microsoft · WilliamBerryiii · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
@@ -177,7 +177,7 @@ Run `npm install` (or `npm ci`) before any `npm run` lint commands. `shellcheck`
 | File Type | Validation Commands |
 | --- | --- |
 | `*.md` | `npm run lint:md`, `npm run spell-check`, `npm run format:tables` |
-| `*.tf`, `*.tfvars` | `terraform fmt -check`, `terraform validate`, `terraform plan` |
+| `*.tf`, `*.tfvars` | `npm run lint:tf`, `npm run lint:tf:validate`, `terraform plan` |
 | `*.sh` | `shellcheck <file>` |
 | `*.ps1` | `npm run lint:ps` |
 | `*.yml` (GitHub Actions) | `npm run lint:yaml` |
@@ -196,13 +196,10 @@ Run `npm install` (or `npm ci`) before any `npm run` lint commands. `shellcheck`
 
 Terraform validation is per-directory — each deployment directory has its own provider configuration and state:
 
-* `terraform fmt -check -recursive infrastructure/terraform/` — formatting compliance (recursive across all directories)
-* `terraform validate` — run inside each deployment directory individually:
-  * `infrastructure/terraform/`
-  * `infrastructure/terraform/vpn/`
-  * `infrastructure/terraform/dns/`
-  * `infrastructure/terraform/automation/`
+* `npm run lint:tf` — TFLint recursive linting across all directories
+* `npm run lint:tf:validate` — `terraform fmt -check -recursive` + `terraform init -backend=false && terraform validate` per deployment directory (`.`, `vpn/`, `dns/`, `automation/`)
 * `terraform plan -var-file=terraform.tfvars` — validates configuration against provider APIs (requires `source infrastructure/terraform/prerequisites/az-sub-init.sh` first)
+* CI: `.github/workflows/terraform-validation.yml` reusable workflow runs `lint:tf:validate` with `soft-fail: true`
 
 ### Shell Scripts
 

@@ -122,6 +122,15 @@ jobs:
     permissions:
       contents: read
 
+  # Terraform format and validate checks
+  terraform-validation:
+    name: Terraform Validation
+    uses: ./.github/workflows/terraform-validation.yml
+    with:
+      soft-fail: true
+    permissions:
+      contents: read
+
   # CodeQL security analysis
   codeql-analysis:
     name: CodeQL Analysis
@@ -147,6 +156,7 @@ jobs:
       - pytest-tests
       - python-lint
       - terraform-lint
+      - terraform-validation
       - codeql-analysis
     name: Release Please
     runs-on: ubuntu-latest

@@ -147,6 +147,16 @@ jobs:
     permissions:
       contents: read
 
+  # Terraform format and validate checks
+  terraform-validation:
+    name: Terraform Validation
+    uses: ./.github/workflows/terraform-validation.yml
+    with:
+      soft-fail: true
+      changed-files-only: true
+    permissions:
+      contents: read
+
   # CodeQL security analysis
   codeql-analysis:
     name: CodeQL Analysis

@@ -0,0 +1,60 @@
+name: Terraform Validation
+
+on:
+  workflow_call:
+    inputs:
+      soft-fail:
+        description: 'Whether to continue on Terraform validation failures'
+        required: false
+        type: boolean
+        default: false
+      changed-files-only:
+        description: 'Only validate directories with changed Terraform files'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: pwsh
+
+jobs:
+  terraform-validation:
+    name: Terraform Validation
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: ${{ inputs.changed-files-only && '0' || '1' }}
+
+      - name: Create logs directory
+        run: New-Item -ItemType Directory -Force -Path logs | Out-Null
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        with:
+          terraform_wrapper: false
+
+      - name: Run Terraform Validation
+        continue-on-error: ${{ inputs.soft-fail }}
+        run: |
+          $params = @{}
+          if ('${{ inputs.changed-files-only }}' -eq 'true') {
+            $params['ChangedFilesOnly'] = $true
+          }
+          shared/ci/linting/Invoke-TerraformValidation.ps1 @params
+
+      - name: Upload Terraform validation results
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: terraform-validation-results
+          path: logs/terraform-validation-results.json
+          retention-days: 30
diff --git a/.gitignore b/.gitignore
@@ -463,6 +463,7 @@ venv/
 .hypothesis/
 **/out/*
 .copilot-tracking/*
+dependency-pinning-artifacts/
 
 .DS_Store
 .beads/

diff --git a/dependency-pinning-artifacts/gha-test.json b/dependency-pinning-artifacts/gha-test.json
@@ -1,3 +1,3 @@
 ---
 sidebar_position: 1
 title: Contributing to Physical AI Toolchain
@@ -174,16 +174,15 @@
 
 | Level                   | What                                                                   | When to Use                  | Cost   |
 |-------------------------|------------------------------------------------------------------------|------------------------------|--------|
-| **Level 1: Static**     | `terraform fmt`, `terraform validate`, `shellcheck`, `npm run lint:md` | Every contribution           | $0     |
+| **Level 1: Static**     | `npm run lint:tf:validate`, `shellcheck`, `npm run lint:md`            | Every contribution           | $0     |
 | **Level 2: Plan**       | `terraform plan` with documented output                                | Terraform changes            | $0     |
 | **Level 3: Deployment** | Full deployment in dev subscription                                    | Major infrastructure changes | $25-50 |
 | **Level 4: Workflow**   | Training job execution                                                 | Script/workflow changes      | $5-30  |
 
 Static validation is required for all PRs:
 
 ```bash
-terraform fmt -check -recursive infrastructure/terraform/
-terraform validate infrastructure/terraform/
+npm run lint:tf:validate
 shellcheck infrastructure/**/*.sh scripts/**/*.sh
 npm run lint:md
 ```

@@ -22,8 +22,7 @@ Required for all contributions before submitting PR.
 
 ```bash
 # Terraform formatting and validation
-terraform fmt -check -recursive infrastructure/terraform/
-terraform validate infrastructure/terraform/
+npm run lint:tf:validate
 
 # Shell script linting
 shellcheck infrastructure/**/*.sh scripts/**/*.sh
@@ -130,8 +129,7 @@ Copy this template to PR description:
 ## Validation Performed
 
 **Static Validation:**
-- [ ] terraform fmt -check
-- [ ] terraform validate
+- [ ] npm run lint:tf:validate
 - [ ] shellcheck (if applicable)
 - [ ] npm run lint:md (if docs changed)
 

@@ -20,14 +20,14 @@ Infrastructure code follows strict conventions for consistency, security, and ma
 # Format all Terraform files before committing
 terraform fmt -recursive infrastructure/terraform/
 
-# Validate syntax
-terraform validate infrastructure/terraform/
+# Validate formatting and syntax across all deployment directories
+npm run lint:tf:validate
 ```
 
 ### Variable Naming
 
 * Use descriptive snake_case: `gpu_node_pool_vm_size` not `vm_sku`
-* Prefix booleans with `enable_` or `is_`: `enable_private_endpoints`, `is_production`
+* Prefix booleans with `should_`: `should_enable_private_endpoints`, `should_deploy_vpn`
 * Group related variables with prefixes: `aks_cluster_name`, `aks_node_count`, `aks_version`
 
 ### Module Structure

diff --git a/package.json b/package.json
@@ -15,6 +15,7 @@
     "lint:links": "pwsh -File shared/ci/linting/Invoke-LinkLanguageCheck.ps1",
     "lint:yaml": "pwsh -File shared/ci/linting/Invoke-YamlLint.ps1",
     "lint:tf": "pwsh -File shared/ci/linting/Invoke-TFLint.ps1",
+    "lint:tf:validate": "pwsh -File shared/ci/linting/Invoke-TerraformValidation.ps1",
     "lint:all": "npm run lint:md && npm run lint:ps && npm run lint:links && npm run lint:yaml && npm run lint:tf",
     "format:tables": "markdown-table-formatter \"**/*.md\"",
     "test:ps": "pwsh -File ./shared/ci/tests/Invoke-PesterTests.ps1",