@meshxdata/fops 0.1.45 → 0.1.46

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-terraform.js

@@ -0,0 +1,1032 @@
+/**
+ * azure-aks-terraform.js - Terraform HCL generation from live cluster state
+ *
+ * Depends on: azure-aks-naming.js, azure-aks-state.js
+ */
+
+import fs from "node:fs";
+import path from "node:path";
+import {
+  OK, DIM,
+  banner, hint, kvLine, subArgs,
+  lazyExeca, ensureAzCli, ensureAzAuth,
+} from "./azure.js";
+import { requireCluster } from "./azure-aks-state.js";
+
+// ── aks terraform ─────────────────────────────────────────────────────────────
+
+export async function aksTerraform(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+  const { clusterName, resourceGroup: rg } = requireCluster(opts.clusterName);
+
+  banner(`AKS Terraform: ${clusterName}`);
+  hint("Fetching cluster details from Azure…");
+
+  const { stdout: showJson } = await execa("az", [
+    "aks", "show", "-g", rg, "-n", clusterName, "--output", "json",
+    ...subArgs(sub),
+  ], { timeout: 30000 });
+  const cluster = JSON.parse(showJson);
+
+  // Fetch resource group details for location
+  let rgLocation = cluster.location;
+  try {
+    const { stdout: rgJson } = await execa("az", [
+      "group", "show", "--name", rg, "--output", "json", ...subArgs(sub),
+    ], { timeout: 15000 });
+    rgLocation = JSON.parse(rgJson).location || rgLocation;
+  } catch { /* use cluster location */ }
+
+  // Discover companion resources in parallel
+  hint("Discovering companion resources…");
+  const serverName = `fops-${clusterName}-psql`;
+  const vaultName = `fops-${clusterName}-kv`.replace(/[^a-zA-Z0-9-]/g, "").slice(0, 24);
+
+  const [pgResult, kvResult, fluxExtResult, fluxCfgResult, storageResult, acrResult] = await Promise.allSettled([
+    execa("az", [
+      "postgres", "flexible-server", "show",
+      "--name", serverName, "--resource-group", rg,
+      "--output", "json", ...subArgs(sub),
+    ], { reject: false, timeout: 30000 }),
+    execa("az", [
+      "keyvault", "show", "--name", vaultName,
+      "--output", "json", ...subArgs(sub),
+    ], { reject: false, timeout: 30000 }),
+    execa("az", [
+      "k8s-extension", "show",
+      "--resource-group", rg, "--cluster-name", clusterName,
+      "--cluster-type", "managedClusters", "--name", "flux",
+      "--output", "json", ...subArgs(sub),
+    ], { reject: false, timeout: 30000 }),
+    execa("az", [
+      "k8s-configuration", "flux", "list",
+      "--resource-group", rg, "--cluster-name", clusterName,
+      "--cluster-type", "managedClusters",
+      "--output", "json", ...subArgs(sub),
+    ], { reject: false, timeout: 30000 }),
+    execa("az", [
+      "storage", "account", "list",
+      "--resource-group", rg,
+      "--output", "json", ...subArgs(sub),
+    ], { reject: false, timeout: 30000 }),
+    execa("az", [
+      "acr", "list",
+      "--resource-group", rg,
+      "--output", "json", ...subArgs(sub),
+    ], { reject: false, timeout: 30000 }),
+  ]);
+
+  const pgServer = pgResult.status === "fulfilled" && pgResult.value.exitCode === 0 && pgResult.value.stdout?.trim()
+    ? JSON.parse(pgResult.value.stdout) : null;
+  const keyVault = kvResult.status === "fulfilled" && kvResult.value.exitCode === 0 && kvResult.value.stdout?.trim()
+    ? JSON.parse(kvResult.value.stdout) : null;
+  const fluxExt = fluxExtResult.status === "fulfilled" && fluxExtResult.value.exitCode === 0 && fluxExtResult.value.stdout?.trim()
+    ? JSON.parse(fluxExtResult.value.stdout) : null;
+  const fluxConfigs = fluxCfgResult.status === "fulfilled" && fluxCfgResult.value.exitCode === 0 && fluxCfgResult.value.stdout?.trim()
+    ? JSON.parse(fluxCfgResult.value.stdout) : [];
+  const storageAccounts = storageResult.status === "fulfilled" && storageResult.value.exitCode === 0 && storageResult.value.stdout?.trim()
+    ? JSON.parse(storageResult.value.stdout) : [];
+  const containerRegistries = acrResult.status === "fulfilled" && acrResult.value.exitCode === 0 && acrResult.value.stdout?.trim()
+    ? JSON.parse(acrResult.value.stdout) : [];
+
+  const hcl = generateAksTerraform(cluster, { rg, rgLocation, pgServer, keyVault, fluxExt, fluxConfigs, storageAccounts, containerRegistries });
+
+  console.log(OK("  ✓ Terraform HCL generated from live cluster state\n"));
+
+  if (opts.output) {
+    fs.mkdirSync(path.dirname(path.resolve(opts.output)), { recursive: true });
+    fs.writeFileSync(path.resolve(opts.output), hcl, "utf8");
+    console.log(OK(`  ✓ Written to ${opts.output}\n`));
+  } else {
+    console.log(hcl);
+  }
+}
+
+// ── Generate Terraform HCL ────────────────────────────────────────────────────
+
+export function generateAksTerraform(cluster, { rg, rgLocation, pgServer, keyVault, fluxExt, fluxConfigs, storageAccounts = [], containerRegistries = [] }) {
+  const sku = cluster.sku || {};
+  const netProfile = cluster.networkProfile || {};
+  const identity = cluster.identity || {};
+  const pools = cluster.agentPoolProfiles || [];
+  const defaultPool = pools.find((p) => p.mode === "System") || pools[0];
+  const extraPools = pools.filter((p) => p !== defaultPool);
+  const apiAccess = cluster.apiServerAccessProfile || {};
+  const autoUpgrade = cluster.autoUpgradeProfile || {};
+
+  const tfName = (cluster.name || "aks").replace(/[^a-zA-Z0-9_]/g, "_");
+
+  const lines = [];
+  const w = (s = "") => lines.push(s);
+
+  // ── variables ──────────────────────────────────────────────────────────────
+
+  w(`# ─── Variables ────────────────────────────────────────────────────────────────`);
+  w();
+  w(`variable "resource_group_name" {`);
+  w(`  description = "Name of the Azure resource group"`);
+  w(`  type        = string`);
+  w(`  default     = "${rg}"`);
+  w(`}`);
+  w();
+  w(`variable "location" {`);
+  w(`  description = "Azure region"`);
+  w(`  type        = string`);
+  w(`  default     = "${rgLocation}"`);
+  w(`}`);
+  w();
+  w(`variable "cluster_name" {`);
+  w(`  description = "AKS cluster name"`);
+  w(`  type        = string`);
+  w(`  default     = "${cluster.name}"`);
+  w(`}`);
+  w();
+  w(`variable "kubernetes_version" {`);
+  w(`  description = "Kubernetes version"`);
+  w(`  type        = string`);
+  w(`  default     = "${cluster.kubernetesVersion}"`);
+  w(`}`);
+  w();
+  w(`variable "dns_prefix" {`);
+  w(`  description = "DNS prefix for the cluster"`);
+  w(`  type        = string`);
+  w(`  default     = "${cluster.dnsPrefix || cluster.name}"`);
+  w(`}`);
+  w();
+  w(`variable "sku_tier" {`);
+  w(`  description = "AKS SKU tier (Free, Standard, Premium)"`);
+  w(`  type        = string`);
+  w(`  default     = "${sku.tier || "Standard"}"`);
+  w(`}`);
+  w();
+
+  if (defaultPool) {
+    w(`variable "default_node_pool_vm_size" {`);
+    w(`  description = "VM size for the default node pool"`);
+    w(`  type        = string`);
+    w(`  default     = "${defaultPool.vmSize}"`);
+    w(`}`);
+    w();
+    w(`variable "default_node_pool_count" {`);
+    w(`  description = "Node count for the default pool"`);
+    w(`  type        = number`);
+    w(`  default     = ${defaultPool.count}`);
+    w(`}`);
+    w();
+    if (defaultPool.enableAutoScaling) {
+      w(`variable "default_node_pool_min_count" {`);
+      w(`  description = "Autoscaler minimum node count"`);
+      w(`  type        = number`);
+      w(`  default     = ${defaultPool.minCount}`);
+      w(`}`);
+      w();
+      w(`variable "default_node_pool_max_count" {`);
+      w(`  description = "Autoscaler maximum node count"`);
+      w(`  type        = number`);
+      w(`  default     = ${defaultPool.maxCount}`);
+      w(`}`);
+      w();
+    }
+  }
+
+  if (pgServer) {
+    w(`variable "postgres_admin_login" {`);
+    w(`  description = "Postgres administrator login"`);
+    w(`  type        = string`);
+    w(`  default     = "${pgServer.administratorLogin || "fopsadmin"}"`);
+    w(`}`);
+    w();
+    w(`variable "postgres_admin_password" {`);
+    w(`  description = "Postgres administrator password"`);
+    w(`  type        = string`);
+    w(`  sensitive   = true`);
+    w(`}`);
+    w();
+  }
+
+  if (fluxConfigs?.length) {
+    w(`variable "flux_github_token" {`);
+    w(`  description = "GitHub PAT for Flux HTTPS access"`);
+    w(`  type        = string`);
+    w(`  sensitive   = true`);
+    w(`  default     = ""`);
+    w(`}`);
+    w();
+  }
+
+  if (keyVault) {
+    w(`variable "tenant_id" {`);
+    w(`  description = "Azure AD tenant ID for Key Vault"`);
+    w(`  type        = string`);
+    w(`  default     = "${keyVault.properties?.tenantId || ""}"`);
+    w(`}`);
+    w();
+    w(`variable "auth0_client_id" {`);
+    w(`  description = "Auth0 application client ID"`);
+    w(`  type        = string`);
+    w(`  default     = ""`);
+    w(`}`);
+    w();
+    w(`variable "auth0_client_secret" {`);
+    w(`  description = "Auth0 application client secret"`);
+    w(`  type        = string`);
+    w(`  sensitive   = true`);
+    w(`  default     = ""`);
+    w(`}`);
+    w();
+    w(`variable "auth0_domain" {`);
+    w(`  description = "Auth0 tenant domain (e.g., your-tenant.auth0.com)"`);
+    w(`  type        = string`);
+    w(`  default     = ""`);
+    w(`}`);
+    w();
+    w(`variable "auth0_audience" {`);
+    w(`  description = "Auth0 API audience (e.g., https://api.meshx.app)"`);
+    w(`  type        = string`);
+    w(`  default     = ""`);
+    w(`}`);
+    w();
+  }
+
+  w(`variable "cloudflare_api_token" {`);
+  w(`  description = "Cloudflare API token for DNS management"`);
+  w(`  type        = string`);
+  w(`  sensitive   = true`);
+  w(`  default     = ""`);
+  w(`}`);
+  w();
+  w(`variable "dns_zone_name" {`);
+  w(`  description = "Cloudflare DNS zone name (e.g., meshx.app)"`);
+  w(`  type        = string`);
+  w(`  default     = ""`);
+  w(`}`);
+  w();
+  w(`variable "dns_hostname" {`);
+  w(`  description = "DNS hostname for the cluster ingress (e.g., demo.meshx.app)"`);
+  w(`  type        = string`);
+  w(`  default     = ""`);
+  w(`}`);
+  w();
+
+  // ── provider ───────────────────────────────────────────────────────────────
+
+  w(`# ─── Provider ─────────────────────────────────────────────────────────────────`);
+  w();
+  w(`terraform {`);
+  w(`  required_providers {`);
+  w(`    azurerm = {`);
+  w(`      source  = "hashicorp/azurerm"`);
+  w(`      version = "~> 4.0"`);
+  w(`    }`);
+  w(`    cloudflare = {`);
+  w(`      source  = "cloudflare/cloudflare"`);
+  w(`      version = "~> 4.0"`);
+  w(`    }`);
+  w(`    random = {`);
+  w(`      source  = "hashicorp/random"`);
+  w(`      version = "~> 3.0"`);
+  w(`    }`);
+  w(`  }`);
+  w(`}`);
+  w();
+  w(`provider "azurerm" {`);
+  w(`  features {}`);
+  w(`}`);
+  w();
+  w(`provider "cloudflare" {`);
+  w(`  api_token = var.cloudflare_api_token`);
+  w(`}`);
+  w();
+
+  // ── resource group ─────────────────────────────────────────────────────────
+
+  w(`# ─── Resource Group ──────────────────────────────────────────────────────────`);
+  w();
+  w(`resource "azurerm_resource_group" "aks" {`);
+  w(`  name     = var.resource_group_name`);
+  w(`  location = var.location`);
+  w(`}`);
+  w();
+
+  // ── AKS cluster ────────────────────────────────────────────────────────────
+
+  w(`# ─── AKS Cluster ─────────────────────────────────────────────────────────────`);
+  w();
+  w(`resource "azurerm_kubernetes_cluster" "${tfName}" {`);
+  w(`  name                = var.cluster_name`);
+  w(`  location            = azurerm_resource_group.aks.location`);
+  w(`  resource_group_name = azurerm_resource_group.aks.name`);
+  w(`  dns_prefix          = var.dns_prefix`);
+  w(`  kubernetes_version  = var.kubernetes_version`);
+  w(`  sku_tier            = var.sku_tier`);
+  w();
+
+  if (apiAccess.authorizedIpRanges?.length) {
+    w(`  api_server_access_profile {`);
+    w(`    authorized_ip_ranges = [${apiAccess.authorizedIpRanges.map((r) => `"${r}"`).join(", ")}]`);
+    w(`  }`);
+    w();
+  }
+
+  if (autoUpgrade.upgradeChannel) {
+    w(`  automatic_upgrade_channel = "${autoUpgrade.upgradeChannel}"`);
+    w();
+  }
+
+  if (identity.type) {
+    const identityType = identity.type === "SystemAssigned" ? "SystemAssigned" : "UserAssigned";
+    w(`  identity {`);
+    w(`    type = "${identityType}"`);
+    w(`  }`);
+    w();
+  }
+
+  if (defaultPool) {
+    w(`  default_node_pool {`);
+    w(`    name                = "${defaultPool.name}"`);
+    w(`    vm_size             = var.default_node_pool_vm_size`);
+    w(`    node_count          = var.default_node_pool_count`);
+    if (defaultPool.enableAutoScaling) {
+      w(`    auto_scaling_enabled = true`);
+      w(`    min_count           = var.default_node_pool_min_count`);
+      w(`    max_count           = var.default_node_pool_max_count`);
+    }
+    if (defaultPool.maxPods) {
+      w(`    max_pods            = ${defaultPool.maxPods}`);
+    }
+    if (defaultPool.osDiskSizeGb) {
+      w(`    os_disk_size_gb     = ${defaultPool.osDiskSizeGb}`);
+    }
+    if (defaultPool.osDiskType && defaultPool.osDiskType !== "Managed") {
+      w(`    os_disk_type        = "${defaultPool.osDiskType}"`);
+    }
+    if (defaultPool.vnetSubnetId) {
+      w(`    vnet_subnet_id      = "${defaultPool.vnetSubnetId}"`);
+    }
+    if (defaultPool.availabilityZones?.length) {
+      w(`    zones               = [${defaultPool.availabilityZones.map((z) => `"${z}"`).join(", ")}]`);
+    }
+    w(`  }`);
+    w();
+  }
+
+  if (netProfile.networkPlugin) {
+    w(`  network_profile {`);
+    w(`    network_plugin     = "${netProfile.networkPlugin}"`);
+    // Only emit network_policy if it's a valid value (not "none")
+    if (netProfile.networkPolicy && netProfile.networkPolicy !== "none") {
+      w(`    network_policy     = "${netProfile.networkPolicy}"`);
+    }
+    if (netProfile.serviceCidr) w(`    service_cidr       = "${netProfile.serviceCidr}"`);
+    if (netProfile.dnsServiceIp) w(`    dns_service_ip     = "${netProfile.dnsServiceIp}"`);
+    if (netProfile.loadBalancerSku) w(`    load_balancer_sku  = "${netProfile.loadBalancerSku}"`);
+    w(`  }`);
+    w();
+  }
+
+  if (cluster.oidcIssuerProfile?.enabled) {
+    w(`  oidc_issuer_enabled       = true`);
+  }
+  if (cluster.securityProfile?.workloadIdentity?.enabled) {
+    w(`  workload_identity_enabled = true`);
+  }
+
+  const tags = cluster.tags || {};
+  const tagEntries = Object.entries(tags);
+  if (tagEntries.length) {
+    w();
+    w(`  tags = {`);
+    for (const [k, v] of tagEntries) {
+      w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
+    }
+    w(`  }`);
+  }
+
+  w(`}`);
+  w();
+
+  // ── extra node pools ───────────────────────────────────────────────────────
+
+  for (const pool of extraPools) {
+    const poolTf = pool.name.replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`resource "azurerm_kubernetes_cluster_node_pool" "${poolTf}" {`);
+    w(`  name                  = "${pool.name}"`);
+    w(`  kubernetes_cluster_id = azurerm_kubernetes_cluster.${tfName}.id`);
+    w(`  vm_size               = "${pool.vmSize}"`);
+    w(`  node_count            = ${pool.count}`);
+    if (pool.enableAutoScaling) {
+      w(`  auto_scaling_enabled  = true`);
+      w(`  min_count             = ${pool.minCount}`);
+      w(`  max_count             = ${pool.maxCount}`);
+    }
+    if (pool.maxPods) {
+      w(`  max_pods              = ${pool.maxPods}`);
+    }
+    if (pool.mode) {
+      w(`  mode                  = "${pool.mode}"`);
+    }
+    if (pool.osDiskSizeGb) {
+      w(`  os_disk_size_gb       = ${pool.osDiskSizeGb}`);
+    }
+    if (pool.scaleSetPriority === "Spot") {
+      w(`  priority              = "Spot"`);
+      w(`  eviction_policy       = "${pool.scaleSetEvictionPolicy || "Delete"}"`);
+      if (pool.spotMaxPrice != null && pool.spotMaxPrice !== -1) {
+        w(`  spot_max_price        = ${pool.spotMaxPrice}`);
+      }
+    }
+    if (pool.vnetSubnetId) {
+      w(`  vnet_subnet_id        = "${pool.vnetSubnetId}"`);
+    }
+    if (pool.availabilityZones?.length) {
+      w(`  zones                 = [${pool.availabilityZones.map((z) => `"${z}"`).join(", ")}]`);
+    }
+    const poolTags = pool.tags || {};
+    const poolTagEntries = Object.entries(poolTags);
+    if (poolTagEntries.length) {
+      w();
+      w(`  tags = {`);
+      for (const [k, v] of poolTagEntries) {
+        w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
+      }
+      w(`  }`);
+    }
+    w(`}`);
+    w();
+  }
+
+  // ── Postgres Flexible Server ───────────────────────────────────────────────
+
+  if (pgServer) {
+    const pgTf = (pgServer.name || "psql").replace(/[^a-zA-Z0-9_]/g, "_");
+    const pgSku = pgServer.sku || {};
+    const pgStorage = pgServer.storage || {};
+    w(`# ─── Postgres Flexible Server ─────────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_postgresql_flexible_server" "${pgTf}" {`);
+    w(`  name                          = "${pgServer.name}"`);
+    w(`  resource_group_name           = azurerm_resource_group.aks.name`);
+    w(`  location                      = azurerm_resource_group.aks.location`);
+    w(`  version                       = "${pgServer.version || "16"}"`);
+    w(`  administrator_login           = var.postgres_admin_login`);
+    w(`  administrator_password        = var.postgres_admin_password`);
+    // Terraform expects sku_name in format "{tier_prefix}_Standard_{size}" e.g. "B_Standard_B2ms"
+    // Azure API returns sku.name as "Standard_B2ms" and sku.tier as "Burstable"
+    if (pgSku.name && pgSku.tier) {
+      const tierPrefix = pgSku.tier === "Burstable" ? "B" : pgSku.tier === "GeneralPurpose" ? "GP" : pgSku.tier === "MemoryOptimized" ? "MO" : pgSku.tier;
+      const skuName = pgSku.name.startsWith(`${tierPrefix}_`) ? pgSku.name : `${tierPrefix}_${pgSku.name}`;
+      w(`  sku_name                      = "${skuName}"`);
+    } else if (pgSku.name) {
+      w(`  sku_name                      = "${pgSku.name}"`);
+    }
+    if (pgSku.tier) w(`  zone                          = "${pgServer.availabilityZone || "1"}"`);
+    if (pgStorage.storageSizeGb) {
+      w(`  storage_mb                    = ${pgStorage.storageSizeGb * 1024}`);
+    }
+    if (pgServer.delegatedSubnetArguments?.subnetArmResourceId) {
+      w(`  delegated_subnet_id           = "${pgServer.delegatedSubnetArguments.subnetArmResourceId}"`);
+    }
+    if (pgServer.network?.privateDnsZoneArmResourceId) {
+      w(`  private_dns_zone_id           = "${pgServer.network.privateDnsZoneArmResourceId}"`);
+    }
+    const pgTags = pgServer.tags || {};
+    const pgTagEntries = Object.entries(pgTags);
+    if (pgTagEntries.length) {
+      w();
+      w(`  tags = {`);
+      for (const [k, v] of pgTagEntries) {
+        w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
+      }
+      w(`  }`);
+    }
+    w(`}`);
+    w();
+  }
+
+  // ── Key Vault ──────────────────────────────────────────────────────────────
+
+  if (keyVault) {
+    const kvTf = (keyVault.name || "kv").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`# ─── Key Vault ────────────────────────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_key_vault" "${kvTf}" {`);
+    w(`  name                       = "${keyVault.name}"`);
+    w(`  resource_group_name        = azurerm_resource_group.aks.name`);
+    w(`  location                   = azurerm_resource_group.aks.location`);
+    w(`  tenant_id                  = var.tenant_id`);
+    w(`  sku_name                   = "${keyVault.properties?.sku?.name || "standard"}"`);
+    w(`  rbac_authorization_enabled = ${keyVault.properties?.enableRbacAuthorization ?? true}`);
+    if (keyVault.properties?.enableSoftDelete !== undefined) {
+      w(`  soft_delete_retention_days = ${keyVault.properties?.softDeleteRetentionInDays || 90}`);
+    }
+    if (keyVault.properties?.enablePurgeProtection) {
+      w(`  purge_protection_enabled  = true`);
+    }
+    w();
+    w(`  # Network access: private (VNet service endpoint)`);
+    w(`  network_acls {`);
+    w(`    default_action             = "Deny"`);
+    w(`    bypass                     = "AzureServices"`);
+    if (defaultPool?.vnetSubnetId) {
+      w(`    virtual_network_subnet_ids = [azurerm_kubernetes_cluster.${tfName}.default_node_pool[0].vnet_subnet_id]`);
+    }
+    w(`  }`);
+    const kvTags = keyVault.tags || {};
+    const kvTagEntries = Object.entries(kvTags);
+    if (kvTagEntries.length) {
+      w();
+      w(`  tags = {`);
+      for (const [k, v] of kvTagEntries) {
+        w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
+      }
+      w(`  }`);
+    }
+    w(`}`);
+    w();
+
+    w(`resource "azurerm_role_assignment" "kv_kubelet_secrets_user" {`);
+    w(`  scope                = azurerm_key_vault.${kvTf}.id`);
+    w(`  role_definition_name = "Key Vault Secrets User"`);
+    w(`  principal_id         = azurerm_kubernetes_cluster.${tfName}.kubelet_identity[0].object_id`);
+    w(`}`);
+    w();
+
+    w(`resource "azurerm_role_assignment" "kv_kubelet_secrets_officer" {`);
+    w(`  scope                = azurerm_key_vault.${kvTf}.id`);
+    w(`  role_definition_name = "Key Vault Secrets Officer"`);
+    w(`  principal_id         = azurerm_kubernetes_cluster.${tfName}.kubelet_identity[0].object_id`);
+    w(`}`);
+    w();
+
+    // Vault auto-unseal key and role assignment
+    w(`# ─── Vault Auto-Unseal Key ─────────────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_key_vault_key" "vault_unseal" {`);
+    w(`  name         = "vault-unseal"`);
+    w(`  key_vault_id = azurerm_key_vault.${kvTf}.id`);
+    w(`  key_type     = "RSA"`);
+    w(`  key_size     = 2048`);
+    w();
+    w(`  key_opts = [`);
+    w(`    "wrapKey",`);
+    w(`    "unwrapKey",`);
+    w(`  ]`);
+    w();
+    w(`  depends_on = [azurerm_role_assignment.kv_kubelet_secrets_officer]`);
+    w(`}`);
+    w();
+
+    w(`resource "azurerm_role_assignment" "kv_kubelet_crypto_user" {`);
+    w(`  scope                = azurerm_key_vault.${kvTf}.id`);
+    w(`  role_definition_name = "Key Vault Crypto User"`);
+    w(`  principal_id         = azurerm_kubernetes_cluster.${tfName}.kubelet_identity[0].object_id`);
+    w(`}`);
+    w();
+  }
+
+  // ── Key Vault Secrets ────────────────────────────────────────────────────
+
+  if (keyVault) {
+    const kvTf = (keyVault.name || "kv").replace(/[^a-zA-Z0-9_]/g, "_");
+    const firstStorage = storageAccounts[0];
+    const saTf = firstStorage ? (firstStorage.name || "storage").replace(/[^a-zA-Z0-9_]/g, "_") : null;
+
+    w(`# ─── Key Vault Secrets ─────────────────────────────────────────────────────────`);
+    w();
+    w(`resource "random_password" "postgres" {`);
+    w(`  length  = 32`);
+    w(`  special = false # URL-safe for connection strings`);
+    w(`}`);
+    w();
+    w(`resource "random_password" "secret_key" {`);
+    w(`  length  = 64`);
+    w(`  special = false`);
+    w(`}`);
+    w();
+    w(`resource "random_password" "auth0_session" {`);
+    w(`  length  = 64`);
+    w(`  special = false`);
+    w(`}`);
+    w();
+    w(`resource "azurerm_key_vault_secret" "foundation_secrets" {`);
+    w(`  name         = "foundation-secrets"`);
+    w(`  key_vault_id = azurerm_key_vault.${kvTf}.id`);
+    w(`  content_type = "application/json"`);
+    w(`  value = jsonencode({`);
+    w(`    password                = random_password.postgres.result`);
+    w(`    secret_key              = random_password.secret_key.result`);
+    w(`    "auth0.client_id"       = var.auth0_client_id`);
+    w(`    "auth0.client_secret"   = var.auth0_client_secret`);
+    w(`    "auth0.secret"          = random_password.auth0_session.result`);
+    w(`    "auth0.domain"          = var.auth0_domain`);
+    w(`    "auth0.audience"        = var.auth0_audience`);
+    w(`    "auth0.issuer_base_url" = var.auth0_domain != "" ? "https://\${var.auth0_domain}" : ""`);
+    w(`    "auth0.base_url"        = var.dns_hostname != "" ? "https://\${var.dns_hostname}" : ""`);
+    w(`  })`);
+    w();
+    w(`  depends_on = [azurerm_role_assignment.kv_kubelet_secrets_officer]`);
+    w(`}`);
+    w();
+    w(`resource "azurerm_key_vault_secret" "auth0" {`);
+    w(`  name         = "auth0"`);
+    w(`  key_vault_id = azurerm_key_vault.${kvTf}.id`);
+    w(`  content_type = "application/json"`);
+    w(`  value = jsonencode({`);
+    w(`    client_id     = var.auth0_client_id`);
+    w(`    client_secret = var.auth0_client_secret`);
+    w(`  })`);
+    w();
+    w(`  depends_on = [azurerm_role_assignment.kv_kubelet_secrets_officer]`);
+    w(`}`);
+    w();
+    w(`resource "azurerm_key_vault_secret" "foundation_trino_jwt" {`);
+    w(`  name         = "foundation-trino-jwt"`);
+    w(`  key_vault_id = azurerm_key_vault.${kvTf}.id`);
+    w(`  content_type = "application/json"`);
+    w(`  value = jsonencode({`);
+    w(`    "jwt-secret.pem" = random_password.secret_key.result`);
+    w(`    secret_key       = random_password.secret_key.result`);
+    w(`  })`);
+    w();
+    w(`  depends_on = [azurerm_role_assignment.kv_kubelet_secrets_officer]`);
+    w(`}`);
+    w();
+    w(`resource "azurerm_key_vault_secret" "foundation_nats" {`);
+    w(`  name         = "foundation-nats"`);
+    w(`  key_vault_id = azurerm_key_vault.${kvTf}.id`);
+    w(`  content_type = "application/json"`);
+    w(`  value = jsonencode({`);
+    w(`    "nkeys-secret" = random_password.secret_key.result`);
+    w(`    secret_key     = random_password.secret_key.result`);
+    w(`  })`);
+    w();
+    w(`  depends_on = [azurerm_role_assignment.kv_kubelet_secrets_officer]`);
+    w(`}`);
+    w();
+    w(`resource "azurerm_key_vault_secret" "foundation_scheduler" {`);
+    w(`  name         = "foundation-scheduler-secrets"`);
+    w(`  key_vault_id = azurerm_key_vault.${kvTf}.id`);
+    w(`  content_type = "application/json"`);
+    w(`  value = jsonencode({`);
+    w(`    secretKey = random_password.secret_key.result`);
+    w(`  })`);
+    w();
+    w(`  depends_on = [azurerm_role_assignment.kv_kubelet_secrets_officer]`);
+    w(`}`);
+    w();
+
+    if (saTf) {
+      w(`resource "azurerm_key_vault_secret" "foundation_storage_engine_secrets" {`);
+      w(`  name         = "foundation-storage-engine-secrets"`);
+      w(`  key_vault_id = azurerm_key_vault.${kvTf}.id`);
+      w(`  content_type = "application/json"`);
+      w(`  value = jsonencode({`);
+      w(`    AZURE_ACCOUNT_NAME = azurerm_storage_account.${saTf}.name`);
+      w(`    AZURE_ACCOUNT_KEY  = azurerm_storage_account.${saTf}.primary_access_key`);
+      w(`    AZURE_SAS_TOKEN    = ""`);
+      w(`  })`);
+      w();
+      w(`  depends_on = [azurerm_role_assignment.kv_kubelet_secrets_officer]`);
+      w(`}`);
+      w();
+    }
+
+    w(`resource "azurerm_key_vault_secret" "foundation_storage_engine_auth" {`);
+    w(`  name         = "foundation-storage-engine-auth"`);
+    w(`  key_vault_id = azurerm_key_vault.${kvTf}.id`);
+    w(`  content_type = "application/json"`);
+    w(`  value = jsonencode({`);
+    w(`    AUTH_IDENTITY   = "foundation"`);
+    w(`    AUTH_CREDENTIAL = random_password.secret_key.result`);
+    w(`  })`);
+    w();
+    w(`  depends_on = [azurerm_role_assignment.kv_kubelet_secrets_officer]`);
+    w(`}`);
+    w();
+  }
+
+  // ── Storage Accounts ──────────────────────────────────────────────────────
+
+  for (const sa of storageAccounts) {
+    const saTf = (sa.name || "storage").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`# ─── Storage Account: ${sa.name} ───────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_storage_account" "${saTf}" {`);
+    w(`  name                     = "${sa.name}"`);
+    w(`  resource_group_name      = azurerm_resource_group.aks.name`);
+    w(`  location                 = azurerm_resource_group.aks.location`);
+    w(`  account_tier             = "${sa.sku?.tier || "Standard"}"`);
+    w(`  account_replication_type = "${(sa.sku?.name || "Standard_LRS").replace(/^(Standard|Premium)_/, "")}"`);
+    w(`  account_kind             = "${sa.kind || "StorageV2"}"`);
+    if (sa.allowBlobPublicAccess === false) {
+      w(`  allow_nested_items_to_be_public = false`);
+    }
+    if (sa.minimumTlsVersion) {
+      w(`  min_tls_version         = "${sa.minimumTlsVersion}"`);
+    }
+    w();
+    w(`  # Network access: private (VNet service endpoint)`);
+    w(`  network_rules {`);
+    w(`    default_action             = "Deny"`);
+    w(`    bypass                     = ["AzureServices"]`);
+    if (defaultPool?.vnetSubnetId) {
+      w(`    virtual_network_subnet_ids = [azurerm_kubernetes_cluster.${tfName}.default_node_pool[0].vnet_subnet_id]`);
+    }
+    w(`  }`);
+    const saTags = sa.tags || {};
+    const saTagEntries = Object.entries(saTags);
+    if (saTagEntries.length) {
+      w();
+      w(`  tags = {`);
+      for (const [k, v] of saTagEntries) {
+        w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
+      }
+      w(`  }`);
+    }
+    w(`}`);
+    w();
+
+    w(`resource "azurerm_role_assignment" "storage_${saTf}_blob_contributor" {`);
+    w(`  scope                = azurerm_storage_account.${saTf}.id`);
+    w(`  role_definition_name = "Storage Blob Data Contributor"`);
+    w(`  principal_id         = azurerm_kubernetes_cluster.${tfName}.kubelet_identity[0].object_id`);
+    w(`}`);
+    w();
+  }
+
+  // ── Container Registries (ACR) ────────────────────────────────────────────
+
+  for (const acr of containerRegistries) {
+    const acrTf = (acr.name || "acr").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`# ─── Container Registry: ${acr.name} ───────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_container_registry" "${acrTf}" {`);
+    w(`  name                = "${acr.name}"`);
+    w(`  resource_group_name = azurerm_resource_group.aks.name`);
+    w(`  location            = azurerm_resource_group.aks.location`);
+    w(`  sku                 = "${acr.sku?.name || "Basic"}"`);
+    if (acr.adminUserEnabled) {
+      w(`  admin_enabled      = true`);
+    }
+    const acrTags = acr.tags || {};
+    const acrTagEntries = Object.entries(acrTags);
+    if (acrTagEntries.length) {
+      w();
+      w(`  tags = {`);
+      for (const [k, v] of acrTagEntries) {
+        w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
+      }
+      w(`  }`);
+    }
+    w(`}`);
+    w();
+
+    w(`resource "azurerm_role_assignment" "acr_${acrTf}_pull" {`);
+    w(`  scope                = azurerm_container_registry.${acrTf}.id`);
+    w(`  role_definition_name = "AcrPull"`);
+    w(`  principal_id         = azurerm_kubernetes_cluster.${tfName}.kubelet_identity[0].object_id`);
+    w(`}`);
+    w();
+  }
+
+  // ── Flux extension ─────────────────────────────────────────────────────────
+
+  if (fluxExt) {
+    w(`# ─── Flux ─────────────────────────────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_kubernetes_cluster_extension" "flux" {`);
+    w(`  name           = "flux"`);
+    w(`  cluster_id     = azurerm_kubernetes_cluster.${tfName}.id`);
+    w(`  extension_type = "microsoft.flux"`);
+    w(`}`);
+    w();
+  }
+
+  // ── Flux GitOps configurations ─────────────────────────────────────────────
+
+  for (const cfg of (fluxConfigs || [])) {
+    const cfgTf = (cfg.name || "flux_system").replace(/[^a-zA-Z0-9_]/g, "_");
+    const gitRepo = cfg.gitRepository || {};
+    const kustomizations = cfg.kustomizations || {};
+
+    w(`resource "azurerm_kubernetes_flux_configuration" "${cfgTf}" {`);
+    w(`  name       = "${cfg.name}"`);
+    w(`  cluster_id = azurerm_kubernetes_cluster.${tfName}.id`);
+    w(`  namespace  = "${cfg.namespace || "flux-system"}"`);
+    w(`  scope      = "${cfg.scope || "cluster"}"`);
+    w();
+    if (gitRepo.url) {
+      w(`  git_repository {`);
+      w(`    url             = "${gitRepo.url}"`);
+      w(`    reference_type  = "branch"`);
+      w(`    reference_value = "${gitRepo.repositoryRef?.branch || "main"}"`);
+      if (gitRepo.httpsUser) {
+        w(`    https_user       = "${gitRepo.httpsUser}"`);
+        w(`    https_key_base64 = base64encode(var.flux_github_token)`);
+      }
+      w(`  }`);
+      w();
+    }
+    for (const [ksName, ks] of Object.entries(kustomizations)) {
+      w(`  kustomizations {`);
+      w(`    name = "${ksName}"`);
+      if (ks.path) w(`    path = "${ks.path}"`);
+      if (ks.prune != null) w(`    garbage_collection_enabled = ${ks.prune}`);
+      w(`  }`);
+      w();
+    }
+
+    w(`  depends_on = [azurerm_kubernetes_cluster_extension.flux]`);
+    w(`}`);
+    w();
+  }
+
+  // ── Workload Identity ─────────────────────────────────────────────────────
+
+  w(`# ─── Workload Identity ────────────────────────────────────────────────────────`);
+  w();
+  w(`resource "azurerm_user_assigned_identity" "workload" {`);
+  w(`  name                = "\${var.cluster_name}-workload-identity"`);
+  w(`  resource_group_name = azurerm_resource_group.aks.name`);
+  w(`  location            = azurerm_resource_group.aks.location`);
+  w(`}`);
+  w();
+
+  w(`resource "azurerm_federated_identity_credential" "external_secrets" {`);
+  w(`  name      = "external-secrets"`);
+  w(`  parent_id = azurerm_user_assigned_identity.workload.id`);
+  w(`  audience  = ["api://AzureADTokenExchange"]`);
+  w(`  issuer    = azurerm_kubernetes_cluster.${tfName}.oidc_issuer_url`);
+  w(`  subject   = "system:serviceaccount:external-secrets:external-secrets"`);
+  w(`}`);
+  w();
+
+  w(`resource "azurerm_federated_identity_credential" "cert_manager" {`);
+  w(`  name      = "cert-manager"`);
+  w(`  parent_id = azurerm_user_assigned_identity.workload.id`);
+  w(`  audience  = ["api://AzureADTokenExchange"]`);
+  w(`  issuer    = azurerm_kubernetes_cluster.${tfName}.oidc_issuer_url`);
+  w(`  subject   = "system:serviceaccount:cert-manager:cert-manager"`);
+  w(`}`);
+  w();
+
+  w(`resource "azurerm_federated_identity_credential" "vault" {`);
+  w(`  name      = "vault"`);
+  w(`  parent_id = azurerm_user_assigned_identity.workload.id`);
+  w(`  audience  = ["api://AzureADTokenExchange"]`);
+  w(`  issuer    = azurerm_kubernetes_cluster.${tfName}.oidc_issuer_url`);
+  w(`  subject   = "system:serviceaccount:foundation:vault"`);
+  w(`}`);
+  w();
+
+  if (keyVault) {
+    const kvTf = (keyVault.name || "kv").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`resource "azurerm_role_assignment" "kv_workload_secrets_user" {`);
+    w(`  scope                = azurerm_key_vault.${kvTf}.id`);
+    w(`  role_definition_name = "Key Vault Secrets User"`);
+    w(`  principal_id         = azurerm_user_assigned_identity.workload.principal_id`);
+    w(`}`);
+    w();
+    w(`resource "azurerm_role_assignment" "kv_workload_crypto_user" {`);
+    w(`  scope                = azurerm_key_vault.${kvTf}.id`);
+    w(`  role_definition_name = "Key Vault Crypto User"`);
+    w(`  principal_id         = azurerm_user_assigned_identity.workload.principal_id`);
+    w(`}`);
+    w();
+  }
+
+  // ── Cloudflare DNS ────────────────────────────────────────────────────────
+
+  w(`# ─── Cloudflare DNS ──────────────────────────────────────────────────────────`);
+  w();
+  w(`data "cloudflare_zone" "main" {`);
+  w(`  count = var.dns_zone_name != "" ? 1 : 0`);
+  w(`  name  = var.dns_zone_name`);
+  w(`}`);
+  w();
+  w(`resource "cloudflare_record" "ingress" {`);
+  w(`  count   = var.dns_hostname != "" && var.dns_zone_name != "" ? 1 : 0`);
+  w(`  zone_id = data.cloudflare_zone.main[0].id`);
+  w(`  name    = var.dns_hostname`);
+  w(`  content = "" # Set to ingress IP after cluster creation`);
+  w(`  type    = "A"`);
+  w(`  ttl     = 1`);
+  w(`  proxied = true`);
+  w();
+  w(`  lifecycle {`);
+  w(`    ignore_changes = [content] # IP managed externally`);
+  w(`  }`);
+  w(`}`);
+  w();
+  w(`resource "cloudflare_zone_settings_override" "ssl" {`);
+  w(`  count   = var.dns_zone_name != "" ? 1 : 0`);
+  w(`  zone_id = data.cloudflare_zone.main[0].id`);
+  w();
+  w(`  settings {`);
+  w(`    ssl = "full"`);
+  w(`  }`);
+  w(`}`);
+  w();
+  w(`resource "cloudflare_ruleset" "origin_rules" {`);
+  w(`  count   = var.dns_hostname != "" && var.dns_zone_name != "" ? 1 : 0`);
+  w(`  zone_id = data.cloudflare_zone.main[0].id`);
+  w(`  name    = "fops origin rules"`);
+  w(`  kind    = "zone"`);
+  w(`  phase   = "http_request_origin"`);
+  w();
+  w(`  rules {`);
+  w(`    action      = "route"`);
+  w(`    expression  = "(http.host eq \\"\${var.dns_hostname}\\")"`);
+  w(`    description = "fops: \${var.dns_hostname} → port 443"`);
+  w(`    enabled     = true`);
+  w();
+  w(`    action_parameters {`);
+  w(`      origin {`);
+  w(`        port = 443`);
+  w(`      }`);
+  w(`    }`);
+  w(`  }`);
+  w(`}`);
+  w();
+
+  // ── outputs ────────────────────────────────────────────────────────────────
+
+  w(`# ─── Outputs ─────────────────────────────────────────────────────────────────`);
+  w();
+  w(`output "cluster_name" {`);
+  w(`  value = azurerm_kubernetes_cluster.${tfName}.name`);
+  w(`}`);
+  w();
+  w(`output "cluster_fqdn" {`);
+  w(`  value = azurerm_kubernetes_cluster.${tfName}.fqdn`);
+  w(`}`);
+  w();
+  w(`output "kube_config" {`);
+  w(`  value     = azurerm_kubernetes_cluster.${tfName}.kube_config_raw`);
+  w(`  sensitive = true`);
+  w(`}`);
+  w();
+  if (pgServer) {
+    w(`output "postgres_fqdn" {`);
+    const pgTf = (pgServer.name || "psql").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`  value = azurerm_postgresql_flexible_server.${pgTf}.fqdn`);
+    w(`}`);
+    w();
+  }
+  if (keyVault) {
+    const kvTf = (keyVault.name || "kv").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`output "key_vault_uri" {`);
+    w(`  value = azurerm_key_vault.${kvTf}.vault_uri`);
+    w(`}`);
+    w();
+    w(`output "key_vault_name" {`);
+    w(`  value = azurerm_key_vault.${kvTf}.name`);
+    w(`}`);
+    w();
+    w(`output "vault_unseal_key_name" {`);
+    w(`  description = "Key Vault key name for Vault auto-unseal"`);
+    w(`  value       = azurerm_key_vault_key.vault_unseal.name`);
+    w(`}`);
+    w();
+  }
+  for (const sa of storageAccounts) {
+    const saTf = (sa.name || "storage").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`output "storage_${saTf}_blob_endpoint" {`);
+    w(`  value = azurerm_storage_account.${saTf}.primary_blob_endpoint`);
+    w(`}`);
+    w();
+  }
+
+  // ── Identity outputs ────────────────────────────────────────────────────────
+
+  w(`output "kubelet_identity_object_id" {`);
+  w(`  description = "Object ID of AKS kubelet managed identity (for role assignments)"`);
+  w(`  value       = azurerm_kubernetes_cluster.${tfName}.kubelet_identity[0].object_id`);
+  w(`}`);
+  w();
+  w(`output "kubelet_identity_client_id" {`);
+  w(`  description = "Client ID of AKS kubelet managed identity (for ExternalSecrets)"`);
+  w(`  value       = azurerm_kubernetes_cluster.${tfName}.kubelet_identity[0].client_id`);
+  w(`}`);
+  w();
+  w(`output "oidc_issuer_url" {`);
+  w(`  description = "OIDC issuer URL for workload identity federation"`);
+  w(`  value       = azurerm_kubernetes_cluster.${tfName}.oidc_issuer_url`);
+  w(`}`);
+  w();
+  w(`output "workload_identity_client_id" {`);
+  w(`  description = "Client ID of workload identity (for pod annotations)"`);
+  w(`  value       = azurerm_user_assigned_identity.workload.client_id`);
+  w(`}`);
+  w();
+  w(`output "workload_identity_principal_id" {`);
+  w(`  description = "Principal ID of workload identity (for role assignments)"`);
+  w(`  value       = azurerm_user_assigned_identity.workload.principal_id`);
+  w(`}`);
+  w();
+
+  return lines.join("\n");
+}