This repository contains shared Tofu modules used by nullplatform to standardize and reuse infrastructure across all projects.

## Repository structure

```
.
├── infrastructure/            # Cloud-specific infrastructure modules
│   ├── aws/
│   │   ├── acm/               # AWS Certificate Manager
│   │   ├── alb_controller/    # ALB Ingress Controller
│   │   ├── backend/           # S3/DynamoDB remote state backend
│   │   ├── eks/               # Elastic Kubernetes Service
│   │   ├── iam/
│   │   │   ├── agent/         # IAM role for nullplatform agent
│   │   │   ├── cert_manager/  # IAM role for cert-manager
│   │   │   └── external_dns/  # IAM role for external-dns
│   │   ├── ingress/           # Ingress resources
│   │   ├── route53/           # DNS zones
│   │   ├── security/          # Security groups for gateways
│   │   └── vpc/               # VPC, subnets, NAT
│   │
│   ├── azure/
│   │   ├── acr/               # Azure Container Registry
│   │   ├── aks/               # Azure Kubernetes Service
│   │   ├── dns/               # Public DNS zones
│   │   ├── private_dns/       # Private DNS zones
│   │   ├── resource_group/    # Resource group
│   │   ├── security/          # NSGs for gateways
│   │   └── vnet/              # Virtual network, subnets
│   │
│   ├── gcp/
│   │   ├── artifact-registry/ # Artifact Registry
│   │   ├── cloud-dns/         # Cloud DNS
│   │   ├── cloud-nat/         # Cloud NAT
│   │   ├── gke/               # Google Kubernetes Engine
│   │   ├── iam/               # Service accounts & roles
│   │   ├── security/          # Firewall rules for gateways
│   │   └── vpc/               # VPC, subnets
│   │
│   ├── oci/
│   │   ├── backend/           # OCI remote state backend
│   │   ├── dns/               # OCI DNS zones
│   │   ├── dynamic_groups/    # Dynamic groups & policies
│   │   ├── oke/               # Oracle Kubernetes Engine
│   │   └── vcn/               # Virtual Cloud Network
│   │
│   └── commons/               # Cloud-agnostic K8s modules
│       ├── cert_manager/      # TLS certificate management
│       ├── external_dns/      # DNS record automation
│       ├── istio/             # Service mesh
│       └── prometheus/        # Monitoring stack
│
├── nullplatform/              # Nullplatform-specific modules
│   ├── account/               # Account configuration
│   ├── agent/                 # Nullplatform agent (Helm)
│   ├── api_key/               # API key creation
│   ├── asset/
│   │   ├── docker_server/     # Docker server asset
│   │   └── ecr/               # ECR asset
│   ├── base/                  # Base Helm chart (gateways, logging, etc.)
│   ├── code_repository/       # Code repository integration
│   ├── dimensions/            # Metric dimensions
│   ├── metrics/               # Prometheus provider configuration
│   ├── scope_definition/      # Scope type & action specs
│   ├── scope_definition_agent_association/   # Scope notification channel
│   ├── service_definition/    # Service specification
│   ├── service_definition_agent_association/ # Service notification channel
│   └── users/                 # User management
│
├── .github/
│   └── workflows/             # CI/CD workflows
├── .pre-commit-config.yaml
├── commitlint.config.js
├── .gitignore
└── README.md
```
## Prerequisites

These modules depend on the following tools:

- gomplate
- np CLI (the nullplatform CLI)

Install them with:

```bash
# Install gomplate (see link for package-specific instructions)
# https://docs.gomplate.ca/installing/

# Install np CLI
curl -fsSL https://cli.nullplatform.com/install.sh | sh
```

## Usage

Reference modules using their Git source with version pinning:
```hcl
module "<name>" {
  source = "git::https://github.com/nullplatform/tofu-modules.git//<module-path>?ref=v1.0.0"
}
```

Then initialize and apply:
```bash
tofu init
tofu plan
tofu apply
```

## Examples

### API key

Creates a nullplatform API key with specific grants and tags.
```hcl
module "agent_api_key" {
  source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v1.0.0"
  name   = "AGENT"
  grants = [
    { nrn = "organization=123:account=456", role_slug = "controlplane:agent" },
    { nrn = "organization=123:account=456", role_slug = "developer" },
    { nrn = "organization=123:account=456", role_slug = "ops" },
  ]
  tags = [
    { key = "managedBy", value = "IaC" },
  ]
}
```

### Agent

Deploys the nullplatform agent into a Kubernetes cluster via Helm. Requires an API key.
```hcl
module "agent" {
  source         = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/agent?ref=v1.0.0"
  api_key        = module.agent_api_key.api_key
  cluster_name   = "my-cluster"
  nrn            = "organization=123:account=456:namespace=789"
  tags_selectors = { environment = "production" }
  image_tag      = "latest"
  cloud_provider = "aws"
}
```

### Base

Installs the base Helm chart (gateways, logging, observability).
```hcl
module "base" {
  source       = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/base?ref=v1.0.0"
  np_api_key   = var.np_api_key
  nrn          = var.nrn
  k8s_provider = "eks"
}
```

With gateway security enabled (Azure):
```hcl
module "base" {
  source                       = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/base?ref=v1.0.0"
  np_api_key                   = var.np_api_key
  nrn                          = var.nrn
  k8s_provider                 = "aks"
  gateway_internal_enabled     = true
  gateway_public_azure_nsg_id  = module.base_security.public_gateway_nsg_id
  gateway_private_azure_nsg_id = module.base_security.private_gateway_nsg_id
}
```

### Scope definition

Creates scope types and action specifications from templates.
```hcl
module "scope_definition" {
  source                   = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/scope_definition?ref=v1.0.0"
  nrn                      = var.nrn
  np_api_key               = var.np_api_key
  service_path             = "k8s"
  service_spec_name        = "Containers Default"
  service_spec_description = "Allows you to deploy in K8S clusters"
}
```

### Scope definition agent association

Links agents with scope definitions via notification channels.
```hcl
module "scope_notification_api_key" {
  source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v1.0.0"
  name   = "SCOPE-NOTIFICATION-CHANNEL-K8S"
  grants = [
    { nrn = "organization=123:account=456", role_slug = "controlplane:agent" },
    { nrn = "organization=123:account=456", role_slug = "ops" },
  ]
  tags = [
    { key = "managedBy", value = "IaC" },
    { key = "usedBy", value = "K8S" },
  ]
}

module "scope_definition_agent_association" {
  source                   = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/scope_definition_agent_association?ref=v1.0.0"
  nrn                      = var.nrn
  api_key                  = module.scope_notification_api_key.api_key
  scope_specification_id   = module.scope_definition.service_specification_id
  scope_specification_slug = module.scope_definition.service_slug
  tags_selectors           = { environment = "production" }
  depends_on               = [module.agent]
}
```

### Service definition agent association

Associates agents with service definitions for specific backends (e.g., PostgreSQL).
```hcl
module "service_notification_api_key" {
  source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v1.0.0"
  name   = "SERVICE-NOTIFICATION-CHANNEL-POSTGRESQL"
  grants = [
    { nrn = "organization=123:account=456", role_slug = "controlplane:agent" },
    { nrn = "organization=123:account=456", role_slug = "admin" },
    { nrn = "organization=123:account=456", role_slug = "ops" },
  ]
  tags = [
    { key = "managedBy", value = "IaC" },
    { key = "usedBy", value = "POSTGRESQL" },
  ]
}

module "service_definition_agent_association" {
  source                     = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition_agent_association?ref=v1.0.0"
  api_key                    = module.service_notification_api_key.api_key
  nrn                        = var.nrn
  tags_selectors             = { environment = "production" }
  service_specification_id   = "123"
  service_specification_slug = "PostgreSQL"
  service_path               = "databases/postgres"
  depends_on                 = [module.agent]
}
```

### Metrics

Configures Prometheus as the metrics provider in nullplatform.
```hcl
module "prometheus" {
  source               = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/prometheus?ref=v1.0.0"
  prometheus_namespace = "prometheus"
}

module "metrics" {
  source               = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/metrics?ref=v1.0.0"
  np_api_key           = var.np_api_key
  nrn                  = var.nrn
  dimensions           = { cluster = "my-cluster" }
  prometheus_namespace = "prometheus"
  depends_on           = [module.prometheus]
}
```

### Azure infrastructure

```hcl
module "resource_group" {
  source              = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/resource_group?ref=v1.0.0"
  resource_group_name = "rg-myorg-poc"
  location            = "eastus2"
  subscription_id     = var.azure_subscription_id
}

module "vnet" {
  source              = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/vnet?ref=v1.0.0"
  address_space       = ["10.0.0.0/16"]
  vnet_name           = "vnet-myorg-poc"
  location            = "eastus2"
  resource_group_name = module.resource_group.resource_group_name
  subnets_definition  = var.subnets_definition
  subscription_id     = var.azure_subscription_id
}

module "aks" {
  source              = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks?ref=v1.0.0"
  resource_group_name = module.resource_group.resource_group_name
  location            = module.resource_group.resource_group_location
  cluster_name        = "myorg-poc"
  subscription_id     = var.azure_subscription_id
  vnet_subnet_id      = module.vnet.subnet_ids["subnet-2"]
  system_pool_vm_size = "Standard_B2ms"
  user_pool_vm_size   = "Standard_B2ms"
}

module "dns" {
  source              = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/dns?ref=v1.0.0"
  domain_name         = "myorg.example.com"
  resource_group_name = module.resource_group.resource_group_name
  subscription_id     = var.azure_subscription_id
}

module "acr" {
  source                = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/acr?ref=v1.0.0"
  containerregistry_name = "acrmyorgpoc"
  resource_group_name   = module.resource_group.resource_group_name
  location              = "eastus2"
  subscription_id       = var.azure_subscription_id
  sku                   = "Basic"
}
```

## Module documentation

Each module must include its own README.md file describing:
- Purpose: what the module does and when to use it.
- Inputs: variables (`variables.tf`) with descriptions, types, and default values.
- Outputs (`outputs.tf`): explaining what's returned.
- Usage examples: small working HCL snippets.
- Notes: any internal dependencies, restrictions, or compatibility details.
## CI/CD

In `.github/workflows/`, you can include workflows for:

- Terraform / Tofu syntax validation.
- Auto-formatting with `tofu fmt`.
- Logical validation using `tofu validate`.

These ensure code consistency and prevent configuration drift.
## Guidelines

- Follow semantic versioning: `vX.Y.Z`.
- Keep backward compatibility within minor versions.
- Increment the major version for breaking changes.
- Keep each module isolated: one module = one clear responsibility.
- Avoid circular dependencies between modules.
- Document all variables (mark required vs optional).
- Tag and version releases before using them in production.
- Centralize repeated logic in these modules to avoid duplication.
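The usage section above asks for Git sources with version pinning, and the guidelines ask for tagged releases before production use. The following is an added check (not part of this repository) that scans HCL for `git::` module sources and flags any that come from a repository other than the approved one, carry no `?ref=` pin, or are pinned to something other than a `vX.Y.Z` release tag. The approved repository is the one this README references; the sample HCL is constructed.

```python
import re
from urllib.parse import parse_qs

# Matches `source = "..."` inside module blocks, the form used throughout this README.
SOURCE_RE = re.compile(r'\bsource\s*=\s*"(?P<src>[^"]+)"')
# Release tags follow the vX.Y.Z semantic-versioning rule from the guidelines.
RELEASE_TAG_RE = re.compile(r"^v\d+\.\d+\.\d+$")
APPROVED_REPO = "github.com/nullplatform/tofu-modules.git"


def check_module_sources(hcl: str, approved_repo: str = APPROVED_REPO) -> list:
    """Return one finding per git:: module source that is fetched from a repo other
    than the approved one, has no ?ref= pin, or is pinned to a non-release ref.
    Local path sources (./ or ../) are not checked."""
    findings = []
    for match in SOURCE_RE.finditer(hcl):
        src = match.group("src")
        if not src.startswith("git::"):
            continue
        line = hcl.count("\n", 0, match.start()) + 1
        url, _, query = src[len("git::"):].partition("?")
        # git::https://<repo>//<module-path> -> isolate <repo>
        repo = url.partition("://")[2].partition("//")[0]
        ref = parse_qs(query).get("ref", [None])[0]
        if repo != approved_repo:
            reason = "source outside the approved repository"
        elif ref is None:
            reason = "no ?ref= pin (tracks the default branch)"
        elif not RELEASE_TAG_RE.match(ref):
            reason = f"ref {ref!r} is not a vX.Y.Z release tag"
        else:
            continue
        findings.append({"line": line, "source": src, "reason": reason})
    return findings


# Constructed sample input (not from the repository): one good source, three bad.
SAMPLE_HCL = """\
module "agent" { source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/agent?ref=v1.0.0" }
module "vpc"   { source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc" }
module "eks"   { source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=main" }
module "other" { source = "git::https://github.com/example-org/modules.git//vpc?ref=v2.0.0" }
"""

if __name__ == "__main__":
    for finding in check_module_sources(SAMPLE_HCL):
        print(f"line {finding['line']}: {finding['reason']}\n  {finding['source']}")
```

Run it over the `.tf` files of a consuming project in CI to fail the build when a module is pulled from an unpinned or unexpected source.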
## Contributing

If you want to add or modify a module:

- Create a `feature/` or `fix/` branch.
- Add tests or validations if applicable.
- Update the module's documentation.
- Open a Pull Request for review.
## Commit conventions

This repository uses Conventional Commits to ensure consistent commit messages. A pre-commit hook validates all commit messages automatically.

Valid commit examples:

```
feat: add new EKS module
feat(aws): add support for multiple availability zones
fix: resolve VPC peering connection issue
fix(azure): correct DNS zone configuration
docs: update README with usage examples
refactor: simplify IAM role creation
chore: update provider versions
```

Invalid commit examples:

```
added new feature   # ✗ missing type prefix
Fix bug             # ✗ type must be lowercase
feat add login      # ✗ missing colon after type
```

Setup pre-commit hooks:

```bash
# Install pre-commit (if not already installed)
brew install pre-commit

# Install the commit-msg hook
pre-commit install --hook-type commit-msg
```
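As an added illustration of the rule the hook enforces (this is not the repository's `commitlint.config.js`, and the set of allowed types is assumed from commitlint's conventional defaults), the following validator reproduces the three rejection reasons shown above and can be wired in as a `commit-msg` hook:

```python
import re
import sys
from typing import Optional

# Assumed allowed types (commitlint conventional defaults); the page itself shows
# feat, fix, docs, refactor and chore.
ALLOWED_TYPES = {"build", "chore", "ci", "docs", "feat", "fix", "perf",
                 "refactor", "revert", "style", "test"}
# Leading token that may be a type, with optional (scope) and breaking-change "!".
TYPE_RE = re.compile(r"^(?P<type>[A-Za-z]+)(\((?P<scope>[^()\s]+)\))?!?")


def validate_commit_header(header: str) -> Optional[str]:
    """Return None when the first line is a valid Conventional Commits header,
    otherwise a short reason for rejection."""
    match = TYPE_RE.match(header)
    if not match or match.group("type").lower() not in ALLOWED_TYPES:
        return "missing type prefix"
    commit_type = match.group("type")
    if commit_type != commit_type.lower():
        return "type must be lowercase"
    rest = header[match.end():]
    if not rest.startswith(":"):
        return "missing colon after type"
    if not rest.startswith(": ") or not rest[2:].strip():
        return "description must follow ': '"
    return None


def validate_commit_message(message: str) -> Optional[str]:
    """Validate only the header line; body and footers are free-form."""
    header = message.splitlines()[0] if message.strip() else ""
    return validate_commit_header(header)


if __name__ == "__main__":
    # As a commit-msg hook, git passes the path of the message file as argv[1].
    with open(sys.argv[1], encoding="utf-8") as fh:
        problem = validate_commit_message(fh.read())
    if problem:
        sys.exit(f"invalid commit message: {problem}")
```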