Trying to connect cloud architecture (CAF / Zero Trust) with IaC validation
We often say that architecture defines intent, while Infrastructure as Code (IaC) defines implementation.
But in practice, they drift apart very quickly.
- Architecture lives in documents (CAF, Zero Trust, internal HLDs)
- IaC reflects what is actually deployed
- There is no reliable way to verify that one matches the other
The problem
IaC gives us precision, but not meaning.
Architecture gives us meaning, but not verification.
So we end up in a situation where:
- a system is “correctly deployed”
- but architecturally wrong
And we only discover that during reviews, audits, or incidents.
A small experiment
I built a small PoC to explore whether architecture can be represented as a structured model and validated against Terraform state.
The idea is simple:
Risk → Control → Constraint → Implementation → Validation
Instead of validating individual resources, the model allows you to evaluate architecture at multiple levels:
Mapping level
-
PASS– resource matches expected configuration -
FAIL– resource exists but is misconfigured -
MISSING– resource is not present
Control level
-
FAILED– at least one mapping fails -
INCOMPLETE– partially implemented -
MISSING– not implemented at all
Risk level
-
EXPOSED– controls are not fully implemented
Example
In the demo scenario:
- one control fails because of parameter mismatch
- another is only partially implemented
- another fails due to tag mismatch
- another is completely missing
The validator aggregates this into:
FAILED control → EXPOSED risk
So instead of asking:
"Is this resource compliant?"
you can ask:
"Is this architectural risk exposed?"
What this tries to explore
This is not about replacing IaC or policy engines.
It’s about introducing an additional layer:
- linking architectural intent (risk / control)
- to implementation (Terraform)
- and verifying that link continuously
Open questions
I’m still exploring whether this makes sense outside my own use case.
Some questions I’m interested in:
- Does this model actually help in real environments?
- Is “control-level” validation useful, or is it overengineering?
- How would this scale in large architectures?
- Where would this break?
Repo
I’ve put together a small working PoC with:
- a simple architecture model (YAML)
- a validator against Terraform state
- a demo showing different failure modes
👉 https://github.com/Illya-Kryushenko/architecture-as-code
Happy to hear thoughts, especially from people working with Terraform, Azure, or security architecture.
Top comments (0)