When to write a module

Hello everyone!
I need to configure a new business logic on
Azure, which should be composed of a few resources:

Service principal
Managed identity
RG with a KV
Another RG with SA
Role assignments

It will be configured on 3 different environments with separated configurations (main.tf)

I struggle to decide whether to put those resources together in one module or to create separated modules/resources and use input variables for the dependencies.

A few considerations for creating 1 module are to encapsulate this component and reduce code duplication, which will make it easier to manage.
On the other hand, there might be future needs for the same resource types, and therefore by breaking it into small parts I could use them for other use cases (with for_each for example).

I spent some time reading the docs and best practices, and I might be missing the whole point of creating a module here, but I just feel like using the same resource types for every new logic that comes up is not scalable.

Would appreciate any thoughts or experiences to help me decide which approach is better.

While there are always exceptions, in general modules are best used where you have several different Terraform resources bundled together to achieve a specific outcome, rather than only containing a single resource. The main advantages of using modules are the code reuse (potentially across multiple root modules), enforcement of an API (via outputs & variables) and segmentation of the code.

I’d suggest looking at the different resources you listed and deciding if any of them live together, in which case a module might be a good idea. You might also find that the module should contain everything (or have multiple levels of modules) if you are wanting to have multiple nearly identical environments.

I’d also caution against designing things for a possible future use case, as often that never appears (or is materially different from the expectation designed for). If something does come up in the future you can always refactor your existing code, instead of living with complexity now that isn’t needed.
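As an added illustration of the module shape described in this reply (an example written for this thread, not code posted by either participant), here is a module that bundles the resource group, Key Vault, managed identity and a scoped role assignment behind a small API of variables and outputs, plus a per-environment root module that calls it. The module path, variable names, resource names, the "Key Vault Secrets User" role choice and the azurerm v3 attribute names are assumptions; the environment values are constructed.

```hcl
# modules/secure-workload/variables.tf  (assumed module name; the module's input API)
variable "name"      { type = string }
variable "location"  { type = string }
variable "tenant_id" { type = string }

# modules/secure-workload/main.tf
resource "azurerm_resource_group" "kv" {
  name     = "rg-${var.name}-kv"
  location = var.location
}

# The workload's identity lives in the module, so every environment gets its own.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-${var.name}"
  location            = var.location
  resource_group_name = azurerm_resource_group.kv.name
}

resource "azurerm_key_vault" "this" {
  name                      = "kv-${var.name}"   # must be globally unique, 3-24 chars
  location                  = var.location
  resource_group_name       = azurerm_resource_group.kv.name
  tenant_id                 = var.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true   # azurerm v3 name; use Azure RBAC, not access policies
  purge_protection_enabled  = true   # deleted vaults/secrets cannot be force-purged
}

# Least privilege: the identity can only read secrets, and only from this vault.
# Scoping to the vault id (not the subscription or resource group) keeps the
# grant inside the module's boundary.
resource "azurerm_role_assignment" "kv_secrets_user" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

# modules/secure-workload/outputs.tf  (the module's output API; callers
# never reach into internal resource addresses)
output "identity_principal_id" { value = azurerm_user_assigned_identity.app.principal_id }
output "identity_id"           { value = azurerm_user_assigned_identity.app.id }
output "key_vault_id"          { value = azurerm_key_vault.this.id }

# envs/dev/main.tf  (one root module per environment; prod/staging differ only
# in the values passed here, which is where the code reuse comes from)
data "azurerm_client_config" "current" {}

module "workload" {
  source    = "../../modules/secure-workload"
  name      = "billing-dev"   # constructed value
  location  = "westeurope"    # constructed value
  tenant_id = data.azurerm_client_config.current.tenant_id
}
```

Because the role assignment is created inside the module and scoped to the vault the module itself created, a reviewer can confirm the blast radius of the identity by reading one directory; if a later use case needs a different role or scope, that is a new variable on the module, not a new copy of the resources.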

Thanks @stuart-c for your reply.

I will refine my question to make things simple:

Say you have 2 modules, each of which creates some resources and needs to define RBAC on those resources. Which approach is the one to go with:

  1. Each module should handle its own Service Principal and role assignment.
  2. Decoupling the above and having it handled for both modules in one place in the root module.