Terraform & OpenTofu modules
176 verified Terraform modules across 20 cloud providers — every one is OpenTofu-compatible and statically validated (tofu validate + tflint + Checkov) before it passes the publish gate. Each ships an annotated terraform.tfvars.example: copy, edit, tofu apply.
99 of 176 are live-tested — really applied, verified, then destroyed. The rest are static-validated, live-test pending. We never label a module “live-tested” without the real test (see: how we verify).
All Terraform & OpenTofu modules
ACM Certificate (DNS-validated)
Requests a public, DNS-validated ACM TLS certificate that ACM auto-renews forever, outputting the validation records to publish — CT logging on, wildcards and SANs supported.
Akamai App & API Protector (WAF)
Security configuration with policy, WAF mode, match targets, rate controls, and IP/geo blocking, activated to staging or production.
Akamai CPS DV Certificate
Automated Domain Validated TLS enrollment with DNS/HTTP challenge outputs wired for Edge DNS.
Akamai Edge DNS Zone
Authoritative Edge DNS zone with full recordset management on Akamai's DDoS-resilient anycast network.
Akamai Edge Redirector Cloudlet
Rule-driven edge redirects (vanity URLs, migrations) managed as code with versioned policy activation.
Akamai EdgeWorker with EdgeKV
Deploy JavaScript at the edge with bundle versioning, EdgeKV namespace, and network activation in one module.
Akamai GTM Failover/Weighted Domain
Global Traffic Management domain with datacenters and failover or weighted-round-robin properties plus liveness tests.
Akamai Ion Delivery Property
End-to-end Ion CDN property: origin, edge hostname, caching/performance rule tree, CP code, and staging/production activation.
Akamai Network Lists
Versioned IP and geo block/allow lists with activation, ready to feed WAF policies and property rules.
Alibaba Cloud ACK Cluster
Managed ACK Kubernetes with node pools, VPC integration, and RAM roles.
Alibaba Cloud VPC Foundation
Multi-AZ VPC with vSwitches, NAT gateway, SNAT, security groups, and flow logs.
AlloyDB for PostgreSQL Cluster
AlloyDB cluster with primary + read-pool instances, PSC connectivity, automated backups and columnar/vector engine flags.
API Gateway & Deployment
Managed API gateway with route deployments, JWT/auth policies, rate limiting, CORS and custom-domain TLS.
API Gateway HTTP API
HTTP API with routes, Lambda/ALB integrations, custom domain, JWT authorizers, and access logs.
API Gateway (OpenAPI 2.0)
A serverless API Gateway fronting an OpenAPI 2.0 spec — API, immutable config and managed gateway — with a dedicated least-privilege backend service account and a built-in default spec.
API Gateway REST API (deny-by-default)
A REST API wired end to end — resource tree built from route paths, deny-by-default IAM authorization, MOCK/Lambda/HTTP integrations, deployment + stage with throttling and JSON access logs.
API Management (Consumption tier)
An API Management gateway tuned for the serverless Consumption tier — scale-to-zero, billed per call — with a system-assigned managed identity, TLS hardening, and HTTP/2 enabled.
Application Gateway v2 + WAF
Regional L7 load balancer with WAF v2 policy, TLS termination from Key Vault, autoscaling and health probes.
Application Load Balancer
ALB with HTTPS listeners, target groups, listener rules, and access logging — drop-in for ECS/EC2/Lambda targets.
Artifact Registry Repositories
Docker/Maven/npm repos with cleanup policies, remote and virtual repositories, CMEK and reader/writer IAM.
Aurora Cluster (Serverless v2 ready)
Aurora PostgreSQL/MySQL cluster with instances, parameter groups, Serverless v2 scaling, and enhanced monitoring.
Autonomous Database (Serverless)
ATP/ADW/JSON/APEX autonomous database with private endpoint, mTLS wallet output, ACLs, auto-scaling and backup config.
AWS S3 Bucket (hardened)
Private S3 bucket with encryption, versioning, public-access block, and TLS-only policy.
Azure App Service (Linux Web App)
App Service plan + Linux web app with deployment slots, custom domain + managed TLS, VNet integration and autoscale.
Azure Bastion + Hardened Jumpbox
Bastion (Developer/Basic/Standard SKU) with optional hardened Linux VM, JIT-style NSG rules and boot diagnostics for secure VM access without public IPs.
Azure Cache for Redis
Azure Cache for Redis done cheap by default — the Basic C0 tier with TLS 1.2 minimum and the non-SSL port disabled — scaling cleanly up to Standard and Premium via precondition-guarded inputs.
Azure Container Apps Environment
Container Apps environment with workload profiles, Dapr, KEDA scale rules, ACR pull identity and custom domain.
Azure Container Instances (ACI)
Runs one or more containers on Azure Container Instances without VMs or an orchestrator — secure by default with no privileged containers, redacted secret fields, and an optional managed identity.
Azure Container Registry
ACR with geo-replication, retention/trust policies, private endpoint and AcrPull role wiring for AKS/Container Apps.
Azure Cosmos DB Account
Cosmos DB (NoSQL or MongoDB API) with multi-region failover, autoscale throughput, private endpoint and backup policy.
Azure DevOps Project + Repo + Pipeline
Bootstraps an Azure DevOps project with an initialized Git repository and a YAML build pipeline — repeatable team setup as code.
Azure Front Door (Std/Premium) + WAF
Global entry point: Front Door profile, endpoints, origin groups, custom domains with managed TLS and WAF policy.
Azure Functions App
Function app (Flex Consumption or Premium) with storage, Application Insights, managed identity and VNet integration.
Azure Key Vault
RBAC-mode Key Vault with private endpoint, diagnostics, and managed keys/secrets/certificates scaffolding.
Azure Kubernetes Service Cluster
Hardened AKS with system/user node pools, workload identity, Entra RBAC integration, Azure CNI overlay, and Container Insights wired in.
Azure Landing Zone Core
Management-group hierarchy, policy baseline (ALZ-aligned), centralized logging and RBAC scaffolding — the flagship enterprise starter.
Azure Linux Virtual Machine (self-contained)
A fully self-contained general-purpose Linux VM on Azure — one apply creates the resource group, VNet, subnet, NSG, NIC, optional public IP and an SSH-key-only VM with a system-assigned identity.
Azure Linux VM Scale Set (Uniform)
A self-contained Linux VM Scale Set (Uniform orchestration) on Azure — one apply creates the resource group, VNet, subnet, NSG and an SSH-key-only scale set with deny-all-inbound and no public IPs.
Azure Monitor & Log Analytics Baseline
Central Log Analytics workspace, diagnostic-settings-everywhere pattern, action groups and starter alert pack (metric + log + activity).
Azure Private DNS Zone
A self-contained Azure Private DNS zone with virtual-network links and optional record sets for private name resolution across VNets and Private Endpoints — VM auto-registration off by default.
Azure Private Endpoint (Private Link)
An Azure Private Endpoint giving a target PaaS resource a private IP inside your VNet so traffic stays on the Microsoft backbone — wire to existing subnet/target or run fully self-contained.
Azure Public DNS Zone & Records
An Azure public DNS zone plus a map-driven set of record sets — A, AAAA, CNAME, TXT, MX, NS, CAA and SRV — with relative naming, verbatim TXT values, and apex footgun guards.
Azure SQL Database
Logical SQL server + database with Entra-only auth, firewall/private endpoint, auditing, TDE and failover-group option.
Azure Standard Load Balancer (L4)
An Azure Standard L4 load balancer with a self-created static public IP frontend, a backend address pool, health probes and load-balancing rules — Standard SKU throughout.
Azure Static Web App
Globally distributed hosting for static sites and SPAs on Azure Static Web Apps with optional serverless APIs, free auto-renewing TLS, and a built-in global CDN — defaulting to the cost-free Free SKU.
Azure Storage Account (secure-by-default)
Storage account with containers/file shares, lifecycle rules, network rules, CMK encryption and private endpoint options — Azure's most-deployed resource done right.
Azure Traffic Manager Profile
Global, DNS-based load balancing with a Traffic Manager profile and map-driven external endpoints — Performance, Priority, Weighted, Geographic, Subnet or MultiValue routing with an HTTPS health probe.
Azure Virtual Network (hub-ready)
Production VNet with subnets, NSGs, route tables, peering and optional NAT Gateway — the network backbone every Azure deployment starts with.
Base Database Service (DBCS VM)
Oracle Database VM system with DB home, TDE via Vault, automated backups and optional Data Guard standby.
Bastion Service
Zero-footprint managed bastion with session-managed SSH/port-forward access to private subnets — replaces jump hosts.
BigQuery Dataset & Tables
Datasets with partitioned/clustered tables, authorized views, CMEK and dataset-level access controls.
Certificate Manager (certificate map)
A Certificate Manager certificate map for external HTTPS load balancers, with an optional Google-managed certificate and DNS authorization provisioned when you supply a domain you control.
Civo Compute Stack
Instances with network, firewall, volume, and reserved IP.
Civo Kubernetes Cluster
Fast-launch k3s cluster with node pools, firewall rules, and network.
Cloud Armor Security Policy (WAF)
A global Cloud Armor WAF policy with preconfigured OWASP SQLi and XSS rules enforcing by default, an optional per-client rate limit, and custom IP allow/deny rules — attachable to many backends.
Cloud Bigtable Instance & Table
A single-cluster Cloud Bigtable instance (one 1-node SSD cluster, the smallest footprint) plus a table with column families, IAM-only access, optional CMEK, and deletion protection on.
Cloud DNS Zones & Records
Public/private managed zones with record sets, DNSSEC, forwarding and peering configs.
Cloud Filestore NFS Share
A managed Cloud Filestore NFS share for GKE and Compute Engine, VPC-peered with no public exposure, optional per-client export rules for least-privilege access, and deletion protection on.
Cloudflare DNS & WAF
Zone DNS records, security settings, and managed WAF rulesets for a Cloudflare zone — provider v5 ready.
Cloudflare Workers Platform
Worker with KV/R2/D1 bindings, routes, custom domain, and secrets — full edge app scaffold.
Cloudflare Zero Trust Access
Access application with policies, identity provider wiring, and a cloudflared tunnel to private origins.
CloudFront Site (S3 + ACM + Route53)
Complete HTTPS site/CDN: CloudFront distribution, OAC-locked S3 origin, ACM cert, and Route53 alias records.
Cloud KMS Keyring & Keys
Keyrings and rotation-enabled crypto keys with per-key IAM for CMEK across GCS, BigQuery, Cloud SQL and disks.
Cloud Monitoring, Alerting & Log Export
A self-contained observability bundle: a metric-threshold alert policy, a Monitoring dashboard, and a log-export sink to a locked-down GCS bucket with the sink writer-identity IAM grant wired in.
Cloud NAT Gateway
A regional Cloud Router and Cloud NAT gateway giving private, external-IP-less instances outbound internet access, with auto-allocated NAT IPs, all-subnet coverage, and logging on by default.
Cloud Run Function (gen2)
Event-driven or HTTP gen2 function with source upload, dedicated runtime SA and Eventarc trigger wiring.
Cloud Run Job (v2)
A Cloud Run v2 Job for batch and run-to-completion workloads with a dedicated runtime service account, auto-wired Secret Manager accessor grants, VPC egress, bounded retries and per-task timeout.
Cloud Run Service
Cloud Run v2 service with autoscaling, secret and VPC egress wiring, custom domain and invoker IAM done right.
Cloud Scheduler HTTP Cron Job
A Cloud Scheduler cron job that calls an HTTP(S) endpoint on a schedule, with a bounded attempt deadline, capped exponential-backoff retries, and per-invocation OIDC/OAuth service-account auth.
Cloud Spanner Instance & Database
A regional Cloud Spanner instance at the smallest billable size (100 processing units) plus a database with optional starter schema, drop protection, and Terraform deletion protection on.
Cloud SQL (PostgreSQL/MySQL) HA Instance
Regional-HA Cloud SQL with private IP (PSA/PSC), automated backups, PITR, read replicas and IAM database auth.
Cloud Storage Bucket
Hardened GCS bucket with uniform access, versioning, lifecycle/soft-delete policies, CMEK and least-privilege IAM.
Cloud Tasks Queue
A Cloud Tasks queue with capped dispatch rate and concurrency, a bounded exponential-backoff retry policy, and full Stackdriver logging so failed dispatches are observable rather than silent.
CloudWatch Logs, Alarm & Dashboard
A self-contained CloudWatch observability bundle — an encrypted log group with retention, a metric alarm, and a dashboard — that stands up from just a name and points at any real metric.
Cloud Workflows (least-privilege identity)
A Cloud Workflows workflow that runs as a dedicated least-privilege service account instead of the broad Compute Engine default, with inline YAML, deletion protection, and call logging.
CodeDeploy CI/CD (EC2 / ECS / Lambda)
CodeDeploy application, deployment groups, and the platform-correct service role for automated EC2/ECS/Lambda rollouts with auto-rollback on failure.
CodePipeline + CodeBuild CI/CD
AWS-native CI/CD: CodePipeline orchestrating a CodeBuild project, with an encrypted private artifact bucket and least-privilege roles. Sources from S3 (or GitHub).
Cognito User Pool & App Client
A secure-by-default Cognito user pool and app client with optional hosted-UI domain — strong password policy, TOTP MFA, account-enumeration protection, SRP-only flows, and refresh-token revocation.
DigitalOcean App Platform Service
Declarative App Platform deployment with services, workers, domains, and alerts.
DigitalOcean DOKS Cluster
Production DOKS with node pools, VPC, registry hookup, and maintenance windows in one apply.
DigitalOcean Droplet Stack
Hardened droplet(s) with VPC, firewall, volume, reserved IP, and cloud-init bootstrap.
DigitalOcean Managed Database
Managed PG/MySQL/Valkey cluster with firewall trust list, users, DBs, and replicas.
DNS Zone & Traffic Steering
Public/private DNS zones with record sets, failover/geo steering policies and health-check probes.
DRG Hub & Spoke Connectivity
Dynamic Routing Gateway with VCN attachments, custom DRG route tables, remote peering and IPSec/FastConnect attach points.
DynamoDB Table
DynamoDB table with GSIs/LSIs, TTL, streams, autoscaling or on-demand, and point-in-time recovery.
EC2 Instance
EC2 instance with IMDSv2, encrypted EBS, instance profile, and EIP — secure defaults out of the box.
EC2 Launch Template + Auto Scaling Group
EC2 launch template and Auto Scaling group with IMDSv2 enforced, encrypted gp3 root volume, an egress-only security group, and scale-to-zero defaults so it applies cleanly with no compute cost.
ECR Repository
ECR repo with lifecycle rules, scan-on-push, immutable tags, and cross-account/replication policies.
ECS Fargate Service
Full Fargate stack: cluster, task definition, service with ALB integration, autoscaling, and Cloud Map discovery.
EFS File System (encrypted, in-transit TLS)
An EFS file system with mount targets, a least-privilege NFS security group, lifecycle tiering, automatic backups, and a resource policy that enforces encryption in transit.
EKS Cluster with Managed Node Groups
Opinionated EKS cluster with node groups, core add-ons, Pod Identity, and KMS secret encryption.
ElastiCache for Redis / Valkey
A cluster-mode-disabled ElastiCache Redis/Valkey cache with encryption at rest and in transit both on, no public exposure, and the subnet group and security group created for you.
Entra ID Workload Identity Baseline
App registrations, service principals, groups and federated credentials (OIDC for GitHub/Terraform) — the identity plumbing every Azure org rebuilds by hand.
Eventarc Pub/Sub Trigger
An Eventarc Pub/Sub trigger wired into a self-contained pipeline — a Cloud Run target, a dedicated delivery service account, and the run.invoker and eventReceiver grants Eventarc silently requires.
EventBridge Bus, Rule & Target
A custom EventBridge event bus, a pattern-filtered rule, and a target wired end-to-end — encryption at rest always on, least-privilege log delivery, and a 24h retry policy with optional DLQ.
Event Grid Topic & Subscriptions
An Event Grid custom topic plus event subscriptions with an optional in-module Storage Queue target — SAS auth off (Entra ID), a system-assigned identity, and HTTPS-only TLS 1.2+ storage.
Event Hubs Namespace & Hubs
An Event Hubs namespace plus hubs, each with consumer groups and least-privilege SAS rules for high-throughput (Kafka-compatible) ingestion — TLS 1.2 floor and optional default-deny networking.
Exoscale DBaaS
Managed PG/MySQL/Kafka with IP filters and TF-managed users.
Exoscale SKS Cluster
SKS Kubernetes with node pools, security groups, and anti-affinity.
File Storage (NFS)
Elastic NFSv3 file system with mount target, export options, snapshots and NSG-scoped access.
Flexible Load Balancer (L7)
HTTPS load balancer with backend sets, health checks, TLS certificates, rule sets and WAF-ready listeners.
Functions Application
Serverless Fn application with functions, provisioned concurrency, invoke logging and Events-rule trigger wiring.
GCP Project Factory
Opinionated project creation: API enablement, billing budget, default-SA lockdown, audit log sinks and baseline IAM.
GCP VPC Network Foundation
Production VPC with subnets, secondary ranges, firewall rules, Cloud Router and Cloud NAT — the network base every GCP workload sits on.
GKE Cluster (Autopilot & Standard)
Private, Workload-Identity-enabled GKE cluster with managed node pools, release channels and maintenance windows, hardened to Google best practice.
Global External HTTPS Load Balancer
Global ALB with managed TLS certs, URL map, serverless/instance NEG backends, optional Cloud CDN and Cloud Armor policy.
HA VPN (Site-to-Site)
99.99% SLA HA VPN gateway pair with BGP-dynamic routing — GCP-to-on-prem or GCP-to-AWS/Azure.
Hetzner Load-Balanced Web Tier
Managed LB with health checks, cert, and label-selected server targets.
Hetzner Private Network + NAT
Private network with subnets, routes, and a NAT gateway server for egress-only fleets.
Hetzner Server Fleet
N-server fleet with placement group, firewall, primary IPs, and cloud-init — Hetzner's price/perf with guardrails.
Huawei Cloud CCE Cluster
CCE Kubernetes with VPC/subnet, node pool, and EIP-attached ingress.
IAM Roles, Policies & OIDC Trust
Least-privilege IAM roles, managed policies, and GitHub/EKS OIDC federation in one composable module.
IBM Cloud Kubernetes (IKS) on VPC
IKS cluster on VPC Gen2 with worker pools and COS-backed registry namespace.
IBM Cloud VPC Landing Zone (Lite)
VPC with subnets, public gateways, ACLs, and security groups following IBM SLZ patterns.
Instance Pool with Autoscaling
Self-healing instance pool from an instance configuration with metric- or schedule-based autoscaling and LB attachment.
Internal Passthrough Load Balancer (L4)
An internal passthrough L4 load balancer — health check, regional backend service and forwarding rule — that stands up before any backends exist, preserving client source IPs, with optional global access.
Jenkins Controller on AWS (EC2)
Self-hosted Jenkins controller on a hardened EC2 instance — restricted security group, IMDSv2 enforced, SSM access, encrypted root volume, Jenkins auto-installed via user-data.
Jenkins Controller on Azure (VM)
Self-hosted Jenkins on a hardened Azure Linux VM — self-contained vnet/subnet/NSG, SSH-key auth only, managed-disk encryption, Jenkins installed via cloud-init.
Kinesis Data Stream (on-demand)
A Kinesis Data Stream with KMS encryption at rest on by default and ON_DEMAND capacity (no shard math), plus optional enhanced fan-out consumers and IAM-only access.
KMS Key with Policy Patterns
Customer-managed KMS keys with sane key policies, aliases, rotation, and multi-region replicas.
Lambda Function (Packaged & Wired)
Lambda with execution role, log group, triggers, aliases, and zip/container packaging handled.
Linode Block Storage Volume
Attachable, resizable NVMe block volume with safe attach/detach lifecycle handling.
Linode Cloud Firewall Baseline
Opinionated stateful firewall with deny-by-default inbound, curated allow rules, and multi-device attachment.
Linode Compute Instance (production-ready)
Hardened Linode VM with cloud-init, disk encryption, reverse DNS, backups, and firewall attachment in one apply.
Linode DNS Zone & Records
Complete DNS zone with typed record management and sane TTL defaults on Linode's free DNS Manager.
Linode Kubernetes Engine Cluster
Production LKE cluster with autoscaling node pools, HA control plane, disk encryption, ACL, and optional Enterprise tier.
Linode Managed Database (MySQL/PostgreSQL)
HA managed database cluster with allowlists, maintenance windows, and fork/restore support on the new Aiven platform.
Linode NodeBalancer Load Balancer
Managed L4/L7 load balancer with TLS termination, health checks, session stickiness, and UDP support.
Linode Object Storage Bucket
S3-compatible bucket with scoped access keys, versioning, lifecycle rules, and optional static-site hosting.
Linode VPC with Subnets
Isolated VPC network with labeled subnets ready for instances, LKE, and NodeBalancer backends.
Logic App (Consumption) Workflow
An Azure Logic App (Consumption) workflow with a built-in Recurrence trigger — serverless pay-per-execution automation with a system-assigned managed identity and inbound IP allowlists.
Managed Instance Group (autoscaling, autohealing)
A zonal Managed Instance Group built from a hardened Shielded-VM instance template, private by default, with optional CPU autoscaling, autohealing, and zero-downtime rolling template updates.
Memorystore Redis/Valkey
Private Memorystore instance or cluster (Redis or Valkey) with auth, TLS and maintenance policy on your VPC.
MSK Serverless (Apache Kafka)
An MSK Serverless Apache Kafka cluster with no brokers to size — SASL/IAM authentication only, encryption in transit and at rest always on, multi-AZ placement, and a locked-down security group.
MySQL Flexible Server
Azure Database for MySQL Flexible Server with TLS required by default, correct delegated-subnet + private DNS zone ordering, an Entra administrator, databases, and cheapest-by-default Burstable sizing.
MySQL HeatWave DB System
Managed MySQL with optional HeatWave analytics cluster, HA, backups, configuration and inbound replication channel.
Network Load Balancer (L4)
A Layer-4 Network Load Balancer with map-driven TCP/UDP/TLS listeners and target groups, modern TLS 1.3 termination from an ACM cert, and self-contained default-VPC networking.
Network Load Balancer (L4)
Low-latency pass-through NLB with TCP/UDP listeners, backend health checks and preserved client IPs.
Object Storage Bucket
Bucket with versioning, lifecycle/auto-tiering, retention rules, replication and pre-authenticated request support.
OCI Compute Instance (flex shapes)
Opinionated VM with E5/A1 flex shapes, cloud-init, attached block volumes, NSGs and in-transit encryption.
OCI IAM Foundation (compartments + policies)
Tenancy landing-zone core: compartment hierarchy, groups, dynamic groups, policy statements and tag namespaces from a single map.
OCI VCN (hub-ready network foundation)
Production VCN with public/private subnets, internet/NAT/service gateways, route tables, NSGs and IPv6 — the module every OCI tenancy starts with.
OKE Managed Kubernetes Cluster
Enhanced OKE cluster with managed + virtual node pools, private API endpoint, NSGs, addons and OIDC — flagship OCI workload platform.
OVHcloud Managed Database
Managed PG/MySQL/Kafka with users, IP restrictions, and private network egress.
OVHcloud Managed Kubernetes
MKS cluster with node pools and private-network (vRack) attachment.
PostgreSQL Flexible Server
Flexible Server with HA option, private VNet delegation, Entra auth, firewall and tuned server parameters.
Production VPC (Multi-AZ)
Battle-tested multi-AZ VPC with public/private/database subnets, NAT, endpoints, and flow logs.
Pub/Sub Topics & Subscriptions
Topics with schemas, push/pull/BigQuery subscriptions, dead-letter queues and retry policies preconfigured.
RDS Instance (PostgreSQL/MySQL)
Single-instance or Multi-AZ RDS with subnet/parameter/option groups, backups, and monitoring wired correctly.
Redshift Cluster (encrypted, private)
A production-ready single-node Redshift cluster with encryption always on, never publicly accessible, a parameter group enforcing require_ssl, and a generated admin password stored in Secrets Manager.
Resource Group + Naming/Tagging Baseline
Opinionated resource group factory with CAF-compliant naming, mandatory tags, locks and budget alert.
Route 53 Hosted Zone & Records
A Route 53 hosted zone (public or private via vpc_ids) plus a map-driven set of records, with name normalisation and the alias-vs-rdata distinction resolved and inputs validated.
Scaleway Kapsule Cluster
Kapsule Kubernetes with pools, private network, and autoscaling/autoheal presets.
Scaleway Managed Database
RDB PostgreSQL/MySQL with HA, private-network endpoint, users, and ACLs.
Scaleway Serverless Container
Container namespace, deployed container, custom domain, and registry wiring.
Secret Manager Secrets
Secrets with versions, replication policy, rotation schedules, expiry and accessor IAM.
Secrets Manager Secret
Secrets with versioning, resource policies, replication, and optional Lambda rotation scaffolding.
Security Group with Rule Presets
Security groups with named rule presets (https, postgres, redis, ...) using modern standalone rule resources.
Service Accounts & IAM Bindings
Service accounts with least-privilege project/resource IAM and optional Workload Identity Federation for keyless CI/CD (GitHub Actions).
Service Bus Namespace, Queues & Topics
An Azure Service Bus namespace with queues, topics and subscriptions on the Standard SKU — SAS local auth off (Entra ID + RBAC), TLS 1.2+ minimum, and dead-lettering of expired messages.
SES v2 Sending Stack
An SES v2 sending stack — a configuration set with an optional domain/email identity (Easy DKIM) — with TLS required, bounce/complaint suppression, and reputation metrics to CloudWatch.
SNS Topic with Subscriptions
SNS standard/FIFO topic with encryption, delivery policies, and SQS/Lambda/email subscriptions.
SQS Queue with DLQ
SQS standard/FIFO queue with dead-letter queue, redrive policy, SSE, and least-privilege queue policy.
SSM Parameter Store (map-driven)
Map-driven SSM Parameter Store parameters — String, StringList, and SecureString — created from a single map, with SecureString always KMS-encrypted and the free Standard tier by default.
Step Functions State Machine
A Step Functions state machine (STANDARD or EXPRESS) with a least-privilege execution role, a managed CloudWatch log group, X-Ray tracing, and encryption at rest — working out of the box from a single name.
Tencent Cloud VPC Foundation
VPC with subnets, route tables, NAT, and security groups across AZs.
Tencent TKE Cluster
Managed TKE Kubernetes with node pools and VPC-CNI networking.
UpCloud Managed Database
Managed PG/MySQL with properties tuning, users, and logical DBs.
UpCloud Server Stack
Servers on SDN private network with storage, router, and firewall rules.
User-Assigned Managed Identities
A map-driven module creating one or many user-assigned managed identities, each with optional workload identity federation (OIDC) and least-privilege RBAC role assignments — no secrets to rotate.
Vault, Keys & Secrets
KMS vault with HSM/software master keys, key rotation and secret lifecycle management for app credentials.
Vault Policies & Auth
Vault policies, auth backends, and secret engine configuration as code.
Vertex AI Endpoint
A Vertex AI Endpoint for online prediction with optional CMEK, optional Private Service Access networking and request/response logging — model deployment left to you, so it stands up for cents.
Vultr Compute Stack
Instances with VPC, firewall, block storage, and reserved IP.
Vultr VKE Cluster
VKE Kubernetes with node pools, VPC, and firewall in one module.
WAFv2 Web ACL (managed rules + rate limit)
A WAFv2 web ACL (REGIONAL or CLOUDFRONT) with a default-allow posture, configurable AWS managed rule groups blocking by default, and a rate-based rule that throttles abusive IPs.