{"id":49650218,"url":"https://github.com/emma-ola/terraform-platform-modules","last_synced_at":"2026-05-06T04:09:57.870Z","repository":{"id":331482936,"uuid":"1126008627","full_name":"emma-ola/terraform-platform-modules","owner":"emma-ola","description":"Production-grade Terraform modules for building foundational GCP platform infrastructure. This repository provides opinionated yet flexible modules for core platform primitives such as networking, security, and shared cloud services, designed for reuse across teams and environments.","archived":false,"fork":false,"pushed_at":"2026-01-17T17:23:14.000Z","size":78,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-17T20:51:13.105Z","etag":null,"topics":["cloud-platform","gcp","google-cloud","infrastructure-as-code","terraform","terraform-modules"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/emma-ola.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-31T21:27:05.000Z","updated_at":"2026-01-17T17:23:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/emma-ola/terraform-platform-modules","commit_stats":null,"previous_names":["emma-ola/terraform-platform-modules"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/emma-ola/terraform-platform-modules","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emma-ola%2Fterraform-platform-modules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emma-ola%2Fterraform-platform-modules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emma-ola%2Fterraform-platform-modules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emma-ola%2Fterraform-platform-modules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/emma-ola","download_url":"https://codeload.github.com/emma-ola/terraform-platform-modules/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emma-ola%2Fterraform-platform-modules/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32677993,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-06T02:33:58.958Z","status":"ssl_error","status_checked_at":"2026-05-06T02:33:39.611Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-platform","gcp","google-cloud","infrastructure-as-code","terraform","terraform-modules"],"created_at":"2026-05-06T04:09:57.259Z","updated_at":"2026-05-06T04:09:57.853Z","avatar_url":"https://github.com/emma-ola.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform Platform Modules (GCP)\n\nOpinionated, reusable Terraform modules to provision **secure and consistent**\nGoogle Cloud infrastructure.\n\nDesigned to reduce duplication, prevent configuration drift, and enable safe\nupgrades via versioned releases.\n\n---\n\n## Modules\n\n- **network**\n    - VPC creation\n    - Multi-region subnets with optional secondary ranges\n    - Firewall rules with validation and guardrails\n    - Cloud NAT with scoped subnet and IP-range support\n    - Routes and VPC Flow Logs\n\n- **gke**\n    - Private GKE clusters\n    - Data-driven node pools\n    - Secure node defaults (COS, Shielded VMs, metadata hardening)\n    - Workload Identity enabled by default\n\n---\n\n## Philosophy\n\n- Secure-by-default\n- Minimal, well-validated inputs\n- Clear separation of concerns (project → network → GKE)\n- Versioned releases (teams pin module versions)\n- CI guardrails (formatting, validation, linting, security scanning)\n\n---\n\n## Security \u0026 Guardrails\n\nThis repository is designed as a **production-grade Terraform platform**, not a\ncollection of ad-hoc modules. Security is enforced primarily through opinionated\ndefaults and module-level guarantees rather than relying on callers.\n\n### Built-in security controls\n\n- **GKE hardening**\n    - Private clusters by default\n    - Legacy metadata endpoints disabled on all nodes\n    - Workload Metadata configured (`GKE_METADATA`)\n    - Shielded nodes enabled (Secure Boot + Integrity Monitoring)\n    - Container-Optimized OS (`COS_CONTAINERD`) enforced for node images\n    - Network Policy support enabled at the cluster level\n\n- **Network security**\n    - VPC Flow Logs supported and configurable per subnet\n    - Firewall rules validated to prevent conflicting or unsafe configurations\n    - Cloud NAT configurable with scoped subnet and IP-range selection\n\n- **Platform standards**\n    - Baseline resource labels enforced at the module level\n    - Caller-supplied labels merged with platform defaults\n    - Guardrails implemented using Terraform preconditions\n\n### Automated security scanning\n\n- **Static analysis:** `tflint`\n- **Security scanning:** `tfsec` with SARIF upload to GitHub Security\n- Security findings are:\n    - Addressed through secure defaults where applicable, or\n    - Explicitly suppressed with documented justification\n\n#### Suppressed tfsec rule\n\n- **google-gke-enforce-pod-security-policy**\n\n**Reason:**  \nPodSecurityPolicy (PSP) is deprecated and removed in modern Kubernetes and GKE.\nPod security is enforced via **Pod Security Admission (PSA)** and/or **Policy\nController (Gatekeeper)** as a platform concern rather than legacy PSP.\n\nAll other security findings remain enabled and enforced.\n\n---\n\n## Usage\n\nSee `examples/dev` and `examples/gke-dev` for a reference implementation demonstrating composition of\nthe project, network, and GKE modules.\n\n---\n\n## Development\n\nCommon tasks are standardized using a Makefile.\n\n```bash\nmake fmt        # format Terraform files\nmake fmt-check  # check formatting\nmake validate   # validate Terraform configuration\nmake ci         # run all CI checks locally\nmake help       # show all available commands\n```\n\n---\n\n## Maintenance Windows \u0026 Exclusions\n\nThe GKE module supports **maintenance policies** to control when Google may perform cluster and node upgrades.\n\nMaintenance behavior is defined using:\n- A **recurring maintenance window** (when upgrades are allowed)\n- Optional **maintenance exclusions** (blackout periods when upgrades are blocked)\n\n---\n\n### Recurring maintenance window\n\nA recurring maintenance window defines **when upgrades may occur**.\n\n```hcl\nmaintenance = {\n  recurring_window = {\n    start_time = \"2026-01-01T00:00:00Z\"\n    end_time   = \"2026-01-01T06:00:00Z\"\n    recurrence = \"FREQ=WEEKLY;BYDAY=SA,SU\"\n  }\n}\n```\n\n**Behavior:**\n\n- GKE may perform upgrades every **Saturday and Sunday**\n- Only between **00:00–06:00 UTC**\n- Outside this window, upgrades are deferred\n\nThis configuration provides 12 hours per week, which safely satisfies\nGKE’s 48-hour / 32-day maintenance requirement.\n\n**This applies to:**\n\n- Control plane upgrades\n- Node pool upgrades (when `auto_upgrade = true`)\n- Routine cluster maintenance\n\n---\n\n### Maintenance exclusions (blackout periods)\n\nMaintenance exclusions define periods where **no upgrades are allowed**, even if they overlap with a recurring maintenance window.\n\n```hcl\nmaintenance = {\n  exclusions = {\n    black_friday = {\n      start_time = \"2026-11-27T00:00:00Z\"\n      end_time   = \"2026-11-30T23:59:59Z\"\n      scope      = \"NO_UPGRADES\"\n    }\n  }\n}\n```\n\n**Behavior:**\n\n- No upgrades will occur during the exclusion window\n- Exclusions **always take precedence** over recurring windows\n- Deferred upgrades resume during the next valid maintenance window\n\n---\n\n### How windows and exclusions interact\n\n- **Recurring windows** define when upgrades are allowed\n- **Exclusions** define when upgrades are forbidden\n- If both apply at the same time, **exclusions win**\n\n---\n\n### Timezone considerations\n\nAll maintenance times must be specified in **UTC**.\n\nFor reference, 00:00–06:00 UTC corresponds to:\n- **7pm–1am ET** during standard time (EST)\n- **8pm–2am ET** during daylight time (EDT)\n\nAlways convert local maintenance windows to UTC before configuring.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femma-ola%2Fterraform-platform-modules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Femma-ola%2Fterraform-platform-modules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femma-ola%2Fterraform-platform-modules/lists"}