European Sovereign Cloud

Why the Nuvibit Terraform Collection is ahead of classic AWS landing zones

Last month, adesso announced a strategic partnership with nuvibit. With the Nuvibit Terraform Collection (NTC), nuvibit offers a product solution that allows an enterprise-ready landing zone platform to be set up on AWS in a very short time – automated, standardised and consistently ‘as code’ .

Classic AWS landing zone approaches in comparison

Other solutions in the AWS ecosystem make similar promises:

• AWS Control Tower can be set up in a few hours and forms the basis for complementary solutions such as Account Factory for Terraform (AFT) or Customisations for Control Tower (CfCT).
• The Landing Zone Accelerator (LZA) also provides a comprehensive landing zone environment in a very short time.

AFT and CfCT are powerful frameworks that enable companies to develop, expand and operate their own landing zones. LZA, on the other hand, is a very powerful solution for deploying complex environments at impressive speed.

What all approaches have in common is that they offer a high degree of automation and standardisation via infrastructure as code – including account vending, baseline configurations and much more.

Where the Nuvibit Terraform Collection differs fundamentally

The key difference of the Nuvibit Terraform Collection is already evident in its foundation: it deliberately dispenses with AWS Control Tower as a central element. Instead, the associated capabilities are implemented in a modular fashion.

Some examples:

• CloudTrail: A central audit trail is undoubtedly useful, but does not require a Control Tower service to be deployed.
• Service Control Policies (SCPs): Centralised management of guardrails can also be implemented independently of the Control Tower.
• Account vending and security and compliance baselines: NTC provides these functions as reusable, modular building blocks.

These features are integrated into NTC from the outset. This allows platform and DevOps teams to focus directly on the parts of the infrastructure that have truly individual requirements, rather than having to deal with the limitations of a central AWS service first.

Technical basis: Open, flexible, community-driven

Technically, the Nuvibit Terraform Collection is based on OpenTofu, a fork of Terraform 1.5. The solution is open source and is continuously developed by the community.

For customers, this means:

• The NTC is used in conjunction with a version control system (VCS) of your choice – for example, GitHub, GitLab or Bitbucket.
• Platform engineers work directly in their own VCS and maintain the platform configurations there. Changes remain entirely in the customer's possession.
• Established CI/CD systems such as GitHub Actions, AWS CodePipeline or Spacelift can be used for deployment, depending on the company's tooling strategy.

In short, the platform adapts to the existing toolchain, not the other way around.

European Sovereign Cloud: Opportunities – and a problem for traditional landing zones

With the launch of the European Sovereign Cloud (ESC) as the fourth AWS partition, European customers now have access to a digitally sovereign AWS cloud. It is particularly attractive for public sector clients and highly regulated industries.

The downside is that only a limited service catalogue is available at launch. Many specialised services will only be available in the ESC at a later date – if at all. This also applies to two services that are now considered by many to be ‘standard’ for landing zone platforms.

• AWS CodePipeline
• Amazon IAM Identity Centre

IAM Identity Centre in the ESC

The IAM Identity Centre has now established itself as the de facto standard for connecting to the company-wide identity provider and for centralised access management. Availability for the ESC has been announced for the first half of the year (check the current roadmap).

Until then, a proven approach from the ‘pre-SSO era’ remains:

• Centralised management of IAM users in a dedicated AWS account
• Access to target accounts via cross-account roles via STS

Although this approach is tried and tested, it is functionally limited and more administratively complex than Identity Center.

CodePipeline in the ESC – a real gap

Unlike Identity Centre, there is currently no concrete commitment to the availability of AWS CodePipeline in the ESC. At the same time, there is no equivalent native AWS replacement service within the ESC that could easily substitute CodePipeline.

This is particularly problematic for CfCT and AFT, as both rely heavily on CodePipeline and use the service as one of their key technologies. Without CodePipeline, these solutions can only be operated to a limited extent or not at all as intended.

Why the Nuvibit solution has a clear advantage in the ESC

This is exactly where the Nuvibit Terraform Collection shows its strength:

• In the NTC, AWS CodePipeline is only one option, not a hard-wired requirement.
• CI/CD is deliberately designed to be tool-agnostic.

Instead, depending on customer requirements and ESC support, alternative runners and platforms can be used, for example:

• GitHub Actions
• Other CI/CD runners (such as GitLab CI, Jenkins)
• Specialised platforms such as Spacelift

For ESC customers, this means:

• Landing zone automation is not linked to the availability of CodePipeline.
• The existing CI/CD landscape can continue to be used – even in a sovereign cloud environment.
• The platform architecture remains future-proof because it can be adapted to new or changed services in the ESC without having to rebuild the foundation.

Conclusion

Classic approaches to landing zones, such as Control Tower with AFT/CfCT or LZA, are powerful but quickly reach their limits in the European Sovereign Cloud because they are heavily dependent on specific AWS services such as CodePipeline.

Comparison of AWS landing zone approaches