Multi-Cloud Terraform — Manage AWS, GCP, and Azure from One Codebase

Let us be clear: running the same workload on two cloud providers for "redundancy" is almost never worth the complexity cost. True multi-cloud — where you abstract away the provider and deploy identically on AWS or GCP — requires enormous engineering investment and sacrifices provider-specific features that are often the reason you chose a cloud provider in the first place.

What does make sense is multi-cloud by purpose: your application runs on AWS, your data analytics pipeline uses BigQuery on GCP, your identity provider is Azure AD, and your CDN is Cloudflare. Each provider is chosen for its strengths, and Terraform manages all of them from one repository.

Another valid scenario is disaster recovery. Your primary workload runs on AWS, and a warm standby environment on GCP or Azure is ready to take over if AWS has a regional outage. Terraform provisions both environments from shared modules, with provider-specific implementations behind a consistent interface.

We also see multi-cloud in acquisitions, where two companies merge and one runs on AWS while the other runs on GCP. Terraform provides a unified management plane while the team gradually consolidates or builds cross-cloud networking.

We organize the codebase with provider-specific directories under a shared root. Each provider has its own state backend (S3 for AWS, GCS for GCP, Azure Storage for Azure) because cross-provider state backends add unnecessary risk. A shared modules/ directory contains provider-agnostic logic (naming conventions, tagging standards, configuration generation).

Provider-specific modules implement the same interface with different backends. A database module on AWS provisions RDS, on GCP provisions Cloud SQL, and on Azure provisions Azure Database. The consuming code calls the module with the same variables regardless of provider. This abstraction is thin — we do not hide provider-specific features, but we standardize the common patterns.

Cross-cloud networking uses VPN tunnels or dedicated interconnects between providers. Terraform manages both ends: an AWS VPN Gateway paired with a GCP Cloud VPN, or an AWS Direct Connect paired with Azure ExpressRoute. Security groups and firewall rules on both sides are managed in the same PR, ensuring they stay in sync.

CI/CD runs provider-specific pipelines in parallel. An AWS change triggers the AWS plan/apply workflow; a GCP change triggers the GCP workflow. Cross-provider changes (like networking updates that affect both sides) run sequentially with dependency ordering to ensure consistency.

A multi-cloud Terraform setup tailored to your specific provider combination:

• Unified repository — all cloud providers managed from one codebase with consistent structure
• Provider-specific modules — optimized for each provider while sharing common interfaces
• Independent state — per-provider state backends with encryption and locking
• Cross-cloud networking — VPN or interconnect with firewall rules managed together
• Parallel CI/CD — per-provider pipelines with dependency handling for cross-provider changes
• Credential management — OIDC federation for each provider, no long-lived keys
• Cost reporting — unified tagging strategy across providers for consolidated cost visibility