diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 32dbfb49..82756de2 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -138,7 +138,7 @@ jobs:
 name: Terraform Lint
 uses: ./.github/workflows/terraform-lint.yml
 with:
- soft-fail: true
+ soft-fail: false
 permissions:
 contents: read
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 73bcdc3b..0e9ccabf 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -158,7 +158,7 @@ jobs:
 name: Terraform Lint
 uses: ./.github/workflows/terraform-lint.yml
 with:
- soft-fail: true
+ soft-fail: false
 permissions:
 contents: read
diff --git a/infrastructure/terraform/modules/automation/tests/setup/main.tf b/infrastructure/terraform/modules/automation/tests/setup/main.tf
index 48ac07c8..097897b7 100644
--- a/infrastructure/terraform/modules/automation/tests/setup/main.tf
+++ b/infrastructure/terraform/modules/automation/tests/setup/main.tf
@@ -30,22 +30,27 @@ locals {
 }
 output "resource_prefix" {
- value = local.resource_prefix
+ description = "Generated resource naming prefix for test isolation."
+ value = local.resource_prefix
 }
 output "environment" {
- value = local.environment
+ description = "Environment identifier for test configuration."
+ value = local.environment
 }
 output "instance" {
- value = local.instance
+ description = "Instance identifier for test configuration."
+ value = local.instance
 }
 output "location" {
- value = local.location
+ description = "Azure region for test resources."
+ value = local.location
 }
 output "resource_group" {
+ description = "Mock resource group object for test input."
 value = {
 id = local.resource_group_id
 name = local.resource_group_name
@@ -54,6 +59,7 @@ output "resource_group" {
 }
 output "aks_cluster" {
+ description = "Mock AKS cluster reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.ContainerService/managedClusters/${local.aks_cluster_name}"
 name = local.aks_cluster_name
@@ -61,5 +67,6 @@ output "aks_cluster" {
 }
 output "runbook_script_path" {
- value = "./tests/setup/scripts/stub.ps1"
+ description = "Path to stub runbook script for test execution."
+ value = "./tests/setup/scripts/stub.ps1"
 }
diff --git a/infrastructure/terraform/modules/dataviewer/tests/setup/main.tf b/infrastructure/terraform/modules/dataviewer/tests/setup/main.tf
index 2748a06b..6cd7c9d9 100644
--- a/infrastructure/terraform/modules/dataviewer/tests/setup/main.tf
+++ b/infrastructure/terraform/modules/dataviewer/tests/setup/main.tf
@@ -32,22 +32,27 @@ locals {
 }
 output "resource_prefix" {
- value = local.resource_prefix
+ description = "Generated resource naming prefix for test isolation."
+ value = local.resource_prefix
 }
 output "environment" {
- value = local.environment
+ description = "Environment identifier for test configuration."
+ value = local.environment
 }
 output "instance" {
- value = local.instance
+ description = "Instance identifier for test configuration."
+ value = local.instance
 }
 output "location" {
- value = local.location
+ description = "Azure region for test resources."
+ value = local.location
 }
 output "resource_group" {
+ description = "Mock resource group object for test input."
 value = {
 id = local.resource_group_id
 name = local.resource_group_name
@@ -56,6 +61,7 @@ output "resource_group" {
 }
 output "virtual_network" {
+ description = "Mock virtual network reference for test input."
 value = {
 id = local.vnet_id
 name = local.vnet_name
@@ -63,18 +69,21 @@ output "virtual_network" {
 }
 output "network_security_group" {
+ description = "Mock network security group reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.Network/networkSecurityGroups/nsg-${local.resource_prefix}-${local.environment}-${local.instance}"
 }
 }
 output "nat_gateway" {
+ description = "Mock NAT gateway reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.Network/natGateways/ng-${local.resource_prefix}-${local.environment}-${local.instance}"
 }
 }
 output "log_analytics_workspace" {
+ description = "Mock Log Analytics workspace reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.OperationalInsights/workspaces/log-${local.resource_prefix}-${local.environment}-${local.instance}"
 workspace_id = "00000000-0000-0000-0000-000000000002"
@@ -82,6 +91,7 @@ output "log_analytics_workspace" {
 }
 output "container_registry" {
+ description = "Mock container registry reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.ContainerRegistry/registries/acr${local.resource_prefix}${local.environment}${local.instance}"
 name = "acr${local.resource_prefix}${local.environment}${local.instance}"
@@ -90,6 +100,7 @@ output "container_registry" {
 }
 output "storage_account" {
+ description = "Mock storage account reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.Storage/storageAccounts/${local.storage_account_name}"
 name = local.storage_account_name
diff --git a/infrastructure/terraform/modules/platform/security.tf b/infrastructure/terraform/modules/platform/security.tf
index b6514f34..1a214d52 100644
--- a/infrastructure/terraform/modules/platform/security.tf
+++ b/infrastructure/terraform/modules/platform/security.tf
@@ -28,6 +28,10 @@ resource "azurerm_key_vault" "main" {
 // Allow public access when enabled, otherwise deny (PE-only)
 default_action = var.should_enable_public_network_access ? "Allow" : "Deny"
 }
+
+ lifecycle {
+ prevent_destroy = true
+ }
 }
 // ============================================================
diff --git a/infrastructure/terraform/modules/platform/storage.tf b/infrastructure/terraform/modules/platform/storage.tf
index cd16428e..1a8748a8 100644
--- a/infrastructure/terraform/modules/platform/storage.tf
+++ b/infrastructure/terraform/modules/platform/storage.tf
@@ -32,6 +32,10 @@ resource "azurerm_storage_account" "main" {
 days = 7
 }
 }
+
+ lifecycle {
+ prevent_destroy = true
+ }
 }
 // ============================================================
@@ -43,6 +47,10 @@ resource "azurerm_storage_container" "ml_workspace" {
 name = "ml-workspace"
 storage_account_id = azurerm_storage_account.main.id
 container_access_type = "private"
+
+ lifecycle {
+ prevent_destroy = true
+ }
 }
 // ============================================================
@@ -105,6 +113,10 @@ resource "azurerm_storage_management_policy" "main" {
 }
 // Note: No lifecycle policy for checkpoints/ prefix — model checkpoints retained indefinitely in Hot tier
+
+ lifecycle {
+ prevent_destroy = true
+ }
 }
 // ============================================================
diff --git a/infrastructure/terraform/modules/platform/tests/setup/main.tf b/infrastructure/terraform/modules/platform/tests/setup/main.tf
index 8fe7169e..def12856 100644
--- a/infrastructure/terraform/modules/platform/tests/setup/main.tf
+++ b/infrastructure/terraform/modules/platform/tests/setup/main.tf
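Review bot: `prevent_destroy = true` on `azurerm_key_vault.main` only makes Terraform reject a plan that would destroy the resource; it has no effect if the resource block is removed from configuration or the vault is deleted outside Terraform, so it should not be the only deletion safeguard. The resource body starts above the hunk, so whether `purge_protection_enabled = true` is set cannot be seen here; please confirm it, and consider an `azurerm_management_lock` with `lock_level = "CanNotDelete"` for a platform-side guarantee. The same applies to the three `lifecycle` blocks added in storage.tf. A comment above each block, for example `// Guards against accidental terraform destroy/replace only; deletion protection itself comes from <purge protection / management lock>`, would keep readers from over-trusting it.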
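Review bot: The `lifecycle` blocks added to `azurerm_storage_management_policy.main` and `azurerm_storage_container.ml_workspace` live in a shared module, and `prevent_destroy` must be a literal value, so it cannot be switched off per environment. Any ephemeral or test deployment of this module will then fail on `terraform destroy`, and any change that forces replacement of these resources will fail at plan time; whether the module's tests apply real resources is not visible in this diff. The management policy holds no data, so I would drop the block there and keep it on the storage account and container, with a comment such as `// prevent_destroy: remove temporarily for an intentional teardown`. Both resource bodies start above their hunks.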
@@ -29,22 +29,27 @@ locals {
 }
 output "resource_prefix" {
- value = local.resource_prefix
+ description = "Generated resource naming prefix for test isolation."
+ value = local.resource_prefix
 }
 output "environment" {
- value = local.environment
+ description = "Environment identifier for test configuration."
+ value = local.environment
 }
 output "instance" {
- value = local.instance
+ description = "Instance identifier for test configuration."
+ value = local.instance
 }
 output "location" {
- value = local.location
+ description = "Azure region for test resources."
+ value = local.location
 }
 output "resource_group" {
+ description = "Mock resource group object for test input."
 value = {
 id = local.resource_group_id
 name = local.resource_group_name
@@ -53,5 +58,6 @@ output "resource_group" {
 }
 output "current_user_oid" {
- value = "00000000-0000-0000-0000-000000000001"
+ description = "Stub user object ID for RBAC test assignments."
+ value = "00000000-0000-0000-0000-000000000001"
 }
diff --git a/infrastructure/terraform/modules/sil/tests/setup/main.tf b/infrastructure/terraform/modules/sil/tests/setup/main.tf
index 2eea2ae0..d5e06e4a 100644
--- a/infrastructure/terraform/modules/sil/tests/setup/main.tf
+++ b/infrastructure/terraform/modules/sil/tests/setup/main.tf
@@ -31,22 +31,27 @@ locals {
 }
 output "resource_prefix" {
- value = local.resource_prefix
+ description = "Generated resource naming prefix for test isolation."
+ value = local.resource_prefix
 }
 output "environment" {
- value = local.environment
+ description = "Environment identifier for test configuration."
+ value = local.environment
 }
 output "instance" {
- value = local.instance
+ description = "Instance identifier for test configuration."
+ value = local.instance
 }
 output "location" {
- value = local.location
+ description = "Azure region for test resources."
+ value = local.location
 }
 output "resource_group" {
+ description = "Mock resource group object for test input."
 value = {
 id = local.resource_group_id
 name = local.resource_group_name
@@ -55,10 +60,12 @@ output "resource_group" {
 }
 output "current_user_oid" {
- value = "00000000-0000-0000-0000-000000000001"
+ description = "Stub user object ID for RBAC test assignments."
+ value = "00000000-0000-0000-0000-000000000001"
 }
 output "virtual_network" {
+ description = "Mock virtual network reference for test input."
 value = {
 id = local.vnet_id
 name = local.vnet_name
@@ -66,6 +73,7 @@ output "virtual_network" {
 }
 output "subnets" {
+ description = "Mock subnet references for test input."
 value = {
 main = {
 id = "${local.vnet_id}/subnets/snet-${local.resource_prefix}-${local.environment}-${local.instance}"
@@ -79,18 +87,21 @@ output "subnets" {
 }
 output "network_security_group" {
+ description = "Mock network security group reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.Network/networkSecurityGroups/nsg-${local.resource_prefix}-${local.environment}-${local.instance}"
 }
 }
 output "nat_gateway" {
+ description = "Mock NAT gateway reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.Network/natGateways/ng-${local.resource_prefix}-${local.environment}-${local.instance}"
 }
 }
 output "log_analytics_workspace" {
+ description = "Mock Log Analytics workspace reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.OperationalInsights/workspaces/log-${local.resource_prefix}-${local.environment}-${local.instance}"
 workspace_id = "00000000-0000-0000-0000-000000000002"
@@ -98,6 +109,7 @@ output "log_analytics_workspace" {
 }
 output "container_registry" {
+ description = "Mock container registry reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.ContainerRegistry/registries/acr${local.resource_prefix}${local.environment}${local.instance}"
 name = "acr${local.resource_prefix}${local.environment}${local.instance}"
@@ -106,6 +118,7 @@ output "container_registry" {
 }
 output "private_dns_zones" {
+ description = "Mock private DNS zone references for test input."
 value = {
 aks = {
 id = "${local.resource_group_id}/providers/Microsoft.Network/privateDnsZones/privatelink.${local.location}.azmk8s.io"
@@ -115,18 +128,21 @@ output "private_dns_zones" {
 }
 output "monitor_workspace" {
+ description = "Mock Azure Monitor workspace reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.Monitor/accounts/azmon-${local.resource_prefix}-${local.environment}-${local.instance}"
 }
 }
 output "data_collection_endpoint" {
+ description = "Mock data collection endpoint reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.Insights/dataCollectionEndpoints/dce-${local.resource_prefix}-${local.environment}-${local.instance}"
 }
 }
 output "osmo_workload_identity" {
+ description = "Mock OSMO workload identity reference for test input."
 value = {
 id = "${local.resource_group_id}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-osmo-${local.resource_prefix}-${local.environment}-${local.instance}"
 principal_id = "00000000-0000-0000-0000-000000000003"
diff --git a/infrastructure/terraform/modules/vpn/tests/setup/main.tf b/infrastructure/terraform/modules/vpn/tests/setup/main.tf
index ed9bb333..7f909e48 100644
--- a/infrastructure/terraform/modules/vpn/tests/setup/main.tf
+++ b/infrastructure/terraform/modules/vpn/tests/setup/main.tf
@@ -31,22 +31,27 @@ locals {
 }
 output "resource_prefix" {
- value = local.resource_prefix
+ description = "Generated resource naming prefix for test isolation."
+ value = local.resource_prefix
 }
 output "environment" {
- value = local.environment
+ description = "Environment identifier for test configuration."
+ value = local.environment
 }
 output "instance" {
- value = local.instance
+ description = "Instance identifier for test configuration."
+ value = local.instance
 }
 output "location" {
- value = local.location
+ description = "Azure region for test resources."
+ value = local.location
 }
 output "resource_group" {
+ description = "Mock resource group object for test input."
 value = {
 id = local.resource_group_id
 name = local.resource_group_name
@@ -55,6 +60,7 @@ output "resource_group" {
 }
 output "virtual_network" {
+ description = "Mock virtual network reference for test input."
 value = {
 id = local.vnet_id
 name = local.vnet_name
diff --git a/infrastructure/terraform/tests/setup/main.tf b/infrastructure/terraform/tests/setup/main.tf
index 8ebc74f7..4ba6bb69 100644
--- a/infrastructure/terraform/tests/setup/main.tf
+++ b/infrastructure/terraform/tests/setup/main.tf
@@ -26,17 +26,21 @@ locals {
 }
 output "resource_prefix" {
- value = local.resource_prefix
+ description = "Generated resource naming prefix for test isolation."
+ value = local.resource_prefix
 }
 output "environment" {
- value = local.environment
+ description = "Environment identifier for test configuration."
+ value = local.environment
 }
 output "instance" {
- value = local.instance
+ description = "Instance identifier for test configuration."
+ value = local.instance
 }
 output "location" {
- value = local.location
+ description = "Azure region for test resources."
+ value = local.location
 }