Announcement

Cloud landing zones using OpenTofu

Deploy and manage enterprise-wide cloud governance patterns with automated drift detection and self-healing resources across AWS, Azure & GCP.

Turbot Team
5 min. read - Jan 28, 2025

We're excited to announce that Turbot Guardrails now supports OpenTofu for cloud landing zones and governance. This enhancement enables cloud teams to deploy and manage standardized patterns across their enterprise cloud environment while leveraging the community-driven, Linux Foundation-backed OpenTofu project.

Why use Guardrails for deploying stacks?

While teams can use OpenTofu in their own deployment pipelines, using Guardrails' Stacks to deploy OpenTofu is specifically designed for cloud teams managing enterprise-wide patterns and standards across a multi-cloud environment. Common use cases would be to deploy Landing Zone configurations, consistent networking patterns, IAM resources, resource policies, etc.

Guardrails Stacks gives cloud teams additional benefits:

  • Unified Governance: Manage infrastructure standards alongside existing cloud security and FinOps guardrails.
  • Policy-Driven Control: Apply consistent patterns while supporting exceptions through Guardrails' policy engine.
  • Automated Drift Correction: Ensure configurations remain compliant with automated drift detection and correction without managing state files.
  • Context-aware: Dynamically bring in context from the Guardrails CMDB, audit trail, and outside data sources. Wrap the context with conditional logic using calculated policies to handle a wide variety of enterprise use cases.

Guardrails Stack [Native]

Our new governance stacks, labeled Stack [Native], bring expanded capabilities and flexibility to cloud teams. Powered by OpenTofu, these stacks offer significant improvements over our original Stack/Configured controls:

Feature                      | Stack/Configured                        | Stack [Native]
Version                      | Terraform 0.15 and earlier              | OpenTofu 1.8.3 and later
Triggering                   | Resource update                         | Resource update, interval
CMDB required?               | Yes                                     | No
Resources supported          | Only resources supported in Guardrails  | Any resource supported by the provider
Support for count, for_each  | No                                      | Yes

How to use Guardrails OpenTofu Stacks

Update your AWS mod

Update the @turbot/aws mod to version v5.33 or later.

Once the mod is installed, you will see new Stack [Native] policies added to your environment. For example, AWS > Account > Stack [Native] > * policies:

Set your first stack policy

Let's start with an existing policy pack sample from the Guardrails Hub to Deploy AWS IAM Stack.

This policy pack creates an IAM role with the AWS managed ReadOnlyAccess policy attached in each applicable AWS account.

The policy pack sets the following OpenTofu HCL in the AWS > IAM > Stack [Native] > Source policy:

# Principals allowed to assume the role; supplied per account via the Variables policy.
variable "trusted_principals" {
  description = "A list of principal ARNs that can assume the role. These will be added to the trust policy."
  type        = set(string)
}

# The role itself, with a trust policy built from the variable above.
resource "aws_iam_role" "read_only_role" {
  name = "read_only_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = var.trusted_principals
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

# Attach the AWS managed ReadOnlyAccess policy to the role.
resource "aws_iam_role_policy_attachment" "read_only" {
  role       = aws_iam_role.read_only_role.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

Setting conditional logic to your stack

The policy pack also uses the AWS > IAM > Stack [Native] > Variables policy to define .tfvars-style variable overrides. While static variable values can simply be placed in the configuration, calculated policies let us look up values dynamically.

The variable we set in the HCL source is for trusted principals. Using calculated policies we can look up a list of trusted AWS account IDs. In this case, we will look up the ID of the account the stack applies to, essentially allowing the role to be assumed from within the same account.

A calculated policy consists of a GraphQL input that pulls the account tags from the Guardrails CMDB and a Nunjucks template that defines the conditional logic:

trusted_principals = ["arn:aws:iam::{{$.account.Id}}:root"]

To test how the stack will apply, we can attach the policy pack to our Acme organization to see the calculated values per account:

When ready, we can officially deploy the policy pack by changing the AWS > IAM > Stack [Native] policy setting from Check: Configured to Enforce: Configured.

Automated drift correction

Guardrails can also detect and correct drift of your applied stacks. By default, drift detection policies will run automatically when a resource changes.

When any runtime change affects the stack, Guardrails alerts and auto-corrects the misconfiguration.

For example, if a developer modifies the AWS Principal in the policy, Guardrails will immediately identify the misconfiguration, alert, then take automated action to fix the policy. Here we can see Bob updated the resource, then within a minute, Guardrails detected the drift and updated the resource.
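As an added example (not Turbot's or Guardrails' code), the following Python models what the calculated policy above renders for an account and the desired-versus-observed comparison behind the drift correction just described: the desired trust policy is rebuilt from the account ID, compared with an observed policy that was edited by hand, and the stack's document is returned for re-application. The account IDs and the drifted policy are constructed sample values.

```python
# Added example (not Turbot's code): desired-vs-observed trust policy check behind drift correction.
import json

def trusted_principals(account_id: str) -> list[str]:
    """Value the calculated policy renders from the Nunjucks template
    trusted_principals = ["arn:aws:iam::{{$.account.Id}}:root"]."""
    return [f"arn:aws:iam::{account_id}:root"]

def desired_trust_policy(account_id: str) -> dict:
    """Trust policy the stack's aws_iam_role declares for this account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principals(account_id)},
            "Action": "sts:AssumeRole",
        }],
    }

def allowed_principals(policy: dict) -> set[str]:
    """Every AWS principal granted sts:AssumeRole by an Allow statement.
    IAM stores one principal as a string, several as a list, and "*" bare."""
    found: set[str] = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        found.update([aws] if isinstance(aws, str) else aws)
    return found

def detect_drift(desired: dict, observed: dict) -> dict:
    """Principals added to or removed from the role's trust policy."""
    want, have = allowed_principals(desired), allowed_principals(observed)
    return {"added": sorted(have - want), "removed": sorted(want - have)}

def correct_drift(desired: dict, observed: dict) -> tuple[dict, str]:
    """Document to re-apply plus an alert line (empty when already in sync)."""
    drift = detect_drift(desired, observed)
    if not drift["added"] and not drift["removed"]:
        return observed, ""
    return desired, f"trust policy drift {json.dumps(drift)}; re-applying stack"

# Constructed sample: an account ID and a trust policy edited by hand to trust
# a second, external account (the "Bob updated the resource" case above).
SAMPLE_ACCOUNT = "123456789012"
DRIFTED_POLICY = desired_trust_policy(SAMPLE_ACCOUNT)
DRIFTED_POLICY["Statement"][0]["Principal"]["AWS"].append("arn:aws:iam::999999999999:root")
```

Calling correct_drift(desired_trust_policy(SAMPLE_ACCOUNT), DRIFTED_POLICY) returns the original stack document together with an alert naming the added principal, which is the alert-then-reapply sequence the control detail shows.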

Exploring the control detail, we can visualize the configuration correction back to the desired state of the stack:

See it in Action

Watch this demo to see how Turbot Guardrails manages OpenTofu stacks with automatic drift correction in real time:

Get started with Guardrails Stacks for cloud landing zones

Turbot Guardrails transforms how you manage OpenTofu deployments across AWS, Azure, and GCP. By combining OpenTofu with Guardrails' policy engine, cloud teams can ensure their cloud landing zones stay compliant and secure through context-aware deployments, automated drift detection and correction.

Start your 14-day free trial to experience automated cloud landing zones with Guardrails.