Reference Architecture

An opinionated, end-to-end tech stack built on top of the Infrastructure as Code Library that we deploy into your AWS accounts in about a day.

A new standard for architecture

Enterprise Only
The Reference Architecture is only available with Enterprise Subscriptions.

The Reference Architecture is an opinionated, battle-tested, best-practices way of setting up all the foundational pieces you need to get started with AWS and Terraform, including:

  • AWS multi-account structure: Gruntwork Landing Zone.
  • Network topology: VPCs, subnets, route tables, VPN, etc.
  • CI / CD: Pipelines.
  • Auth: AWS Identity Center (SSO), IAM roles, OIDC, etc.
  • Guard Rails: SCPs, AWS Config, GuardDuty, CloudTrail, etc.
  • Compliance: Gruntwork Compliance.

We generate the Reference Architecture based on your needs, deploy it into your AWS accounts, and give you 100% of the code. Since you own all the code, you can extend, enhance, and customize it as much as you need. The deploy process takes about a day. Contact Us to set up a demo.

Figure: An example AWS Reference Architecture.

How It Works

Choose your architecture options

You can customize the following aspects of your architecture:

AWS accounts:
  • Default: logs, security, shared, dev, stage, and prod
  • Primary region
Account vending:
  • Pure Terraform
  • Control Tower Integration (Gruntwork Enterprise only)
Controls and guard rails:
  • GuardDuty, Macie, IAM Access Analyzer
  • SCPs, AWS Config Rules (Gruntwork Enterprise only)
  • IAM users, IAM roles, OIDC
  • AWS Identity Center / SSO (Gruntwork Enterprise only)
CI server:
  • GitHub Actions
  • GitLab
  • CircleCI
Network topology:
  • VPC: subnets, route tables, IGW, NAT, NACLs.
  • Network entrypoint: VPN or bastion host.
Example configuration of apps and data stores:
  • Orchestration: EKS, EKS Fargate, ECS, or none
  • Database: PostgreSQL, MySQL, SQL Server, Aurora, or none
  • Cache: Redis, Memcached, or none
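As an added illustration of the "IAM roles, OIDC" and "GitHub Actions" options above, the Terraform below shows the trust policy a CI deploy role needs so that a GitHub Actions workflow can assume it with short-lived credentials instead of stored IAM user keys. This is example code written for this page, not a module from the Reference Architecture; the role name, the two variables, and the repository/branch path are assumptions. The security point is the second policy's `sub` condition: a trust policy that checks only `aud` accepts tokens from any GitHub repository, because every GitHub Actions token carries that audience.

```hcl
# Added example, not Gruntwork's Reference Architecture code.
# Role name, variable names, and the repo/branch path are assumptions.

variable "github_org" {
  type = string
}

variable "github_repo" {
  type = string
}

# GitHub's OIDC identity provider, registered once per AWS account.
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Widely published root CA thumbprint for GitHub's OIDC endpoint; verify it
  # against the endpoint's current certificate chain before relying on it.
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

# WEAK: any GitHub repository in the world can assume a role that uses this
# document, because the only condition checks the audience claim, which every
# GitHub Actions token carries. Shown for contrast; not attached to the role.
data "aws_iam_policy_document" "github_trust_weak" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

# HARDENED: additionally pin the subject claim to one repository and one
# branch, so only workflows running on main in that repo get credentials.
data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_org}/${var.github_repo}:ref:refs/heads/main"]
    }
  }
}

# The deploy role trusts only the hardened policy document.
resource "aws_iam_role" "github_deploy" {
  name                 = "github-actions-deploy"
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600
}
```

The permissions policy attached to the role is separate and should be scoped to what the pipeline deploys in that account; the trust policy only controls who may assume it. If the workflow runs under a GitHub deployment environment rather than a branch, the subject takes the form `repo:ORG/REPO:environment:NAME`, and `StringLike` with a wildcard in the `sub` value widens the trust boundary and should be avoided for production accounts.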

Gruntwork deploys your architecture

We generate the architecture using Terragrunt, Terraform, Bash, Python, and Go, deploy the resources to your AWS accounts, validate the configuration, and then push the code to your git repository.

Learn how to use it

Use Gruntwork Docs and the DevOps Training Library to learn how to use your new architecture.

Get guided onboarding (Gruntwork Enterprise only)

Work directly with the Gruntwork team to get started with your architecture.

Get support

If you run into a snag, ask a question on our community support channel in Slack. Or sign up for Pro or Enterprise Support to talk directly with Gruntwork engineers via a private shared Slack channel or email, with a guaranteed response time.

Keep your code up to date automatically

Patcher streamlines keeping your code up to date, even across breaking changes.

Reference Architecture Features

  • Infrastructure as Code: written in Terraform, Terragrunt, Go, Python, and Bash. You get 100% of the code.
  • Proven with hundreds of Gruntwork customers.
  • A fully-working, best-practices tech stack deployed in AWS in about a day.
  • Designed for high availability, scalability, and durability.
  • Account-level segmentation, centralized audit trail, network segmentation, encrypted by default, server hardening, and more.
  • Training videos and documentation included.


Check out the Pricing page for details. Please note that to use the Reference Architecture, you must be a Gruntwork Subscriber.