Skip to Content
ServicesGeneric Service OfferingsInfrastructure & Deployment
Service offering

Infrastructure & Deployment

Infrastructure provisioned by hand is infrastructure that drifts. We deliver Terraform-first infrastructure for Azure and SAP BTP — modular, version-controlled, and driven through CI/CD pipelines with mandatory approval gates before production changes. Every resource is declared in code, every change is reviewed in a PR, and every team we work with leaves with the knowledge to run and extend the platform independently.

TerraformAzure Landing ZoneSAP BTP Terraform ProviderRemote State (Azure Storage)GitHub Actions CI/CDPlan / Apply Approval GatesAzure Key Vault SecretsRBAC & Least PrivilegeMulti-Environment (dev · qas · prod)

How Terraform-Driven Infrastructure Works

Terraform treats infrastructure as declarative configuration — you describe the desired state, Terraform computes the difference from the current state and applies only the changes needed. Every resource is tracked in remote state, every change is a code review, and every environment is a variant of the same module library. The result is infrastructure that is reproducible by construction: spinning up a new environment is running terraform apply with a different variable file, not copying a server and hoping it matches.

Terraform CI/CD pipeline — from PR to production, with plan review and approval gate
Target Platforms
Microsoft Azure (VMs · VNets · Storage · Key Vault)SAP BTP (subaccounts · entitlements · service instances · destinations)AWS (S3 · CloudFront · EC2 · Route 53 · ACM)
↑ terraform apply — only approved, planned changes reach production ↑
GitHub Actions CI/CD Pipeline
PR: terraform fmt · validate · plan (posted as PR comment)Merge to main: terraform apply (dev / qas auto · prod gated)Approval gate — required reviewer signs off prod plan before applySecrets from Azure Key Vault — no credentials in pipeline varsState lock during apply — concurrent runs blocked
↕ version-controlled · PR-reviewed · state-tracked
Terraform Codebase (Git Repository)
Reusable module library (networking · compute · storage · identity)Environment variable files (dev.tfvars · qas.tfvars · prod.tfvars)Remote state backend (Azure Storage · versioned · locked)Module documentation and input variable reference

The plan is the key artefact. Every PR generates a Terraform plan and posts it as a comment — reviewers see exactly what will change in the target environment before they approve. Production changes require an explicit approval on the plan before terraform apply runs. No surprises, no accidental deletions.

Environment Promotion Model

Infrastructure changes follow the same promotion model as application code — validated in development, promoted to QA, then gated into production with an explicit approval. Each environment shares the same module library with environment-specific variable overrides.

Dev & QAS
Continuous Deployment — Auto-Apply on Merge

Changes merged to the main branch are automatically applied to development and QA environments without an additional approval step. This keeps lower environments current and allows the team to iterate quickly. VM sizes, replication factors, and retention periods are reduced in dev/qas variable files to control cost while maintaining structural parity with production.

  • Auto-apply on merge — no manual approval required
  • Reduced VM sizes and storage tiers for cost control
  • Structural parity with production — same modules, different variables
  • Plan result visible in PR comment within minutes of opening
Production
Gated Apply — Explicit Approval on Every Change

Production Terraform applies require an explicit approval from a designated reviewer who has read and accepted the plan output. The approval gate is enforced at the pipeline level — not by policy or convention — so it cannot be bypassed without modifying the pipeline itself. Only changes already validated in QA are promoted to production.

  • Mandatory plan review before apply — enforced in pipeline
  • Designated approvers via GitHub Environment protection rules
  • Apply only after QA validation is confirmed
  • State lock prevents concurrent applies during rollout
Infrastructure change promotion flow — PR to production with plan review at every gate
PR Openedterraform plan posted as PR comment
Merge to MainAuto-apply to dev · plan to qas
QA ValidationTeam validates in QAS environment
Prod ApprovalReviewer approves plan in GitHub
Prod ApplyLocked · audited · state updated

Core Capabilities

Module Architecture
Reusable Terraform Module Library
Infrastructure is structured as a library of focused, reusable modules — networking (VNet, subnets, NSGs, route tables), compute (VMs, scale sets), storage (managed disks, Storage Accounts, ANF), identity (managed identities, RBAC assignments), and SAP BTP (subaccounts, entitlements, service instances, destinations). Each module has a clear input/output contract, documented variables, and validated defaults. Modules are shared across environments via environment-specific variable files — one module, three environments.
Terraform modules · azurerm provider · btp provider · input variable validation · output values · module composition · environment tfvars · shared module library · terraform-docs generated reference
State & Backend
Remote State — Azure Storage with Locking
Terraform state is stored remotely in an Azure Storage Account with blob versioning and soft delete — accidental state corruption is recoverable. State locking via blob lease prevents concurrent applies from corrupting state. Per-environment state isolation keeps dev, qas, and prod state completely separate. State access is governed by Azure RBAC — only the pipeline service principal and designated engineers can read or write state. State migration procedures are documented for bootstrapping and disaster recovery.
azurerm backend · Azure Storage Account · blob versioning · soft delete · state locking (blob lease) · per-environment state isolation · RBAC-governed state access · state migration runbook
Security
No Hardcoded Credentials — Key Vault & OIDC
The pipeline authenticates to Azure using OIDC Workload Identity Federation — no client secret stored in GitHub, no credential rotation schedule, no expiry risk. Application secrets are stored in Azure Key Vault and pulled at runtime. Terraform resource definitions contain no hardcoded credentials. RBAC follows least-privilege: the pipeline service principal has only the permissions required by the modules it applies, scoped to the relevant resource groups.
OIDC Workload Identity Federation · Azure Key Vault secrets · least-privilege RBAC · no hardcoded credentials · service principal scoped to resource group · Key Vault RBAC access policy · GitHub Environments (required reviewers)
SAP BTP
BTP Terraform Provider — Subaccounts as Code
The SAP BTP Terraform provider manages BTP subaccounts, directory structures, entitlements, service instances, service bindings, and destinations as Terraform resources — the same way Azure resources are managed. BTP environment setup, service plan assignments, and destination configurations are declared in code and promoted through dev, qas, and prod with the same pipeline and approval model as the underlying Azure infrastructure. No manual BTP cockpit configuration required.
SAP BTP Terraform provider · subaccount management · directory structure · entitlement assignment · CF environment provisioning · service instance · service binding · BTP Destination Service configuration · btp_subaccount_service_instance resource

What We Deliver

Terraform Module Library

A library of reusable, documented Terraform modules covering your infrastructure scope — networking, compute, storage, identity, and SAP BTP resources. Each module has validated input variables, typed outputs, and usage examples. Module library is structured for extension: adding a new resource type means adding a module, not editing existing ones. Delivered in your GitHub repository under a conventional directory structure.

Remote State Backend & Locking

Azure Storage Account provisioned as the Terraform state backend — blob versioning and soft delete enabled for state recovery. State locking via blob lease prevents concurrent applies. Per-environment state isolation via separate storage containers. RBAC-governed access: pipeline service principal and designated engineers only. State migration procedures documented for bootstrapping and disaster recovery.

Multi-Environment Variable Configuration

Environment-specific variable files (dev.tfvars, qas.tfvars, prod.tfvars) sharing the same module library. Variable definitions cover all environment differences — VM sizes, replication counts, retention periods, and feature flags. Variable validation rules ensure invalid combinations are caught at plan time. Sensitive variable values sourced from Azure Key Vault — no secrets checked into git.

GitHub Actions Pipelines with Approval Gates

PR pipeline: terraform fmt, validate, and plan — plan output posted as a PR comment so reviewers see the exact diff. Merge pipeline: auto-apply to dev, plan-only to qas pending validation. Production pipeline: plan posted for approval, apply only after an explicit reviewer sign-off via GitHub Environments. OIDC Workload Identity Federation — no client secrets in GitHub Actions secrets.

Security Baseline — RBAC & Key Vault

Pipeline service principal scoped to minimum required permissions at the resource group level. Azure Key Vault provisioned for all application secrets — connection strings, API keys, certificates. RBAC assignments for the pipeline principal and application managed identities at the appropriate scope. No hardcoded credentials in Terraform state or pipeline variables. Secret rotation procedures documented and tested.

Documentation & Team Enablement

Module reference documentation generated from Terraform variable and output definitions. Runbooks for all common operations: adding a new resource, promoting a change to production, recovering from a failed apply, importing an existing resource into state, and running a state migration. Live walkthrough with your team covering the module structure, pipeline workflow, and how to extend the codebase for new requirements.

How Customers Benefit

Reproducible
Same Infrastructure Every Time — No Snowflakes
Every resource is declared in Terraform. Creating a new environment is running terraform apply with a different variable file — not cloning a server and hoping it matches. Infrastructure differences between environments are explicit in the variable files, not hidden in undocumented manual steps.
Auditable
Every Change in Git with a Full PR Trail
Every infrastructure change is a commit, reviewed in a PR, with the plan diff attached as a comment. Git history is a complete, human-readable record of what changed, why, and who approved it. No more “who changed the NSG rule last Tuesday” — it is in the git log with a PR link.
Safe
Production Changes Always Approved Before Apply
The approval gate is enforced at the pipeline level — not by convention. A production Terraform apply cannot run without an explicit sign-off on the plan by a designated reviewer. The reviewer sees exactly what will change — additions, modifications, and deletions — before they approve. Accidental destructive changes are caught before they reach production.
Secure
No Credentials in Pipelines or State
OIDC Workload Identity Federation means the pipeline has no client secret to rotate, leak, or expire unexpectedly. Application secrets live in Azure Key Vault with RBAC-governed access. Terraform state contains no sensitive values. Your security team gets a clean answer when they audit the pipeline.
Fast
New Environments in Hours — Not Days
Because infrastructure is defined in code with environment-specific variable files, standing up a new environment is a pipeline run, not a project. Onboarding a new team, spinning up a performance test environment, or replicating a QA landscape for a parallel workstream takes hours of pipeline time, not days of manual provisioning.
Owned
Your Team Runs It Independently After Handover
We build the platform and then transfer it. The module library, the pipeline, the runbooks, and the live walkthrough are all designed so your engineers can add resources, promote changes, and resolve issues without ongoing CNBS involvement. The goal is a team that is self-sufficient, not dependent.

How We Work

01

IaC Assessment & Module Design

We review your existing infrastructure — whether managed manually, via scripts, or with an existing IaC approach — and identify the full resource scope to bring under Terraform management. Module boundaries, variable strategy, environment promotion model, and state organisation agreed before any code is written.

02

State Backend & Security Foundation

Azure Storage Account provisioned as the remote state backend with versioning, soft delete, and per-environment isolation. Pipeline service principal created with OIDC Workload Identity Federation configured in GitHub. Azure Key Vault provisioned for secrets. RBAC assignments scoped to minimum required permissions. Bootstrap state for the state backend itself committed to the repository.

03

Module Development & Existing Resource Import

Terraform modules built for all resources in scope — networking, compute, storage, identity, SAP BTP. Existing resources imported into Terraform state so they are managed going forward without recreation. Variable files for dev, qas, and prod populated and validated. Module documentation generated from variable and output definitions.

04

Pipeline Integration & Approval Workflow

GitHub Actions workflows configured: PR pipeline (fmt, validate, plan as PR comment), merge pipeline (auto-apply to dev), and production pipeline (plan + approval gate + apply). GitHub Environments configured with required reviewers for production. First end-to-end run validated — PR opened, plan reviewed, merged, dev auto-applied, prod approved and applied.

05

Validation & Drift Check

All environments validated post-apply — resources match declarations, no configuration drift detected. Terraform plan run against each environment confirming no unintended changes pending. Failover and recovery scenarios tested where applicable. Monitoring and alerting for pipeline failures configured.

06

Handover & Team Enablement

Module reference documentation delivered alongside the codebase. Runbooks written for all common operations: adding a resource, promoting to production, recovering from a failed apply, importing an unmanaged resource, and running a state migration. Live walkthrough with your engineering team covering module structure, pipeline workflow, Key Vault secret management, and how to extend the library for new requirements.

Ready to put your infrastructure under control?

Let’s build your Terraform foundation — reviewed, gated, and owned by your team.

Tell us about your current infrastructure scope, target platforms, and team structure — we’ll design and deliver a Terraform platform your engineers can run and extend independently from day one.

Get in touch →
Documentation as Code