Add module files

Author: spy86

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+## code changes will send PR to following users
+* @Think-Cube/think-cube

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: 'terraform'
+    directory: '/'
+    schedule:
+      interval: 'daily'

.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 ThinkCube
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,60 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.3 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.27.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.27.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_cognitive_account.main](https://registry.terraform.io/providers/hashicorp/azurerm/4.27.0/docs/resources/cognitive_account) | resource |
+| [azurerm_cognitive_deployment.main](https://registry.terraform.io/providers/hashicorp/azurerm/4.27.0/docs/resources/cognitive_deployment) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/4.27.0/docs/data-sources/client_config) | data source |
+| [azurerm_resource_group.rg](https://registry.terraform.io/providers/hashicorp/azurerm/4.27.0/docs/data-sources/resource_group) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cognitive_account_custom_subdomain_name"></a> [cognitive\_account\_custom\_subdomain\_name](#input\_cognitive\_account\_custom\_subdomain\_name) | Custom subdomain name for the Azure OpenAI Service, if applicable. | `string` | n/a | yes |
+| <a name="input_cognitive_account_kind"></a> [cognitive\_account\_kind](#input\_cognitive\_account\_kind) | The type of Cognitive Service Account to create (e.g., OpenAI, ComputerVision). Changing this triggers resource recreation. | `string` | `"OpenAI"` | no |
+| <a name="input_cognitive_account_name"></a> [cognitive\_account\_name](#input\_cognitive\_account\_name) | The name of the Azure Cognitive Service Account. Changing this triggers resource recreation. | `string` | n/a | yes |
+| <a name="input_cognitive_account_public_network_access_enabled"></a> [cognitive\_account\_public\_network\_access\_enabled](#input\_cognitive\_account\_public\_network\_access\_enabled) | Controls whether public network access is enabled for the Azure OpenAI Service. | `bool` | `true` | no |
+| <a name="input_cognitive_account_sku_name"></a> [cognitive\_account\_sku\_name](#input\_cognitive\_account\_sku\_name) | The pricing tier (SKU) for the Azure OpenAI Service (e.g., S0). | `string` | `"S0"` | no |
+| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of key-value pairs to tag resources for organization and management. | `map(any)` | n/a | yes |
+| <a name="input_deployment"></a> [deployment](#input\_deployment) | Configures Cognitive Services Account deployments with the following attributes:<br>  - name: The deployment name. Changing this triggers resource recreation.<br>  - model\_format: The model format (e.g., OpenAI). Changing this triggers resource recreation.<br>  - model\_name: The name of the deployment model. Changing this triggers resource recreation.<br>  - model\_version: The version of the deployment model.<br>  - scale\_type: The deployment scale type (e.g., Standard). Changing this triggers resource recreation.<br>  - rai\_policy\_name: Optional Responsible AI policy name. Changing this triggers resource recreation.<br>  - capacity: Optional Tokens-per-Minute (TPM) capacity, defaults to 1 (1000 tokens/min).<br>  - version\_upgrade\_option: Optional model version upgrade policy (e.g., OnceNewDefaultVersionAvailable, OnceCurrentVersionExpired, NoAutoUpgrade). | <pre>map(object({<br>    name                   = string<br>    model_format           = string<br>    model_name             = string<br>    model_version          = string<br>    scale_type             = string<br>    rai_policy_name        = optional(string)<br>    capacity               = optional(number)<br>    version_upgrade_option = optional(string)<br>  }))</pre> | `{}` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Defines the environment type for the backend container (e.g., dev, prod, staging). | `string` | `"dev"` | no |
+| <a name="input_identity_enabled"></a> [identity\_enabled](#input\_identity\_enabled) | Enables or disables managed identity for the Cognitive Service Account. | `bool` | `false` | no |
+| <a name="input_identity_type"></a> [identity\_type](#input\_identity\_type) | Specifies the managed identity type (e.g., SystemAssigned, UserAssigned). | `string` | `"SystemAssigned"` | no |
+| <a name="input_network_acls_default_action"></a> [network\_acls\_default\_action](#input\_network\_acls\_default\_action) | Sets the default action for network ACLs (e.g., Allow or Deny). | `string` | `"Deny"` | no |
+| <a name="input_network_acls_enabled"></a> [network\_acls\_enabled](#input\_network\_acls\_enabled) | Enables or disables network Access Control Lists (ACLs) for the Cognitive Service Account. | `bool` | `false` | no |
+| <a name="input_network_acls_ip_rules"></a> [network\_acls\_ip\_rules](#input\_network\_acls\_ip\_rules) | A list of IP addresses or CIDR blocks allowed in network ACLs. | `list(string)` | `[]` | no |
+| <a name="input_network_acls_virtual_network_rules"></a> [network\_acls\_virtual\_network\_rules](#input\_network\_acls\_virtual\_network\_rules) | A list of virtual network rules for network ACLs, specifying subnet ID and optional service endpoint settings. | <pre>list(object({<br>    subnet_id                            = string<br>    ignore_missing_vnet_service_endpoint = optional(bool)<br>  }))</pre> | `[]` | no |
+| <a name="input_region"></a> [region](#input\_region) | The Azure region where resources will be deployed (e.g., 'weu' for West Europe). | `string` | `"weu"` | no |
+| <a name="input_resource_group_location"></a> [resource\_group\_location](#input\_resource\_group\_location) | The Azure region for creating the resource group. Changing this triggers resource recreation. | `string` | `"West Europe"` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the Azure resource group where resources will be provisioned. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cognitive_account_endpoint"></a> [cognitive\_account\_endpoint](#output\_cognitive\_account\_endpoint) | The endpoint URL of the Azure Cognitive Service Account. |
+| <a name="output_cognitive_account_id"></a> [cognitive\_account\_id](#output\_cognitive\_account\_id) | The resource ID of the Azure Cognitive Service Account. |
+| <a name="output_cognitive_account_location"></a> [cognitive\_account\_location](#output\_cognitive\_account\_location) | The Azure region where the Cognitive Service Account is deployed. |
+| <a name="output_cognitive_account_name"></a> [cognitive\_account\_name](#output\_cognitive\_account\_name) | The name of the Azure Cognitive Service Account. |
+| <a name="output_cognitive_account_primary_access_key"></a> [cognitive\_account\_primary\_access\_key](#output\_cognitive\_account\_primary\_access\_key) | The primary access key for the Azure Cognitive Service Account. |
+| <a name="output_cognitive_account_resource_group_name"></a> [cognitive\_account\_resource\_group\_name](#output\_cognitive\_account\_resource\_group\_name) | The name of the resource group containing the Cognitive Service Account. |
+| <a name="output_cognitive_account_secondary_access_key"></a> [cognitive\_account\_secondary\_access\_key](#output\_cognitive\_account\_secondary\_access\_key) | The secondary access key for the Azure Cognitive Service Account. |
+| <a name="output_cognitive_deployment_ids"></a> [cognitive\_deployment\_ids](#output\_cognitive\_deployment\_ids) | A map of deployment names to their respective resource IDs for the Cognitive Service Account deployments. |

backend.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "4.27.0"
+    }
+  }
+  required_version = ">= 1.6.3"
+}

cognitive_account.tf

@@ -0,0 +1,39 @@
+resource "azurerm_cognitive_account" "main" {
+  name                          = "${var.environment}-${var.cognitive_account_name}-${var.region}-oai"
+  location                      = data.azurerm_resource_group.rg.location
+  resource_group_name           = data.azurerm_resource_group.rg.name
+  kind                          = var.cognitive_account_kind
+  custom_subdomain_name         = var.cognitive_account_custom_subdomain_name
+  sku_name                      = var.cognitive_account_sku_name
+  public_network_access_enabled = var.cognitive_account_public_network_access_enabled
+  tags                          = var.default_tags
+
+  dynamic "identity" {
+    for_each = var.identity_enabled ? [1] : []
+    content {
+      type = var.identity_type
+    }
+  }
+
+  dynamic "network_acls" {
+    for_each = var.network_acls_enabled ? [1] : []
+    content {
+      default_action = var.network_acls_default_action
+      ip_rules       = var.network_acls_ip_rules
+
+      dynamic "virtual_network_rules" {
+        for_each = var.network_acls_virtual_network_rules
+        content {
+          subnet_id                            = virtual_network_rules.value.subnet_id
+          ignore_missing_vnet_service_endpoint = lookup(virtual_network_rules.value, "ignore_missing_vnet_service_endpoint", false)
+        }
+      }
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      tags
+    ]
+  }
+}

cognitive_deployment.tf

@@ -0,0 +1,19 @@
+resource "azurerm_cognitive_deployment" "main" {
+  for_each = var.deployment
+
+  cognitive_account_id   = azurerm_cognitive_account.main.id
+  name                   = each.value.name
+  rai_policy_name        = each.value.rai_policy_name
+  version_upgrade_option = each.value.version_upgrade_option
+
+  sku {
+    name     = each.value.scale_type
+    capacity = try(each.value.capacity, 1)
+  }
+
+  model {
+    format  = each.value.model_format
+    name    = each.value.model_name
+    version = each.value.model_version
+  }
+}

main.tf

@@ -0,0 +1,5 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group_name
+}

output.tf

@@ -0,0 +1,47 @@
+output "cognitive_account_id" {
+  value       = azurerm_cognitive_account.main.id
+  description = "The resource ID of the Azure Cognitive Service Account."
+  sensitive   = false
+}
+
+output "cognitive_account_location" {
+  value       = azurerm_cognitive_account.main.location
+  description = "The Azure region where the Cognitive Service Account is deployed."
+  sensitive   = false
+}
+
+output "cognitive_account_name" {
+  value       = azurerm_cognitive_account.main.name
+  description = "The name of the Azure Cognitive Service Account."
+  sensitive   = false
+}
+
+output "cognitive_account_resource_group_name" {
+  value       = azurerm_cognitive_account.main.resource_group_name
+  description = "The name of the resource group containing the Cognitive Service Account."
+  sensitive   = false
+}
+
+output "cognitive_account_endpoint" {
+  value       = azurerm_cognitive_account.main.endpoint
+  description = "The endpoint URL of the Azure Cognitive Service Account."
+  sensitive   = false
+}
+
+output "cognitive_account_primary_access_key" {
+  value       = azurerm_cognitive_account.main.primary_access_key
+  description = "The primary access key for the Azure Cognitive Service Account."
+  sensitive   = true
+}
+
+output "cognitive_account_secondary_access_key" {
+  value       = azurerm_cognitive_account.main.secondary_access_key
+  description = "The secondary access key for the Azure Cognitive Service Account."
+  sensitive   = true
+}
+
+output "cognitive_deployment_ids" {
+  value       = { for k, v in azurerm_cognitive_deployment.main : k => v.id }
+  description = "A map of deployment names to their respective resource IDs for the Cognitive Service Account deployments."
+  sensitive   = false
+}