{"id":48670819,"url":"https://github.com/ghndrx/terraform-foundation","last_synced_at":"2026-04-10T12:10:04.192Z","repository":{"id":335700247,"uuid":"1146476586","full_name":"ghndrx/terraform-foundation","owner":"ghndrx","description":"Enterprise-grade multi-tenant cloud foundation with Terraform. ABAC, SCPs, cost optimization.","archived":false,"fork":false,"pushed_at":"2026-02-24T20:05:43.000Z","size":273,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-25T00:26:27.097Z","etag":null,"topics":["abac","aws","devops","infrastructure-as-code","landing-zone","multi-tenancy","terraform"],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ghndrx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-31T06:37:03.000Z","updated_at":"2026-02-24T20:05:56.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ghndrx/terraform-foundation","commit_stats":null,"previous_names":["ghndrx/terraform-foundation"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ghndrx/terraform-foundation","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ghndrx%2Fterraform-foundation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ghndrx%2Fterraform-foundation/tags","releases_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/ghndrx%2Fterraform-foundation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ghndrx%2Fterraform-foundation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ghndrx","download_url":"https://codeload.github.com/ghndrx/terraform-foundation/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ghndrx%2Fterraform-foundation/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31641555,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-10T07:40:12.752Z","status":"ssl_error","status_checked_at":"2026-04-10T07:40:11.664Z","response_time":98,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abac","aws","devops","infrastructure-as-code","landing-zone","multi-tenancy","terraform"],"created_at":"2026-04-10T12:10:03.664Z","updated_at":"2026-04-10T12:10:04.180Z","avatar_url":"https://github.com/ghndrx.png","language":"HCL","readme":"# Terraform Foundation\n\n![Terraform](https://img.shields.io/badge/Terraform-1.5+-7B42BC?style=flat\u0026logo=terraform)\n![AWS](https://img.shields.io/badge/Cloud-AWS-FF9900?style=flat\u0026logo=amazon-aws)\n![License](https://img.shields.io/badge/License-MIT-blue)\n\nEnterprise-grade cloud foundation with multi-tenancy, designed to scale from startup to enterprise.\n\n## Features\n\n- 🏢 
**Multi-tenancy** - Logical tenant isolation via tags \u0026 ABAC\n- 💰 **Cost optimized** - Single shared VPC, one NAT Gateway\n- 🔒 **Security** - SCPs, tag enforcement, tenant-scoped IAM\n- 📊 **Billing** - Per-tenant and per-app budget alerts\n- 🎚️ **Flexible** - Single-account or multi-account deployment\n- 🚀 **CI/CD Ready** - GitHub Actions workflow included\n- 📦 **Workload Templates** - ECS, Lambda, RDS ready to deploy\n\n## Deployment Modes\n\n| Mode | Accounts | Best For | Cost |\n|------|----------|----------|------|\n| **single-account** | 1 | Startups, POCs, small teams | $ |\n| **multi-account** | 1 per env (prod/staging/dev) | Growing companies, compliance | $$ |\n\nBoth modes use the same tenant isolation pattern (tags + ABAC + security groups).\n\n```\n┌─────────────────────────────────────────────────────────────────────┐\n│                         Shared VPC                                   │\n│                                                                      │\n│   ┌─────────────┐  ┌─────────────┐  ┌─────────────┐                │\n│   │  Tenant A   │  │  Tenant B   │  │  Tenant C   │                │\n│   │  SG: A-*    │  │  SG: B-*    │  │  SG: C-*    │                │\n│   └─────────────┘  └─────────────┘  └─────────────┘                │\n│                                                                      │\n│   Isolation: Security Groups + Tags (ABAC) + IAM                    │\n│   Cost: Single NAT Gateway (~$32/mo vs $288 for 3 separate VPCs)    │\n└─────────────────────────────────────────────────────────────────────┘\n```\n\n## Quick Start\n\n### Prerequisites\n\n- Terraform \u003e= 1.5\n- AWS CLI configured with appropriate permissions\n- Make (optional, for convenience commands)\n\n### Single-Account Mode (Fastest)\n\n```bash\n# 1. Bootstrap\ncd terraform/00-bootstrap\nterraform init\nterraform apply -var=\"project_name=myproject\" -var=\"deployment_mode=single-account\"\n\n# 2. 
Network (skip 01-organization in single-account mode)\ncd ../02-network\nterraform init -backend-config=../00-bootstrap/backend.hcl\nterraform apply -var=\"state_bucket=myproject-terraform-state\"\n\n# 3. Platform (ECR, CI/CD)\ncd ../03-platform\nterraform init -backend-config=../00-bootstrap/backend.hcl\nterraform apply -var=\"state_bucket=myproject-terraform-state\" -var=\"project_name=myproject\"\n\n# 4. Add a tenant\n./scripts/new-tenant.sh acme\ncd terraform/04-tenants/acme\n# Edit main.tf (apps, budgets, emails)\nterraform init -backend-config=../../00-bootstrap/backend.hcl\nterraform apply -var=\"state_bucket=myproject-terraform-state\"\n\n# 5. Deploy a workload\n./scripts/new-workload.sh ecs acme api\ncd terraform/05-workloads/acme-api\n# Edit main.tf (container image, ports, scaling)\nterraform init -backend-config=../../00-bootstrap/backend.hcl\nterraform apply -var=\"state_bucket=myproject-terraform-state\"\n```\n\n### Multi-Account Mode (Enterprise)\n\n```bash\n# 1. Bootstrap\ncd terraform/00-bootstrap\nterraform init\nterraform apply -var=\"project_name=myorg\" -var=\"deployment_mode=multi-account\"\n\n# 2. Organization (creates AWS Org, OUs, core accounts)\ncd ../01-organization\nterraform init -backend-config=../00-bootstrap/backend.hcl\nterraform apply\n\n# 3. Network (VPC in dedicated network account)\ncd ../02-network\nterraform init -backend-config=../00-bootstrap/backend.hcl\nterraform apply -var=\"state_bucket=myorg-terraform-state\" -var=\"deployment_mode=multi-account\"\n\n# 4. 
Platform \u0026 tenants as above\n```\n\n### Using Make\n\n```bash\nmake help              # Show all commands\nmake init              # Initialize all layers\nmake plan              # Plan all layers\nmake apply             # Apply all layers\nmake new-tenant NAME=acme\nmake plan-tenant NAME=acme\n```\n\n## Layered Structure\n\nApply in order — each layer depends on the previous:\n\n```\nterraform/\n├── 00-bootstrap/       # State bucket, locks, KMS (FIRST)\n├── 01-organization/    # AWS Org, OUs, SCPs (multi-account only)\n├── 02-network/         # Shared VPC, NAT, subnets\n├── 03-platform/        # Shared services: ECR, CodeBuild\n├── 04-tenants/         # Per-tenant: SGs, IAM, budgets\n│   ├── _template/      # Copy for new tenants\n│   ├── acme/\n│   └── globex/\n├── 05-workloads/       # Actual resources\n│   ├── _template/\n│   │   ├── ecs-service/\n│   │   ├── eks-cluster/\n│   │   ├── elasticache-redis/\n│   │   ├── lambda-function/\n│   │   ├── rds-database/\n│   │   ├── sqs-queue/\n│   │   └── static-site/\n│   ├── acme-api/\n│   └── acme-db/\n└── modules/            # Reusable modules\n    ├── backup-plan/      # AWS Backup automation\n    ├── vpc-endpoints/    # PrivateLink endpoints\n    └── ...\n```\n\n## Tenant Isolation\n\n### Security Groups\n\nEach tenant gets its own SGs. Apart from the web tier's public ingress, their rules **only allow intra-tenant traffic**:\n\n```\nacme-prod-base-sg     → Self-referencing (acme can talk to acme)\nacme-prod-web-sg      → 443/80 from internet\nacme-prod-app-sg      → 8080 from acme-base only\nacme-prod-db-sg       → 5432 from acme-base only\n\n❌ globex-* cannot reach acme-* (no SG rules allow it)\n```\n\nThis holds only as long as no tenant can edit another tenant's rules, so the tenant roles' `ec2:AuthorizeSecurityGroupIngress` and related permissions need the same `Tenant` tag condition as everything else. Because the VPC and NAT Gateway are shared, all tenants also egress from the same public IP, so tenants cannot be told apart by source address from outside.\n\n### ABAC (Attribute-Based Access Control)\n\nIAM roles are scoped to a tenant by tag. Two caveats: not every API action supports `aws:ResourceTag` (many list and describe calls do not, and need separate statements), and the policy must also deny changes to the `Tenant` tag itself, otherwise a principal could re-tag resources across the boundary:\n\n```hcl\n# acme-admin can ONLY touch resources tagged Tenant=acme\nCondition = {\n  StringEquals = {\n    \"aws:ResourceTag/Tenant\" = \"acme\"\n  }\n}\n\n# Must tag new resources correctly\nCondition = {\n  StringEquals = {\n    \"aws:RequestTag/Tenant\" = \"acme\"\n  
}\n}\n```\n\n### Budgets\n\n- **Tenant budget**: Total spend for all apps\n- **App budgets**: Per-app limits\n- **Alerts**: 50%, 80%, 100% thresholds → email\n\n## Workload Templates\n\n### ECS Fargate Service\n\nFull container orchestration with:\n- ECS Cluster with Fargate/Fargate Spot\n- Application Load Balancer with access logging\n- Auto-scaling (CPU/Memory based)\n- CloudWatch logging\n\n```bash\n./scripts/new-workload.sh ecs \u003ctenant\u003e \u003capp-name\u003e\n```\n\n### EKS Kubernetes Cluster\n\nProduction-ready Kubernetes with:\n- EKS managed node groups (On-Demand \u0026 Spot)\n- IRSA (IAM Roles for Service Accounts)\n- Core addons (VPC CNI, CoreDNS, kube-proxy, EBS CSI)\n- IMDSv2 enforced, encrypted EBS volumes\n- Cluster Autoscaler \u0026 LB Controller ready\n\n```bash\n./scripts/new-workload.sh eks \u003ctenant\u003e \u003ccluster-name\u003e\n```\n\n### Lambda Function\n\nServerless functions with:\n- API Gateway HTTP API (optional)\n- VPC access for database connectivity\n- EventBridge scheduled execution\n- X-Ray tracing\n\n```bash\n./scripts/new-workload.sh lambda \u003ctenant\u003e \u003cfunction-name\u003e\n```\n\n### RDS Database\n\nManaged databases with:\n- PostgreSQL, MySQL, or Aurora\n- KMS encryption, IAM authentication\n- Secrets Manager for credentials\n- Enhanced monitoring, Performance Insights\n\n```bash\n./scripts/new-workload.sh rds \u003ctenant\u003e \u003cdb-name\u003e\n```\n\n### ElastiCache Redis\n\nIn-memory caching with:\n- Redis 7.x replication group\n- Encryption at rest and in transit\n- Automatic failover (Multi-AZ)\n- Auth token in Secrets Manager\n\n```bash\n./scripts/new-workload.sh redis \u003ctenant\u003e \u003ccache-name\u003e\n```\n\n### SQS Queue\n\nMessage queuing with:\n- Main queue + dead letter queue\n- KMS encryption\n- CloudWatch alarms (depth, age, DLQ)\n- FIFO support optional\n\n```bash\n./scripts/new-workload.sh sqs \u003ctenant\u003e \u003cqueue-name\u003e\n```\n\n### DynamoDB Table\n\nNoSQL database 
with:\n- On-demand or provisioned capacity\n- KMS encryption, point-in-time recovery\n- GSI/LSI support, TTL\n- Auto-scaling (provisioned mode)\n\n```bash\n./scripts/new-workload.sh dynamodb \u003ctenant\u003e \u003ctable-name\u003e\n```\n\n### EventBridge Event Bus\n\nEvent-driven architecture with:\n- Custom event bus for tenant isolation\n- Event rules with pattern matching\n- Dead letter queue, event archiving\n- Schema discovery\n\n```bash\n./scripts/new-workload.sh eventbus \u003ctenant\u003e \u003cbus-name\u003e\n```\n\n### Step Functions Workflow\n\nServerless orchestration with:\n- Standard or Express workflows\n- IAM permissions per service\n- CloudWatch logging, X-Ray tracing\n- API Gateway or EventBridge triggers\n\n```bash\n./scripts/new-workload.sh stepfn \u003ctenant\u003e \u003cworkflow-name\u003e\n```\n\n### Static Site (S3 + CloudFront)\n\nCDN-backed static hosting with:\n- S3 bucket (private, OAC access)\n- CloudFront with HTTPS\n- Security headers (CSP, HSTS, etc.)\n- Optional custom domain + ACM\n\n```bash\n./scripts/new-workload.sh static \u003ctenant\u003e \u003csite-name\u003e\n```\n\n### ECR Repository\n\nContainer registry with:\n- Lifecycle policies (auto-cleanup old images)\n- Cross-account pull/push access\n- Multi-region replication\n- Image scanning on push\n\n```bash\n./scripts/new-workload.sh ecr \u003ctenant\u003e \u003crepo-name\u003e\n```\n\n### SNS Topic\n\nPub/sub messaging with:\n- Multiple subscription types (Lambda, SQS, HTTP, Email)\n- Message filtering policies\n- Dead letter queue for failed deliveries\n- FIFO topics for ordered delivery\n\n```bash\n./scripts/new-workload.sh sns \u003ctenant\u003e \u003ctopic-name\u003e\n```\n\n### SSM Parameters\n\nConfiguration store with:\n- Hierarchical parameter paths\n- SecureString for secrets (KMS encrypted)\n- Free tier (cheaper than Secrets Manager)\n- IAM policies for read/write access\n\n```bash\n./scripts/new-workload.sh params \u003ctenant\u003e 
\u003cconfig-name\u003e\n```\n\n### EventBridge Rules\n\nEvent-driven automation with:\n- Scheduled rules (cron/rate expressions)\n- Event pattern matching (AWS service events)\n- Input transformations\n- Multiple targets (Lambda, SQS, SNS, Step Functions)\n\n```bash\n./scripts/new-workload.sh events \u003ctenant\u003e \u003crules-name\u003e\n```\n\n### Cognito User Pool\n\nAuthentication with:\n- User signup/signin\n- Social identity providers\n- MFA (TOTP, SMS)\n- Custom UI branding\n- App clients for web/mobile\n\n```bash\n./scripts/new-workload.sh cognito \u003ctenant\u003e \u003cauth-name\u003e\n```\n\n### SES Email\n\nTransactional email with:\n- Domain identity verification\n- DKIM/SPF/DMARC\n- Email templates\n- Reputation monitoring\n- Bounce/complaint handling\n\n```bash\n./scripts/new-workload.sh ses \u003ctenant\u003e \u003cemail-name\u003e\n```\n\n### API Gateway\n\nREST API with:\n- Lambda integration\n- Request validation\n- Usage plans and API keys\n- Custom domain support\n- CloudWatch logging\n\n```bash\n./scripts/new-workload.sh apigw \u003ctenant\u003e \u003capi-name\u003e\n```\n\n## Platform Services (03-platform)\n\nThe platform layer provides shared infrastructure:\n\n- **ECR Repositories**: Container registry with lifecycle policies\n- **CodeBuild**: Shared build project with VPC access\n- **S3 Artifacts**: CI/CD artifact storage with lifecycle rules\n- **SSM Parameters**: Centralized configuration store\n\n## Cost Savings\n\n| Setup | NAT Gateways | Est. 
Monthly |\n|-------|--------------|--------------|\n| VPC per tenant (3 tenants, 3 AZ) | 9 | ~$288 |\n| **Shared VPC (1 NAT)** | 1 | ~$32 |\n| **Savings** | | **~$256/mo** |\n\nThe trade-off: one NAT Gateway sits in a single AZ, so losing that AZ removes internet egress for every tenant in the shared VPC. Where that is not acceptable, budget for one NAT Gateway per AZ.\n\n## Scripts\n\n```bash\n# Create new tenant\n./scripts/new-tenant.sh \u003cname\u003e\n\n# Create new workload (type: ecs, eks, lambda, rds, ...; see Workload Templates)\n./scripts/new-workload.sh \u003ctype\u003e \u003ctenant\u003e \u003cname\u003e\n\n# Apply all layers in order\n./scripts/apply-all.sh plan   # Preview\n./scripts/apply-all.sh apply  # Deploy\n```\n\n## CI/CD\n\nGitHub Actions workflow included (`.github/workflows/terraform.yml`):\n\n- **On PR**: Format check, validate, security scan, plan (comments on PR)\n- **On merge**: Auto-apply (requires `production` environment approval)\n\nSetup:\n1. Create an IAM role for GitHub OIDC (the `github-oidc` module). Restrict the trust policy's `sub` condition to this repository and the `production` environment; a trust policy that only checks issuer and audience can be assumed by a workflow in any GitHub repository.\n2. Add `AWS_ROLE_ARN` to repository secrets\n3. Create `production` environment with required reviewers\n\n## Requirements\n\n- Terraform \u003e= 1.5\n- AWS CLI configured\n- Sufficient IAM permissions (Organizations, IAM, EC2, RDS, etc.)\n\n### Optional Tools\n\n- [tfsec](https://github.com/aquasecurity/tfsec) - Security scanning\n- [terraform-docs](https://github.com/terraform-docs/terraform-docs) - Documentation generation\n- [infracost](https://www.infracost.io/) - Cost estimation\n\n## Security Controls\n\nBuilt-in security controls (see [docs/SECURITY.md](docs/SECURITY.md)):\n\n| Control | Implementation |\n|---------|----------------|\n| **Encryption at rest** | KMS for RDS, EBS, S3, SQS, ElastiCache |\n| **Encryption in transit** | TLS enforced on all services |\n| **Network isolation** | VPC Flow Logs, private subnets, SG-based tenant isolation |\n| **Access logging** | ALB, CloudFront, S3, VPC flow logs → centralized bucket |\n| **IMDSv2** | Enforced on all EC2/EKS nodes via SCP + launch template |\n| **Tag enforcement** | SCP requires Tenant + Environment tags |\n| **Audit protection** | SCP prevents disabling CloudTrail, GuardDuty, Config |\n\n## Reusable Modules\n\n| Module | Purpose 
|\n|--------|---------|\n| **alerting** | SNS topics (critical/warning/info), Slack/PagerDuty integration |\n| **backup-plan** | AWS Backup with daily/weekly/monthly, cross-region DR |\n| **budget-alerts** | Cost budgets with anomaly detection |\n| **cloudtrail** | Audit logging with S3, CloudWatch, KMS |\n| **cloudwatch-dashboard** | Pre-built metric dashboards |\n| **github-oidc** | Secure CI/CD without long-lived credentials |\n| **iam-role** | Service, cross-account, and OIDC roles |\n| **kms-key** | Customer-managed encryption keys |\n| **route53-zone** | Hosted zones with health checks |\n| **security-baseline** | GuardDuty, Security Hub, AWS Config, IAM Access Analyzer |\n| **vpc-endpoints** | Gateway (S3, DynamoDB) + Interface endpoints |\n| **vpc-lite** | Cost-optimized VPC ($0-$32/mo NAT options) |\n| **waf-alb** | AWS WAF with managed rules, rate limiting, geo-blocking |\n\n## Terragrunt Support\n\nFor DRY multi-environment configuration:\n\n```bash\nlive/\n├── terragrunt.hcl          # Root config\n├── prod/\n│   ├── env.hcl             # Environment variables\n│   └── network/\n│       └── terragrunt.hcl\n├── staging/\n│   └── env.hcl\n└── dev/\n    └── env.hcl\n```\n\nCopy `terragrunt.hcl` to your `live/` directory and customize `env.hcl` per environment.\n\n## Documentation\n\n- [Security Architecture](docs/SECURITY.md) — Encryption, access control, audit logging\n- [Cost Optimization](docs/COST-OPTIMIZATION.md) — Savings strategies, right-sizing guide\n\n## Roadmap\n\n- [x] ~~Add 03-platform (shared ECR, CI/CD)~~\n- [x] ~~Add 05-workloads templates (ECS, Lambda, RDS, EKS)~~\n- [x] ~~Security hardening (KMS, VPC Flow Logs, IMDSv2)~~\n- [x] ~~Terragrunt support~~\n- [x] ~~Event-driven templates (EventBridge, Step Functions)~~\n- [x] ~~Security baseline (GuardDuty, Security Hub, Config)~~\n- [x] ~~WAF module for ALB protection~~\n- [x] ~~Alerting module (SNS, Slack, PagerDuty)~~\n- [ ] GCP/Azure modules (future)\n- [ ] Service mesh (AWS App Mesh)\n- [ 
] Prometheus/Grafana on EKS\n\n## License\n\nMIT\n\n## AI-Assisted Development (MCP Servers)\n\nThis repository includes MCP (Model Context Protocol) server configurations for AI-assisted infrastructure development.\n\n### Available MCP Servers\n\n| Server | Purpose |\n|--------|---------|\n| `terraform` | HashiCorp Terraform Registry integration |\n| `awslabs.terraform-mcp-server` | AWS-specific Terraform resources |\n| `awslabs.aws-documentation-mcp-server` | Real-time AWS documentation |\n| `awslabs.cdk-mcp-server` | AWS CDK best practices |\n| `awslabs.core-mcp-server` | Core AWS utilities |\n| `awslabs.cost-analysis-mcp-server` | Cost Explorer analysis |\n| `awslabs.cloudformation-mcp-server` | CloudFormation operations |\n\n### Setup\n\n1. **Install prerequisites**:\n   ```bash\n   # Node.js (for the HashiCorp MCP server); npx ships with npm, nothing extra to install\n   node --version \u0026\u0026 npx --version\n\n   # Python uv (for AWS Labs servers)\n   pip install uv\n   # or (download and read the script first rather than piping it straight into sh)\n   curl -LsSf https://astral.sh/uv/install.sh | sh\n   ```\n\n2. **Configure your MCP client**:\n\n   For **Claude Code**:\n   ```bash\n   # Already configured in .mcp.json\n   claude-code .\n   ```\n\n   For **Cursor**:\n   ```bash\n   cp .mcp.json .cursor/mcp.json\n   ```\n\n   For **VS Code**:\n   ```bash\n   cp .mcp.json .vscode/mcp.json\n   ```\n\n### Usage Examples\n\nWith MCP servers enabled, your AI assistant can:\n\n- **Generate Terraform configurations** using latest provider schemas\n- **Look up AWS documentation** for service configurations\n- **Apply best practices** from AWS Well-Architected Framework\n- **Analyze costs** and suggest optimizations\n- **Validate security** against AWS security guidelines\n\n```\n# Example prompts with MCP\n\"Create a Terraform module for an ECS service with Fargate\"\n\"What are the latest IAM best practices for GitHub OIDC?\"\n\"Analyze the cost impact of this RDS configuration\"\n```\n\n### Security Note\n\nMCP servers that call AWS with credentials (`cost-analysis`, `cloudformation`) are disabled by default. Enable them only while you need them, and run them under a dedicated least-privilege role (read-only for cost analysis) with short-lived credentials, never the administrative profile used for `terraform apply`: the assistant can invoke any action those credentials permit, including in response to content it reads through other tools.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghndrx%2Fterraform-foundation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fghndrx%2Fterraform-foundation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghndrx%2Fterraform-foundation/lists"}
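The ABAC conditions in the README's Tenant Isolation section and the OIDC role in its CI/CD setup both come down to IAM condition evaluation, and their failure modes are easiest to see by evaluating sample requests. The block below is an added example written for this page, not code from the terraform-foundation repository or from AWS: a deliberately small model of IAM's decision logic (explicit deny wins, implicit deny otherwise, the `Null` operator, the ForAllValues/ForAnyValue set operators) applied to an assumed tenant-admin policy and an assumed CI trust policy. The policy shapes, the `111122223333` account ID and the use of `ghndrx/terraform-foundation` as the CI repository are assumptions; the model checks one action and request context at a time and ignores resource ARNs and the Principal element.

```python
"""Small model of IAM policy evaluation, written for this page to check two
policies the foundation relies on: the tenant-scoped ABAC permissions policy
and the GitHub OIDC trust policy. It is not AWS's evaluator and not code from
the terraform-foundation repository. Modelled as IAM documents them: an
explicit Deny wins, no matching Allow is an implicit deny, every condition in
a statement must hold, "Null" tests key absence, and the ForAllValues /
ForAnyValue operators apply to multi-valued keys such as aws:TagKeys.
Resource ARNs and the Principal element are not evaluated."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, context):
    expected = _as_list(expected)
    actual = context.get(key)
    if operator == "Null":
        return (actual is None) == (expected[0] == "true")  # "true": key absent
    if operator == "ForAllValues:StringEquals":
        return all(v in expected for v in _as_list(actual or []))  # vacuous if absent
    if operator == "ForAnyValue:StringEquals":
        return any(v in expected for v in _as_list(actual or []))
    if actual is None:
        return False  # a missing key never satisfies a plain string operator
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringLike":
        return any(fnmatchcase(actual, pat) for pat in expected)
    raise ValueError(f"operator not modelled: {operator}")


def _statement_applies(stmt, action, context):
    # action names match case-insensitively with * wildcards
    if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
        return False
    return all(_condition_holds(op, key, exp, context)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def evaluate(policy, action, context):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def tenant_policy(tenant):
    """Permissions policy for a <tenant>-admin role (assumed shape). The README
    shows the conditions of statements 1 and 2; statements 3 and 4 are what
    make them hold: EC2 authorises ec2:CreateTags separately when tagging at
    launch, and standalone edits to the Tenant tag must be denied or the role
    can re-tag its way across the ResourceTag boundary. A real policy also
    needs allows for the untagged resources RunInstances touches (AMI, subnet)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Tenant": tenant}}},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Condition": {"StringEquals": {"aws:RequestTag/Tenant": tenant},
                       "ForAllValues:StringEquals": {"aws:TagKeys": ["Tenant", "Environment", "Name"]}}},
        {"Effect": "Allow", "Action": "ec2:CreateTags",
         "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances",
                                        "aws:RequestTag/Tenant": tenant}}},
        {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
         "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["Tenant"]},
                       "Null": {"ec2:CreateAction": "true"}}},
    ]}


def readme_only_policy(tenant):
    """The two README conditions alone, for comparison."""
    return {"Version": "2012-10-17", "Statement": tenant_policy(tenant)["Statement"][:2]}


def github_oidc_trust_policy(account_id, repo, environment):
    """Trust policy for the CI apply role (assumed shape). The sub condition is
    the real boundary: every GitHub repository's tokens share this issuer and
    audience, so without it any workflow on GitHub could assume the role."""
    issuer = "token.actions.githubusercontent.com"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
         "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
         "Condition": {"StringEquals": {f"{issuer}:aud": "sts.amazonaws.com"},
                       "StringLike": {f"{issuer}:sub": f"repo:{repo}:environment:{environment}"}}}]}


# Constructed sample policies; the account id is a placeholder.
ACME = tenant_policy("acme")
CI_TRUST = github_oidc_trust_policy("111122223333", "ghndrx/terraform-foundation", "production")
AUD = "token.actions.githubusercontent.com:aud"
SUB = "token.actions.githubusercontent.com:sub"
RETAG = {"aws:ResourceTag/Tenant": "acme", "aws:TagKeys": ["Tenant"]}  # acme-admin rewriting its own Tenant tag

if __name__ == "__main__":
    print(evaluate(readme_only_policy("acme"), "ec2:CreateTags", RETAG))  # Allow  (the gap)
    print(evaluate(ACME, "ec2:CreateTags", RETAG))                        # Deny   (closed)
    print(evaluate(CI_TRUST, "sts:AssumeRoleWithWebIdentity",
                   {AUD: "sts.amazonaws.com", SUB: "repo:ghndrx/terraform-foundation:pull_request"}))  # ImplicitDeny
```

Run against sample contexts, the model shows three things the README's snippets do not: with only the two published conditions, `acme-admin` may rewrite the `Tenant` tag on a resource it already owns (the `ResourceTag` allow covers `ec2:CreateTags`), which the explicit deny on standalone tag edits closes; tagging at launch still works because `ec2:CreateAction` is present in that request; and a token minted for a `pull_request` run of the same repository cannot assume the apply role, because `sub` is pinned to the `production` environment that the README's merge workflow requires.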