[AVM Module Issue]: Support for Separate Terraform States for vWAN and Secure Hubs by Environment

[mofaizal]

Check for previous/existing GitHub issues

• [X] I have checked for previous/existing GitHub issues

Issue Type?

Feature Request

(Optional) Module Version

0.5.0

(Optional) Correlation Id

No response

Description

Summary:

The customer requires a flexible deployment strategy for Single Azure Virtual WAN (vWAN) and multiple Secure Hubs across environments, adhering to their security and process requirements. This includes managing separate Terraform states for each environment to allow independent deployment pipelines and prevent process conflicts during production freezes.

Request:

• Deploy a single vWAN with multiple Secure Hubs.
• As a first step, create the vWAN in Resource Group A and manage its Terraform state separately.
• For each environment (e.g., Prod, Non-Prod), create a Secure Hub in its respective resource group and maintain a separate Terraform state for each (e.g., store state in separate folders).
• This approach allows different deployment pipelines to be run by environment and better manage Terraform states individually.
• Due to security requirements and deployment processes (e.g., during production deployment freezes), customers need the ability to test and deploy changes to Dev or Non-Prod Secure Hubs independently, ensuring no impact on the production environment.

Proposed Resource Group Structure:

• rg-central-vwan
  • central-vwan
• rg-virtualhub-prod
  • virtualhub-prod
• rg-virtualhub-non-prod
  • virtualhub-non-prod

This setup helps in managing distinct Terraform states by environment and supports streamlined deployment processes across Dev, Non-Prod, and Prod environments.

[jaredfholgate]

We could potentially support this by moving the virtual hubs into a submodule. Then you can choose how you deploy them and break up the module as desired. We won't ever provide orchestration around AVM that creates the state, etc so won't be part of the module. That is up to you to decide. But we can make it easier by allowing direct access to child resources via submodules.

[khushal08]

@jaredfholgate I agree with you. Submodule is the safest.