[Feature Request]: Terraform Module - "mcp-gateway-azure" supporting AKS and ACA #274

@crivetimihai

Description

🧭 Epic

Title: Terraform Module – "mcp-gateway-azure"


Goal

Publish an official Terraform module (terraform-azurerm-mcpgateway) that provisions a production-ready MCP Gateway on Microsoft Azure with one terraform apply.
The module must support both AKS (Kubernetes) and Azure Container Apps (ACA) targets, ship sane defaults, and remain purely optional for users who deploy by other means.

Registry target: registry.terraform.io/ibm-mcp-gateways/mcpgateway/azurerm


🧭 Type of Feature

  • Infrastructure-as-Code
  • Operator tooling

🛠 Module Features & Inputs

| Variable | Type / Default | Description |
|---|---|---|
| platform | "aks", "aca" or "none" | AKS cluster (managed node pools) or Azure Container Apps. |
| gateway_version | string (default "latest") | Docker tag to deploy. |
| replicas | number (default 2) | Deployment replica count (AKS Deployment or ACA revision scale). |
| db_engine | "azure-postgresql", "cosmos-mongo" or "sqlite" | Azure Database for PostgreSQL Flexible Server, Cosmos DB (Mongo API) or in-pod SQLite. |
| enable_redis | bool (default true) | Provision Azure Cache for Redis for rate limiting and sessions. |
| custom_domain | string | Azure DNS zone; creates an HTTPS Front Door endpoint and certificate. |
| policy_bundle_blob_url | string (optional) | URL of a Rego bundle in Azure Blob Storage for the Policy-as-Code engine. |
| observability | object | Toggles an Azure Monitor Log Analytics workspace and pre-built Workbook dashboards. |
| tags | map(string) | Resource tags. |

Outputs: Front Door URL, AKS kubeconfig or ACA revision name, PostgreSQL endpoint, Managed Identity IDs.
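A variables.tf that enforces the inputs table above, written here as an added example rather than taken from the module (the module does not exist yet). The validation rules, the db_engine default (the table lists none, but Story 1 deploys without setting it), the observability sub-field retention_days and the create_vnet default are assumptions. The one security-relevant rule is on policy_bundle_blob_url: the Rego bundle is code the policy engine executes, so the variable only accepts an HTTPS Azure Blob origin rather than an arbitrary URL.

```hcl
# Added example: variables.tf for the inputs table. Not the module's own code;
# defaults marked "assumption" are not stated on the page.

variable "platform" {
  type        = string
  description = "Deployment target: AKS cluster, Azure Container Apps, or none."
  validation {
    condition     = contains(["aks", "aca", "none"], var.platform)
    error_message = "platform must be one of \"aks\", \"aca\" or \"none\"."
  }
}

variable "gateway_version" {
  type        = string
  default     = "latest"
  description = "Docker tag to deploy. Pin an immutable tag (or digest) in production; \"latest\" is a floating reference."
  validation {
    condition     = length(trimspace(var.gateway_version)) > 0
    error_message = "gateway_version must not be empty."
  }
}

variable "replicas" {
  type    = number
  default = 2
  validation {
    condition     = var.replicas >= 1 && floor(var.replicas) == var.replicas
    error_message = "replicas must be a whole number >= 1."
  }
}

variable "db_engine" {
  type    = string
  default = "azure-postgresql" # assumption: the table gives no default
  validation {
    condition     = contains(["azure-postgresql", "cosmos-mongo", "sqlite"], var.db_engine)
    error_message = "db_engine must be azure-postgresql, cosmos-mongo or sqlite."
  }
}

variable "enable_redis" {
  type    = bool
  default = true
}

variable "custom_domain" {
  type        = string
  default     = null
  description = "DNS name for the HTTPS Front Door endpoint, e.g. api.demo.contoso.com."
  validation {
    condition     = var.custom_domain == null || can(regex("^([a-z0-9-]+\\.)+[a-z]{2,}$", var.custom_domain))
    error_message = "custom_domain must be a lowercase DNS name."
  }
}

variable "policy_bundle_blob_url" {
  type        = string
  default     = null
  description = "HTTPS URL of the Rego bundle. Only Azure Blob Storage origins over TLS are accepted, because the bundle is executed as policy."
  validation {
    condition = var.policy_bundle_blob_url == null || can(
      regex("^https://[a-z0-9]{3,24}\\.blob\\.core\\.windows\\.net/[^/]+/.+", var.policy_bundle_blob_url)
    )
    error_message = "policy_bundle_blob_url must look like https://<account>.blob.core.windows.net/<container>/<blob>."
  }
}

variable "observability" {
  type = object({
    enabled        = optional(bool, true)
    retention_days = optional(number, 30) # assumption: sub-field not in the table
  })
  default = {}
}

variable "tags" {
  type    = map(string)
  default = {}
}

variable "create_vnet" {
  type    = bool
  default = true # assumption; Story 4 sets it to false to keep an existing VNet out of destroy
}
```

The validations run at plan time, so a typo in platform or a bundle URL pointing at a non-Azure host fails before any resource is touched, which is cheaper than discovering it from a failed task start.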


🙋‍♂️ User Stories & Acceptance Criteria

Story 1 – Minimal AKS Deploy

Scenario: Spin up Gateway on AKS with defaults
Given `az login` is authenticated and subscription selected
When I write:
  module "gateway" {
    source         = "ibm-mcp-gateways/mcpgateway/azurerm"
    platform       = "aks"
    custom_domain  = "api.demo.contoso.com"
    tags           = { env = "demo", team = "platform" }
  }
And run "terraform apply"
Then an HTTPS Front Door endpoint responds 200 to GET /health
And GET /version returns the deployed gateway_version
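Story 1's two "Then" lines can be checked by Terraform itself. The following is an added example, not code from the module: a Terraform 1.5+ check block (the page requires Terraform ≥ 1.6) using the hashicorp/http provider. It assumes GET /version returns JSON with a version field; the page does not state the response format.

```hcl
# Added example: Story 1 acceptance criteria as a post-apply check block.
# Not the module's own code. Assumes /version returns {"version": "..."}.

terraform {
  required_version = ">= 1.6"
  required_providers {
    http = { source = "hashicorp/http", version = "~> 3.4" }
  }
}

variable "custom_domain" {
  type = string
}

variable "gateway_version" {
  type    = string
  default = "latest"
}

check "gateway_health" {
  # TLS verification stays on (the provider's "insecure" flag is left unset),
  # so a 200 served under an untrusted certificate does not pass.
  data "http" "health" {
    url = "https://${var.custom_domain}/health"
    retry {
      attempts     = 5
      min_delay_ms = 2000
      max_delay_ms = 10000
    }
  }

  assert {
    condition     = data.http.health.status_code == 200
    error_message = "GET /health on ${var.custom_domain} returned ${data.http.health.status_code}, expected 200."
  }
}

check "gateway_version" {
  data "http" "version" {
    url             = "https://${var.custom_domain}/version"
    request_headers = { Accept = "application/json" }
  }

  assert {
    # A floating "latest" tag cannot be compared to a concrete version string,
    # so the check is only meaningful when gateway_version is pinned.
    condition = var.gateway_version == "latest" || (
      try(jsondecode(data.http.version.response_body).version, "") == var.gateway_version
    )
    error_message = "GET /version did not report the deployed gateway_version ${var.gateway_version}."
  }
}
```

A failed check does not roll back the apply; it is reported as a warning in the apply output and in the state, which is what a CI job should grep for after deploying the examples.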

Story 2 – ACA with Cosmos DB & Redis

Scenario: ACA + Cosmos
Given variables platform="aca" db_engine="cosmos-mongo"
When apply completes
Then Cosmos DB account is Healthy
And ACA logs show "Connected to Cosmos ✔"

Story 3 – Policy Bundle from Blob Storage

Scenario: Attach Rego bundle
Given blob https://mystorage.blob.core.windows.net/policies/bundle.tar.gz exists
And policy_bundle_blob_url is set to that URL
When tasks start
Then gateway logs "Loaded policy bundle (v1)" within 60 s
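The blob in Story 3 is executable policy, so how it is stored and who can read it matters. The following added example (not the module's code) provisions the storage account with anonymous access, account keys and SAS all disabled, and grants the gateway's managed identity read access on the policies container only. It assumes azurerm 3.x attribute names, an existing resource group, and that the gateway fetches the bundle with its managed identity; the page does not say which credential the gateway uses.

```hcl
# Added example for Story 3: private, identity-only storage for the Rego bundle.
# Not the module's own code. Names are illustrative.

terraform {
  required_version = ">= 1.6"
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.100, < 4.0" }
  }
}

# With shared_access_key_enabled = false, Terraform's own blob/container calls
# must use Entra ID too, otherwise container creation fails with 403.
provider "azurerm" {
  features {}
  storage_use_azuread = true
}

variable "resource_group_name" {
  type = string
}

variable "location" {
  type = string
}

variable "gateway_identity_principal_id" {
  type        = string
  description = "principal_id of the gateway's user-assigned managed identity"
}

resource "azurerm_storage_account" "policies" {
  name                     = "mcpgwpolicies" # illustrative; must be globally unique
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  min_tls_version                 = "TLS1_2"
  enable_https_traffic_only       = true  # 4.x name: https_traffic_only_enabled
  allow_nested_items_to_be_public = false # no container can be made anonymous
  shared_access_key_enabled       = false # no account keys, no SAS: identity only
}

resource "azurerm_storage_container" "policies" {
  name                  = "policies"
  storage_account_name  = azurerm_storage_account.policies.name
  container_access_type = "private"
}

# Least privilege: read-only, scoped to this container rather than the account.
resource "azurerm_role_assignment" "gateway_reads_policies" {
  scope                = azurerm_storage_container.policies.resource_manager_id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = var.gateway_identity_principal_id
}

# Value to pass as policy_bundle_blob_url; the blob itself is uploaded separately.
output "policy_bundle_blob_url" {
  value = "${azurerm_storage_account.policies.primary_blob_endpoint}${azurerm_storage_container.policies.name}/bundle.tar.gz"
}
```

Whoever can write to this container can change what the gateway enforces, so the writer role for the container should be held by the policy CI pipeline's identity only, not by the same identity that runs the gateway.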

Story 4 – Destroy Keeps Existing VNet (optional flag)

Scenario: Preserve VNet
Given variable create_vnet=false
When apply then destroy
Then my existing VNet vnet-prod remains

πŸ“ Reference Architecture (PlantUML)

@startuml
skinparam componentStyle rectangle
package "Azure" {
  [Azure Front Door] --> [AKS Deployment] : 443
  [Azure Front Door] --> [Container Apps] : 443
  [AKS Deployment] --> [Azure DB for PostgreSQL]
  [Container Apps] --> [Azure DB for PostgreSQL]
  [AKS Deployment] --> [Azure Cache for Redis]
  [Container Apps] --> [Azure Cache for Redis]
}
note left of [Azure Front Door]
  Optional Azure WAF
end note
@enduml
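The diagram shows the data tier but not how it is exposed. The following added example (not the module's code) provisions the PostgreSQL and Redis boxes from the diagram so that neither has a public endpoint and the gateway authenticates to PostgreSQL with a managed identity rather than a password. It assumes azurerm 3.x attribute names (4.x renames some of them), a subnet delegated to Microsoft.DBforPostgreSQL/flexibleServers, the matching private DNS zone, and a workload subnet for the Redis private endpoint; all names are illustrative.

```hcl
# Added example: private, passwordless data tier for the gateway. Not the
# module's own code; resource names and SKUs are illustrative.

terraform {
  required_version = ">= 1.6"
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.100, < 4.0" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

variable "delegated_subnet_id" {
  type = string # delegated to Microsoft.DBforPostgreSQL/flexibleServers
}

variable "private_dns_zone_id" {
  type = string # privatelink.postgres.database.azure.com, linked to the VNet
}

variable "workload_subnet_id" {
  type = string # subnet the AKS nodes or ACA environment live in
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-mcpgateway-demo"
  location = "eastus"
}

# Identity the gateway workload runs as. With password auth disabled on the
# server there is no database secret to store, rotate or leak.
resource "azurerm_user_assigned_identity" "gateway" {
  name                = "id-mcpgateway"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_postgresql_flexible_server" "db" {
  name                = "psql-mcpgateway-demo"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  version             = "15"
  sku_name            = "GP_Standard_D2s_v3"
  storage_mb          = 32768
  zone                = "1"

  # VNet-injected: private IP only, no public endpoint to firewall.
  delegated_subnet_id = var.delegated_subnet_id
  private_dns_zone_id = var.private_dns_zone_id

  backup_retention_days = 14

  authentication {
    active_directory_auth_enabled = true
    password_auth_enabled         = false # Entra ID only; no administrator_password at all
    tenant_id                     = data.azurerm_client_config.current.tenant_id
  }
}

# Declarative Entra mapping for the identity. In production keep the admin
# mapping for a break-glass group and create the gateway an ordinary role with
# pgaadauth_create_principal() so it cannot alter other roles.
resource "azurerm_postgresql_flexible_server_active_directory_administrator" "gateway" {
  server_name         = azurerm_postgresql_flexible_server.db.name
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = azurerm_user_assigned_identity.gateway.principal_id
  principal_name      = azurerm_user_assigned_identity.gateway.name
  principal_type      = "ServicePrincipal"
}

resource "azurerm_redis_cache" "cache" {
  name                = "redis-mcpgateway-demo"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  capacity            = 1
  family              = "C"
  sku_name            = "Standard"

  enable_non_ssl_port           = false # plaintext 6379 closed; TLS 6380 only (4.x: non_ssl_port_enabled)
  minimum_tls_version           = "1.2"
  public_network_access_enabled = false # reachable only via the private endpoint below
}

# Add a private_dns_zone_group for privatelink.redis.cache.windows.net so the
# cache hostname resolves to this endpoint's private IP from the workload subnet.
resource "azurerm_private_endpoint" "redis" {
  name                = "pe-redis-mcpgateway"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = var.workload_subnet_id

  private_service_connection {
    name                           = "redis"
    private_connection_resource_id = azurerm_redis_cache.cache.id
    subresource_names              = ["redisCache"]
    is_manual_connection           = false
  }
}

output "gateway_identity" {
  value = {
    id           = azurerm_user_assigned_identity.gateway.id
    client_id    = azurerm_user_assigned_identity.gateway.client_id
    principal_id = azurerm_user_assigned_identity.gateway.principal_id
  }
}
```

The same reasoning applies to the front of the diagram: the "Optional Azure WAF" only protects traffic that actually passes through Front Door, so the AKS ingress or ACA environment should accept requests only from Front Door (validate the X-Azure-FDID header against the profile's Front Door ID, or use Private Link origins on the Premium SKU); otherwise the origin can be reached directly and the WAF bypassed.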

📂 Repository Layout

terraform-azurerm-mcpgateway/
├── main.tf
├── variables.tf
├── outputs.tf
├── versions.tf
├── modules/
│   ├── aks/
│   ├── aca/
│   ├── postgres/
│   └── redis/
├── examples/
│   ├── aks_minimal/
│   └── aca_full/
└── docs/
    ├── README.md
    ├── advanced.md
    └── architecture.puml

📋 Global Acceptance Checklist

  • terraform validate and tflint pass; checkov shows no high/critical issues.
  • Example configs deploy cleanly to East US; /health returns 200.
  • Module published to Terraform Registry with inputs/outputs tables & diagrams.
  • CI workflow runs terraform init -backend=false && terraform validate && terraform fmt -check.
  • README shows cost estimate table (AKS node-hours, Front Door, Redis, DB).
  • Supports Terraform ≥ 1.6, AzureRM provider ≥ 3.100.
  • Policy bundle fetched from Blob if policy_bundle_blob_url provided.
  • Log Analytics workspace & Workbook dashboard created when observability.enabled=true.

🔄 Roll-Out Plan

  1. Scaffold repo terraform-azurerm-mcpgateway.
  2. Implement ACA path; add Postgres & Cosmos sub-modules.
  3. Port to AKS with system node-pool + autoscaler.
  4. Provide examples and CI validation workflow.
  5. Integrate optional Workbook JSON export.
  6. Publish to Terraform Registry; tag v0.1.0.
  7. Add demo GIF & link from main project README.

Metadata

Assignees: No one assigned
Labels: devops (DevOps activities: containers, automation, deployment, makefiles, etc.), enhancement (New feature or request), triage (Issues / Features awaiting triage)
Projects: No projects
Milestone: none
Development: No branches or pull requests