Public cloud — Infrastructure as Code
Managed Terraform, Ansible, Pulumi, and Crossplane — under one operating model. State management, policy enforcement, plan reviews, and drift detection built in. Stop shipping infrastructure changes from your laptop.
Terraform, Ansible, Pulumi, and Crossplane under one operator.
Locked, versioned, encrypted, backed up. No laptop state files.
Changes don't apply if they violate your guardrails.
If reality diverges from code, you know within the day.
Four managed tools
Different problems want different tools. Terraform for cloud resources, Ansible for configuration on machines, Pulumi when you want IaC in a real programming language, Crossplane when your control plane is already Kubernetes. We operate all four with one consistent workflow on top.
DECLARATIVE · CLOUD-NATIVE · HCL
The default for declarative cloud infrastructure. Providers for every major cloud, SaaS, and internal API. Module library, remote state with locking, and policy enforcement via OPA or Sentinel — all operated by us.
terraform · main.tf
terraform {
backend "intsignal" {
workspace = "prod"
project = "platform"
}
required_providers {
aws = { source = "hashicorp/aws", version = "~> 5.0" }
}
}
module "network" {
source = "intsignal-modules/vpc/aws"
version = "~> 3.2"
name = "prod-vpc"
cidr = "10.0.0.0/16"
azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
flow_logs = true
encryption = "aws-kms"
}CONFIGURATION · AGENTLESS · YAML
Agentless configuration management for OS-level state — package installs, file contents, services, users, security baselines. Plays into your existing inventory (or one we manage) over SSH or WinRM. Useful where Terraform stops and the OS begins.
yaml · harden.yml
# CIS hardening role applied to all production nodes
- name: Apply CIS baseline
hosts: production
become: yes
vars:
cis_level: "2"
audit_log_retention: "90d"
roles:
- role: intsignal.cis_hardening
tags: [hardening, compliance]
- role: intsignal.osquery
tags: [endpoint, monitoring]
- role: intsignal.log_forwarder
vars:
target: logs.intsignal.io
tags: [logging]
handlers:
- name: restart auditd
service: { name: auditd, state: restarted }IMPERATIVE · TYPESAFE · PROGRAMMING LANGUAGE
Infrastructure-as-code in TypeScript, Python, Go, or .NET. Real loops, real abstractions, real package managers, real testing. Best when your platform team wants to write infrastructure the way they write applications.
typescript · index.ts
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
// A loop and a function — try doing this in HCL.
const envs = ["staging", "prod"];
for (const env of envs) {
const vpc = new awsx.ec2.Vpc(`${env}-vpc`, {
cidrBlock: `10.${env === "prod" ? 0 : 1}.0.0/16`,
numberOfAvailabilityZones: 3,
enableDnsHostnames: true,
});
const cluster = new aws.eks.Cluster(`${env}-eks`, {
vpcConfig: { subnetIds: vpc.privateSubnetIds },
version: "1.30",
});
export const [`${env}_endpoint`] = cluster.endpoint;
}KUBERNETES-NATIVE · CONTINUOUS · CONTROL PLANE
Manage cloud infrastructure as Kubernetes resources. Compose your own internal abstractions (Composite Resources) and let app teams consume them with simple YAML. Kubernetes controllers reconcile continuously — closer to a control plane than a one-shot apply.
yaml · composition.yaml
# Compose a "ManagedDatabase" abstraction your devs can use
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
name: manageddatabases.platform.intsignal.io
spec:
group: platform.intsignal.io
names:
kind: ManagedDatabase
plural: manageddatabases
versions:
- name: v1
schema:
openAPIV3Schema:
properties:
spec:
properties:
engine: { type: string, enum: [postgres, mysql] }
size: { type: string }
backup: { type: boolean }
# Dev YAML: kind: ManagedDatabase, engine: postgres, size: largeGitOps · review · apply
Infrastructure changes follow the same workflow as application code: branch, plan, review, merge, apply. The plan is generated, policy-checked, and posted to the pull request before a human ever clicks approve.
Once merged, apply runs against the locked remote state. Output, timing, and diff are recorded as part of the monthly evidence pack. No more "who changed what last week."
State · drift · evidence
Drift detection runs on a schedule and posts an issue when reality diverges from your Git repository. No more discovering during an incident that someone clicked a button in the console six months ago.
Day-two operations
Managed IaC isn't just running terraform apply. It's the boring scaffolding that makes infrastructure changes safe at 3 AM.
STATE MANAGEMENT
Remote state for every workspace, encrypted at rest with KMS, locked during apply to prevent concurrent modifications. Snapshotted nightly to a separate region.
POLICY ENFORCEMENT
OPA-based policy checks run on every plan. Common policies (encryption, public exposure, tagging, change windows) come pre-built; add custom policies for your specific guardrails.
DRIFT DETECTION
Every workspace is plan-only refreshed on schedule. Drift posts to your issue tracker with the diff, the resource, and the suggested action — fix code or fix reality.
MODULE LIBRARY
Internal module registry with vetted patterns for common shapes — VPCs, EKS clusters, RDS instances, observability stacks. Each module is versioned semver, with documented inputs and outputs.
SECRETS
Secrets injected at apply time from HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. State files never contain plaintext credentials. Rotation policy enforced at the source.
AUDIT & EVIDENCE
Plan output, policy results, reviewer, timestamp, and apply log captured per change. Bundled into the monthly evidence pack for SOC 2, ISO 27001, or any other framework you're audited against.
Hardening and operating practices aligned to the frameworks your assessors recognize. intSignal is not the certified entity for most of these — we deliver the controls and evidence that make your audit possible. Where required, we partner with FedRAMP-authorized providers for federal scoping.
HARDENING
Engine hardening with documented exceptions.
SOC 2
Controls and evidence cadence ready for audit.
ISO
Cloud-services control narratives.
HIPAA
Encryption, access, audit; BAA via partner.
FEDERAL
Authorized hyperscaler regions integrated.
DATACENTER
Hosting facility carries its own attestations.
FAQ
If yours isn't here, ask in the consultation — we'd rather flag the awkward bits early than discover them in production.
That depends on the engagement. The base service covers operating the pipeline — state management, policy gates, drift detection, and review workflow. Writing modules for your specific stack can be added as a deeper engagement, or your platform team can author them against our patterns. We're flexible.
Yes. The intSignal IaC service is a managed alternative to those platforms — same workflow (state, plan, policy, apply, drift), operated by us. Migration is straightforward: import your existing state, replicate your policies, point your pipelines at our backend. We've helped customers move off all the major vendors.
Terraform for cloud infrastructure (default, most ecosystem). Pulumi if your team prefers a real programming language and wants to unit-test infrastructure. Ansible for OS-level configuration and machine state. Crossplane if your control plane is already Kubernetes and you want infrastructure as CRDs. Most customers run two or three of them — we operate whichever you pick.
Secrets are pulled from a secrets manager at apply time and never stored in state. We support HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager. State files are encrypted at rest, but the philosophy is "don't put secrets there in the first place."
OPA (Open Policy Agent) is the default. We ship a baseline policy set covering encryption-at-rest, public exposure prevention, tagging, and change-window enforcement. Custom policies are written in Rego and reviewed with your team during onboarding. Sentinel is supported on request for Terraform Enterprise migrations.
Every workspace runs a plan-only refresh on a schedule (configurable, daily by default). If drift is detected, an issue is posted to your tracker with the diff, the affected resource, and the suggested remediation. Drift detection is a deliverable — you'll see drift reports as part of the monthly evidence pack.
Yes — through Crossplane Composite Resources or Terraform/Pulumi modules. We help you design abstractions so app teams request a "ManagedDatabase" or "ProductionVPC" without needing to understand the underlying provider-level resources. The platform team owns the abstraction; app teams consume it.
Tell us what tools you use today, your current pain points, and your compliance constraints. We'll propose a managed IaC setup and walk you through the migration path.