Conversation

@mamu0 (Contributor) commented Sep 25, 2025

This PR introduces a fully automated mechanism for generating and maintaining architecture diagrams for Terraform modules using AI. Key changes include:

  • Added the custom GitHub Action convert-mermaid-into-svg for converting Mermaid diagrams to SVG.
  • Updated the download-artifact action to make file_path optional.
  • Created two new CI/CD workflows for automatic graph generation:
    • CI workflow: detects changed .dot files, uses Azure Foundry (GPT-4o mini) to convert Terraform-generated DOT graphs into Mermaid diagrams, and posts the results as an artifact.
    • CD workflow: downloads the artifact when the PR is closed, injects the generated Mermaid diagrams into the corresponding README.md files and opens a new PR with the updates.
  • Modified the subrepo push workflow to use the new SVG conversion action (the Terraform Registry doesn't support Mermaid, so it is converted into an image automatically by a CLI command).
  • Added a script (generate-terraform-graphs.sh) to generate .dot files for changed modules, integrated into the pre-commit hook.
  • Updated all module README.md files to include a dedicated "Diagram" section with a trigger for the generated Mermaid diagrams.
  • Added a first .dot for each module, so when this PR is merged all generated Mermaid diagrams will be added in a new PR.

Resolves: CES-1166
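The CD workflow described above takes model-generated Mermaid and writes it into README.md files that then land in a new PR. As an added example (not code from this PR or its workflows), here is a small gate for that step: it accepts only the plain flowchart syntax the diagram previews below use (a `graph` header, `subgraph`/`end`, quoted-label nodes and `-->` edges), rejects anything else such as `click`, `style` or `%%{init}%%` directives, and replaces the diagram between two README marker comments idempotently. The marker comments, function names and the sample README are assumptions, not taken from the repository.

```python
import re

# Accepted Mermaid flowchart syntax, limited to what the generated previews use:
# a "graph <direction>" header, subgraph/end blocks, node definitions id["label"]
# and plain edges a --> b. Anything else (click, style or %%{init}%% directives,
# HTML in labels) is reported so the CD step can refuse to open a PR with it.
HEADER = re.compile(r"^graph\s+(LR|RL|TD|TB|BT)$")
SUBGRAPH = re.compile(r"^subgraph\s+[\w ]+$")
NODE = re.compile(r'^\w+\["[\w ./-]*"\]$')
EDGE = re.compile(r"^\w+\s*-->\s*\w+$")
# Assumed marker comments in the README "Diagram" section (not from the PR).
START, END = "<!-- diagram:start -->", "<!-- diagram:end -->"
FENCE = "`" * 3

def validate_mermaid(text: str) -> list[str]:
    """Return a list of problems; an empty list means the diagram is acceptable."""
    problems = []
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not HEADER.match(lines[0]):
        problems.append("first line must be a 'graph <direction>' header")
    depth = 0
    for number, line in enumerate(lines[1:], start=2):
        if not line:
            continue
        if line == "end":
            depth -= 1
            if depth < 0:
                problems.append(f"line {number}: 'end' without a subgraph")
        elif SUBGRAPH.match(line):
            depth += 1
        elif not (NODE.match(line) or EDGE.match(line)):
            problems.append(f"line {number}: unsupported syntax: {line!r}")
    if depth > 0:
        problems.append("unclosed subgraph")
    return problems

def inject_diagram(readme: str, mermaid: str) -> str:
    """Replace the text between the markers with the validated, fenced diagram.
    Raises ValueError (writing nothing) on a bad diagram or missing markers;
    re-running with the same diagram leaves the README unchanged."""
    problems = validate_mermaid(mermaid)
    if problems:
        raise ValueError("; ".join(problems))
    if START not in readme or END not in readme:
        raise ValueError("README has no diagram markers")
    head, rest = readme.split(START, 1)
    _, tail = rest.split(END, 1)
    block = f"{START}\n{FENCE}mermaid\n{mermaid.strip()}\n{FENCE}\n{END}"
    return head + block + tail
```

Because the function raises instead of writing a partial result, a rejected diagram leaves the README untouched and the workflow can surface the problem list in its job log.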


changeset-bot bot commented Sep 25, 2025

🦋 Changeset detected

Latest commit: 145e93d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 28 packages
Name Type
github_selfhosted_runner_on_container_app_jobs Patch
github_selfhosted_runner_on_codebuild Patch
azure_federated_identity_with_github Patch
azure_github_environment_bootstrap Patch
azure_app_service_plan_autoscaler Patch
aws_github_environment_bootstrap Patch
azure_container_app_environment Patch
github_environment_bootstrap Patch
azure_service_bus_namespace Patch
azure_core_values_exporter Patch
azure_function_app_exposed Patch
azure_app_service_exposed Patch
aws_core_values_exporter Patch
azure_service_bus_alerts Patch
azure_naming_convention Patch
azure_app_service_plan Patch
azure_role_assignments Patch
azure_postgres_server Patch
azure_storage_account Patch
azure_api_management Patch
azure_cosmos_account Patch
azure_container_app Patch
azure_function_app Patch
azure_app_service Patch
azure_core_infra Patch
azure_event_hub Patch
aws_core_infra Patch
azure_cdn Patch



Diagram preview for module in infra/modules/azure_federated_identity_with_github

graph LR
  subgraph Continuous Deployment
    cdFedCred["Federated Identity Credential CD GitHub"]
    cdIdentity["User Assigned Identity CD"]
    cdRoleRg["Role Assignment CD Resource Group"]
    cdRoleSub["Role Assignment CD Subscription"]
    cdRg["Resource Group CD Details"]
  end

  subgraph Continuous Integration
    ciFedCred["Federated Identity Credential CI GitHub"]
    ciIdentity["User Assigned Identity CI"]
    ciRoleRg["Role Assignment CI Resource Group"]
    ciRoleSub["Role Assignment CI Subscription"]
    ciRg["Resource Group CI Details"]
  end

  cdFedCred --> cdIdentity
  cdRoleRg --> cdRg
  cdRoleRg --> cdIdentity
  cdRoleSub --> cdIdentity

  ciFedCred --> ciIdentity
  ciRoleRg --> ciRg
  ciRoleRg --> ciIdentity
  ciRoleSub --> ciIdentity


📋 Pre-commit Output Log
[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
Lock Terraform Registry modules..................................(no files to check)Skipped
Terraform Providers Lock (on staged .terraform.lock.hcl files).......................Passed
- hook id: terraform_providers_lock_staged
- duration: 0.08s

No .terraform.lock.hcl files to process.

Generate Terraform Graph.............................................................Passed
Terraform fmt....................................................(no files to check)Skipped
terraform_docs on modules............................................................Passed
terraform_docs on resources......................................(no files to check)Skipped
Terraform validate with tflint...................................(no files to check)Skipped
Terraform validate...............................................(no files to check)Skipped
Terraform validate with trivy....................................(no files to check)Skipped

Generated on Fri Sep 26 15:22:12 UTC 2025
Run all checks on modified files


Diagram preview for module in infra/modules/azure_function_app

graph LR

subgraph Function Apps
  FunctionApp["Linux Function App"]
  FunctionAppSlot["Linux Function App Slot"]
  ServicePlan["Service Plan"]
end

subgraph Storage Accounts
  DurableFunctionStorage["Durable Function Storage"]
  StandardStorage["Storage Account"]
  NetworkRulesStandardStorage["Storage Account Network Rules"]
  NetworkRulesDurableStorage["Durable Function Storage Network Rules"]
end

subgraph Networking
  VirtualNetwork["Virtual Network"]
  Subnet["Subnet"]
  PrivateEndpointFunctionSites["Private Endpoint Function Sites"]
  PrivateEndpointStorageBlob["Private Endpoint Storage Blob"]
  PrivateEndpointStorageFile["Private Endpoint Storage File"]
  PrivateEndpointStorageQueue["Private Endpoint Storage Queue"]
  PrivateEndpointStagingFunctionSites["Private Endpoint Staging Function Sites"]
  PrivateEndpointDurableBlob["Private Endpoint Durable Function Blob"]
  PrivateEndpointDurableFile["Private Endpoint Durable Function File"]
  PrivateEndpointDurableQueue["Private Endpoint Durable Function Queue"]
  PrivateEndpointDurableTable["Private Endpoint Durable Function Table"]
end

subgraph DNS Zones
  DNSFunctionApp["Private DNS Zone Function App"]
  DNSStorageBlob["Private DNS Zone Storage Blob"]
  DNSStorageFile["Private DNS Zone Storage File"]
  DNSStorageQueue["Private DNS Zone Storage Queue"]
  DNSStorageTable["Private DNS Zone Storage Table"]
end

subgraph Monitoring
  AlertFunctionAppHealth["Metric Alert Function App Health Check"]
  AlertStorageHealth["Metric Alert Storage Account Health Check"]
end

subgraph Role Assignments
  RAFSDurableBlobContributor["Durable Function Storage Blob Data Contributor"]
  RAFSDurableQueueContributor["Durable Function Storage Queue Data Contributor"]
  RAFSDurableTableContributor["Durable Function Storage Table Data Contributor"]
  RAFunctionStorageAccountContributor["Function Storage Account Contributor"]
  RAFSBlobDataOwner["Function Storage Blob Data Owner"]
  RAFSQueueContributor["Function Storage Queue Data Contributor"]
  RAFSStagingDurableBlobContributor["Staging Durable Function Storage Blob Data Contributor"]
  RAFSStagingDurableQueueContributor["Staging Durable Function Storage Queue Data Contributor"]
  RAFSStagingDurableTableContributor["Staging Durable Function Storage Table Data Contributor"]
  RAFSStagingStorageAccountContributor["Staging Function Storage Account Contributor"]
  RAFSStagingBlobDataOwner["Staging Function Storage Blob Data Owner"]
  RAFSStagingQueueDataContributor["Staging Function Storage Queue Data Contributor"]
end

FunctionApp --> PrivateEndpointStorageBlob
FunctionApp --> PrivateEndpointStorageFile
FunctionApp --> PrivateEndpointStorageQueue
FunctionApp --> ServicePlan
FunctionApp --> DurableFunctionStorage
FunctionApp --> Subnet

FunctionAppSlot --> FunctionApp

AlertFunctionAppHealth --> FunctionApp
AlertStorageHealth --> StandardStorage

PrivateEndpointFunctionSites --> DNSFunctionApp
PrivateEndpointFunctionSites --> FunctionApp

PrivateEndpointStorageBlob --> DNSStorageBlob
PrivateEndpointStorageBlob --> StandardStorage

PrivateEndpointStorageFile --> DNSStorageFile
PrivateEndpointStorageFile --> StandardStorage

PrivateEndpointStorageQueue --> DNSStorageQueue
PrivateEndpointStorageQueue --> StandardStorage

PrivateEndpointStagingFunctionSites --> DNSFunctionApp
PrivateEndpointStagingFunctionSites --> FunctionAppSlot

PrivateEndpointDurableBlob --> DNSStorageBlob
PrivateEndpointDurableBlob --> DurableFunctionStorage

PrivateEndpointDurableFile --> DNSStorageFile
PrivateEndpointDurableFile --> DurableFunctionStorage

PrivateEndpointDurableQueue --> DNSStorageQueue
PrivateEndpointDurableQueue --> DurableFunctionStorage

PrivateEndpointDurableTable --> DNSStorageTable
PrivateEndpointDurableTable --> DurableFunctionStorage

RAFSDurableBlobContributor --> FunctionApp
RAFSDurableQueueContributor --> FunctionApp
RAFSDurableTableContributor --> FunctionApp
RAFunctionStorageAccountContributor --> FunctionApp
RAFSBlobDataOwner --> FunctionApp
RAFSQueueContributor --> FunctionApp

RAFSStagingDurableBlobContributor --> FunctionAppSlot
RAFSStagingDurableQueueContributor --> FunctionAppSlot
RAFSStagingDurableTableContributor --> FunctionAppSlot
RAFSStagingStorageAccountContributor --> FunctionAppSlot
RAFSStagingBlobDataOwner --> FunctionAppSlot
RAFSStagingQueueDataContributor --> FunctionAppSlot

NetworkRulesStandardStorage --> FunctionApp
NetworkRulesDurableStorage --> FunctionApp

Subnet --> VirtualNetwork
