TerminalsandCoffee/multi-cloud-cspm

Cloud Security Baseline

Terraform baseline for enterprise cloud security guardrails with an Azure-first operating model and GCP secondary onboarding path. This repository is designed for production security engineering teams implementing preventive, detective, and governance controls as code.

Baseline Objectives

  • Establish secure-by-default cloud guardrails for network, logging, posture management, and detection.
  • Provide repeatable control implementation aligned to NIST 800-53 and ISO 27001 control intent.
  • Support audit evidence generation from Terraform state, plans, outputs, and CI/CD execution history.
  • Operationalize security controls through CI validation, policy checks, and runbook-oriented documentation.

Architecture

                    ┌─────────────────────────────────────────┐
                    │           GitHub Actions CI/CD          │
                    │    fmt / validate / lint → plan → apply │
                    └────────────────┬────────────────────────┘
                                     │ OIDC federation
               ┌─────────────────────┴─────────────────────┐
               │                                           │
        ┌──────▼───────────────────┐              ┌────────▼─────────┐
        │ Azure security baseline  │              │ GCP (secondary)  │
        │                          │              │                  │
        │ Sentinel + Log Analytics │              │ SCC notifications│
        │ Defender for Cloud       │              │ Pub/Sub pipeline │
        │ Firewall + NSG guardrails│              │ GCS archive      │
        └──────────────────────────┘              │ Chronicle stub   │
                                                  └──────────────────┘

Module Coverage

Module          Cloud  Security Function                                        Control Focus
--------------  -----  -------------------------------------------------------  ----------------------
azure-sentinel  Azure  Centralized logging + SIEM detections                    AU-4, AU-6, AC-7, SI-4
azure-defender  Azure  Posture management and workload protection baseline      AU-6, SI-4
azure-firewall  Azure  Boundary control and threat-intel blocking               SC-7, SI-4
azure-nsg       Azure  Segmentation and least-privilege network enforcement     AC-4, SC-7
gcp-scc         GCP    Security findings export pipeline and archive            SI-4, AU-4, AU-11
gcp-chronicle   GCP    Chronicle ingestion prerequisites (infrastructure stub)  SC-28, AU-4

Deployment Model

  • Azure-first by default: Azure modules are always deployed.
  • GCP optional by design: set enable_gcp_secondary = true only when GCP org prerequisites are ready.
  • No forced multi-cloud symmetry: GCP scope remains narrower until enterprise adoption maturity requires expansion.

Quick Start

cd environments/baseline
terraform init -backend=false
terraform validate
terraform plan -var-file="your.tfvars"

Minimal Azure-first tfvars

environment               = "prod"
azure_subscription_id     = "00000000-0000-0000-0000-000000000000"
azure_resource_group_name = "rg-security-baseline"
azure_location            = "eastus"
log_retention_days        = 365

firewall_subnet_id = "/subscriptions/.../subnets/AzureFirewallSubnet"

Enable secondary GCP controls (when ready)

enable_gcp_secondary = true
gcp_project_id       = "my-security-project"
gcp_region           = "us-central1"
gcp_organization_id  = "123456789"
chronicle_sa_email   = "[email protected]"
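The tfvars above are only as safe as the variable definitions that receive them. As an added example (not code from this repository), the following variable declarations show how the values in the two tfvars fragments can be validated at plan time with Terraform `validation` blocks, so a typo in a subscription GUID, a retention period outside the Log Analytics range of 30 to 730 days, or a firewall subnet ID that does not point at the mandatory `AzureFirewallSubnet` name fails before anything is deployed. Variable names follow the README; the allowed environment list and the exact error messages are assumptions. Each `condition` references only its own variable, which keeps the block compatible with Terraform releases that do not allow cross-variable references in validations.

```hcl
# Added example: input validation for the baseline's tfvars (not the repository's own code).

variable "environment" {
  description = "Deployment environment name; drives naming and tagging."
  type        = string
  validation {
    # Allowed list is an assumption for this example.
    condition     = contains(["dev", "test", "prod"], var.environment)
    error_message = "environment must be one of dev, test, prod."
  }
}

variable "azure_subscription_id" {
  description = "Target Azure subscription (GUID)."
  type        = string
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.azure_subscription_id))
    error_message = "azure_subscription_id must be a GUID of the form 00000000-0000-0000-0000-000000000000."
  }
}

variable "azure_location" {
  description = "Azure region for baseline resources."
  type        = string
  validation {
    # Azure region short names are lowercase alphanumerics (e.g. eastus).
    condition     = can(regex("^[a-z0-9]+$", var.azure_location))
    error_message = "azure_location must be an Azure region short name such as eastus."
  }
}

variable "log_retention_days" {
  description = "Log Analytics workspace retention in days. The baseline default is 365; the platform accepts 30 to 730."
  type        = number
  default     = 365
  validation {
    condition     = var.log_retention_days >= 30 && var.log_retention_days <= 730
    error_message = "log_retention_days must be between 30 and 730 (Log Analytics retention range)."
  }
}

variable "firewall_subnet_id" {
  description = "Resource ID of the pre-existing subnet for Azure Firewall."
  type        = string
  validation {
    # Azure Firewall requires the subnet to be named exactly AzureFirewallSubnet.
    condition     = can(regex("/subnets/AzureFirewallSubnet$", var.firewall_subnet_id))
    error_message = "firewall_subnet_id must reference a subnet named AzureFirewallSubnet."
  }
}

variable "enable_gcp_secondary" {
  description = "Deploy the secondary GCP controls (SCC export pipeline, Chronicle prerequisites)."
  type        = bool
  default     = false
}

variable "gcp_organization_id" {
  description = "Numeric GCP organization ID used by the SCC export pipeline."
  type        = string
  validation {
    condition     = can(regex("^[0-9]+$", var.gcp_organization_id))
    error_message = "gcp_organization_id must be the numeric organization ID (digits only)."
  }
}

variable "chronicle_sa_email" {
  description = "Service account granted Chronicle ingestion permissions."
  type        = string
  validation {
    condition     = can(regex("^[a-z0-9-]+@[a-z0-9-]+\\.iam\\.gserviceaccount\\.com$", var.chronicle_sa_email))
    error_message = "chronicle_sa_email must be a GCP service account email (...@<project>.iam.gserviceaccount.com)."
  }
}
```

Run `terraform validate` after `terraform init -backend=false` as in the Quick Start; a value that fails one of these conditions is reported with its `error_message` and the plan is never produced, which is the cheapest point at which to catch a guardrail misconfiguration.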

CI/CD Security Controls

Workflow                Purpose
----------------------  -------------------------------------------------
terraform-validate.yml  fmt, validate, and tflint on pull requests
terraform-plan.yml      OIDC-authenticated plan with PR comment + artifact
terraform-apply.yml     Main-branch apply with environment approval gate

Governance and Audit Artifacts

  • NIST mapping: docs/nist-800-53-control-mapping.md
  • ISO mapping: docs/iso-27001-control-mapping.md
  • Control evidence matrix: docs/control-evidence-matrix.md

Manual Prerequisites and Known Constraints

  • GCP credentials are always required. The Google provider is initialized unconditionally so Terraform can validate the configuration graph. Even with enable_gcp_secondary = false, valid GCP credentials (or GOOGLE_CREDENTIALS / ADC) must be available. Set gcp_project_id to any accessible project for Azure-only deployments.
  • SCC premium capabilities require manual organization-level enablement.
  • Chronicle full onboarding (feeds, parsers, detections, response playbooks) remains manual.
  • Azure Firewall subnet (AzureFirewallSubnet) must exist in the target network.
  • Delete locks are enabled by default for critical Azure resources and should only be disabled through an approved exception process.
  • Remote Terraform state backend is intentionally commented out and must be configured before production apply. The CI apply workflow uses -backend=false — state is not persisted until a backend is configured.
  • Some cloud security resources do not support user-defined tags due to platform limitations.
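The Deployment Model and the first and fifth constraints above describe one composition pattern: Azure modules are always in the graph, GCP modules are gated on `enable_gcp_secondary`, providers cannot be made conditional (hence the always-required GCP credentials), and delete locks are on by default. The following root-module fragment is an added example of that wiring, not the repository's own `environments/baseline` code. Module source paths, the module input and output names (`workspace_id`, `topic_name`), the `enable_delete_locks` variable and the remaining `variable` blocks are assumptions for this example.

```hcl
# Added example: Azure-first root module with an optional GCP path (not the repository's own code).

variable "azure_subscription_id" { type = string }
variable "azure_resource_group_name" { type = string }
variable "azure_location" { type = string }
variable "log_retention_days" { type = number }
variable "gcp_project_id" { type = string }
variable "gcp_region" { type = string }
variable "gcp_organization_id" { type = string }
variable "enable_gcp_secondary" { type = bool }

# Assumed variable: a deliberate opt-out so that removing a lock is a reviewable
# change in the tfvars rather than an edit to the module code.
variable "enable_delete_locks" {
  type    = bool
  default = true
}

provider "azurerm" {
  features {}
  subscription_id = var.azure_subscription_id
}

# Terraform does not support count/for_each on provider blocks, so the Google
# provider is configured unconditionally. This is the reason the README requires
# GCP credentials (GOOGLE_CREDENTIALS or ADC) and an accessible gcp_project_id
# even when every GCP module below is switched off.
provider "google" {
  project = var.gcp_project_id
  region  = var.gcp_region
}

# Azure guardrails carry no count: no input can switch off the primary baseline.
module "azure_sentinel" {
  source              = "../../modules/azure-sentinel"   # assumed path
  resource_group_name = var.azure_resource_group_name    # assumed input name
  location            = var.azure_location               # assumed input name
  retention_in_days   = var.log_retention_days           # assumed input name
}

# GCP modules are gated on the toggle. count = 0 removes them from the graph, so an
# Azure-only plan contains no GCP resources at all.
module "gcp_scc" {
  count           = var.enable_gcp_secondary ? 1 : 0
  source          = "../../modules/gcp-scc"              # assumed path
  project_id      = var.gcp_project_id                   # assumed input name
  organization_id = var.gcp_organization_id              # assumed input name
}

# Delete lock on the Log Analytics workspace. CanNotDelete still allows
# configuration changes; it only blocks deletion of the locked scope.
resource "azurerm_management_lock" "sentinel_workspace" {
  count      = var.enable_delete_locks ? 1 : 0
  name       = "lock-security-baseline-law"
  scope      = module.azure_sentinel.workspace_id        # assumed output name
  lock_level = "CanNotDelete"
  notes      = "Baseline guardrail; disable only through the approved exception process."
}

# Outputs must tolerate count = 0. The splat yields an empty list when GCP is
# disabled and one() turns that into null instead of an index error.
output "gcp_scc_topic" {
  description = "Pub/Sub topic receiving SCC notifications, or null when GCP is disabled."
  value       = one(module.gcp_scc[*].topic_name)        # assumed output name
}

output "delete_locks_enabled" {
  value = var.enable_delete_locks
}
```

With `enable_gcp_secondary = false` the plan shows only the Azure resources and `gcp_scc_topic = null`, yet `terraform plan` still fails if no Google credentials are present, which is exactly the constraint the README calls out. Because the lock is its own resource, an exception that sets `enable_delete_locks = false` appears in the plan as a single destroy of the `azurerm_management_lock`, giving reviewers a clear signal in the PR comment produced by `terraform-plan.yml`.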

About

A multi-cloud security baseline using Terraform. Demonstrates NIST 800-53 and ISO 27001 compliance through Infrastructure as Code across Azure (primary) and GCP (secondary).
