Home
Terraform Guardrail Multi-Cloud Policy (MCP) (TerraGuard) is an enterprise-grade IaC governance and guardrail platform that enforces architectural intent, compliance, and platform standards directly inside CI/CD. It runs outside Terraform, exposes provider context, and enforces guardrails that prevent bad state before apply.
It offers an easy way to generate valid Terraform code and ensure compliance. This tool helps your team manage cloud resources more effectively. With a user-friendly CLI and a minimal web UI, you do not need a technical background to get started.
Install with any one of:

```shell
pip install terraform-guardrail
brew install Huzefaaa2/tap/terraform-guardrail
choco install terraform-guardrail
```

Terraform-Guardrail is licensed under the Business Source License (BSL) 1.1 with a change date to Apache 2.0. Commercial usage requires explicit permission.
- Licensing details: Licensing
Making Infrastructure Governance Executable
Despite using Terraform and security scanners, enterprises still face:
- Inconsistent enforcement across teams
- Policies applied too late in delivery
- Manual reviews that don’t scale
- Different interpretations of “standards”
- Audit findings caused by drift, not intent
👉 The issue is not lack of tools —
👉 The issue is lack of a governance distribution mechanism.
Terraform-Guardrail Multi-Cloud Policy (MCP) is an enterprise-grade IaC governance and guardrail platform for Terraform that enforces architectural intent, compliance, and platform standards directly in CI/CD.
It:
- Establishes a non-negotiable safety floor
- Distributes guardrails consistently via CI/CD
- Enables progressive enforcement (Advisory → Warn → Strict)
- Makes governance versioned, auditable, and repeatable
Governance becomes code, not documents.
| Layer | Role |
|---|---|
| Terraform-Guardrail Multi-Cloud Policy (MCP) | Governance & enforcement orchestration |
| Checkov / tfsec / Terrascan | Deep static security & compliance scanning |
| OPA / Sentinel | Advanced & runtime policy enforcement |
| CI/CD (GitLab/GitHub) | Execution & control point |
Terraform-Guardrail does not replace existing tools — it connects and operationalizes them.
Every Terraform change passes through the same guardrails, before it ever reaches the cloud.
Implemented at:
- Merge request / pull request stage
- GitLab group-level CI enforcement
- No per-repo negotiation
| Phase | Mode | Business Outcome |
|---|---|---|
| Phase 1 | Advisory | Visibility, zero disruption |
| Phase 2 | Warn | Accountability without blocking |
| Phase 3 | Strict | Mandatory compliance for prod |
✔ No “big-bang” rollout
✔ Teams keep autonomy above the safety floor
Without it:
- Governance relies on people & process
- Controls drift over time
- Audit remediation is expensive
With it:
- Governance is automatic and consistent
- Security shifts left into CI
- Audit evidence is generated by default
- Platform teams scale without becoming bottlenecks
Terraform-Guardrail Multi-Cloud Policy (MCP) turns infrastructure governance from guidelines into guarantees.
It enables speed and safety — without trading one for the other.
Non-negotiable safety floor, composable freedom above it. Guardrails live outside Terraform so platform teams can enforce baseline invariants while product teams retain agility.
```mermaid
flowchart LR
USER[Platform + Product Teams] --> CHANNELS[CLI / UI / REST API / CI]
CHANNELS --> GUARDRAIL[TerraGuard Control Plane]
GUARDRAIL --> POLICIES[Baseline + Context Policies]
GUARDRAIL --> REPORTS[Guidance + Evidence]
GUARDRAIL --> TERRAFORM[Safer Terraform Applies]
classDef actor fill:#e3f2fd,stroke:#1565c0,stroke-width:1px,color:#0d47a1;
classDef channel fill:#f3e5f5,stroke:#6a1b9a,stroke-width:1px,color:#4a148c;
classDef core fill:#e8f5e9,stroke:#2e7d32,stroke-width:1px,color:#1b5e20;
classDef output fill:#fff3e0,stroke:#ef6c00,stroke-width:1px,color:#e65100;
class USER actor;
class CHANNELS channel;
class GUARDRAIL,POLICIES core;
class REPORTS,TERRAFORM output;
```
- Roadmap
- Deliverables Reference
- Enterprise Implementation Plan
- Enterprise Features
- Examples
- AWS Support
- AWS CodePipeline
- Architecture
- Diagrams
- Comparison with Other Tools
- CLI Usage
- Command Reference
- Custom Rules
- GitHub Action
- GitLab CI Templates
- Packaging
- Licensing
- Multi-Cloud Policy (MCP) Server
- Compliance Rules
- Streamlit Deployment
- Docker Compose Stack
- Live Streamlit App
- PyPI Package
- Release Process
- Version: 1.0.4
- Container image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail
- Registry image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail-registry
- Supported providers: AWS, Azure, GCP, Kubernetes, Helm, OCI, Vault, Alicloud, vSphere
- Local stack: Docker Compose (API + UI + policy registry, optional analytics)
- Policy registry: OPA bundles published under `/bundles/*.tar.gz` (registry path; sample bundles: https://github.com/Huzefaaa2/terraform-guardrail/tree/main/ops/policy-registry/bundles)
- Policy evaluation: available via the CLI when OPA is installed
| Area | CLI | Web UI / Streamlit |
|---|---|---|
| Config scan (.tf, .tfvars, .hcl) | Yes | Yes |
| State leak scan (.tfstate) | Yes | Yes |
| Schema-aware validation | Yes | Yes |
| CSV export | No | Yes |
| Provider metadata | Yes | Yes |
| Snippet generation | Yes | No |
| Multi-file scan | Yes (directory) | Yes (upload up to 10) |
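As an added illustration (not TerraGuard's own code) of two things this page describes, the `.tfstate` state-leak scan and the Advisory → Warn → Strict enforcement phases, the following script scans a constructed state file for plaintext secret-like attributes and maps the findings onto a CI exit code per phase. The rule name, the secret-key pattern and the sample state are assumptions made for this example, not the tool's actual rules.

```python
"""Added example, not TerraGuard's own code: a minimal CI gate that scans a
Terraform state file for plaintext secrets (the state-leak case) and maps the
result onto the Advisory -> Warn -> Strict phases. The rule name, the
secret-key pattern and the state sample are constructed for this example."""
import json
import re

# Attribute names that commonly hold credentials (assumption, not the tool's list).
SECRET_KEY_RE = re.compile(r"(password|secret|token|private_key)", re.IGNORECASE)

# Constructed .tfstate sample in the Terraform state JSON (version 4) layout.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {"id": "db-1", "engine": "postgres",
                                       "password": "Winter2024!"}}]},
        {"type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"id": "logs-bucket"}}]},
    ],
})


def scan_state(state_json: str) -> list:
    """Return one finding per non-empty string attribute whose name looks secret-like."""
    findings = []
    for res in json.loads(state_json).get("resources", []):
        for inst in res.get("instances", []):
            for key, value in inst.get("attributes", {}).items():
                if SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
                    findings.append({"rule": "state-plaintext-secret",
                                     "address": f"{res['type']}.{res['name']}",
                                     "attribute": key, "severity": "HIGH"})
    return findings


def gate(findings: list, mode: str) -> tuple:
    """Map findings to a CI exit code by phase: advisory only reports, warn
    reports without blocking, strict fails the job on any HIGH finding."""
    if mode not in ("advisory", "warn", "strict"):
        raise ValueError(f"unknown enforcement mode {mode!r}")
    high = [f for f in findings if f["severity"] == "HIGH"]
    summary = f"{len(findings)} finding(s), {len(high)} high"
    if mode == "strict" and high:
        return 1, f"BLOCKED ({mode}): {summary}"
    if mode == "warn" and findings:
        return 0, f"WARNING ({mode}): {summary}"
    return 0, f"OK ({mode}): {summary}"
```

Running `gate(scan_state(SAMPLE_STATE), "strict")` returns exit code 1 for the leaked database password, while the same findings return 0 in advisory and warn modes, which is the "accountability without blocking" behaviour of the earlier phases.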