Tenant Modules
Tenant Terraform modules provision per-tenant cloud resources, primarily cloud AI services. These modules are invoked by the TenantService/InfrastructureService during tenant provisioning, not during the main CD pipeline.
Source: infrastructure/terraform/modules/tenant/
Module Inventory
| Module | Path | Description |
|---|---|---|
| Cloud AI (router) | tenant/cloud-ai/ | Routes to provider-specific module |
| Azure OpenAI | tenant/cloud-ai/azure-openai/ | Azure OpenAI Service deployment |
| AWS Bedrock | tenant/cloud-ai/aws-bedrock/ | Amazon Bedrock model access |
| GCP Vertex AI | tenant/cloud-ai/gcp-vertex-ai/ | Google Vertex AI endpoint |
| Azure Tenant | tenant/azure/ | Azure-specific tenant resources |
Cloud AI Router Module
The router module selects the correct provider-specific module based on the tenant's cloud configuration:
# infrastructure/terraform/modules/tenant/cloud-ai/main.tf
module "azure_openai" {
  source = "./azure-openai"
  count  = var.cloud_provider == "azure" ? 1 : 0
  # ...
}

module "aws_bedrock" {
  source = "./aws-bedrock"
  count  = var.cloud_provider == "aws" ? 1 : 0
  # ...
}

module "gcp_vertex_ai" {
  source = "./gcp-vertex-ai"
  count  = var.cloud_provider == "gcp" ? 1 : 0
  # ...
}

Azure OpenAI Module
Provisions an Azure OpenAI Service resource with model deployments:
| Resource | Purpose |
|---|---|
| azurerm_cognitive_account | Azure OpenAI service instance |
| azurerm_cognitive_deployment | Model deployment (GPT-4o, etc.) |
| Key Vault secret | Store API key in tenant Key Vault |
AWS Bedrock Module
Configures access to Amazon Bedrock foundation models:
| Resource | Purpose |
|---|---|
| IAM policy | Grant model invocation access |
| Logging configuration | Enable invocation logging |
GCP Vertex AI Module
Provisions Vertex AI model endpoints:
| Resource | Purpose |
|---|---|
| google_vertex_ai_endpoint | Model serving endpoint |
| IAM binding | Service account access |
Provisioning Flow
Tenant Creation (TenantService)
|
v
InfrastructureService.provisionCloudAI()
|
v
Terraform apply (tenant/cloud-ai module)
|
v
Store credentials in Key Vault / Secret Manager
|
v
Sync to K8s Secret via ESO
|
v
AI Service reads secret for LLM calls

Variables
| Variable | Type | Description |
|---|---|---|
| tenant_id | string | Unique tenant identifier |
| cloud_provider | string | azure, aws, or gcp |
| region | string | Deployment region |
| models | list | LLM models to deploy |
| tier | string | Tenant subscription tier |
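
In the router module, every count evaluates to 0 when cloud_provider is anything other than azure, aws or gcp, so a misspelled value would apply cleanly and provision nothing. The variable declarations below reject that at plan time. This is an added example, not the project's own variables.tf; the tenant_id pattern, the list(string) type for models and the non-empty checks are assumptions.

```hcl
# Added example (not the project's variables.tf): validation for the inputs
# in the table above. Patterns and limits marked "assumed" are illustrative.

variable "tenant_id" {
  type        = string
  description = "Unique tenant identifier"

  validation {
    # Assumed format: lowercase letters, digits and hyphens, 3-36 characters.
    # A constrained ID is safe to interpolate into resource and secret names.
    condition     = can(regex("^[a-z0-9][a-z0-9-]{2,35}$", var.tenant_id))
    error_message = "The tenant_id must be 3-36 characters of lowercase letters, digits or hyphens."
  }
}

variable "cloud_provider" {
  type        = string
  description = "azure, aws, or gcp"

  validation {
    # Any other value makes every count in the router 0, so nothing is created.
    condition     = contains(["azure", "aws", "gcp"], var.cloud_provider)
    error_message = "The cloud_provider must be one of: azure, aws, gcp."
  }
}

variable "region" {
  type        = string
  description = "Deployment region"
}

variable "models" {
  type        = list(string) # assumed element type; the table only says "list"
  description = "LLM models to deploy"

  validation {
    # Reject an empty list and blank entries rather than deploying nothing.
    condition     = length(var.models) > 0 && alltrue([for m in var.models : trimspace(m) != ""])
    error_message = "The models list must contain at least one non-empty model name."
  }
}

variable "tier" {
  type        = string
  description = "Tenant subscription tier"
}
```
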
Related Pages
- Azure Modules -- Platform Azure infrastructure
- AWS Modules -- Platform AWS infrastructure
- GCP Modules -- Platform GCP infrastructure