prompt-general/Infrastructure-as-Code-Platform

Infrastructure-as-Code Platform


An enterprise-grade, multi-cloud Terraform platform for provisioning and governing infrastructure across AWS, Azure, and Google Cloud with strict environment isolation, policy enforcement, drift detection, and hardened CI/CD.

Visual Architecture

flowchart LR
    DEV[Developer PR] --> PLAN[Terraform Plan Workflow]
    PLAN --> CKV[Checkov Scan]
    PLAN --> OPA[OPA Custom Policies]
    PLAN --> COST[Infracost]
    CKV --> REVIEW[PR Comment with Plan + Cost + Policy]
    OPA --> REVIEW
    COST --> REVIEW
    REVIEW --> MERGE[Merge to main]
    MERGE --> APPLY[Terraform Apply Workflow]
    APPLY --> AWS[AWS Accounts]
    APPLY --> AZ[Azure Subscriptions]
    APPLY --> GCP[GCP Projects]
    DRIFT[Scheduled Drift Detection] --> AWS
    DRIFT --> AZ
    DRIFT --> GCP
    DRIFT --> ISSUE[Auto-create GitHub Issue]

Platform Overview

This platform is built around five core principles:

  1. Multi-cloud parity: consistent IaC patterns across AWS, Azure, and GCP.
  2. Environment isolation: separate dev, staging, and prod state and deployment flows.
  3. Governance first: cloud-native org policies plus policy-as-code checks in CI.
  4. Safe delivery: PR-based planning, artifacted outputs, controlled applies, and state locking.
  5. Operational resilience: drift detection, concurrency controls, and failure notifications.

What This Platform Provides

Infrastructure Modules

For each cloud, modular Terraform components are organized by domain:

  1. Networking
  2. Compute
  3. Database

Environment Layers

Each cloud has dedicated environment directories:

  1. dev
  2. staging
  3. prod

Each environment composes modules and can receive distinct variables, policy guardrails, and approvals.

Governance Layers

  1. AWS Service Control Policies (SCPs)
  2. Azure Policy assignments
  3. GCP Organization Policies
  4. CI static policy checks (Checkov)
  5. CI custom policy checks (OPA)

Repository Structure

.
├── .github/
│   └── workflows/
│       ├── terraform-plan.yml
│       ├── terraform-apply.yml
│       └── drift-detection.yml
├── infra/
│   ├── modules/
│   │   ├── aws/
│   │   │   ├── networking/
│   │   │   ├── compute/
│   │   │   └── database/
│   │   ├── azure/
│   │   │   ├── networking/
│   │   │   ├── compute/
│   │   │   └── database/
│   │   └── gcp/
│   │       ├── networking/
│   │       ├── compute/
│   │       └── database/
│   ├── envs/
│   │   ├── dev/
│   │   ├── staging/
│   │   └── prod/
│   └── global/
│       ├── org-policies/
│       │   ├── aws/
│       │   ├── azure/
│       │   └── gcp/
│       └── policies/
│           ├── checkov/
│           └── opa/
├── backend/
└── frontend/

CI/CD Workflows

1) Terraform Plan (PR)

Triggered on pull requests that change the infra/ tree or the workflow files.

Pipeline stages:

  1. Authenticate by cloud using OIDC.
  2. terraform init.
  3. Checkov scan.
  4. terraform validate.
  5. terraform plan.
  6. OPA evaluation on plan JSON.
  7. Infracost estimate.
  8. Post enriched PR comment (changes, cost, policy status).

2) Terraform Apply (main)

Triggered on pushes to main that change the infra/ tree or the workflow files.

Pipeline stages:

  1. Authenticate by cloud using OIDC.
  2. terraform init.
  3. Checkov scan.
  4. terraform plan with lock timeout.
  5. OPA policy evaluation for prod.
  6. terraform apply with lock timeout.
  7. Slack alert on failure.

Hardening:

  1. A concurrency group per cloud and environment, so two apply runs for the same state never overlap.
  2. A state lock timeout, so a run waits for a held lock instead of failing immediately on a lock race.

3) Drift Detection

Triggered every 6 hours and on demand.

Behavior:

  1. Runs terraform plan -detailed-exitcode across the cloud/environment matrix.
  2. If drift exists (exit code 2, meaning the plan is non-empty), creates a GitHub issue with a plan excerpt.

Governance Implementation

AWS

SCP policy-as-code definitions include examples for:

  1. Deny disabling security services (CloudTrail/Config).
  2. Deny leaving organization.
  3. Deny KMS key deletion (except for a designated break-glass role pattern).
  4. Restrict regions.

Azure

Subscription policy assignments include:

  1. Allowed locations.
  2. Required Environment tag value.
  3. Deny public network access for storage.
  4. Allowed VM SKUs.

GCP

Folder-level organization policies include:

  1. Disable serial port access.
  2. Restrict Cloud SQL public IP.
  3. Enforce uniform bucket-level access.

OPA Custom Policies

Current baseline custom policy:

  1. Deny any aws_instance with instance_type t2.micro in production plans.

Path:

  1. infra/global/policies/opa/deny_t2_micro_prod.rego
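The baseline rule described above, written out here as an added illustration rather than the repository's own deny_t2_micro_prod.rego (which this page does not reproduce); the package name, the message text, and the choice to skip destroy-only and no-op changes are assumptions. It expects the JSON that terraform show -json produces from a saved plan, and needs OPA 0.59 or newer for the rego.v1 import.

```rego
package terraform.prod

import rego.v1

# Only changes that create or modify a resource matter for the target state.
# A destroy-only change has a null "after" block, and a no-op change would
# otherwise block an unrelated apply because of a pre-existing instance
# (assumed scope for this example, not a requirement of the platform).
relevant_actions := {"create", "update"}

# One message per offending resource; a plan is rejected when deny is non-empty.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_instance"
	some action in rc.change.actions
	action in relevant_actions
	rc.change.after.instance_type == "t2.micro"
	msg := sprintf("%s: instance_type t2.micro is not permitted in prod", [rc.address])
}
```

To check a plan locally the way the apply workflow's OPA stage would, run `opa eval --fail-defined -f pretty -i plan.json -d deny_t2_micro_prod.rego 'data.terraform.prod.deny'`; the command exits non-zero whenever at least one deny message is produced.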

Quick Start

Prerequisites

  1. Terraform 1.6+
  2. Cloud credentials via OIDC or local authenticated sessions
  3. Optional local tools for parity with CI:
    • Python 3.11+
    • Checkov
    • OPA
    • Infracost
    • jq

Local Plan Example

AWS dev:

cd infra/envs/dev/aws
terraform init
terraform validate
terraform plan -lock-timeout=300s

Azure dev:

cd infra/envs/dev/azure
terraform init
terraform validate
terraform plan -lock-timeout=300s

GCP dev:

cd infra/envs/dev/gcp
terraform init
terraform validate
terraform plan -lock-timeout=300s

Secrets and Variable Management

Principles:

  1. Keep non-sensitive settings in environment-specific variable files.
  2. Inject secrets through GitHub Actions secrets or a cloud secret manager.
  3. Do not commit live credentials.

Recommended GitHub secrets:

  1. DB_PASSWORD
  2. DB_USERNAME
  3. AWS_ROLE_ARN
  4. AZURE_CLIENT_ID
  5. AZURE_TENANT_ID
  6. AZURE_SUBSCRIPTION_ID
  7. GCP_WORKLOAD_IDENTITY_PROVIDER
  8. GCP_SERVICE_ACCOUNT
  9. GCP_PROJECT_ID
  10. SLACK_WEBHOOK_URL

Security and Operations Notes

  1. SCPs, Azure Policy assignments, and GCP organization policies are preventive controls enforced by the cloud provider at runtime, so they hold even for changes made outside this pipeline.
  2. Checkov and OPA are preventive controls enforced at PR and apply time.
  3. Drift detection is a detective control for out-of-band changes.
  4. Infracost adds financial risk visibility before merges.
  5. Concurrency groups and lock timeouts reduce the risk of state corruption.

Suggested Production Rollout Path

  1. Enable workflows for dev only first.
  2. Validate policy behavior and false positives.
  3. Expand matrix to staging.
  4. Add manual approvals for prod environments in GitHub environments.
  5. Expand alerting to on-call channels.

Troubleshooting

  1. Plan fails on missing sensitive variables: Set required TF_VAR_* values or configure GitHub secrets.

  2. Checkov failures block PR: Fix resources or add explicitly reviewed exceptions.

  3. OPA fails in prod: Inspect plan.json and rego outputs to identify denied resources.

  4. Drift issue created unexpectedly: Review plan diff and decide between reconcile-to-code or accept-and-import.

  5. Apply blocked by lock: Wait for existing run completion or investigate stale lock in backend.

Project Maturity Snapshot

| Capability | Status |
| --- | --- |
| Multi-cloud Terraform modules | Complete |
| Env isolation (dev/staging/prod) | Complete |
| PR plan + comments | Complete |
| Cloud governance (AWS/Azure/GCP) | Complete |
| Policy-as-code (Checkov + OPA) | Complete |
| Drift detection | Complete |
| Cost estimation in PR | Complete |
| Apply hardening + notifications | Complete |

License and Ownership

This repository is designed as an enterprise platform foundation. Adapt policy IDs, region restrictions, and approval controls to your organizational standards before production onboarding.
