
Releases: devsocket/terraform-common-modules

v1.0.0 - First Stable Release

10 Apr 01:59
Immutable release. Only release title and notes can be modified.


v1.0.0 - Stable Release

terraform-common-modules · 9 April 2026

This is the first stable release of terraform-common-modules.

All module interfaces are now considered stable and tested end-to-end via terraform plan against live Azure subscriptions through the reference implementation terraform-landing-zone-demo.

Breaking changes from this point forward will increment the major version or minor version.


🔧 What Changed Since v0.2.0

Bug Fixes

  • connectivity/spoke_vnet

    • Replaced deprecated disable_bgp_route_propagation with bgp_route_propagation_enabled
    • Fixed typo in variable name propogation → propagation
    • Fixed configuration_aliases syntax (quoted string → bare reference)
  • connectivity/private_dns

    • Fixed resource_group_name referencing incorrect resource
  • app_platform/key_vault

    • Fixed validation regex to allow hyphens
  • app_platform/storage

    • Fixed regex quantifier typo {3-24} → {3,24}
    • Fixed account_tier validation referencing wrong variable
  • app_platform/aks_cluster

    • Fixed resource type typo
      azurerm_monitoring_diagnostic_setting → azurerm_monitor_diagnostic_setting
    • Fixed unquoted string in sku_tier validation
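
The quantifier typo fixed in app_platform/storage is easy to miss because {3-24} is still a pattern that compiles. Terraform's regex functions use RE2 syntax through Go's regexp package, so this added Go example (not code from the module) shows what each form accepts. The patterns and sample names are constructed, assuming Azure's rule of 3 to 24 lowercase letters and digits for storage account names.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed patterns: the module's actual validation regex is not shown in the release notes.
const (
	typoPattern  = `^[a-z0-9]{3-24}$` // "{3-24}" is not a valid repeat, so RE2 keeps it as literal text
	fixedPattern = `^[a-z0-9]{3,24}$` // 3 to 24 lowercase letters or digits
)

// Verdict records whether one candidate name passes each pattern.
type Verdict struct {
	Name            string
	TypoOK, FixedOK bool
}

// Compare evaluates every name against both patterns. Both compile without
// error, so the typo surfaces only when names are actually checked.
func Compare(names []string) ([]Verdict, error) {
	typo, err := regexp.Compile(typoPattern)
	if err != nil {
		return nil, err
	}
	fixed, err := regexp.Compile(fixedPattern)
	if err != nil {
		return nil, err
	}
	out := make([]Verdict, 0, len(names))
	for _, n := range names {
		out = append(out, Verdict{n, typo.MatchString(n), fixed.MatchString(n)})
	}
	return out, nil
}

func main() {
	// Constructed names: one valid, one too short, one with illegal characters,
	// and the only kind of string the typo pattern accepts.
	names := []string{"stlandingzone001", "ab", "St-Invalid", "a{3-24}"}
	verdicts, err := Compare(names)
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Printf("%-18q typo=%-5t fixed=%t\n", v.Name, v.TypoOK, v.FixedOK)
	}
}
```

With the typo, every valid name is rejected and only a one-character name followed by the literal text {3-24} passes.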

📦 Complete Module Inventory

Connectivity

Module Description
connectivity/hub_vnet Hub VNet with ManagementSubnet, optional GatewaySubnet, route tables
connectivity/spoke_vnet Spoke VNet with AKS, App Gateway and Private Endpoint subnets, bidirectional peering, UDR
connectivity/private_dns Private DNS zones with hub and spoke VNet links

Management

Module Description
management/log_analytics Log Analytics workspace with ContainerInsights and SecurityInsights

App Platform

Module Description
app_platform/acr Azure Container Registry with optional AcrPull role assignment
app_platform/key_vault Key Vault with RBAC mode, soft delete, optional role assignments and diagnostics
app_platform/storage StorageV2 with blob containers, lifecycle policy, soft delete and diagnostics
app_platform/aks_cluster AKS with Azure CNI, AGIC, workload identity, OIDC, OMS agent and diagnostics
app_platform/app_gateway_waf_agic App Gateway WAF v2 with OWASP 3.2, standalone policy, AGIC lifecycle and diagnostics

🔧 Provider Requirements

Provider Constraint
hashicorp/azurerm >= 3.90.0, < 4.0.0
Terraform >= 1.6.0

📥 How to Reference This Release

module "log_analytics" {
  source = "github.com/devsocket/terraform-common-modules//modules/management/log_analytics?ref=v1.0.0"
}

module "hub_vnet" {
  source = "github.com/devsocket/terraform-common-modules//modules/connectivity/hub_vnet?ref=v1.0.0"
}

module "spoke_vnet" {
  source = "github.com/devsocket/terraform-common-modules//modules/connectivity/spoke_vnet?ref=v1.0.0"
}

module "private_dns" {
  source = "github.com/devsocket/terraform-common-modules//modules/connectivity/private_dns?ref=v1.0.0"
}

module "acr" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/acr?ref=v1.0.0"
}

module "key_vault" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/key_vault?ref=v1.0.0"
}

module "storage" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/storage?ref=v1.0.0"
}

module "aks" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/aks_cluster?ref=v1.0.0"
}

module "app_gateway" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/app_gateway_waf_agic?ref=v1.0.0"
}

v0.2.0 - Module Expansion Release

07 Apr 00:35
Immutable release. Only release title and notes can be modified.


Pre-release

v0.2.0 — Module Expansion Release

terraform-common-modules · April 2026

This release completes the core module set required for the full Azure Landing Zone demo stack. It delivers the remaining app platform and connectivity modules planned in v0.1.0, along with breaking changes to naming consistency and provider aliasing.

All modules in this release have been tested via terraform validate and terraform plan against the reference implementation terraform-landing-zone-demo.

A v1.0.0 stable release will follow after end-to-end deployment verification.


🆕 What's New Since v0.1.0

New Modules

Module Description
connectivity/spoke_vnet Spoke VNet with AKS, App Gateway and Private Endpoint subnets, bidirectional hub peering, and UDR skeleton
connectivity/private_dns Private DNS zones for ACR, Key Vault and Storage with hub and spoke VNet links
app_platform/storage StorageV2 with blob containers, lifecycle policy, blob soft delete, versioning and diagnostic settings
app_platform/aks_cluster AKS with Azure CNI, AGIC add-on, workload identity, OIDC issuer, OMS agent and control plane diagnostics
app_platform/app_gateway_waf_agic Application Gateway WAF v2 with standalone WAF policy (OWASP 3.2), public IP and AGIC lifecycle management

⚠️ Breaking Changes from v0.1.0

Module | Change | Action Required
app_platform/key_vault | Renamed from app_platform/keyvault | Update all source references
connectivity/spoke_vnet | Requires azurerm.connectivity provider alias | Add providers block in module calls
management/log_analytics | retention_days → retention_in_days | Update variable references

✅ Complete Module Inventory

Connectivity

Module Description
connectivity/hub_vnet Hub VNet with ManagementSubnet, optional GatewaySubnet, route tables
connectivity/spoke_vnet ✨ Spoke VNet with AKS, App Gateway, Private Endpoint subnets
connectivity/private_dns ✨ Private DNS zones with hub and spoke VNet links

Management

Module Description
management/log_analytics Log Analytics workspace with ContainerInsights and SecurityInsights

App Platform

Module Description
app_platform/acr Azure Container Registry with optional AcrPull role assignment
app_platform/key_vault ⚠️ RENAMED — Key Vault with RBAC mode, soft delete, diagnostics
app_platform/storage ✨ StorageV2 with containers, lifecycle policies, diagnostics
app_platform/aks_cluster ✨ AKS with Azure CNI, AGIC, workload identity, OIDC
app_platform/app_gateway_waf_agic ✨ App Gateway WAF v2 with OWASP 3.2

🔧 Provider Versions

Provider Version Constraint
hashicorp/azurerm >= 3.90.0, < 4.0.0
Terraform Core >= 1.6.0

🏗️ Notable Design Decisions

  • Two-identity pattern for AKS
    Separate cluster_identity and kubelet_identity for proper RBAC isolation.

  • AGIC lifecycle ignore
    Prevents Terraform drift due to AGIC-managed changes.

  • Workload Identity + OIDC enforced together
    Must be enabled as a pair.

  • Diagnostics on all modules
    Controlled via log_analytics_workspace_id.

  • Key Vault purge protection disabled by default
    For demo destroy cycles (override in production).


📦 How to Reference This Release

# Connectivity
module "hub_vnet" {
  source = "github.com/devsocket/terraform-common-modules//modules/connectivity/hub_vnet?ref=v0.2.0"
}

module "spoke_vnet" {
  source = "github.com/devsocket/terraform-common-modules//modules/connectivity/spoke_vnet?ref=v0.2.0"
}

module "private_dns" {
  source = "github.com/devsocket/terraform-common-modules//modules/connectivity/private_dns?ref=v0.2.0"
}

# Management
module "log_analytics" {
  source = "github.com/devsocket/terraform-common-modules//modules/management/log_analytics?ref=v0.2.0"
}

# App Platform
module "acr" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/acr?ref=v0.2.0"
}

module "key_vault" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/key_vault?ref=v0.2.0"
}

module "storage" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/storage?ref=v0.2.0"
}

module "aks" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/aks_cluster?ref=v0.2.0"
}

module "app_gateway" {
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/app_gateway_waf_agic?ref=v0.2.0"
}

⚠️ Pre-GA Caveats

  • End-to-end deployment still in progress
  • v1.0.0 will be tagged after full validation
  • Always pin to ?ref=v0.2.0 — never use master
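
A check for the pinning advice above, as an added Go example that is not part of the release notes or the project: it classifies each git-based module source as pinned to a release tag, pinned to a full commit SHA, pointing at a movable ref such as master, or not pinned at all. The status labels and the sample input are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var sourceLine = regexp.MustCompile(`(?m)^[ \t]*source[ \t]*=[ \t]*"([^"]+)"`)
var semverTag = regexp.MustCompile(`^v\d+\.\d+\.\d+$`)
var commitSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Finding is one git-based module source and how its ref is pinned.
type Finding struct{ Source, Ref, Status string }

// AuditPins classifies github.com/ and git:: module sources; local and registry sources are skipped.
func AuditPins(tf string) []Finding {
	var out []Finding
	for _, m := range sourceLine.FindAllStringSubmatch(tf, -1) {
		if !strings.HasPrefix(m[1], "github.com/") && !strings.HasPrefix(m[1], "git::") {
			continue
		}
		_, rawQuery, _ := strings.Cut(m[1], "?")
		q, _ := url.ParseQuery(rawQuery)
		ref, status := q.Get("ref"), "mutable-ref" // default: branch or other movable ref
		switch {
		case ref == "":
			status = "unpinned" // follows the default branch
		case commitSHA.MatchString(ref):
			status = "commit" // full SHA, cannot be re-pointed
		case semverTag.MatchString(ref):
			status = "tag" // release tag such as v0.2.0
		}
		out = append(out, Finding{m[1], ref, status})
	}
	return out
}

// Constructed sample: only the first line follows the release notes' advice.
const sample = `
  source = "github.com/devsocket/terraform-common-modules//modules/connectivity/hub_vnet?ref=v0.2.0"
  source = "github.com/devsocket/terraform-common-modules//modules/connectivity/spoke_vnet?ref=master"
  source = "github.com/devsocket/terraform-common-modules//modules/app_platform/acr"
`

func main() {
	fmt.Printf("%+v\n", AuditPins(sample))
}
```

A tag can be re-pointed unless the host enforces immutability, so a 40-character commit SHA is the strictest pin.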

⏭️ Planned for v1.0.0

  • Full end-to-end deployment validation
  • Stable input/output contracts
  • Breaking change freeze (semver compliance)

v0.1.0 — Initial Alpha Release

15 Mar 22:26
Immutable release. Only release title and notes can be modified.
f5d0e7c


Pre-release

v0.1.0 — Initial Alpha Release

terraform-common-modules · 15 March 2026

This is the first public release of terraform-common-modules — a reusable Terraform module library for Azure Landing Zone patterns, built around the Microsoft Cloud Adoption Framework (CAF).

This alpha release establishes the module structure, provider contracts, and core connectivity + platform modules. It is consumed by terraform-landing-zone-demo as a reference implementation.


✅ Modules Included

Connectivity

Module Description
connectivity/hub_vnet Hub VNet with subnets and route tables for hub-spoke topology
connectivity/spoke_vnet Spoke VNet with subnets, VNet peering, and UDR to hub
connectivity/private_dns Private DNS zones with VNet links for PaaS service resolution

App Platform

Module Description
app_platform/acr Azure Container Registry with private endpoint and public access disabled
app_platform/keyvault App-level Key Vault with private endpoint and RBAC-based access model

Management

Module Description
management/log_analytics Log Analytics workspace with configurable retention and solution support

🔧 Provider Versions

Provider Version Constraint
hashicorp/azurerm >= 3.90.0, < 4.0.0
hashicorp/azuread >= 2.0.0
Terraform core >= 1.6.0

🏗️ Design Decisions in This Release

Private endpoints on all PaaS modules
ACR and Key Vault are provisioned with private endpoints enabled and public network access disabled by default. This is intentional for regulated workload compatibility — overridable via input variables.

RBAC over access policies for Key Vault
app_platform/keyvault uses Azure RBAC (enable_rbac_authorization = true) rather than legacy vault access policies. This aligns with current Microsoft recommendations and works cleanly with workload identity and managed identities.

Hub-spoke as first-class pattern
hub_vnet and spoke_vnet are designed as a pair — spoke peering and UDR configuration assumes a hub exists. Standalone spoke deployment without a hub is not a supported pattern in this release.

Log Analytics as shared observability backbone
The log_analytics module outputs its workspace ID and workspace key, intended to be passed as inputs to diagnostic settings across all other modules. Fragmented per-workload workspaces are explicitly avoided.


⚠️ Alpha Caveats

  • Input/output variable contracts may change in v0.2.0 as additional modules are added
  • The following modules are planned but not yet implemented, and the plan may change: governance/policy_set, governance/role_assignments, identity/workload_identity, connectivity/peering, connectivity/bastion, app_platform/aks_cluster, app_platform/app_gateway_waf_agic, app_platform/storage, monitoring/diagnostic_settings, monitoring/alerts
  • No automated test suite yet — terraform validate and terraform plan are the current verification mechanisms
  • Always pin to ?ref=v0.1.0 when referencing from other repos — do not reference master directly

📦 How to Reference This Release

module "log_analytics" {
  source = "github.com/devsocket/terraform-common-modules//modules/management/log_analytics?ref=v0.1.0"

  workspace_name      = "law-platform-prod-001"
  resource_group_name = azurerm_resource_group.mgmt.name
  location            = var.location
  retention_days      = 7
  tags                = var.tags
}

🗺️ Roadmap — Coming in v0.2.0

  • connectivity/peering — Standalone bidirectional VNet peering module
  • governance/policy_set — Azure Policy initiative assignments at management group scope
  • identity/workload_identity — Federated workload identity for AKS pods
  • app_platform/aks_cluster — AKS cluster with AGIC, workload identity, and Azure Monitor integration
  • monitoring/diagnostic_settings — Reusable diagnostic settings module consumable by all resource modules

👤 Author

Sudheer Kumar — Senior Technical Lead | Azure Solutions Architect (AZ-104, AZ-305)