://cloud.vespa.ai/en/reference/zones.html. Reference a zone with `[environment].[region with - replaced by _]` (e.g. `prod.azure_eastus_az1`)."
   value = {
     for environment, zones in local.zones_by_env :
-    environment => { for zone in zones : replace(zone.region, "-", "_") => zone }
+    environment => { for z in zones : replace(z.region, "-", "_") => z }
   }
 }
 
 data "azurerm_subscription" "current" {}
 
 output "enclave_config" {
+  description = "Configuration values that must be shared with the Vespa team to finalize the enclave setup: Azure AD application (client) id for Athenz, subscription id and tenant id."
   value = {
     "client_id" : module.provision.client_id,
     "subscription_id" : data.azurerm_subscription.current.subscription_id,

variables.tf

@@ -1,11 +1,11 @@
 variable "tenant_name" {
-  description = "The tenant owner running enclave account"
+  description = "The Vespa Cloud tenant name that will operate in this subscription."
   type        = string
 }
 
-// This variable is used by Vespa.ai internally for testing and development purposes.
+// Default list of Azure Vespa Cloud zones, used for testing and development.
 variable "__all_zones" {
-  description = "All Azure Vespa Cloud zones"
+  description = "Internal, do not override."
   type = list(object({
     environment   = string
     physical_zone = string
@@ -15,8 +15,9 @@ variable "__all_zones" {
   ]
 }
 
+// Issuer (Athenz ZTS) URL for federated identity credentials (either 'prod' or 'cd').
 variable "__athenz_env" {
-  description = "Athenz environment selector for ZTS issuer URL. One of: 'prod', 'cd'."
+  description = "Internal, do not override."
   type        = string
   default     = "prod"
   validation {