Provisioning AWS used to be three tools. Foundry makes it one.
Why Foundry exists
Every serious AWS shop ends up running the same three tools:
- Something for provisioning — Terraform, CloudFormation, CDK, Pulumi.
- Something for inventory — AWS Config, Steampipe, a homegrown collector.
- Something for compliance + cost optimization — Trusted Advisor, AWS Config rules, Prowler, an off-the-shelf CSPM.
They don't talk to each other. You describe a bucket in Terraform, AWS Config notices it exists, a CSPM scans it for encryption, and Trusted Advisor writes you a note about storage class tier. Four different perspectives on the same bytes.
Foundry collapses the whole stack into one tool — one WebSocket, one data model, one set of resource definitions used for both provisioning and inventory.
How it works
Authoring a stack is authoring a flat list of CloudFormation-shaped resources:
{
"type": "AWS::S3::Bucket",
"logical_id": "AssetsBucket",
"properties": {
"BucketName": "foundry-assets-prod",
"VersioningEnabled": true,
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"IgnorePublicAcls": true,
"BlockPublicPolicy": true,
"RestrictPublicBuckets": true
}
}
}
If you can read CloudFormation, you can read Foundry. Refs + GetAtt work as expected; the dependency graph builds itself.
Then:
foundry_plan_deploymentproduces a colored diff against live AWS state.foundry_apply_deploymentruns the plan in topological order via boto3.foundry_destroy_stackreverses the order.foundry_import_stackscans existing resources by tag or ARN and materializes them into a Foundry stack that's fully manageable going forward.
The frontend opens exactly one bidirectional WebSocket. No REST, no polling, no version-skew between the plan you saw and the plan that applied.
What's in the box
- 57 CloudFormation-shaped resource types, all with
create/read/update/delete+ moto-backed lifecycle tests. - 39 inventory discoverers + 44 CloudTrail event patterns — batch and real-time coverage of every AWS service Foundry touches.
- 27 Trusted-Advisor-style checks covering cost, security, performance, and fault tolerance — with dollar estimates where applicable.
- 6 compliance packs (CIS, PCI-lite, HIPAA, NIST 800-53 Moderate, ops-hygiene) totaling 36 rules, declaratively evaluated against the inventory.
- 8 cost estimators backed by the AWS Pricing API.
- Subnet-level IP availability plus pre-deploy ENI footprint estimation so you don't blow through
/24headroom on apply. - AWS Organizations discovery + cross-account assume-role chain + ControlTower reader + parallel fleet scanner with bounded concurrency.
- 43 MCP tools — every capability above is a tool that Claude (or any MCP client) can call directly.
Under the hood
- Provisioning: boto3 only. No Terraform, no CDK, no CloudFormation templates.
- Backend: FastAPI with a single
/wsWebSocket,/mcpfor FastMCP, and three tiny service-only REST routes (auth probe, Narrative import hook, CloudTrail ingest). That's it. - State: PostgreSQL with async SQLAlchemy.
- Cross-instance fan-out: Valkey pub/sub.
- Frontend: React 19 + Vite 6 + TypeScript, single WebSocket client, canonical
AvianApp.renderauth. - Observability: structlog + Prometheus + OpenTelemetry → Chronicle.
The one that builds itself
The nerdiest part: Foundry bootstraps its own production deployment stack using its own resource library. scripts/bootstrap_production.py authors the 11-resource stack (ECR + target group + listener rule + Route53 + SSM + CodeBuild + CodePipeline), plans it with foundry.plan, applies it with foundry.apply. After first apply, Foundry takes over management of itself via foundry_import_stack. No chicken-and-egg, no Terraform bootstrap scraps left in the tree.
Status
Live and in production today. The legacy Nimbus / Kipp / Skyline triplet is retired.