zopdev · gizmo-rt · Jan 21, 2026 · Jan 21, 2026 · Jan 22, 2026 · Jan 22, 2026
diff --git a/account-setup/azure/main.tf b/account-setup/azure/main.tf
diff --git a/account-setup/azure/outputs.tf b/account-setup/azure/outputs.tf
@@ -1,3 +1,58 @@
 output "vnet" {
-  value     = try(azurerm_virtual_network.vnet[0].address_space,0)
-}
+  description = "Map of VNet names to their IDs"
+  value = {
+    for k, v in azurerm_virtual_network.vnet : k => v.id
+  }
+}
+
+output "private_subnets" {
+  description = "List of private subnet names"
+  value       = [for subnet in azurerm_subnet.private : subnet.name]
+}
+
+output "database_subnets" {
+  description = "List of database subnet names (includes both PostgreSQL and MySQL subnets)"
+  value = concat(
+    [for subnet in azurerm_subnet.postgresql : subnet.name],
+    [for subnet in azurerm_subnet.mysql : subnet.name]
+  )
+}
+
+output "postgresql_subnets" {
+  description = "List of PostgreSQL subnet names"
+  value       = [for subnet in azurerm_subnet.postgresql : subnet.name]
+}
+
+output "mysql_subnets" {
+  description = "List of MySQL subnet names"
+  value       = [for subnet in azurerm_subnet.mysql : subnet.name]
+}
+
+output "private_subnet_ids" {
+  description = "Map of private subnet names to their IDs"
+  value = {
+    for k, v in azurerm_subnet.private : v.name => v.id
+  }
+}
+
+output "database_subnet_ids" {
+  description = "Map of database subnet names to their IDs (includes both PostgreSQL and MySQL)"
+  value = merge(
+    { for k, v in azurerm_subnet.postgresql : v.name => v.id },
+    { for k, v in azurerm_subnet.mysql : v.name => v.id }
+  )
+}
+
+output "postgresql_subnet_ids" {
+  description = "Map of PostgreSQL subnet names to their IDs"
+  value = {
+    for k, v in azurerm_subnet.postgresql : v.name => v.id
+  }
+}
+
+output "mysql_subnet_ids" {
+  description = "Map of MySQL subnet names to their IDs"
+  value = {
+    for k, v in azurerm_subnet.mysql : v.name => v.id
+  }
+}
diff --git a/account-setup/azure/vars.tf b/account-setup/azure/vars.tf
@@ -4,14 +4,20 @@ variable "resource_group_name" {
   default     = ""
 }
 
-variable "vnet" {
-  description = "Name of the virtual network where the AKS will deploy"
+# For ostronaut compatibility
+variable "vpc_configs" {
+  description = "Legacy VPC name as string (for backward compatibility). Use vnet_config instead."
   type        = string
   default     = ""
 }
 
-variable "address_space" {
-  description = "The address space that is used the virtual network"
-  type        = list(string)
-  default     = ["10.0.0.0/16"]
+variable "vnet_config" {
+  description = "VNet configuration - map of VNet names to their configuration. Note: database_subnets_cidr should have even number of entries (even indices for PostgreSQL, odd for MySQL)"
+  type = map(object({
+    address_space         = list(string)
+    private_subnets_cidr  = list(string)
+    database_subnets_cidr = optional(list(string))
+    redis_subnets_cidr    = optional(list(string))
+  }))
+  default = {}
 }
diff --git a/artifact/aws/main.tf b/artifact/aws/main.tf
@@ -1,7 +1,9 @@
 resource "aws_ecr_repository" "ecr_repo" {
   for_each = toset(var.services)
-  name                 = each.value
-  image_tag_mutability = "MUTABLE"
+
+  name = each.value
+
+  image_tag_mutability = var.immutable_image_tags ? "IMMUTABLE" : "MUTABLE"
 
   image_scanning_configuration {
     scan_on_push = true

diff --git a/artifact/aws/vars.tf b/artifact/aws/vars.tf
@@ -3,4 +3,10 @@ variable "services" {
   description = "List of services to be deployed within the namespace"
   type        = list(string)
   default     = []
+}
+
+variable "immutable_image_tags" {
+  description = "Specifies the ECR image tags are immutable"
+  type        = bool
+  default     = true
 }
diff --git a/artifact/gcp/main.tf b/artifact/gcp/main.tf
@@ -13,6 +13,10 @@ resource "google_artifact_registry_repository" "gcr_repo" {
   description   = "${each.value} docker repository"
   format        = "DOCKER"
 
+  docker_config {
+    immutable_tags = var.immutable_image_tags
+  }
+
   depends_on = [google_project_service.enable_artifact_registry]
 }
 

diff --git a/artifact/gcp/vars.tf b/artifact/gcp/vars.tf
@@ -16,4 +16,10 @@ variable "registry_permissions" {
     users = list(string)
   }))
   default     = {}
+}
+
+variable "immutable_image_tags" {
+  description = "Specifies whether the GAR image tags are immutable"
+  type        = bool
+  default     = true
 }
diff --git a/k8s/aws/eks/autoscale.tf b/k8s/aws/eks/autoscale.tf
@@ -1,10 +1,12 @@
-data "template_file" "autoscale_template" {
-  template = file("./templates/cluster-auto-scaler-values.yaml")
-  vars = {
-    CLUSTER_REGION = var.app_region
-    CLUSTER_NAME   = local.cluster_name
-    ACCOUNT_ID     = data.aws_caller_identity.current.account_id
-  }
+locals {
+  autoscale_template = templatefile(
+    "${path.module}/templates/cluster-auto-scaler-values.yaml",
+    {
+      CLUSTER_REGION = var.app_region
+      CLUSTER_NAME   = local.cluster_name
+      ACCOUNT_ID     = data.aws_caller_identity.current.account_id
+    }
+  )
 }
 
 resource "helm_release" "auto_scaler" {
@@ -14,7 +16,7 @@ resource "helm_release" "auto_scaler" {
   namespace  = "kube-system"
   version    = "9.50.0"
 
-  values = [data.template_file.autoscale_template.rendered]
+  values = [local.autoscale_template]
 
   depends_on = [null_resource.wait_for_cluster]
 }
diff --git a/k8s/aws/eks/cert-manager.tf b/k8s/aws/eks/cert-manager.tf
@@ -1,3 +1,37 @@
+locals {
+  cert_manager_template = templatefile(
+    "${path.module}/templates/cert-manager-values.yaml",
+    {
+      CLUSTER_NAME = local.cluster_name
+      role_arn    = aws_iam_role.cluster_issuer_role.arn
+    }
+  )
+
+  cluster_wildcard_issuer = templatefile(
+    "${path.module}/templates/cluster-issuer.yaml",
+    {
+      dns             = local.domain_name
+      cert_issuer_url = try(
+          var.cert_issuer_config.env == "stage"
+          ? "https://acme-staging-v02.api.letsencrypt.org/directory"
+          : "https://acme-v02.api.letsencrypt.org/directory",
+        "https://acme-staging-v02.api.letsencrypt.org/directory"
+      )
+      location    = var.app_region
+      zone_id     = data.aws_route53_zone.zone.0.zone_id
+      secret_name = "${local.cluster_name}-cluster-issuer-creds"
+      email       = var.cert_issuer_config.email
+    }
+  )
+
+  cluster_wildcard_certificate = templatefile(
+    "${path.module}/templates/cluster-certificate.yaml",
+    {
+      dns = local.domain_name
+    }
+  )
+}
+
 resource "null_resource" "wait_for_cluster" {
   provisioner "local-exec" {
     command = "sleep 60"  # Adjust the duration as needed
@@ -6,14 +40,6 @@ resource "null_resource" "wait_for_cluster" {
   depends_on = [module.eks]
 }
 
-data "template_file" "cert_manager_template" {
-  template = file("./templates/cert-manager-values.yaml")
-  vars     = {
-    CLUSTER_NAME    = local.cluster_name
-    role_arn        = aws_iam_role.cluster_issuer_role.arn
-  }
-}
-
 resource "helm_release" "cert-manager" {
   name             = "cert-manager"
   repository       = "https://charts.jetstack.io"
@@ -27,7 +53,7 @@ resource "helm_release" "cert-manager" {
     value = "true"
   }
 
-  values = [data.template_file.cert_manager_template.rendered]
+  values = [local.cert_manager_template]
 
   depends_on = [null_resource.wait_for_cluster]
 }
@@ -113,33 +139,14 @@ resource "kubernetes_secret" "cluster_issuer_credentials" {
   depends_on = [helm_release.cert-manager]
 }
 
-data "template_file" "cluster_wildcard_issuer" {
-  template = file("./templates/cluster-issuer.yaml")
-  vars     = {
-    dns             = local.domain_name
-    cert_issuer_url = try(var.cert_issuer_config.env == "stage" ? "https://acme-staging-v02.api.letsencrypt.org/directory" : "https://acme-v02.api.letsencrypt.org/directory","https://acme-staging-v02.api.letsencrypt.org/directory")
-    location        = var.app_region
-    zone_id         = data.aws_route53_zone.zone.0.zone_id
-    secret_name     = "${local.cluster_name}-cluster-issuer-creds"
-    email           = var.cert_issuer_config.email
-  }
-  depends_on = [helm_release.cert-manager,kubernetes_namespace.monitoring]
-}
-
 resource "kubectl_manifest" "cluster_wildcard_issuer" {
-  yaml_body = data.template_file.cluster_wildcard_issuer.rendered
-}
-
-data "template_file" "cluster_wildcard_certificate" {
-  template = file("./templates/cluster-certificate.yaml")
-  vars     = {
-    dns       = local.domain_name
-  }
-  depends_on = [kubectl_manifest.cluster_wildcard_issuer]
+  yaml_body  = local.cluster_wildcard_issuer
+  depends_on = [kubernetes_secret.cluster_issuer_credentials]
 }
 
 resource "kubectl_manifest" "cluster_wildcard_certificate" {
-  yaml_body = data.template_file.cluster_wildcard_certificate.rendered
+  yaml_body  = local.cluster_wildcard_certificate
+  depends_on = [kubectl_manifest.cluster_wildcard_issuer]
 }
 
 resource "kubernetes_secret_v1" "certificate_replicator" {

diff --git a/k8s/aws/eks/fluentbit.tf b/k8s/aws/eks/fluentbit.tf
@@ -114,30 +114,32 @@ data "aws_iam_policy_document" "fluent_bit_policy" {
   }
 }
 
-data template_file "fluent-bit"{
-  count    = local.fluent_bit_enable ? 1 : 0
-  template = file("./templates/fluent-bit-values.yaml")
-  vars     = {
-    "CLUSTER_NAME"    = local.cluster_name
-    "AWS_REGION"      = var.app_region
-    "TAGS"            = join(",", [for key, value in local.common_tags : "${key}=${value}"])
-
-    "HTTP_SERVER" = "On"
-    "HTTP_PORT"   = "2020"
-
-    "READ_FROM_HEAD" = "Off"
-    "READ_FROM_TAIL" = "On"
-
-    fluent_bit_cloud_watch_enable = local.fluent_bit_cloud_watch_enable
-    fluent_bit_loki_outputs = jsonencode(local.fluent_bit_loki_outputs)
-    fluent_bit_http_outputs = jsonencode(local.fluent_bit_http_outputs)
-    fluent_bit_splunk_outputs = jsonencode(local.fluent_bit_splunk_outputs)
-    fluent_bit_datadog_outputs = jsonencode(local.fluent_bit_datadog_outputs)
-    fluent_bit_newrelic_outputs = jsonencode(local.fluent_bit_newrelic_outputs)
-    fluent_bit_slack_outputs = jsonencode(local.fluent_bit_slack_outputs)
-  }
+locals {
+  fluent_bit = local.fluent_bit_enable ? templatefile(
+    "${path.module}/templates/fluent-bit-values.yaml",
+    {
+      CLUSTER_NAME    = local.cluster_name
+      AWS_REGION      = var.app_region
+      TAGS            = join(",", [for key, value in local.common_tags : "${key}=${value}"])
+
+      HTTP_SERVER     = "On"
+      HTTP_PORT       = "2020"
+
+      READ_FROM_HEAD  = "Off"
+      READ_FROM_TAIL  = "On"
+
+      fluent_bit_cloud_watch_enable = local.fluent_bit_cloud_watch_enable
+      fluent_bit_loki_outputs       = jsonencode(local.fluent_bit_loki_outputs)
+      fluent_bit_http_outputs       = jsonencode(local.fluent_bit_http_outputs)
+      fluent_bit_splunk_outputs     = jsonencode(local.fluent_bit_splunk_outputs)
+      fluent_bit_datadog_outputs    = jsonencode(local.fluent_bit_datadog_outputs)
+      fluent_bit_newrelic_outputs   = jsonencode(local.fluent_bit_newrelic_outputs)
+      fluent_bit_slack_outputs      = jsonencode(local.fluent_bit_slack_outputs)
+    }
+  ) : null
 }
 
+
 resource "helm_release" "fluntbit-config" {
   count    = local.fluent_bit_enable ? 1 : 0
   repository = "https://fluent.github.io/helm-charts"
@@ -147,7 +149,7 @@ resource "helm_release" "fluntbit-config" {
   namespace  = kubernetes_namespace.monitoring.metadata.0.name
 
   values = [
-    data.template_file.fluent-bit[0].rendered
+    local.fluent_bit
   ]
   depends_on = [
     kubernetes_namespace.monitoring