Trying to connect cloud architecture (CAF / Zero Trust) with IaC validation

Source: Dev.to

We often say that architecture defines intent, while Infrastructure as Code (IaC) defines implementation.
In practice, they drift apart very quickly.

• Architecture lives in documents (CAF, Zero Trust, internal HLDs)
• IaC reflects what is actually deployed
• There is no reliable way to verify that one matches the other

The problem

IaC gives us precision, but not meaning.
Architecture gives us meaning, but not verification.

So we end up in a situation where:

• a system is “correctly deployed”
• but architecturally wrong

We only discover the mismatch during reviews, audits, or incidents.

A small experiment

I built a small PoC to explore whether architecture can be represented as a structured model and validated against Terraform state.

Idea:

Risk → Control → Constraint → Implementation → Validation

Instead of validating individual resources, the model allows evaluation of architecture at multiple levels.

Mapping level

• PASS – resource matches expected configuration
• FAIL – resource exists but is misconfigured
• MISSING – resource is not present

Control level

• FAILED – at least one mapping fails
• INCOMPLETE – partially implemented
• MISSING – not implemented at all

Risk level

• EXPOSED – controls are not fully implemented

Example

In the demo scenario:

• one control fails because of a parameter mismatch
• another is only partially implemented
• another fails due to tag mismatch
• another is completely missing

The validator aggregates this into:

FAILED control → EXPOSED risk

So instead of asking:

“Is this resource compliant?”

you can ask:

“Is this architectural risk exposed?”

What this tries to explore

This is not about replacing IaC or policy engines.
It’s about introducing an additional layer:

• linking architectural intent (risk / control)
• to implementation (Terraform)
• and verifying that link continuously

Open questions

I’m still exploring whether this makes sense outside my own use case. Some questions I’m interested in:

• Does this model actually help in real environments?
• Is “control‑level” validation useful, or is it over‑engineering?
• How would this scale in large architectures?
• Where would this break?

Repo

I’ve put together a small working PoC with:

• a simple architecture model (YAML)
• a validator against Terraform state
• a demo showing different failure modes

👉

Happy to hear thoughts, especially from people working with Terraform, Azure, or security architecture.