feat(long_term_retention): add long term retention Terraform module

[asarkar157]

Summary

long_term_retention

Motivation

Closes #2

What's included

• New module at modules/long_term_retention
  • M README.md
  • M main.tf
  • A modules/long_term_retention/README.md
  • A modules/long_term_retention/main.tf
  • A modules/long_term_retention/outputs.tf
  • A modules/long_term_retention/variables.tf
  • A modules/long_term_retention/versions.tf
  • M variables.tf

Terraform resources

• See *.tf files in the module directory

Validation

Check	Result
terraform fmt	✅ PASS
terraform validate	✅ PASS
terraform test	✅ PASS
Module quality	PASS

Reviewer notes

• Generated by the terraform-module-update workflow (StackGen terraform-bot).
• Please confirm variable defaults, security constraints, and any org-specific wiring before merge.

[asarkar157]

Module Review — Grade: 🟡 C

Grade C — The module is functional and follows several best practices (resource naming with this, no provider/backend blocks, all variables and outputs have descriptions, sensitive password marked correctly, TLS 1.2 enforced). However, it has moderate-to-significant issues that prevent org-wide distribution readiness: (1) No tests exist at all — this alone caps the grade below B; (2) Root module is missing versions.tf with required_version and required_providers constraints; (3) Workspace-specific defaults (resource_group_name = "se-rg") make the module non-portable; (4) Security posture gaps — public network access defaults to enabled, no auditing/threat detection, no deletion protection; (5) 10+ variables lack validation blocks; (6) Dead code in submodule (database_id variable never referenced); (7) Tags not applied to database resource and no locals merge pattern.

---

📋 Variable Classification

Root Module (14 variables: 3 required, 11 optional)

Variable	Type	Classification	Issue	Status
server_name	string	REQUIRED	Missing validation block (1-63 chars, lowercase alphanumeric + hyphens)	⚠️
database_name	string	OPTIONAL (default: "workshopdb")	Environment-specific default — consider making REQUIRED	⚠️
resource_group_name	string	OPTIONAL (default: "se-rg")	Workspace/team-specific default — breaks org distribution	❌
location	string	OPTIONAL (default: "westus2")	Hardcoded region default; missing validation block	⚠️
admin_login	string	REQUIRED	Missing validation block for Azure SQL naming constraints	⚠️
admin_password	string	REQUIRED	Correctly marked sensitive = true	✅
sku_name	string	OPTIONAL (default: "Basic")	Missing validation block for known SKU values	⚠️
max_size_gb	number	OPTIONAL (default: 2)	Missing validation block (min > 0)	⚠️
tags	map(string)	OPTIONAL (default: {})	—	✅
long_term_retention_enabled	bool	OPTIONAL (default: true)	—	✅
long_term_retention_weekly	string	OPTIONAL (default: null)	Missing validation for ISO 8601 duration	⚠️
long_term_retention_monthly	string	OPTIONAL (default: "P13M")	Missing validation for ISO 8601 duration	⚠️
long_term_retention_yearly	string	OPTIONAL (default: null)	Missing validation for ISO 8601 duration	⚠️
long_term_retention_week_of_year	number	OPTIONAL (default: null)	Missing validation (must be 1-52 when set)	⚠️

Submodule modules/long_term_retention (6 variables)

Variable	Type	Classification	Issue	Status
enabled	bool	OPTIONAL (default: true)	—	✅
database_id	string	OPTIONAL (default: null)	Dead code — declared but never referenced	❌
weekly_retention	string	OPTIONAL (default: null)	Missing validation for ISO 8601 duration	⚠️
monthly_retention	string	OPTIONAL (default: "P13M")	Missing validation for ISO 8601 duration	⚠️
yearly_retention	string	OPTIONAL (default: null)	Missing validation for ISO 8601 duration	⚠️
week_of_year	number	OPTIONAL (default: null)	Missing validation (must be 1-52 when set)	⚠️

---

🏗️ Module Structure

Check	Status	Detail
Resource naming (this)	✅ PASS	Both root resources use this (azurerm_mssql_server.this, azurerm_mssql_database.this)
Single-resource pattern	✅ PASS	Root manages tightly-coupled azurerm_mssql_server + azurerm_mssql_database pair
No provider blocks	✅ PASS	No provider blocks in any module file
No backend blocks	✅ PASS	No terraform { backend } blocks
Tags via locals merge	❌ FAIL	Tags passed directly as var.tags; no local.tags = merge(...) pattern; azurerm_mssql_database has no tags at all
Outputs useful attrs	⚠️ WARN	Missing server_name output; LTR policy status not exposed at root
Outputs have descriptions	✅ PASS	All outputs documented in root and submodule
README exists	⚠️ WARN	Root README has stray LTR line appended without proper section header
Tests exist	❌ FAIL	No tests/ directory; no .tftest.hcl files anywhere — significant gap for a new module
No hardcoded IDs	⚠️ WARN	SQL server version = "12.0" hardcoded; workspace-specific defaults present
Data sources / dynamic lookups	✅ PASS	N/A — module creates resources directly

---

🔒 Security Defaults

Check	Status	Detail
TLS version	✅ PASS	minimum_tls_version = "1.2" correctly set
Admin password sensitive	✅ PASS	admin_password marked sensitive = true
IAM no wildcards	✅ PASS	No IAM policies defined
Security groups no open	✅ PASS	No firewall rules defined
Encryption at rest	⚠️ WARN	TDE not explicitly declared (relies on Azure default)
Public access denied	⚠️ WARN	public_network_access_enabled not set — defaults to public
Logging / monitoring	⚠️ WARN	No auditing_policy, threat_detection_policy, or diagnostic settings
Deletion protection	⚠️ WARN	No lifecycle { prevent_destroy = true } on stateful resources

---

🌐 Org-Distribution Readiness

Check	Status	Detail
Self-contained	✅ PASS	Submodule uses relative ./modules/long_term_retention source
Required vars described	✅ PASS	All 3 required variables have descriptions
Outputs described	✅ PASS	All outputs documented
No workspace assumptions	❌ FAIL	resource_group_name = "se-rg" (team-specific); database_name = "workshopdb" (env-specific)
Version constraints	❌ FAIL	Root module has NO versions.tf — missing required_version and required_providers. Submodule has it; root does not

---

✅ Functional Validation

Check	Result
tofu fmt -check -recursive	✅ PASS
tofu init -backend=false	✅ PASS (azurerm v4.76.0)
tofu validate	✅ PASS
tofu test	⏭️ SKIPPED (no tests directory)

---

🎯 Findings Summary

🔴 Critical (2)

• No tests (.tftest.hcl) — new module ships without any test coverage
• Root module missing versions.tf entirely

🟠 Significant (7)

• resource_group_name default "se-rg" is workspace-specific — breaks org distribution
• Submodule database_id is dead code — declared, never referenced
• No locals merge pattern for tags; database resource has no tags
• SQL server public_network_access_enabled not set — defaults to public
• No auditing or threat detection configured
• No lifecycle prevent_destroy on stateful resources
• Workspace-specific defaults (se-rg, workshopdb)

🟡 Moderate (5)

• Missing validation blocks on 10+ variables (ISO 8601 durations, server name, week_of_year range)
• Root README has stray LTR line without proper section
• SQL server version "12.0" hardcoded without variable/local
• TDE not explicitly declared (relies on Azure default)
• LTR policy status not exposed at root level

🟢 Cosmetic (1)

• Submodule is values-only config object — could be locals in root (architectural preference)

---

📊 Counts

• Total violations: 19
• Auto-fixable: 10
• Need human review: 9

---

Automated review by terraform-module-pr-review workflow. Label applied: platform-review-suggested.

[asarkar157]

Automated module review posted as a PR comment. Grade: C. See the detailed review comment for findings.