Infrastructure as Code (IaC)

Secure Infrastructure
Made Simple

The "last mile" for NIS2 compliance. Production-ready Terraform modules, hardened Helm charts, and Policy-as-Code — all compliant by design.

Multi-Cloud Terraform Modules

Deploy compliant infrastructure in minutes. Includes VPC hardening, private endpoints, and encryption at rest enabled by default.


Azure Module

  • AKS with Auto-Upgrade
  • PostgreSQL Flexible Server
  • Key Vault Integration
  • Log Analytics Workspace

source = "./modules/azure"
enable_key_vault = true

AWS Module

  • EKS Cluster Hardening
  • RDS with Encryption
  • VPC Flow Logs Enabled
  • S3 Block Public Access

source = "./modules/aws"
enable_flow_logs = true

GCP Module

  • GKE Private Cluster
  • Cloud SQL with IAM Auth
  • Artifact Registry
  • Workload Identity

source = "./modules/gcp"
private_cluster = true

New Feature

Flexible Compliance Toggles

Not every project needs full NIS2 compliance from Day 1. Our Azure module now supports granular toggles to balance cost against compliance: control expensive resources such as Log Analytics and Key Vault with simple booleans.

variables.tf (Terraform configuration)

module "azure_infrastructure" {
  source = "./modules/azure"

  # Start small (Dev/Test)
  enable_log_analytics = false # Save ~€100/mo
  enable_key_vault     = false # Use K8s secrets instead

  # Or go full NIS2 (Production)
  full_nis2_compliance = true  # Overrides all above
}
  • Art. 21.2.c: Backup & Disaster Recovery
  • Art. 21.2.d: Access Control (Key Vault)
  • Art. 21.2.a: Risk Analysis (Logs)
  • Art. 21.2.e: Incident Handling
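How a single production switch can override the individual toggles is easiest to see inside the module. The following is an added illustration, not code from the product's Azure module: it reuses the three variable names from the snippet above and assumes `name_prefix`, `location`, `resource_group_name` and `tenant_id` as the module's other inputs.

```hcl
# Added example, not the product's module code. Variable names match the
# module call above; name_prefix, location, resource_group_name and tenant_id
# are assumed inputs of the module.
variable "enable_log_analytics" {
  type    = bool
  default = false
}

variable "enable_key_vault" {
  type    = bool
  default = false
}

variable "full_nis2_compliance" {
  type    = bool
  default = false
}

variable "name_prefix" { type = string }
variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "tenant_id" { type = string }

locals {
  # The production switch wins: when it is on, the individual toggles are
  # ignored, so nobody can ship full_nis2_compliance = true with logging off.
  log_analytics_enabled = var.full_nis2_compliance || var.enable_log_analytics
  key_vault_enabled     = var.full_nis2_compliance || var.enable_key_vault
}

# Risk analysis (logs): created only when enabled; count = 0 removes it cleanly.
resource "azurerm_log_analytics_workspace" "this" {
  count               = local.log_analytics_enabled ? 1 : 0
  name                = "${var.name_prefix}-law"
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

# Access control: the hardened settings apply whenever the vault exists at all,
# so the toggle controls cost, never the security posture of what is deployed.
resource "azurerm_key_vault" "this" {
  count                         = local.key_vault_enabled ? 1 : 0
  name                          = "${var.name_prefix}-kv" # must be globally unique, 3-24 chars
  location                      = var.location
  resource_group_name           = var.resource_group_name
  tenant_id                     = var.tenant_id
  sku_name                      = "standard"
  purge_protection_enabled      = true
  soft_delete_retention_days    = 90
  public_network_access_enabled = false
}

# Consumers get null instead of an index error when a feature is switched off.
output "log_analytics_workspace_id" {
  value = one(azurerm_log_analytics_workspace.this[*].id)
}

output "key_vault_id" {
  value = one(azurerm_key_vault.this[*].id)
}
```

The `||` in the locals is evaluated at plan time, so `terraform plan` with `full_nis2_compliance = true` shows both resources being created regardless of the other two flags. Note the reverse direction: flipping a toggle from `true` back to `false` destroys the resource, and for the Log Analytics workspace that means its retained logs go with it unless the resource is moved out of the module state first.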

Policy as Code

Don't just trust; verify. We include OPA Gatekeeper policies to enforce NIS2 requirements at the Kubernetes admission level.

Blocked: Privileged Container

Pod attempted to run as root. Violated `k8snonroot` policy.

Blocked: Missing Labels

Deployment missing `nis2-compliance` label. Violated `k8srequiredlabels`.

Allowed: Compliant Pod

`runAsNonRoot: true`, `readOnlyRootFilesystem: true`.

k8snonroot.yaml (Rego policy)

package k8snonroot

# Block any container that requests privileged mode.
violation[{"msg": msg}] {
  input.review.object.spec.containers[_].securityContext.privileged
  msg := "Privileged containers are not allowed by NIS2 Art 21.2.d"
}

# The pod-level securityContext must opt in to non-root execution.
violation[{"msg": msg}] {
  not input.review.object.spec.securityContext.runAsNonRoot
  msg := "Containers must run as non-root user"
}

# A container-level runAsNonRoot: false overrides the pod setting in Kubernetes, so block it too.
violation[{"msg": msg}] {
  input.review.object.spec.containers[_].securityContext.runAsNonRoot == false
  msg := "Containers must run as non-root user"
}

💎 Premium Add-ons
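A ConstraintTemplate only defines a rule; nothing is blocked until a Constraint binds it to a set of resources. The block below is an added illustration, not the product's own manifests: it binds the two templates the page names (`k8snonroot` and `k8srequiredlabels`) through Terraform's `kubernetes_manifest` resource. It assumes both templates are already installed in the cluster, that the CRD kind generated for `k8snonroot` is `K8sNonRoot`, that `k8srequiredlabels` takes the `labels`/`allowedRegex` parameters of the upstream gatekeeper-library template, and that a `kubernetes` provider is configured.

```hcl
# Added example, not the product's manifests. Assumes the k8snonroot and
# k8srequiredlabels ConstraintTemplates are installed, that k8snonroot's CRD
# kind is K8sNonRoot, and that the "kubernetes" provider points at the cluster.
variable "policy_enforcement_action" {
  type    = string
  default = "dryrun" # audit first; switch to "deny" once existing violations are triaged
  validation {
    condition     = contains(["dryrun", "warn", "deny"], var.policy_enforcement_action)
    error_message = "policy_enforcement_action must be dryrun, warn or deny."
  }
}

# System namespaces are exempt so a policy mistake cannot lock the cluster out of itself.
locals {
  exempt_namespaces = ["kube-system", "gatekeeper-system"]
}

# "Blocked: Missing Labels": every Deployment must carry nis2-compliance=true|false.
resource "kubernetes_manifest" "require_nis2_label" {
  manifest = {
    apiVersion = "constraints.gatekeeper.sh/v1beta1"
    kind       = "K8sRequiredLabels"
    metadata   = { name = "deployments-require-nis2-compliance-label" }
    spec = {
      enforcementAction = var.policy_enforcement_action
      match = {
        kinds              = [{ apiGroups = ["apps"], kinds = ["Deployment"] }]
        excludedNamespaces = local.exempt_namespaces
      }
      parameters = {
        labels = [{ key = "nis2-compliance", allowedRegex = "^(true|false)$" }]
      }
    }
  }
}

# "Blocked: Privileged Container" and the non-root rule: bind k8snonroot to Pods.
# Matching Pods (not Deployments) catches every workload type at admission time.
resource "kubernetes_manifest" "pods_non_root" {
  manifest = {
    apiVersion = "constraints.gatekeeper.sh/v1beta1"
    kind       = "K8sNonRoot"
    metadata   = { name = "pods-must-run-as-non-root" }
    spec = {
      enforcementAction = var.policy_enforcement_action
      match = {
        kinds              = [{ apiGroups = [""], kinds = ["Pod"] }]
        excludedNamespaces = local.exempt_namespaces
      }
    }
  }
}
```

Two practical points: `kubernetes_manifest` needs the Constraint CRDs to exist at plan time, so the ConstraintTemplates have to be applied in an earlier step rather than in the same `terraform apply`; and starting with `dryrun` lets Gatekeeper's audit report list the workloads that would be rejected, so the switch to `deny` does not surprise anyone deploying to the cluster.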

Enterprise Features

Take your infrastructure to the next level with premium modules for business continuity and advanced compliance.

Disaster Recovery Module

NEW

On-premises installation with automatic failover to an encrypted cloud standby. Business continuity in under 5 minutes with zero data loss.

RTO <5 min. RPO <1 min. Zero-Trust Encryption. Art. 21.2.c Compliant.