Infrastructure
Layer 1 is the cloud foundation everything else sits on: the account/subscription structure, networking, identity, data stores, and DNS/TLS. It is the only cloud-specific layer — which cloud we build on is decided during the audit. Everything above it (Containerization and up) is portable.
Everything as code
The foundation is provisioned with Terraform / OpenTofu, never click-ops. That’s what makes it reproducible, reviewable, and yours to keep:
- Remote, locked state with a documented backend.
- Reusable modules for the building blocks, so environments are consistent.
- Per-environment separation (e.g. staging vs production) from the same code.
This is the Infrastructure-as-Code you walk away owning under the Keep-It-All Promise.
What the foundation provides
Independent of cloud, every platform gets the same capabilities — implemented with each provider’s native primitives:
| Capability | Built with |
|---|---|
| Account structure | AWS Organizations, multiple accounts |
| Networking | VPC, subnets, route tables, NAT |
| Identity | IAM, IRSA (IAM Roles for Service Accounts) |
| Managed Kubernetes | Amazon EKS |
| Data stores | RDS / Aurora, S3 |
| Ingress / load balancing | ALB / NLB |
| DNS & TLS | Route 53, ACM |
| Secrets & encryption | KMS, Secrets Manager |
| Baseline telemetry | CloudWatch |

| Capability | Built with |
|---|---|
| Subscription structure | Management groups, subscriptions |
| Networking | VNet, subnets, route tables, NAT |
| Identity | Microsoft Entra ID, workload identity |
| Managed Kubernetes | Azure Kubernetes Service (AKS) |
| Data stores | Azure Database for PostgreSQL / Azure SQL, Blob Storage |
| Ingress / load balancing | Application Gateway / Load Balancer |
| DNS & TLS | Azure DNS, managed certificates |
| Secrets & encryption | Key Vault |
| Baseline telemetry | Azure Monitor |

The mapping is deliberate: the same architecture, expressed in each cloud’s native services, so the Kubernetes layer above behaves identically either way.