feat: add vendor-agnostic cloud schema for AWS, GCP, and Azure (#20)

* feat: add vendor-agnostic cloud schema for AWS, GCP, and Azure

Add a comprehensive cloud schema to store compute and networking objects
across multiple cloud providers in a vendor-agnostic way.

Schema includes:
- CloudProvider, CloudAccount, CloudRegion, CloudAvailabilityZone
- CloudVirtualNetwork, CloudSubnet, CloudSecurityGroup
- CloudInstance, CloudNetworkInterface
- CloudInternetGateway, CloudNATGateway, CloudRouteTable, CloudElasticIP

Also includes:
- Demo object files with sample data for all 3 cloud providers
- New `invoke demo-cloud` task to load the cloud demo data

* ruff

* docs: add cloud resource management tutorial

Add documentation for the cloud schema and demo data:
- New cloud-management.mdx tutorial explaining the vendor-agnostic
  cloud schema for AWS, GCP, and Azure
- Update readme.mdx to reference the new tutorial
- Update sidebars.ts to include the new page in navigation

* Edits of docs

* Spelling

Author: petercrocker

.gitignore

@@ -15,7 +15,8 @@
 **/*.tar.xz
 docker-compose.yml
 generated-configs/
+infrahub_backups/
 infrahub_bundle_dc.egg-info
 infrahub-backup
 scripts/debug/
-service_catalog/.streamlit/
+service_catalog/.streamlit/

.vale/styles/spelling-exceptions.txt

@@ -23,6 +23,7 @@ dns
 Docker's
 Dockerfile
 Docusaurus
+ENIs
 env
 envrc
 evolvability
@@ -47,6 +48,8 @@ mermaid
 namespace
 namespaces
 Netbox
+NICs
+NSGs
 netmiko
 npm
 OSPF
@@ -72,5 +75,7 @@ uv
 VIPs
 VLAN
 VLANs
+VNets
+VPCs
 VXLAN
 walkthrough

docs/docs/cloud-management.mdx

@@ -0,0 +1,195 @@
+---
+title: Cloud resource management
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+This tutorial shows an example of cloud resource management schema, which provides a vendor-agnostic way to model cloud infrastructure across AWS, GCP, and Azure. You'll load sample cloud data and explore how Infrahub can serve as a unified inventory for multi-cloud environments.
+
+## Overview
+
+The cloud schema enables you to track:
+
+- **Cloud providers** - AWS, GCP, Azure, or other cloud platforms
+- **Cloud accounts** - AWS accounts, GCP projects, Azure subscriptions
+- **Regions and availability zones** - Geographic locations and fault domains
+- **Virtual networks** - VPCs (AWS), VPC networks (GCP), VNets (Azure)
+- **Subnets** - Network segments within virtual networks
+- **Security groups** - Network access control rules (Security Groups, Firewall Rules, NSGs)
+- **Compute instances** - Virtual machines across all providers
+- **Network infrastructure** - Internet gateways, NAT gateways, route tables, elastic IPs
+- **Network interfaces** - ENIs, NICs attached to instances
+
+This vendor-agnostic model allows you to manage multi-cloud infrastructure from a single source of truth, with consistent naming and relationships regardless of the underlying cloud provider.
+
+## Prerequisites
+
+Before starting this tutorial, ensure you have:
+
+- Completed the [installation guide](./install.mdx) and have Infrahub running
+- Loaded the bootstrap data and schemas
+- Access to the Infrahub web interface at `http://localhost:8000`
+
+## Loading cloud demo data
+
+The demo includes sample data for all three major cloud providers with realistic infrastructure examples.
+
+The easiest way to load the cloud demo is using the provided invoke task:
+
+```bash
+uv run invoke demo-cloud
+```
+
+This command:
+
+1. Creates a new branch named `demo-cloud`
+2. Loads all schemas (including the cloud schema)
+3. Loads cloud object files with sample data for AWS, GCP, and Azure
+4. Displays a URL to view the cloud resources
+
+## Exploring cloud resources
+
+After loading the demo data, navigate to the cloud resources in the Infrahub web interface.
+
+### Viewing all cloud resources
+
+1. Ensure you're on the correct branch (for example, `demo-cloud`)
+2. Navigate to **Cloud Resource** in the left sidebar menu
+3. You'll see a list of all cloud resource types
+
+Or access the cloud resources directly:
+
+```text
+http://localhost:8000/objects/CloudResource?branch=demo-cloud
+```
+
+### Sample data structure
+
+The demo includes a comprehensive multi-cloud environment:
+
+#### Cloud providers (3)
+
+- Amazon Web Services (AWS)
+- Google Cloud Platform (GCP)
+- Microsoft Azure
+
+#### Cloud accounts (12)
+
+Each provider has production, staging, and development accounts:
+
+- `opsmill-aws-production`, `opsmill-aws-staging`, `opsmill-aws-dev`
+- `opsmill-gcp-production`, `opsmill-gcp-staging`, `opsmill-gcp-dev`
+- `opsmill-azure-production`, `opsmill-azure-staging`, `opsmill-azure-dev`
+
+#### Regions and availability zones
+
+- **AWS**: US East (N. Virginia), US West (Oregon), EU West (Ireland)
+- **GCP**: US Central (Iowa), US East (South Carolina), Europe West (Belgium)
+- **Azure**: East US, West US 2, West Europe
+
+Each region includes 3 availability zones.
+
+#### Virtual networks (12)
+
+VPCs and VNets across all accounts with various configurations:
+
+- Production VPCs with public and private subnets
+- Staging and development networks
+- DNS support and hostname configuration
+
+#### Compute instances (19)
+
+Various instance types across all providers:
+
+- Web servers, application servers, database servers
+- Linux and Windows instances
+- Different instance sizes (t3.large, m5.xlarge, n1-standard-2, Standard_D2s_v3, etc.)
+
+#### Network infrastructure
+
+- Internet gateways for public connectivity
+- NAT gateways for private subnet outbound access
+- Route tables for traffic routing
+- Elastic/static IP addresses
+- Network interfaces with security group associations
+
+## Schema architecture
+
+The cloud schema uses a hierarchical structure with clear relationships:
+
+```text
+CloudProvider
+  └── CloudAccount
+        └── CloudVirtualNetwork
+              ├── CloudSubnet
+              ├── CloudSecurityGroup
+              ├── CloudInternetGateway
+              └── CloudRouteTable
+
+CloudRegion
+  └── CloudAvailabilityZone
+        └── CloudInstance
+              └── CloudNetworkInterface
+```
+
+### Key relationships
+
+- **CloudAccount** belongs to a **CloudProvider** (parent relationship)
+- **CloudRegion** is associated with a **CloudProvider**
+- **CloudAvailabilityZone** belongs to a **CloudRegion** (parent relationship)
+- **CloudVirtualNetwork** is associated with a **CloudAccount** and **CloudRegion**
+- **CloudSubnet** belongs to a **CloudVirtualNetwork** (parent relationship)
+- **CloudInstance** is associated with a **CloudAccount**, **CloudAvailabilityZone**, and **CloudSubnet**
+- **CloudSecurityGroup** can be attached to **CloudInstance** and **CloudNetworkInterface**
+
+### Common attributes
+
+All cloud resources inherit from the `CloudResource` generic, providing:
+
+- `name` - Resource name
+- `description` - Optional description
+- `cloud_id` - Provider-specific resource identifier (ARN, resource ID, etc.)
+- `status` - Operational status (active, stopped, provisioning, terminating, error)
+- `tags` - Optional tags for categorization
+
+## Use cases
+
+### Multi-cloud inventory
+
+Use Infrahub as a single source of truth for all cloud resources:
+
+- Track resources across AWS, GCP, and Azure in one place
+- Maintain consistent naming conventions
+- Link cloud resources to on-premises infrastructure
+
+### Security auditing
+
+Query security groups and their associations:
+
+- Identify instances with specific security group configurations
+- Audit network access rules across all clouds
+- Track public IP assignments
+
+### Capacity planning
+
+Analyze compute resources across your cloud footprint:
+
+- Count instances by type, region, or provider
+- Track resource utilization patterns
+- Plan for growth and optimization
+
+### Network documentation
+
+Document your cloud network architecture:
+
+- Map virtual networks, subnets, and routing
+- Track NAT and internet gateway configurations
+- Document network interface assignments
+
+## Next steps
+
+For more information on Infrahub concepts, see:
+
+- **[Understanding the concepts](./concepts.mdx)** - Core Infrahub patterns
+- **[Developer guide](./developer-guide.mdx)** - Extending schemas and creating transforms

docs/docs/readme.mdx

@@ -35,6 +35,7 @@ This documentation is organized following the [Diataxis framework](https://diata
 | **[User walkthrough](./user-walkthrough.mdx)** | A complete hands-on tutorial that guides you through the end-user experience: creating topologies, managing branches, running generators, creating proposed changes, and validating configurations. Perfect for learning the workflow from start to finish. |
 | **[Deploy a virtual lab with Containerlab](./containerlab-deployment.mdx)** | Learn how to deploy generated configurations to a virtual network lab using Containerlab. Extract device configurations and topology files from Infrahub, spin up virtual Arista cEOS switches, and test your data center fabric before production deployment. |
 | **[Working with security management](./security-management.mdx)** | Explore Infrahub's security management capabilities by examining firewall policies, security zones, and address objects. Learn how structured security data transforms into vendor-specific firewall configurations (Juniper JunOS) and how to modify policies safely using branches. |
+| **[Cloud resource management](./cloud-management.mdx)** | Manage multi-cloud infrastructure (AWS, GCP, Azure) with a vendor-agnostic schema. Load demo cloud data including accounts, regions, virtual networks, instances, and security groups. Learn how Infrahub serves as a unified inventory for cloud resources. |
 | **[Using the service catalog](./service-catalog.mdx)** | Learn how to use the Service Catalog web interface for simplified infrastructure provisioning. Enable the Streamlit application, navigate between branches, view existing infrastructure, and create new data centers through a guided form-based workflow that automates branch creation and generator execution. |
 
 ### Guides
@@ -82,6 +83,7 @@ The demo implements realistic network topologies including:
 - **Point of presence (POP) networks** with edge routers and peering connections
 - **Network segments** with load balancers and service endpoints
 - **Security zones and policies** with firewall rules and access control
+- **Cloud infrastructure** with vendor-agnostic modeling for AWS, GCP, and Azure
 - **Resource pools** for IP address, VLAN, and ASN allocation
 - **Multi-vendor support** (Arista, Juniper, Cisco, and SONiC templates)
 - **Automated topology generation** from abstract design definitions

docs/sidebars.ts

@@ -17,6 +17,7 @@ const sidebars: SidebarsConfig = {
         'user-walkthrough',
         'containerlab-deployment',
         'security-management',
+        'cloud-management',
         'service-catalog',
       ],
     },

objects/cloud/01_cloud_providers.yml

@@ -0,0 +1,21 @@
+# Cloud Providers - AWS, GCP, and Azure
+---
+apiVersion: infrahub.app/v1
+kind: Object
+spec:
+  kind: CloudProvider
+  data:
+    - name: "Amazon Web Services"
+      provider_type: aws
+      console_url: "https://console.aws.amazon.com"
+      organization: "AWS"
+
+    - name: "Google Cloud Platform"
+      provider_type: gcp
+      console_url: "https://console.cloud.google.com"
+      organization: "Google Cloud"
+
+    - name: "Microsoft Azure"
+      provider_type: azure
+      console_url: "https://portal.azure.com"
+      organization: "Azure"

objects/cloud/02_cloud_accounts.yml

@@ -0,0 +1,72 @@
+# Cloud Accounts/Projects/Subscriptions for all three providers
+---
+apiVersion: infrahub.app/v1
+kind: Object
+spec:
+  kind: CloudAccount
+  data:
+    # AWS Accounts
+    - name: "opsmill-aws-production"
+      account_id: "123456789012"
+      description: "OpsMill Production AWS Account"
+      status: active
+      environment: production
+      provider: "Amazon Web Services"
+
+    - name: "opsmill-aws-staging"
+      account_id: "123456789013"
+      description: "OpsMill Staging AWS Account"
+      status: active
+      environment: staging
+      provider: "Amazon Web Services"
+
+    - name: "opsmill-aws-dev"
+      account_id: "123456789014"
+      description: "OpsMill Development AWS Account"
+      status: active
+      environment: development
+      provider: "Amazon Web Services"
+
+    # GCP Projects
+    - name: "opsmill-gcp-production"
+      account_id: "opsmill-prod-12345"
+      description: "OpsMill Production GCP Project"
+      status: active
+      environment: production
+      provider: "Google Cloud Platform"
+
+    - name: "opsmill-gcp-staging"
+      account_id: "opsmill-stg-12345"
+      description: "OpsMill Staging GCP Project"
+      status: active
+      environment: staging
+      provider: "Google Cloud Platform"
+
+    - name: "opsmill-gcp-dev"
+      account_id: "opsmill-dev-12345"
+      description: "OpsMill Development GCP Project"
+      status: active
+      environment: development
+      provider: "Google Cloud Platform"
+
+    # Azure Subscriptions
+    - name: "opsmill-azure-production"
+      account_id: "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+      description: "OpsMill Production Azure Subscription"
+      status: active
+      environment: production
+      provider: "Microsoft Azure"
+
+    - name: "opsmill-azure-staging"
+      account_id: "b2c3d4e5-f6a7-8901-bcde-f12345678901"
+      description: "OpsMill Staging Azure Subscription"
+      status: active
+      environment: staging
+      provider: "Microsoft Azure"
+
+    - name: "opsmill-azure-dev"
+      account_id: "c3d4e5f6-a7b8-9012-cdef-123456789012"
+      description: "OpsMill Development Azure Subscription"
+      status: active
+      environment: development
+      provider: "Microsoft Azure"