Environments
Terraform environments define the cloud infrastructure configuration for each deployment target. Each environment has its own state file, variable values, and provider configuration.
Source: infrastructure/terraform/environments/
Available Environments
| Environment | Path | Cloud | Purpose |
|---|---|---|---|
| azure-matihlabs | environments/azure-matihlabs/ | Azure | Primary development environment |
Environment Structure
environments/azure-matihlabs/
  main.tf -- Root module, module composition
  variables.tf -- Input variable definitions
  outputs.tf -- Output definitions
  terraform.tfvars -- Variable values (no secrets)
  providers.tf -- Azure provider configuration
  backend.tf -- Remote state configuration
Azure MatiH Labs Environment
Module Composition
The root main.tf composes the following modules:
| Module | Purpose |
|---|---|
| azure/networking | VNet, subnets, DNS zones |
| azure/kubernetes/control-plane | AKS cluster |
| azure/keyvault | Key Vault for secrets |
| azure/storage | Storage accounts |
| azure/monitoring | Log Analytics workspace |
| azure/cognitive-services | Azure OpenAI |
| azure/governance | Policy assignments |
| platform/credentials | Cross-module credential management |
Output Values
Terraform outputs are consumed by subsequent CD pipeline stages:
| Output | Description | Consumer |
|---|---|---|
| acr_name | Container Registry name | Image build and deploy stages |
| acr_login_server | ACR FQDN | Helm values for image.repository |
| aks_cluster_name | AKS cluster name | kubectl credential retrieval |
| resource_group_name | Resource group | Azure CLI commands |
| key_vault_name | Key Vault name | ESO configuration |
| dns_zone_name | DNS zone | Ingress configuration |
State Management
| Setting | Value |
|---|---|
| Backend | Azure Storage (azurerm) |
| State file | terraform.tfstate in a blob container |
| Locking | Azure Blob lease-based locking |
| Encryption | Server-side encryption enabled |
Adding a New Environment
- Create a new directory under environments/
- Copy the structure from an existing environment
- Update terraform.tfvars with environment-specific values
- Configure the remote backend for state storage
- Run terraform init and terraform plan
Security
| Rule | Implementation |
|---|---|
| No secrets in tfvars | Use random_password + Key Vault |
| State encryption | Azure Storage SSE |
| Access control | Azure RBAC on state storage |
| Plan review | Required before apply in CI/CD |
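
The "No secrets in tfvars" rule in practice, as an added example that is not taken from this repository: a module fragment that generates a password at apply time and stores it in Key Vault. The resource labels, the `key_vault_id` variable and the secret name `db-admin-password` are assumptions chosen for illustration.

```hcl
# Added example (not project code). Labels, variable and secret names are hypothetical.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    random  = { source = "hashicorp/random" }
  }
}

# Assumed to be passed in from the module that creates the Key Vault.
variable "key_vault_id" {
  description = "Resource ID of the Key Vault that holds platform secrets"
  type        = string
}

# Generated at apply time, so no value is ever written to terraform.tfvars.
resource "random_password" "db_admin" {
  length           = 32
  special          = true
  override_special = "!#%*-_=+"
}

# Stored in Key Vault; workloads read it from there rather than from Terraform.
resource "azurerm_key_vault_secret" "db_admin" {
  name         = "db-admin-password"
  value        = random_password.db_admin.result
  key_vault_id = var.key_vault_id
  content_type = "password"
}

# Expose only the secret's name to later pipeline stages, never its value.
output "db_admin_secret_name" {
  value = azurerm_key_vault_secret.db_admin.name
}
```

The generated value is still recorded in terraform.tfstate, which is why the state encryption and access control rows in the table above apply to the state storage account as well.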
Related Pages
- Azure Modules -- Azure module documentation
- Stage 00: Terraform -- Terraform execution in CD pipeline
- Tenant Modules -- Per-tenant infrastructure