
Conversation

@ytimocin ytimocin commented Nov 18, 2025

Description

  • Add Radius.Core terraformSettings/bicepSettings TypeSpec resources, wire new env properties, and generate the preview SDK/OpenAPI/types.
  • TerraformSettings matches the terraformrc/backend/env/logging shape in the design doc.
  • BicepSettings now supports per-registry auth blocks for Basic (username/password secret), Azure Workload Identity (clientId/tenantId/secret), and AWS IRSA (roleArn/secret), with matching Go datamodels. (Codegen for the new Bicep auth shape still needs to be rerun.)

Examples:

```bicep
resource corpTerraformSettings 'Radius.Core/terraformSettings@2025-08-01-preview' = {
  name: 'corpTerraformSettings'
  properties: {
    terraformrc: {
      provider_installation: {
        network_mirror: {
          url: 'https://mirror.corp.example.com/terraform/providers'
          include: ['*']
          exclude: ['hashicorp/azurerm']
        }
        direct: {
          exclude: ['hashicorp/azurerm']
        }
      }
      credentials: {
        'app.terraform.io': {
          secret: '/planes/radius/local/providers/Radius.Security/secrets/tfc-token'
        }
      }
    }
    backend: {
      type: 'kubernetes'
      config: {
        secret_suffix: 'prod-terraform-state'
        namespace: 'radius-system'
      }
    }
    env: {
      TF_LOG: 'TRACE'
      TF_REGISTRY_CLIENT_TIMEOUT: '15'
    }
    logging: {
      level: 'TRACE'
    }
  }
}

resource corpBicepSettings 'Radius.Core/bicepSettings@2025-08-01-preview' = {
  name: 'corpBicepSettings'
  properties: {
    authentication: {
      registries: {
        'bicep.azurecr.io': {
          basic: {
            username: 'bicep-user'
            secret: '/planes/radius/local/providers/Radius.Security/secrets/azurecr-creds'
          }
        }
        'modules.aws.corp.example.com': {
          awsIrsa: {
            roleArn: 'arn:aws:iam::123456789012:role/RadiusBicepModules'
            secret: '/planes/radius/local/providers/Radius.Security/secrets/aws-irsa-token'
          }
        }
        'internal.corp.example.com': {
          azureWorkloadIdentity: {
            clientId: '00000000-0000-0000-0000-000000000123'
            tenantId: '11111111-1111-1111-1111-111111111111'
            secret: '/planes/radius/local/providers/Radius.Security/secrets/internal-wi-token'
          }
        }
      }
    }
  }
}
```

Type of change

  • This pull request adds or changes features of Radius and has an approved issue (issue link required).

Fixes: #issue_number

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • Not applicable
  • A design document PR is created in the design-notes repository, if new APIs are being introduced.
    • Yes
    • Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • Not applicable
  • A PR for the samples repository is created, if existing samples are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable
  • A PR for the recipes repository is created, if existing recipes are affected by the changes in this PR.
    • Yes
    • Not applicable
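The security-relevant property of the `terraformrc` block in the description is that the settings resource carries only references to `Radius.Security/secrets` resources, never the tokens themselves, and that something has to resolve those references and turn the block into a real Terraform CLI configuration file. The following Go program is an added example written for this page; it is not code from this PR or from the Radius project. It renders the `provider_installation` and `credentials` sections of the example above into `.terraformrc` syntax, enforcing three checks a practitioner would want: the mirror URL must be HTTPS, each `credentials` key must be a bare hostname (Terraform keys the block by hostname, not URL), and each `secret` value must look like a `Radius.Security/secrets` resource ID rather than an inline token. The struct names, the secret-ID regular expression, the `SecretResolver` type and the in-memory `ConstructedResolver` are all assumptions for the example; the real datamodel and secret store are different.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Assumed shapes mirroring the terraformrc block of the terraformSettings resource
// in the PR description; these are not the generated Radius datamodel types.
type NetworkMirror struct {
	URL              string
	Include, Exclude []string
}
type Direct struct{ Include, Exclude []string }
type ProviderInstallation struct {
	NetworkMirror *NetworkMirror
	Direct        *Direct
}

// CredentialRef carries only a reference to a secret resource, never the token.
type CredentialRef struct{ Secret string }

type TerraformRC struct {
	ProviderInstallation *ProviderInstallation
	Credentials          map[string]CredentialRef // keyed by bare hostname
}

// SecretResolver looks up the token behind a secret reference (assumed interface;
// in Radius this would be the secret store).
type SecretResolver func(ref string) (string, error)

// Assumed: only secret IDs of this shape may be referenced from terraformrc.
var secretRefPattern = regexp.MustCompile(`^/planes/radius/[^/]+/providers/Radius\.Security/secrets/[^/]+$`)

// Terraform's credentials block is keyed by hostname: reject schemes, ports and paths.
var hostnamePattern = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)

// hclList renders a Go slice as an HCL list of quoted strings.
func hclList(items []string) string {
	q := make([]string, len(items))
	for i, s := range items {
		q[i] = fmt.Sprintf("%q", s)
	}
	return "[" + strings.Join(q, ", ") + "]"
}

// writeRules emits the include/exclude attributes shared by network_mirror and direct.
func writeRules(b *strings.Builder, include, exclude []string) {
	if len(include) > 0 {
		fmt.Fprintf(b, "    include = %s\n", hclList(include))
	}
	if len(exclude) > 0 {
		fmt.Fprintf(b, "    exclude = %s\n", hclList(exclude))
	}
}

// RenderTerraformRC validates the settings and returns Terraform CLI configuration.
// The result contains live tokens: write it with mode 0600 and never log it.
func RenderTerraformRC(rc TerraformRC, resolve SecretResolver) (string, error) {
	var b strings.Builder
	if pi := rc.ProviderInstallation; pi != nil {
		b.WriteString("provider_installation {\n")
		if m := pi.NetworkMirror; m != nil {
			if !strings.HasPrefix(m.URL, "https://") {
				return "", fmt.Errorf("network_mirror url must be https, got %q", m.URL)
			}
			fmt.Fprintf(&b, "  network_mirror {\n    url     = %q\n", m.URL)
			writeRules(&b, m.Include, m.Exclude)
			b.WriteString("  }\n")
		}
		if d := pi.Direct; d != nil {
			b.WriteString("  direct {\n")
			writeRules(&b, d.Include, d.Exclude)
			b.WriteString("  }\n")
		}
		b.WriteString("}\n")
	}
	hosts := make([]string, 0, len(rc.Credentials))
	for h := range rc.Credentials {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts) // deterministic output
	for _, h := range hosts {
		if !hostnamePattern.MatchString(h) {
			return "", fmt.Errorf("credentials key %q is not a bare hostname", h)
		}
		ref := rc.Credentials[h].Secret
		if !secretRefPattern.MatchString(ref) {
			return "", fmt.Errorf("credentials for %q: %q is not a Radius.Security secret reference", h, ref)
		}
		token, err := resolve(ref)
		if err != nil {
			return "", fmt.Errorf("resolving %s for %q: %w", ref, h, err)
		}
		if strings.TrimSpace(token) == "" {
			return "", fmt.Errorf("secret %s for %q is empty", ref, h)
		}
		fmt.Fprintf(&b, "credentials %q {\n  token = %q\n}\n", h, token)
	}
	return b.String(), nil
}

// ExampleSettings reproduces the corpTerraformSettings terraformrc block from the PR description.
func ExampleSettings() TerraformRC {
	return TerraformRC{
		ProviderInstallation: &ProviderInstallation{
			NetworkMirror: &NetworkMirror{URL: "https://mirror.corp.example.com/terraform/providers", Include: []string{"*"}, Exclude: []string{"hashicorp/azurerm"}},
			Direct:        &Direct{Exclude: []string{"hashicorp/azurerm"}},
		},
		Credentials: map[string]CredentialRef{"app.terraform.io": {Secret: "/planes/radius/local/providers/Radius.Security/secrets/tfc-token"}},
	}
}

// ConstructedResolver is a stand-in secret store holding one constructed token.
func ConstructedResolver(ref string) (string, error) {
	if ref == "/planes/radius/local/providers/Radius.Security/secrets/tfc-token" {
		return "constructed-tfc-token", nil
	}
	return "", errors.New("secret not found")
}

func main() {
	out, err := RenderTerraformRC(ExampleSettings(), ConstructedResolver)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Because the rendered file is the only place the token exists in plaintext, a real implementation would write it to a per-recipe working directory with restrictive permissions and point Terraform at it with `TF_CLI_CONFIG_FILE`, rather than writing to the user's home directory.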

@kachawla kachawla left a comment

@ytimocin could you share a link to the design doc for this, if we have one? If not, a GitHub issue link where the expected user experience is defined would be great!

@ytimocin ytimocin (Contributor Author) replied:

> @ytimocin could you share a link to the design doc for this, if we have one? If not, a GitHub issue link where the expected user experience is defined would be great!

radius-project/design-notes#117

@ytimocin ytimocin changed the base branch from main to features/terraform-bicep-settings November 20, 2025 20:35
@ytimocin ytimocin force-pushed the ytimocin/terraform-bicep-settings/env-typespec-datamodel branch from 713613f to 2eebf49 Compare November 20, 2025 20:36
codecov bot commented Nov 20, 2025

Codecov Report

❌ Patch coverage is 66.66667% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.40%. Comparing base (f8770e9) to head (adf547e).
⚠️ Report is 37 commits behind head on features/terraform-bicep-settings.

Files with missing lines | Patch % | Lines
--- | --- | ---
...corerp/datamodel/bicepsettings_v20250801preview.go | 0.00% | 2 Missing ⚠️
...rp/datamodel/terraformsettings_v20250801preview.go | 0.00% | 2 Missing ⚠️
Additional details and impacted files
@@                          Coverage Diff                          @@
##           features/terraform-bicep-settings   #10832      +/-   ##
=====================================================================
- Coverage                              50.40%   50.40%   -0.01%     
=====================================================================
  Files                                    664      666       +2     
  Lines                                  41277    41289      +12     
=====================================================================
+ Hits                                   20807    20813       +6     
- Misses                                 18497    18502       +5     
- Partials                                1973     1974       +1     


Signed-off-by: ytimocin <ytimocin@microsoft.com>
@ytimocin ytimocin force-pushed the ytimocin/terraform-bicep-settings/env-typespec-datamodel branch from 2eebf49 to adf547e Compare November 21, 2025 01:50
radius-functional-tests bot commented Nov 21, 2025

Radius functional test overview

  • Repository: ytimocin/radius
  • Commit ref: adf547e
  • Unique ID: func084425fed0
  • Image tag: pr-func084425fed0
  • gotestsum 1.13.0
  • KinD: v0.29.0
  • Dapr:
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func084425fed0
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func084425fed0
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func084425fed0
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-func084425fed0
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func084425fed0
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting ucp-cloud functional tests...
⌛ Starting corerp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

Comment on lines +73 to +74
```typespec
credentials?: Record<TerraformCredentialConfiguration>;
}
```

Contributor:

Looking at the design, should this also include a key for the url/hostname: `Record<string, TerraformCredentialConfiguration>`?

```
credentials: [
  <url>: {
    secret: providerSecret.id
  }
]
```

https://github.com/radius-project/design-notes/blob/84c37201a020e5ddfbb514cfe9d0cfd483260dde/features/2025-08-14-terraform-bicep-settings.md

Comment on lines +112 to +120
```typespec
#suppress "@azure-tools/typespec-azure-core/bad-record-type"
@doc("Terraform backend configuration matching the terraform block.")
model TerraformBackendConfiguration extends Record<unknown> {
  @doc("Backend type (for example 'kubernetes').")
  type: string;

  @doc("Backend-specific configuration values.")
  config?: Record<unknown>;
}
```

Contributor:

Do backend config values ever need to be anything other than strings? I think Terraform passes all backend settings as `map[string]string`, so we should tighten this to `Record<string>` instead of an open map.

```typespec
provisioningState?: ProvisioningState;

@doc("Authentication settings for private registries.")
authentication?: BicepAuthenticationConfiguration;
```

Contributor:

Just to confirm: the example schema in the design doc has it as "registryAuthentication". Did we decide to change it to "authentication"?

```go
// Providers specifies the Terraform provider configurations. Controls how Terraform interacts with cloud providers, SaaS providers, and other APIs: https://developer.hashicorp.com/terraform/language/providers/configuration.// Providers specifies the Terraform provider configurations.
Providers map[string][]ProviderConfigProperties `json:"providers,omitempty"`

// ProviderMirror specifies the Terraform provider mirror configuration.
```

Contributor:

Could you please add a link to the relevant Terraform docs here for reference?

```go
ModuleRegistries map[string]*TerraformModuleRegistryConfig `json:"moduleRegistries,omitempty"`

// Version specifies the Terraform binary version and the URL to download it from.
Version *TerraformVersionConfig `json:"version,omitempty"`
```

Contributor:

Should we rename it to be more explicit?

Suggested change:

```diff
- Version *TerraformVersionConfig `json:"version,omitempty"`
+ Version *TerraformBinaryConfig `json:"version,omitempty"`
```

```go
type TerraformModuleRegistryConfig struct {
	// URL is the URL of the module registry.
	// Example: 'app.terraform.io' for Terraform Cloud or 'terraform.example.com' for Terraform Enterprise
	URL string `json:"url,omitempty"`
```

Contributor:

Is this a fixed list of URLs or open ended?

```go
ProviderMappings map[string]string `json:"providerMappings,omitempty"`

// Authentication configuration for accessing private Terraform provider mirrors.
Authentication RegistryAuthConfig `json:"authentication,omitempty"`
```

Contributor:

Why is the provider mirror using the module registry auth? They are different protocols and potentially different hosts.

```go
// Authentication configuration for accessing private Terraform provider mirrors.
Authentication RegistryAuthConfig `json:"authentication,omitempty"`

// TLS configuration for connecting to the Terraform provider registry mirror or for downloading the filesystem mirror.
```

Contributor:

Terraform has module registries and provider mirrors, provider registry mirror is confusing.

```go
Authentication RegistryAuthConfig `json:"authentication,omitempty"`

// TLS configuration for connecting to the Terraform provider registry mirror or for downloading the filesystem mirror.
TLS *TLSConfig `json:"tls,omitempty"`
```

Contributor:

What is the scenario for TLS config here? In the situation where users have an internal CA we use an init container to add the internal CA certs to the Radius container root CA directory.

Contributor Author:

We are not going to have init container anymore.

```go
type TLSConfig struct {
	// CACertificate is a reference to a secret containing a custom CA certificate bundle to use for TLS verification.
	// The secret must contain a key named 'ca-cert' with the PEM-encoded certificate bundle.
	CACertificate *SecretReference `json:"caCertificate,omitempty"`
```

Contributor:

This must be done at the container level.

```go
}

// TerraformProviderInstallationConfiguration describes network mirror and direct rules.
type TerraformProviderInstallationConfiguration struct {
```

Contributor:

This looks like a Terraform Provider Mirror has been split into two abstractions; ProviderInstallation and NetworkMirror. Why?

```go
}

// TerraformDirectInstallationConfiguration controls direct installation rules.
type TerraformDirectConfiguration struct {
```

Contributor:

What is a direct installation?

@vishwahiremat vishwahiremat (Contributor) commented:

Could you please run `make generate` again? I see the fake clients for Bicep/Terraform settings are not generated: https://github.com/radius-project/radius/blob/9bdba6ff49102ed7dfd4ce78d0fe82b1886fccf4/pkg/corerp/api/v20250801preview/fake

@ytimocin ytimocin closed this Jan 7, 2026
@ytimocin ytimocin deleted the ytimocin/terraform-bicep-settings/env-typespec-datamodel branch January 7, 2026 05:17