Deprecated -- Migrated to PLAT-0010 on 2026-05-02 per ADR-0047. This source file is retained as a reference; the canonical content is in PLAT-0010.

# ADR-0025: Multi-Cloud Strategy and Terraform Approach

Date: 2026-04-06

Status: Accepted

## Context
The Archon Platform homelab hosts critical services (k3s workloads, Infisical, AWX) on physical nodes with a single UPS for power resilience. No cloud failover exists. The portfolio site (peries.ca) runs exclusively on Cloudflare Pages. Multi-cloud redundancy was identified as a Phase 3+ objective covering three scenarios:
- Active-active web presence across multiple cloud providers
- DNS-level geo-redundancy independent of any single provider
- DR failover for critical homelab services to cloud
## Decision

### Multi-cloud providers
| Provider | Account | Purpose | Tier |
|---|---|---|---|
| Azure | REDACTED | Primary cloud -- Static Web Apps, Blob Storage, DR failover | Free tier |
| GCP | peries-209922 (270375183603) | Secondary cloud -- Cloud Run, Cloud Storage | Free tier |
| Cloudflare | peries.ca zone | DNS, CDN, Pages (primary web hosting) | Free tier |
| AWS | TBD | Tertiary -- activate when needed | Free tier |
| Alibaba Cloud | International/Singapore | DashScope AI API (translation) | Free trial |
### Terraform approach
- State backend: Local state initially, migrate to Terraform Cloud (free tier) when multi-cloud grows
- Repository: archon-cloud repo -- one folder per provider (azure/, gcp/, cloudflare/, aws/)
- Credentials: All provider credentials stored in Infisical, injected at runtime -- never hardcoded
- Scope -- Phase 3: Provider configuration + credentials only. First real resources: Azure Static Web Apps (peries.ca failover) + Terraform state backend on Azure Blob Storage
- Scope -- Phase 4+: GCP Cloud Run deployment, DNS failover strategy, DR for homelab services
### Free tier constraints

All Terraform-managed resources must stay within free tier limits:

- Azure: Static Web Apps (free), Blob Storage (5GB/12mo), no VMs beyond B1s
- GCP: Cloud Run (2M requests/month), Cloud Storage (5GB), e2-micro VM (1/month)
- No GPU resources, no managed databases, no premium networking
### Service principal credentials
| Secret | Infisical key | Provider |
|---|---|---|
| Azure SP App ID | AZURE_CLIENT_ID | Azure |
| Azure SP Password | AZURE_CLIENT_SECRET | Azure |
| Azure Tenant ID | AZURE_TENANT_ID | Azure |
| Azure Subscription ID | AZURE_SUBSCRIPTION_ID | Azure |
| GCP Service Account Key | GCP_SERVICE_ACCOUNT_KEY | GCP (base64 JSON) |
| Cloudflare API Token | CLOUDFLARE_API_TOKEN | Cloudflare |
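The runtime-injection rule from the Terraform approach and the key names from the credentials table, as an added wrapper that is not part of the ADR or the archon-cloud repo: it refuses to run if any Infisical key is missing, maps the keys onto the environment variables the azurerm, google and cloudflare providers read, decodes the base64 GCP key in memory, and blocks a run when a .tf file in the provider folder hardcodes a credential. The `infisical run` invocation, the `tf.sh` file name and the `TF_DIR` variable are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not code from the ADR or the archon-cloud repo. Assumes the
# Infisical CLI has already injected the table's keys into the environment
# (e.g. `infisical run -- ./tf.sh plan`). ARM_*, GOOGLE_CREDENTIALS and
# CLOUDFLARE_API_TOKEN are the variables the azurerm, google and cloudflare
# providers read; the Infisical key names are those in the table above.

# Fail closed: every key from the credentials table must be present and non-empty.
require_keys() {
  for k in AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID \
           AZURE_SUBSCRIPTION_ID GCP_SERVICE_ACCOUNT_KEY CLOUDFLARE_API_TOKEN; do
    eval "v=\${$k:-}"
    [ -n "$v" ] || { echo "missing Infisical key: $k" >&2; return 1; }
  done
}

# Map Infisical names onto provider names. GCP_SERVICE_ACCOUNT_KEY is stored as
# base64 JSON, so it is decoded straight into GOOGLE_CREDENTIALS (the google
# provider accepts JSON contents), keeping the key file off disk.
export_provider_env() {
  export ARM_CLIENT_ID="$AZURE_CLIENT_ID"
  export ARM_CLIENT_SECRET="$AZURE_CLIENT_SECRET"
  export ARM_TENANT_ID="$AZURE_TENANT_ID"
  export ARM_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID"
  GOOGLE_CREDENTIALS="$(printf '%s' "$GCP_SERVICE_ACCOUNT_KEY" | base64 -d)" || return 1
  export GOOGLE_CREDENTIALS CLOUDFLARE_API_TOKEN
}

# Guard for "never hardcoded": return 1 (and print the offending lines) if any
# .tf file under the provider folder assigns a credential attribute a literal.
scan_hardcoded_secrets() {
  dir="${1:-.}"
  [ -d "$dir" ] || return 1
  if grep -rnE --include='*.tf' \
      '^[[:space:]]*(client_id|client_secret|tenant_id|subscription_id|credentials|api_token)[[:space:]]*=[[:space:]]*"[^"]+"' \
      "$dir"; then
    echo "hardcoded credential found in $dir" >&2
    return 1
  fi
  return 0
}

# Wrapper used as: TF_DIR=azure ./tf.sh plan
tf_run() {
  require_keys && export_provider_env && scan_hardcoded_secrets "${TF_DIR:-.}" &&
    terraform -chdir="${TF_DIR:-.}" "$@"
}
```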
## Consequences
- Terraform manages cloud resources only -- homelab IaC remains in Ansible/k3s
- Local Terraform state is acceptable for Phase 3 scope (low blast radius)
- Free tier limits constrain what can be provisioned -- documented per provider
- AWS activation deferred until a specific use case requires it
- DNS geo-redundancy deferred -- requires independent DNS provider decision (NS1, Route53, PowerDNS)
- All credentials rotate via the secret rotation runbook (docs/internal/secret-rotation.md)
## Related ADRs
- ADR-0002: Infisical for secrets
- ADR-0006: Power outage strategy (DR motivation)
- ADR-0008: CanEast public naming
- ADR-0022: ADO project consolidation