Terraform and federal IaC.

Infrastructure-as-code for AWS GovCloud, Azure Government, and on-premise clouds. Compliance-as-code, drift detection, versioned module libraries, and authorization-ready artifacts.

IaC is the foundation of federal cloud operations

Every federal cloud system that reaches production passes through infrastructure-as-code. Manual cloud configuration does not scale, cannot be audited, and does not survive the turnover of a 5-year federal mission. Terraform and CloudFormation are the dominant tools. We build in both, with a strong preference for Terraform (or its OpenTofu fork) for multi-cloud and multi-agency portability.

IaC in a federal context is more demanding than in commercial. Every resource must be tagged to a program, cost center, and data classification. Every provisioning decision must be justified against NIST 800-53 controls. Every change must produce a plan artifact that a security control assessor can inspect. Every state file must be encrypted, access-controlled, and backed up. The bar is high, and the consequences of getting it wrong include failed audits, mis-authorized systems, and material findings on annual assessment.

Our default federal IaC stack

  • Language: Terraform 1.9+ or OpenTofu 1.8+. HCL for all resource definitions.
  • State: S3 backend with KMS CMK encryption and DynamoDB locking in AWS GovCloud; Azure Storage Account backend with state locking in Azure Government.
  • Module registry: Private registry (Terraform Cloud, Artifactory, or GitHub-hosted) with semver versioning and changelog discipline.
  • Policy: Checkov and tfsec in pre-commit and CI. Open Policy Agent (Conftest) or Sentinel for organization-specific policy.
  • Testing: Terratest for module unit tests, terraform plan validation in CI, ephemeral test environments for integration.
  • Execution: Atlantis, Terraform Cloud, Spacelift, or GitHub Actions with OIDC-federated cloud credentials. No long-lived access keys.
  • Observability: Plan and apply artifacts shipped to S3 for audit retention, state change alerts to SIEM, drift detection on a scheduled cadence.

Landing zones for federal clouds

A landing zone is the account/subscription structure, networking, identity, and baseline controls that every workload inherits. Getting this right once saves a hundred workloads' worth of remediation later. Our landing zones for AWS GovCloud and Azure Government implement:

  • Multi-account organization with separation of duties.
  • Transit gateway or hub-spoke networking with classification-aware routing.
  • Centralized logging (CloudTrail, CloudWatch Logs, Azure Monitor).
  • Centralized KMS/Key Vault for shared encryption keys.
  • Security Hub / Defender for Cloud enabled and baseline-configured.
  • GuardDuty / Defender threat detection.
  • Config Rules / Azure Policy for continuous compliance.
  • SSO federation to the agency identity provider.

Compliance-as-code

The most valuable property of federal IaC is that it makes compliance enforceable at plan time. Rather than discovering in a 3PAO audit that an S3 bucket is missing encryption, you block it in a pre-commit hook. We ship policy libraries that map directly to NIST 800-53 control families:

  • AC family — identity and access baseline policies.
  • AU family — logging enabled on every auditable resource.
  • SC family — encryption in transit (TLS 1.2+) and at rest on every storage resource.
  • CM family — required tags for configuration management and cost tracking.
  • SI family — vulnerability scanning enabled on every VM and container image.

A terraform plan that violates any policy fails CI. The human author gets a specific error tying the violation to a control. Remediation happens in minutes, not in a post-audit remediation sprint.
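The plan-time gate described above, as an added example that is not the page's or any vendor's policy code: a hypothetical Python check over `terraform show -json plan.out` output that fails the run when an S3 bucket has no server-side encryption configuration (mapped to SC-28) or lacks the required program/cost-center/classification tags (mapped to CM-8). The control mappings, tag names and the sample plan are assumptions.

```python
"""Hypothetical plan-time policy gate (stand-in for a Conftest/Checkov policy, not their code)."""
import json
import sys

REQUIRED_TAGS = ("Program", "CostCenter", "DataClassification")  # CM family tagging baseline

def sse_covered_buckets(plan):
    """Bucket addresses referenced by an SSE configuration resource (via plan `configuration`)."""
    covered = set()
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        if res.get("type") == "aws_s3_bucket_server_side_encryption_configuration":
            for ref in res.get("expressions", {}).get("bucket", {}).get("references", []):
                covered.add(ref.removesuffix(".id"))  # "aws_s3_bucket.x.id" -> "aws_s3_bucket.x"
    return covered

def evaluate_plan(plan):
    """Return one message per violation, each tied to a control; empty list means apply may proceed."""
    violations, covered = [], sse_covered_buckets(plan)
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["delete"]:
            continue  # nothing to enforce on a resource being removed
        after = change.get("after") or {}
        if rc["type"] == "aws_s3_bucket" and rc["address"] not in covered:
            violations.append(f"SC-28 {rc['address']}: no server-side encryption configuration")
        if "tags" in after:  # only resource types that support tags carry this key
            missing = [t for t in REQUIRED_TAGS if t not in (after["tags"] or {})]
            if missing:
                violations.append(f"CM-8 {rc['address']}: missing required tags {missing}")
    return violations

SAMPLE_PLAN = {  # constructed sample, abridged shape of real `terraform show -json` output
    "resource_changes": [
        {"address": "aws_s3_bucket.audit", "type": "aws_s3_bucket", "change": {"actions": ["create"],
         "after": {"tags": {"Program": "PRG-1", "CostCenter": "CC-42", "DataClassification": "CUI"}}}},
        {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"tags": {"Program": "PRG-1"}}}},
        {"address": "aws_s3_bucket_server_side_encryption_configuration.audit",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "change": {"actions": ["create"], "after": {"rule": [{"sse_algorithm": "aws:kms"}]}}},
    ],
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket_server_side_encryption_configuration.audit",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "expressions": {"bucket": {"references": ["aws_s3_bucket.audit.id", "aws_s3_bucket.audit"]}}}]}},
}

if __name__ == "__main__":  # usage: python policy_gate.py plan.json (defaults to the sample)
    findings = evaluate_plan(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN)
    sys.exit("\n".join(findings) or 0)  # prints findings and exits 1; exits 0 when clean
```

The encryption check reads the plan's `configuration` section rather than `resource_changes` because a bucket created in the same plan has an unknown id until apply, so the SSE resource's `bucket` argument cannot be matched by value.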

Module libraries for reuse

Our federal module library is versioned, documented, and tested. Representative modules:

  • FedRAMP-boundary VPC — three-tier network with private subnets, NAT gateways or NAT instances, flow logs to S3 with KMS encryption.
  • IAM baseline — standard roles, MFA enforcement, password policy, access analyzer.
  • S3 hardened bucket — block public access, default encryption with CMK, versioning, lifecycle transitions, access logging.
  • EKS hardened cluster — private endpoint, control plane logging, KMS envelope encryption on secrets, OIDC provider for IRSA.
  • GuardDuty + Security Hub — multi-account delegated administrator, finding aggregation, CIS benchmark and FedRAMP standards enabled.
  • CloudTrail organization trail — multi-region, log file validation, KMS-encrypted destination bucket in log archive account.
  • KMS key lifecycle — CMK with key policy template, rotation enabled, alias management.
  • WAFv2 — OWASP top 10 rule group, rate limiting, geo-blocking where mission permits.

CloudFormation when it fits

For AWS-only federal programs with a preference to avoid third-party providers, we deliver in CloudFormation with the same rigor: StackSets for multi-account rollout, nested stacks for modularity, custom resources via Lambda for anything the resource model does not cover. AWS CDK is a valid choice when the team is comfortable with TypeScript or Python as the IaC language; we treat CDK as a CloudFormation generator, which is what it is.

Terraform for Kubernetes and platform layers

We use Terraform to provision cluster control planes (EKS, AKS, GKE) and the Kubernetes provider for in-cluster bootstrap (namespaces, CRDs, cluster-wide policy). Application-level Kubernetes manifests belong to GitOps (Argo CD, Flux), not Terraform — a separation that keeps the authorization boundary clean and the failure surfaces distinct. See federal Kubernetes.

Who we build IaC for

  • DoD — Terraform landing zones on AWS GovCloud with IL5 overlay.
  • HHS — Azure Government landing zones for health data workloads.
  • VA — multi-account AWS GovCloud with FedRAMP High inheritance.
  • DHS — mission-specific application stacks with zero-trust networking.
  • GSA — cloud.gov-aligned workloads, shared service patterns.

Federal IaC, answered.
Terraform or CloudFormation for federal work?

Terraform dominates because of multi-cloud portability and a deeper module ecosystem. CloudFormation is preferred when the program is AWS-only. OpenTofu is gaining adoption for agencies wanting an OSS-governance-aligned alternative.

How do you enforce compliance in IaC?

Policy-as-code via OPA Conftest, Sentinel, or Checkov. Terraform plans are evaluated in CI against NIST 800-53 mappings, and non-compliant resources are blocked at plan time.

What Terraform modules have you built for federal clouds?

Landing zones for AWS GovCloud and Azure Government, VPC patterns for FedRAMP boundaries, IAM baseline, GuardDuty, KMS key rotation, S3 hardened bucket, CloudTrail pipelines, WAF rulesets.

How do you manage Terraform state?

S3 backend with KMS encryption and DynamoDB locking in GovCloud; Azure Storage Account backend in Azure Gov. State is tagged, access-restricted, versioned, and never stored on developer workstations.

Do you handle drift detection?

Yes. Scheduled terraform plan runs detect drift; alerts feed the SIEM. AWS Config rules and Azure Policy provide a second layer at the API level.

Is Precision Federal a SAM.gov-registered small business?

Yes. Precision Delivery Federal LLC, SAM.gov active, UEI Y2JVCZXT9HP5, CAGE 1AYQ0, NAICS 541512. Ames, Iowa.


Build cloud that audits itself.

Terraform, OpenTofu, and CloudFormation for federal missions.
