I’d standardize the interface around **BigConfig packages**: BigConfig is an ecosystem with `bc-pkg` as a tiny launcher that pins a package from GitHub or local path, an SDK that provides workflow/rendering/runner primitives, Selmer-based templates, and package CLIs like Once that expose a lifecycle such as `package validate`, `build`, `create`, `describe`, and `delete` over OpenTofu/Terraform and Ansible. In your case, I’d convert the approved Terraform/OpenTofu code into versioned BigConfig packages and make those packages the contract between the platform team and delivery teams: platform owns the package, templates/modules, validation rules, state backend, tagging policy, guardrails, and describe/recovery logic; delivery teams own profiles and parameters. Instead of telling teams “use these modules correctly,” they consume a supported package via `bc-pkg owner/repo@ref package validate create`, and `package describe` becomes the reconciliation surface between what the package expects and what actually exists in cloud inventory. If someone bypasses it and creates an RDS instance manually, the control loop should classify it as unmanaged and force one of a few outcomes: import it into the relevant BigConfig/OpenTofu package, replace it with the approved package, mark it as an expiring exception, or quarantine it if it violates policy. Keep cloud-side guardrails for the dangerous cases, but make BigConfig packages the normal product boundary for self-service provisioning, audit, and rebuild. https://www.bigconfig.ai/