# Current Azure/Entra ID context — provides tenant_id used in outputs
# (the outputs themselves are defined outside this file).
data "azurerm_client_config" "current" {}

# ─── Resource Group ───────────────────────────────────────────────────

# Container for every resource below; name/location/tags come straight
# from module variables.
resource "azurerm_resource_group" "main" {
  name     = var.resource_group_name
  location = var.location
  tags     = var.tags
}

# Optional delete lock on the whole resource group. Created only when
# var.enable_delete_lock is true (count 0/1). "CanNotDelete" still allows
# reads and modifications, so it protects against accidental or
# unauthorised deletion, not against configuration drift.
resource "azurerm_management_lock" "main" {
  count      = var.enable_delete_lock ? 1 : 0
  name       = "${var.prefix}-delete-lock"
  scope      = azurerm_resource_group.main.id
  lock_level = "CanNotDelete"
  notes      = "Prevents accidental deletion of production resources"
}

# ─── Networking ───────────────────────────────────────────────────────

# Single VNet with one address space supplied by the caller.
resource "azurerm_virtual_network" "main" {
  name                = "${var.prefix}-vnet"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  address_space       = [var.vnet_address_space]
  tags                = var.tags
}

# AKS nodes subnet
# NOTE(review): no network security group or route table is associated
# with this subnet in this file; if none is attached elsewhere, node
# traffic is governed only by the default Azure rules and the in-cluster
# network policy below.
resource "azurerm_subnet" "aks" {
  name                 = "${var.prefix}-aks-subnet"
  resource_group_name  = azurerm_resource_group.main.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = [var.aks_subnet_cidr]
}

# ─── AKS Cluster ──────────────────────────────────────────────────────

# Managed Kubernetes cluster with a single system node pool placed in the
# subnet above.
#
# Hardening not configured here (provider defaults apply — confirm against
# the pinned azurerm version):
#   * API server exposure: neither private_cluster_enabled nor
#     api_server_access_profile is set, so the control-plane endpoint is
#     expected to be public with no source-IP allow-list.
#   * Cluster authentication: no Entra ID (azure_active_directory_role_based_access_control)
#     integration and local_account_disabled is unset, so static local
#     cluster-admin credentials remain issuable. Prefer Entra ID RBAC with
#     local accounts disabled for production.
#   * No control-plane audit/diagnostic logging or Defender/Policy add-ons
#     are declared in this file; if required they must live elsewhere.
resource "azurerm_kubernetes_cluster" "main" {
  name                = "${var.prefix}-aks"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  # Hyphens are stripped because the prefix may contain them and the DNS
  # prefix is reused as a hostname label.
  dns_prefix          = replace(var.prefix, "-", "")
  # Caller-pinned version; if the variable is null the provider chooses a
  # default, which makes upgrades implicit rather than reviewed.
  kubernetes_version  = var.aks_kubernetes_version
  tags                = var.tags

  # Fixed-size system pool (no autoscaling configured). Node labels expose
  # the deployment prefix and an "env" label derived from the Environment
  # tag, falling back to "dev" when the tag is absent.
  default_node_pool {
    name           = "system"
    node_count     = var.aks_node_count
    vm_size        = var.aks_node_vm_size
    vnet_subnet_id = azurerm_subnet.aks.id
    node_labels = {
      prefix = var.prefix
      role   = "worker"
      env    = lookup(var.tags, "Environment", "dev")
    }
  }

  # Control-plane identity is system-assigned: its lifecycle is tied to
  # the cluster and it needs network-contributor rights on the subnet to
  # manage load balancers/routes (role assignment not in this file).
  identity {
    type = "SystemAssigned"
  }

  # Azure CNI with the Azure network-policy engine. Enabling the engine only
  # makes NetworkPolicy objects enforceable; no policies are defined here,
  # so pod-to-pod traffic is unrestricted until workloads ship their own.
  network_profile {
    network_plugin = "azure"
    network_policy = "azure"
  }

  # Enable Workload Identity for keyless Azure service access: the cluster
  # publishes an OIDC issuer so pod service-account tokens can be exchanged
  # for Azure tokens via federated identity credentials on managed
  # identities (those credentials and identities are defined elsewhere).
  oidc_issuer_enabled       = true
  workload_identity_enabled = true
}