Home
Terraform Guardrail Multi-Cloud Policy (MCP) (TerraGuard) is an enterprise-grade IaC governance and guardrail platform that enforces architectural intent, compliance, and platform standards directly inside CI/CD. It runs outside Terraform, exposes provider context, and enforces guardrails that prevent bad state before apply.
Latest release: v2.0.0 Enterprise Foundation
v2.0.0 moves Terraform Guardrail from a scanner and registry foundation to an enterprise governance workflow. The release adds policy authoring, metadata-rich findings, org baselines, group/repo enforcement, drift gates before apply, audit evidence export, and AWS CodePipeline/CodeBuild integration.
Start with the release detail page, then follow the roadmap and task guides:
- v2.0.0 Enterprise Release
- v3.0.0 Ecosystem Development
- Roadmap
- Enterprise Features
- How-To Guides
- AWS CodePipeline
- Diagrams
The current roadmap status is:
| Phase | Status | Focus |
|---|---|---|
| v1.0 Foundation | Delivered | Registry, packaging, CI templates, policy layering, custom rules |
| v2.0 Enterprise | Delivered | Authoring UI, baselines, group enforcement, drift gates, evidence export |
| v3.0 Ecosystem | In progress | Policy packs, service API, and invariants delivered; reference implementations next |
| v4.0 Intelligent | Planned | Context-aware evaluation and suggested fixes |
Install from PyPI, Homebrew or Chocolatey:

```shell
pip install terraform-guardrail
brew install Huzefaaa2/tap/terraform-guardrail
choco install terraform-guardrail
```

Terraform-Guardrail is licensed under the Business Source License (BSL) 1.1 with a change date to Apache 2.0. Commercial usage requires explicit permission.
- Licensing details: Licensing
Making Infrastructure Governance Executable
Despite using Terraform and security scanners, enterprises still face:
- Inconsistent enforcement across teams
- Policies applied too late in delivery
- Manual reviews that don’t scale
- Different interpretations of “standards”
- Audit findings caused by drift, not intent
👉 The issue is not lack of tools —
👉 The issue is lack of a governance distribution mechanism.
Terraform-Guardrail Multi-Cloud Policy (MCP) is an enterprise-grade IaC governance and guardrail platform for Terraform that enforces architectural intent, compliance, and platform standards directly in CI/CD.
It:
- Establishes a non-negotiable safety floor
- Distributes guardrails consistently via CI/CD
- Enables progressive enforcement (Advisory → Warn → Strict)
- Makes governance versioned, auditable, and repeatable
Governance becomes code, not documents.
| Layer | Role |
|---|---|
| Terraform-Guardrail Multi-Cloud Policy (MCP) | Governance & enforcement orchestration |
| Checkov / tfsec / Terrascan | Deep static security & compliance scanning |
| OPA / Sentinel | Advanced & runtime policy enforcement |
| CI/CD (GitLab/GitHub) | Execution & control point |
Terraform-Guardrail does not replace existing tools — it connects and operationalizes them.
Every Terraform change passes through the same guardrails, before it ever reaches the cloud.
Implemented at:
- The merge request / pull request stage
- GitLab group-level CI enforcement, so there is no per-repo negotiation
| Phase | Mode | Business Outcome |
|---|---|---|
| Phase 1 | Advisory | Visibility, zero disruption |
| Phase 2 | Warn | Accountability without blocking |
| Phase 3 | Strict | Mandatory compliance for prod |
✔ No “big-bang” rollout
✔ Teams keep autonomy above the safety floor
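A minimal model of the three rollout modes, as an added example rather than terraform-guardrail's own code: the same findings are evaluated under a per-environment binding, and only the mode decides whether the pipeline fails. The `Finding` fields, the `BINDINGS` map and the rule that only safety-floor (baseline) findings block even in strict mode are assumptions chosen to match the "autonomy above the safety floor" wording. An environment name with no binding fails closed to strict, so a mistyped pipeline variable cannot quietly downgrade enforcement.

```python
"""Progressive enforcement: Advisory -> Warn -> Strict over the same findings.

Added example, not terraform-guardrail's own code. The Finding shape, the
BINDINGS map and the exit-code convention are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed environment -> mode binding at one point in the rollout:
# dev is still in Phase 1, staging in Phase 2, prod has reached Phase 3.
BINDINGS = {"dev": "advisory", "staging": "warn", "prod": "strict"}


@dataclass(frozen=True)
class Finding:
    policy_id: str
    resource: str
    baseline: bool     # True if the policy belongs to the org safety floor


@dataclass(frozen=True)
class Decision:
    environment: str
    mode: str
    exit_code: int     # 0 = pipeline continues, 1 = blocked
    annotations: tuple # (level, policy_id, resource) per finding


# Constructed findings, as a scanner layer (Checkov/tfsec-style) might report them.
SAMPLE_FINDINGS = (
    Finding("ORG-S3-001", "aws_s3_bucket.logs", baseline=True),
    Finding("TEAM-TAG-004", "aws_instance.web", baseline=False),
)


def mode_for(environment: str) -> str:
    # Fail closed: an environment with no binding is treated as strict, so a
    # mistyped pipeline variable cannot downgrade enforcement.
    return BINDINGS.get(environment, "strict")


def evaluate(findings, environment: str) -> Decision:
    mode = mode_for(environment)
    annotations = []
    blocking = 0
    for f in findings:
        if mode == "advisory":
            level = "info"                                   # visibility, zero disruption
        elif mode == "warn":
            level = "warning" if f.baseline else "info"      # accountability, no block
        else:  # strict
            level = "error" if f.baseline else "warning"     # the floor is mandatory
            blocking += int(f.baseline)
        annotations.append((level, f.policy_id, f.resource))
    return Decision(environment, mode, 1 if blocking else 0, tuple(annotations))


if __name__ == "__main__":
    for env in ("dev", "staging", "prod", "prd"):
        d = evaluate(SAMPLE_FINDINGS, env)
        print(f"{env:8} mode={d.mode:8} exit={d.exit_code}")
        for level, policy_id, resource in d.annotations:
            print(f"  [{level}] {policy_id} on {resource}")
```

Running it shows the same two findings producing exit 0 in dev and staging and exit 1 in prod; the misspelt `prd` is also evaluated strictly, which is the behaviour you want when the binding is the only thing standing between a change and production.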
Without it:
- Governance relies on people & process
- Controls drift over time
- Audit remediation is expensive
With it:
- Governance is automatic and consistent
- Security shifts left into CI
- Audit evidence is generated by default
- Platform teams scale without becoming bottlenecks
Terraform-Guardrail Multi-Cloud Policy (MCP) turns infrastructure governance from guidelines into guarantees.
It enables speed and safety — without trading one for the other.
Non-negotiable safety floor, composable freedom above it. Guardrails live outside Terraform so platform teams can enforce baseline invariants while product teams retain agility.
```mermaid
flowchart LR
USER[Platform + Product Teams] --> CHANNELS[CLI / UI / REST API / CI]
CHANNELS --> GUARDRAIL[TerraGuard Control Plane]
GUARDRAIL --> POLICIES[Baseline + Context Policies]
GUARDRAIL --> REPORTS[Guidance + Evidence]
GUARDRAIL --> TERRAFORM[Safer Terraform Applies]
classDef actor fill:#e3f2fd,stroke:#1565c0,stroke-width:1px,color:#0d47a1;
classDef channel fill:#f3e5f5,stroke:#6a1b9a,stroke-width:1px,color:#4a148c;
classDef core fill:#e8f5e9,stroke:#2e7d32,stroke-width:1px,color:#1b5e20;
classDef output fill:#fff3e0,stroke:#ef6c00,stroke-width:1px,color:#e65100;
class USER actor;
class CHANNELS channel;
class GUARDRAIL,POLICIES core;
class REPORTS,TERRAFORM output;
```
- v2.0.0 Enterprise Release
- Roadmap
- How-To Guides
- Deliverables Reference
- Enterprise Implementation Plan
- Enterprise Features
- Examples
- AWS Support
- AWS CodePipeline
- Architecture
- Diagrams
- Comparison with Other Tools
- CLI Usage
- Command Reference
- Custom Rules
- GitHub Action
- GitLab CI Templates
- Packaging
- Licensing
- Multi-Cloud Policy (MCP) Server
- Compliance Rules
- Streamlit Deployment
- Docker Compose Stack
- v1 Foundation Live App
- v2 Enterprise Live App
- PyPI Package
- Release Process
- Version: 2.0.0
- Release: https://github.com/Huzefaaa2/terraform-guardrail/releases/tag/v2.0.0
- PyPI: https://pypi.org/project/terraform-guardrail/2.0.0/
- Container image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail
- Registry image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail-registry
- Supported providers: AWS, Azure, GCP, Kubernetes, Helm, OCI, Vault, Alicloud, vSphere
- Local stack: Docker Compose (API + UI + policy registry, optional analytics)
- Enterprise store: JSON file store under `.guardrail/enterprise` or `GUARDRAIL_ENTERPRISE_DATA_DIR`
- Enterprise API: policies, baselines, bindings, evaluations, drift checks, and evidence exports
- Enterprise CLI: `evaluate`, `enterprise policy`, `enterprise baseline`, `enterprise binding`, `enterprise drift-gate`, and `evidence export`
- Policy registry: OPA bundles published under `/bundles/*.tar.gz` (registry path; sample bundles: https://github.com/Huzefaaa2/terraform-guardrail/tree/main/ops/policy-registry/bundles)
- Policy evaluation available via CLI when OPA is installed
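The drift-gate idea in practice, as an added example and not the project's `enterprise drift-gate` command: Terraform's `terraform show -json <planfile>` output lists refreshed differences between recorded state and real infrastructure under the documented `resource_drift` key, with `before` holding the recorded state and `after` the refreshed value. The snippet below parses a constructed plan document of that shape, reduces each drifted resource to the attribute paths that actually changed, blocks unless the address carries an explicit waiver, and emits a JSON evidence record of the decision. The `allow` waiver list and the evidence layout are assumptions made for this example.

```python
"""Drift gate before apply, driven by Terraform's plan JSON.

Added example, not terraform-guardrail's own drift-gate command. Assumes the
documented `terraform show -json <planfile>` layout, in which refreshed drift
appears under "resource_drift" with "before" (recorded state) and "after"
(actual infrastructure). The waiver list and evidence layout are assumptions.
"""
import json
from dataclasses import dataclass

# Constructed plan document: a security group whose SSH ingress was opened to
# the world outside Terraform, plus an ordinary in-plan change for contrast.
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_drift": [{
        "address": "aws_security_group.web",
        "mode": "managed", "type": "aws_security_group", "name": "web",
        "change": {
            "actions": ["update"],
            "before": {"ingress": [{"cidr_blocks": ["10.0.0.0/8"], "from_port": 22, "to_port": 22}]},
            "after":  {"ingress": [{"cidr_blocks": ["0.0.0.0/0"], "from_port": 22, "to_port": 22}]},
        },
    }],
    "resource_changes": [{
        "address": "aws_instance.web",
        "change": {"actions": ["update"],
                   "before": {"instance_type": "t3.micro"},
                   "after": {"instance_type": "t3.small"}},
    }],
})


@dataclass(frozen=True)
class DriftRecord:
    address: str
    actions: tuple   # e.g. ("update",) or ("delete",)
    changes: tuple   # (attribute path, before, after) for each leaf that differs


def diff(before, after, path=""):
    """Yield leaf-level differences between two JSON values, with a dotted path."""
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            yield from diff(before.get(key), after.get(key), f"{path}.{key}" if path else key)
    elif isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        for i, (b, a) in enumerate(zip(before, after)):
            yield from diff(b, a, f"{path}[{i}]")
    elif before != after:
        # Whole-resource drift (e.g. deleted outside Terraform) has no inner path.
        yield (path or "<resource>", before, after)


def detect_drift(plan_json: str):
    plan = json.loads(plan_json)
    records = []
    for r in plan.get("resource_drift", []):
        change = r["change"]
        leaves = tuple(diff(change.get("before"), change.get("after")))
        records.append(DriftRecord(r["address"], tuple(change["actions"]), leaves))
    return records


def drift_gate(plan_json: str, allow=()):
    """Return (exit_code, evidence). Addresses in `allow` carry an explicit waiver."""
    records = detect_drift(plan_json)
    blocking = [r for r in records if r.address not in allow]
    evidence = {
        "check": "drift-gate-before-apply",
        "result": "block" if blocking else "pass",
        "drifted": [{
            "address": r.address,
            "actions": list(r.actions),
            "changes": [list(c) for c in r.changes],
            "waived": r.address in allow,
        } for r in records],
    }
    return (1 if blocking else 0), evidence


if __name__ == "__main__":
    code, evidence = drift_gate(PLAN_JSON)
    print(json.dumps(evidence, indent=2))   # evidence record for the audit trail
    raise SystemExit(code)
```

The in-plan `resource_changes` entry is deliberately ignored: that is intended change going through review, whereas `resource_drift` is change that already happened without Terraform, which is exactly what a gate before apply must surface before the next apply silently reconciles it.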
| Area | CLI | Web UI / Streamlit |
|---|---|---|
| Config scan (.tf, .tfvars, .hcl) | Yes | Yes |
| State leak scan (.tfstate) | Yes | Yes |
| Schema-aware validation | Yes | Yes |
| CSV export | No | Yes |
| Provider metadata | Yes | Yes |
| Snippet generation | Yes | No |
| Multi-file scan | Yes (directory) | Yes (multi-file or folder upload) |
| Enterprise policy authoring | Yes | Yes |
| Org baselines and group enforcement | Yes | Yes |
| Drift gate before apply | Yes | API-backed |
| Evidence export | JSON / CSV / PDF | Linked from evaluation workflows |
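What a `.tfstate` leak scan looks for, as an added example independent of the project's scanner: Terraform state stores resource attributes and output values in cleartext, and marking an output `sensitive = true` only masks it in CLI output, not in the state file. The scanner below walks a constructed v4 state document, flags secret-like attribute names, values matching well-known credential formats, and sensitive outputs, and masks every value it reports so the findings themselves do not leak into CI logs. The state document is constructed for this example (the access key pair is AWS's documented placeholder credential); the key and value patterns are a starting set, not an exhaustive list.

```python
"""State leak scan over a Terraform v4 .tfstate document.

Added example, independent of terraform-guardrail's scanner. The key/value
patterns are a starting set, and the state document is constructed here
(the access key pair is AWS's documented placeholder credential).
"""
import json
import re
from dataclasses import dataclass

# Constructed state: one DB with a cleartext password, one IAM access key,
# one harmless instance, and a sensitive output that is still stored in clear.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.6.0",
    "outputs": {
        "db_endpoint": {"value": "db.internal:5432", "type": "string"},
        "db_password": {"value": "Hunter2!Hunter2!", "type": "string", "sensitive": True},
    },
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {"id": "db-1", "password": "Hunter2!Hunter2!", "engine": "postgres"}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "ci",
         "instances": [{"attributes": {"id": "AKIAIOSFODNN7EXAMPLE",
                                       "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                       "status": "Active"}}]},
        {"mode": "managed", "type": "aws_instance", "name": "web",
         "instances": [{"attributes": {"id": "i-0abc", "ami": "ami-123", "tags": {"Name": "web"}}}]},
    ],
}

# Attribute names that almost always hold credentials.
KEY_PATTERN = re.compile(r"(password|passwd|secret|token|private_key|api_key|access_key)", re.I)
# Value shapes recognisable regardless of the attribute name.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Leak:
    location: str   # resource address or output, plus attribute path
    reason: str
    masked: str     # never echo the full secret into CI logs


def mask(value) -> str:
    s = str(value)
    return s[:4] + "*" * max(len(s) - 4, 0)


def walk(node, path):
    """Yield (path, leaf) pairs for every scalar inside nested dicts/lists."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, node


def scan_state(state: dict):
    leaks = []
    # sensitive = true hides the value from `terraform output`; the state still stores it.
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive"):
            leaks.append(Leak(f"outputs.{name}", "sensitive output stored in cleartext", mask(out.get("value"))))
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for idx, inst in enumerate(res.get("instances", [])):
            for path, value in walk(inst.get("attributes", {}), f"{address}[{idx}]"):
                if not isinstance(value, str) or not value:
                    continue
                key = path.rsplit(".", 1)[-1]
                if KEY_PATTERN.search(key):
                    leaks.append(Leak(path, f"secret-like attribute name '{key}'", mask(value)))
                for label, pattern in VALUE_PATTERNS.items():
                    if pattern.search(value):
                        leaks.append(Leak(path, f"value matches {label}", mask(value)))
    return leaks


def scan_state_json(text: str):
    """Entry point for a real .tfstate file read from disk."""
    return scan_state(json.loads(text))


if __name__ == "__main__":
    for leak in scan_state(SAMPLE_STATE):
        print(f"{leak.location}: {leak.reason} ({leak.masked})")
```

Run against the constructed state it reports four leaks: the sensitive output, the DB password, the access key ID (caught by value shape even though the attribute is just `id`) and the secret key. Scanning state rather than only `.tf` files matters because many providers write server-generated credentials into state that never appear in the configuration at all.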