
Crucible IAP
Self-hosted Infrastructure Automation Platform — run, review, and govern your IaC pipelines on your own infrastructure. No per-resource pricing. No plan output leaving your environment.
Crucible IAP v0.9.x is a stable release — actively deployed and battle-tested. Recent additions include per-resource Infracost cost breakdown, per-organisation resource quotas, approval escalation notifications, BYOK with AWS KMS / HashiCorp Vault Transit / Azure Key Vault, multi-org administration, SIEM audit log streaming to Splunk / Datadog / Elasticsearch / Chronicle / Wazuh / Graylog, Bitbucket Cloud + Azure DevOps as first-class VCS providers, compliance policy packs (SOC 2, CIS AWS, HIPAA, PCI-DSS), and a major documentation expansion for IaC newcomers. Commercial licensing and dedicated support tiers are coming soon.
The Problem
Cloud-based IaC platforms are expensive, opaque, and not yours
The major hosted infrastructure automation platforms charge per resource, per run, or per seat — costs that compound fast as your footprint grows. Worse, your plan output, state files, and environment secrets transit their infrastructure, not yours.
Crucible IAP gives you the same automated plan/apply workflows, policy gates, drift detection, and approval queues — running entirely within your own environment, at a cost you actually control.
- 0 third-party plan exposure
- Multi-tool: OpenTofu, Terraform, Terragrunt, Ansible, Pulumi
- Flat cost: no per-run or per-resource fees
- Self-hosted: your infra, your rules
Features
Everything your IaC pipeline needs
Built by engineers who managed infrastructure at scale and grew tired of paying cloud tax for something they could run themselves.
Multi-Tool Stack Management
Manage OpenTofu, Terraform, Terragrunt, Ansible, and Pulumi stacks from a single platform. Define your stack once — branch, root, runner image, and behavior — and let Crucible handle the rest.
Policy-Gated Apply Workflows
Use OPA (Open Policy Agent) to define exactly which plans auto-apply and which require a human review. Store .rego files in a git repo and Crucible syncs them automatically on push — policies reviewed in PRs, version-controlled, and deployed without touching the UI.
Drift Detection & Remediation
Schedule drift checks on any stack. When your live infrastructure diverges from your declared state, Crucible surfaces it immediately — and can auto-remediate if you want it to.
Complete Audit Trail
Every plan, apply, approval, discard, and destroy is recorded with actor, timestamp, and full context. Meet compliance requirements with tamper-evident logs stored in your own object storage.
Self-Hosted, Your Infrastructure
Deploy on your own hardware or cloud account via Docker Compose. Your plan output, your state files, your secrets — none of it touches a third-party platform. Full control, no per-resource pricing.
Secrets & State Management
Built-in AES-256-GCM vault with deployment-unique keys — plus native integrations with AWS Secrets Manager, HashiCorp Vault, Bitwarden, and Vaultwarden. Plan artifacts are HMAC-signed so the apply phase cryptographically verifies nothing was tampered with between plan and apply. S3, GCS, and Azure backends for remote state.
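The signed-artifact check described above, as an added example of the technique rather than Crucible's own code or format: the page says plan artifacts are HMAC-signed and verified at apply time, and this block shows one way to do that so the tag is bound to the run it came from. The message layout, the `run_id`/`tool` context fields, the separate signing key and the sample plan bytes are all this example's assumptions.

```python
"""Plan artifact signing and verification.

Added illustration of the technique, not Crucible's own format: the page says
plan artifacts are HMAC-signed and checked at apply; the message layout,
context fields and key handling here are this example's choices.
"""
import hashlib
import hmac
import json
import os


def _message(run_id: str, tool: str, artifact: bytes) -> bytes:
    # Mix the run id and tool into the signed message so a valid
    # (artifact, tag) pair from another run cannot be substituted at apply.
    # The length prefix keeps the context and the artifact unambiguous.
    ctx = json.dumps({"v": 1, "run_id": run_id, "tool": tool}, sort_keys=True).encode()
    return b"plan-artifact-v1\x00" + len(ctx).to_bytes(4, "big") + ctx + artifact


def sign_artifact(key: bytes, run_id: str, tool: str, artifact: bytes) -> str:
    """HMAC-SHA256 tag over the run context and the raw artifact bytes."""
    return hmac.new(key, _message(run_id, tool, artifact), hashlib.sha256).hexdigest()


def verify_artifact(key: bytes, run_id: str, tool: str, artifact: bytes, tag: str) -> bool:
    """Recompute the tag for the artifact the apply phase is about to use."""
    expected = sign_artifact(key, run_id, tool, artifact)
    # compare_digest is constant-time; a plain == would leak matching prefixes.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Plan, then apply, under three conditions; returns which ones verify."""
    key = os.urandom(32)  # a dedicated signing key, distinct from the vault key
    # Constructed plan bytes standing in for a real plan artifact.
    plan = b'{"resource_changes": [{"address": "aws_instance.web", "change": {"actions": ["create"]}}]}'
    tag = sign_artifact(key, "run-1001", "opentofu", plan)
    tampered = plan.replace(b'"create"', b'"delete"')
    other_tag = sign_artifact(key, "run-1002", "opentofu", plan)  # same bytes, other run
    return {
        "intact": verify_artifact(key, "run-1001", "opentofu", plan, tag),
        "tampered": verify_artifact(key, "run-1001", "opentofu", tampered, tag),
        "substituted": verify_artifact(key, "run-1001", "opentofu", plan, other_tag),
    }


if __name__ == "__main__":
    print(demo())
```

The binding to `run_id` is the part a plain "HMAC over the file" misses: without it, an attacker who can write to the artifact store could replace a reviewed plan with a different, validly signed plan from another run, and the apply phase would accept it.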
Variable Sets
Define a named collection of env vars once and attach it to as many stacks as you need. Eliminates copy-paste across stacks that share provider credentials or feature flags. Values are encrypted at rest with the same vault as stack env vars.
Stack Templates
Save any stack configuration as a reusable template — tool, repo, branch, project root, policies, auto-apply settings, drift schedule. New stacks can be pre-filled from a template in one click, enforcing consistency across your estate.
Notifications & Monitoring
Per-stack Slack, Discord, Microsoft Teams, Gotify, ntfy, and email notifications for plan complete, run succeeded, run failed, and validation status-change events. Embedded Grafana dashboards in the UI show HTTP latency, run throughput, and queue depth — no separate browser tab required.
GitOps — PR Comments & Commit Status
Every push triggers a plan. Crucible posts the result as a PR/MR comment — resource counts, policy outcome, and a link to the run — and sets a commit status check. Works with GitHub, GitLab, Gitea, Gogs, Bitbucket Cloud, and Azure DevOps — including self-hosted instances. HMAC-verified webhooks (ADO uses Basic auth) and a native GitHub App option for cleaner per-installation permissions.
Private Module Registry
A built-in Terraform Module Registry Protocol-compliant registry backed by MinIO. Publish modules via UI upload or automatic git-tag detection. Source them as terraform modules with your own hostname — no Terraform Cloud account needed.
Keyless Cloud Auth via OIDC
Crucible acts as its own OIDC provider. Each run receives a short-lived signed JWT, which the run exchanges for AWS, GCP, or Azure credentials through workload identity federation. No static cloud credentials are stored anywhere. The trust relationship you configure on the cloud side should pin the token's audience and subject claims, so that a token minted for one stack cannot assume a role meant for another.
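What the cloud-side trust policy has to check for keyless auth to be safe, as an added example that is not Crucible's or AWS's code: it replays the claim checks an IAM role trust policy applies to an OIDC token during `AssumeRoleWithWebIdentity`, after signature validation against the issuer's JWKS (assumed already done and not shown). The issuer hostname, the `org:<org>:stack:<stack>:run:<id>` subject layout, and the `prod-network` wildcard pattern are this example's assumptions about how a run token might be scoped, not a description of Crucible's token format.

```python
"""Pinning a run token on the cloud side.

Added illustration, not Crucible's or AWS's code: it replays the claim checks
an IAM role trust policy applies to an OIDC token during
AssumeRoleWithWebIdentity, after signature validation against the issuer's
JWKS (assumed done, not shown). The issuer host, the
'org:<org>:stack:<stack>:...' subject layout and the wildcard pattern are
this example's assumptions about how a run token might be scoped.
"""
import fnmatch
import time

ISSUER_HOST = "crucible.example.com"  # assumed issuer hostname

# Condition block as it would appear in the role's AssumeRolePolicyDocument.
# Without the :sub condition, any token the issuer mints, for any org or stack,
# could assume this role; the :aud condition stops tokens minted for another
# relying party from being replayed against STS.
TRUST_CONDITION = {
    "StringEquals": {f"{ISSUER_HOST}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER_HOST}:sub": "org:acme:stack:prod-network:*"},
}


def _match(op, expected, actual):
    if op == "StringEquals":
        return actual == expected
    if op == "StringLike":
        # IAM supports * and ? wildcards; fnmatch also honours [..], which is
        # harmless for the patterns used here.
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported condition operator: {op}")


def trust_allows(claims, condition=TRUST_CONDITION, now=None):
    """Return (allowed, reason) for decoded token claims against a condition block."""
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://{ISSUER_HOST}":
        return False, "issuer mismatch"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token expired or not yet valid"
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            claim = key.split(":", 1)[1]  # "<host>:sub" -> "sub"
            actual = claims.get(claim)
            if not isinstance(actual, str) or not _match(op, expected, actual):
                return False, f"{op} on {key} failed"
    return True, "ok"


def run_token(stack, run_id, iat=1_700_000_000, ttl_s=300):
    """Constructed claims for a short-lived run token (signature omitted)."""
    return {
        "iss": f"https://{ISSUER_HOST}",
        "sub": f"org:acme:stack:{stack}:run:{run_id}",
        "aud": "sts.amazonaws.com",
        "nbf": iat, "iat": iat, "exp": iat + ttl_s,
    }


if __name__ == "__main__":
    t = 1_700_000_000 + 60
    print(trust_allows(run_token("prod-network", 1), now=t))
    print(trust_allows(run_token("dev-sandbox", 2), now=t))
```

The check that matters most is the subject pattern: a trust policy that only pins `aud` lets every stack on the same Crucible instance assume the production role, which turns one compromised dev stack into production access.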
Stack Dependency Graph
Define upstream and downstream relationships between stacks. A successful apply on an upstream stack automatically triggers the downstream run queue — with cycle detection built in. Coordinate multi-stack deployments without custom scripting.
Scheduled Runs
Set cron expressions on any stack for automatic plan, apply, or destroy runs independent of code pushes. Pairs with drift detection and environment TTL to keep dev environments clean without manual intervention.
PR Preview Environments
Automatically create a stack from a template when a PR opens and destroy it when the PR closes. Branch name drives workspace isolation — full per-PR environments with zero manual setup. Pairs with stack dependencies for complete environment chains.
AI-Assisted Troubleshooting
One-click "Explain failure" on any failed run. Crucible sends the failed run's log context to the Claude API and returns a structured root-cause explanation with a suggested fix. The feature is opt-in and uses your own API key; nothing is sent unless you click, and what is sent is the log context of that run.
IaC Security Scanning
Built-in Checkov and Trivy scan runs post-plan. Findings surface as structured results in the run detail alongside OPA policy output. Configure a severity threshold to block apply on critical findings — shift security left without a separate pipeline.
OPA Policy Test Playground
A live policy sandbox built into the UI. Select any saved policy, paste synthetic plan JSON, run it, and see allow/deny/warn/trigger results with an optional OPA evaluation trace. Test policy changes before they gate real runs — no toolchain required.
Compliance Policy Packs
Pre-built OPA policy bundles for SOC 2, CIS AWS Foundations, HIPAA, and PCI-DSS — ready to attach to any stack in two clicks. Each pack ships as a git-backed policy source so your team can review, extend, or override individual rules via PR.
Continuous Validation
Set a per-stack validation interval and Crucible will periodically re-evaluate your OPA policies against the current live Terraform state — independent of runs. Status changes trigger notifications immediately, so drift from compliance doesn't wait for the next plan.
Plan Diff Between Runs
Compare the resource changes of any two runs side by side. Instantly see what was added, changed, or removed between a plan and its predecessor — invaluable for auditing why a later run touched more resources than expected.
ChatOps Approvals
Approve or discard pending runs directly from Slack or Microsoft Teams — without opening the UI. Crucible posts an interactive approval card with the plan summary; one button press confirms or rejects the run, and the audit log records who acted.
Budget Alerts & Plan Thresholds
Set resource-count or cost-delta thresholds on any stack. When a plan exceeds the threshold — more than N resources changed, or Infracost delta above $X — Crucible fires a budget alert before apply and can block auto-apply for human review.
In-App Run Analytics
Per-stack and org-wide analytics built into the dashboard — run counts, success/failure rates, median duration, and plan-to-apply latency over rolling windows. No external analytics service required; data lives in your PostgreSQL instance.
Terragrunt Support
Run Terragrunt projects as first-class Crucible stacks. Crucible invokes terragrunt plan/apply inside the correct working directory, resolves includes automatically, and surfaces structured output — same approval flow, same policy gates, same audit trail as native Terraform.
Per-Resource Cost Breakdown
Every run with an Infracost API key gets a per-resource cost table on the run detail page — see exactly which resources are adding to (or subtracting from) your monthly spend, sorted by the biggest movers. Beyond the existing aggregate cost delta, you can now answer 'which resource cost us the extra $400 this month?' without leaving Crucible.
Per-Org Resource Quotas
Cap concurrent runs at the organisation level — essential for shared / MSP deployments where any one org could otherwise monopolise the worker queue. New runs that would exceed the cap return HTTP 429 with a descriptive message; the webhook delivery log records the rejection so missed triggers stay visible. Scheduled drift / TTL / auto-remediation jobs bypass the cap by design.
Approval Escalation
Runs that sit in unconfirmed or pending_approval longer than a per-stack threshold fire a one-time ⏰ escalation through the stack's existing notification channels (Slack, Discord, Teams, Gotify, ntfy, email). Race-safe: two workers can't double-fire. Useful for paging on-call when an apply has been waiting too long for human action.
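The "two workers can't double-fire" property above, as an added example of the technique and not Crucible's code: a conditional `UPDATE` acts as an atomic compare-and-set, so of any number of workers that notice the same overdue run, exactly one gets `rowcount == 1` and sends the notification. The table layout, the `run-42` sample and the `applied` state name are this example's assumptions; the two escalatable states come from the page.

```python
"""One-time escalation that two workers cannot double-fire.

Added illustration of the race-safety technique, not Crucible's code: a
conditional UPDATE acts as an atomic compare-and-set, so only the worker
whose statement finds escalated_at still NULL gets rowcount == 1. The table
layout and the 'run-42' sample are this example's assumptions; the two
run states come from the page.
"""
import os
import sqlite3
import tempfile
import threading

ESCALATABLE_STATES = ("unconfirmed", "pending_approval")

DDL = (
    "CREATE TABLE IF NOT EXISTS runs ("
    "  id TEXT PRIMARY KEY,"
    "  status TEXT NOT NULL,"
    "  waiting_since REAL NOT NULL,"  # epoch seconds the run entered its state
    "  escalated_at REAL)"            # NULL until exactly one worker claims it
)


def try_escalate(conn, run_id, threshold_s, now):
    """Claim the escalation for run_id; True only for the single worker that won."""
    cur = conn.execute(
        "UPDATE runs SET escalated_at = ?"
        " WHERE id = ? AND escalated_at IS NULL"
        "   AND status IN (?, ?) AND ? - waiting_since >= ?",
        (now, run_id, *ESCALATABLE_STATES, now, threshold_s),
    )
    conn.commit()
    return cur.rowcount == 1


def _fresh_db(status="pending_approval"):
    """Constructed single-run database; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "runs.db")
    conn = sqlite3.connect(path)
    conn.execute(DDL)
    conn.execute("INSERT INTO runs VALUES (?, ?, ?, NULL)", ("run-42", status, 0.0))
    conn.commit()
    conn.close()
    return path


def race(workers=4, threshold_s=900.0):
    """Several workers race for the same overdue run; returns how many fired."""
    path = _fresh_db()
    wins, lock = [], threading.Lock()

    def worker():
        conn = sqlite3.connect(path, timeout=10)  # each worker has its own connection
        won = try_escalate(conn, "run-42", threshold_s, now=threshold_s + 1.0)
        conn.close()
        with lock:
            wins.append(won)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(wins)


def fires_too_early(threshold_s=900.0):
    """A run that has not yet waited threshold_s must not be escalated."""
    conn = sqlite3.connect(_fresh_db())
    try:
        return try_escalate(conn, "run-42", threshold_s, now=threshold_s - 1.0)
    finally:
        conn.close()


def fires_in_wrong_state(threshold_s=900.0):
    """A run no longer waiting on a human is not escalated, however old it is."""
    conn = sqlite3.connect(_fresh_db(status="applied"))
    try:
        return try_escalate(conn, "run-42", threshold_s, now=threshold_s + 1.0)
    finally:
        conn.close()


if __name__ == "__main__":
    print("workers that fired:", race())
```

The claim is committed before the notification is sent, which is the safe order for "at most once": if the send then fails, the escalation is lost rather than duplicated, so a real worker should either clear `escalated_at` on a send failure or record delivery attempts separately.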
BYOK — Bring Your Own Key
Wrap Crucible's internal vault master key with a key from your own KMS — AWS KMS, HashiCorp Vault Transit, or Azure Key Vault. The KMS key never leaves your KMS; Crucible unwraps the master key once at boot and holds it only in process memory. Online rotation of the master key re-encrypts every vault row in a single transaction with no restart required.
SIEM Audit Log Streaming
Forward every audit event in near-real-time to your SIEM of choice — Splunk HEC, Datadog Logs, Elasticsearch, generic webhook, GCP SecOps / Chronicle, Wazuh, or Graylog (GELF). Each destination's config is stored vault-encrypted; delivery is best-effort with retries and a delivery log for missed events, so the audit trail in your own object storage remains the system of record.
Multi-Org Administration
Host many organisations on a single Crucible deployment — designed for MSPs and shared platform teams. Instance admins create, archive, and restore orgs from a dedicated admin panel; an opt-in MSP mode disables auto-creation of personal orgs so users must be invited to an existing org first.
Documentation
Get up and running fast
Hands-on guides covering deployment, cloud auth, team setup, and every IaC tool Crucible supports.
Quickstart
Deploy Crucible and run your first plan in under an hour.
Deploy on AWS (ECS)
Production deployment: ECS Fargate for the API, EC2 for the worker, RDS, S3, ALB.
Deploy on GCP (Cloud Run)
Production deployment: Cloud Run for the API, Compute Engine for the worker, Cloud SQL, GCS.
Deploy on Azure (Container Apps)
Production deployment: Container Apps for the API, Azure VM for the worker, PostgreSQL Flexible Server, Blob Storage.
AWS OIDC
Keyless AWS credentials via workload identity federation.
GCP OIDC
Keyless Google Cloud credentials for your Terraform runs.
Azure OIDC
Keyless Azure credentials via federated workload identity.
Stack Dependencies
Wire stacks together so upstream applies trigger downstream runs.
Drift Detection
Schedule checks and auto-remediate config drift.
Run Hooks
Per-stack pre/post-plan and pre/post-apply bash scripts.
Team Setup
Invite members, configure SSO, and set org-level policies.
Ansible
Check → confirm → apply lifecycle for Ansible playbooks.
Pulumi
Preview → confirm → up lifecycle for Pulumi programs.
Remote State
Cross-stack terraform_remote_state with scoped access tokens.
Cloudflare
Manage Cloudflare infra as code — bootstrap with cf-terraforming, OPA policies.
Migrate from Spacelift
Concept mapping, state migration options, and a working Cloudflare example.
Provider Registry
Distribute private Terraform providers — air-gapped deployments, GPG signing.
Stack Templates
Reusable stack configs with pre-filled defaults for your platform teams.
Blueprints
Self-service infrastructure — publish a form, app teams deploy in one click.
Policy GitOps
Store .rego files in a git repo, Crucible syncs on push. Webhook setup, mirror mode, type inference.
Operator Guide
Production hardening, backups, upgrades, and monitoring.
Terragrunt
Run Terragrunt stacks — includes, root-level config, and multi-module pipelines.
Compliance Packs
Attach SOC 2, CIS AWS, HIPAA, or PCI-DSS policy bundles to any stack.
Continuous Validation
Schedule periodic OPA re-evaluation against live state — outside the run lifecycle.
ChatOps Approvals
Approve or discard pending runs from Slack or Microsoft Teams.
IaC 101 — Beginner's Intro
New to Infrastructure as Code? Plan / apply / state explained, and why Crucible vs raw Terraform.
Glossary
Every Crucible + Terraform / Pulumi / Ansible / OPA / VCS term in one place.
Troubleshooting
User-facing errors and fixes — plan failed, state locked, policy denied, webhook silent, OIDC loop, drift.
The crucible CLI
Trigger runs, check status, approve, and discard from your terminal — built for scripting and CI.
Projects
Hierarchical org → project → stack model with per-project RBAC for multi-team deployments.
Variable Sets
Reusable bundles of env vars attached to many stacks at once — credentials, monitoring tokens, shared tags.
Tags
Color-coded stack labels for filtering, grouping, and policy-driven approval gates.
External Secret Stores
Fetch secrets from AWS Secrets Manager, HashiCorp Vault, Bitwarden SM, or Vaultwarden at run time.
DigitalOcean
API token, Droplet provisioning, Spaces as state backend, cost-control and tag-required policies.
Hetzner Cloud
hcloud token, ARM vs x86 sizing notes, EU-only datacentre policy, brief Hetzner Robot coverage.
Kubernetes & Helm
Cluster-vs-workload stack split, three auth options, Helm release patterns, CRD gotchas.
GitHub Actions
Trigger Crucible runs from workflows — build-and-deploy chains, PR-preview cleanup, workflow_dispatch.
Migrate from Terraform Cloud
Concept mapping, state pull and upload, Sentinel → Rego translation, cut-over procedure.
In Action
See Crucible IAP at work
A clean, focused interface that gets out of the way and lets your team ship infrastructure confidently.
How It Works
From commit to applied — with guardrails
Connect Your Repo
Point Crucible at a Git repository, branch, and working directory. Choose your IaC tool and configure runtime behavior — auto-apply, drift schedule, custom runner image.
Plan on Every Push
Commits trigger a plan automatically. OPA evaluates the result against your policies — low-risk changes apply automatically, significant ones queue for human review.
Review, Approve, Apply
Reviewers see the full plan output before confirming. Every decision is logged. Applied changes stream live to the run view. Drift checks run on your schedule.
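The plan-gate decision that the Policy-Gated Apply Workflows feature and the "Plan on Every Push" step above both describe, as an added example that is not Crucible's code: Crucible's gate is an OPA policy written in Rego, and this Python mirrors the kind of decision such a policy makes over the real `resource_changes[].change.actions` layout of `terraform show -json` output. The protected and review-worthy type lists, the decision names `auto_apply`/`review`/`deny`, and the sample plan are this example's own.

```python
"""Plan gate over Terraform / OpenTofu plan JSON.

Added illustration, not Crucible's code: Crucible's gate is an OPA policy in
Rego, and this Python mirrors the kind of decision such a policy makes, using
the real `resource_changes[].change.actions` layout of `terraform show -json`.
The type lists and the decision names below are this example's own.
"""

# Types whose destruction this example never auto-approves.
PROTECTED_TYPES = {"aws_db_instance", "aws_rds_cluster", "aws_s3_bucket"}
# Types where any change goes to a human reviewer.
REVIEW_TYPES = {
    "aws_iam_role", "aws_iam_policy", "aws_iam_role_policy_attachment",
    "aws_security_group", "aws_security_group_rule",
}


def gate(plan: dict) -> dict:
    """Return {'decision': 'auto_apply'|'review'|'deny', 'reasons': [...]}.

    Terraform encodes a replacement as ["delete", "create"] or
    ["create", "delete"], so checking for 'delete' in the action set also
    catches replacements, which destroy the old resource.
    """
    decision, reasons = "auto_apply", []
    for rc in plan.get("resource_changes", []):
        actions = set(rc.get("change", {}).get("actions", []))
        if actions <= {"no-op", "read"}:
            continue  # nothing is modified in the cloud
        rtype, addr = rc["type"], rc["address"]
        if "delete" in actions and rtype in PROTECTED_TYPES:
            reasons.append(f"deny: {addr} would be destroyed")
            decision = "deny"
        elif "delete" in actions or rtype in REVIEW_TYPES:
            reasons.append(f"review: {addr} actions={sorted(actions)}")
            if decision != "deny":
                decision = "review"
    return {"decision": decision, "reasons": reasons}


# Constructed sample in the shape of `terraform show -json plan.out` output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"]}},
        {"address": "aws_iam_role.deploy", "type": "aws_iam_role",
         "change": {"actions": ["update"]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["no-op"]}},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(gate(SAMPLE_PLAN), indent=2))
```

The replacement case is the one worth testing before a policy gates real runs: a change that looks like an in-place update in the human-readable plan can be a destroy-and-recreate in the JSON, and a gate that only keys on a bare `delete` action will auto-apply it.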
Built for every stakeholder
Technical depth for the engineers running it. Clear outcomes for the leaders funding it.
For Engineers
- OpenTofu, Terraform, Terragrunt, Ansible, and Pulumi — all supported
- OPA policies in Rego — testable, version-controlled, PR-reviewed
- Compliance policy packs — SOC 2, CIS AWS, HIPAA, PCI-DSS in two clicks
- Continuous validation — periodic OPA checks against live state, not just on runs
- Live streaming run logs with auto-scroll and download
- Variable sets, secret store injection, remote state references
- External secret stores — AWS Secrets Manager, HashiCorp Vault, Bitwarden SM, Vaultwarden
- BYOK — wrap vault master key with AWS KMS, HashiCorp Vault Transit, or Azure Key Vault
- HMAC-signed plan artifacts — cryptographic tamper detection
- Keyless cloud auth — OIDC workload identity for AWS, GCP, Azure
- Private module registry — full Terraform Registry Protocol
- PR/MR comments and commit status on every plan
- First-class VCS support — GitHub, GitLab, Gitea, Gogs, Bitbucket Cloud, Azure DevOps
- ChatOps approvals — approve or discard runs from Slack or Teams
- Approval escalation — one-time on-call notification when runs sit too long
- Plan diff between runs — compare resource changes across any two runs
- Custom runner images — bring your own toolchain
- Scheduled runs — cron expressions per stack, independent of pushes
- External worker agents — run jobs on your own servers at any scale
- PR preview environments — auto-create on open, auto-destroy on close
- AI failure explanation — one-click root cause via Claude API (opt-in)
- IaC security scanning — Checkov / Trivy post-plan with severity gates
- Cost estimation — per-run Infracost delta alongside plan output
- Per-resource cost breakdown — see exactly which resources drive your monthly spend
- Budget alerts — block auto-apply when resource or cost delta exceeds threshold
- Per-org concurrent-run quotas — protect shared deployments from any one org
- In-app run analytics — success rates, durations, and throughput per stack
- Stack locking — block new runs during incidents or manual changes
- Fine-grained RBAC — per-stack viewer/approver in addition to org roles
- Projects — hierarchical org → project → stack model with per-project RBAC
- Multi-org administration — host many tenants on a single deployment (MSP mode)
- Service account API tokens — machine credentials for CI pipelines
- SSO via any OIDC provider (Authentik, Okta, Keycloak), plus GitHub sign-in
- SIEM streaming — Splunk, Datadog, Elasticsearch, Chronicle, Wazuh, Graylog, generic webhook
- Slack, Discord, Teams, Gotify, ntfy, and email notifications
- Docker Compose deployment — running in under an hour
- Open source — read it, fork it, contribute back
For Leadership
- No per-resource or per-run fees — predictable infrastructure cost
- Plan output and state never leave your environment
- No static cloud credentials — OIDC workload identity federation
- BYOK — vault master key wrapped by your own KMS (AWS / Vault / Azure), online rotation
- Plan artifacts cryptographically signed — apply verifies nothing changed
- Approval gates before significant changes apply — including ChatOps from Slack/Teams
- Approval escalation surfaces stuck runs to on-call before they auto-expire
- Budget alerts block auto-apply when cost or resource delta exceeds your threshold
- Per-resource cost attribution — see exactly which resources are driving spend
- Per-org concurrent-run quotas protect shared / MSP deployments from runaway tenants
- Full audit trail — who, what, when for every infra change
- SIEM streaming — every audit event fan-out to Splunk / Datadog / Elasticsearch / Chronicle / Wazuh / Graylog
- Drift detection surfaces config debt before it becomes an incident
- Continuous validation — scheduled OPA checks against live state, independent of runs
- Compliance policy packs for SOC 2, CIS AWS Foundations, HIPAA, and PCI-DSS
- IaC security scanning gates apply on critical Checkov/Trivy findings
- Cost estimation per run — see monthly delta before applying
- In-app run analytics — visibility into deployment frequency, failure rates, and lead time
- PR preview environments auto-destroy on merge — no dev environment sprawl
- AI-assisted failure explanation reduces mean time to resolution
- Stack locking prevents runs during manual changes or incidents
- Multi-org administration — host many teams or clients on one deployment with isolated RBAC
- SSO group → role mapping eliminates manual user provisioning at scale
- Beginner-friendly documentation — IaC 101, glossary, and troubleshooting guides for new hires
- Embedded Grafana dashboards — no extra monitoring tool to buy
- Production ready — commercially supported tiers coming soon
Technology
Boring technology, in the best possible way
Proven, battle-tested open-source components your team already knows how to operate, monitor, and secure.
Community (available today)
Free to deploy, forever open source. Full access to all features, always.
- All core features
- SSO via any OIDC provider
- Community support via GitHub
- AGPL-3.0 license
Professional (coming soon)
For teams needing SLA response times, assisted onboarding, and priority features.
- Everything in Community
- Email & Slack support
- SLA response guarantee
- Assisted onboarding
Enterprise (coming soon)
For orgs with complex compliance needs, custom integrations, and dedicated support.
- Everything in Professional
- Custom policy development
- SAML integration
- SSO/OIDC integration assistance
- Dedicated support engineer
- Custom SLA
Own your infrastructure pipeline — all of it
Crucible IAP is open source and free to deploy today. Built and supported by Forged in Feathers Technology.
