Terraform Modules Overview

Our infrastructure-as-code (IaC) foundation is built with reusable, secure, and composable Terraform modules tailored for DevSecOps operations on Microsoft Azure. These modules streamline provisioning, ensure compliance, and promote operational consistency.


Module: aks-cluster

Purpose: Provisions a hardened Azure Kubernetes Service (AKS) cluster with secure networking, diagnostics, and policy enforcement.

Features:

  • Role-based access control (RBAC) and Azure AD integration.
  • Custom VNet integration with private cluster support.
  • Log Analytics & diagnostics automatically enabled.

Inputs:

    name           = "cse-devsecops-aks"
    resource_group = "cse-devsecops-rg"
    node_count     = 3
    vm_size        = "Standard_D2s_v3"

Outputs:

  • kube_config
  • cluster_name


Module: keyvault

Purpose: Deploys a centralized Key Vault for secrets, certificates, and key management.

Features:

  • RBAC + managed identity access.
  • Soft-delete and purge protection enabled.
  • Diagnostic logging to Azure Monitor.

Inputs:

    name                   = "cse-keyvault"
    resource_group         = "cse-core-rg"
    enabled_for_deployment = true

Outputs:

  • vault_uri


Module: networking

Purpose: Establishes a secure virtual network and subnets for workload isolation.

Features:

  • Custom address spaces.
  • Network Security Groups (NSGs) with locked-down rules.
  • Optional Private DNS zones.

Inputs:

    vnet_name       = "cse-vnet"
    address_space   = ["10.10.0.0/16"]
    subnet_configs  = [{ name = "aks", cidr = "10.10.1.0/24" }]

Outputs:

  • subnet_ids
  • vnet_id


Module: container_registry

Purpose: Deploys Azure Container Registry (ACR) with secure image storage.

Features:

  • Premium SKU with geo-replication.
  • Admin account disabled, RBAC enforced.
  • Scanner integration optional (e.g., Trivy, Dockle).

Inputs:

    name              = "teamcsedevtestcr"
    resource_group    = "cse-container-rg"
    sku               = "Premium"

Outputs:

  • login_server


Module Composition & Usage

Each module follows the standard Terraform structure (main.tf, variables.tf, outputs.tf) and is versioned and published to a private module registry or GitHub source.

    module "aks" {
      source = "../modules/aks-cluster"
      name   = "devsecops"
      ...
    }
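A root configuration that composes the four modules above, wiring the networking module's output into the cluster, is shown here as an added example (not code from the module repository). It assumes the azurerm provider, that aks-cluster accepts a `subnet_id` input for its VNet integration, and that `subnet_ids` is a map keyed by subnet name; all other input and output names are the ones documented on this page.

```hcl
provider "azurerm" {
  features {}
}

# Network first: its subnet_ids output feeds the cluster.
module "network" {
  source         = "../modules/networking"
  vnet_name      = "cse-vnet"
  address_space  = ["10.10.0.0/16"]
  subnet_configs = [{ name = "aks", cidr = "10.10.1.0/24" }]
}

module "aks" {
  source         = "../modules/aks-cluster"
  name           = "cse-devsecops-aks"
  resource_group = "cse-devsecops-rg"
  node_count     = 3
  vm_size        = "Standard_D2s_v3"
  # Assumption: the module exposes a `subnet_id` input for VNet
  # integration and `subnet_ids` is a map keyed by subnet name.
  subnet_id = module.network.subnet_ids["aks"]
}

module "keyvault" {
  source                 = "../modules/keyvault"
  name                   = "cse-keyvault"
  resource_group         = "cse-core-rg"
  enabled_for_deployment = true
}

module "acr" {
  source         = "../modules/container_registry"
  name           = "teamcsedevtestcr"
  resource_group = "cse-container-rg"
  sku            = "Premium"
}

output "acr_login_server" {
  value = module.acr.login_server
}

# kube_config holds cluster credentials: mark it sensitive so plan/apply
# output redacts it (it is still written to state, so protect the state).
output "kube_config" {
  value     = module.aks.kube_config
  sensitive = true
}
```

Run `terraform init && terraform validate` in the root directory; the same `tflint` and `checkov` passes used for the modules apply to this composition.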

Module Directory Structure

    terraform/
      modules/
        aks-cluster/
        keyvault/
        networking/
        container_registry/

Testing & Validation

  • Each module includes a test/ directory with sample use cases.
  • Validated with terraform validate, tflint, and checkov.

Documentation

Every module has its own README.md describing usage, input/output variables, diagrams, and compliance notes.


Contributions

Please open pull requests against the develop branch when updating or proposing modules. Review is enforced.


Related: Platform Architecture | CI/CD Pipelines