franamaro-dev/TerraStack
TerraStack

Infrastructure-as-Code templates for Zero-Trust deployments on AWS / GCP / on-prem.



What it solves

Most starter Terraform repos hand you a VPC and a public EC2. TerraStack starts from the opposite assumption: nothing is trusted by default.

It bundles a set of opinionated modules to bootstrap an environment that is private-by-default, audit-first, and reproducible — with Ansible doing the post-provision hardening that Terraform doesn't cover.


Architecture

flowchart LR
    subgraph IaC["IaC Pipeline"]
        TF[Terraform] -->|provision| Cloud[Cloud Resources]
        TF -->|outputs| Inv[Ansible Inventory]
        Inv --> Ans[Ansible Playbooks]
        Ans -->|harden| Cloud
    end
    Cloud --> ZT[Zero-Trust Posture]
    ZT --> Audit[Audit Logs / SIEM]

    style TF fill:#7B42BC,color:#fff
    style Ans fill:#EE0000,color:#fff
    style ZT fill:red,color:#fff

Principles

  • Deny by default: every security group, firewall rule and IAM policy starts at deny *.
  • Least privilege: roles scoped per-service, no wildcard * actions.
  • No public ingress without an explicit, justified module flag.
  • State remote, encrypted, locked: S3 + DynamoDB / GCS + locks.
  • Immutable infrastructure: redeploy, don't ssh + patch.
  • CI validation: terraform fmt + terraform validate + tflint + tfsec on every PR.

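As an added illustration (not code from the TerraStack modules themselves) of how the deny-by-default, justified-public-ingress and remote-locked-state principles above can be expressed in Terraform. The resource and variable names, the placeholder bucket and lock-table names, and the region are assumptions:

```hcl
terraform {
  required_version = ">= 1.5"
  backend "s3" {
    # Remote, encrypted, locked state (S3 + DynamoDB). Names are placeholders.
    bucket         = "REPLACE-ME-tfstate"
    key            = "envs/dev/terraform.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "REPLACE-ME-tfstate-lock"
  }
}

variable "vpc_id" { type = string }

variable "allow_public_ingress" {
  description = "Explicit opt-in for 0.0.0.0/0 on TCP/443. Off by default."
  type        = bool
  default     = false
}

variable "public_ingress_justification" {
  description = "Why public ingress is needed; required when allow_public_ingress = true."
  type        = string
  default     = ""
}

# Deny by default: no inline rules, so the AWS provider also strips the implicit
# allow-all egress. Anything reachable must be added as an explicit rule resource.
resource "aws_security_group" "app" {
  name   = "app-zero-trust"
  vpc_id = var.vpc_id
}

# The public rule exists only when the flag is set, and the plan fails unless a
# justification accompanies it; the justification is tagged for audit exports.
resource "aws_vpc_security_group_ingress_rule" "public_https" {
  count             = var.allow_public_ingress ? 1 : 0
  security_group_id = aws_security_group.app.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
  tags              = { Justification = var.public_ingress_justification }
  lifecycle {
    precondition {
      condition     = length(trimspace(var.public_ingress_justification)) > 0
      error_message = "allow_public_ingress = true requires a non-empty public_ingress_justification."
    }
  }
}
```

Running `terraform plan` with `allow_public_ingress = true` and an empty justification fails at the precondition, which is the gate the "justified module flag" principle describes.
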
Repository layout

.
├── terraform/
│   ├── modules/        # reusable, versioned modules
│   ├── envs/           # per-environment composition (dev / staging / prod)
│   └── backend.tf      # remote state config
├── ansible/
│   ├── playbooks/      # hardening, post-provision config
│   ├── roles/          # CIS-aligned roles
│   └── inventory/      # dynamic inventory (terraform output → ansible)
└── .github/workflows/  # validate_iac.yml

Quickstart

git clone https://github.com/franamaro-dev/TerraStack.git
cd TerraStack/terraform/envs/dev
terraform init
terraform plan -out tfplan
terraform apply tfplan

Then run hardening:

cd ../../../ansible
ansible-playbook -i inventory/dev playbooks/harden.yml

Tech stack

Layer           Tool
Provisioning    Terraform (HCL)
Configuration   Ansible (YAML)
State           S3 / GCS + lock table
Validation      tflint, tfsec, ansible-lint
CI              GitHub Actions

Roadmap

  • OpenTofu compatibility check
  • Module: zero-trust VPC peering
  • Module: SSO + SCIM for cloud accounts
  • OPA / Conftest policies for compliance gates
  • Cost guardrails (Infracost)

License

MIT © Francisco Amaro Prieto


Built by Francisco Amaro — Backend Engineer & SOC L1 Analyst LinkedIn · Email
