Blueprints¶
Blueprints are reference compositions showing which modules belong to each maturity tier and how they connect. Each blueprint is an annotated root stack pattern: copy it into envs/<your-env>/ as the starting point for a new environment stack.
Documentation Artifacts
Blueprints are not executable Terraform stacks. They are annotated reference files that mirror the real module composition pattern used by every TenantZero environment stack.
Tier Model¶
Each tier is additive — Enterprise extends Foundation, Regulated extends Enterprise.
Foundation
└── VNet, private endpoints, OpenAI, AI Search, data, Key Vault, Log Analytics
Enterprise (adds)
└── Policy baseline, cost-center tags, full diagnostics, governance hooks
Regulated (adds)
└── Private AKS, CMK encryption, 365-day retention, strict policy flags
Tier Comparison¶
| Capability | Foundation | Enterprise | Regulated |
|---|---|---|---|
| VNet + private endpoints | Yes | Yes | Yes |
| Azure OpenAI + AI Search | Yes | Yes | Yes |
| Data profile (Cosmos/Postgres) | Yes | Yes | Yes |
| Key Vault (RBAC, purge protection) | Yes | Yes | Yes |
| Log Analytics + diagnostics | Yes | Yes | Yes |
| Policy baseline | - | Yes | Yes |
| Cost-center tag | - | Yes | Yes |
| Customer-managed keys (CMK) | - | - | Yes |
| Private AKS | - | - | Yes |
| 365-day log retention | - | - | Yes |
| Explicit policy flags | - | - | Yes |
Composition Pattern¶
Every blueprint follows the same composition pattern:
- Service module creates the Azure resource (e.g., `module "openai"`)
- PE module wires a private endpoint to it (e.g., `module "pe_openai"`)
- The PE module references the service module's `resource_id` output
- DNS zone IDs come from the shared `private_dns` module
The root stack is the only place that knows how modules connect. Modules never reference each other directly.
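The pattern above, written out as a root stack fragment. This is an added illustration, not a file from the TenantZero repository or one of its blueprints: the module source paths, the `module "network"` block and its outputs, the `zone_ids` output of `private_dns`, and every input variable name except the `resource_id` output named on this page are assumptions chosen for the example.

```hcl
# Added example of the root-stack composition pattern. Everything except the
# module names openai, pe_openai and private_dns and the resource_id output is
# assumed (source paths, variable and output names).

module "network" {
  source = "../../modules/network" # assumed path and outputs
  name   = "vnet-${var.env}"
}

# Shared DNS module: owns the privatelink zones and their VNet links, so every
# PE module resolves against the same zone set.
module "private_dns" {
  source  = "../../modules/private_dns" # assumed path
  vnet_id = module.network.vnet_id      # assumed output
  zones   = ["privatelink.openai.azure.com"]
}

# Service module: creates the Azure resource and exposes its ARM id.
module "openai" {
  source              = "../../modules/openai" # assumed path
  name                = "oai-${var.env}"
  resource_group_name = var.resource_group_name
  location            = var.location
  # Assumed knob. Without it the private endpoint adds a private path but
  # leaves the public one open; the PE is only a hardening measure when the
  # service itself refuses public traffic.
  public_network_access_enabled = false
}

# PE module: consumes the service module's resource_id output. This is the
# only coupling between the two, and it lives here in the root stack; the PE
# module never reads the OpenAI resource directly.
module "pe_openai" {
  source              = "../../modules/private_endpoint" # assumed path
  name                = "pe-oai-${var.env}"
  resource_group_name = var.resource_group_name
  location            = var.location
  subnet_id           = module.network.pe_subnet_id # assumed output

  private_connection_resource_id = module.openai.resource_id
  subresource_names              = ["account"] # group id for Azure OpenAI PEs

  # Zone ids come from the shared private_dns module, never from a zone the
  # PE module creates for itself.
  private_dns_zone_ids = [
    module.private_dns.zone_ids["privatelink.openai.azure.com"], # assumed output shape
  ]
}
```

A quick check that the root stack really is the only coupling point: a search of the module directory for `module.` references should return nothing, since only root stacks are allowed to reference other modules' outputs. If a module starts importing another module's outputs directly, the blueprint no longer describes how the environment is wired.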
Blueprints¶
- Foundation Tier — Minimum viable private AI deployment
- Enterprise Tier — Governance, policy, full observability
- Regulated Tier — CMK, private compute, compliance retention