
Sovereign Cloud Injection Configs

This directory contains example injection configurations for different sovereign cloud deployments.

How It Works

  1. The base repo contains only minimal, cloud-agnostic configuration in root.hcl
  2. The GitLab CI pipeline in each sovereign cloud copies the appropriate example to injection.hcl
  3. Terragrunt reads injection.hcl at runtime and merges it with the base configuration
  4. The modules remain completely unchanged across all deployments

Available Injections

  • commercial.hcl.example - Standard AWS commercial cloud
  • us-govcloud.hcl.example - US GovCloud with FedRAMP compliance
  • canada-govcloud.hcl.example - Canada with PBMM compliance

Injection Structure

Each injection file can provide:

locals {
  # Override AWS region
  aws_region = "us-gov-west-1"
  
  # Add sovereign cloud specific tags
  additional_tags = {
    Compliance = "FedRAMP"
  }
  
  # Add provider configuration (assume role, etc)
  provider_config = <<-EOT
    assume_role {
      role_arn = "arn:aws-us-gov:iam::123:role/TerraformRole"
    }
  EOT
  
  # Override backend settings (KMS keys, etc)
  backend_overrides = {
    kms_key_id = "arn:aws-us-gov:kms:us-gov-west-1:123:key/my-key"
  }
  
  # Add compliance-specific inputs
  additional_inputs = {
    enable_cloudtrail = true
    log_retention_days = 2555
  }
}

GitLab CI Usage

Commercial Cloud

before_script:
  - cp injections/commercial.hcl.example injection.hcl

US GovCloud

before_script:
  - cp injections/us-govcloud.hcl.example injection.hcl

Canada GovCloud

before_script:
  - cp injections/canada-govcloud.hcl.example injection.hcl

Dynamic Generation

You can also generate injection.hcl dynamically from CI/CD variables:

before_script:
  - |
    cat > injection.hcl <<EOF
    locals {
      aws_region = "${AWS_REGION}"
      additional_tags = {
        Compliance = "${COMPLIANCE_LEVEL}"
        DataClassification = "${DATA_CLASS}"
      }
      additional_inputs = {
        enable_cloudtrail = ${ENABLE_CLOUDTRAIL}
        log_retention_days = ${LOG_RETENTION_DAYS}
      }
    }
    EOF
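
As an added example (not code from this repository), a POSIX shell version of the dynamic generation above that validates each CI/CD variable before it is interpolated into injection.hcl: the unquoted values (enable_cloudtrail, log_retention_days) must be a literal boolean or integer, and the quoted ones must stay inside their HCL string, so a malformed value fails the job instead of landing in the file. It assumes the same variable names as the snippet above and takes the output path as its first argument.

```shell
#!/bin/sh
# Added example (not code from this repo): validate the CI/CD variables
# before templating them into injection.hcl, so a malformed or unexpected
# value fails the job instead of producing unparseable or surprising HCL.
# Assumes the same variable names as the before_script snippet above.

# Return 0 if every input is well-formed, 1 otherwise.
validate_injection_vars() {
  # Region: lowercase letters, digits and dashes only (e.g. us-gov-west-1)
  case "$AWS_REGION" in
    ""|*[!a-z0-9-]*) echo "bad AWS_REGION: '$AWS_REGION'" >&2; return 1 ;;
  esac
  # Tag values land inside a quoted HCL string: allow a conservative
  # character set so no quote, newline or ${ can break out of it
  for v in "$COMPLIANCE_LEVEL" "$DATA_CLASS"; do
    case "$v" in
      ""|*[!A-Za-z0-9._-]*) echo "bad tag value: '$v'" >&2; return 1 ;;
    esac
  done
  # enable_cloudtrail is emitted unquoted, so it must be a literal bool
  case "$ENABLE_CLOUDTRAIL" in
    true|false) ;;
    *) echo "bad ENABLE_CLOUDTRAIL: '$ENABLE_CLOUDTRAIL'" >&2; return 1 ;;
  esac
  # log_retention_days is emitted unquoted, so it must be a plain integer
  case "$LOG_RETENTION_DAYS" in
    ""|*[!0-9]*) echo "bad LOG_RETENTION_DAYS: '$LOG_RETENTION_DAYS'" >&2; return 1 ;;
  esac
}

# Validate, then write injection.hcl to $1 (default: ./injection.hcl).
generate_injection() {
  out="${1:-injection.hcl}"
  validate_injection_vars || return 1
  cat > "$out" <<EOF
locals {
  aws_region = "${AWS_REGION}"
  additional_tags = {
    Compliance = "${COMPLIANCE_LEVEL}"
    DataClassification = "${DATA_CLASS}"
  }
  additional_inputs = {
    enable_cloudtrail = ${ENABLE_CLOUDTRAIL}
    log_retention_days = ${LOG_RETENTION_DAYS}
  }
}
EOF
}
```

In a before_script, call `generate_injection injection.hcl` after sourcing the functions; a non-zero return stops the job before Terragrunt runs.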

Adding New Sovereign Clouds

  1. Create new example file: injections/new-cloud.hcl.example
  2. Define region, tags, and compliance requirements
  3. Update GitLab CI in that cloud to use the new injection
  4. No changes needed to base repo or modules!

Security Notes

  • injection.hcl is gitignored and created at runtime
  • Never commit secrets or credentials to injection files
  • Use CI/CD variables for sensitive values
  • ARNs and account IDs in examples should be replaced with real values