QuantumForge is a working, policy-as-code post-quantum cryptography readiness program (the QuantumForge PQC GRC Framework): Terraform modules for hybrid-PQC AWS infrastructure, Rego/OPA policies for crypto discovery, risk scoring, and compliance gating, and GitHub Actions pipelines that turn all of it into continuously generated audit evidence.
This repo implements the four-phase QuantumForge program end to end:
| Phase | What lives here |
|---|---|
| 1. Discovery & Inventory | policies/discovery/ — Rego classifier for crypto assets in Terraform plan/state JSON |
| 2. Vulnerability Prioritization | policies/scoring/ — Rego risk-scoring engine (HNDL exposure × data classification × remediation cost) |
| 3. Cryptographic Agility Architecture | modules/hybrid-pqc-kms/, modules/hybrid-pqc-alb/, policies/hybrid/ — hybrid-PQC Terraform modules + Conftest crypto-agility gate |
| 4. Continuous Compliance | .github/workflows/ — CI pipelines producing signed evidence bundles and a CMVP status monitor |
Every module, policy, and workflow in this repo has been validated (terraform validate, opa test, conftest test — see Validation status below) before being committed.
quantumforge/
├── main.tf # root module wiring both hybrid-PQC modules
├── variables.tf, outputs.tf, versions.tf
├── modules/
│ ├── hybrid-pqc-kms/ # AWS KMS ML-DSA (FIPS 204) signing key module
│ └── hybrid-pqc-alb/ # AWS ALB/NLB hybrid post-quantum TLS listener module
├── policies/
│ ├── discovery/ # Phase 1 — crypto asset classifier + unit tests
│ ├── scoring/ # Phase 2 — risk scoring engine + unit tests
│ └── hybrid/ # Phase 3/4 — crypto-agility Conftest gate + unit tests
├── examples/sandbox/ # Mock Terraform plan JSON fixtures for exercising the gate without a live AWS account
├── watchlist/cmvp-watchlist.json # Phase 4 — libraries tracked against the NIST CMVP Modules in Process list
├── .github/workflows/
│ ├── census.yml # Phase 1 — PR-triggered crypto census + CBOM generation
│ ├── pqc-compliance-gate.yml # Phase 3/4 — policy tests, Trivy/Checkov scans, Conftest gate, evidence bundle
│ └── cmvp-monitor.yml # Phase 4 — scheduled CMVP status check
├── ingest/, reports/, evidence/ # CI output directories (gitignored, kept with .gitkeep)
Install locally before working with this repo (full detailed setup steps are in the companion PQC Readiness Program Build Guide document shared alongside this repo):
- Terraform >= 1.8.0
- OPA (
opa) - Conftest (
conftest) - AWS CLI v2, configured with credentials that can manage KMS and ELBv2 resources
- (Optional, for CBOM generation) Node.js +
npm install -g @cyclonedx/cdxgen - (Optional, for the full PQC test harness described in the build guide) WSL2/Linux with
liboqs+liboqs-python
git clone <this-repo-url>
cd quantumforge
# 1. Unit-test every policy before trusting it
opa test -v policies/discovery/ policies/scoring/ policies/hybrid/
# 2. Validate the Terraform
terraform init
terraform validate
# 3. Plan against your own AWS account (requires real credentials)
terraform plan -out=tfplan
terraform show -json tfplan > plan.json
# 4. Run the crypto-agility gate against your plan
conftest test plan.json -p policies/hybrid/By default enable_hybrid_pqc_kms = true and enable_hybrid_pqc_alb = false (the ALB module needs an existing load balancer/target group/certificate — see variables.tf). Flip enable_hybrid_pqc_alb to true and supply existing_load_balancer_arn, existing_target_group_arn, and existing_acm_certificate_arn to provision the hybrid-PQC listener too.
examples/sandbox/ contains two hand-built plan-JSON fixtures so you can see the gate work without touching a real AWS account:
# Should FAIL — classical-only RSA signing key + classical TLS policy
conftest test examples/sandbox/mock-plan-classical-fail.json -p policies/hybrid/
# Should PASS — ML-DSA signing key + hybrid post-quantum TLS policy
conftest test examples/sandbox/mock-plan-hybrid-pass.json -p policies/hybrid/Provisions an aws_kms_key with key_usage = "SIGN_VERIFY" and a post-quantum customer_master_key_spec (ML_DSA_44 / ML_DSA_65 / ML_DSA_87 — enforced by a variable validation block). Keys are generated and protected inside FIPS 140-3 Security Level 3 validated HSMs by AWS KMS. Signing uses the ML_DSA_SHAKE_256 algorithm (see the signing_algorithm output).
Asymmetric keys, including ML-DSA keys, do not support AWS-managed automatic rotation — enable_key_rotation is hardcoded false and key rotation must be handled operationally (provision a new key, dual-sign/verify during transition, retire the old key via the deletion_window_in_days grace period).
Provisions an aws_lb_listener on port 443 using AWS's hybrid post-quantum TLS security policy (ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 by default), which negotiates X25519MLKEM768, SecP256r1MLKEM768, or SecP384r1MLKEM1024 hybrid key exchange with PQ-capable clients and falls back to classical TLS 1.2/1.3 for clients that don't yet support ML-KEM. A variable validation block requires any ssl_policy override to still contain PQ — this module exists specifically to enforce PQ-capable listeners; use a plain aws_lb_listener resource directly if you need a classical-only listener for some other purpose.
Azure note: Azure Key Vault / Managed HSM PQC support is still tracking through 2026 and is not yet available for direct Terraform provisioning as of this writing. There is intentionally no hybrid-pqc-azure module yet — track Azure readiness as a roadmap item rather than building against an unstable/unavailable API surface.
Classifies aws_kms_key and aws_lb_listener resources found in a Terraform plan/state JSON document into post_quantum / classical_only / symmetric / unknown (KMS) or hybrid_post_quantum / classical_only (TLS listeners). Exposes an inventory (partial set of classified assets) and a summary (roll-up counts) rule — the latter is what the Phase 1 Executive Crypto-Census Briefing is built from.
Takes enriched asset metadata (data_retention_years, data_classification, remediation_cost) and produces a weighted score (0–100) and tier (critical/high/medium/low). priority_matrix buckets a full batch of assets by tier — this is the Phase 2 PQC Migration Priority Matrix.
The Phase 3/4 Crypto-Agility Gate. deny rules block:
- Any
aws_lb_listenerwithprotocol = "HTTPS"whosessl_policydoesn't containPQ - Any
aws_kms_keywithkey_usage = "SIGN_VERIFY"whosecustomer_master_key_specisn't anML_DSA_*spec
A warn rule flags ML_DSA_44 (NIST security level 1) signing keys as a candidate for upgrade to ML_DSA_65/ML_DSA_87 on National Security System assets. The gate fails safe: if no data.config.enforce_cutover override is supplied, enforce_cutover defaults to true.
census.yml— runs on every PR touching.tfor discovery-policy files; unit-tests the discovery policy, classifies the plan, regenerates the CBOM, and uploads both as artifacts.pqc-compliance-gate.yml— runs on every PR and push tomain; unit-tests all three policy packages, runs Trivy and Checkov IaC scans, runs the Conftest crypto-agility gate against the real plan, regenerates the CBOM, and (on push tomain) assembles a signed, 7-year-retention evidence bundle. Uses GitHub OIDC federation for AWS credentials — no static keys are stored in the repo. Before this runs against a real AWS account, provision an IAM role trusted for GitHub OIDC and set its ARN as theQUANTUMFORGE_EVIDENCE_ROLE_ARNrepository secret, then uncomment theconfigure-aws-credentialsstep.cmvp-monitor.yml— scheduled weekly job scaffolding a check of the NIST CMVP Modules in Process list againstwatchlist/cmvp-watchlist.json. The actual diff-and-issue logic is left as aworkflow_dispatch-testable stub (if: falseon the issue-creation step) — wire in real diffing against a stored previous snapshot before enabling it in production.
Everything in this repo was validated before commit:
| Check | Result |
|---|---|
terraform validate (modules/hybrid-pqc-kms) |
✅ Success |
terraform validate (modules/hybrid-pqc-alb) |
✅ Success |
terraform validate (root module) |
✅ Success |
terraform fmt -check -recursive |
✅ Clean |
opa test policies/discovery/ |
✅ 10/10 passed |
opa test policies/scoring/ |
✅ 10/10 passed |
opa test policies/hybrid/ |
✅ 6/6 passed |
conftest test against a classical-only mock plan |
✅ Correctly denies (2 failures) |
conftest test against a hybrid-PQC mock plan |
✅ Correctly passes |
| GitHub Actions workflow YAML | ✅ Parses cleanly |
terraform plan against a real AWS account was not exercised in this environment since no AWS credentials are attached — the modules and root plan resolve correctly up to the point of needing live AWS API access (aws_caller_identity / KMS/ELB API calls).
- NIST, FIPS 203 — Module-Lattice-Based Key-Encapsulation Mechanism Standard
- NIST, FIPS 204 — Module-Lattice-Based Digital Signature Standard
- AWS KMS Developer Guide, ML-DSA Keys in AWS KMS
- AWS Documentation, Security Policies for Your Application Load Balancer — hybrid PQ-TLS policy
ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 - Terraform Registry,
aws_kms_keyresource docs —ML_DSA_44/ML_DSA_65/ML_DSA_87key spec support - NSA, CNSA 2.0
- NIST CSRC, CMVP Modules in Process List
- Open Quantum Safe project —
liboqs/oqs-provider - Open Policy Agent / Conftest
- PQC Readiness Program Build Guide — the full four-phase program design (Discovery & Inventory, Vulnerability Prioritization, Cryptographic Agility Architecture, Continuous Compliance) that this repo implements in Terraform, Rego, and CI.
See ROADMAP.md for planned work — currently focused on making the risk-scoring model impact-driven and expanding module coverage beyond AWS to Azure, GCP, on-prem, and other environments.
Contributions are welcome — see CONTRIBUTING.md for development setup, testing requirements, and the PR process. Please review SECURITY.md before reporting any vulnerabilities, and CODE_OF_CONDUCT.md for community standards.
Part of the QuantumForge PQC GRC Framework. This is the implementation repo for the companion PQC Readiness Program Build Guide document.
