diff --git a/customer-managed/azure/README.md b/customer-managed/azure/README.md
index fd179d4..d7acc13 100644
--- a/customer-managed/azure/README.md
+++ b/customer-managed/azure/README.md
@@ -1,10 +1,21 @@ # Overview -This repository contains the code that deploys the resources customers are responsible for creating in association with a Redpanda customer-managed Azure cluster. -These resources should be created in advance by the customer and then provided to Redpanda during cluster creation. -The code is provided in [Terraform](https://developer.hashicorp.com/terraform) and Azure CLI (TODO). +This [Terraform](https://developer.hashicorp.com/terraform) configuration invokes the +[`redpanda-data/redpanda-byovnet/azure`](https://registry.terraform.io/modules/redpanda-data/redpanda-byovnet/azure/latest) +module to create the Azure resources customers are responsible for in association with a Redpanda +customer-managed VNET cluster. These resources should be created in advance by the customer and +then provided to Redpanda during cluster creation. An Azure CLI variant is TODO. -> There may be resources in this repository that already exist within your environment (for example, the VNET) that you don't want to create. Variables are provided for this purpose. +> There may be resources created by the module that already exist within your environment (for example, the VNET) that +> you don't want to create. Variables are provided for this purpose. + +> This code is provided as an example and should be reviewed to ensure it adheres to policies within your organization. +> The full set of resources is defined in the module source — see the +> [module repository](https://github.com/redpanda-data/terraform-azure-redpanda-byovnet) for a complete inventory. + +> **Migrating from a previous version:** if you have already applied an earlier copy of this Terraform (before it was +> refactored to consume the module), the new `main.tf` includes `moved {}` blocks that relocate each existing resource +> to its new `module.byovnet.*` address. Running `terraform plan` against an existing state should show **no changes**. 
# Customer Managed Resources Customer Managed Resources can be broken down into the following groups. You can walk through the code to get the exact list of the resources required to create and deploy Redpanda cluster.
@@ -37,7 +48,7 @@ The variable files contain the variables that allow you to modify to meet your s
 - `vars.iam.tf`: It contains the variables related to IAM roles. - `vars.misc.tf`: It contains the variables, region, zones, tags and resource name prefix. -You can get the description of each variable in [here](./terraform/README.md). +You can find the description of each variable in the [module documentation](https://registry.terraform.io/modules/redpanda-data/redpanda-byovnet/azure/latest?tab=inputs). Create a JSON file called `byovnet.auto.tfvars.json` inside the Terraform directory.
diff --git a/customer-managed/azure/terraform/.terraform.lock.hcl b/customer-managed/azure/terraform/.terraform.lock.hcl
index 5155643..9643906 100644
--- a/customer-managed/azure/terraform/.terraform.lock.hcl
+++ b/customer-managed/azure/terraform/.terraform.lock.hcl
@@ -2,21 +2,21 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.98.0" - constraints = "3.98.0" + version = "3.117.1" + constraints = "~> 3.98" hashes = [ - "h1:NgUpYK0Ym3DUtSORtakyJQsUEUtqBXIqe5bWs65oCvY=", - "zh:012c79f671cff194d769ee53d50c56e7d353d4b78de8fceec9915bcf5955878b", - "zh:022d07683f84f8534fa40567860f76da6d15713d678cbc979c1d8cd502bb3246", - "zh:12cefd7df62c23c434d853e1824d421b4f18ff683540861376cf37138d70795b", - "zh:42626315686f504c59bec02745d7beff2bdfa732c3ecfaca7794f6641fbebfdc", - "zh:44708deec3fe13ea7cdd899ee766971fd024c06e2d8e189c30b59bd56ef3a5d3", - "zh:54a54fb4c8fc6537aae658503182e03af545e9151afe68da0f254d9b31037c63", - "zh:8265688742f6b532f06a3cd0bb14a891eb2277a834cf126f4b483b6de0a8d8fa", - "zh:97294d6e502e4e07e0cd8d2669a05d7e5d1f42da542ced299b5d4a3849e8736e", - "zh:bf4b48606c53db399f53b3880d94f70fc1701c72fde269472d8231f6dda5cf49", - "zh:c5a957d61e4c705e2c94d53c6fff579d5262137b2192562d0dfbbda374891717", - "zh:e2a8232f20f74602632b24d50c5c9d21741b0345560e4133bfb38e257d20fb77", + "h1:j6wnjpHfBcQC4xd3ZYquaIPIIR46xJQs7rxwPdSOZos=", + "zh:0c513676836e3c50d004ece7d2624a8aff6faac14b833b96feeac2e4bc2c1c12", + "zh:50ea01ada95bae2f187db9e926e463f45d860767a85ebc59160414e00e76c35d", + "zh:52c2a9edacc06b3f72153f5ef6daca0761c6292158815961fe37f60bc576a3d7", + "zh:618eed2a06b19b1a025b45b05891846d570a6a1cca4d23f4942f5a99e1f747ae", + "zh:61cde5d3165d7e5ec311d5d89486819cd605c1b2d54611b5c97bd4e97dba2762", + "zh:6a873358d5031fc222f5e05f029d1237f3dce8345c767665f393283dfa2627f6", + "zh:afdd80064b2a04da311856feb4ed45f77ff4df6c356e8c2b10afb51fe7e61c70", + "zh:b09113df7e0e8c8959539bd22bae6c39faeb269ba3c4cd948e742f5cf58c35fb", + "zh:d340db7973109761cfc27d52aa02560363337c908b2c99b3628adc5a70a99d5b", + "zh:d5a577226ebc8c65e8f19384878a86acc4b51ede4b4a82d37c3b331b0efcd4a7", + "zh:e2962b147f9e71732df8dbc74940c10d20906f3c003cbfaa1eb9fabbf601a9f0", 
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] }
diff --git a/customer-managed/azure/terraform/README.md b/customer-managed/azure/terraform/README.md
deleted file mode 100644
index f758e4d..0000000
--- a/customer-managed/azure/terraform/README.md
+++ /dev/null
@@ -1,158 +0,0 @@ - -## Requirements - -| Name | Version | -|------|---------| -| [azurerm](#requirement\_azurerm) | =3.98.0 | - -## Providers - -| Name | Version | -|------|---------| -| [azurerm](#provider\_azurerm) | 3.98.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [azurerm_key_vault.console](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/key_vault) | resource | -| [azurerm_key_vault.vault](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/key_vault) | resource | -| [azurerm_nat_gateway.redpanda](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/nat_gateway) | resource | -| [azurerm_nat_gateway_public_ip_prefix_association.redpanda](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/nat_gateway_public_ip_prefix_association) | resource | -| [azurerm_network_security_group.redpanda_cluster](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/network_security_group) | resource | -| [azurerm_network_security_group.redpanda_connectors](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/network_security_group) | resource | -| [azurerm_network_security_rule.allow_inbound_to_redpanda_brokers_nodeport](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/network_security_rule) | resource | -| [azurerm_public_ip_prefix.redpanda](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/public_ip_prefix) | resource | -| [azurerm_resource_group.all](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/resource_group) | resource | -| [azurerm_role_assignment.agent](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| 
[azurerm_role_assignment.aks_network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.assign_identity_storage_blob_data_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.cert_manager](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.external_dns_rgreader](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.external_dns_zone_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.kafka_connect](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.redpanda_cluster](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.redpanda_console](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.redpanda_private_link](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.vault_secrets_officer](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_assignment) | resource | -| [azurerm_role_definition.kafka_connect](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_definition) | resource | -| [azurerm_role_definition.redpanda_agent](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_definition) | resource | -| 
[azurerm_role_definition.redpanda_console](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_definition) | resource | -| [azurerm_role_definition.redpanda_private_link](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/role_definition) | resource | -| [azurerm_storage_account.management](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/storage_account) | resource | -| [azurerm_storage_account.tiered_storage](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/storage_account) | resource | -| [azurerm_storage_account_network_rules.redpanda_cloud_storage](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/storage_account_network_rules) | resource | -| [azurerm_storage_container.management](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/storage_container) | resource | -| [azurerm_storage_container.tiered_storage](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/storage_container) | resource | -| [azurerm_subnet.private](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/subnet) | resource | -| [azurerm_subnet.public](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/subnet) | resource | -| [azurerm_subnet_nat_gateway_association.redpanda](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/subnet_nat_gateway_association) | resource | -| [azurerm_user_assigned_identity.aks](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/user_assigned_identity) | resource | -| [azurerm_user_assigned_identity.cert_manager](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/user_assigned_identity) | resource | -| 
[azurerm_user_assigned_identity.external_dns](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/user_assigned_identity) | resource | -| [azurerm_user_assigned_identity.kafka_connect](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/user_assigned_identity) | resource | -| [azurerm_user_assigned_identity.redpanda_agent](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/user_assigned_identity) | resource | -| [azurerm_user_assigned_identity.redpanda_cluster](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/user_assigned_identity) | resource | -| [azurerm_user_assigned_identity.redpanda_console](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/user_assigned_identity) | resource | -| [azurerm_virtual_network.redpanda](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/resources/virtual_network) | resource | -| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/data-sources/client_config) | data source | -| [azurerm_location.redpanda](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/data-sources/location) | data source | -| [azurerm_resource_group.all](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/data-sources/resource_group) | data source | -| [azurerm_virtual_network.redpanda](https://registry.terraform.io/providers/hashicorp/azurerm/3.98.0/docs/data-sources/virtual_network) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [aks\_identity\_name](#input\_aks\_identity\_name) | The name of user assigned identity for AKS. 
| `string` | `"aks-uai"` | no | -| [azure\_client\_id](#input\_azure\_client\_id) | The client ID of the application used to authenticate with Azure | `string` | `""` | no | -| [azure\_client\_secret](#input\_azure\_client\_secret) | The client secret of the application used to authenticate with Azure | `string` | `""` | no | -| [azure\_subscription\_id](#input\_azure\_subscription\_id) | The subscription ID where the Redpanda cluster will live | `string` | `"60fc0bed-3072-4c53-906a-d130a934d520"` | no | -| [azure\_tenant\_id](#input\_azure\_tenant\_id) | The subscription ID where the Redpanda cluster will live | `string` | `"9a95fd9e-005d-487a-9a01-d08c1eab2757"` | no | -| [azure\_use\_cli](#input\_azure\_use\_cli) | Whether to use the Azure CLI or Azure API directly | `bool` | `true` | no | -| [azure\_use\_msi](#input\_azure\_use\_msi) | Whether to use Azure Managed Identity authentication (formerly MSI) | `bool` | `false` | no | -| [azure\_use\_oidc](#input\_azure\_use\_oidc) | Whether to use Azure OIDC authentication | `bool` | `false` | no | -| [create\_nat](#input\_create\_nat) | Whether to create NAT gateway and its assoications | `bool` | `true` | no | -| [create\_resource\_groups](#input\_create\_resource\_groups) | If true, the module will create resource groups for Redpanda resources. | `bool` | `true` | no | -| [create\_role\_assignment](#input\_create\_role\_assignment) | Whether to create role assigments. | `bool` | `true` | no | -| [egress\_subnets](#input\_egress\_subnets) | A list of CIDR ranges to use for the *egress* subnets. They needs to be at least /24. | `map(map(string))` |
{
"agent-public": {
"cidr": "10.0.0.0/24",
"name": "snet-agent-public"
}
} | no |
-| [kafka\_connect\_identity\_name](#input\_kafka\_connect\_identity\_name) | The name of user assigned identity for Kafka Connect. | `string` | `"kafka-connect-uai"` | no |
-| [kafka\_connect\_role\_name](#input\_kafka\_connect\_role\_name) | The role name of Kafka Connect. | `string` | `"kafka-connect-role"` | no |
-| [private\_subnets](#input\_private\_subnets) | A list of CIDR ranges to use for the *private* subnets. They needs to be at least /24. | `map(map(string))` | {
"agent-private": {
"cidr": "10.0.3.0/24",
"name": "snet-agent-private"
},
"connect-pod": {
"cidr": "10.0.10.0/24",
"name": "snet-connect-pods"
},
"connect-vnet": {
"cidr": "10.0.11.0/24",
"name": "snet-connect-vnet"
},
"kafka-connect-pod": {
"cidr": "10.0.12.0/24",
"name": "snet-kafka-connect-pods"
},
"kafka-connect-vnet": {
"cidr": "10.0.13.0/24",
"name": "snet-kafka-connect-vnet"
},
"rp-0-pods": {
"cidr": "10.0.4.0/24",
"name": "snet-rp-0-pods"
},
"rp-0-vnet": {
"cidr": "10.0.5.0/24",
"name": "snet-rp-0-vnet"
},
"rp-1-pods": {
"cidr": "10.0.6.0/24",
"name": "snet-rp-1-pods"
},
"rp-1-vnet": {
"cidr": "10.0.7.0/24",
"name": "snet-rp-1-vnet"
},
"rp-2-pods": {
"cidr": "10.0.8.0/24",
"name": "snet-rp-2-pods"
},
"rp-2-vnet": {
"cidr": "10.0.9.0/24",
"name": "snet-rp-2-vnet"
},
"system-pod": {
"cidr": "10.0.1.0/24",
"name": "snet-system-pods"
},
"system-vnet": {
"cidr": "10.0.2.0/24",
"name": "snet-system-vnet"
}
} | no |
-| [redpanda\_agent\_identity\_name](#input\_redpanda\_agent\_identity\_name) | The name of user assigned identity for Redpanda agent. | `string` | `"agent-uai"` | no |
-| [redpanda\_agent\_role\_name](#input\_redpanda\_agent\_role\_name) | The role name of Redpanda agent. | `string` | `"agent-role"` | no |
-| [redpanda\_cert\_manager\_identity\_name](#input\_redpanda\_cert\_manager\_identity\_name) | The name of user assigned identity for cert-manager. | `string` | `"cert-manager-uai"` | no |
-| [redpanda\_cluster\_identity\_name](#input\_redpanda\_cluster\_identity\_name) | The name of user assigned identity for Redpanda cluster. | `string` | `"cluster-uai"` | no |
-| [redpanda\_console\_identity\_name](#input\_redpanda\_console\_identity\_name) | The name of user assigned identity for Redpanda Console. | `string` | `"console-uai"` | no |
-| [redpanda\_console\_key\_vault\_name](#input\_redpanda\_console\_key\_vault\_name) | The name of key vault for Redpanda Console | `string` | `"console-vault"` | no |
-| [redpanda\_console\_role\_name](#input\_redpanda\_console\_role\_name) | The role name of Redpanda Console. | `string` | `"console-role"` | no |
-| [redpanda\_external\_dns\_identity\_name](#input\_redpanda\_external\_dns\_identity\_name) | The name of user assigned identity for external-dns. | `string` | `"external-dns-uai"` | no |
-| [redpanda\_iam\_resource\_group\_name](#input\_redpanda\_iam\_resource\_group\_name) | The name of the resource group to place Redpanda IAM resources. | `string` | `"iam-rg"` | no |
-| [redpanda\_management\_key\_vault\_name](#input\_redpanda\_management\_key\_vault\_name) | The name of key vault for Redpanda management | `string` | `"rp-vault"` | no |
-| [redpanda\_management\_storage\_account\_name](#input\_redpanda\_management\_storage\_account\_name) | Azure Blob Storage account name for Redpanda management storage. | `string` | `"managementa"` | no |
-| [redpanda\_management\_storage\_container\_name](#input\_redpanda\_management\_storage\_container\_name) | Name of the storage container for Redpanda management storage | `string` | `"managementc"` | no |
-| [redpanda\_network\_resource\_group\_name](#input\_redpanda\_network\_resource\_group\_name) | The name of the resource group to place Redpanda network resources. | `string` | `"network-rg"` | no |
-| [redpanda\_private\_link\_role\_name](#input\_redpanda\_private\_link\_role\_name) | The role name of Redpanda private link. | `string` | `"private-link-role"` | no |
-| [redpanda\_resource\_group\_name](#input\_redpanda\_resource\_group\_name) | The name of the resource group to place Redpanda resources. | `string` | `"redpanda-rg"` | no |
-| [redpanda\_security\_group\_name](#input\_redpanda\_security\_group\_name) | The name of Redpanda cluster security group | `string` | `"redpanda-nsg"` | no |
-| [redpanda\_storage\_resource\_group\_name](#input\_redpanda\_storage\_resource\_group\_name) | The name of the resource group to place Redpanda storage resources. | `string` | `"storage-rg"` | no |
-| [redpanda\_tiered\_storage\_account\_name](#input\_redpanda\_tiered\_storage\_account\_name) | Azure Blob Storage account name for Redpanda tiered storage. | `string` | `"tieredstoragea"` | no |
-| [redpanda\_tiered\_storage\_container\_name](#input\_redpanda\_tiered\_storage\_container\_name) | Name of the storage container for Redpanda tiered storage | `string` | `"tieredstoragec"` | no |
-| [region](#input\_region) | The region where the resources live. | `string` | `"eastus"` | no |
-| [reserved\_subnet\_cidrs](#input\_reserved\_subnet\_cidrs) | Reserved CIDRs for AKS | `map(string)` | {
"k8s-service": "10.0.15.0/24"
} | no |
-| [resource\_group\_name\_prefix](#input\_resource\_group\_name\_prefix) | The prefix added to the name of resource group. | `string` | `""` | no |
-| [resource\_name\_prefix](#input\_resource\_name\_prefix) | The prefix added to the name of non resource group resource. | `string` | `"pz-"` | no |
-| [tags](#input\_tags) | Tags to use when labeling resources. These will be set inside the provider block[| no | -| [vnet\_name](#input\_vnet\_name) | The name of the network. If empty, a VNET will be created. | `string` | `""` | no | -| [zones](#input\_zones) | Physical availability zone ID. Ex: eastus-az1, eastus-az3, eastus-az2 | `list(string)` |
"10.0.0.0/20"
]
[| no | - -## Outputs - -| Name | Description | -|------|-------------| -| [agent\_private\_subnet\_name](#output\_agent\_private\_subnet\_name) | Agent private subnet name | -| [agent\_user\_assigned\_identity\_name](#output\_agent\_user\_assigned\_identity\_name) | Agent user assigned identity name | -| [aks\_user\_assigned\_identity\_name](#output\_aks\_user\_assigned\_identity\_name) | AKS user assigned identity name | -| [cert\_manager\_user\_assigned\_identity\_name](#output\_cert\_manager\_user\_assigned\_identity\_name) | Cert manager user assigned identity name | -| [cluster\_user\_assigned\_identity\_name](#output\_cluster\_user\_assigned\_identity\_name) | Redpanda cluster user assigned identity name | -| [console\_key\_vault\_name](#output\_console\_key\_vault\_name) | Console key vault name | -| [console\_user\_assigned\_identity\_name](#output\_console\_user\_assigned\_identity\_name) | Redpanda console user assigned identity name | -| [egress\_subnet\_name](#output\_egress\_subnet\_name) | Egress subnet name | -| [external\_dns\_user\_assigned\_identity\_name](#output\_external\_dns\_user\_assigned\_identity\_name) | External DNS user assigned identity name | -| [iam\_resource\_group\_name](#output\_iam\_resource\_group\_name) | IAM resource group name | -| [identities](#output\_identities) | User assigned identities | -| [kafka\_connect\_pods\_subnet\_name](#output\_kafka\_connect\_pods\_subnet\_name) | Kafka connect pods subnet name | -| [kafka\_connect\_user\_assigned\_identity\_name](#output\_kafka\_connect\_user\_assigned\_identity\_name) | Redpanda Kafka Connect user assigned identity name | -| [kafka\_connect\_vnet\_subnet\_name](#output\_kafka\_connect\_vnet\_subnet\_name) | Kafka connect vnet subnet name | -| [management\_bucket\_storage\_account\_name](#output\_management\_bucket\_storage\_account\_name) | Management bucket storage account name | -| 
[management\_bucket\_storage\_container\_name](#output\_management\_bucket\_storage\_container\_name) | Management bucket storage container name | -| [management\_key\_vault\_name](#output\_management\_key\_vault\_name) | Management key vault name | -| [network\_resource\_group\_name](#output\_network\_resource\_group\_name) | Network resource group name | -| [networks](#output\_networks) | Networks | -| [redpanda\_resource\_group\_name](#output\_redpanda\_resource\_group\_name) | Redpanda resource group name | -| [redpanda\_security\_group\_name](#output\_redpanda\_security\_group\_name) | Redpanda security group name | -| [resource\_groups](#output\_resource\_groups) | Resource groups | -| [roles](#output\_roles) | IAM roles | -| [rp\_0\_pods\_subnet\_name](#output\_rp\_0\_pods\_subnet\_name) | Redpanda 0 pods subnet name | -| [rp\_0\_vnet\_subnet\_name](#output\_rp\_0\_vnet\_subnet\_name) | Redpanda 0 vnet subnet name | -| [rp\_1\_pods\_subnet\_name](#output\_rp\_1\_pods\_subnet\_name) | Redpanda 1 pods subnet name | -| [rp\_1\_vnet\_subnet\_name](#output\_rp\_1\_vnet\_subnet\_name) | Redpanda 1 vnet subnet name | -| [rp\_2\_pods\_subnet\_name](#output\_rp\_2\_pods\_subnet\_name) | Redpanda 2 pods subnet name | -| [rp\_2\_vnet\_subnet\_name](#output\_rp\_2\_vnet\_subnet\_name) | Redpanda 2 vnet subnet name | -| [rp\_connect\_pods\_subnet\_name](#output\_rp\_connect\_pods\_subnet\_name) | Redpanda connect pods subnet name | -| [rp\_connect\_vnet\_subnet\_name](#output\_rp\_connect\_vnet\_subnet\_name) | Redpanda connect vnet subnet name | -| [security](#output\_security) | Security groups | -| [storage](#output\_storage) | Storage | -| [storage\_resource\_group\_name](#output\_storage\_resource\_group\_name) | Storage resource group name | -| [system\_pods\_subnet\_name](#output\_system\_pods\_subnet\_name) | System pods subnet name | -| [system\_vnet\_subnet\_name](#output\_system\_vnet\_subnet\_name) | System vnet subnet name | -| 
[tiered\_storage\_account\_name](#output\_tiered\_storage\_account\_name) | tiered storage account name | -| [tiered\_storage\_container\_name](#output\_tiered\_storage\_container\_name) | tiered storage container name | -| [vault](#output\_vault) | Key vault | -| [vnet\_name](#output\_vnet\_name) | VNet name | - \ No newline at end of file
diff --git a/customer-managed/azure/terraform/data.tf b/customer-managed/azure/terraform/data.tf
deleted file mode 100644
index a1bac13..0000000
--- a/customer-managed/azure/terraform/data.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-data "azurerm_client_config" "current" {}
-
-data "azurerm_location" "redpanda" {
- location = var.region
-}
diff --git a/customer-managed/azure/terraform/identities.tf b/customer-managed/azure/terraform/identities.tf
deleted file mode 100644
index ea98e1b..0000000
--- a/customer-managed/azure/terraform/identities.tf
+++ /dev/null
@@ -1,79 +0,0 @@
-resource "azurerm_user_assigned_identity" "redpanda_agent" {
- location = var.region
- name = "${var.resource_name_prefix}${var.redpanda_agent_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_user_assigned_identity" "cert_manager" {
- location = var.region
- name = "${var.resource_name_prefix}${var.redpanda_cert_manager_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_user_assigned_identity" "external_dns" {
- location = var.region
- name = "${var.resource_name_prefix}${var.redpanda_external_dns_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_user_assigned_identity" "redpanda_cluster" {
- location = var.region
- name = "${var.resource_name_prefix}${var.redpanda_cluster_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_user_assigned_identity" "aks" {
- location = var.region
- name = "${var.resource_name_prefix}${var.aks_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_user_assigned_identity" "redpanda_console" {
- location = var.region
- name = "${var.resource_name_prefix}${var.redpanda_console_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_user_assigned_identity" "kafka_connect" {
- location = var.region
- name = "${var.resource_name_prefix}${var.kafka_connect_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_user_assigned_identity" "redpanda_connect" {
- location = var.region
- name = "${var.resource_name_prefix}${var.redpanda_connect_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_user_assigned_identity" "redpanda_connect_api" {
- location = var.region
- name = "${var.resource_name_prefix}${var.redpanda_connect_api_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_user_assigned_identity" "redpanda_operator" {
- location = var.region
- name = "${var.resource_name_prefix}${var.redpanda_operator_identity_name}"
- resource_group_name = local.redpanda_iam_resource_group_name
-
- depends_on = [azurerm_resource_group.all]
-}
diff --git a/customer-managed/azure/terraform/key_vaults.tf b/customer-managed/azure/terraform/key_vaults.tf
deleted file mode 100644
index 8007011..0000000
--- a/customer-managed/azure/terraform/key_vaults.tf
+++ /dev/null
@@ -1,91 +0,0 @@
-locals {
- allowed_subnet_ids = [for s in azurerm_subnet.private : s.id]
-}
-
-resource "azurerm_key_vault" "vault" {
- count = var.redpanda_management_key_vault_name != "" ? 1 : 0
- name = "${var.resource_name_prefix}${var.redpanda_management_key_vault_name}"
- resource_group_name = local.redpanda_resource_group_name
- location = var.region
- sku_name = "standard"
- tenant_id = var.azure_tenant_id
-
- public_network_access_enabled = true
-
- enabled_for_deployment = true
- enabled_for_disk_encryption = true
- enabled_for_template_deployment = true
- purge_protection_enabled = true
- enable_rbac_authorization = true
-
- network_acls {
- bypass = "AzureServices"
- default_action = "Allow"
- virtual_network_subnet_ids = local.allowed_subnet_ids
- }
-
- access_policy {
- tenant_id = var.azure_tenant_id
- object_id = data.azurerm_client_config.current.object_id
- application_id = data.azurerm_client_config.current.client_id
-
- secret_permissions = [
- "Set",
- "Get",
- "List",
- "Delete",
- "Purge",
- "Recover",
- "Restore",
- "Backup",
- ]
- }
-
- tags = var.tags
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_key_vault" "console" {
- count = var.redpanda_console_key_vault_name != "" ? 1 : 0
- name = "${var.resource_name_prefix}${var.redpanda_console_key_vault_name}"
- resource_group_name = local.redpanda_resource_group_name
- location = var.region
- sku_name = "standard"
- tenant_id = var.azure_tenant_id
-
- public_network_access_enabled = true
-
- enabled_for_deployment = true
- enabled_for_disk_encryption = true
- enabled_for_template_deployment = true
- purge_protection_enabled = true
- enable_rbac_authorization = true
-
- network_acls {
- bypass = "AzureServices"
- default_action = "Allow"
- virtual_network_subnet_ids = local.allowed_subnet_ids
- }
-
- access_policy {
- tenant_id = var.azure_tenant_id
- object_id = data.azurerm_client_config.current.object_id
- application_id = data.azurerm_client_config.current.client_id
-
- secret_permissions = [
- "Set",
- "Get",
- "List",
- "Delete",
- "Purge",
- "Recover",
- "Restore",
- "Backup",
- ]
- }
-
- tags = var.tags
-
- depends_on = [azurerm_resource_group.all]
-}
diff --git a/customer-managed/azure/terraform/main.tf b/customer-managed/azure/terraform/main.tf
new file mode 100644
index 0000000..a92fa10
--- /dev/null
+++ b/customer-managed/azure/terraform/main.tf
@@ -0,0 +1,319 @@
+module "byovnet" {
+ source = "redpanda-data/redpanda-byovnet/azure"
+ version = "~> 1.1"
+
+ region = var.region
+ zones = var.zones
+ tags = var.tags
+ resource_name_prefix = var.resource_name_prefix
+ resource_group_name_prefix = var.resource_group_name_prefix
+
+ create_role_assignment = var.create_role_assignment
+ grant_caller_management_storage_access = var.grant_caller_management_storage_access
+ create_nat = var.create_nat
+
+ # Only azure_tenant_id is consumed inside the module (key vault tenancy);
+ # the other azure_* vars configure the root provider in providers.tf.
+ azure_tenant_id = var.azure_tenant_id
+
+ redpanda_agent_role_name = var.redpanda_agent_role_name
+ redpanda_console_role_name = var.redpanda_console_role_name
+ redpanda_private_link_role_name = var.redpanda_private_link_role_name
+ kafka_connect_role_name = var.kafka_connect_role_name
+ redpanda_connect_role_name = var.redpanda_connect_role_name
+ redpanda_connect_api_role_name = var.redpanda_connect_api_role_name
+ redpanda_secrets_reader_role_name = var.redpanda_secrets_reader_role_name
+
+ create_resource_groups = var.create_resource_groups
+ redpanda_resource_group_name = var.redpanda_resource_group_name
+ redpanda_storage_resource_group_name = var.redpanda_storage_resource_group_name
+ redpanda_network_resource_group_name = var.redpanda_network_resource_group_name
+ redpanda_iam_resource_group_name = var.redpanda_iam_resource_group_name
+
+ redpanda_agent_identity_name = var.redpanda_agent_identity_name
+ redpanda_cert_manager_identity_name = var.redpanda_cert_manager_identity_name
+ redpanda_external_dns_identity_name = var.redpanda_external_dns_identity_name
+ redpanda_cluster_identity_name = var.redpanda_cluster_identity_name
+ aks_identity_name = var.aks_identity_name
+ redpanda_console_identity_name = var.redpanda_console_identity_name
+ kafka_connect_identity_name = var.kafka_connect_identity_name
+ redpanda_connect_identity_name = var.redpanda_connect_identity_name
+ redpanda_connect_api_identity_name = var.redpanda_connect_api_identity_name
+ redpanda_operator_identity_name = var.redpanda_operator_identity_name
+
+ redpanda_management_storage_account_name = var.redpanda_management_storage_account_name
+ redpanda_management_storage_container_name = var.redpanda_management_storage_container_name
+ redpanda_tiered_storage_account_name = var.redpanda_tiered_storage_account_name
+ redpanda_tiered_storage_container_name = var.redpanda_tiered_storage_container_name
+
+ redpanda_management_key_vault_name = var.redpanda_management_key_vault_name
+ redpanda_console_key_vault_name = var.redpanda_console_key_vault_name
+
+ vnet_name = var.vnet_name
+ vnet_addresses = var.vnet_addresses
+ private_subnets = var.private_subnets
+ egress_subnets = var.egress_subnets
+ reserved_subnet_cidrs = var.reserved_subnet_cidrs
+
+ redpanda_security_group_name = var.redpanda_security_group_name
+}
+
+# State migration for deployments that pre-date the module refactor.
+# Every resource previously declared in this directory is now created by
+# module.byovnet; these `moved` blocks rewrite existing state addresses so
+# `terraform apply` is a no-op instead of a destroy/recreate.
+
+moved {
+ from = azurerm_key_vault.console
+ to = module.byovnet.azurerm_key_vault.console
+}
+
+moved {
+ from = azurerm_key_vault.vault
+ to = module.byovnet.azurerm_key_vault.vault
+}
+
+moved {
+ from = azurerm_nat_gateway.redpanda
+ to = module.byovnet.azurerm_nat_gateway.redpanda
+}
+
+moved {
+ from = azurerm_nat_gateway_public_ip_prefix_association.redpanda
+ to = module.byovnet.azurerm_nat_gateway_public_ip_prefix_association.redpanda
+}
+
+moved {
+ from = azurerm_network_security_group.redpanda_cluster
+ to = module.byovnet.azurerm_network_security_group.redpanda_cluster
+}
+
+moved {
+ from = azurerm_network_security_group.redpanda_connectors
+ to = module.byovnet.azurerm_network_security_group.redpanda_connectors
+}
+
+moved {
+ from = azurerm_network_security_rule.allow_inbound_to_redpanda_brokers_nodeport
+ to = module.byovnet.azurerm_network_security_rule.allow_inbound_to_redpanda_brokers_nodeport
+}
+
+moved {
+ from = azurerm_public_ip_prefix.redpanda
+ to = module.byovnet.azurerm_public_ip_prefix.redpanda
+}
+
+moved {
+ from = azurerm_resource_group.all
+ to = module.byovnet.azurerm_resource_group.all
+}
+
+moved {
+ from = azurerm_role_assignment.agent
+ to = module.byovnet.azurerm_role_assignment.agent
+}
+
+moved {
+ from = azurerm_role_assignment.aks_network_contributor
+ to = module.byovnet.azurerm_role_assignment.aks_network_contributor
+}
+
+moved {
+ from = azurerm_role_assignment.assign_identity_storage_blob_data_contributor
+ to = module.byovnet.azurerm_role_assignment.assign_identity_storage_blob_data_contributor
+}
+
+moved {
+ from = azurerm_role_assignment.caller_management_storage_blob_data_contributor
+ to = module.byovnet.azurerm_role_assignment.caller_management_storage_blob_data_contributor
+}
+
+moved {
+ from = azurerm_role_assignment.cert_manager
+ to = module.byovnet.azurerm_role_assignment.cert_manager
+}
+
+moved {
+ from = azurerm_role_assignment.external_dns_rgreader
+ to = module.byovnet.azurerm_role_assignment.external_dns_rgreader
+}
+
+moved {
+ from = azurerm_role_assignment.external_dns_zone_contributor
+ to = module.byovnet.azurerm_role_assignment.external_dns_zone_contributor
+}
+
+moved {
+ from = azurerm_role_assignment.kafka_connect
+ to = module.byovnet.azurerm_role_assignment.kafka_connect
+}
+
+moved {
+ from = azurerm_role_assignment.redpanda_cluster
+ to = module.byovnet.azurerm_role_assignment.redpanda_cluster
+}
+
+moved {
+ from = azurerm_role_assignment.redpanda_cluster_secrets_reader
+ to = module.byovnet.azurerm_role_assignment.redpanda_cluster_secrets_reader
+}
+
+moved {
+ from = azurerm_role_assignment.redpanda_connect
+ to = module.byovnet.azurerm_role_assignment.redpanda_connect
+}
+
+moved {
+ from = azurerm_role_assignment.redpanda_connect_api
+ to = module.byovnet.azurerm_role_assignment.redpanda_connect_api
+}
+
+moved {
+ from = azurerm_role_assignment.redpanda_console
+ to = module.byovnet.azurerm_role_assignment.redpanda_console
+}
+
+moved {
+ from = azurerm_role_assignment.redpanda_operator_secrets_reader
+ to = module.byovnet.azurerm_role_assignment.redpanda_operator_secrets_reader
+}
+
+moved {
+ from = azurerm_role_assignment.redpanda_private_link
+ to = module.byovnet.azurerm_role_assignment.redpanda_private_link
+}
+
+moved {
+ from = azurerm_role_assignment.vault_secrets_officer
+ to = module.byovnet.azurerm_role_assignment.vault_secrets_officer
+}
+
+moved {
+ from = azurerm_role_definition.kafka_connect
+ to = module.byovnet.azurerm_role_definition.kafka_connect
+}
+
+moved {
+ from = azurerm_role_definition.redpanda_agent
+ to = module.byovnet.azurerm_role_definition.redpanda_agent
+}
+
+moved {
+ from = azurerm_role_definition.redpanda_connect
+ to = module.byovnet.azurerm_role_definition.redpanda_connect
+}
+
+moved {
+ from = azurerm_role_definition.redpanda_connect_api
+ to = module.byovnet.azurerm_role_definition.redpanda_connect_api
+}
+
+moved {
+ from = azurerm_role_definition.redpanda_console
+ to = module.byovnet.azurerm_role_definition.redpanda_console
+}
+
+moved {
+ from = azurerm_role_definition.redpanda_private_link
+ to = module.byovnet.azurerm_role_definition.redpanda_private_link
+}
+
+moved {
+ from = azurerm_role_definition.redpanda_secrets_reader
+ to = module.byovnet.azurerm_role_definition.redpanda_secrets_reader
+}
+
+moved {
+ from = azurerm_storage_account.management
+ to = module.byovnet.azurerm_storage_account.management
+}
+
+moved {
+ from = azurerm_storage_account.tiered_storage
+ to = module.byovnet.azurerm_storage_account.tiered_storage
+}
+
+moved {
+ from = azurerm_storage_account_network_rules.redpanda_cloud_storage
+ to = module.byovnet.azurerm_storage_account_network_rules.redpanda_cloud_storage
+}
+
+moved {
+ from = azurerm_storage_container.management
+ to = module.byovnet.azurerm_storage_container.management
+}
+
+moved {
+ from = azurerm_storage_container.tiered_storage
+ to = module.byovnet.azurerm_storage_container.tiered_storage
+}
+
+moved {
+ from = azurerm_subnet.private
+ to = module.byovnet.azurerm_subnet.private
+}
+
+moved {
+ from = azurerm_subnet.public
+ to = module.byovnet.azurerm_subnet.public
+}
+
+moved {
+ from = azurerm_subnet_nat_gateway_association.redpanda
+ to = module.byovnet.azurerm_subnet_nat_gateway_association.redpanda
+}
+
+moved {
+ from = azurerm_user_assigned_identity.aks
+ to = module.byovnet.azurerm_user_assigned_identity.aks
+}
+
+moved {
+ from = azurerm_user_assigned_identity.cert_manager
+ to = module.byovnet.azurerm_user_assigned_identity.cert_manager
+}
+
+moved {
+ from = azurerm_user_assigned_identity.external_dns
+ to = module.byovnet.azurerm_user_assigned_identity.external_dns
+}
+
+moved {
+ from = azurerm_user_assigned_identity.kafka_connect
+ to = module.byovnet.azurerm_user_assigned_identity.kafka_connect
+}
+
+moved {
+ from = azurerm_user_assigned_identity.redpanda_agent
+ to = module.byovnet.azurerm_user_assigned_identity.redpanda_agent
+}
+
+moved {
+ from = azurerm_user_assigned_identity.redpanda_cluster
+ to = module.byovnet.azurerm_user_assigned_identity.redpanda_cluster
+}
+
+moved {
+ from = azurerm_user_assigned_identity.redpanda_connect
+ to = module.byovnet.azurerm_user_assigned_identity.redpanda_connect
+}
+
+moved {
+ from = azurerm_user_assigned_identity.redpanda_connect_api
+ to = module.byovnet.azurerm_user_assigned_identity.redpanda_connect_api
+}
+
+moved {
+ from = azurerm_user_assigned_identity.redpanda_console
+ to = module.byovnet.azurerm_user_assigned_identity.redpanda_console
+}
+
+moved {
+ from = azurerm_user_assigned_identity.redpanda_operator
+ to = module.byovnet.azurerm_user_assigned_identity.redpanda_operator
+}
+
+moved {
+ from = azurerm_virtual_network.redpanda
+ to = module.byovnet.azurerm_virtual_network.redpanda
+}
diff --git a/customer-managed/azure/terraform/network.tf b/customer-managed/azure/terraform/network.tf
deleted file mode 100644
index 59c95e0..0000000
--- a/customer-managed/azure/terraform/network.tf
+++ /dev/null
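Review bot: `version = "~> 1.1"` in the `module "byovnet"` block lets any future 1.x release of a module that creates custom role definitions, role assignments, managed identities and key vaults be pulled in on the next `terraform init -upgrade`, and `.terraform.lock.hcl` records provider hashes only, not module versions, so nothing in this repository fixes which IAM definitions actually get applied. Pin an exact release (`version = "1.1.<patch>"`, whichever this was tested against) and bump it deliberately after reading the module diff; the same applies to the provider constraint that providers.tf loosens to `~> 3.98`. The comment above the `moved` blocks promises a no-op apply, but that only holds if the module declares the same resource names with the same `count`/`for_each` keys (e.g. `azurerm_key_vault.vault[0]`, `azurerm_resource_group.all` keyed by group name, `azurerm_role_assignment.agent` keyed per resource group); a mismatch surfaces as destroy/recreate, which for the purge-protected key vaults would likely fail on the soft-deleted name and for role definitions would briefly revoke the agent's access. Suggest ending that comment with `# Verify with terraform plan before applying: anything other than "No changes" means a moved block is missing or instance keys differ.`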
@@ -1,60 +0,0 @@ -locals { - vnet = data.azurerm_virtual_network.redpanda - vnet_name = local.vnet.name -} - -resource "azurerm_virtual_network" "redpanda" { - count = var.vnet_name == "" ? 1 : 0 - name = "${var.resource_name_prefix}rp-vnet" - location = var.region - resource_group_name = local.redpanda_network_resource_group_name - address_space = var.vnet_addresses - - tags = var.tags - - depends_on = [azurerm_resource_group.all] -} - -data "azurerm_virtual_network" "redpanda" { - name = var.vnet_name == "" ? azurerm_virtual_network.redpanda[0].name : var.vnet_name - resource_group_name = local.redpanda_network_resource_group_name -} - -resource "azurerm_subnet" "private" { - for_each = var.private_subnets - - name = "${var.resource_name_prefix}${each.value.name}" - resource_group_name = local.redpanda_network_resource_group_name - virtual_network_name = local.vnet_name - address_prefixes = [each.value.cidr] - - # Use Azure's internal network to reach out to the following Azure services - service_endpoints = [ - "Microsoft.Storage.Global", - "Microsoft.AzureActiveDirectory", - "Microsoft.KeyVault" - ] - - lifecycle { - # AKS automatically configures subnet delegations when the subnets are assigned - # to node pools. To prevent undoing the delegations when network provisioning - # re-runs, we ignore any changes on them. - ignore_changes = [delegation] - } -} - -resource "azurerm_subnet" "public" { - for_each = var.egress_subnets - - name = "${var.resource_name_prefix}${each.value.name}" - resource_group_name = local.redpanda_network_resource_group_name - virtual_network_name = local.vnet_name - address_prefixes = [each.value.cidr] - - # Use Azure's internal network to reach out to the following Azure services - service_endpoints = [ - "Microsoft.Storage.Global", - "Microsoft.AzureActiveDirectory", - "Microsoft.KeyVault", - ] -} diff --git a/customer-managed/azure/terraform/outputs.tf b/customer-managed/azure/terraform/outputs.tf index a9b5ad0..b041257 100644 
--- a/customer-managed/azure/terraform/outputs.tf +++ b/customer-managed/azure/terraform/outputs.tf 
@@ -1,275 +1,214 @@ output "management_bucket_storage_account_name" { description = "Management bucket storage account name" - value = azurerm_storage_account.management.name + value = module.byovnet.management_bucket_storage_account_name } output "management_bucket_storage_container_name" { description = "Management bucket storage container name" - value = azurerm_storage_container.management.name + value = module.byovnet.management_bucket_storage_container_name } output "vnet_name" { description = "VNet name" - value = local.vnet_name + value = module.byovnet.vnet_name } output "agent_private_subnet_name" { description = "Agent private subnet name" - value = azurerm_subnet.private["agent-private"].name + value = module.byovnet.agent_private_subnet_name } output "rp_0_pods_subnet_name" { description = "Redpanda 0 pods subnet name" - value = azurerm_subnet.private["rp-0-pods"].name + value = module.byovnet.rp_0_pods_subnet_name } output "rp_0_vnet_subnet_name" { description = "Redpanda 0 vnet subnet name" - value = azurerm_subnet.private["rp-0-vnet"].name + value = module.byovnet.rp_0_vnet_subnet_name } output "rp_1_pods_subnet_name" { description = "Redpanda 1 pods subnet name" - value = azurerm_subnet.private["rp-1-pods"].name + value = module.byovnet.rp_1_pods_subnet_name } output "rp_1_vnet_subnet_name" { description = "Redpanda 1 vnet subnet name" - value = azurerm_subnet.private["rp-1-vnet"].name + value = module.byovnet.rp_1_vnet_subnet_name } + output "rp_2_pods_subnet_name" { description = "Redpanda 2 pods subnet name" - value = azurerm_subnet.private["rp-2-pods"].name + value = module.byovnet.rp_2_pods_subnet_name } output "rp_2_vnet_subnet_name" { description = "Redpanda 2 vnet subnet name" - value = azurerm_subnet.private["rp-2-vnet"].name + value = module.byovnet.rp_2_vnet_subnet_name } output "rp_connect_pods_subnet_name" { description = "Redpanda connect pods subnet name" - value = azurerm_subnet.private["connect-pod"].name + value = 
module.byovnet.rp_connect_pods_subnet_name } output "rp_connect_vnet_subnet_name" { description = "Redpanda connect vnet subnet name" - value = azurerm_subnet.private["connect-vnet"].name + value = module.byovnet.rp_connect_vnet_subnet_name } output "kafka_connect_pods_subnet_name" { description = "Kafka connect pods subnet name" - value = azurerm_subnet.private["kafka-connect-pod"].name + value = module.byovnet.kafka_connect_pods_subnet_name } output "kafka_connect_vnet_subnet_name" { description = "Kafka connect vnet subnet name" - value = azurerm_subnet.private["kafka-connect-vnet"].name + value = module.byovnet.kafka_connect_vnet_subnet_name } output "system_pods_subnet_name" { description = "System pods subnet name" - value = azurerm_subnet.private["system-pod"].name + value = module.byovnet.system_pods_subnet_name } output "system_vnet_subnet_name" { description = "System vnet subnet name" - value = azurerm_subnet.private["system-vnet"].name + value = module.byovnet.system_vnet_subnet_name } output "egress_subnet_name" { description = "Egress subnet name" - value = azurerm_subnet.public["agent-public"].name + value = module.byovnet.egress_subnet_name } - output "redpanda_resource_group_name" { description = "Redpanda resource group name" - value = "${var.resource_group_name_prefix}${var.redpanda_resource_group_name}" + value = module.byovnet.redpanda_resource_group_name } output "storage_resource_group_name" { description = "Storage resource group name" - value = "${var.resource_group_name_prefix}${var.redpanda_storage_resource_group_name}" + value = module.byovnet.storage_resource_group_name } output "network_resource_group_name" { description = "Network resource group name" - value = "${var.resource_group_name_prefix}${var.redpanda_network_resource_group_name}" + value = module.byovnet.network_resource_group_name } output "iam_resource_group_name" { description = "IAM resource group name" - value = 
"${var.resource_group_name_prefix}${var.redpanda_iam_resource_group_name}" + value = module.byovnet.iam_resource_group_name } output "agent_user_assigned_identity_name" { description = "Agent user assigned identity name" - value = azurerm_user_assigned_identity.redpanda_agent.name + value = module.byovnet.agent_user_assigned_identity_name } output "cert_manager_user_assigned_identity_name" { description = "Cert manager user assigned identity name" - value = azurerm_user_assigned_identity.cert_manager.name + value = module.byovnet.cert_manager_user_assigned_identity_name } output "external_dns_user_assigned_identity_name" { description = "External DNS user assigned identity name" - value = azurerm_user_assigned_identity.external_dns.name + value = module.byovnet.external_dns_user_assigned_identity_name } output "aks_user_assigned_identity_name" { description = "AKS user assigned identity name" - value = azurerm_user_assigned_identity.aks.name + value = module.byovnet.aks_user_assigned_identity_name } output "cluster_user_assigned_identity_name" { description = "Redpanda cluster user assigned identity name" - value = azurerm_user_assigned_identity.redpanda_cluster.name + value = module.byovnet.cluster_user_assigned_identity_name } output "console_user_assigned_identity_name" { description = "Redpanda console user assigned identity name" - value = azurerm_user_assigned_identity.redpanda_console.name + value = module.byovnet.console_user_assigned_identity_name } output "kafka_connect_user_assigned_identity_name" { description = "Redpanda Kafka Connect user assigned identity name" - value = azurerm_user_assigned_identity.kafka_connect.name + value = module.byovnet.kafka_connect_user_assigned_identity_name } output "redpanda_connect_user_assigned_identity_name" { description = "Redpanda Connect user assigned identity name" - value = azurerm_user_assigned_identity.redpanda_connect.name + value = module.byovnet.redpanda_connect_user_assigned_identity_name } output 
"redpanda_connect_api_user_assigned_identity_name" { description = "Redpanda Connect API user assigned identity name" - value = azurerm_user_assigned_identity.redpanda_connect_api.name + value = module.byovnet.redpanda_connect_api_user_assigned_identity_name } output "redpanda_operator_user_assigned_identity_name" { description = "Redpanda operator user assigned identity name" - value = azurerm_user_assigned_identity.redpanda_operator.name + value = module.byovnet.redpanda_operator_user_assigned_identity_name } output "management_key_vault_name" { description = "Management key vault name" - value = var.redpanda_management_key_vault_name != "" ? azurerm_key_vault.vault[0].name : "" + value = module.byovnet.management_key_vault_name } output "console_key_vault_name" { description = "Console key vault name" - value = var.redpanda_console_key_vault_name != "" ? azurerm_key_vault.console[0].name : "" + value = module.byovnet.console_key_vault_name } output "tiered_storage_account_name" { description = "tiered storage account name" - value = azurerm_storage_account.tiered_storage.name + value = module.byovnet.tiered_storage_account_name } output "tiered_storage_container_name" { description = "tiered storage container name" - value = azurerm_storage_container.tiered_storage.name + value = module.byovnet.tiered_storage_container_name } output "redpanda_security_group_name" { description = "Redpanda security group name" - value = azurerm_network_security_group.redpanda_cluster.name + value = module.byovnet.redpanda_security_group_name } output "resource_groups" { description = "Resource groups" - value = jsonencode({ - "redpanda" : { - "name" : local.redpanda_resource_group.name, - "id" : local.redpanda_resource_group.id - }, - "storage" : { - "name" : local.redpanda_storage_resource_group.name, - "id" : local.redpanda_storage_resource_group.id - }, - "network" : { - "name" : local.redpanda_network_resource_group.name, - "id" : local.redpanda_network_resource_group.id - }, 
- "iam" : { - "name" : local.redpanda_iam_resource_group.name, - "id" : local.redpanda_iam_resource_group.id - } - }) + value = module.byovnet.resource_groups } output "roles" { description = "IAM roles" - value = jsonencode({ - "agent" : azurerm_role_definition.redpanda_agent.id, - "console" : azurerm_role_definition.redpanda_console.id, - "private-link" : azurerm_role_definition.redpanda_private_link.id - }) + value = module.byovnet.roles } output "identities" { description = "User assigned identities" - value = jsonencode({ - "agent" : azurerm_user_assigned_identity.redpanda_agent.id, - "cert-manager" : azurerm_user_assigned_identity.cert_manager.id, - "external-dns" : azurerm_user_assigned_identity.external_dns.id, - "aks" : azurerm_user_assigned_identity.aks.id, - "redpanda-cluster" : azurerm_user_assigned_identity.redpanda_cluster.id, - "redpanda-console" : azurerm_user_assigned_identity.redpanda_console.id - }) + value = module.byovnet.identities } output "networks" { description = "Networks" - value = jsonencode({ - "vnet" : { - "name" : local.vnet_name, - "resource_group" : local.vnet.resource_group_name, - "address_space" : join(",", local.vnet.address_space) - }, - "private-subnets" : { - for k, v in azurerm_subnet.private : k => { - "id" : v.id, - "address_prefixes" : join(",", v.address_prefixes) - } - }, - "egress-subnets" : { - for k, v in azurerm_subnet.public : k => { - "id" : v.id, - "address_prefixes" : join(",", v.address_prefixes) - } - } - "subnet-cidrs-aks" : var.reserved_subnet_cidrs - }) + value = module.byovnet.networks } output "security" { description = "Security groups" - value = jsonencode({ - "redpanda-cluster" : azurerm_network_security_group.redpanda_cluster.id - }) + value = module.byovnet.security } output "storage" { description = "Storage" - value = jsonencode({ - "management" : { - "storage-account-id" : azurerm_storage_account.management.id, - "bucket" : azurerm_storage_container.management.id - }, - "tiered" : { - 
"storage-account-id" : azurerm_storage_account.tiered_storage.id, - "bucket" : azurerm_storage_container.tiered_storage.id - } - }) + value = module.byovnet.storage } output "vault" { description = "Key vault" - value = jsonencode({ - "redpanda-cluster" : var.redpanda_console_key_vault_name != "" ? azurerm_key_vault.vault[0].id : "" - "redpanda-console" : var.redpanda_console_key_vault_name != "" ? azurerm_key_vault.console[0].id : "" - }) + value = module.byovnet.vault } diff --git a/customer-managed/azure/terraform/providers.tf b/customer-managed/azure/terraform/providers.tf index 4aa0c98..2b462bb 100644 --- a/customer-managed/azure/terraform/providers.tf +++ b/customer-managed/azure/terraform/providers.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "=3.98.0" + version = "~> 3.98" } } } diff --git a/customer-managed/azure/terraform/resource_groups.tf b/customer-managed/azure/terraform/resource_groups.tf deleted file mode 100644 index 2bc24fa..0000000 --- a/customer-managed/azure/terraform/resource_groups.tf +++ /dev/null 
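Review bot: The output type of `vault`, `roles`, `identities`, `networks`, `security` and `storage` is no longer fixed in this file — the `jsonencode(...)` wrappers are gone and `value = module.byovnet.vault` etc. pass through whatever type the module declares, so if the module returns HCL objects rather than JSON strings, `terraform output -raw vault` fails and any tooling that parsed these values as JSON strings during cluster creation breaks. Please confirm the module's output types match the previous contract (or wrap them, `value = jsonencode(module.byovnet.vault)`, if they don't) and state it in the descriptions, e.g. `description = "Key vault ids, JSON-encoded string keyed redpanda-cluster / redpanda-console"`. Separately, the removed `vault` output gated the management vault id on `var.redpanda_console_key_vault_name` instead of the management vault name; whether the module output carries the same defect is not visible here, so verify that `terraform output vault` returns the management vault id when only `redpanda_management_key_vault_name` is set.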
@@ -1,30 +0,0 @@ -locals { - redpanda_resource_group_name = "${var.resource_group_name_prefix}${var.redpanda_resource_group_name}" - redpanda_storage_resource_group_name = "${var.resource_group_name_prefix}${var.redpanda_storage_resource_group_name}" - redpanda_network_resource_group_name = "${var.resource_group_name_prefix}${var.redpanda_network_resource_group_name}" - redpanda_iam_resource_group_name = "${var.resource_group_name_prefix}${var.redpanda_iam_resource_group_name}" - - resource_group_names = distinct([local.redpanda_resource_group_name, local.redpanda_storage_resource_group_name, local.redpanda_network_resource_group_name, local.redpanda_iam_resource_group_name]) - - resource_groups = { for rg in(var.create_resource_groups ? azurerm_resource_group.all : data.azurerm_resource_group.all) : rg.name => rg } - redpanda_resource_group = local.resource_groups[local.redpanda_resource_group_name] - redpanda_storage_resource_group = local.resource_groups[local.redpanda_storage_resource_group_name] - redpanda_network_resource_group = local.resource_groups[local.redpanda_network_resource_group_name] - redpanda_iam_resource_group = local.resource_groups[local.redpanda_iam_resource_group_name] - - resource_group_ids = [for rg in azurerm_resource_group.all : rg.id] -} - -resource "azurerm_resource_group" "all" { - for_each = var.create_resource_groups ? toset(local.resource_group_names) : [] - - name = each.value - location = var.region - - tags = var.tags -} - -data "azurerm_resource_group" "all" { - for_each = var.create_resource_groups ? [] : toset(local.resource_group_names) - name = each.value -} diff --git a/customer-managed/azure/terraform/role_assignments.tf b/customer-managed/azure/terraform/role_assignments.tf deleted file mode 100644 index 57e4e56..0000000 --- a/customer-managed/azure/terraform/role_assignments.tf +++ /dev/null 
@@ -1,139 +0,0 @@ -locals { - create_role_assignment = var.create_role_assignment ? 1 : 0 - agent_role_assignment_resource_groups = var.create_role_assignment ? local.resource_groups : {} -} - -// Allow the caller running Terraform to access management storage blobs -resource "azurerm_role_assignment" "caller_management_storage_blob_data_contributor" { - count = var.grant_caller_management_storage_access ? 1 : 0 - - scope = azurerm_storage_account.management.id - principal_id = data.azurerm_client_config.current.object_id - role_definition_name = "Storage Blob Data Contributor" -} - -// Allow storing Redpanda TF state to storage -resource "azurerm_role_assignment" "assign_identity_storage_blob_data_contributor" { - count = local.create_role_assignment - - scope = azurerm_storage_account.management.id - principal_id = azurerm_user_assigned_identity.redpanda_agent.principal_id - role_definition_name = "Storage Blob Data Contributor" -} - -// Allow access to key vault -resource "azurerm_role_assignment" "vault_secrets_officer" { - count = local.create_role_assignment - - scope = local.redpanda_resource_group.id - principal_id = data.azurerm_client_config.current.object_id - role_definition_name = "Key Vault Secrets Officer" -} - -resource "azurerm_role_assignment" "agent" { - for_each = local.agent_role_assignment_resource_groups - - principal_id = azurerm_user_assigned_identity.redpanda_agent.principal_id - scope = each.value.id - role_definition_id = azurerm_role_definition.redpanda_agent.role_definition_resource_id -} - -resource "azurerm_role_assignment" "aks_network_contributor" { - count = local.create_role_assignment - - scope = local.redpanda_network_resource_group.id - principal_id = azurerm_user_assigned_identity.aks.principal_id - role_definition_name = "Network Contributor" -} - -resource "azurerm_role_assignment" "redpanda_private_link" { - count = local.create_role_assignment - - principal_id = azurerm_user_assigned_identity.aks.principal_id - scope = 
local.redpanda_resource_group.id - role_definition_id = azurerm_role_definition.redpanda_private_link.role_definition_resource_id -} - -resource "azurerm_role_assignment" "redpanda_cluster" { - count = local.create_role_assignment - - principal_id = azurerm_user_assigned_identity.redpanda_cluster.principal_id - # See https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting?tabs=bicep#symptom---assigning-a-role-to-a-new-principal-sometimes-fails - principal_type = "ServicePrincipal" - scope = azurerm_storage_account.tiered_storage.id - role_definition_name = "Storage Blob Data Contributor" -} - -resource "azurerm_role_assignment" "redpanda_console" { - count = local.create_role_assignment - - principal_id = azurerm_user_assigned_identity.redpanda_console.principal_id - scope = azurerm_key_vault.console[0].id - role_definition_id = azurerm_role_definition.redpanda_console.role_definition_resource_id -} - -resource "azurerm_role_assignment" "cert_manager" { - count = local.create_role_assignment - # In TF provisioner, the scope is a DNS zone specific resource. We change it to RG here since DNS zone is not avaiable until cluster is being deployed. - # scope = "/subscriptions/60fc0bed-3072-4c53-906a-d130a934d520/resourceGroups/rg-rpcloud-cqclghd44f471cmf8ojg/providers/Microsoft.Network/dnsZones/cqclghd44f471cmf8ojg.byoc.ign.cloud.redpanda.com" - scope = local.redpanda_resource_group.id - role_definition_name = "DNS Zone Contributor" - principal_id = azurerm_user_assigned_identity.cert_manager.principal_id - # See https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting?tabs=bicep#symptom---assigning-a-role-to-a-new-principal-sometimes-fails - principal_type = "ServicePrincipal" -} - -resource "azurerm_role_assignment" "external_dns_zone_contributor" { - count = local.create_role_assignment - # In TF provisioner, the scope is a DNS zone specific resource. 
We change it to RG here since DNS zone is not avaiable until cluster is being deployed.
- #scope = "/subscriptions/60fc0bed-3072-4c53-906a-d130a934d520/resourceGroups/rg-rpcloud-cqclghd44f471cmf8ojg/providers/Microsoft.Network/dnsZones/cqclghd44f471cmf8ojg.byoc.ign.cloud.redpanda.com"
- scope = local.redpanda_resource_group.id
- role_definition_name = "DNS Zone Contributor"
- principal_id = azurerm_user_assigned_identity.external_dns.principal_id
- # See https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting?tabs=bicep#symptom---assigning-a-role-to-a-new-principal-sometimes-fails
- principal_type = "ServicePrincipal"
-}
-
-resource "azurerm_role_assignment" "external_dns_rgreader" {
- count = local.create_role_assignment
- scope = local.redpanda_resource_group.id
- role_definition_name = "Reader"
- principal_id = azurerm_user_assigned_identity.external_dns.principal_id
- # See https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting?tabs=bicep#symptom---assigning-a-role-to-a-new-principal-sometimes-fails
- principal_type = "ServicePrincipal"
-}
-
-resource "azurerm_role_assignment" "kafka_connect" {
- count = local.create_role_assignment
- principal_id = azurerm_user_assigned_identity.kafka_connect.principal_id
- scope = azurerm_key_vault.console[0].id
- role_definition_id = azurerm_role_definition.kafka_connect.role_definition_resource_id
-}
-
-resource "azurerm_role_assignment" "redpanda_connect" {
- count = local.create_role_assignment
- principal_id = azurerm_user_assigned_identity.redpanda_connect.principal_id
- scope = azurerm_key_vault.console[0].id
- role_definition_id = azurerm_role_definition.redpanda_connect.role_definition_resource_id
-}
-
-resource "azurerm_role_assignment" "redpanda_connect_api" {
- count = local.create_role_assignment
- principal_id = azurerm_user_assigned_identity.redpanda_connect_api.principal_id
- scope = azurerm_key_vault.console[0].id
- role_definition_id = azurerm_role_definition.redpanda_connect_api.role_definition_resource_id
-}
-
-resource "azurerm_role_assignment" "redpanda_cluster_secrets_reader" {
- count = local.create_role_assignment
- principal_id = azurerm_user_assigned_identity.redpanda_cluster.principal_id
- scope = azurerm_key_vault.console[0].id
- role_definition_id = azurerm_role_definition.redpanda_secrets_reader.role_definition_resource_id
-}
-
-resource "azurerm_role_assignment" "redpanda_operator_secrets_reader" {
- count = local.create_role_assignment
- principal_id = azurerm_user_assigned_identity.redpanda_operator.principal_id
- scope = azurerm_key_vault.console[0].id
- role_definition_id = azurerm_role_definition.redpanda_secrets_reader.role_definition_resource_id
-}
diff --git a/customer-managed/azure/terraform/roles.tf b/customer-managed/azure/terraform/roles.tf
deleted file mode 100644
index 2256b64..0000000
--- a/customer-managed/azure/terraform/roles.tf
+++ /dev/null
@@ -1,211 +0,0 @@
-resource "azurerm_role_definition" "redpanda_agent" {
- assignable_scopes = toset(local.resource_group_ids)
- name = "${var.resource_name_prefix}${var.redpanda_agent_role_name}"
- scope = local.redpanda_resource_group.id
- description = "Redpanda Agent Role"
- permissions {
-
- actions = [
- # Ability to read the resource group
- "Microsoft.Resources/subscriptions/resourcegroups/read",
- # Storage Containers
- "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
- "Microsoft.Storage/storageAccounts/blobServices/containers/read",
- "Microsoft.Storage/storageAccounts/blobServices/containers/write",
- "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
- # Create DNS Zones
- "Microsoft.Network/dnszones/read",
- "Microsoft.Network/dnszones/write",
- "Microsoft.Network/dnszones/delete",
- # Workaround for TF needing to import the zone when it already exists.
- "Microsoft.Network/dnszones/SOA/read",
- # Private link read
- "Microsoft.Network/privatelinkservices/read",
- "Microsoft.Network/privatelinkservices/write",
- "Microsoft.Network/privatelinkservices/delete",
- # The agent needs access to the storage account in order to access the data
- "Microsoft.Storage/storageAccounts/read",
- # Manage AKS Clusters
- "Microsoft.ContainerService/managedClusters/read",
- "Microsoft.ContainerService/managedClusters/delete",
- "Microsoft.ContainerService/managedClusters/write",
- "Microsoft.ContainerService/managedClusters/agentPools/read",
- "Microsoft.ContainerService/managedClusters/agentPools/write",
- "Microsoft.ContainerService/managedClusters/agentPools/delete",
- "Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action",
- # Without this, cannot create node pools to the specified AKS cluster
- "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
- # Required for ScaleIn/ScaleOut
- "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
- # Allows joining to a VNet
- "Microsoft.Network/virtualNetworks/read",
- "Microsoft.Network/virtualNetworks/subnets/join/action",
- "Microsoft.Network/virtualNetworks/subnets/read",
- "Microsoft.Network/virtualNetworks/subnets/write",
- "Microsoft.Network/virtualNetworks/subnets/delete",
- # Allow agent to manage role assignments for the Redpanda cluster
- "Microsoft.Authorization/roleAssignments/read",
- "Microsoft.Authorization/roleAssignments/write",
- "Microsoft.Authorization/roleAssignments/delete",
- # Allow agent to manage role definitions for the Redpana cluster
- "Microsoft.Authorization/roleDefinitions/write",
- "Microsoft.Authorization/roleDefinitions/read",
- "Microsoft.Authorization/roleDefinitions/delete",
- # Allow agent to manage identities for the Redpanda cluster
- "Microsoft.ManagedIdentity/userAssignedIdentities/read",
- "Microsoft.ManagedIdentity/userAssignedIdentities/write",
- "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
- "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
- "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
- "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
- "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
- # Allow agent to manage tiered storage bucket for the Redpanda cluster
- "Microsoft.Storage/storageAccounts/read",
- "Microsoft.Storage/storageAccounts/write",
- "Microsoft.Storage/storageAccounts/delete",
- "Microsoft.Storage/storageAccounts/blobServices/read",
- "Microsoft.Storage/storageAccounts/blobServices/write",
- # Allow agent to read public IPs
- "Microsoft.Network/publicIPAddresses/read",
- "Microsoft.Network/publicIPAddresses/write",
- "Microsoft.Network/publicIPAddresses/delete",
- # Creating the RP storage account requires these additional permissions to workaround https://github.com/hashicorp/terraform-provider-azurerm/issues/25521
- "Microsoft.Storage/storageAccounts/queueServices/read",
- "Microsoft.Storage/storageAccounts/fileServices/read",
- "Microsoft.Storage/storageAccounts/fileServices/shares/read",
- "Microsoft.Storage/storageAccounts/listkeys/action",
- # Read the keyvault
- "Microsoft.KeyVault/vaults/read"
- ]
- data_actions = [
- # Storage Containers
- "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
- "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
- "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
- "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
- "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
- ]
- }
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_role_definition" "redpanda_console" {
- name = "${var.resource_name_prefix}${var.redpanda_console_role_name}"
- description = "Redpanda Console Role"
- scope = local.redpanda_resource_group.id
- assignable_scopes = [
- local.redpanda_resource_group.id
- ]
- permissions {
- # https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault
- actions = [
- "Microsoft.KeyVault/vaults/secrets/read",
- "Microsoft.KeyVault/vaults/secrets/write",
- ]
- data_actions = [
- "Microsoft.KeyVault/vaults/secrets/update/action",
- "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
- "Microsoft.KeyVault/vaults/secrets/delete",
- "Microsoft.KeyVault/vaults/secrets/setSecret/action"
- ]
- }
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_role_definition" "redpanda_private_link" {
- assignable_scopes = [
- local.redpanda_resource_group.id
- ]
- name = "${var.resource_name_prefix}${var.redpanda_private_link_role_name}"
- scope = local.redpanda_resource_group.id
- description = "Redpanda AKS Private Link Service"
- permissions {
-
- actions = [
- "Microsoft.Network/privatelinkservices/read",
- "Microsoft.Network/privateLinkServices/write",
- "Microsoft.Network/privateLinkServices/delete",
- "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
- "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
- "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete"
- ]
- }
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_role_definition" "kafka_connect" {
- name = "${var.resource_name_prefix}${var.kafka_connect_role_name}"
- description = "Redpanda Kafka Connect Role"
- scope = local.redpanda_resource_group.id
- assignable_scopes = [
- local.redpanda_resource_group.id
- ]
- permissions {
- # https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault
- actions = [
- "Microsoft.KeyVault/vaults/secrets/read",
- ]
- data_actions = [
- "Microsoft.KeyVault/vaults/secrets/getSecret/action",
- "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
- ]
- }
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_role_definition" "redpanda_connect" {
- name = "${var.resource_name_prefix}${var.redpanda_connect_role_name}"
- description = "Redpanda Connect Role"
- scope = local.redpanda_resource_group.id
- assignable_scopes = [
- local.redpanda_resource_group.id
- ]
- permissions {
- # https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault
- data_actions = [
- "Microsoft.KeyVault/vaults/secrets/getSecret/action",
- ]
- }
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_role_definition" "redpanda_connect_api" {
- name = "${var.resource_name_prefix}${var.redpanda_connect_api_role_name}"
- description = "Redpanda Connect API Role"
- scope = local.redpanda_resource_group.id
- assignable_scopes = [
- local.redpanda_resource_group.id
- ]
- permissions {
- # https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault
- data_actions = [
- "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
- "Microsoft.KeyVault/vaults/secrets/getSecret/action",
- ]
- }
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_role_definition" "redpanda_secrets_reader" {
- name = "${var.resource_name_prefix}${var.redpanda_secrets_reader_role_name}"
- description = "Redpanda Secrets Reader Role"
- scope = local.redpanda_resource_group.id
- assignable_scopes = [
- local.redpanda_resource_group.id
- ]
- permissions {
- # https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault
- data_actions = [
- "Microsoft.KeyVault/vaults/secrets/getSecret/action",
- ]
- }
-
- depends_on = [azurerm_resource_group.all]
-}
-
diff --git a/customer-managed/azure/terraform/routing.tf b/customer-managed/azure/terraform/routing.tf
deleted file mode 100644
index 2f39d23..0000000
--- a/customer-managed/azure/terraform/routing.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-locals {
- create_nat = var.create_nat ? 1 : 0
- // zone ids used for resources bound to the NAT gateways
- natg_zone_ids = [
- for m in data.azurerm_location.redpanda.zone_mappings :
- m.logical_zone if contains(slice(var.zones, 0, 1), m.physical_zone)
- ]
-}
-
-resource "azurerm_nat_gateway" "redpanda" {
- count = local.create_nat
- name = "${var.resource_name_prefix}ngw-${var.region}"
- location = var.region
- resource_group_name = local.redpanda_network_resource_group_name
- sku_name = "Standard"
- idle_timeout_in_minutes = 10
- zones = [element(local.natg_zone_ids, 0)]
-
- tags = var.tags
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_public_ip_prefix" "redpanda" {
- count = local.create_nat
- name = "${var.resource_name_prefix}ippre-${var.region}"
- location = var.region
- resource_group_name = local.redpanda_network_resource_group_name
- prefix_length = 31 # 2 IPs should offer more than enough source ports: 128k
- zones = [element(local.natg_zone_ids, 0)]
- sku = "Standard"
-
- tags = var.tags
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_nat_gateway_public_ip_prefix_association" "redpanda" {
- count = local.create_nat
- nat_gateway_id = azurerm_nat_gateway.redpanda[0].id
- public_ip_prefix_id = azurerm_public_ip_prefix.redpanda[0].id
-}
-
-resource "azurerm_subnet_nat_gateway_association" "redpanda" {
- for_each = var.create_nat ? var.private_subnets : {}
-
- subnet_id = azurerm_subnet.private[each.key].id
- nat_gateway_id = azurerm_nat_gateway.redpanda[0].id
-}
diff --git a/customer-managed/azure/terraform/security_groups.tf b/customer-managed/azure/terraform/security_groups.tf
deleted file mode 100644
index 17e6ffc..0000000
--- a/customer-managed/azure/terraform/security_groups.tf
+++ /dev/null
@@ -1,54 +0,0 @@
-locals {
- rfc1918_prefixes = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
- rfc6598_prefixes = ["100.64.0.0/10"]
-}
-
-resource "azurerm_network_security_group" "redpanda_cluster" {
- name = "${var.resource_name_prefix}${var.redpanda_security_group_name}"
- location = var.region
- resource_group_name = local.redpanda_network_resource_group_name
-
- tags = var.tags
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_network_security_group" "redpanda_connectors" {
- name = "${var.resource_name_prefix}nsg-${var.region}-connectors"
- location = var.region
- resource_group_name = local.redpanda_network_resource_group_name
-
- tags = var.tags
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_network_security_rule" "allow_inbound_to_redpanda_brokers_nodeport" {
- name = "${var.resource_name_prefix}sgr-brokers-inbound"
- description = <<-HELP
- Allow traffic sent to Redpanda broker node ports.
- HELP
- priority = 101
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_ranges = ["30644", "30092", "30082", "30081"]
- source_address_prefixes = concat(local.rfc1918_prefixes, local.rfc6598_prefixes)
- destination_address_prefixes = ["0.0.0.0/0"]
- resource_group_name = local.redpanda_network_resource_group_name
- network_security_group_name = azurerm_network_security_group.redpanda_cluster.name
-}
-
-resource "azurerm_storage_account_network_rules" "redpanda_cloud_storage" {
- storage_account_id = azurerm_storage_account.tiered_storage.id
-
- default_action = "Allow"
- bypass = ["Metrics", "Logging", "AzureServices"]
-
- # If private link access is configured by organizational Azure policies,
- # we don't want to remove it with our periodic reconciliation.
- lifecycle {
- ignore_changes = [private_link_access]
- }
-}
diff --git a/customer-managed/azure/terraform/storage.tf b/customer-managed/azure/terraform/storage.tf
deleted file mode 100644
index 9bf8248..0000000
--- a/customer-managed/azure/terraform/storage.tf
+++ /dev/null
@@ -1,81 +0,0 @@
-locals {
- resource_name_prefix = replace(var.resource_name_prefix, "-", "")
-}
-
-resource "azurerm_storage_account" "management" {
- name = "${local.resource_name_prefix}${var.redpanda_management_storage_account_name}"
- resource_group_name = local.redpanda_resource_group_name
- location = var.region
- account_kind = "StorageV2"
- account_tier = "Standard"
- account_replication_type = "ZRS"
- is_hns_enabled = true
- access_tier = "Hot"
-
- public_network_access_enabled = true
- allow_nested_items_to_be_public = true
-
- cross_tenant_replication_enabled = false
- shared_access_key_enabled = false
-
- blob_properties {
- versioning_enabled = false # not supported in StorageV2 with HNS
- delete_retention_policy {
- days = 7
- }
- }
-
- identity {
- type = "SystemAssigned, UserAssigned"
- identity_ids = [azurerm_user_assigned_identity.redpanda_agent.id]
- }
-
- tags = var.tags
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_storage_container" "management" {
- ###### TODO change var. to local.
- name = "${local.resource_name_prefix}${var.redpanda_management_storage_container_name}"
- storage_account_name = azurerm_storage_account.management.name
- container_access_type = "blob"
- depends_on = [
- azurerm_storage_account.management
- ]
-}
-
-resource "azurerm_storage_account" "tiered_storage" {
- name = "${local.resource_name_prefix}${var.redpanda_tiered_storage_account_name}"
- resource_group_name = local.redpanda_storage_resource_group_name
- location = var.region
- account_kind = "StorageV2"
- account_tier = "Standard"
- account_replication_type = "ZRS"
- is_hns_enabled = true
- access_tier = "Hot"
-
- # WARNING/FIXME: Disabling public access breaks Terraform
- # and the Azure Portal.
- public_network_access_enabled = true
- allow_nested_items_to_be_public = true
- cross_tenant_replication_enabled = false
- shared_access_key_enabled = false
- infrastructure_encryption_enabled = true
- enable_https_traffic_only = true
- default_to_oauth_authentication = true
-
- blob_properties {
- versioning_enabled = false
- }
-
- tags = var.tags
-
- depends_on = [azurerm_resource_group.all]
-}
-
-resource "azurerm_storage_container" "tiered_storage" {
- name = "${local.resource_name_prefix}${var.redpanda_tiered_storage_container_name}"
- storage_account_name = azurerm_storage_account.tiered_storage.name
- container_access_type = "private"
-}
"eastus-az2"
]