
Citadel Cloud Management

Multi-Cloud Terraform Patterns

DevOps Pipelines
$55.00 (was $82.00, 33% off)

Created by Kenny Ogunlowo

Covers: AWS, Azure, GCP, FedRAMP, CMMC
Tags: cicd, devops, digital-download, kubernetes, terraform

Product Description

Multi-Cloud Terraform Patterns

Multi-cloud deployment is not "deploy the same thing to AWS and GCP." It is managing two completely different API surfaces, identity systems, networking models, and failure modes with a single pipeline. At Lockheed Martin, we operated infrastructure across AWS GovCloud and Azure Government — each with different compliance boundaries, different IAM models, and different deployment tooling. A pipeline that works for one cloud is useless for the other unless it abstracts the cloud-specific details behind a common interface. This template provides that abstraction layer.

Pipeline Stages

  • cloud-detect — Analyzes the deployment manifest to determine target cloud(s). Routes to cloud-specific deployment paths based on annotations in the Kubernetes manifest or Terraform workspace.
  • build — Cloud-agnostic container build. Image pushed to both ECR (AWS) and Artifact Registry (GCP) with identical digests. SBOM generated once, attached to both registries.
  • scan — Unified security scanning: Trivy for containers, Checkov for IaC (supports both AWS and GCP providers), TruffleHog for secrets. Single report covering all cloud targets.
  • deploy-aws — OIDC auth to AWS. EKS deployment via Helm. AWS-specific config injected: ALB Ingress, EBS storage class, IAM Roles for Service Accounts.
  • deploy-gcp — Workload Identity Federation to GCP. GKE deployment via Helm. GCP-specific config: GCE Ingress, PD storage class, Workload Identity binding.
  • cross-cloud-test — Verifies that both deployments return identical responses. Tests DNS failover, data replication lag, and API compatibility between cloud instances.
  • traffic-management — Route53 or Cloud DNS weighted routing. Gradual traffic shift: 90/10 primary/secondary, then 50/50, with automatic failover on health check failure.

Security Gates

  • Per-cloud OIDC — Separate identity federation for each cloud. AWS role trusts GitHub OIDC provider. GCP Workload Identity Pool trusts GitHub OIDC provider. No shared credentials.
  • Unified policy enforcement — OPA/Conftest policies written once, applied to both AWS and GCP Terraform configurations. Ensures consistent security posture across clouds.
  • Cross-cloud audit logging — CloudTrail (AWS) and Cloud Audit Logs (GCP) both forward to a central SIEM. Pipeline deployments are correlated across clouds by commit SHA.

What Breaks First

  • Kubernetes API version skew — EKS runs 1.29, GKE runs 1.30. A manifest using a v1.30 API fails on EKS. Fix: pin manifests to the lowest common API version, or use Kustomize overlays with cloud-specific API version patches.
  • DNS propagation delay during failover — Route53 health check fails, DNS failover triggers, but clients cache the old DNS record for the TTL duration (60 seconds default). Fix: set TTL to 10 seconds for failover records and use client-side retry with DNS cache flush.
  • Cloud-specific Helm value drift — AWS values.yaml and GCP values.yaml diverge over time as teams make cloud-specific changes without updating the other. Fix: use a base values.yaml with cloud-specific overlay files, and a CI check that flags new keys added to one overlay but not the other.
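One way to implement the overlay drift CI check from the last bullet, as an added example that is not part of the template itself: it flattens each cloud's overlay into dotted key paths and reports keys present in one overlay but not the other, ignoring an allow-list of prefixes that are legitimately cloud-specific (the sample overlays and the allow-listed prefixes are constructed assumptions).

```python
"""CI check: flag Helm values keys added to one cloud overlay but not the other."""
from typing import Any, Dict, Set

# Constructed sample overlays. In the pipeline these would be loaded from
# values-aws.yaml / values-gcp.yaml with load_values() below.
AWS_VALUES: Dict[str, Any] = {
    "replicaCount": 3,
    "ingress": {"className": "alb",
                "annotations": {"alb.ingress.kubernetes.io/scheme": "internet-facing"}},
    "storage": {"className": "gp3"},
    "serviceAccount": {"annotations": {"eks.amazonaws.com/role-arn": "arn:aws:iam::000000000000:role/app"}},
    "podDisruptionBudget": {"minAvailable": 2},   # added on AWS only -> drift
}
GCP_VALUES: Dict[str, Any] = {
    "replicaCount": 3,
    "ingress": {"className": "gce",
                "annotations": {"kubernetes.io/ingress.class": "gce"}},
    "storage": {"className": "pd-ssd"},
    "serviceAccount": {"annotations": {"iam.gke.io/gcp-service-account": "app@example.iam.gserviceaccount.com"}},
    "backendConfig": {"timeoutSec": 30},          # added on GCP only -> drift
}

# Assumed convention: provider-specific annotations live under these prefixes,
# so differing keys there are expected and must not be flagged.
CLOUD_SPECIFIC_PREFIXES = ("ingress.annotations.", "serviceAccount.annotations.")


def flatten_keys(values: Dict[str, Any], prefix: str = "") -> Set[str]:
    """Return dotted leaf paths, e.g. {'ingress.className', 'storage.className'}."""
    keys: Set[str] = set()
    for key, value in values.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict) and value:
            keys |= flatten_keys(value, path + ".")
        else:
            keys.add(path)
    return keys


def overlay_drift(aws: Dict[str, Any], gcp: Dict[str, Any]) -> Dict[str, list]:
    """Keys present in exactly one overlay, excluding allow-listed cloud-specific paths."""
    aws_keys = {k for k in flatten_keys(aws) if not k.startswith(CLOUD_SPECIFIC_PREFIXES)}
    gcp_keys = {k for k in flatten_keys(gcp) if not k.startswith(CLOUD_SPECIFIC_PREFIXES)}
    return {"aws_only": sorted(aws_keys - gcp_keys), "gcp_only": sorted(gcp_keys - aws_keys)}


def load_values(path: str) -> Dict[str, Any]:
    import yaml  # PyYAML, imported lazily so the check itself has no hard dependency
    with open(path) as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    drift = overlay_drift(AWS_VALUES, GCP_VALUES)
    for side, keys in drift.items():
        for key in keys:
            print(f"DRIFT {side}: {key}")
    raise SystemExit(1 if drift["aws_only"] or drift["gcp_only"] else 0)
```

Keys that are genuinely cloud-only should either be mirrored into the other overlay (with a null or no-op value) or moved under an allow-listed prefix, so the check stays green without silencing real divergence.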

What You'll Get

  • Complete digital resource files
  • Ready-to-use templates and frameworks
  • Professional documentation included
  • Lifetime access to download updates