Migrated from ADR-0025 on 2026-05-02 per ADR-0047. Source file retained with deprecation banner at
docs/adr/0025-multi-cloud-terraform-strategy.md.
# PLAT-0010 — Multi-Cloud Strategy and Terraform Approach
| Field | Value |
|---|---|
| Status | Accepted |
| Date | 2026-04-06 |
| Author | Ben Peries |
| Sources | ADR-0025 |
## Context
The Archon Platform homelab hosts critical services (k3s workloads, Infisical, AWX) on physical nodes with a single UPS for power resilience. No cloud failover exists. The portfolio site (peries.ca) runs exclusively on Cloudflare Pages. Multi-cloud redundancy was identified as a Phase 3+ objective covering three scenarios:
- Active-active web presence across multiple cloud providers
- DNS-level geo-redundancy independent of any single provider
- DR failover for critical homelab services to cloud
## Decision
### Multi-cloud providers
| Provider | Account | Purpose | Tier |
|---|---|---|---|
| Azure | REDACTED | Primary cloud — Static Web Apps, Blob Storage, DR failover | Free tier |
| GCP | peries-209922 (270375183603) | Secondary cloud — Cloud Run, Cloud Storage | Free tier |
| Cloudflare | peries.ca zone | DNS, CDN, Pages (primary web hosting) | Free tier |
| AWS | TBD | Tertiary — activate when needed | Free tier |
| Alibaba Cloud | International/Singapore | DashScope AI API (translation) | Free trial |
### Terraform approach
- State backend: Local state initially, migrate to Terraform Cloud (free tier) when multi-cloud grows
- Repository: archon-cloud repo — one folder per provider (azure/, gcp/, cloudflare/, aws/)
- Credentials: All provider credentials stored in Infisical, injected at runtime — never hardcoded
- Scope — Phase 3: Provider configuration + credentials only. First real resources: Azure Static Web Apps (peries.ca failover) + Terraform state backend on Azure Blob Storage
- Scope — Phase 4+: GCP Cloud Run deployment, DNS failover strategy, DR for homelab services
### Free tier constraints
All Terraform-managed resources must stay within free tier limits:
- Azure: Static Web Apps (free), Blob Storage (5GB/12mo), no VMs beyond B1s
- GCP: Cloud Run (2M requests/month), Cloud Storage (5GB), e2-micro VM (1/month)
- No GPU resources, no managed databases, no premium networking
### Service principal credentials
| Secret | Infisical key | Provider |
|---|---|---|
| Azure SP App ID | AZURE_CLIENT_ID | Azure |
| Azure SP Password | AZURE_CLIENT_SECRET | Azure |
| Azure Tenant ID | AZURE_TENANT_ID | Azure |
| Azure Subscription ID | AZURE_SUBSCRIPTION_ID | Azure |
| GCP Service Account Key | GCP_SERVICE_ACCOUNT_KEY | GCP (base64 JSON) |
| Cloudflare API Token | CLOUDFLARE_API_TOKEN | Cloudflare |
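The runtime injection described under "Terraform approach", worked through for the keys in the table above, as an added example that is not code from the archon-cloud repo: a POSIX shell wrapper, called `tf-env.sh` here, that runs under `infisical run` and maps the Infisical key names onto the environment variables the azurerm, google and cloudflare providers read. It fails closed when any secret is absent (so Terraform can never fall back to ambient `az`/`gcloud` credentials) and checks that `GCP_SERVICE_ACCOUNT_KEY` decodes to a service-account key. The provider variable names (`ARM_*`, `GOOGLE_CREDENTIALS`, `GOOGLE_PROJECT`), the file name, and the `TF_IN_AUTOMATION` setting are assumptions about those providers, not something this record states.

```shell
#!/bin/sh
# tf-env.sh (hypothetical wrapper, not part of archon-cloud): bridge the
# Infisical keys from the credentials table to the environment variables the
# Terraform providers read, and refuse to run when any secret is missing.
#
# Intended invocation:  infisical run -- ./tf-env.sh plan
# Assumptions not stated in the ADR: azurerm reads ARM_*, google reads
# GOOGLE_CREDENTIALS/GOOGLE_PROJECT, cloudflare reads CLOUDFLARE_API_TOKEN.
set -eu

# Infisical keys from the credentials table; all are mandatory.
REQUIRED_KEYS="AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID GCP_SERVICE_ACCOUNT_KEY CLOUDFLARE_API_TOKEN"
GCP_PROJECT_ID="peries-209922"   # project id from the provider table

# require_keys: fail closed, naming (never printing) the missing secrets.
require_keys() {
  missing=""
  for k in $REQUIRED_KEYS; do
    eval "v=\${$k:-}"
    [ -n "$v" ] || missing="$missing $k"
  done
  if [ -n "$missing" ]; then
    echo "tf-env: missing Infisical secrets:$missing" >&2
    return 1
  fi
  return 0
}

# decode_gcp_key: the Infisical value is base64 JSON; decode it and check it is
# a service-account key rather than, say, a user ADC file pasted by mistake.
decode_gcp_key() {
  json=$(printf '%s' "${GCP_SERVICE_ACCOUNT_KEY:-}" | base64 -d 2>/dev/null) || {
    echo "tf-env: GCP_SERVICE_ACCOUNT_KEY is not valid base64" >&2
    return 1
  }
  case "$json" in
    *'"type"'*'"service_account"'*) printf '%s' "$json" ;;
    *) echo "tf-env: decoded key is not a service_account key" >&2; return 1 ;;
  esac
}

# export_provider_env: the actual mapping; exports only provider-native names.
export_provider_env() {
  require_keys || return 1
  export ARM_CLIENT_ID="$AZURE_CLIENT_ID"
  export ARM_CLIENT_SECRET="$AZURE_CLIENT_SECRET"
  export ARM_TENANT_ID="$AZURE_TENANT_ID"
  export ARM_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID"
  GOOGLE_CREDENTIALS=$(decode_gcp_key) || return 1
  export GOOGLE_CREDENTIALS
  export GOOGLE_PROJECT="$GCP_PROJECT_ID"
  export CLOUDFLARE_API_TOKEN   # same name on both sides; export in case it was only set
  export TF_IN_AUTOMATION=1     # suppress interactive hints; no behaviour change
}

# Run Terraform only when executed as a script; sourcing just defines the functions.
case "${0##*/}" in
  tf-env.sh) export_provider_env && exec terraform "$@" ;;
esac
```

Because the decoded service-account JSON is handed to the provider through `GOOGLE_CREDENTIALS` rather than written to a key file, nothing lands on disk, and the error path names only the missing key, never its value.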
## Consequences
- Terraform manages cloud resources only — homelab IaC remains in Ansible/k3s
- Local Terraform state is acceptable for Phase 3 scope (low blast radius); the state file records resource attributes in plaintext, so it stays out of version control
- Free tier limits constrain what can be provisioned — documented per provider
- AWS activation deferred until a specific use case requires it
- DNS geo-redundancy deferred — requires independent DNS provider decision (NS1, Route53, PowerDNS)
- All credentials rotate via the secret rotation runbook (docs/internal/secret-rotation.md)
## References
- IAM-0001 — Infisical for secrets
- PLAT-0007 — Power outage strategy (DR motivation)