
feat(terraform): CIDR-sourcing module + tests + CI #2

Merged
bhavink merged 1 commit into main from feat/terraform-module on May 5, 2026

Conversation

@bhavink
Owner

@bhavink bhavink commented May 5, 2026

Summary

Adds a Terraform module at terraform/ that exposes Databricks CIDRs (per cloud, per region) as a sorted, deduplicated list. The module owns CIDR sourcing only — customers write their own target resources (managed prefix lists, IP groups, storage account network rules, etc.) using whatever provider versions they already have. Keeps the module ~50 HCL lines and avoids per-target version-pin maintenance hell.

Why this shape

The hard part is sourcing region-scoped CIDRs from a stable, versioned location. Everything past that — aws_ec2_managed_prefix_list, azurerm_storage_account_network_rules, etc. — is one-resource HCL the customer already knows how to write. Don't ship target code. Ship a CIDR module.

Documented as a deliberate non-goal in terraform/README.md.

Module surface

Inputs

  • cloud (validated: aws/azure/gcp)
  • regions (regex-validated lowercase+digits+hyphens)
  • source_base_url (URL mode, default GitHub Pages)
  • source_files (airgapped/vendored mode)
  • min_cidr_count (lockout guard, default 1)

Outputs

  • cidrs (sorted + distinct list)
  • cidr_count
  • source (diagnostic — what was actually read)

Fail-closed behaviour — every error is actionable, names the bad value, points at the fix:

  • Empty feed → preflight fails (lockout guard)
  • Non-CIDR content (HTML / JSON-by-mistake) → preflight fails
  • HTTP non-200 → fetch fails with cause + fix hint
  • Invalid cloud / region format → input validation fails

Tests

9 native terraform test runs covering: happy path, multi-file union, comment/blank stripping, deduplication, input validation rejections, lockout guard (on and off), non-CIDR rejection. All use local fixtures — no network, no cloud creds, runs in seconds.

tests/module.tftest.hcl... in progress
  run "happy_path_single_file"... pass
  run "multi_file_union"... pass
  run "strips_comments_and_blanks"... pass
  run "deduplicates"... pass
  run "rejects_invalid_cloud"... pass
  run "rejects_invalid_region_format"... pass
  run "rejects_below_min_cidr_count"... pass
  run "min_cidr_count_zero_allows_empty"... pass
  run "rejects_non_cidr_content"... pass
Success! 9 passed, 0 failed.

CI

.github/workflows/terraform.yml runs fmt -check, validate, and test on every PR that touches terraform/.

Docs

terraform/README.md — no-nonsense: quickstart, inputs/outputs tables, per-cloud examples (AWS prefix list, Azure IP Group + Storage Account, GCP Cloud SQL, airgapped vendoring), debugging table for common errors, pinning guidance, explicit non-goals. Root README and the firewall-automation-guide GitOps section now point at the module.

Test plan

  • terraform fmt -check -recursive passes
  • terraform validate passes
  • terraform test 9/9 passing locally
  • CI runs same on this PR (added .github/workflows/terraform.yml)
  • Smoke-test from a downstream consumer module by SHA-pinning
  • Tag v2026.05.05 after merge so README's ?ref= examples are valid

Follow-up (separate PR)

Security plumbing — SHA256SUMS manifest, signed tags, branch protection, hash verification in the module, SECURITY.md threat model.

Adds a Terraform module at terraform/ that exposes Databricks CIDRs
(per cloud, per region) as a sorted, deduplicated list. Owns CIDR
sourcing only — customers write their own target resources (managed
prefix lists, IP groups, storage account network rules, etc.) using
whatever provider versions they already have. Keeps the module ~50
HCL lines and avoids per-target version-pin maintenance.

Module features:
- Inputs: cloud (validated), regions (regex-validated), source_base_url
  (URL mode), source_files (airgapped/vendored mode), min_cidr_count
  (lockout guard, default 1).
- Outputs: cidrs (sorted+distinct), cidr_count, source (diagnostic).
- Fail-closed: rejects empty feeds (lockout guard), non-CIDR content
  (HTML/JSON-by-mistake), HTTP non-200, invalid input formats. Every
  error message is actionable, names the bad value, points at the fix.

Tests: 9 native `terraform test` runs covering happy path, multi-file
union, comment/blank stripping, deduplication, input validation
rejections, lockout guard (on and off), non-CIDR rejection. All use
local fixtures — no network, runs in seconds.

CI: .github/workflows/terraform.yml runs fmt -check, validate, and
test on every PR touching terraform/.

Docs: terraform/README.md (no-nonsense — quickstart, inputs/outputs
tables, per-cloud examples, debugging table, pinning guidance,
explicit non-goals). Root README and firewall-automation-guide
GitOps section now point at the module.
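The fail-closed sourcing the PR describes (comment/blank stripping, multi-file union, dedup + sort, non-CIDR rejection, lockout guard) as an added Python example, not the module's own HCL; the fixture file names and contents and the inline-comment handling are assumptions.

```python
import ipaddress
from dataclasses import dataclass

class PreflightError(ValueError):
    """Fail closed: a feed that would empty or poison the allow-list is refused."""

@dataclass
class CidrSource:
    cidrs: list[str]   # sorted + distinct (the module's `cidrs` output)
    cidr_count: int
    source: list[str]  # diagnostic: which inputs were actually read

def parse_feed(name: str, text: str) -> list[str]:
    """Strip comments/blank lines; reject any line that is not a CIDR.
    Assumption: '#' starts a comment anywhere on a line."""
    cidrs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ipaddress.ip_network(line, strict=True)
        except ValueError:
            # HTML/JSON served where a plain-text CIDR list was expected.
            raise PreflightError(
                f"{name}:{lineno}: {line!r} is not a CIDR; check the source "
                "URL/file points at the plain-text list, not an error page"
            ) from None
        cidrs.append(line)
    return cidrs

def source_cidrs(files: dict[str, str], min_cidr_count: int = 1) -> CidrSource:
    """Union all feeds, dedupe, sort (lexicographic, like Terraform sort()), apply guard."""
    merged: list[str] = []
    for name, text in files.items():
        merged.extend(parse_feed(name, text))
    cidrs = sorted(set(merged))
    if len(cidrs) < min_cidr_count:
        raise PreflightError(
            f"only {len(cidrs)} CIDR(s) read from {list(files)}, below "
            f"min_cidr_count={min_cidr_count}; set min_cidr_count = 0 to permit empty"
        )
    return CidrSource(cidrs, len(cidrs), list(files))

# Constructed fixtures (not real Databricks CIDRs): comments, blanks, a duplicate.
FIXTURES = {
    "aws/us-east-1.txt": "# constructed\n3.0.0.0/24\n\n10.1.0.0/16  # inline\n",
    "aws/us-west-2.txt": "10.1.0.0/16\n192.168.0.0/22\n",
}
```

With `FIXTURES` the result is three distinct CIDRs; an all-comment feed raises under the default guard and passes only with `min_cidr_count=0`, and an HTML body is rejected before anything is returned.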
@bhavink bhavink merged commit 790e605 into main May 5, 2026
4 checks passed
@bhavink bhavink deleted the feat/terraform-module branch May 5, 2026 15:37