Extract network resources into reusable modules/network module

Moves the three incus_network resources into a dedicated module called
once per entry in var.incus_networks. State was migrated imperatively
via `terraform state mv` because lxc/incus v1.0.2 does not implement
ResourceWithMoveState, making declarative moved blocks unsupported.
Plan confirms zero creates/destroys after migration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

incus/.terraform.lock.hcl

@@ -1,4 +1,4 @@
-# This file is maintained automatically by "tofu init".
+# This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/lxc/incus" {
@@ -20,3 +20,23 @@ provider "registry.opentofu.org/lxc/incus" {
     "zh:ebd2fb8d94d72bc28c5655c29c6e6048cc31ef3650d0e166aaf3d82a31673cd5",
   ]
 }
+
+provider "registry.terraform.io/lxc/incus" {
+  version = "1.0.2"
+  hashes = [
+    "h1:skSyqJPnvwhbfSrmVVY05I/js7qvX8T8Cd182tnTetc=",
+    "zh:0f312afd0bc27c111c5b4e41b6274dfe4401c3b5c60e4bd519425c547c5c2316",
+    "zh:396587c30adce1b57400ecf1a43df8d4fcbdf5172e3e359f58f7147520891546",
+    "zh:40310405f58493af0e68b1040d62286cd5e6d25b96b5e2d1534d155a98375eba",
+    "zh:4991adf7f290ffc840a1123b300163b8db25a6c4b096648c7b576a6661980ed5",
+    "zh:5d71a5c949a5ad01d075f856475e7de95df16b50d52e546a2257e5c56bfa9150",
+    "zh:60e5fde27aa605abab8487d6ed8a8bb66de88f5e1ba31bb05364b4379fde5f83",
+    "zh:63f9b65382bcb88efd0d9aa8422987405fcf00d4f5b63fbe1ae030438fb55eb7",
+    "zh:79acebe8ed9627dffc369058e54bbb933b5568fee02de3cc353274d728c07597",
+    "zh:97170106b7520d7c025ccfe392a0b7c2d172e63f00f656989b08d0b6ece56573",
+    "zh:9c8fc5d4b26dc21e6d75d6ac127502a797d7e9253bd10b236914db51fa1fc4d7",
+    "zh:b2b8cabdfa681efffa3599468257b185f7a7e24ec6e624e57f75920aa1e7c134",
+    "zh:d32129503b83790752482e0d794ffb9b04f7a893cc113d834654a8ddb028402f",
+    "zh:ebd2fb8d94d72bc28c5655c29c6e6048cc31ef3650d0e166aaf3d82a31673cd5",
+  ]
+}

incus/modules/network/main.tf

@@ -0,0 +1,36 @@
+terraform {
+  required_providers {
+    incus = {
+      source = "lxc/incus"
+    }
+  }
+}
+
+resource "incus_network" "hypervisor" {
+  for_each = var.hypervisors
+  name     = var.name
+  target   = each.key
+  type     = var.type
+  config = {
+    "parent" = var.hypervisor_parent
+  }
+}
+
+resource "incus_network" "witness" {
+  for_each = var.witnesses
+  name     = var.name
+  target   = each.key
+  type     = var.type
+  config = {
+    "parent" = var.witness_parent
+  }
+}
+
+resource "incus_network" "this" {
+  depends_on = [
+    incus_network.hypervisor,
+    incus_network.witness,
+  ]
+  name = var.name
+  type = var.type
+}

incus/modules/network/outputs.tf

@@ -0,0 +1,7 @@
+output "name" {
+  value = incus_network.this.name
+}
+
+output "type" {
+  value = incus_network.this.type
+}

incus/modules/network/variables.tf

@@ -0,0 +1,26 @@
+variable "name" {
+  type = string
+}
+
+variable "type" {
+  type    = string
+  default = "physical"
+}
+
+variable "hypervisors" {
+  type = set(string)
+}
+
+variable "witnesses" {
+  type = set(string)
+}
+
+variable "hypervisor_parent" {
+  type    = string
+  default = "br0"
+}
+
+variable "witness_parent" {
+  type    = string
+  default = "dummy0"
+}

incus/network.tf

@@ -1,28 +1,8 @@
-resource "incus_network" "main_bridge" {
+module "network" {
-  for_each = var.incus_hypervisors
+  source      = "./modules/network"
-  name     = "main"
+  for_each    = var.incus_networks
-  target   = each.key
+  name        = each.key
-  type     = "physical"
+  hypervisors = toset(keys(var.incus_hypervisors))
-  config   = {
+  witnesses   = toset(keys(var.incus_witnesses))
-    "parent" = "br0"
-  }
 }
 
-resource "incus_network" "main_dummy" {
-  for_each = var.incus_witnesses
-  name     = "main"
-  target   = each.key
-  type     = "physical"
-  config   = {
-    "parent" = "dummy0"
-  }
-}
-
-resource "incus_network" "main" {
-  depends_on = [
-    incus_network.main_bridge,
-    incus_network.main_dummy
-  ]
-  name       = "main"
-  type     = "physical"
-}