TerraformPilot

DevOps

Terraform for AI-Native Development Platforms on AWS

Provision AI-native developer platforms with Terraform: sandboxes, CI/CD runners, model-serving environments, secrets, VPCs, and preview environments.

Luca Berton · 1 min read

AI-native development platforms are one of the strongest 2026 trends — engineering organizations are moving from "AI-assisted" to "AI-first" toolchains, where code, tests, infrastructure, and review are all generated and validated by AI agents inside opinionated developer platforms. Terraform is the control plane that makes those platforms repeatable.

This guide shows how to provision the foundation of an AI-native developer platform on AWS with Terraform.

What an AI-Native Platform Needs

| Capability         | AWS service                                   | Terraform module                          |
|--------------------|-----------------------------------------------|-------------------------------------------|
| Developer sandboxes | EKS namespaces, IAM Roles for Service Accounts | aws_eks_cluster, kubernetes_namespace     |
| CI/CD runners      | EC2 Spot, ECS, GitHub Actions runners on EKS  | aws_launch_template, helm_release         |
| Model serving      | SageMaker endpoints, Bedrock, EKS + KServe    | aws_sagemaker_endpoint                    |
| Secrets            | AWS Secrets Manager + IRSA                    | aws_secretsmanager_secret                 |
| Artifact registry  | ECR, S3, CodeArtifact                         | aws_ecr_repository                        |
| Preview envs       | Per-PR namespaces + Route53 wildcards         | kubernetes_namespace, aws_route53_record  |

Multi-Tenant EKS Cluster

module "platform_cluster" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"
 
  cluster_name    = "ai-platform"
  cluster_version = "1.31"
 
  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets
 
  enable_irsa = true
 
  eks_managed_node_groups = {
    general = {
      instance_types = ["m7i.2xlarge"]
      min_size       = 3
      desired_size   = 6
      max_size       = 24
    }
 
    gpu = {
      instance_types = ["g5.2xlarge"]
      min_size       = 0
      desired_size   = 0
      max_size       = 8
 
      labels = { workload = "gpu" }
      taints = [{
        key    = "nvidia.com/gpu"
        value  = "true"
        effect = "NO_SCHEDULE"
      }]
    }
  }
}

Per-Developer Sandbox Namespaces

variable "developers" {
  type = set(string)
}
 
resource "kubernetes_namespace" "sandbox" {
  for_each = var.developers
 
  metadata {
    name = "sandbox-${each.key}"
    labels = {
      "platform.io/owner" = each.key
      "platform.io/type"  = "sandbox"
    }
  }
}
 
resource "kubernetes_resource_quota" "sandbox" {
  for_each = var.developers
 
  metadata {
    name      = "quota"
    namespace = kubernetes_namespace.sandbox[each.key].metadata[0].name
  }
 
  spec {
    hard = {
      "requests.cpu"            = "8"
      "requests.memory"         = "32Gi"
      "requests.nvidia.com/gpu" = "1"
      "limits.cpu"              = "16"
      "limits.memory"           = "64Gi"
      "pods"                    = "50"
    }
  }
}

Preview Environments per Pull Request

resource "aws_route53_zone" "preview" {
  name = "preview.platform.example.com"
}
 
resource "aws_acm_certificate" "preview" {
  domain_name               = "preview.platform.example.com"
  subject_alternative_names = ["*.preview.platform.example.com"]
  validation_method         = "DNS"
}

A GitHub Actions workflow then runs terraform apply -var "pr_number=$PR" to spin up a namespace and Route53 record per pull request, and terraform destroy on close.

Secrets via IRSA

# The secret is created here but its value is set out of band (console, CLI or a
# rotation Lambda) so the plaintext never lands in Terraform state. The name is a
# placeholder; choose your own naming scheme.
resource "aws_secretsmanager_secret" "openai_key" {
  name = "platform/openai-api-key"
}

data "aws_iam_policy_document" "secrets_read" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.openai_key.arn]
  }
}

# A policy document has no ARN of its own; it must be wrapped in a managed policy
# before the IRSA module can attach it to the role.
resource "aws_iam_policy" "secrets_read" {
  name   = "platform-secrets-read"
  policy = data.aws_iam_policy_document.secrets_read.json
}

module "secrets_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5.0"
 
  role_name = "platform-secrets"
  role_policy_arns = {
    read = aws_iam_policy.secrets_read.arn
  }
 
  # Only the platform:secrets-reader service account may assume this role;
  # sandbox namespaces get no path to the key.
  oidc_providers = {
    main = {
      provider_arn               = module.platform_cluster.oidc_provider_arn
      namespace_service_accounts = ["platform:secrets-reader"]
    }
  }
}

Best Practices

  • Use Terraform Stacks to split networking, EKS, platform addons, and per-team workloads.
  • Enforce policy with OPA/Conftest in CI so developers can't escalate quota or skip taints.
  • Tag everything with owner, cost-center, and pr-number so finance can attribute spend.
  • Automate teardown of preview environments with TTL labels and a scheduled terraform destroy.
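As an added example (not part of the article or of TerraformPilot's own code), here is a Conftest policy for the second bullet, run in CI against `terraform show -json tfplan > plan.json` with `conftest test plan.json`. The resource types and field paths follow the aws and kubernetes providers' plan JSON; the one-GPU cap, the `workload=gpu` label, the `nvidia.com/gpu` taint and the `platform.io/*` labels are taken from the sandbox and node-group definitions above.

```rego
package main

import rego.v1

# Input is the JSON of `terraform show -json tfplan`. Only resources that still
# exist after the plan (change.after != null) are inspected.
gpu_key := "requests.nvidia.com/gpu"
max_sandbox_gpus := 1  # matches the sandbox quota in the article

resources := {r | some r in input.resource_changes; r.change.after != null}

# Rule 1: a sandbox quota may not request more GPUs than the platform cap.
deny contains msg if {
	some r in resources
	r.type == "kubernetes_resource_quota"
	gpus := to_number(r.change.after.spec[0].hard[gpu_key])
	gpus > max_sandbox_gpus
	msg := sprintf("%s: requests %v GPUs, sandbox cap is %v", [r.address, gpus, max_sandbox_gpus])
}

# Rule 2: a managed node group labelled workload=gpu must carry the
# nvidia.com/gpu NO_SCHEDULE taint, otherwise untainted pods land on GPU nodes.
deny contains msg if {
	some r in resources
	r.type == "aws_eks_node_group"
	r.change.after.labels.workload == "gpu"
	not has_gpu_taint(r.change.after.taint)  # undefined taint list also denies
	msg := sprintf("%s: GPU node group is missing the nvidia.com/gpu NO_SCHEDULE taint", [r.address])
}

has_gpu_taint(taints) if {
	some t in taints
	t.key == "nvidia.com/gpu"
	t.effect == "NO_SCHEDULE"
}

# Rule 3: every sandbox namespace must name an owner so spend and access can be attributed.
deny contains msg if {
	some r in resources
	r.type == "kubernetes_namespace"
	labels := r.change.after.metadata[0].labels
	labels["platform.io/type"] == "sandbox"
	not labels["platform.io/owner"]
	msg := sprintf("%s: sandbox namespace has no platform.io/owner label", [r.address])
}
```

Conftest exits non-zero when any `deny` rule fires, so wiring it into the same workflow that runs `terraform plan` blocks the merge before `apply`.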