What It Does
Terraform IaC for spinning up FedRAMP Moderate-compliant infra on GCP. No tfengine, just native Terraform.
Why
Google’s official FedRAMP blueprint used tfengine to generate Terraform configs. That added a layer of abstraction that made it harder to understand what was actually being deployed, harder to customize, and harder to debug. Also tfengine is no longer maintained.
This project uses native Terraform directly. You can read the .tf files and understand exactly what’s going into your authorization boundary.
Stack
- Workload Identity Federation - No long-lived service account keys. GitHub Actions authenticates via OIDC, which is what FedRAMP assessors want to see.
- Private GKE Clusters - Control plane and nodes on private IPs. No public endpoints exposed to the internet.
- Private Cloud SQL (Postgres 15) - Database accessible only from within the VPC. No public IP assignment.
- Binary Authorization - Only signed container images run in the cluster. Prevents deploying unverified workloads.
- Confidential Computing (AMD SEV) - Data encrypted in-use at the hardware level. Useful for processing sensitive data where memory protection matters.
- GitHub Actions with OIDC - CI/CD authenticates to GCP via short-lived tokens instead of stored credentials.
- CMEK (Customer-Managed Encryption Keys) - Encryption keys managed in Cloud KMS rather than Google-managed defaults. Required for FedRAMP Moderate.
- Cloud Armor - WAF and DDoS protection for public-facing services.
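The Workload Identity Federation item above is the piece assessors look at most closely, so here is an added example of what that wiring looks like in native Terraform. This is illustrative code, not the project's own; the project id, pool/provider ids, repo name and service account name are placeholders, and the branch restriction is an assumption you should adjust to your release flow.

```hcl
# Added example (not this project's code): GitHub Actions -> GCP via OIDC,
# with no service account key. All ids below are placeholders.
variable "project_id"  { type = string } # hypothetical GCP project id
variable "github_repo" { type = string } # hypothetical "org/repo"

resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-pool"
  display_name              = "GitHub Actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  # Map the claims GitHub puts in its OIDC token onto Google attributes.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.ref"        = "assertion.ref"
  }

  # Without a condition, a token from ANY GitHub repository would satisfy
  # this provider. Pin it to one repo and (assumed) one deploy branch.
  attribute_condition = "assertion.repository == \"${var.github_repo}\" && assertion.ref == \"refs/heads/main\""
}

resource "google_service_account" "deployer" {
  project      = var.project_id
  account_id   = "gh-deployer" # placeholder
  display_name = "GitHub Actions deployer"
}

# Only pool identities carrying the matching repository attribute may
# impersonate the deployer SA. No key is ever generated for this account.
resource "google_service_account_iam_member" "github_impersonation" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_repo}"
}
```

On the workflow side, the `google-github-actions/auth` action takes the provider's full resource name and the deployer service account email; the job needs `permissions: id-token: write` for GitHub to issue the OIDC token. Give the deployer SA only the project roles the pipeline actually needs rather than a broad editor role.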
Disclaimer
Unofficial project. Not affiliated with Google. This is a starting point, not a complete authorization package - you’ll still need to do the SSP, policies, and assessment work.