Skip to main content
Open Source Free MIT License

Multi-Cloud Runway

Designing a compliant, multi-account cloud landing zone from scratch means months of architecture work and a high risk of security gaps.

View on GitHub Get Production Help

Enterprise landing zones for AWS and GCP, ready to fly

Multi-Cloud Runway is a free, open-source infrastructure template providing security-hardened landing zones for AWS and GCP. It sets up multi-account environments with networking, IAM, security monitoring, and compliance via Terraform/Terragrunt. Available on GitHub at github.com/cloudon-one/multi-cloud-runway.

Core Features

Multi-Account Architecture

Enterprise-grade account and project structures for both AWS and GCP.

  • AWS Organizations with multi-account separation
  • GCP resource hierarchy with project-level isolation
  • Environment-based account structure (dev, staging, prod)
  • Centralized billing and governance

Network & Security

Pre-configured networking, encryption, and security monitoring.

  • VPC/VNet with Transit Gateway and interconnect
  • GuardDuty and Security Command Center
  • CloudTrail and audit logging
  • Encryption at rest and in transit

Compliance Automation

Built-in compliance frameworks with automated validation.

  • PCI DSS, CIS Benchmarks, SOC 2 Type II
  • ISO 27001 and NIST Framework controls
  • Pre-commit hooks with tfsec and checkov
  • Quarterly disaster recovery testing

How It Works

01

Clone and Configure

Clone the repository and run make verify-setup to ensure prerequisites are met. Configure your accounts and regions.

02

Initialize State Backend

Run make init to provision the S3/DynamoDB (AWS) or GCS (GCP) state backend with encryption and locking.

03

Deploy Landing Zone

Apply Terraform modules in sequence: accounts, networking, security, then services. Each module is independently deployable.

04

Start Building

Your multi-account environment is ready with networking, IAM, security monitoring, and compliance checks in place.

Why Choose Multi-Cloud Runway?

Days, Not Months

Deploy compliant, multi-region cloud environments in days instead of months of manual architecture design.

Compliance From Day One

Pre-configured for PCI DSS, CIS Benchmarks, SOC 2 Type II, ISO 27001, and NIST Framework — no retrofitting required.

Error Prevention

Pre-validated modules eliminate common configuration mistakes. Pre-commit hooks enforce security scanning and formatting standards.

True Multi-Cloud

Unified IaC approach for both AWS and GCP. Consistent patterns, shared conventions, separate cloud-specific implementations.

Tech Stack

Terraform v1.5+ Terragrunt v0.70+ AWS Organizations GCP Resource Manager Transit Gateway GuardDuty Security Command Center tfsec checkov detect-secrets

Frequently Asked Questions

What cloud providers does Multi-Cloud Runway support?
Multi-Cloud Runway provides landing zone templates for both AWS and GCP. Each cloud has dedicated modules following provider-specific best practices.
What compliance frameworks are supported?
Multi-Cloud Runway includes controls for PCI DSS, CIS Benchmarks, SOC 2 Type II, ISO 27001, and NIST Framework. Compliance is enforced through automated scanning.
Can I use only the AWS or only the GCP modules?
Yes. The AWS and GCP modules are independent. You can deploy one or both depending on your cloud strategy.
How does the pre-commit security scanning work?
Pre-commit hooks automatically run tfsec (Terraform security), checkov (policy-as-code), and detect-secrets before each commit, preventing insecure configurations from entering the codebase.
Is this suitable for startups or only enterprises?
Multi-Cloud Runway works for organizations of any size. Startups benefit from starting with best practices from day one, while enterprises use it to standardize their landing zone approach.

From the Blog

Building a Comprehensive Infra Validation Pipeline with GitHub Actions

How to implement a robust infrastructure validation pipeline using GitHub Actions covering security scanning, cost management, and quality checks for Terraform and IaC code.

GitHub Actions CI/CD Security Terraform
Read article

Other CloudOn Tools

KubeLaunch

KubeLaunch Essentials is a free, open-source Kubernetes platform with integrated security, observability, and service mesh. It deploys a security-hardened EKS cluster via Terraform/Terragrunt with ArgoCD, Kyverno, Falco, Istio, and Kubecost pre-configured. Available on GitHub at github.com/cloudon-one/kubelaunch-essentials.

Learn more

FinOps Guardian

FinOps Guardian is a free, open-source cost governance toolkit for AWS and GCP. It automatically detects idle resources, provides cost-saving recommendations, and cleans up unused infrastructure. Deployed with Terraform, it runs serverlessly on Lambda and Cloud Functions. Available on GitHub at github.com/cloudon-one/FinOps-Guardian.

Learn more

SecureOps

SecureOps is a free, open-source GitHub Action that performs automated security scanning on repositories. It detects secrets, vulnerabilities, and misconfigurations using Gitleaks, Trivy, and OSV-Scanner. Generates multi-format reports and integrates with GitHub Security tab. Available on GitHub at github.com/cloudon-one/git-security-scanner-public.

Learn more

Run Multi-Cloud Runway in your environment.

Clone the repo and deploy with Terraform — or book an engineering call for hands-on help adapting it to your stack.

View on GitHub Book an Engineering Call