Internal Developer Platform
We build a custom self-service platform for your engineering team — trigger Terraform, Pulumi, Terragrunt, or GitHub Actions directly from a browser, with real-time logs, approval workflows, RBAC, and a full audit trail.
Like Spacelift or env0 — but built for your stack, running on your infrastructure, owned by you.
Workspaces
staging-infra
⚠ Drift detected — 3 resources changed outside Terraform
```text
$ terragrunt run-all plan --terragrunt-non-interactive
✓ Initializing modules...
✓ Refreshing state...
~ aws_security_group.api_sg (1 change)
~ aws_ecs_service.backend (tags updated)
- aws_s3_bucket.temp_upload (will be destroyed)
Plan: 0 to add, 2 to change, 1 to destroy.
```
Core features
What we build into every platform — based on what engineering teams actually need.
One-click Infrastructure Actions
Trigger Terraform plan/apply, Terragrunt run-all, Pulumi up, or any GitHub Actions workflow directly from the browser. No CLI access required for developers.
- Terraform plan preview before apply
- Terragrunt multi-stack orchestration
- Pulumi Automation API integration
- GitHub Actions / GitLab CI manual trigger
- Custom action buttons per environment (dev / staging / prod)
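A worked example of the plan-preview step, added here and not code from the platform: it parses the condensed plan output shown above (a constructed sample; only the `Plan:` summary line matches real Terraform output verbatim), cross-checks that summary against the per-resource lines, and decides whether the run may auto-apply or must wait at the approval gate. The policy thresholds and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the condensed plan output shown on this page.
SAMPLE_PLAN = """\
✓ Initializing modules...
✓ Refreshing state...
~ aws_security_group.api_sg (1 change)
~ aws_ecs_service.backend (tags updated)
- aws_s3_bucket.temp_upload (will be destroyed)
Plan: 0 to add, 2 to change, 1 to destroy.
"""

ACTION_PREFIX = {"+ ": "add", "~ ": "change", "- ": "destroy"}
SUMMARY_RE = re.compile(r"Plan: (\d+) to add, (\d+) to change, (\d+) to destroy\.")

@dataclass
class PlanSummary:
    add: int = 0
    change: int = 0
    destroy: int = 0
    resources: dict = field(default_factory=dict)  # resource address -> action
    consistent: bool = False  # summary line agrees with the per-resource lines

def parse_plan(text: str) -> PlanSummary:
    """Collect per-resource actions and the summary counts from plan output."""
    s = PlanSummary()
    seen_summary = False
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            s.add, s.change, s.destroy = map(int, m.groups())
            seen_summary = True
        elif line[:2] in ACTION_PREFIX:
            s.resources[line[2:].split(" ", 1)[0]] = ACTION_PREFIX[line[:2]]
    counted = [sum(1 for a in s.resources.values() if a == k) for k in ("add", "change", "destroy")]
    # A truncated or edited log is never trusted: the counts must match the summary line.
    s.consistent = seen_summary and counted == [s.add, s.change, s.destroy]
    return s

def gate(s: PlanSummary, environment: str) -> str:
    """Hypothetical policy: returns 'auto_apply', 'approval_required' or 'blocked'."""
    if not s.consistent:
        return "blocked"  # refuse to act on a plan whose summary cannot be cross-checked
    if environment == "prod" and (s.add or s.change or s.destroy):
        return "approval_required"  # every prod mutation goes through the approval gate
    if environment != "dev" and s.destroy:
        return "approval_required"  # destroys outside dev always need a second person
    return "auto_apply"
```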
Real-time Log Streaming
WebSocket-streamed logs from CI runners, Terraform runs, and Kubernetes pods. No more SSH-ing into servers or checking CI dashboards in another tab.
- WebSocket live log tail (no page refresh)
- ANSI color support for Terraform / shell output
- Log persistence — review historical runs
- Download logs as plain text
- Search & filter within log stream
Approval Gates & RBAC
Production actions require explicit approval. Fine-grained role-based access: developers can plan but not apply to prod. Full approval workflow with comments.
- Multi-level approval: dev → staging → prod
- RBAC: Viewer / Operator / Admin / Owner
- SSO integration (Google, GitHub OAuth, SAML)
- Approval timeout with auto-reject
- Slack notification for pending approvals
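An added example, not the platform's own code, of how the RBAC and approval rules above can be expressed: a deny-by-default role check per environment and action, and a prod apply that only runs once a different admin has approved it within the timeout. The role thresholds, the 30-minute timeout and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Roles from the page, ranked by privilege.
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2, "owner": 3}

# Minimum role per (environment, action). Hypothetical policy constructed for this example:
# operators plan everywhere and apply below prod; prod apply needs admin plus a second person.
MIN_ROLE = {
    ("dev", "plan"): "operator", ("dev", "apply"): "operator",
    ("staging", "plan"): "operator", ("staging", "apply"): "operator",
    ("prod", "plan"): "operator", ("prod", "apply"): "admin",
}
NEEDS_APPROVAL = {("prod", "apply")}
APPROVAL_TIMEOUT_S = 30 * 60  # pending requests auto-reject after 30 minutes

@dataclass
class ApprovalRequest:
    requester: str
    env: str
    action: str
    created: float  # unix seconds
    approver: Optional[str] = None

def can(role: str, env: str, action: str) -> bool:
    """Pure RBAC check; unknown roles or (env, action) pairs are denied by default."""
    need = MIN_ROLE.get((env, action))
    return need is not None and ROLE_RANK.get(role, -1) >= ROLE_RANK[need]

def approve(req: ApprovalRequest, approver: str, approver_role: str, now: float) -> bool:
    """Record an approval; refused for self-approval, insufficient role or an expired request."""
    if approver == req.requester or not can(approver_role, req.env, req.action):
        return False
    if now - req.created > APPROVAL_TIMEOUT_S:
        return False
    req.approver = approver
    return True

def authorize(req: ApprovalRequest, requester_role: str, now: float) -> str:
    """Decide whether the run may execute: 'allow', 'pending' or 'deny'."""
    if not can(requester_role, req.env, req.action):
        return "deny"
    if (req.env, req.action) not in NEEDS_APPROVAL:
        return "allow"
    if now - req.created > APPROVAL_TIMEOUT_S:
        return "deny"  # auto-reject: a stale request is never executed, approved or not
    return "allow" if req.approver else "pending"
```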
Real-time Status Dashboard
Single pane of glass for all environments. See what's running, what's drifted, what's pending approval — without opening 5 different tools.
- Environment health: Healthy / Drifted / Locked / Deploying
- Resource diff: current state vs desired state
- Terraform state drift detection
- Kubernetes workload status per namespace
- Cost delta per infrastructure change
Full Audit Trail
Every action logged — who triggered what, when, from where, with what result. Immutable audit log for compliance (SOC2, ISO27001).
- Immutable event log per workspace
- Actor: user, SSO identity, or service account
- Before/after state for every apply
- Exportable to SIEM (Datadog, Splunk, Elastic)
- Compliance report generation
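An added illustration, not the platform's implementation, of what makes the event log tamper-evident: every entry is hashed together with the previous entry's hash, so editing or deleting an earlier record breaks the chain on verify. The AuditLog class, its field names and the three sample events are constructed for this example.

```python
import hashlib
import json
from typing import Any, Dict, List

GENESIS = "0" * 64  # prev-hash of the first entry

def _digest(prev_hash: str, event: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes the same.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

class AuditLog:
    """Append-only, hash-chained event log for one workspace (constructed for this example)."""

    def __init__(self, workspace: str):
        self.workspace = workspace
        self.entries: List[Dict[str, Any]] = []

    def append(self, actor: str, action: str, env: str, result: str, **extra: Any) -> str:
        """Record who did what, where and with what result; returns the new head hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event = {"seq": len(self.entries), "workspace": self.workspace, "actor": actor,
                 "action": action, "env": env, "result": result, **extra}
        self.entries.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
        return self.entries[-1]["hash"]

    def head(self) -> str:
        """Current chain head; export it out-of-band (e.g. to the SIEM) to pin the log."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["event"]["seq"] != i or _digest(prev, e["event"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

def build_sample_log() -> AuditLog:
    """Constructed sample: three events for the staging-infra workspace shown on this page."""
    log = AuditLog("staging-infra")
    log.append("alice", "plan", "staging", "ok", ts=1700000000, source_ip="10.0.0.5")
    log.append("bob", "approve", "staging", "ok", ts=1700000060, run=1)
    log.append("alice", "apply", "staging", "failed", ts=1700000120, run=1)
    return log
```

Dropping the newest entry still verifies, which is why the head hash is exported to the SIEM: a stored head that no longer matches the log reveals the truncation.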
Notifications & Alerts
Slack, email, or webhook notifications for every state change. Alert on drift, failed apply, pending approval, or cost spike.
- Slack bot with approve/reject buttons inline
- Email digest for daily run summary
- Webhook integration for custom systems
- PagerDuty alert on failed production apply
- Drift detection notification on schedule
Architecture
Self-hosted on your Kubernetes cluster. No SaaS dependency. You own everything.
Frontend
Next.js App Router with real-time WebSocket. Terminal emulator for log streaming. Dark-mode dashboard UI.
Backend API
Stateless REST + WebSocket API. Connects to GitHub, GitLab, Terraform Cloud, Pulumi Cloud, or self-hosted runners.
Runner Layer
Self-hosted GitHub Actions runners or custom runner pods in Kubernetes. Isolated per workspace. Ephemeral — no shared state between runs.
IaC Execution
Terraform, Terragrunt, Pulumi run inside isolated containers. State backend (S3 + DynamoDB) per workspace. Secrets injected at runtime via Vault.
State & Storage
PostgreSQL for platform state, run history, RBAC. Redis for real-time pub/sub log streaming. S3 for log archive and artifact storage.
Auth & Access
SSO via OAuth2 (GitHub, Google, Okta). Fine-grained RBAC per workspace and environment. All API calls authenticated with short-lived JWT.
Request flow
Integrations
Works with your existing tools. Not the other way around.
- IaC Tools
- CI Platforms
- Cloud Providers
- Secret Backends
- Notifications
- Auth Providers
- State Backends
- Observability
Common use cases
Dev team self-service
Developers provision their own feature environments (DB, Redis, app stack) with one click. No waiting for DevOps. Auto-destroyed after 24h.
Controlled production changes
Infrastructure changes require plan review + approval from team lead. Applied with real-time log visibility. Full rollback if needed.
Multi-cloud orchestration
Manage AWS, GCP, and Azure resources from a single platform. Unified RBAC, unified audit log, unified cost visibility.
Compliance & audit
SOC2 / ISO27001 requirement: every infrastructure change must be logged, attributed to a human, and reviewable. IDP gives you that out of the box.
On-call runbook automation
On-call engineer hits 'Restart service' or 'Scale up' directly from the dashboard at 3am. No SSH, no elevated permissions on the local machine.
Cost-gated deployments
Show the cost delta of a Terraform plan before apply. Engineers see 'This change will add $120/month' and decide accordingly.
Custom IDP vs SaaS alternatives
| Option | Pros | Cons |
|---|---|---|
| Spacelift | Feature-rich, mature | Expensive ($$$), no customization, vendor lock-in |
| Atlantis | Open source, simple | PR-only workflow, no UI, limited to Terraform/Tofu |
| env0 | Good UI, cost tracking | SaaS-only, limited self-host, pricing scales fast |
| Custom IDP (us) | Fully owned, customized to your workflow, integrates with your existing tools, one-time build cost | Requires initial investment to build |
Questions
How long does it take to build?
A core IDP (trigger runs, real-time logs, RBAC, audit trail) takes 6–10 weeks. Full-featured with all integrations takes 3–4 months. We scope it to what you actually need — not everything at once.
Can we self-host this?
Yes. Everything runs on your Kubernetes cluster. No SaaS dependency. You own the code, the data, and the infrastructure.
How does real-time log streaming work?
Runner jobs publish log lines to Redis Pub/Sub. The backend subscribes and streams to the browser via WebSocket. No polling, no page refresh — you see logs appear in real time like a terminal.
What if Terraform apply fails halfway?
The platform shows the exact point of failure in the log, captures the Terraform state, and offers a rollback action. The run is marked failed with the full diff of what was applied vs what wasn't.
Can we start small and expand later?
Yes. Most teams start with trigger + real-time logs + basic RBAC, then add approval gates, drift detection and cost tracking as they mature. We build it modularly.
Do you maintain it after building?
Optional. We offer a retainer to maintain and evolve the platform. Or we do full knowledge transfer so your team can own it independently.
Interested in a custom platform?
Book a discovery call. We'll understand your workflow, show you what a minimal viable IDP looks like for your team, and scope the build.
30 min · Free · No commitment