
Access contracts

Shared infrastructure exposes non-sensitive outputs via Terraform state. Downstream project repositories consume these outputs to connect to shared resources.

Current outputs

From terraform/envs/shared:

| Output | Description |
| --- | --- |
| resource_group_name | Shared resource group name |
| server_name | PostgreSQL server name |
| server_fqdn | PostgreSQL server fully qualified domain name |
| database_names | List of provisioned database names |

From terraform/envs/site:

| Output | Description |
| --- | --- |
| resource_group_name | Site resource group name |
| swa_name | Static Web App resource name |
| swa_default_host_name | SWA default hostname |

Consumption

Downstream repos can read outputs through Terraform remote state:

```hcl
# Read the shared environment's outputs from its state in Azure Storage.
data "terraform_remote_state" "shared" {
  backend = "azurerm"
  config = {
    resource_group_name  = "rg-jersal-projects-shared"
    storage_account_name = "stjersalprojcore"
    container_name       = "tfstate-shared"
    key                  = "shared.tfstate"
    # Authenticate to the storage account with Azure AD rather than access keys.
    use_azuread_auth     = true
  }
}

# Usage
locals {
  db_fqdn = data.terraform_remote_state.shared.outputs.server_fqdn
}
```

For local development, reference hostnames directly rather than reading remote state.

Secrets

Shared infrastructure exposes only non-sensitive outputs. Secrets (database passwords, API tokens) should be stored in Azure Key Vault when added later. Never expose secrets through Terraform outputs.
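
One way to enforce this contract in CI, as an added example that is not part of the project's own code: a check that compares the JSON printed by `terraform output -json` with the output names documented above and flags anything sensitive, secret-looking, undocumented or missing. The names `CONTRACT`, `SECRET_HINTS` and `check_outputs` are hypothetical, the name heuristic is an assumption, and the sample JSON is constructed.

```python
import json

# Output names documented in "Current outputs" on this page.
CONTRACT = {
    "shared": {"resource_group_name", "server_name", "server_fqdn", "database_names"},
    "site": {"resource_group_name", "swa_name", "swa_default_host_name"},
}
# Assumed heuristic for secret-looking output names; adjust to your naming scheme.
SECRET_HINTS = ("password", "secret", "token", "connection_string")


def check_outputs(env, outputs_json):
    """Return a sorted list of contract violations for one environment.

    outputs_json is the text printed by `terraform output -json`:
    {"<name>": {"sensitive": bool, "type": ..., "value": ...}, ...}
    """
    outputs = json.loads(outputs_json)
    allowed = CONTRACT[env]
    problems = []
    for name, meta in outputs.items():
        if meta.get("sensitive"):
            problems.append(f"{name}: marked sensitive, must not be an output")
        if any(hint in name.lower() for hint in SECRET_HINTS):
            problems.append(f"{name}: name suggests a secret")
        if name not in allowed:
            problems.append(f"{name}: not in the documented contract")
    for name in allowed - set(outputs):
        problems.append(f"{name}: documented but missing from state")
    return sorted(problems)


# Constructed sample: the shared environment with one undocumented secret added.
SAMPLE = json.dumps({
    "resource_group_name": {"sensitive": False, "type": "string", "value": "rg-example"},
    "server_name": {"sensitive": False, "type": "string", "value": "psql-example"},
    "server_fqdn": {"sensitive": False, "type": "string",
                    "value": "psql-example.example.invalid"},
    "database_names": {"sensitive": False, "type": ["list", "string"], "value": ["app"]},
    "admin_password": {"sensitive": True, "type": "string", "value": "constructed-not-real"},
})

if __name__ == "__main__":
    for line in check_outputs("shared", SAMPLE):
        print(line)
```

`terraform output -json` prints sensitive values in plaintext, so pipe its output into the check rather than writing the raw JSON to CI logs.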