{"product_id":"multi-cloud-terraform-patterns","title":"Multi-Cloud Terraform Patterns","description":"\u003ch3\u003eMulti-Cloud Terraform Patterns\u003c\/h3\u003e\n\u003cp\u003eMulti-cloud deployment is not \"deploy the same thing to AWS and GCP.\" It is managing two completely different API surfaces, identity systems, networking models, and failure modes from a single pipeline. At Lockheed Martin, we operated infrastructure across AWS GovCloud and Azure Government — each with its own compliance boundary, IAM model, and deployment tooling. A pipeline that works for one cloud is useless for the other unless it abstracts the cloud-specific details behind a common interface. This template provides that abstraction layer.\u003c\/p\u003e\n\n\u003ch3\u003ePipeline Stages\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cstrong\u003ecloud-detect\u003c\/strong\u003e — Analyzes the deployment manifest to determine the target cloud(s). Routes to the cloud-specific deployment paths based on annotations in the Kubernetes manifest or on the Terraform workspace.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003ebuild\u003c\/strong\u003e — Cloud-agnostic container build. The image is built once and the same artifact is pushed to both ECR (AWS) and Artifact Registry (GCP), so the digest is identical in both registries (a separate build per registry would not be). The SBOM is generated once from that image and attached to it in both registries.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003escan\u003c\/strong\u003e — Unified security scanning: Trivy for container images, Checkov for IaC (covers both the AWS and GCP Terraform providers), TruffleHog for secrets. A single report covers all cloud targets.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003edeploy-aws\u003c\/strong\u003e — OIDC auth to AWS. EKS deployment via Helm. AWS-specific config injected: ALB Ingress, EBS storage class, IAM Roles for Service Accounts.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003edeploy-gcp\u003c\/strong\u003e — Workload Identity Federation to GCP. GKE deployment via Helm. 
GCP-specific config injected: GCE Ingress, PD storage class, Workload Identity binding.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003ecross-cloud-test\u003c\/strong\u003e — Verifies that both deployments return identical responses to the same requests. Also tests DNS failover, data replication lag, and API compatibility between the two cloud instances.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003etraffic-management\u003c\/strong\u003e — Route53 or Cloud DNS weighted routing. Gradual traffic shift: 90\/10 primary\/secondary, then 50\/50, with automatic failover to the healthy side when a health check fails.\u003c\/li\u003e\n\u003c\/ul\u003e\n\n\u003ch3\u003eSecurity Gates\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cstrong\u003ePer-cloud OIDC\u003c\/strong\u003e — Separate identity federation for each cloud: the AWS IAM role trusts the GitHub OIDC provider, and the GCP Workload Identity Pool trusts the same provider independently. No long-lived credentials are stored in the pipeline and none are shared between clouds. Both trusts must be scoped to the repository and branch or environment via the sub claim of the token (a condition in the AWS trust policy, an attribute condition on the GCP pool); a trust that checks only the issuer and audience lets any GitHub repository assume the role.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eUnified policy enforcement\u003c\/strong\u003e — OPA\/Conftest policies are written once against the Terraform plan and applied to both the AWS and GCP configurations, so one rule set enforces a consistent security posture across clouds.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eCross-cloud audit logging\u003c\/strong\u003e — CloudTrail (AWS) and Cloud Audit Logs (GCP) both forward to a central SIEM. Pipeline deployments are correlated across clouds by commit SHA, so a single change can be traced to the API calls it produced in each cloud.\u003c\/li\u003e\n\u003c\/ul\u003e\n\n\u003ch3\u003eWhat Breaks First\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cstrong\u003eKubernetes API version skew\u003c\/strong\u003e — EKS and GKE rarely run the same minor version (for example EKS on 1.29 while GKE is on 1.30). A manifest that uses an API version introduced in 1.30 fails on the 1.29 cluster. Fix: pin manifests to the lowest common API version, or use Kustomize overlays with cloud-specific API version patches.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eDNS propagation delay during failover\u003c\/strong\u003e — The Route53 health check fails and DNS failover triggers, but resolvers and clients keep serving the old answer until the record TTL expires (60 seconds for an alias record pointing at a load balancer). 
Fix: set the TTL on failover records to 10 seconds where the record type allows it (Route53 alias records take the TTL of their target) and add client-side retry. A short TTL only helps resolvers that honor it; client runtimes with their own DNS cache (the JVM, for example) need that cache TTL configured separately, because nothing on the service side can flush a cache on the client.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eCloud-specific Helm value drift\u003c\/strong\u003e — The AWS and GCP values.yaml files diverge over time as teams make cloud-specific changes to one without updating the other. Fix: keep a base values.yaml with a thin overlay file per cloud, and add a CI check that fails when a key is added to one overlay but not the other (keys whose values legitimately differ per cloud, such as the storage class name, still have to be present in both).\u003c\/li\u003e\n\u003c\/ul\u003e","brand":"Citadel Cloud Management","offers":[{"title":"Default Title","offer_id":54890412704035,"sku":"CCM-DEV-035","price":55.0,"currency_code":"USD","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0979\/8539\/7027\/files\/citadel-devops-product_2b855211-894d-45f6-8ba1-44152bc09a40.jpg?v=1775138195","url":"https:\/\/www.citadelcloudmanagement.com\/products\/multi-cloud-terraform-patterns","provider":"Citadel Cloud Management","version":"1.0","type":"link"}
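An added example of the CI check described under "Cloud-specific Helm value drift" (this is not code from the Multi-Cloud Terraform Patterns template or from Citadel Cloud Management). It compares the key sets of the two cloud overlays and fails when a key exists in one but not the other, while treating free-form annotation maps as opaque leaves so that legitimately cloud-specific annotation keys are not reported. The two overlays are constructed sample data embedded inline; the file names values-aws.yaml / values-gcp.yaml and the list of opaque paths are assumptions.

```python
"""CI check for Helm overlay key drift between two cloud values files.

Added example, not code from the Multi-Cloud Terraform Patterns template.
Each cloud overlay should override the same set of keys (with cloud-specific
values); a key present in one overlay and absent from the other is drift.
The overlays below are constructed sample data. In CI you would replace them
with yaml.safe_load() over values-aws.yaml and values-gcp.yaml (file names
assumed).
"""
import sys
from typing import Any, Dict, FrozenSet, List, Set, Tuple

KeyPath = Tuple[str, ...]

# Constructed sample overlays standing in for the two cloud values files.
AWS_OVERLAY: Dict[str, Any] = {
    "ingress": {
        "className": "alb",
        "annotations": {"alb.ingress.kubernetes.io/scheme": "internet-facing"},
    },
    "storage": {"className": "gp3"},
    "serviceAccount": {
        "annotations": {"eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/app"},
    },
    "replicaCount": 3,
    # Added on the AWS side only: this is the drift the check must catch.
    "resources": {"limits": {"cpu": "500m", "memory": "512Mi"}},
}

GCP_OVERLAY: Dict[str, Any] = {
    "ingress": {
        "className": "gce",
        "annotations": {"kubernetes.io/ingress.global-static-ip-name": "app-ip"},
    },
    "storage": {"className": "standard-rwo"},
    "serviceAccount": {
        "annotations": {"iam.gke.io/gcp-service-account": "app@project.iam.gserviceaccount.com"},
    },
    "replicaCount": 3,
    # Added on the GCP side only: also drift.
    "podSecurity": {"runAsNonRoot": True},
}

# Free-form maps whose keys are legitimately cloud-specific (annotation keys
# differ between the ALB and GCE ingress controllers). The check verifies that
# the map itself exists in both overlays but does not compare its contents.
# Which paths belong here is a per-chart decision; this list is an assumption.
OPAQUE_PATHS: FrozenSet[KeyPath] = frozenset({
    ("ingress", "annotations"),
    ("serviceAccount", "annotations"),
})


def key_paths(node: Any, prefix: KeyPath = (),
              opaque: FrozenSet[KeyPath] = frozenset()) -> Set[KeyPath]:
    """Collect every key path (as a tuple) under `node`, including intermediate
    mapping keys. Mappings listed in `opaque` are treated as leaves."""
    paths: Set[KeyPath] = set()
    if not isinstance(node, dict) or prefix in opaque:
        return paths
    for key, value in node.items():
        path = prefix + (str(key),)
        paths.add(path)
        paths |= key_paths(value, path, opaque)
    return paths


def overlay_drift(left: Dict[str, Any], right: Dict[str, Any],
                  opaque: FrozenSet[KeyPath] = frozenset()) -> Tuple[List[str], List[str]]:
    """Return (keys only in left, keys only in right) as sorted dotted paths.
    Paths are joined with '.' for display only; comparison uses tuples, so an
    annotation key that contains dots cannot collide with a nested key."""
    left_paths = key_paths(left, opaque=opaque)
    right_paths = key_paths(right, opaque=opaque)

    def fmt(paths: Set[KeyPath]) -> List[str]:
        return sorted(".".join(p) for p in paths)

    return fmt(left_paths - right_paths), fmt(right_paths - left_paths)


def main() -> int:
    only_aws, only_gcp = overlay_drift(AWS_OVERLAY, GCP_OVERLAY, OPAQUE_PATHS)
    for path in only_aws:
        print(f"drift: {path} is set in the AWS overlay but missing from the GCP overlay")
    for path in only_gcp:
        print(f"drift: {path} is set in the GCP overlay but missing from the AWS overlay")
    # A non-zero exit fails the CI job, which is the gate the text describes.
    return 1 if (only_aws or only_gcp) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step after the overlays are checked out; with the sample data it reports the resources.* keys missing on GCP and podSecurity.* missing on AWS and exits 1. Without the opaque list, the per-cloud annotation keys would also be flagged, which is the false positive the allowlist exists to suppress.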