    Open Source · Go

    AWS IaC Generator

    A pipeline that turns a plain-English infrastructure requirement into reviewed, policy-checked Terraform — generated, validated, and Trivy-scanned, but never deployed.

    AWS
    Terraform
    Generative AI
    Go
    Architecture

    [Architecture diagram: AWS IaC Generator Architecture]

    About

    AWS IaC Generator turns a plain-English infrastructure requirement into reviewed, policy-checked Terraform. A Go backend orchestrates a six-stage pipeline — Architect (normalize the requirement into a topology brief), Terraform (generate strict JSON that is converted to *.tf files), Security (terraform validate + Trivy scan, with automatic retry on HIGH/CRITICAL findings), Pull Request, Release, and Cloud readiness — streaming every stage back to a React/Vite UI over Server-Sent Events. The model layer is pluggable and auto-selects at startup: Kiro CLI, Amazon Bedrock (Converse API), or offline fixtures when no key is set. Crucially, it runs in backend=false mode and never deploys: model output is treated as untrusted data, generated filenames are constrained to *.tf basenames, and the supported-resource scope is deliberately narrow — S3, IAM, VPC, and KMS.

    Key Features

    Plain-English requirement → reviewed, policy-checked Terraform
    Six-stage Go pipeline: Architect → Terraform → Security → PR → Release → Cloud
    Security gate: terraform validate + Trivy scan on HIGH/CRITICAL, auto-retry up to 2×
    Pluggable LLM backend auto-selected at startup (Kiro CLI / Amazon Bedrock / offline fixtures)
    Offline fixtures mode — full pipeline with no network or API key
    POST /pipeline streams stage updates, generated files, and validation results over SSE
    Generate-only by design (backend=false) — never deploys to AWS
    Untrusted model output handling; filenames constrained to *.tf basenames
    React + Vite SPA frontend over a single streaming endpoint
    One-command run via Makefile or Docker Compose

    Engineering Challenges

    Treating LLM output as untrusted data while still converting it into runnable Terraform
    Gating on security without dead-ending — retrying generation on Trivy HIGH/CRITICAL failures
    Supporting three model backends behind one interface with startup auto-selection
    Streaming six pipeline stages to the UI in real time over Server-Sent Events
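The first challenge above, treating model output as untrusted data before any file is written, is illustrated by this added Go example (not the project's own code). It assumes a hypothetical model response shape of `{"files":[{"name":...,"content":...}]}`; the JSON is decoded strictly and every filename must be a plain *.tf basename, so a model-supplied path such as `../x.tf` is rejected before it can land outside the output directory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// ValidateFileName accepts only a bare, visible *.tf basename (no dirs, no traversal).
func ValidateFileName(name string) error {
	switch {
	case name == "" || strings.HasPrefix(name, "."):
		return fmt.Errorf("%q: empty or hidden filename", name)
	case strings.ContainsAny(name, `/\`) || filepath.Base(name) != name:
		return fmt.Errorf("%q: path components not allowed", name)
	case filepath.Ext(name) != ".tf":
		return fmt.Errorf("%q: must be a *.tf basename", name)
	}
	return nil
}

// ParseModelOutput strictly decodes untrusted model JSON and validates every filename.
func ParseModelOutput(raw []byte) (map[string]string, error) {
	var out struct {
		Files []struct {
			Name    string `json:"name"`
			Content string `json:"content"`
		} `json:"files"`
	}
	dec := json.NewDecoder(strings.NewReader(string(raw)))
	dec.DisallowUnknownFields() // anything outside the agreed schema is an error
	if err := dec.Decode(&out); err != nil {
		return nil, fmt.Errorf("model output is not strict JSON: %w", err)
	}
	files := make(map[string]string, len(out.Files))
	for _, f := range out.Files {
		if err := ValidateFileName(f.Name); err != nil {
			return nil, err // one bad name rejects the whole batch
		}
		files[f.Name] = f.Content // later duplicates overwrite earlier ones
	}
	return files, nil
}

func main() {
	// Constructed sample of model output carrying a traversal attempt.
	_, err := ParseModelOutput([]byte(`{"files":[{"name":"../x.tf","content":""}]}`))
	fmt.Println(err)
}
```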

    Results & Impact

    Plain-English infra requirements become validated, scanned Terraform in one run
    Security scanning is a pipeline gate, not an afterthought — bad code never reaches review
    Runs end-to-end offline for demos and CI with zero model spend
    Safe by construction: generates code for human review, never touches a live account