https://github.com/landerox/cloud-landerox-infra
GCP Terraform baseline and reference architecture — multi-environment CI/CD, defense-in-depth (validations + Conftest + Sigstore plan attestation), Workload Identity Federation, BigQuery medallion, recipes per module. OpenSSF Best Practices silver.
- Host: GitHub
- URL: https://github.com/landerox/cloud-landerox-infra
- Owner: landerox
- License: mit
- Created: 2026-01-09T07:21:53.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-05-17T03:22:55.000Z (16 days ago)
- Last Synced: 2026-05-17T05:11:50.657Z (16 days ago)
- Topics: artifact-registry, bigquery, checkov, cicd, cloud-run, cloud-scheduler, conftest, devsecops, gcp, iam, infrastructure-as-code, openssf, reference-architecture, secret-manager, sigstore, slsa, terraform, terraform-modules, workload-identity-federation
- Language: HCL
- Homepage: https://landerox.com/projects/cloud-infra
- Size: 296 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Contributing: .github/CONTRIBUTING.md
- License: LICENSE
- Code of conduct: .github/CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
- Security: .github/SECURITY.md
- Governance: GOVERNANCE.md
- Agents: AGENTS.md
README
# cloud-landerox-infra
Badges: [terraform.yml](https://github.com/landerox/cloud-landerox-infra/actions/workflows/terraform.yml) · [ci.yml](https://github.com/landerox/cloud-landerox-infra/actions/workflows/ci.yml) · [codeql.yml](https://github.com/landerox/cloud-landerox-infra/actions/workflows/codeql.yml) · [drift-detection.yml](https://github.com/landerox/cloud-landerox-infra/actions/workflows/drift-detection.yml) · [OpenSSF Scorecard](https://scorecard.dev/viewer/?uri=github.com/landerox/cloud-landerox-infra) · [OpenSSF Best Practices](https://www.bestpractices.dev/projects/12813) · [Renovate](https://github.com/landerox/cloud-landerox-infra/issues?q=author%3Aapp%2Frenovate) · [pre-commit](https://github.com/landerox/cloud-landerox-infra/blob/main/.pre-commit-config.yaml) · [commits](https://github.com/landerox/cloud-landerox-infra/commits/main) · [releases](https://github.com/landerox/cloud-landerox-infra/releases) · [LICENSE](LICENSE) · [Terraform](https://www.terraform.io/)
> Terraform baseline for personal GCP infrastructure, also positioned as a reference architecture for small-to-medium enterprise adopters — see [docs/positioning.md](docs/positioning.md). WIF-based auth, modular toggles per service, defense-in-depth across module variable validations + `terraform test` + Conftest policies. Two environments: `prd` (always on), `dev` (opt-in).
## Infrastructure State & Environments
Our infrastructure is designed around a dual-environment model to balance stability with experimentation.
### Environments
- **`prd` (Production):** Our primary environment, which is always active.
- **`dev` (Development):** An opt-in sandbox environment. It remains dormant until activated by configuring the necessary `GCP_DEV_*` variables and secrets. Curious about the design? Check out [ADR-0006](docs/adr/0006-two-environment-foundation.md).
### Module Availability
Both environments share the same baseline configuration. Here is a quick look at what is available and its default state:
| Module | Default Status | Notes |
| :--- | :--- | :--- |
| **State Bucket** | Always On | Safely managed via Terraform with `prevent_destroy` to protect your state. |
| **IAM** | Enabled | Core identity and access management. |
| **Storage** | Enabled | Foundational storage primitives. |
| **BigQuery** | Disabled | Available for incremental activation. |
| **Secrets** | Disabled | Available for incremental activation. |
| **Scheduler** | Disabled | Available for incremental activation. |
| **Cloud Run** | Disabled | Available for incremental activation. |
| **Artifact Registry** | Disabled | Available for incremental activation. |
| **Observability** | Disabled | Cloud Monitoring alerts, dashboards, notification channels — see [ADR-0009](docs/adr/0009-declarative-observability.md). |
## Continuous Integration & Delivery
Our CI/CD pipelines are fully automated via GitHub Actions to ensure code quality and prevent infrastructure drift:
- **Validation & Checks (`ci.yml`):** Runs formatting, linting (TFLint, actionlint), secret scanning (Checkov, gitleaks, detect-secrets), documentation checks, and **policy mutation tests** (`conftest verify` against `main_test.rego` — asserts that the deny rules still fire on crafted bad inputs) on every push.
- **Terraform Operations (`terraform.yml`):** Automatically generates a Terraform plan matrix per environment on PRs and pushes. Includes module **smoke + security tests** (`terraform test` with `mock_provider`) and **Conftest policies** (no primitive roles, no public IAM, PAP enforced on buckets, UBLA enabled). Every plan is signed via GitHub OIDC + Sigstore (`actions/attest-build-provenance`); the apply job verifies the attestation before consuming the artifact, closing the TOCTOU window between PR review and manual dispatch. Applying the plan requires a manual workflow dispatch along with environment approval.
- **Drift Detection (`drift-detection.yml`):** Runs weekly (and can be triggered manually) across environments to catch and alert on any manual changes made outside of Terraform.
- **OpenSSF Scorecard (`scorecard.yml`):** Runs weekly + on push to `main` + on branch protection events. Publishes results to scorecard.dev (badge above) and uploads SARIF to the GitHub Security tab.
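The four Conftest rules named under `terraform.yml` (no primitive roles, no public IAM, PAP enforced on buckets, UBLA enabled) and the `ci.yml` idea of mutation-testing them, as an added Python example that is not the repository's own Rego code. It evaluates the same rules over Terraform plan JSON (the shape produced by `terraform show -json tfplan`) and then checks that each crafted bad input still triggers a deny. The plan documents are constructed inline; the mapping of rules to Google provider resource types and attributes is an assumption about how the repo's policies are written, not taken from them.

```python
"""Plan-time policy checks mirroring the README's Conftest gates (added example)."""
import json
import sys

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Assumed: the IAM resource types the policies inspect (real provider types).
IAM_TYPES = {
    "google_project_iam_member", "google_project_iam_binding",
    "google_storage_bucket_iam_member", "google_storage_bucket_iam_binding",
}


def planned_resources(plan):
    """Yield (address, type, after) for resources the plan will create or update."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # no-op, read or delete: nothing new reaches GCP
        yield rc["address"], rc["type"], change.get("after") or {}


def evaluate(plan):
    """Return deny messages for a plan; an empty list means the plan passes."""
    denies = []
    for address, rtype, after in planned_resources(plan):
        if rtype in IAM_TYPES:
            role = after.get("role")
            if role in PRIMITIVE_ROLES:
                denies.append(f"{address}: primitive role {role} is not allowed")
            members = after.get("members") or [after.get("member")]
            for member in members:
                if member in PUBLIC_MEMBERS:
                    denies.append(f"{address}: public member {member} is not allowed")
        elif rtype == "google_storage_bucket":
            if after.get("public_access_prevention") != "enforced":
                denies.append(f"{address}: public_access_prevention must be 'enforced'")
            if after.get("uniform_bucket_level_access") is not True:
                denies.append(f"{address}: uniform_bucket_level_access must be true")
    return denies


def _plan(*resources):
    """Build a minimal, constructed plan-JSON document (not real Terraform output)."""
    return {"resource_changes": [
        {"address": addr, "type": rtype,
         "change": {"actions": ["create"], "after": after}}
        for addr, rtype, after in resources]}


SA = "serviceAccount:ci@example-project.iam.gserviceaccount.com"  # constructed

GOOD_PLAN = _plan(
    ("google_storage_bucket.data", "google_storage_bucket",
     {"name": "example-data", "public_access_prevention": "enforced",
      "uniform_bucket_level_access": True}),
    ("google_project_iam_member.ci", "google_project_iam_member",
     {"role": "roles/storage.objectViewer", "member": SA}),
)

# Crafted bad inputs: each one must make exactly the matching rule fire.
MUTATIONS = {
    "primitive role": _plan(("google_project_iam_member.bad", "google_project_iam_member",
                             {"role": "roles/editor", "member": SA})),
    "public member": _plan(("google_storage_bucket_iam_binding.bad",
                            "google_storage_bucket_iam_binding",
                            {"role": "roles/storage.objectViewer", "members": ["allUsers"]})),
    "PAP not enforced": _plan(("google_storage_bucket.bad", "google_storage_bucket",
                               {"public_access_prevention": "inherited",
                                "uniform_bucket_level_access": True})),
    "UBLA disabled": _plan(("google_storage_bucket.bad", "google_storage_bucket",
                            {"public_access_prevention": "enforced",
                             "uniform_bucket_level_access": False})),
}


def mutation_test():
    """Return the mutations that did NOT trigger a deny; empty means the rules still bite."""
    return [name for name, plan in MUTATIONS.items() if not evaluate(plan)]


if __name__ == "__main__":
    # Usage: python policy_check.py [plan.json]; without a file the constructed plan is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = GOOD_PLAN
    for msg in evaluate(plan):
        print("DENY", msg)
    silent = mutation_test()
    print("mutation test:", "all rules fire" if not silent else f"silent for {silent}")
    sys.exit(1 if evaluate(plan) or silent else 0)
```

One caveat worth carrying into a real policy: values that are only known at apply time are reported under `after_unknown` rather than `after`, so a role or member that is computed from another resource would be invisible to the checks above. A deny-by-default rule for unknown IAM fields closes that gap.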
## Explore the Documentation
Whether you are just starting or looking for deep architectural insights, our documentation has you covered:
- **[Positioning](docs/positioning.md):** *Start here.* Repo scope, adoption tiers (single-developer / small team / mid-enterprise), and the out-of-scope roadmap.
- **[Getting Started](docs/development.md#getting-started):** The best place to begin your journey.
- **[Tutorial — From Zero to First Bucket in `prd`](docs/tutorial-first-bucket.md):** Guided walkthrough for first-time setup. Read once before running `just bootstrap`.
- **[Architecture](docs/architecture.md):** A high-level overview of how everything fits together.
- **[Diagrams](docs/diagrams/):** Mermaid diagrams of the env model, CI/CD flow, IAM/WIF chain, and trust boundaries.
- **[CI/CD](docs/cicd.md):** Details on our automation workflows.
- **[Operations](docs/operations.md):** Day-2 procedures, drift response, and runbook entries.
- **[Project Governance](GOVERNANCE.md):** Project governance model — roles, decision-making, and continuity (single-maintainer Benevolent Dictator today).
- **[Assurance Case](docs/assurance-case.md):** Security threat model, trust boundaries, and mitigations matrix.
- **[Resource Governance](docs/resource-governance.md):** Resource tagging conventions and compliance labels.
- **[Recipes](docs/recipes/):** Ready-to-use HCL snippets for every module. Just copy, paste, and adapt!
- **[Architecture Decision Records (ADRs)](docs/adr/):** Dive into the *why* behind our non-obvious engineering choices.
- **[Terraform Reference](terraform/README.md):** Auto-generated module inputs and outputs.
- **[Contributor / Agent Guide](AGENTS.md):** The single source of truth for project conventions and AI agent rules.
## Getting Started
> Looking for the full end-to-end playbook (new GCP project, GitHub config,
> first apply)? See **[Bootstrapping a New GCP Project from Scratch](docs/development.md#bootstrapping-a-new-gcp-project-from-scratch)**
> in the Development guide.
### 1. Bootstrapping Your Environment
First, ensure you have the correct version of Terraform installed. We recommend using [mise](https://mise.jdx.dev) to manage your toolchain seamlessly:
```bash
# From the repository root, install the required tools based on .mise.toml
mise install
# Verify that your Terraform version matches the one pinned in the project
terraform version
```
Next, navigate to the `terraform/` directory to set up your initial configuration:
```bash
cd terraform
cp terraform.tfvars.example terraform.tfvars
```
Open `terraform.tfvars` and fill in your specific required fields:
- `project_id`
- `state_bucket`
- `repository_id`
- `workload_identity_pool_id`
- `workload_identity_pool_provider_id`
Once configured, run the bootstrap script to provision your foundational resources:
```bash
just bootstrap
```
### 2. Daily Workflow
For day-to-day development, `just` makes it easy to interact with your infrastructure. From the `terraform/` directory, you can run:
```bash
just doctor # Verify your local tooling setup and pinned Terraform version
just check # Full local gate: fmt + validate + lint + lint-shell + docs + tests + policy-test + pre-commit
just precommit # Run the pre-commit hooks alone (mirror CI)
just policy-test # Run the Conftest mutation tests for the Rego policies
just plan # See what changes Terraform will apply
```
## License
This project is licensed under the terms found in the [LICENSE](LICENSE) file.