Terraform Consulting · AWS

Terraform on AWS, engineered for regulated teams.

Infrastructure as code on AWS from an Advanced Tier Partner: reusable modules, isolated remote state, PR-based plan/apply gates, and policy-as-code guardrails. Founder-led, ISO 27001:2022 certified, and 16+ years of cloud engineering behind every module we ship.

AWS Advanced Tier Partner
Google Cloud Partner
RedHat Partner
Vanta
ISO 27001:2022 Certified
ISO 9001:2015 Certified
HAZERCLOUD · TERRAFORMAudit-Ready IaC

The Terraform stack we standardise on.

Terraform+ OpenTofu
Remote StateS3 + DynamoDB
ModulesVersioned
GitHub ActionsPR plan
checkov + tfsecScanning
OPA / SentinelPolicy-as-code
Control TowerLanding zone
terraform importImport blocks
9
Applications migrated to AWS on IaC and automated CI/CD
Heroku case study
0
Production outages across those code-driven migrations
Migration service
ISO
27001:2022 certified — we build IaC to the standard we operate under
ISO 27001 service
16+
Years of cloud engineering behind every module we write
DevOps practice
AWS certifications held by the founder who leads delivery
About the founder
Why Infrastructure as Code

Why IaC wins for regulated workloads.

Terraform is not just faster provisioning — for FinTech, HealthTech, and compliance-driven SaaS it is the difference between a console you cannot audit and infrastructure you can prove. Four properties that matter when an assessor is in the room.

01 · AUDITABILITY

Every change is a reviewed pull request

With infrastructure as code on AWS, no one clicks a production change into existence. Every modification is a Terraform pull request with a plan diff, a named approver, and an immutable git history. That is precisely the change-management and access-control evidence ISO 27001, SOC 2, and DORA assessors ask for — generated as a by-product of how your team already works, not assembled the week before an audit.

Git HistoryPR ReviewPlan DiffApprovals
02 · DRIFT DETECTION

Prove production still matches the code

Console tweaks and emergency fixes cause drift — the silent gap between what is approved and what is actually running. A scheduled terraform plan surfaces that drift on every run: anything changed outside code shows up as a diff you either codify or revert. For a regulated environment, being able to demonstrate that live infrastructure reconciles to an approved definition is a control in its own right, not a nice-to-have.

terraform planScheduled DriftReconcileCloudTrail
03 · REPRODUCIBILITY

Same code, same infrastructure, every time

Dev, staging, and production built from the same versioned modules means environments differ only by variables, not by whatever someone remembered to click. Rebuilding a region for disaster recovery, or vending a new account, becomes a few module calls instead of a fragile runbook. Reproducibility is also what makes your recovery objectives believable — the environment can be stood up from code, on demand, under your DevOps pipelines.

Versioned ModulesPer-Env VarsRepeatable BuildsDR
04 · AUDIT EVIDENCE

Infrastructure that is evidence, not slideware

Because the definition, the change record, and the approval all live in code and version control, the Terraform repository itself becomes an evidence source. We wire policy-as-code and scanning into the pipeline so security controls are enforced and logged, feeding the trail your ISO 27001 and DORA assessors expect. We delivered exactly this pattern — CI/CD plus AWS Config — on our published ISO-hardening engagement.

AWS ConfigPolicy LogsImmutable TrailEvidence
Our Terraform Standards

How we write Terraform that lasts.

The difference between Terraform AWS experts and a pile of .tf files is the operating discipline around it. These four standards ship on every engagement, and they are what your engineers inherit at handover.

01 · MODULES

Reusable, versioned modules

Battle-tested community modules (terraform-aws-modules for VPC, EKS, RDS, IAM) pinned to explicit versions, wrapped in thin opinionated modules that encode your naming, tagging, and network conventions. The result is an internal module library your team owns — a new service or environment is a handful of module calls, not hundreds of hand-written resources copied between folders.

terraform-aws-modulesVersion PinningModule RegistryConvention
02 · REMOTE STATE

State that is safe and isolated

Encrypted remote state in S3 with a DynamoDB lock table, so concurrent applies can never corrupt state. State is isolated per environment and per account — separate state, separate blast radius — never one file for the whole estate. Versioning is on for point-in-time recovery, access is least-privilege via IAM, and we keep secrets out of plaintext state wherever the provider allows.

S3 BackendDynamoDB LockState IsolationLeast Privilege
03 · CI PLAN / APPLY GATES

Plan on the PR, gated apply

terraform plan runs automatically on every pull request and posts the diff for review — reviewers see exactly what will change before anyone approves. Apply is gated behind that approval and a protected branch, with OIDC federation into AWS so pipelines use short-lived credentials, never long-lived keys. This is the same rigour we bring to application delivery in our AWS DevOps and ECS work.

PR PlanGated ApplyOIDCProtected Branch
04 · POLICY-AS-CODE

Guardrails that fail the build

checkov and tfsec catch insecure defaults — public buckets, unencrypted volumes, wide-open security groups, missing logging — and OPA or Sentinel enforce organisation rules like mandatory tags, approved regions, and forbidden instance types. A plan that violates policy fails its check and never reaches apply. It is the shift-left thinking from our DevSecOps practice, applied to infrastructure at review time.

checkovtfsecOPASentinel
ClickOps → IaC

From console clicks to codified infrastructure.

Most teams do not start with a blank repository — they start with years of infrastructure built by hand in the console. We adopt what is already running, without recreating a single resource, in three deliberate steps.

Step 01 · Import

Adopt what already runs

We bring existing resources under Terraform using terraform import and Terraform import blocks, writing code that describes your live estate exactly. Nothing is destroyed and re-created — the running VPCs, databases, and roles are adopted as-is. We work resource group by resource group until state reflects reality.

import blocks · zero re-create, zero downtime
How we run DevOps
Step 02 · Incremental

Codify service by service

No big-bang rewrite. We prioritise the highest-risk or most-changed infrastructure first, move it into modules, and leave the rest running untouched until its turn. Each slice ships behind the same plan/apply gates, so the estate is always in a known, reviewable state as coverage grows from a few resources to the whole account.

Prioritised adoption, always in a known state
AWS migration service
Step 03 · Reconcile

Drive drift to zero

Once imported, we run terraform plan until it reports zero changes against live infrastructure — the proof that code and reality match. From there, scheduled plans catch any new drift, and manual console changes become the exception you consciously codify or revert. The endpoint is an account where the repository is the source of truth.

plan = 0 · code becomes the source of truth
See it applied on ECS
Multi-Account & Landing Zones

Landing zones, the pragmatic way.

Regulated estates outgrow a single account fast — separate accounts for prod, non-prod, security, and shared services are a control, not a luxury. Here is how we decide between AWS Control Tower and a custom Terraform landing zone.

Start with Control Tower when…

You want a governed landing zone fast

  • Account Factory does the vending. New accounts are provisioned from a blueprint with baseline guardrails already applied.
  • Org-level guardrails out of the box. Preventive and detective controls via service control policies and AWS Config conformance packs.
  • Centralised logging and audit. A dedicated log-archive and audit account from day one, which auditors expect to see.
  • Terraform governs the workloads. Control Tower owns the landing zone; Terraform provisions and manages everything inside each workload account.
  • Faster to a compliant baseline. Weeks of foundational work compressed into a managed, AWS-maintained framework.
Go custom when…

Control Tower constrains what you need

  • Bespoke org structure. An OU and account layout that Control Tower's opinions do not cleanly fit.
  • Full control of guardrails. SCPs, permission boundaries, and network topology defined entirely in your own Terraform.
  • Existing AWS Organizations estate. A mature multi-account setup that predates Control Tower and cannot be re-homed easily.
  • Custom account vending. A Terraform-driven account factory tailored to your onboarding and tagging rules.
  • Shared-services patterns. Centralised networking, DNS, and CI/CD in a shared account, wired exactly to your requirements.
Our pragmatic default: Control Tower for the landing zone, Terraform for everything inside it. Custom landing zones are the right call for large or unusual estates — a short review tells us which one fits your org, and we build that, not the one that is easier to sell.
IaC For Compliance

Terraform that passes an audit, not just a plan.

Infrastructure as code and compliance pull in the same direction: both want change to be reviewed, approved, logged, and reproducible. When your AWS estate is defined in Terraform, the artefacts an assessor asks for — change records, access controls, an audit trail, proof that production matches the approved design — already exist in your repository and pipeline.

We deliver this in production and hold ISO 27001:2022 ourselves, so we build IaC to the same standard we operate under. For teams heading into an ISO 27001 certification or preparing for DORA resilience obligations, the Terraform work slots straight into the wider evidence trail — and pairs naturally with our DevSecOps guardrails.

Discuss your compliance posture →
  • Change management as code: every infrastructure change is a reviewed, approved pull request with a plan diff and a named approver.
  • Access control on state and apply: least-privilege IAM on remote state, OIDC-federated pipelines, no long-lived keys.
  • Policy-as-code enforcement: checkov, tfsec, OPA, and Sentinel block non-compliant plans before they ever apply.
  • Drift as a control: scheduled terraform plan proves live infrastructure still matches the approved definition.
  • Evidence on tap: git history plus AWS Config and CloudTrail give assessors an immutable, timestamped trail.
  • Reproducible recovery: environments rebuildable from code make DORA-style resilience and DR objectives demonstrable, not aspirational.
Common Questions

What buyers ask before a Terraform engagement.

Don't see your question? Book a 30-minute IaC review and ask directly.

Book a call →
Terraform, or CloudFormation / CDK — which should we use?+
The honest answer: it depends on your team, not on fashion. We use Terraform when you want one tool that spans AWS plus SaaS providers (Datadog, GitHub, Cloudflare), a large community module ecosystem, and a plan/apply workflow that reviews cleanly in a pull request. We reach for CloudFormation or CDK when you are all-in on AWS, want native drift detection and StackSets, or your team already thinks in TypeScript and wants CDK’s abstractions. We deliver all three, so the recommendation is based on your constraints — if a 30-minute review shows CDK fits your team better, we will tell you that rather than sell you a Terraform engagement.
We built everything by hand in the console. Can you move us to Terraform without downtime?+
Yes — this is the most common way our Terraform engagements start. We import existing resources into state using terraform import and Terraform import blocks so the code describes what is already running, without recreating or disrupting a single resource. We work service by service, run terraform plan until it reports zero changes against live infrastructure, and only then hand you a repository that reconciles exactly with production. Nothing is destroyed and re-created; the running estate is adopted as-is, then improved from there.
How do you manage Terraform state safely across a team?+
Remote state in an encrypted S3 bucket with a DynamoDB table for state locking, so two engineers or two pipeline runs can never corrupt state with a concurrent apply. State is isolated per environment and per account — separate state files (or workspaces) for dev, staging, and production, never one blast-radius state for everything. Access to state is least-privilege via IAM, versioning is on for point-in-time recovery, and no secrets are stored in plaintext state where we can avoid it. This is table stakes for regulated workloads and we set it up on day one.
What does policy-as-code actually enforce in your pipelines?+
Guardrails that run automatically on every pull request, before any apply. We wire in checkov and tfsec to catch insecure defaults — public S3 buckets, unencrypted volumes, over-broad security groups, missing logging — and OPA (Open Policy Agent) or HashiCorp Sentinel for organisation-specific rules like mandatory tagging, approved regions, or forbidden instance types. A plan that violates policy fails the check and never reaches apply. This is the same shift-left thinking behind our DevSecOps practice, applied to infrastructure code so misconfigurations are caught at review time, not in a breach report.
Do you use public registry modules or write your own?+
Both, deliberately. For well-solved problems — VPCs, EKS, RDS, IAM — we lean on the battle-tested terraform-aws-modules community modules rather than reinventing them, pinned to specific versions so upgrades are intentional. On top of that we write your own thin, opinionated modules that encode your conventions: naming, tagging, network topology, and compliance controls baked in. The result is a versioned internal module library your team owns and reuses across services, so a new environment is a few module calls rather than hundreds of hand-written resources.
How does Terraform help with ISO 27001, SOC 2, or DORA audits?+
Infrastructure as code turns your environment into reviewable, versioned evidence. Every change is a pull request with an approver, a plan diff, and a git history — which is exactly the change-management, access-control, and audit-trail evidence that ISO 27001, SOC 2, and DORA assessors ask for. Drift detection via terraform plan proves production still matches the approved definition. We deliver this in production and hold ISO 27001:2022 ourselves, so we build IaC to the same standard we operate under, and the Terraform work slots straight into the wider evidence trail your auditor expects.
Can you set up multi-account AWS with Terraform and Control Tower?+
Yes. For most organisations we start with AWS Control Tower for the landing zone — account factory, org-level guardrails, centralised logging and an audit account — and use Terraform to provision and govern the workload accounts and everything inside them. Where Control Tower is too constraining, we build a custom Terraform landing zone with account vending, an AWS Organizations structure, service control policies, and a shared-services account. Either way, per-account state isolation and a clear promotion path from dev to production come as standard.
Do you hand over the Terraform, or keep us dependent on you?+
You own everything. The Terraform lives in your repository, the state in your AWS account, the pipelines in your CI. We write it to be read and maintained by your engineers — documented modules, a clear directory structure, and a README that explains the promotion flow. Most clients keep us on a light retainer for reviews, upgrades, and new modules, but that is a choice, not a lock-in. If you want to run it entirely in-house after handover, the codebase is built for exactly that.
IaC
Running AWS by hand, or about to codify it?

30 minutes with our founder. One specific Terraform recommendation guaranteed.

Whether you're moving off ClickOps, cleaning up sprawling state, adding plan/apply gates, or building a multi-account landing zone for an audit — start with a free infrastructure-as-code review directly with the founder. One concrete recommendation, no commitment required.

AWS Advanced Tier Services Partner · ISO 27001:2022 · Terraform AWS Experts

30 min Free Consultation →