Releases: devsocket/terraform-common-modules
v0.1.0 — Initial Alpha Release
v0.1.0 — Initial Alpha Release
terraform-common-modules 15 March 2026
This is the first public release of terraform-common-modules — a reusable Terraform module library for Azure Landing Zone patterns, built around the Microsoft Cloud Adoption Framework (CAF).
This alpha release establishes the module structure, provider contracts, and core connectivity + platform modules. It is consumed by terraform-landing-zone-demo as a reference implementation.
✅ Modules Included
Connectivity
| Module | Description |
|---|---|
connectivity/hub_vnet |
Hub VNet with subnets and route tables for hub-spoke topology |
connectivity/spoke_vnet |
Spoke VNet with subnets, VNet peering, and UDR to hub |
connectivity/private_dns |
Private DNS zones with VNet links for PaaS service resolution |
App Platform
| Module | Description |
|---|---|
app_platform/acr |
Azure Container Registry with private endpoint and public access disabled |
app_platform/keyvault |
App-level Key Vault with private endpoint and RBAC-based access model |
Management
| Module | Description |
|---|---|
management/log_analytics |
Log Analytics workspace with configurable retention and solution support |
🔧 Provider Versions
| Provider | Version Constraint |
|---|---|
hashicorp/azurerm |
>= 3.90.0, < 4.0.0 |
hashicorp/azuread |
>= 2.0.0 |
| Terraform core | >= 1.6.0 |
🏗️ Design Decisions in This Release
Private endpoints on all PaaS modules
ACR and Key Vault are provisioned with private endpoints enabled and public network access disabled by default. This is intentional for regulated workload compatibility — overridable via input variables.
RBAC over access policies for Key Vault
app_platform/keyvault uses Azure RBAC (enable_rbac_authorization = true) rather than legacy vault access policies. This aligns with current Microsoft recommendations and works cleanly with workload identity and managed identities.
Hub-spoke as first-class pattern
hub_vnet and spoke_vnet are designed as a pair — spoke peering and UDR configuration assumes a hub exists. Standalone spoke deployment without a hub is not a supported pattern in this release.
Log Analytics as shared observability backbone
The log_analytics module outputs its workspace ID and workspace key, intended to be passed as inputs to diagnostic settings across all other modules. Fragmented per-workload workspaces are explicitly avoided.
⚠️ Alpha Caveats
- Input/output variable contracts may change in
v0.2.0as additional modules are added - The following modules are planned but not yet implemented, so there might be changed in planned activities:
governance/policy_set,governance/role_assignments,identity/workload_identity,connectivity/peering,connectivity/bastion,app_platform/aks_cluster,app_platform/app_gateway_waf_agic,app_platform/storage,monitoring/diagnostic_settings,monitoring/alerts - No automated test suite yet —
terraform validateandterraform planare the current verification mechanisms - Always pin to
?ref=v0.1.0when referencing from other repos — do not referencemasterdirectly
📦 How to Reference This Release
module "log_analytics" {
source = "github.com/devsocket/terraform-common-modules//modules/management/log_analytics?ref=v0.1.0"
workspace_name = "law-platform-prod-001"
resource_group_name = azurerm_resource_group.mgmt.name
location = var.location
retention_days = 7
tags = var.tags
}🗺️ Roadmap — Coming in v0.2.0
connectivity/peering— Standalone bidirectional VNet peering modulegovernance/policy_set— Azure Policy initiative assignments at management group scopeidentity/workload_identity— Federated workload identity for AKS podsapp_platform/aks_cluster— AKS cluster with AGIC, workload identity, and Azure Monitor integrationmonitoring/diagnostic_settings— Reusable diagnostic settings module consumable by all resource modules
👤 Author
Sudheer Kumar — Senior Technical Lead | Azure Solutions Architect (AZ-104, AZ-305)
GitHub | LinkedIn