Home
Terraform Guardrail Multi-Cloud Policy (MCP) (TerraGuard) is an enterprise-grade IaC governance and guardrail platform that enforces architectural intent, compliance, and platform standards directly inside CI/CD. It runs outside Terraform, exposes provider context, and enforces guardrails that prevent bad state before apply.
Install with one of:

```bash
pip install terraform-guardrail
brew install Huzefaaa2/tap/terraform-guardrail
choco install terraform-guardrail
```

Terraform-Guardrail is licensed under the Business Source License (BSL) 1.1 with a change date to Apache 2.0. Commercial usage requires explicit permission.
- Licensing details: Licensing
Making Infrastructure Governance Executable
Despite using Terraform and security scanners, enterprises still face:
- Inconsistent enforcement across teams
- Policies applied too late in delivery
- Manual reviews that don’t scale
- Different interpretations of “standards”
- Audit findings caused by drift, not intent
👉 The issue is not a lack of tools —
👉 The issue is the lack of a governance distribution mechanism.
Terraform-Guardrail Multi-Cloud Policy (MCP) is an enterprise-grade IaC governance and guardrail platform for Terraform that enforces architectural intent, compliance, and platform standards directly in CI/CD.
It:
- Establishes a non-negotiable safety floor
- Distributes guardrails consistently via CI/CD
- Enables progressive enforcement (Advisory → Warn → Strict)
- Makes governance versioned, auditable, and repeatable
Governance becomes code, not documents.
| Layer | Role |
|---|---|
| Terraform-Guardrail Multi-Cloud Policy (MCP) | Governance & enforcement orchestration |
| Checkov / tfsec / Terrascan | Deep static security & compliance scanning |
| OPA / Sentinel | Advanced & runtime policy enforcement |
| CI/CD (GitLab/GitHub) | Execution & control point |
Terraform-Guardrail does not replace existing tools — it connects and operationalizes them.
Every Terraform change passes through the same guardrails, before it ever reaches the cloud.
Implemented at:
- Merge request / pull request stage
- GitLab group-level CI enforcement
- No per-repo negotiation
| Phase | Mode | Business Outcome |
|---|---|---|
| Phase 1 | Advisory | Visibility, zero disruption |
| Phase 2 | Warn | Accountability without blocking |
| Phase 3 | Strict | Mandatory compliance for prod |
✔ No “big-bang” rollout
✔ Teams keep autonomy above the safety floor
Without it:
- Governance relies on people & process
- Controls drift over time
- Audit remediation is expensive
With it:
- Governance is automatic and consistent
- Security shifts left into CI
- Audit evidence is generated by default
- Platform teams scale without becoming bottlenecks
Terraform-Guardrail Multi-Cloud Policy (MCP) turns infrastructure governance
from guidelines into guarantees.
It enables speed and safety — without trading one for the other.
Non-negotiable safety floor, composable freedom above it. Guardrails live outside Terraform so platform teams can enforce baseline invariants while product teams retain agility.
```mermaid
flowchart LR
USER[Platform + Product Teams] --> CHANNELS[CLI / UI / REST API / CI]
CHANNELS --> GUARDRAIL[TerraGuard Control Plane]
GUARDRAIL --> POLICIES[Baseline + Context Policies]
GUARDRAIL --> REPORTS[Guidance + Evidence]
GUARDRAIL --> TERRAFORM[Safer Terraform Applies]
classDef actor fill:#e3f2fd,stroke:#1565c0,stroke-width:1px,color:#0d47a1;
classDef channel fill:#f3e5f5,stroke:#6a1b9a,stroke-width:1px,color:#4a148c;
classDef core fill:#e8f5e9,stroke:#2e7d32,stroke-width:1px,color:#1b5e20;
classDef output fill:#fff3e0,stroke:#ef6c00,stroke-width:1px,color:#e65100;
class USER actor;
class CHANNELS channel;
class GUARDRAIL,POLICIES core;
class REPORTS,TERRAFORM output;
```
- Roadmap
- Deliverables Reference
- Enterprise Implementation Plan
- Enterprise Features
- Examples
- AWS Support
- AWS CodePipeline
- Architecture
- Diagrams
- Comparison with Other Tools
- CLI Usage
- Command Reference
- Custom Rules
- GitHub Action
- GitLab CI Templates
- Packaging
- Licensing
- Multi-Cloud Policy (MCP) Server
- Compliance Rules
- Streamlit Deployment
- Docker Compose Stack
- Live Streamlit App
- PyPI Package
- Release Process
- Version: 1.0.4
- Container image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail
- Registry image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail-registry
- Supported providers: AWS, Azure, GCP, Kubernetes, Helm, OCI, Vault, Alicloud, vSphere
- Local stack: Docker Compose (API + UI + policy registry, optional analytics)
- Policy registry: OPA bundles published under `/bundles/*.tar.gz` (registry path; sample bundles: https://github.com/Huzefaaa2/terraform-guardrail/tree/main/ops/policy-registry/bundles)
- Policy evaluation available via CLI when OPA is installed
| Area | CLI | Web UI / Streamlit |
|---|---|---|
| Config scan (.tf, .tfvars, .hcl) | Yes | Yes |
| State leak scan (.tfstate) | Yes | Yes |
| Schema-aware validation | Yes | Yes |
| CSV export | No | Yes |
| Provider metadata | Yes | Yes |
| Snippet generation | Yes | No |
| Multi-file scan | Yes (directory) | Yes (upload up to 10) |
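As an added illustration of two ideas on this page, the progressive enforcement phases (Advisory → Warn → Strict) and the state leak scan of `.tfstate` files, the following is a minimal CI gate written for this wiki and not Terraform-Guardrail's own code. The secret-attribute pattern, the sample state document and the mode-to-exit-code mapping are all constructed assumptions.

```python
"""Added example (not Terraform-Guardrail's own code): a minimal
progressive-enforcement gate. It runs a constructed state-leak check over a
sample .tfstate document and maps findings to a CI exit status according to
the phase mode (advisory / warn / strict) described on this page."""
import re

# Attribute names that commonly carry secrets in Terraform state (constructed list).
SENSITIVE_KEYS = re.compile(r"(password|secret|token|private_key)", re.IGNORECASE)

# Assumed exit-status policy per phase: advisory and warn report but never block;
# strict blocks the pipeline on any finding.
BLOCKING_MODES = {"advisory": False, "warn": False, "strict": True}


def find_state_leaks(state: dict) -> list:
    """Return (resource address, attribute) pairs whose attribute name looks like
    a secret and holds a non-empty plaintext string in the state document."""
    findings = []
    for res in state.get("resources", []):
        address = f'{res.get("type")}.{res.get("name")}'
        for inst in res.get("instances", []):
            for key, value in inst.get("attributes", {}).items():
                if SENSITIVE_KEYS.search(key) and isinstance(value, str) and value:
                    findings.append((address, key))
    return findings


def gate(findings: list, mode: str) -> dict:
    """Decide whether the CI job should fail for the given enforcement mode."""
    if mode not in BLOCKING_MODES:
        raise ValueError(f"unknown enforcement mode: {mode}")
    blocked = bool(findings) and BLOCKING_MODES[mode]
    return {"mode": mode, "findings": len(findings), "exit_code": 1 if blocked else 0}


# Constructed sample state: one database resource whose password was persisted in
# plaintext, plus one resource with nothing sensitive.
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {"engine": "postgres", "password": "hunter2"}}]},
        {"type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"bucket": "logs-bucket"}}]},
    ],
}

if __name__ == "__main__":
    leaks = find_state_leaks(SAMPLE_STATE)
    for mode in ("advisory", "warn", "strict"):
        print(gate(leaks, mode))
```

The same finding produces exit code 0 in the advisory and warn phases and exit code 1 in strict, which is the visibility-first rollout the phase table describes.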