fix(infrastructure): resolve TFLint violations and enable hard-fail

.github/workflows/main.yml

@@ -138,7 +138,7 @@ jobs:
     name: Terraform Lint
     uses: ./.github/workflows/terraform-lint.yml
     with:
-      soft-fail: true
+      soft-fail: false
     permissions:
       contents: read
 

.github/workflows/pr-validation.yml

@@ -158,7 +158,7 @@ jobs:
     name: Terraform Lint
     uses: ./.github/workflows/terraform-lint.yml
     with:
-      soft-fail: true
+      soft-fail: false
     permissions:
       contents: read
 

infrastructure/terraform/modules/automation/tests/setup/main.tf

@@ -30,22 +30,27 @@ locals {
 }
 
 output "resource_prefix" {
-  value = local.resource_prefix
+  description = "Generated resource naming prefix for test isolation."
+  value       = local.resource_prefix
 }
 
 output "environment" {
-  value = local.environment
+  description = "Environment identifier for test configuration."
+  value       = local.environment
 }
 
 output "instance" {
-  value = local.instance
+  description = "Instance identifier for test configuration."
+  value       = local.instance
 }
 
 output "location" {
-  value = local.location
+  description = "Azure region for test resources."
+  value       = local.location
 }
 
 output "resource_group" {
+  description = "Mock resource group object for test input."
   value = {
     id       = local.resource_group_id
     name     = local.resource_group_name
@@ -54,12 +59,14 @@ output "resource_group" {
 }
 
 output "aks_cluster" {
+  description = "Mock AKS cluster reference for test input."
   value = {
     id   = "${local.resource_group_id}/providers/Microsoft.ContainerService/managedClusters/${local.aks_cluster_name}"
     name = local.aks_cluster_name
   }
 }
 
 output "runbook_script_path" {
-  value = "./tests/setup/scripts/stub.ps1"
+  description = "Path to stub runbook script for test execution."
+  value       = "./tests/setup/scripts/stub.ps1"
 }

infrastructure/terraform/modules/dataviewer/tests/setup/main.tf

@@ -32,22 +32,27 @@ locals {
 }
 
 output "resource_prefix" {
-  value = local.resource_prefix
+  description = "Generated resource naming prefix for test isolation."
+  value       = local.resource_prefix
 }
 
 output "environment" {
-  value = local.environment
+  description = "Environment identifier for test configuration."
+  value       = local.environment
 }
 
 output "instance" {
-  value = local.instance
+  description = "Instance identifier for test configuration."
+  value       = local.instance
 }
 
 output "location" {
-  value = local.location
+  description = "Azure region for test resources."
+  value       = local.location
 }
 
 output "resource_group" {
+  description = "Mock resource group object for test input."
   value = {
     id       = local.resource_group_id
     name     = local.resource_group_name
@@ -56,32 +61,37 @@ output "resource_group" {
 }
 
 output "virtual_network" {
+  description = "Mock virtual network reference for test input."
   value = {
     id   = local.vnet_id
     name = local.vnet_name
   }
 }
 
 output "network_security_group" {
+  description = "Mock network security group reference for test input."
   value = {
     id = "${local.resource_group_id}/providers/Microsoft.Network/networkSecurityGroups/nsg-${local.resource_prefix}-${local.environment}-${local.instance}"
   }
 }
 
 output "nat_gateway" {
+  description = "Mock NAT gateway reference for test input."
   value = {
     id = "${local.resource_group_id}/providers/Microsoft.Network/natGateways/ng-${local.resource_prefix}-${local.environment}-${local.instance}"
   }
 }
 
 output "log_analytics_workspace" {
+  description = "Mock Log Analytics workspace reference for test input."
   value = {
     id           = "${local.resource_group_id}/providers/Microsoft.OperationalInsights/workspaces/log-${local.resource_prefix}-${local.environment}-${local.instance}"
     workspace_id = "00000000-0000-0000-0000-000000000002"
   }
 }
 
 output "container_registry" {
+  description = "Mock container registry reference for test input."
   value = {
     id           = "${local.resource_group_id}/providers/Microsoft.ContainerRegistry/registries/acr${local.resource_prefix}${local.environment}${local.instance}"
     name         = "acr${local.resource_prefix}${local.environment}${local.instance}"
@@ -90,6 +100,7 @@ output "container_registry" {
 }
 
 output "storage_account" {
+  description = "Mock storage account reference for test input."
   value = {
     id   = "${local.resource_group_id}/providers/Microsoft.Storage/storageAccounts/${local.storage_account_name}"
     name = local.storage_account_name

infrastructure/terraform/modules/platform/security.tf

@@ -28,6 +28,10 @@ resource "azurerm_key_vault" "main" {
     // Allow public access when enabled, otherwise deny (PE-only)
     default_action = var.should_enable_public_network_access ? "Allow" : "Deny"
   }
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 // ============================================================

infrastructure/terraform/modules/platform/storage.tf

@@ -32,6 +32,10 @@ resource "azurerm_storage_account" "main" {
       days = 7
     }
   }
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 // ============================================================
@@ -43,6 +47,10 @@ resource "azurerm_storage_container" "ml_workspace" {
   name                  = "ml-workspace"
   storage_account_id    = azurerm_storage_account.main.id
   container_access_type = "private"
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 // ============================================================
@@ -105,6 +113,10 @@ resource "azurerm_storage_management_policy" "main" {
   }
 
   // Note: No lifecycle policy for checkpoints/ prefix — model checkpoints retained indefinitely in Hot tier
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 // ============================================================

infrastructure/terraform/modules/platform/tests/setup/main.tf

@@ -29,22 +29,27 @@ locals {
 }
 
 output "resource_prefix" {
-  value = local.resource_prefix
+  description = "Generated resource naming prefix for test isolation."
+  value       = local.resource_prefix
 }
 
 output "environment" {
-  value = local.environment
+  description = "Environment identifier for test configuration."
+  value       = local.environment
 }
 
 output "instance" {
-  value = local.instance
+  description = "Instance identifier for test configuration."
+  value       = local.instance
 }
 
 output "location" {
-  value = local.location
+  description = "Azure region for test resources."
+  value       = local.location
 }
 
 output "resource_group" {
+  description = "Mock resource group object for test input."
   value = {
     id       = local.resource_group_id
     name     = local.resource_group_name
@@ -53,5 +58,6 @@ output "resource_group" {
 }
 
 output "current_user_oid" {
-  value = "00000000-0000-0000-0000-000000000001"
+  description = "Stub user object ID for RBAC test assignments."
+  value       = "00000000-0000-0000-0000-000000000001"
 }

infrastructure/terraform/modules/sil/tests/setup/main.tf

@@ -31,22 +31,27 @@ locals {
 }
 
 output "resource_prefix" {
-  value = local.resource_prefix
+  description = "Generated resource naming prefix for test isolation."
+  value       = local.resource_prefix
 }
 
 output "environment" {
-  value = local.environment
+  description = "Environment identifier for test configuration."
+  value       = local.environment
 }
 
 output "instance" {
-  value = local.instance
+  description = "Instance identifier for test configuration."
+  value       = local.instance
 }
 
 output "location" {
-  value = local.location
+  description = "Azure region for test resources."
+  value       = local.location
 }
 
 output "resource_group" {
+  description = "Mock resource group object for test input."
   value = {
     id       = local.resource_group_id
     name     = local.resource_group_name
@@ -55,17 +60,20 @@ output "resource_group" {
 }
 
 output "current_user_oid" {
-  value = "00000000-0000-0000-0000-000000000001"
+  description = "Stub user object ID for RBAC test assignments."
+  value       = "00000000-0000-0000-0000-000000000001"
 }
 
 output "virtual_network" {
+  description = "Mock virtual network reference for test input."
   value = {
     id   = local.vnet_id
     name = local.vnet_name
   }
 }
 
 output "subnets" {
+  description = "Mock subnet references for test input."
   value = {
     main = {
       id   = "${local.vnet_id}/subnets/snet-${local.resource_prefix}-${local.environment}-${local.instance}"
@@ -79,25 +87,29 @@ output "subnets" {
 }
 
 output "network_security_group" {
+  description = "Mock network security group reference for test input."
   value = {
     id = "${local.resource_group_id}/providers/Microsoft.Network/networkSecurityGroups/nsg-${local.resource_prefix}-${local.environment}-${local.instance}"
   }
 }
 
 output "nat_gateway" {
+  description = "Mock NAT gateway reference for test input."
   value = {
     id = "${local.resource_group_id}/providers/Microsoft.Network/natGateways/ng-${local.resource_prefix}-${local.environment}-${local.instance}"
   }
 }
 
 output "log_analytics_workspace" {
+  description = "Mock Log Analytics workspace reference for test input."
   value = {
     id           = "${local.resource_group_id}/providers/Microsoft.OperationalInsights/workspaces/log-${local.resource_prefix}-${local.environment}-${local.instance}"
     workspace_id = "00000000-0000-0000-0000-000000000002"
   }
 }
 
 output "container_registry" {
+  description = "Mock container registry reference for test input."
   value = {
     id           = "${local.resource_group_id}/providers/Microsoft.ContainerRegistry/registries/acr${local.resource_prefix}${local.environment}${local.instance}"
     name         = "acr${local.resource_prefix}${local.environment}${local.instance}"
@@ -106,6 +118,7 @@ output "container_registry" {
 }
 
 output "private_dns_zones" {
+  description = "Mock private DNS zone references for test input."
   value = {
     aks = {
       id   = "${local.resource_group_id}/providers/Microsoft.Network/privateDnsZones/privatelink.${local.location}.azmk8s.io"
@@ -115,18 +128,21 @@ output "private_dns_zones" {
 }
 
 output "monitor_workspace" {
+  description = "Mock Azure Monitor workspace reference for test input."
   value = {
     id = "${local.resource_group_id}/providers/Microsoft.Monitor/accounts/azmon-${local.resource_prefix}-${local.environment}-${local.instance}"
   }
 }
 
 output "data_collection_endpoint" {
+  description = "Mock data collection endpoint reference for test input."
   value = {
     id = "${local.resource_group_id}/providers/Microsoft.Insights/dataCollectionEndpoints/dce-${local.resource_prefix}-${local.environment}-${local.instance}"
   }
 }
 
 output "osmo_workload_identity" {
+  description = "Mock OSMO workload identity reference for test input."
   value = {
     id           = "${local.resource_group_id}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-osmo-${local.resource_prefix}-${local.environment}-${local.instance}"
     principal_id = "00000000-0000-0000-0000-000000000003"

infrastructure/terraform/modules/vpn/tests/setup/main.tf

@@ -31,22 +31,27 @@ locals {
 }
 
 output "resource_prefix" {
-  value = local.resource_prefix
+  description = "Generated resource naming prefix for test isolation."
+  value       = local.resource_prefix
 }
 
 output "environment" {
-  value = local.environment
+  description = "Environment identifier for test configuration."
+  value       = local.environment
 }
 
 output "instance" {
-  value = local.instance
+  description = "Instance identifier for test configuration."
+  value       = local.instance
 }
 
 output "location" {
-  value = local.location
+  description = "Azure region for test resources."
+  value       = local.location
 }
 
 output "resource_group" {
+  description = "Mock resource group object for test input."
   value = {
     id       = local.resource_group_id
     name     = local.resource_group_name
@@ -55,6 +60,7 @@ output "resource_group" {
 }
 
 output "virtual_network" {
+  description = "Mock virtual network reference for test input."
   value = {
     id   = local.vnet_id
     name = local.vnet_name