This directory contains example injection configurations for different sovereign cloud deployments.
How it works:

- The base repo contains minimal, cloud-agnostic configuration in `root.hcl`
- GitLab CI in each sovereign cloud copies the appropriate example to `injection.hcl`
- Terragrunt reads `injection.hcl` at runtime and merges it with the base config
- Modules remain completely unchanged across all deployments

Available examples:

- `commercial.hcl.example` - Standard AWS commercial cloud
- `us-govcloud.hcl.example` - US GovCloud with FedRAMP compliance
- `canada-govcloud.hcl.example` - Canada with PBMM compliance
Each injection file can provide:

```hcl
locals {
  # Override AWS region
  aws_region = "us-gov-west-1"

  # Add sovereign cloud specific tags
  additional_tags = {
    Compliance = "FedRAMP"
  }

  # Add provider configuration (assume role, etc)
  provider_config = <<-EOT
    assume_role {
      role_arn = "arn:aws-us-gov:iam::123:role/TerraformRole"
    }
  EOT

  # Override backend settings (KMS keys, etc)
  backend_overrides = {
    kms_key_id = "arn:aws-us-gov:kms:us-gov-west-1:123:key/my-key"
  }

  # Add compliance-specific inputs
  additional_inputs = {
    enable_cloudtrail  = true
    log_retention_days = 2555
  }
}
```

In each sovereign cloud's GitLab CI, copy the matching example into place before Terragrunt runs.

Commercial:

```yaml
before_script:
  - cp injections/commercial.hcl.example injection.hcl
```

US GovCloud:

```yaml
before_script:
  - cp injections/us-govcloud.hcl.example injection.hcl
```

Canada GovCloud:

```yaml
before_script:
  - cp injections/canada-govcloud.hcl.example injection.hcl
```

You can also generate `injection.hcl` dynamically from CI/CD variables:

```yaml
before_script:
  - |
    cat > injection.hcl <<EOF
    locals {
      aws_region = "${AWS_REGION}"
      additional_tags = {
        Compliance         = "${COMPLIANCE_LEVEL}"
        DataClassification = "${DATA_CLASS}"
      }
      additional_inputs = {
        enable_cloudtrail  = ${ENABLE_CLOUDTRAIL}
        log_retention_days = ${LOG_RETENTION_DAYS}
      }
    }
    EOF
```

Adding a new sovereign cloud:

- Create a new example file, `injections/new-cloud.hcl.example`
  - Define the region, tags, and compliance requirements
- Update the GitLab CI in that cloud to use the new injection
- No changes needed to the base repo or modules!
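To make the merge step concrete, here is an assumed minimal `root.hcl` (an added illustration, not this repo's actual `root.hcl`, which this README does not show). It loads `injection.hcl` when CI has placed it next to `root.hcl`, falls back to commercial defaults otherwise, and splices `provider_config`, `backend_overrides` and `additional_inputs` into the generated provider, the remote state and the module inputs, so modules never see a cloud-specific change. The default region and the bucket name are placeholders.

```hcl
locals {
  # Path where GitLab CI copies the chosen *.hcl.example at runtime.
  injection_path = "${get_parent_terragrunt_dir()}/injection.hcl"

  # Defaults used when no injection.hcl exists (local runs, commercial cloud).
  # Values are placeholders; adjust for the real base deployment.
  defaults = {
    aws_region        = "us-east-1"
    additional_tags   = {}
    provider_config   = ""
    backend_overrides = {}
    additional_inputs = {}
  }

  # read_terragrunt_config returns its second argument when the file is absent,
  # so a missing injection.hcl is not an error; only the keys present override.
  injected = read_terragrunt_config(local.injection_path, { locals = {} }).locals
  cfg      = merge(local.defaults, local.injected)
}

# Provider is generated here rather than in modules; provider_config (e.g. an
# assume_role block from the injection file) is pasted in verbatim.
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<-EOT
    provider "aws" {
      region = "${local.cfg.aws_region}"
      ${local.cfg.provider_config}
      default_tags {
        tags = ${jsonencode(merge({ ManagedBy = "terragrunt" }, local.cfg.additional_tags))}
      }
    }
  EOT
}

# Backend keeps encryption on; backend_overrides can add e.g. a sovereign KMS key.
remote_state {
  backend = "s3"
  config = merge({
    bucket  = "tfstate-bucket-placeholder"   # placeholder: replace with the real bucket
    key     = "${path_relative_to_include()}/terraform.tfstate"
    region  = local.cfg.aws_region
    encrypt = true
  }, local.cfg.backend_overrides)
}

# Compliance-specific inputs are layered on top of the cloud-agnostic ones.
inputs = merge({ tags = local.cfg.additional_tags }, local.cfg.additional_inputs)
```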
Security notes:

- `injection.hcl` is gitignored and created at runtime
- Never commit secrets or credentials to injection files
- Use CI/CD variables for sensitive values
- ARNs and account IDs in the examples should be replaced with real values