Home

Terraform Guardrail Multi-Cloud Policy (MCP) (TerraGuard) is an enterprise-grade IaC governance and guardrail platform that enforces architectural intent, compliance, and platform standards directly inside CI/CD. It runs outside Terraform, exposes provider context to policies, and enforces guardrails that block non-compliant changes before they are applied.
Start here for the full beginner-to-expert handbook:
The handbook covers the introduction, architecture, CLI, GUI, REST API, MCP server, rule catalog, policy registry, enterprise governance, CI/CD, cloud and on-premise support, evidence, drift, remediation, industry rollout patterns, competitive positioning, and appendices for commands, API routes, and rules.
```mermaid
flowchart LR
START["Beginner"] --> HANDBOOK["v5.0 Complete Handbook"]
HANDBOOK --> PRACTICE["Run scans and CI gates"]
PRACTICE --> PLATFORM["Build policy baselines"]
PLATFORM --> EXPERT["Operate autonomous governance"]
```
TerraGuard uses a shielded TG monogram for Terraform guardrails, multi-cloud policy, and autonomous governance. The brand system uses navy, cyan, blue, violet, green, and amber to reflect governance boundaries, policy decisions, remediation, evidence, and enforcement.
- TerraGuard Brand System
- Brand assets: https://github.com/Huzefaaa2/terraform-guardrail/tree/main/docs/assets/brand
- Enterprise case studies: https://github.com/Huzefaaa2/terraform-guardrail/wiki/Enterprise-Case-Studies
- v1-v5 Full platform live app: https://terraform-guardrail-platform.streamlit.app/
Latest release: v5.0.0 Autonomous Governance
v5.0.0 turns Terraform Guardrail into an autonomous governance loop: remediation plans, PR-ready patch bundles, GitHub PR automation, scheduled scans, evidence schedules, background runners, governance health, and trend dashboards. It builds on the v2 enterprise control plane, v3 ecosystem integrations, and v4 intelligent evaluation layer.
Roadmap status: v5.0.0 is delivered and published across GitHub Releases, PyPI, Homebrew, docs, and live app references.
Start with the release detail page, then follow the roadmap and task guides:
- v2.0.0 Enterprise Release
- v3.0.0 Ecosystem Release
- v4.0.0 Intelligent Release
- v5.0.0 Autonomous Governance Release
- Autonomous Governance Guide
- Roadmap
- Governance
- Enterprise Features
- How-To Guides
- AWS CodePipeline
- Diagrams
The current roadmap status is:
| Phase | Status | Focus |
|---|---|---|
| v1.0 Foundation | Delivered | Registry, packaging, CI templates, policy layering, and custom rules. |
| v2.0 Enterprise | Delivered | Policy authoring UI, org baselines, group enforcement, drift gates, and evidence export. |
| v3.0 Ecosystem | Delivered | Policy packs, service API, cross-provider invariants, reference implementations, and governance. |
| v4.0 Intelligent | Delivered | Context-aware evaluation, suggested fixes, explainability reports, SARIF/JUnit bridge, and waivers. |
| v5.0 Autonomous Governance | Delivered | Remediation plans, GitHub PR automation, scheduled governance, evidence schedules, and trend dashboards. |
Install from PyPI, from Homebrew, or on Windows through the `py` launcher:

```shell
pip install terraform-guardrail
brew install Huzefaaa2/tap/terraform-guardrail
py -m pip install terraform-guardrail
```

Terraform-Guardrail is licensed under the Business Source License (BSL) 1.1 with a change date to Apache 2.0. Commercial usage requires explicit permission.
- Licensing details: Licensing
Making Infrastructure Governance Executable
Despite using Terraform and security scanners, enterprises still face:
- Inconsistent enforcement across teams
- Policies applied too late in delivery
- Manual reviews that don’t scale
- Different interpretations of “standards”
- Audit findings caused by drift, not intent
👉 The issue is not lack of tools —
👉 The issue is lack of a governance distribution mechanism.
Terraform-Guardrail Multi-Cloud Policy (MCP) is an enterprise-grade IaC governance and guardrail platform for Terraform that enforces architectural intent, compliance, and platform standards directly in CI/CD.
It:
- Establishes a non-negotiable safety floor
- Distributes guardrails consistently via CI/CD
- Enables progressive enforcement (Advisory → Warn → Strict)
- Makes governance versioned, auditable, and repeatable
Governance becomes code, not documents.
| Layer | Role |
|---|---|
| Terraform-Guardrail Multi-Cloud Policy (MCP) | Governance & enforcement orchestration |
| Checkov / tfsec / Terrascan | Deep static security & compliance scanning |
| OPA / Sentinel | Advanced & runtime policy enforcement |
| CI/CD (GitLab/GitHub) | Execution & control point |
Terraform-Guardrail does not replace existing tools — it connects and operationalizes them.
Every Terraform change passes through the same guardrails, before it ever reaches the cloud.
Implemented at:
- Merge request / pull request stage
- GitLab group-level CI enforcement
- No per-repo negotiation
| Phase | Mode | Business Outcome |
|---|---|---|
| Phase 1 | Advisory | Visibility, zero disruption |
| Phase 2 | Warn | Accountability without blocking |
| Phase 3 | Strict | Mandatory compliance for prod |
✔ No “big-bang” rollout
✔ Teams keep autonomy above the safety floor
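The phased rollout above is only as safe as the gate that implements it: the same findings must produce "report", "flag" or "block" depending on the configured mode and on the target environment. The following is an added example of such a gate, not code from the terraform-guardrail project; the `Finding` shape, the `decide()` function, the severity ranks, the rule names and the `prod`-only strict rule are assumptions chosen to illustrate the Advisory, Warn, Strict progression in the table.

```python
"""Progressive enforcement gate for IaC scan findings.

Added example, not part of the terraform-guardrail project: the Finding
shape, decide(), the severity ranks and the environment names are
assumptions used to illustrate Advisory -> Warn -> Strict.
"""
import sys
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Tuple


class Mode(str, Enum):
    ADVISORY = "advisory"   # report only, never fail the pipeline
    WARN = "warn"           # report and flag what strict would block, never fail
    STRICT = "strict"       # fail the pipeline on findings at/above the threshold


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str      # expected to be a key of SEVERITY_RANK
    resource: str
    message: str


@dataclass
class Decision:
    exit_code: int                 # 0 = pipeline continues, 1 = pipeline blocked
    effective_mode: Mode
    blocking: List[Finding] = field(default_factory=list)
    would_block: List[Finding] = field(default_factory=list)
    informational: List[Finding] = field(default_factory=list)


def effective_mode(mode: Mode, environment: str, strict_envs: Tuple[str, ...]) -> Mode:
    """Strict is mandatory only for the environments in strict_envs (assumed: prod);
    elsewhere a strict binding degrades to warn so non-prod keeps moving."""
    if mode is Mode.STRICT and environment not in strict_envs:
        return Mode.WARN
    return mode


def decide(findings: Iterable[Finding], mode: Mode, environment: str,
           fail_threshold: str = "high",
           strict_envs: Tuple[str, ...] = ("prod",)) -> Decision:
    if fail_threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold {fail_threshold!r}")
    floor = SEVERITY_RANK[fail_threshold]
    eff = effective_mode(mode, environment, strict_envs)
    decision = Decision(exit_code=0, effective_mode=eff)
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity)
        if rank is None:
            # An unrecognised severity is ranked as critical so a malformed
            # report can never slip past a strict gate.
            rank = SEVERITY_RANK["critical"]
        at_or_above = rank >= floor
        if eff is Mode.STRICT and at_or_above:
            decision.blocking.append(f)
        elif eff is Mode.WARN and at_or_above:
            decision.would_block.append(f)
        else:
            decision.informational.append(f)
    if decision.blocking:
        decision.exit_code = 1
    return decision


def render(decision: Decision) -> str:
    """Plain-text summary suitable for a CI job log."""
    lines = [f"mode={decision.effective_mode.value} exit={decision.exit_code}"]
    for label, items in (("BLOCK", decision.blocking),
                         ("WOULD-BLOCK", decision.would_block),
                         ("INFO", decision.informational)):
        for f in items:
            lines.append(f"[{label}] {f.rule_id} ({f.severity}) {f.resource}: {f.message}")
    return "\n".join(lines)


# Constructed sample findings; these are not real scanner output or project rule IDs.
SAMPLE = [
    Finding("s3-public-acl", "critical", "aws_s3_bucket.logs", "public-read ACL on bucket"),
    Finding("missing-cost-center-tag", "low", "aws_instance.web", "cost-center tag absent"),
]

if __name__ == "__main__":
    env = sys.argv[1] if len(sys.argv) > 1 else "prod"
    mode = Mode(sys.argv[2]) if len(sys.argv) > 2 else Mode.STRICT
    result = decide(SAMPLE, mode, env)
    print(render(result))
    sys.exit(result.exit_code)
```

Run it as `python gate.py prod warn` during Phase 2 and `python gate.py prod strict` once Phase 3 starts; the only thing that changes between phases is the mode the group-level pipeline passes in, which is what makes the rollout incremental rather than a big-bang switch. Note the defensive choice for unknown severities: a scanner that emits a new severity label must fail closed under strict, not silently pass.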
Without it:
- Governance relies on people & process
- Controls drift over time
- Audit remediation is expensive
With it:
- Governance is automatic and consistent
- Security shifts left into CI
- Audit evidence is generated by default
- Platform teams scale without becoming bottlenecks
Terraform-Guardrail Multi-Cloud Policy (MCP) turns infrastructure governance from guidelines into guarantees. It enables speed and safety without trading one for the other.
Non-negotiable safety floor, composable freedom above it. Guardrails live outside Terraform so platform teams can enforce baseline invariants while product teams retain agility.
```mermaid
flowchart LR
USER[Platform + Product Teams] --> CHANNELS[CLI / UI / REST API / CI]
CHANNELS --> GUARDRAIL[TerraGuard Control Plane]
GUARDRAIL --> POLICIES[Baseline + Context Policies]
GUARDRAIL --> REPORTS[Guidance + Evidence]
GUARDRAIL --> TERRAFORM[Safer Terraform Applies]
classDef actor fill:#e3f2fd,stroke:#1565c0,stroke-width:1px,color:#0d47a1;
classDef channel fill:#f3e5f5,stroke:#6a1b9a,stroke-width:1px,color:#4a148c;
classDef core fill:#e8f5e9,stroke:#2e7d32,stroke-width:1px,color:#1b5e20;
classDef output fill:#fff3e0,stroke:#ef6c00,stroke-width:1px,color:#e65100;
class USER actor;
class CHANNELS channel;
class GUARDRAIL,POLICIES core;
class REPORTS,TERRAFORM output;
```
- v2.0.0 Enterprise Release
- Roadmap
- How-To Guides
- Deliverables Reference
- Enterprise Implementation Plan
- Enterprise Features
- Examples
- AWS Support
- AWS CodePipeline
- Architecture
- Diagrams
- Comparison with Other Tools
- CLI Usage
- Command Reference
- Custom Rules
- GitHub Action
- GitLab CI Templates
- Packaging
- Licensing
- Multi-Cloud Policy (MCP) Server
- Compliance Rules
- Streamlit Deployment
- Docker Compose Stack
- v1 Foundation Live App
- v2 Enterprise Live App
- v3-v5 Governance Live App
- v1-v5 Full Platform Live App
- Enterprise Case Studies
- PyPI Package
- Release Process
The recommended app model is four public demos:
- v1 Foundation for scanner basics
- v2 Enterprise for policy authoring and baselines
- one combined v3-v5 Governance app for policy packs, intelligent evaluation, remediation, PR dry runs, scheduled scans, evidence schedules, and health reporting
- one v1-v5 Full Platform app for the complete product story in a single enterprise GUI
- Version: 5.0.0
- Release: https://github.com/Huzefaaa2/terraform-guardrail/releases/tag/v5.0.0
- PyPI: https://pypi.org/project/terraform-guardrail/5.0.0/
- Container image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail
- Registry image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail-registry
- Supported providers: AWS, Azure, GCP, Kubernetes, Helm, OCI, Vault, Alicloud, vSphere
- Local stack: Docker Compose (API + UI + policy registry, optional analytics)
- Enterprise store: JSON file store under `.guardrail/enterprise` or the directory set by `GUARDRAIL_ENTERPRISE_DATA_DIR`
- Enterprise API: policies, baselines, bindings, evaluations, drift checks, and evidence exports
- Enterprise CLI: `evaluate`, `enterprise policy`, `enterprise baseline`, `enterprise binding`, `enterprise drift-gate`, and `evidence export`
- Policy registry: OPA bundles published under `/bundles/*.tar.gz` (registry path; sample bundles: https://github.com/Huzefaaa2/terraform-guardrail/tree/main/ops/policy-registry/bundles)
- Policy evaluation is available via the CLI when OPA is installed
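A policy registry that serves `.tar.gz` bundles is a software-supply-chain dependency of every pipeline that consumes it, so a consumer should pin the bundle digest and treat the archive as untrusted input until it is checked. The following is an added example, not the terraform-guardrail registry's own code or the project's sample bundles: it packs a `.manifest` plus `.rego` files in the OPA bundle layout, and the loader verifies a pinned SHA-256, refuses non-regular members, path-traversal or absolute member names, oversized files and unexpected file types, and reads members in memory without ever extracting to disk. The constant names, the size cap and the sample Rego policy are assumptions for the example.

```python
"""Build and safely load an OPA policy bundle (.tar.gz) as a registry would serve it.

Added example, not the terraform-guardrail registry's own code. The layout
(.manifest plus .rego/.json data files) follows the OPA bundle format; the
digest pinning, member-path filtering and size limit are this example's own
hardening steps for consuming bundles fetched from a registry.
"""
import gzip
import hashlib
import io
import json
import posixpath
import tarfile
from typing import Dict

MAX_MEMBER_BYTES = 1_000_000                      # assumed cap; policy files are small
ALLOWED_SUFFIXES = (".rego", ".json", ".yaml", ".yml")


def _add_member(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mtime = 0            # fixed timestamp: identical inputs give identical bytes
    tar.addfile(info, io.BytesIO(data))


def build_bundle(files: Dict[str, str], revision: str) -> bytes:
    """Pack policy/data files plus a .manifest into a reproducible gzip tarball."""
    manifest = json.dumps({"revision": revision, "roots": [""]}).encode()
    buf = io.BytesIO()
    # gzip mtime=0 keeps the gzip header stable so the digest is reproducible.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            _add_member(tar, ".manifest", manifest)
            for name, content in files.items():
                _add_member(tar, name, content.encode())
    return buf.getvalue()


def bundle_digest(blob: bytes) -> str:
    """Digest to pin next to the bundle URL in CI configuration."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def _safe_member_name(member: tarfile.TarInfo) -> str:
    """Reject anything that could escape an extraction root or smuggle non-policy content."""
    if not member.isfile():
        raise ValueError(f"refusing non-regular member: {member.name}")
    if member.size > MAX_MEMBER_BYTES:
        raise ValueError(f"member too large: {member.name}")
    norm = posixpath.normpath(member.name)
    if (member.name.startswith("/") or norm.startswith("/")
            or norm == ".." or norm.startswith("../")):
        raise ValueError(f"unsafe member path: {member.name}")
    if norm != ".manifest" and not norm.endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"unexpected file type in bundle: {member.name}")
    return norm


def load_bundle(blob: bytes, expected_digest: str) -> Dict[str, bytes]:
    """Verify the pinned digest first, then read members entirely in memory."""
    if bundle_digest(blob) != expected_digest:
        raise ValueError("bundle digest mismatch: refusing to load")
    members: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = _safe_member_name(member)
            fh = tar.extractfile(member)
            members[name] = fh.read() if fh else b""
    if ".manifest" not in members:
        raise ValueError("bundle has no .manifest")
    return members


def bundle_revision(members: Dict[str, bytes]) -> str:
    return json.loads(members[".manifest"])["revision"]


# Constructed sample policy; not a rule shipped by the project.
SAMPLE_REGO = """package terraform.guardrail

deny[msg] {
  input.resource_type == "aws_s3_bucket"
  input.acl == "public-read"
  msg := "public-read ACL is not allowed"
}
"""

if __name__ == "__main__":
    blob = build_bundle({"policies/s3.rego": SAMPLE_REGO}, revision="2024.01")
    digest = bundle_digest(blob)
    loaded = load_bundle(blob, digest)
    print(digest, sorted(loaded), bundle_revision(loaded))
```

Because the archive bytes are reproducible, the digest printed by the publisher can be committed beside the registry URL and compared by every consumer; a registry compromise that swaps the bundle then fails at the digest check before any member is even parsed, and a bundle that passes the digest check still cannot write outside the policy tree because the loader never calls `extractall`.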
| Area | CLI | Web UI / Streamlit |
|---|---|---|
| Config scan (.tf, .tfvars, .hcl) | Yes | Yes |
| State leak scan (.tfstate) | Yes | Yes |
| Schema-aware validation | Yes | Yes |
| CSV export | No | Yes |
| Provider metadata | Yes | Yes |
| Snippet generation | Yes | No |
| Multi-file scan | Yes (directory) | Yes (multi-file or folder upload) |
| Enterprise policy authoring | Yes | Yes |
| Org baselines and group enforcement | Yes | Yes |
| Drift gate before apply | Yes | API-backed |
| Evidence export | JSON / CSV / PDF | Linked from evaluation workflows |