chore: update module

chore: update module

Author: florianow

modules/AGENTS.md

@@ -55,18 +55,25 @@ aws/
 
 ## Provider Version Strategy
 
-**Pinning Guidelines:**
-- **Use `~>` for stable APIs:** AWS (`~> 5.0`), Azure (`~> 3.116.0`)
-- **Use exact versions for frequent breaking changes:** Google (`6.12.0`)
-- **Review provider versions quarterly** to stay current with security patches
-- **Exception:** Pin to exact versions when a specific feature is required
-
-**Current Latest Versions:**
-- AWS Provider: `~> 5.0`
-- Azure Provider: `~> 3.116.0`
-- Google Provider: `6.12.0` (exact due to API volatility)
-- SAP BTP Provider: `~> 1.8.0`
-- Time Provider: `~> 0.11.1`
+**Provider versions are module-specific, not repository-wide.** Each module should declare the minimum provider version it requires based on testing and feature needs.
+
+**Version Selection Criteria:**
+
+When choosing a provider version for a module, consider:
+
+1. **Feature Requirements** - Does the module need specific APIs/resources from newer versions?
+2. **Testing Validation** - Which version has been tested with this module?
+3. **Breaking Changes** - Are there known breaking changes to avoid?
+4. **Stability** - Prefer versions with `~>` for patch updates unless there's a specific reason
+5. **Backwards Compatibility** - Will this work with existing deployments?
+
+**Version Constraint Best Practices:**
+
+- **Use `~> X.Y.Z`** to allow patch updates (recommended for most cases)
+- **Use exact versions** (`X.Y.Z`) only for providers with frequent breaking changes
+- **Document in the module's README** why a specific version is required
+- **Test against specific versions** - Each module should be validated with the provider version it declares
+- **Review provider versions quarterly** to stay current with security patches and new features
 
 ## Terraform Version Requirements
 
@@ -226,4 +233,4 @@ category: storage
 - [ ] Shared responsibility matrix documented
 - [ ] Cross-provider consistency maintained
 
-This comprehensive guide ensures consistency and quality across all building block modules in the multi-cloud platform.
+This comprehensive guide ensures consistency and quality across all building block modules in the multi-cloud platform.

modules/azure/aks/backplane/README.md

@@ -12,8 +12,8 @@ across all subscriptions underneath a management group (typically the top-level
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.36.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 4.36.0 |
 
 ## Modules
 
@@ -23,8 +23,8 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/role_definition) | resource |
+| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
 
 ## Inputs
 

modules/azure/aks/backplane/main.tf

@@ -5,15 +5,46 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
 
   permissions {
     actions = [
-      "Microsoft.ContainerService/managedClusters/*",
-      "Microsoft.ContainerService/managedClusters/accessProfiles/*",
-      "Microsoft.Network/virtualNetworks/*",
+      "Microsoft.ContainerService/managedClusters/read",
+      "Microsoft.ContainerService/managedClusters/write",
+      "Microsoft.ContainerService/managedClusters/delete",
+      "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
+      "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
+      "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
+      "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
+      "Microsoft.ContainerService/managedClusters/accessProfiles/read",
+      "Microsoft.ContainerService/managedClusters/agentPools/read",
+      "Microsoft.ContainerService/managedClusters/agentPools/write",
+      "Microsoft.ContainerService/managedClusters/agentPools/delete",
+      "Microsoft.Network/virtualNetworks/read",
+      "Microsoft.Network/virtualNetworks/write",
+      "Microsoft.Network/virtualNetworks/delete",
+      "Microsoft.Network/virtualNetworks/subnets/read",
+      "Microsoft.Network/virtualNetworks/subnets/write",
+      "Microsoft.Network/virtualNetworks/subnets/delete",
+      "Microsoft.Network/virtualNetworks/subnets/join/action",
       "Microsoft.Network/networkInterfaces/read",
-      "Microsoft.Network/networkSecurityGroups/*",
-      "Microsoft.Resources/deployments/*",
-      "Microsoft.Resources/subscriptions/resourceGroups/*",
-      "Microsoft.OperationalInsights/*",
-      "Microsoft.Insights/diagnosticSettings/*",
+      "Microsoft.Network/networkSecurityGroups/read",
+      "Microsoft.Network/networkSecurityGroups/write",
+      "Microsoft.Network/networkSecurityGroups/delete",
+      "Microsoft.Network/publicIPAddresses/read",
+      "Microsoft.Network/publicIPAddresses/write",
+      "Microsoft.Network/publicIPAddresses/delete",
+      "Microsoft.Network/loadBalancers/read",
+      "Microsoft.Network/loadBalancers/write",
+      "Microsoft.Network/loadBalancers/delete",
+      "Microsoft.Resources/deployments/read",
+      "Microsoft.Resources/deployments/write",
+      "Microsoft.Resources/deployments/delete",
+      "Microsoft.Resources/subscriptions/resourceGroups/read",
+      "Microsoft.Resources/subscriptions/resourceGroups/write",
+      "Microsoft.Resources/subscriptions/resourceGroups/delete",
+      "Microsoft.OperationalInsights/workspaces/read",
+      "Microsoft.OperationalInsights/workspaces/write",
+      "Microsoft.OperationalInsights/workspaces/delete",
+      "Microsoft.Insights/diagnosticSettings/read",
+      "Microsoft.Insights/diagnosticSettings/write",
+      "Microsoft.Insights/diagnosticSettings/delete",
       "Microsoft.Authorization/roleAssignments/read"
     ]
   }

modules/azure/aks/backplane/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.5.0"
+  required_version = ">= 1.3.0"
 
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "4.36.0" # oder aktuelle getestete Version
+      version = "~> 4.36.0"
     }
   }
 }

modules/azure/aks/buildingblock/APP_TEAM_README.md

@@ -0,0 +1,80 @@
+# Azure Kubernetes Service (AKS)
+
+## Description
+This building block provides a production-grade Azure Kubernetes Service (AKS) cluster with integrated security, monitoring, and networking features. It delivers a fully managed Kubernetes environment with Azure AD authentication, workload identity support, and comprehensive observability through Log Analytics.
+
+## Usage Motivation
+This building block is for application teams that need to deploy containerized applications on a secure, scalable, and managed Kubernetes platform. The AKS cluster comes pre-configured with enterprise-grade security features, eliminating the operational complexity of managing Kubernetes infrastructure while maintaining the flexibility to run any containerized workload.
+
+## 🚀 Usage Examples
+- A development team deploys microservices-based applications using Kubernetes deployments, services, and ingress controllers.
+- A data engineering team runs distributed data processing workloads using Kubernetes jobs and cron jobs.
+- An operations team manages multi-tenant applications with namespace isolation and resource quotas.
+- A DevOps team implements GitOps-based continuous deployment pipelines targeting the AKS cluster.
+
+## 🔄 Shared Responsibility
+
+| Responsibility | Platform Team | Application Team |
+|----------------|--------------|-----------------|
+| Provisioning and configuring the AKS cluster | ✅ | ❌ |
+| Managing cluster upgrades and patches | ✅ | ❌ |
+| Configuring Azure AD authentication and RBAC | ✅ | ❌ |
+| Setting up Log Analytics and monitoring infrastructure | ✅ | ❌ |
+| Managing virtual network and subnet configuration | ✅ | ❌ |
+| Deploying and managing applications and workloads | ❌ | ✅ |
+| Configuring application-level resource limits and quotas | ❌ | ✅ |
+| Managing Kubernetes namespaces and RBAC within the cluster | ❌ | ✅ |
+| Monitoring application performance and logs | ❌ | ✅ |
+| Implementing application security policies (Network Policies, Pod Security) | ❌ | ✅ |
+
+## 💡 Best Practices for Secure and Efficient AKS Usage
+
+### Security
+- **Use Workload Identity**: Leverage Azure AD Workload Identity for secure authentication to Azure resources without storing credentials
+- **Implement Network Policies**: Define Kubernetes Network Policies to control pod-to-pod communication
+- **Enable Pod Security Standards**: Apply Kubernetes Pod Security Standards to enforce security best practices
+- **Use Azure Key Vault**: Store secrets in Azure Key Vault and inject them into pods using CSI Secret Store driver
+- **Scan container images**: Regularly scan container images for vulnerabilities before deployment
+
+### Performance & Scalability
+- **Set resource requests and limits**: Always define CPU and memory requests/limits for predictable scheduling and resource management
+- **Use Horizontal Pod Autoscaler (HPA)**: Implement HPA to automatically scale applications based on metrics
+- **Optimize container images**: Use multi-stage builds and minimal base images to reduce image size and startup time
+- **Implement health probes**: Configure liveness and readiness probes for reliable application health monitoring
+
+### Operations & Monitoring
+- **Use structured logging**: Implement structured logging (JSON) for better log analysis in Log Analytics
+- **Monitor cluster metrics**: Regularly review cluster metrics in Azure Monitor for capacity planning
+- **Implement GitOps**: Use GitOps tools like Flux or ArgoCD for declarative application deployment
+- **Tag resources**: Use labels and annotations consistently for resource organization and cost allocation
+
+### Networking
+- **Use Ingress controllers**: Deploy an Ingress controller for HTTP/HTTPS routing instead of multiple LoadBalancer services
+- **Implement egress control**: Use Azure Firewall or Network Security Groups to control outbound traffic
+- **Enable service mesh**: Consider using a service mesh (like Istio or Linkerd) for advanced traffic management and observability
+
+## Cluster Features
+
+### Authentication & Authorization
+- **Azure AD Integration**: Cluster uses Azure AD for authentication, enabling centralized identity management
+- **OIDC Issuer**: Workload Identity enabled for secure pod-to-Azure-resource authentication
+
+### Monitoring & Logging
+- **Log Analytics Workspace**: Centralized logging for cluster and application logs
+- **Container Insights**: Integrated monitoring for container performance and health
+- **Diagnostic Settings**: Cluster metrics and logs forwarded to Log Analytics
+
+### Networking
+- **Custom VNet**: Dedicated virtual network and subnet for cluster isolation
+- **Azure CNI**: Advanced networking capabilities with pod-level networking
+
+### Auto-Scaling
+- **Cluster Autoscaler**: Automatically adjusts node count based on resource requirements
+- **System Node Pool**: Dedicated node pool for system workloads with auto-scaling enabled
+
+## Getting Started
+
+1. **Access the cluster**: Use `az aks get-credentials` to configure kubectl access
+2. **Verify connectivity**: Run `kubectl get nodes` to confirm cluster connectivity
+3. **Deploy your application**: Use `kubectl apply` or Helm to deploy applications
+4. **Monitor your workloads**: View logs and metrics in Azure Monitor or Log Analytics