feat: Terraform Foundation - AWS Landing Zone

Enterprise-grade multi-tenant AWS cloud foundation.

Modules:
- GitHub OIDC for keyless CI/CD authentication
- IAM account settings and security baseline
- AWS Config Rules for compliance
- ABAC (Attribute-Based Access Control)
- SCPs (Service Control Policies)

Features:
- Multi-account architecture
- Cost optimization patterns
- Security best practices
- Comprehensive documentation

Tech: Terraform, AWS Organizations, IAM Identity Center

live/dev/env.hcl

@@ -0,0 +1,17 @@
+# Development environment configuration
+locals {
+  environment  = "dev"
+  aws_region   = "us-east-1"
+  project_name = "myproject"  # Update this
+  
+  # Environment-specific settings
+  settings = {
+    multi_az           = false
+    deletion_protection = false
+    backup_retention   = 1
+    instance_class     = "db.t3.micro"
+    node_type          = "cache.t3.micro"
+    min_capacity       = 1
+    max_capacity       = 2
+  }
+}

live/prod/env.hcl

@@ -0,0 +1,17 @@
+# Production environment configuration
+locals {
+  environment  = "prod"
+  aws_region   = "us-east-1"
+  project_name = "myproject"  # Update this
+  
+  # Environment-specific settings
+  settings = {
+    multi_az           = true
+    deletion_protection = true
+    backup_retention   = 35
+    instance_class     = "db.r6g.large"
+    node_type          = "cache.r6g.large"
+    min_capacity       = 2
+    max_capacity       = 20
+  }
+}

live/shared/github-oidc/terragrunt.hcl

@@ -0,0 +1,143 @@
+# GitHub OIDC Configuration
+# Implements AWS/Terraform/Security best practices
+#
+# Security features enabled:
+# - Explicit repository restrictions (no wildcards)
+# - Branch/environment protection
+# - Session duration limits
+# - Least-privilege policies
+# - CloudTrail monitoring
+
+terraform {
+  source = "../../../terraform/modules/github-oidc"
+}
+
+include "root" {
+  path = find_in_parent_folders("terragrunt.hcl")
+}
+
+inputs = {
+  # GitHub organization
+  github_org  = "ghndrx"  # Update to your org
+  name_prefix = "github"
+
+  # Security settings
+  path                       = "/github-actions/"  # Isolated IAM path
+  max_session_hours_limit    = 2                   # Cap all sessions at 2 hours
+  deny_wildcard_repos        = true                # No * repos allowed
+  require_permissions_boundary = false             # Enable in production
+  # permissions_boundary = "arn:aws:iam::ACCOUNT:policy/GitHubActionsBoundary"
+
+  # Monitoring (requires CloudTrail)
+  enable_cloudtrail_logging = false  # Set true when CloudTrail is configured
+  # alarm_sns_topic_arn     = "arn:aws:sns:us-east-1:ACCOUNT:security-alerts"
+
+  # Custom roles with explicit restrictions
+  roles = {
+    # Infrastructure deployment - main branch only
+    infra = {
+      repos        = ["terraform-foundation", "infrastructure"]
+      branches     = ["main"]
+      environments = ["production"]
+      policy_statements = [
+        {
+          sid       = "ReadOnly"
+          actions   = ["ec2:Describe*", "s3:List*", "s3:Get*", "iam:Get*", "iam:List*"]
+          resources = ["*"]
+        }
+      ]
+      max_session_hours = 1
+    }
+
+    # PR validation - read-only
+    validate = {
+      repos        = ["terraform-foundation"]
+      pull_request = true
+      policy_statements = [
+        {
+          sid       = "ReadOnlyValidation"
+          effect    = "Allow"
+          actions   = ["ec2:Describe*", "s3:List*", "iam:Get*", "iam:List*"]
+          resources = ["*"]
+        }
+      ]
+      max_session_hours = 1
+    }
+
+    # Release automation - tag-based
+    release = {
+      repos    = ["terraform-foundation"]
+      tags     = ["v*"]
+      branches = []  # Only tags, not branches
+      policy_statements = [
+        {
+          sid       = "ReleaseArtifacts"
+          actions   = ["s3:PutObject"]
+          resources = ["arn:aws:s3:::release-artifacts/*"]
+        }
+      ]
+    }
+  }
+
+  # Terraform deployment with least privilege
+  terraform_deploy_role = {
+    enabled        = true
+    repos          = ["terraform-foundation"]
+    branches       = ["main"]
+    environments   = ["production"]
+    state_bucket   = "your-terraform-state-bucket"  # Update
+    state_bucket_key_prefix = "terraform/*"         # Limit to specific paths
+    dynamodb_table = "terraform-locks"
+    allowed_services = [
+      "ec2", "s3", "iam", "lambda", "apigateway",
+      "cloudwatch", "logs", "route53", "acm"
+    ]
+    denied_actions = [
+      "iam:CreateUser",
+      "iam:CreateAccessKey",
+      "iam:DeleteAccountPasswordPolicy",
+      "organizations:*",
+      "account:*",
+      "sts:AssumeRole"  # Prevent role chaining
+    ]
+  }
+
+  # ECR with explicit repos
+  ecr_push_role = {
+    enabled      = true
+    repos        = ["backend-api", "frontend-app"]
+    branches     = ["main", "develop"]
+    ecr_repos    = ["backend-api", "frontend-app"]  # Explicit ECR repos
+    allow_create = false
+    allow_delete = false
+  }
+
+  # S3 static sites
+  s3_deploy_role = {
+    enabled          = true
+    repos            = ["website", "docs"]
+    branches         = ["main"]
+    bucket_arns      = ["arn:aws:s3:::www.example.com"]  # Update
+    allowed_prefixes = ["assets/*", "*.html", "*.js", "*.css"]
+    cloudfront_arns  = []  # Add if using CloudFront
+  }
+
+  # Lambda deployments
+  lambda_deploy_role = {
+    enabled       = true
+    repos         = ["serverless-api"]
+    branches      = ["main"]
+    function_arns = [
+      "arn:aws:lambda:us-east-1:*:function:api-*"  # Update
+    ]
+    allow_create = false
+    allow_logs   = true
+  }
+
+  tags = {
+    Environment = "shared"
+    ManagedBy   = "terraform"
+    Component   = "github-oidc"
+    CostCenter  = "platform"
+  }
+}

live/staging/env.hcl

@@ -0,0 +1,17 @@
+# Staging environment configuration
+locals {
+  environment  = "staging"
+  aws_region   = "us-east-1"
+  project_name = "myproject"  # Update this
+  
+  # Environment-specific settings
+  settings = {
+    multi_az           = false
+    deletion_protection = false
+    backup_retention   = 7
+    instance_class     = "db.t3.small"
+    node_type          = "cache.t3.small"
+    min_capacity       = 1
+    max_capacity       = 5
+  }
+}