Terraform / OpenTofu
IaC scaffold path:
infra/
Terraform/OpenTofu owns infrastructure provisioning:
- Kubernetes cluster.
- Managed Postgres.
- Object storage.
- Secrets backend.
- Network and DNS dependencies.
- Externalized observability infrastructure where chosen.
Provider-specific implementation was intentionally left as scaffolding until a target cloud was selected.
AWS is now the Phase 1 primary target. The AWS-specific scaffold lives at:
infra/aws/
It includes modules for isolated networking, EKS, RDS PostgreSQL, ECR, KMS, S3 evidence storage, IAM/OIDC, and observability bootstrap. The first intended target is AWS dev; staging and production remain scaffolded until ADRs and account safety controls are accepted.
Before app infrastructure is applied, bootstrap remote state and CI trust through:
infra/aws/bootstrap/
The bootstrap stack defines the isolated state bucket, the DynamoDB lock table, an optional KMS key for state encryption, and the GitHub/GitLab OIDC role scaffolding. The backend configs and tfvars checked into the repository are intentionally examples only; real bucket names, account IDs, and role ARNs are supplied per environment and are not committed.
AWS app environments also include a docs-site module for private S3 + CloudFront hosting. Publishing stays disabled until protected CI variables are configured.
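As an added example of the shape the bootstrap stack takes (this is illustrative code written for this page, not the contents of infra/aws/bootstrap/), the HCL below creates a versioned, KMS-encrypted state bucket with public access blocked, the DynamoDB lock table the S3 backend expects, and a GitHub OIDC provider plus a CI role whose trust policy pins both the token audience and the repository/branch subject. The bucket name, table name, role name, and the example-org/example-repo repository are assumptions; replace them with your own values.

```hcl
# Added example, not the project's bootstrap stack. All names below are placeholders.
locals {
  github_repo = "example-org/example-repo" # assumption: owner/repo allowed to assume the CI role
}

# Customer-managed key for state encryption; rotation on, key policy left at the account default.
resource "aws_kms_key" "state" {
  description         = "Terraform state encryption"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "state" {
  bucket = "example-org-tfstate-dev" # assumption: S3 bucket names are global, choose your own
}

# State files carry secrets in plaintext: keep every version and block every public path.
resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.state.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: the S3 backend requires a string hash key named exactly LockID.
resource "aws_dynamodb_table" "lock" {
  name         = "example-org-tfstate-lock" # assumption
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# GitHub Actions OIDC issuer; the thumbprint is read from the issuer's TLS chain (root first).
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

# Trust policy: pin audience AND subject. Without the sub condition, a workflow in
# any GitHub repository could present a token this provider accepts and assume the role.
data "aws_iam_policy_document" "ci_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${local.github_repo}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "ci" {
  name               = "example-terraform-ci-dev" # assumption
  assume_role_policy = data.aws_iam_policy_document.ci_trust.json
}
```

A consuming app stack then points its `backend "s3"` block at this bucket and table with `encrypt = true` and `kms_key_id` set to the key ARN, which is the part this page keeps as uncommitted example config. The role above only has a trust policy; attach a separate, least-privilege permissions policy scoped to the dev account rather than AdministratorAccess. If the branch condition is too narrow for pull-request plans, add a second `sub` value such as `repo:<owner>/<repo>:pull_request` rather than a wildcard across repositories.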
Useful local checks:
make aws-terraform-fmt
make aws-terraform-validate
make aws-bootstrap-fmt
make aws-bootstrap-validate
make aws-preflight-check
make aws-bootstrap-plan
make aws-bootstrap-apply-dryrun
make aws-helm-template
make aws-iac-check
make ci-helm-render
These checks do not require real AWS credentials, but provider initialization may require internet access to download the AWS Terraform provider.
AWS dev deployment is CI-gated. .gitlab-ci.yml is the current pipeline wrapper, and the GitHub workflow skeletons call the same scripts/ci/ commands so the pipeline can be handed over later without changing the underlying scripts.