
Cloud Infra

Repository: landerox/cloud-landerox-infra

cloud-landerox-infra is the public Terraform baseline and reference architecture for GCP. It runs my personal prd environment day-to-day and is also positioned as a drop-in starting point for small-to-medium teams that want a defense-in-depth, single-project foundation without inheriting enterprise landing-zone overhead.

Current State

  • Released as v0.1.0 (2026-05-13).
  • Two environments: prd (always active) and dev (opt-in sandbox).
  • Eight modules available — iam and storage enabled by default; secrets, cloud_run, scheduler, artifact_registry, bigquery, and observability staged behind explicit enable_*_module toggles.

What It Covers

  1. Identity & access: Workload Identity Federation (no static SA keys), custom roles, per-resource IAM bindings.
  2. Compute & data: Cloud Run (services + jobs), Cloud Scheduler, Artifact Registry, Secret Manager, GCS with Public Access Prevention and uniform bucket-level access (UBLA) enforced, BigQuery medallion (raw / bronze / silver / gold) with both typed and YAML-based composition paths.
  3. Observability: Cloud Monitoring alerts, dashboards, and notification channels declared as Terraform.
  4. Supply-chain integrity: every terraform plan artifact is signed via Sigstore; the apply job verifies that attestation before consuming the plan artifact, so a plan that was tampered with or substituted between the plan and apply jobs is rejected instead of applied.
  5. Defense in depth: 98 module tests, 29 Conftest mutation tests, plus variable-level validations rejecting unsafe inputs at plan time.
  6. Governance & assurance: GOVERNANCE.md, threat-model and mitigations matrix in docs/assurance-case.md, SSH-signed commits required on main, OpenSSF Best Practices silver tier.
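
The identity pattern from item 1, written out in Terraform as an added example (this is not code from cloud-landerox-infra): a Workload Identity Federation pool and OIDC provider for GitHub Actions, a deployer service account that can only be reached by impersonation because no key resource is ever created for it, a custom role holding a minimal set of Artifact Registry permissions, and that role bound on one repository instead of at project level. The project id, GitHub owner/name, region, resource ids and the permission list are assumptions chosen for illustration.

```hcl
# Added example, not part of cloud-landerox-infra. Project id, GitHub
# owner/name, region, resource ids and the permission list are assumptions.
variable "project_id" {
  type = string
}

variable "github_repository" {
  type        = string
  description = "GitHub repository allowed to deploy, as owner/name"
}

variable "region" {
  type    = string
  default = "europe-west1"
}

resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions"
  display_name              = "GitHub Actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc"
  display_name                       = "GitHub OIDC"

  # Map claims from the GitHub OIDC token to Google attributes; the
  # repository attribute is what the IAM binding below keys on.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.ref"        = "assertion.ref"
  }

  # Reject tokens from any other repository or branch at the provider,
  # before IAM is consulted. Without a condition, any GitHub repository
  # could present a token that reaches this pool.
  attribute_condition = "assertion.repository == \"${var.github_repository}\" && assertion.ref == \"refs/heads/main\""

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Deployer identity. No google_service_account_key is declared for it,
# so there is no long-lived credential to leak or rotate.
resource "google_service_account" "deployer" {
  project      = var.project_id
  account_id   = "tf-deployer"
  display_name = "Terraform deployer (WIF impersonation only)"
}

# Only workloads carrying the expected repository attribute may
# impersonate the deployer.
resource "google_service_account_iam_member" "deployer_wif" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_repository}"
}

# Custom role: a subset of roles/artifactregistry.writer sufficient to
# push and pull tagged images (assumed minimal set), nothing more.
resource "google_project_iam_custom_role" "image_pusher" {
  project = var.project_id
  role_id = "imagePusher"
  title   = "Artifact Registry image pusher"
  permissions = [
    "artifactregistry.repositories.get",
    "artifactregistry.repositories.downloadArtifacts",
    "artifactregistry.repositories.uploadArtifacts",
    "artifactregistry.tags.create",
    "artifactregistry.tags.update",
  ]
}

resource "google_artifact_registry_repository" "images" {
  project       = var.project_id
  location      = var.region
  repository_id = "images"
  format        = "DOCKER"
}

# Bind the custom role on this one repository rather than on the project,
# so a compromised pipeline cannot write to any other registry.
resource "google_artifact_registry_repository_iam_member" "deployer_push" {
  project    = var.project_id
  location   = google_artifact_registry_repository.images.location
  repository = google_artifact_registry_repository.images.name
  role       = google_project_iam_custom_role.image_pusher.name
  member     = "serviceAccount:${google_service_account.deployer.email}"
}
```

The check worth keeping in mind: the `attribute_condition` and the `principalSet` member both name the repository. The condition stops foreign tokens at the pool; the binding stops a token from this pool but a different repository (if the condition is ever loosened) from impersonating the deployer. Removing either one leaves the other as the only line of defense.

The plan-time validations from item 5 together with the bucket posture from item 2, again as an added example rather than the project's storage module: each unsafe input is rejected by a `validation` block before Terraform makes any API call, and the bucket resource consumes only validated values. Variable names, the approved location list and the bucket settings are assumptions; the `readers` check is an illustration of the kind of input the page says is rejected, not a claim about which inputs the repository validates.

```hcl
# Added example, not the repository's storage module. Variable names, the
# approved location list and the bucket settings are assumptions.
variable "bucket_name" {
  type = string
  validation {
    # Enforce the GCS naming rules up front so a bad name fails at plan
    # time instead of as an API error mid-apply.
    condition     = can(regex("^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$", var.bucket_name))
    error_message = "bucket_name must be 3-63 lowercase letters, digits or hyphens."
  }
}

variable "location" {
  type    = string
  default = "EU"
  validation {
    # Data-residency guard: only approved locations are accepted.
    condition     = contains(["EU", "europe-west1", "europe-west4"], var.location)
    error_message = "location must be one of: EU, europe-west1, europe-west4."
  }
}

variable "public_access_prevention" {
  type    = string
  default = "enforced"
  validation {
    # "inherited" defers to an org/project setting that may not exist;
    # only "enforced" guarantees allUsers / allAuthenticatedUsers can
    # never be granted on this bucket.
    condition     = var.public_access_prevention == "enforced"
    error_message = "public_access_prevention must be \"enforced\", not \"inherited\"."
  }
}

variable "readers" {
  type        = list(string)
  description = "IAM members granted roles/storage.objectViewer on the bucket"
  default     = []
  validation {
    # Reject public principals at the input boundary; PAP would also block
    # them at apply time, but failing the plan is cheaper and clearer.
    condition = alltrue([
      for m in var.readers : !contains(["allUsers", "allAuthenticatedUsers"], m)
    ])
    error_message = "readers must not contain allUsers or allAuthenticatedUsers."
  }
}

resource "google_storage_bucket" "this" {
  name     = var.bucket_name
  location = var.location

  # Uniform bucket-level access: no per-object ACLs, so IAM bindings are
  # the only way access can be granted.
  uniform_bucket_level_access = true
  public_access_prevention    = var.public_access_prevention

  versioning {
    enabled = true
  }
}

resource "google_storage_bucket_iam_member" "readers" {
  for_each = toset(var.readers)
  bucket   = google_storage_bucket.this.name
  role     = "roles/storage.objectViewer"
  member   = each.value
}
```

With these declarations, `terraform plan -var='readers=["allUsers"]'` or `-var='public_access_prevention=inherited'` stops with the corresponding error message before a plan file is produced, which is the property the page describes as rejecting unsafe inputs at plan time.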

Tech Focus

  • Terraform 1.14.9 + Google Cloud Provider.
  • Toolchain pinned via mise; Conftest (OPA Rego), Checkov, TFLint for policy and linting; pre-commit + Commitizen for change hygiene.
  • GitHub Actions for CI, drift detection, CodeQL SAST, and OpenSSF Scorecard.
  • Renovate for dependency updates; Sigstore for plan attestation; SSH-signed tags and releases.

Relationship to Data

This project provisions the infrastructure foundation consumed by Cloud Data.

View on GitHub