Internal Tool

Foundry

Forge infrastructure. Track everything.

Features

One Tool for Provisioning, Inventory, and Compliance

Provision AWS resources via boto3 — no Terraform, no CloudFormation templates, no CDK. CloudFormation-shaped types, full plan / apply / destroy, drift detection, immutable stack versioning with rollback. Import every existing AWS-deployed stack with one call. Org-wide inventory across all member accounts and regions, 120+ compliance pack rules, full Trusted-Advisor-style check suite, AWS Pricing API cost rollups, and subnet-level IP availability — all behind a single bidirectional WebSocket and ~60 MCP tools.

Provisioning

boto3, Not Terraform

  • AWS-Shaped Resource Types

    Every supported resource maps 1:1 to a CloudFormation-style type name (AWS::EC2::VPC, AWS::S3::Bucket, AWS::RDS::DBInstance) with the same property names and shapes. Author resources in the language you already know — no bespoke schema DSL.

  • Pure boto3 Engine

    Resource creation, update, and deletion go through the AWS Python SDK only. No Terraform, no CloudFormation templates, no CDK. Every type is a Python class with explicit create / read / update / delete handlers.

  • Plan, Apply, Destroy

    Every change produces a plan (the diff of desired vs. live) before execution. Apply runs the plan; destroy tears down a stack in reverse topological order. Re-running a plan against a converged stack yields an empty diff.

  • Dependency Resolution

    Foundry computes a resource dependency graph from Ref- and GetAtt-style property references (the CloudFormation Ref and Fn::GetAtt intrinsics) and executes operations in topological order, so a resource is never created before the resources it references. Cycles are rejected at plan time, before any API call is made.

  • Atomic Deployments with Rollback

    A deployment is recorded with an immutable plan, start / end timestamps, status (pending / in-progress / succeeded / failed / rolled-back), and per-resource outcomes. On failure, Foundry attempts a best-effort rollback of the resources created in that deployment. Rollback is best-effort because AWS offers no cross-resource transaction: a failed deployment can leave resources that the deployment record identifies but that still need manual cleanup if a delete call itself fails.
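
The dependency-resolution and ordering behaviour described above, as an added example that is not Foundry's own code. It assumes resources are plain dicts shaped like the page describes (type, logical_id, properties, optional dependencies) and that references use the CloudFormation intrinsics {"Ref": ...} and {"Fn::GetAtt": [...]} inside the properties tree; stack parameters are not modelled, and Ref to a pseudo-parameter such as AWS::Region is treated as a non-dependency. The sample stack at the bottom is constructed for illustration.

```python
"""Dependency graph from CloudFormation-style intrinsics, with cycle rejection.

Added example, not Foundry's own code.  Resources are dicts with type,
logical_id, properties and optional dependencies (assumed shape).
"""
from typing import Any


class CycleError(ValueError):
    """Raised at plan time when the resource graph is not a DAG."""


def find_refs(node: Any) -> set[str]:
    """Walk a properties tree and collect every logical id it references."""
    refs: set[str] = set()
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            refs.add(node["Ref"])
        elif set(node) == {"Fn::GetAtt"}:
            target = node["Fn::GetAtt"]
            # CloudFormation accepts both ["Res", "Attr"] and the "Res.Attr" short form.
            refs.add(target[0] if isinstance(target, list) else target.split(".", 1)[0])
        else:
            for value in node.values():
                refs |= find_refs(value)
    elif isinstance(node, list):
        for value in node:
            refs |= find_refs(value)
    return refs


def build_graph(resources: list[dict]) -> dict[str, set[str]]:
    """Map each logical_id to the set of logical_ids it depends on.

    Only references to resources in the same stack count.  A Ref to a
    pseudo-parameter (AWS::Region, AWS::AccountId, ...) is not a dependency;
    any other unknown target is an authoring error and is rejected here.
    """
    ids = {r["logical_id"] for r in resources}
    graph: dict[str, set[str]] = {}
    for r in resources:
        deps = find_refs(r.get("properties", {})) | set(r.get("dependencies", []))
        unknown = {d for d in deps if d not in ids and not d.startswith("AWS::")}
        if unknown:
            raise KeyError(f"{r['logical_id']} references unknown resources {sorted(unknown)}")
        graph[r["logical_id"]] = {d for d in deps if d in ids}
    return graph


def topological_order(graph: dict[str, set[str]]) -> list[str]:
    """Kahn's algorithm: dependencies first, ties broken by name so that plans
    are deterministic.  Raises CycleError naming the resources left stuck."""
    indegree = {node: len(deps) for node, deps in graph.items()}
    dependents: dict[str, set[str]] = {node: set() for node in graph}
    for node, deps in graph.items():
        for dep in deps:
            dependents[dep].add(node)
    ready = sorted(node for node, n in indegree.items() if n == 0)
    order: list[str] = []
    while ready:
        node = ready.pop(0)
        order.append(node)
        for child in sorted(dependents[node]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
                ready.sort()
    if len(order) != len(graph):
        stuck = sorted(node for node, n in indegree.items() if n > 0)
        raise CycleError(f"dependency cycle among {stuck}")
    return order


def apply_order(resources: list[dict]) -> list[str]:
    return topological_order(build_graph(resources))


def destroy_order(resources: list[dict]) -> list[str]:
    """Reverse topological order: dependents go before what they depend on."""
    return list(reversed(apply_order(resources)))


# Constructed sample stack (not real infrastructure): a VPC, a subnet and a
# security group in it, and an instance that needs both of the latter.
SAMPLE_STACK = [
    {"type": "AWS::EC2::Instance", "logical_id": "Web", "properties": {
        "SubnetId": {"Ref": "AppSubnet"},
        "SecurityGroupIds": [{"Fn::GetAtt": ["WebSg", "GroupId"]}],
        "ImageId": "ami-00000000"}},
    {"type": "AWS::EC2::SecurityGroup", "logical_id": "WebSg", "properties": {
        "VpcId": {"Ref": "Vpc"}, "GroupDescription": "web"}},
    {"type": "AWS::EC2::Subnet", "logical_id": "AppSubnet", "properties": {
        "VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.1.0/24",
        "AvailabilityZone": {"Ref": "AWS::Region"}}},  # pseudo-parameter, ignored
    {"type": "AWS::EC2::VPC", "logical_id": "Vpc", "properties": {"CidrBlock": "10.0.0.0/16"}},
]

if __name__ == "__main__":
    print("apply:  ", apply_order(SAMPLE_STACK))
    print("destroy:", destroy_order(SAMPLE_STACK))
```

Two security groups that reference each other's GroupId in their inline ingress rules form a cycle; CloudFormation authors break it with separate ingress resources, and a planner of this shape should refuse the cyclic version rather than guess an order.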

Stacks

Flat Resource Collections, Versioned Forever

  • No Stack Configurations

    A stack is a flat, named collection of resources — no opinionated configuration blueprints, no inheritance, no abstract base modules. Each resource is {type, logical_id, properties, physical_id, dependencies, status}. Reuse by copying a stack or authoring via MCP.

  • Import from Live State

    Import an existing AWS-deployed stack by tag, ARN list, or name pattern. Foundry materializes the resources with physical_id attached; subsequent plans on the imported stack produce an empty diff. Bring legacy infrastructure under management with one call.

  • Stack Versioning & Diff

    Each apply creates an immutable stack version snapshot — full resource definitions plus deployment outcome. Diff between any two versions side-by-side. Roll back by re-applying an earlier version.

  • Self-Provisioning System Stack

    Foundry provisions its own infrastructure (ECS service, RDS, Valkey, Step Functions collector, S3 state bucket, EventBridge, IAM roles) using the same machinery it offers users. The system stack is hidden from the normal list and surfaced on a dedicated /system admin page.

Org-Wide Inventory

Every Resource, Every Account, Every Region

  • Org Scan

    Enumerate all member accounts via organizations:ListAccounts, assume a cross-account role into each, and describe every resource of every supported inventory type across 17 regions by default. ~130 resource types tracked — a superset of the ~80 types Foundry can provision.

  • Continuous CloudTrail Pipeline

    An EventBridge-based CloudTrail pipeline (StackSet-deployed across all member accounts) streams resource mutations into Foundry in near real-time. 143 event patterns covering 24 AWS services. Inventory stays fresh between batch scans.

  • Control Tower Integration

    Read landing zone state, enrolled OUs, and guardrail compliance. Inventory Control Tower-provisioned resources (log archive bucket, audit account, etc.) alongside everything else.

  • Daily Batch Scan

    Step Functions orchestrates ECS-task-per-account workers that re-describe every supported type. Backstop for any CloudTrail events that were dropped or never emitted.

Compliance

120 Conformance Packs, One-Click Remediation

  • AWS Config Conformance Packs

    All 120 AWS Config conformance pack templates imported — CIS, PCI-DSS, HIPAA, NIST 800-53, FedRAMP, SOC 2, CMMC, AWS Control Tower Detective Guardrails, Well-Architected pillars. Rules evaluate against Foundry's own live inventory rather than through the AWS Config service.

  • Per-Resource Findings

    Each non-compliant resource shows the rule that failed, the remediation guidance, and a one-click remediation action where safe to automate. Compliance score per pack, per account, per resource.

  • Continuous Re-Evaluation

    Compliance state recomputes whenever the underlying inventory updates. New CloudTrail events trigger immediate rule re-evaluation for affected resources. No waiting for an overnight batch.

Trusted Advisor Parity

Full TA Check Suite, In-House

  • Native Check Implementation

    Every Trusted Advisor check (cost optimization, performance, security, fault tolerance, service limits) implemented in Foundry — not calling support:DescribeTrustedAdvisorChecks, which requires a Business or Enterprise Support plan. Most derive from inventory data plus pricing data plus servicequotas:GetServiceQuota.

  • Findings with Severity

    Each check produces zero or more findings with severity (ok / warning / error), category, affected resources, estimated savings (where applicable), and remediation steps. Surfaced alongside conformance pack findings in a unified view.

  • Service Limit Tracking

    Track usage against every relevant service quota: VPCs per region, EIPs per account, RDS instances, Lambda concurrency, IAM roles, etc. Alert before hitting hard limits, not after.

Cost & Capacity

Pricing, Savings, IP Space

  • AWS Pricing API

    Pricing lookups for every supported resource type. Cost per resource estimated from instance type, region, and usage assumptions. Per-stack, per-account, and per-service cost summaries.

  • Savings Estimates

    Trusted-Advisor-style cost checks surface unused EIPs, idle load balancers, oversized instances, orphaned EBS volumes, and underutilized reserved capacity. Each finding includes a dollar-amount savings estimate.

  • Subnet-Level IP Availability

    For every VPC and subnet in inventory, compute total IPs, available IPs, and IPs in use by ENIs. Catches the IP-exhaustion bugs that take down auto-scaling groups before they happen.

  • Pre-Deploy IP Estimation

    Before applying a stack, estimate the IP footprint (how many ENIs the stack will create per subnet) and warn if any subnet would drop below a configurable threshold of free addresses. The estimate counts against usable addresses, not the raw CIDR size, since AWS reserves five addresses in every subnet.
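
The subnet accounting and the pre-deploy threshold check from the two items above, as an added example that is not Foundry's code. It relies on the documented AWS rule that five IPv4 addresses per subnet are reserved (network address, VPC router, DNS, one reserved for future use, broadcast). The ENI-per-resource-type table, the use of a SubnetId / Subnets property to locate each resource, and the ENI counts on the sample subnets are assumptions for illustration; real footprints depend on the resource's properties (an RDS instance, for instance, is placed via a DB subnet group and a Multi-AZ instance takes an ENI in each subnet).

```python
"""Subnet IP accounting and a pre-deploy footprint check.

Added example, not Foundry's code.  Reserved-address count is AWS's
documented rule; the footprint table and sample data are assumptions.
"""
import ipaddress
from dataclasses import dataclass

AWS_RESERVED_PER_SUBNET = 5

# Hypothetical footprint table: ENIs a resource type consumes on create.
ENI_FOOTPRINT = {
    "AWS::EC2::Instance": 1,
    "AWS::EC2::NatGateway": 1,
    "AWS::RDS::DBInstance": 1,
    "AWS::ElasticLoadBalancingV2::LoadBalancer": 1,  # per subnet it is placed in
}


@dataclass(frozen=True)
class SubnetCapacity:
    subnet_id: str
    cidr: str
    total: int    # raw CIDR size
    usable: int   # total minus the five AWS-reserved addresses
    in_use: int   # addresses held by ENIs in the inventory

    @property
    def available(self) -> int:
        return self.usable - self.in_use


def capacity(subnet_id: str, cidr: str, eni_count: int) -> SubnetCapacity:
    """Compute the capacity row for one subnet from its CIDR and ENI count."""
    net = ipaddress.ip_network(cidr, strict=True)
    total = net.num_addresses
    usable = max(total - AWS_RESERVED_PER_SUBNET, 0)
    if eni_count > usable:
        raise ValueError(f"{subnet_id}: {eni_count} ENIs exceeds {usable} usable addresses")
    return SubnetCapacity(subnet_id, cidr, total, usable, eni_count)


def estimate_footprint(resources: list[dict]) -> dict[str, int]:
    """ENIs the stack would add per subnet, read from SubnetId / Subnets."""
    per_subnet: dict[str, int] = {}
    for r in resources:
        enis = ENI_FOOTPRINT.get(r["type"], 0)
        props = r.get("properties", {})
        subnets = props.get("Subnets") or ([props["SubnetId"]] if "SubnetId" in props else [])
        for s in subnets:
            per_subnet[s] = per_subnet.get(s, 0) + enis
    return per_subnet


def predeploy_check(caps: dict[str, SubnetCapacity], resources: list[dict],
                    threshold: int) -> list[str]:
    """One warning per subnet that would end up below `threshold` free IPs."""
    warnings: list[str] = []
    for subnet_id, needed in estimate_footprint(resources).items():
        cap = caps[subnet_id]
        after = cap.available - needed
        if after < threshold:
            warnings.append(f"{subnet_id} ({cap.cidr}): {cap.available} free now, "
                            f"{needed} needed, {after} after apply (threshold {threshold})")
    return warnings


# Constructed inventory: a /24 app subnet that is nearly full, a /26 data subnet.
CAPS = {
    "subnet-0app": capacity("subnet-0app", "10.0.1.0/24", eni_count=240),
    "subnet-0data": capacity("subnet-0data", "10.0.2.0/26", eni_count=10),
}

# Constructed stack: a NAT gateway and four instances into the app subnet,
# one database into the data subnet.
STACK = [
    {"type": "AWS::EC2::NatGateway", "logical_id": "Nat", "properties": {"SubnetId": "subnet-0app"}},
    *[{"type": "AWS::EC2::Instance", "logical_id": f"Web{i}", "properties": {"SubnetId": "subnet-0app"}}
      for i in range(4)],
    {"type": "AWS::RDS::DBInstance", "logical_id": "Db", "properties": {"SubnetId": "subnet-0data"}},
]

if __name__ == "__main__":
    for cap in CAPS.values():
        print(cap.subnet_id, "total", cap.total, "usable", cap.usable, "available", cap.available)
    for w in predeploy_check(CAPS, STACK, threshold=16):
        print("WARN", w)
```

Run as-is the check flags subnet-0app only: 251 usable, 11 free, 5 needed, 6 left, under a threshold of 16. The /24 reporting 256 addresses is the figure a naive CIDR calculation gives; the 251 is what an auto-scaling group actually has to work with.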

Real-Time Fabric

WebSocket Only

  • Single Bidirectional Socket

    The frontend opens one WebSocket to the backend. All commands, all responses, and all server-push events flow through the same connection. The backend exposes no REST routes for frontend consumption.

  • Live Plan / Apply / Inventory Updates

    Plan progress streams as resources are computed. Apply progress streams as each resource is created / updated / destroyed. Inventory mutations broadcast to every connected client. No polling, no refresh.

  • MCP Tool Surface

    Roughly 60 MCP tools cover stacks, resources, plans, applies, destroys, imports, inventory queries, compliance, Trusted Advisor, cost, IP space, org scan, and diagnostics. Streamable HTTP at /mcp plus a stdio bridge for direct Claude Code registration.

Accessibility

Built for Everyone

  • WCAG 2.1 AA Compliance

    4.5:1 contrast for body text, 3:1 for large text and UI components, in both light and dark themes.

  • Keyboard Navigation

    Every interaction reachable via keyboard. Logical tab order, visible focus indicators, Escape-to-dismiss for modals.

  • Screen Reader Support

    VoiceOver, NVDA, and JAWS tested. Semantic HTML, ARIA labels, live regions for dynamic updates.

  • Reduced Motion

    Respects prefers-reduced-motion. Usable at 200% zoom. Touch targets meet the 44x44 CSS pixel minimum.

How It Works

Author, Plan, Apply, Inventory

  1. Step 1: Author

    Define a stack as a flat list of resources using CloudFormation-shape types and properties. No DSL to learn, no provider plugins to install, no module hierarchy to navigate.

  2. Step 2: Plan

    Foundry computes the dependency graph and diffs desired state against live AWS state. Plan output shows every create, update, replace, and destroy operation, in topological order, before anything happens.

  3. Step 3: Apply

    boto3 executes the plan as a single recorded deployment. Each resource transition streams over the WebSocket. On failure, Foundry attempts a best-effort rollback of the resources it created. The deployment record is immutable: plan, outcome, and per-resource status preserved forever.

  4. Step 4: Inventory & Govern

    Continuous CloudTrail events plus the daily org-wide batch scan keep ~130 resource types fresh across every account and region. Compliance packs, Trusted Advisor checks, and pricing roll-ups recompute automatically on every update.

Technical Specifications

Under the Hood

  • Backend

    • FastAPI (Python 3.12+)
    • FastMCP for the MCP tool surface
    • SQLAlchemy 2.0 async + asyncpg
    • PostgreSQL (shared RDS, dedicated foundry database)
    • Valkey for cache + pub/sub
    • boto3 with FOUNDRY_AWS_ENDPOINT_URL override for local emulator testing
    • structlog + OpenTelemetry instrumentation
  • Frontend

    • React 19 + TypeScript + Vite
    • Single bidirectional WebSocket client — no REST
    • @avian/design-system tokens, components, and Tailwind preset
    • @avian/auth-react 0.1.4 (OIDC via auth.renkara.com)
    • Light and dark mode
  • AWS Integration

    • ~80 provisionable resource types
    • ~130 inventoried resource types
    • AWS Organizations + cross-account assume-role
    • Control Tower landing zone reads
    • EventBridge + CloudTrail event pipeline (143 patterns, 24 services)
    • AWS Pricing API + Service Quotas API
    • 120 conformance pack rule sets
  • Inventory Collector

    • Step Functions orchestration
    • ECS task per account / region
    • EventBridge real-time mutation stream
    • Daily batch backstop
    • Idempotent: re-running yields no diff
    • S3 state bucket for snapshots

Development

100% Built by Claude

Every tool in the Renkara fleet was built by Claude (Anthropic) working alongside a single human supervisor. Every line of code, every test, every deployment: AI-authored with human direction. The leverage factor across the fleet runs in the 20x–50x range, with individual sessions regularly exceeding 100x.

See the daily leverage records for per-task numbers across the full build history.