Abdelhady-elgendy
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 25 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎.github/workflows/docs.yml‎
Lines changed: 27 additions & 0 deletions b/‎.github/workflows/docs.yml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 6 additions & 0 deletions b/‎.gitignore‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 7 additions & 0 deletions b/‎CONTRIBUTING.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 169 additions & 2 deletions b/‎README.md‎
Lines changed: 169 additions & 2 deletions
diff --git a/‎ci-templates/github-actions.yml‎
Lines changed: 95 additions & 0 deletions b/‎ci-templates/github-actions.yml‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎ci-templates/gitlab-ci.yml‎
Lines changed: 56 additions & 0 deletions b/‎ci-templates/gitlab-ci.yml‎
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,25 @@
+name: ci
+
+on:
+  pull_request:
+  push:
+    branches: ["main"]
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.6.6"
+      - name: Terraform fmt
+        run: terraform fmt -recursive -check
+      - name: Terraform validate (examples)
+        run: |
+          for d in examples/*; do
+            if [ -d "$d" ]; then
+              echo "Validating $d"
+              (cd "$d" && terraform init -backend=false -input=false && terraform validate)
+            fi
+          done
@@ -0,0 +1,27 @@
+name: docs
+
+on:
+  push:
+    branches: ["main"]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+      - name: Install MkDocs
+        run: pip install mkdocs
+      - name: Build site
+        run: mkdocs build --clean
+      - name: Deploy to GitHub Pages
+        uses: peaceiris/actions-gh-pages@v4
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: site
@@ -0,0 +1,6 @@
+.terraform/
+*.tfstate
+*.tfstate.*
+.terraform.lock.hcl
+.DS_Store
+*.log
@@ -0,0 +1,4 @@
+# Changelog
+
+## v0.1.0
+- Initial scaffold
@@ -0,0 +1,7 @@
+# Contributing
+
+Thanks for contributing!
+
+- Use `terraform fmt -recursive`
+- Add docs updates in `docs/`
+- Add diagrams in `diagrams/`
@@ -1,2 +1,169 @@
-# terraform-apigee-enterprise-stack
-Production-grade Terraform Stack for Apigee X on GCP (Enterprise-ready, opinionated, secure-by-default)
+# Terraform Apigee Enterprise Stack (GCP) - Production-Grade Terraform Stacks Reference Architecture
+
+**terraform-apigee-enterprise-stack** is an opinionated, **enterprise-ready** reference implementation for deploying **Apigee X on Google Cloud (GCP)** using **Terraform Stacks**.  
+It gives platform teams a repeatable way to provision **Apigee Org, Instances, Environments, EnvGroups, networking, DNS, IAM, and KMS (CMEK)** with secure-by-default patterns.
+
+> Keywords: Terraform Apigee X, Apigee Terraform, Apigee X Terraform Stack, GCP API Management Terraform, Apigee enterprise architecture, Apigee landing zone, Apigee private ingress, Apigee CMEK, Apigee multi-region HA.
+
+---
+
+## Why this repository exists
+
+Many Apigee Terraform examples are either low-level or incomplete for enterprise rollouts. This stack provides:
+
+- **Terraform Stacks-first** structure for platform engineering and multi-environment workflows
+- **Secure-by-default** networking patterns (private ingress, controlled egress, IAM least privilege)
+- **Enterprise readiness**: CMEK, logging/monitoring hooks, clear separation of duties, production checklists
+- **Battle-tested repo hygiene**: examples, docs, diagrams, changelog, CI scaffolding
+
+---
+
+## What you can deploy
+
+### Apigee control plane (platform)
+- Apigee Org (existing Google Cloud Org / project model)
+- Apigee X Instances (single region or multi-region)
+- Apigee Environments and EnvGroups
+- Hostnames + DNS record structure (authoritative DNS external to this repo is supported)
+
+### Enterprise foundations
+- Networking patterns for Apigee runtime access (**private ingress** supported)
+- **Cloud KMS (CMEK)** for supported resources (where applicable)
+- IAM roles and service accounts for platform vs application teams
+
+---
+
+## Architecture diagrams
+
+- **Single-region production**: `diagrams/png/apigee-single-region.png`
+- **Multi-region HA**: `diagrams/png/apigee-multi-region-ha.png`
+- **CI/CD + Policy**: `diagrams/png/apigee-cicd-policy.png`
+
+Mermaid sources:
+- `diagrams/mermaid/apigee-single-region.mmd`
+- `diagrams/mermaid/apigee-multi-region-ha.mmd`
+- `diagrams/mermaid/apigee-cicd-policy.mmd`
+
+## Docs (MkDocs)
+
+The docs live in `docs/` and can be published with MkDocs.
+
+Local preview:
+
+```
+mkdocs serve
+```
+
+Deploy to GitHub Pages:
+
+```
+mkdocs gh-deploy --force
+```
+
+---
+
+## Repository layout
+
+```text
+terraform-apigee-enterprise-stack/
+├── stacks/
+│   ├── apigee-platform/             # Apigee control plane + foundation components
+│   │   ├── stack.hcl                 # Terraform Stacks entrypoint
+│   │   ├── variables.tf
+│   │   ├── outputs.tf
+│   │   └── components/
+│   │       ├── iam/
+│   │       ├── kms/
+│   │       ├── networking/
+│   │       ├── org/
+│   │       ├── instances/
+│   │       ├── environments/
+│   │       └── envgroups/
+│   └── runtime/                      # Optional runtime ingress/DNS patterns
+│       ├── stack.hcl
+│       ├── components/
+│       │   ├── ingress/
+│       │   ├── dns/
+│       │   └── observability/
+├── policies/                         # Policy-as-code examples (OPA/Conftest-ready)
+├── examples/                         # End-to-end example deployments
+├── docs/                             # Enterprise documentation
+├── diagrams/                         # Mermaid + PNG diagrams
+└── .github/workflows/                # CI scaffolding (fmt, validate, docs)
+```
+
+---
+
+## Quickstart (10-15 minutes)
+
+> This repo is designed for **platform engineering teams**. If you are new to Apigee X, start with the docs: `docs/01-overview.md`.
+
+### Prerequisites
+- Terraform >= 1.6
+- Google Cloud project(s) + permissions
+- Apigee API enabled
+- A VPC strategy decided (shared VPC recommended for enterprises)
+
+### Steps
+1. Clone and enter the repo
+2. Copy an example:
+   - `examples/single-region/` (recommended first)
+3. Populate `terraform.tfvars`
+4. Run:
+   - `terraform init`
+   - `terraform plan`
+   - `terraform apply`
+
+> Terraform Stacks workflow depends on your Terraform Stacks runtime (Terraform Cloud/Enterprise, or local stacks toolchain if available in your environment).  
+> This repo includes both **Stacks structure** and **plain Terraform module execution** paths.
+
+---
+
+## Production checklist
+
+See: `docs/06-production-checklist.md`
+
+Highlights:
+- Enable CMEK where supported
+- Separate projects for platform vs app teams
+- Centralized logging/monitoring and alerting
+- Define hostname strategy and certificate lifecycle
+- Adopt policy-as-code and drift detection
+
+---
+
+## Security & compliance
+
+- Least-privilege IAM patterns in `stacks/apigee-platform/components/iam`
+- CMEK/KMS scaffolding in `stacks/apigee-platform/components/kms`
+- Policy examples in `policies/`
+
+See: `docs/05-security.md`
+
+---
+
+## Examples
+
+- `examples/single-region/` - single region baseline (prod-ready starter)
+- `examples/multi-region-ha/` - multi-region HA pattern (active/active-ish routing patterns)
+
+---
+
+## Roadmap
+
+- v1.0: Single-region platform stack + private ingress patterns + docs
+- v1.1: Multi-region HA reference + runbooks
+- v1.2: GitHub/GitLab CI templates + policy gate examples
+- v2.0: Apigee Edge -> X migration helper docs and scripts
+
+---
+
+## Contributing
+
+PRs welcome. Please read `CONTRIBUTING.md` and open an issue for architectural changes.
+
+---
+
+## License
+
+MIT. See `LICENSE`.
@@ -0,0 +1,95 @@
+name: terraform-enterprise-template
+
+on:
+  pull_request:
+  push:
+    branches: ["main"]
+
+env:
+  TF_VERSION: "1.6.6"
+  TF_DIR: "examples/single-region"
+
+jobs:
+  fmt-validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+      - name: Terraform fmt
+        run: terraform fmt -recursive -check
+      - name: Terraform validate
+        run: |
+          cd "${TF_DIR}"
+          terraform init -backend=false -input=false
+          terraform validate
+
+  tflint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: terraform-linters/setup-tflint@v3
+      - name: TFLint
+        run: |
+          tflint --init
+          tflint -f compact
+
+  checkov:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Checkov
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: .
+
+  policy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Conftest
+        run: |
+          curl -L -o conftest.tar.gz https://github.com/open-policy-agent/conftest/releases/latest/download/conftest_Linux_x86_64.tar.gz
+          tar -xzf conftest.tar.gz
+          sudo mv conftest /usr/local/bin
+      - name: Conftest policy gate
+        run: conftest test -p policies "${TF_DIR}"
+
+  plan:
+    runs-on: ubuntu-latest
+    needs: [fmt-validate, tflint, checkov, policy]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+      - name: Terraform plan
+        run: |
+          cd "${TF_DIR}"
+          terraform init -input=false
+          terraform plan -out=tfplan
+      - name: Upload plan artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: tfplan
+          path: ${{ env.TF_DIR }}/tfplan
+
+  apply:
+    runs-on: ubuntu-latest
+    needs: [plan]
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+      - name: Download plan artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: tfplan
+          path: ${{ env.TF_DIR }}
+      - name: Terraform apply
+        run: |
+          cd "${TF_DIR}"
+          terraform apply -input=false tfplan
@@ -0,0 +1,56 @@
+stages:
+  - validate
+  - policy
+  - plan
+  - approval
+  - apply
+
+variables:
+  TF_VERSION: "1.6.6"
+  TF_DIR: "examples/single-region"
+
+validate:
+  stage: validate
+  image: hashicorp/terraform:${TF_VERSION}
+  script:
+    - terraform fmt -recursive -check
+    - cd "${TF_DIR}"
+    - terraform init -backend=false -input=false
+    - terraform validate
+
+policy:
+  stage: policy
+  image: alpine:3.19
+  script:
+    - apk add --no-cache curl tar
+    - curl -L -o conftest.tar.gz https://github.com/open-policy-agent/conftest/releases/latest/download/conftest_Linux_x86_64.tar.gz
+    - tar -xzf conftest.tar.gz
+    - mv conftest /usr/local/bin/conftest
+    - conftest test -p policies "${TF_DIR}"
+
+plan:
+  stage: plan
+  image: hashicorp/terraform:${TF_VERSION}
+  script:
+    - cd "${TF_DIR}"
+    - terraform init -input=false
+    - terraform plan -out=tfplan
+  artifacts:
+    paths:
+      - ${TF_DIR}/tfplan
+
+approval:
+  stage: approval
+  when: manual
+  script:
+    - echo "Manual approval required"
+
+apply:
+  stage: apply
+  image: hashicorp/terraform:${TF_VERSION}
+  dependencies:
+    - plan
+  script:
+    - cd "${TF_DIR}"
+    - terraform apply -input=false tfplan
+  when: manual