Apache-2.0
KRM/Protobuf/Buf
Pulumi/OpenTofu
CLI-first
CI/CD-ready

Open‑Source Multi‑Cloud
Infrastructure Framework

Author KRM‑style YAML once, validate with Protobuf + Buf ProtoValidate, then execute with Pulumi or OpenTofu. Consistent APIs across AWS, GCP, Azure, and Kubernetes—no provider‑specific yak‑shaving.

Define once.Deploy anywhere.

Why ProjectPlanton?

Built for DevOps engineers, platform teams, and infrastructure architects who need consistency across clouds

One model, many clouds

A single CloudResourceKind enum and provider‑specific APIs (e.g., AwsStaticWebsite, GcpGkeCluster, AzureAksCluster, RedisKubernetes) with the same KRM‑style shape: apiVersion, kind, metadata, spec, status.

Validation & sane defaults

Field‑level rules via Buf ProtoValidate; default/recommended_default options and message‑level CEL guardrails; manifests fail fast with clear errors before any provisioning.

Modules under the hood

Curated Pulumi and OpenTofu modules reside alongside each API (apis/.../iac/pulumi/module, apis/.../iac/tf), so you never write raw Terraform or Pulumi code.

Dev‑grade workflow

pulumi preview/update/refresh/destroy and tofu init/plan/apply/destroy/refresh through one CLI; stack FQDN <org>/<project>/<stack>; reproducible workspaces under ~/.project-planton.

Security & governance

Provider credentials are first‑class stack‑inputs (e.g., aws-credential.yaml, gcp-credential.yaml, kubernetes-cluster.yaml); modules apply consistent planton.org/* labels and support foreign‑key references across resources.

Extensibility

Add kinds and modules in‑repo; APIs generate language stubs via Buf; modules are selected per kind/provider automatically; override any manifest value at the CLI with --set key=value.

How It Works

From YAML manifest to deployed infrastructure in five clear steps

Parse

apiVersion/kind/metadata/spec → Protobuf object

Validate

Buf ProtoValidate/CEL on spec

Build

stack‑input = { provisioner, pulumi|terraform, target, providerCredential }

Plan/Preview

pulumi preview or tofu plan

Apply

pulumi update or tofu apply (backends: local|s3|gcs|azurerm)

Input: YAML Manifest

# example: aws-static-website.yaml
apiVersion: aws.project-planton.org/v1
kind: AwsStaticWebsite
metadata:
name: my-site
spec:
enableCdn: true

Output: Status/Results

# modules export status.outputs
status:
outputs:
hostname: my-site.s3-website.amazonaws.com
cloudfront_url: d1234.cloudfront.net
bucket_name: my-site-bucket-xyz

Get Started in Minutes

Four simple steps to deploy your first multi-cloud infrastructure

1. Install
brew install project-planton/tap/project-planton
2. Validate a manifest
project-planton validate manifest.yaml
3. Deploy
# Pulumi (example)
project-planton pulumi up   --manifest manifest.yaml   --stack myorg/myproject/dev   --module-dir .   --set metadata.labels.env=dev

# OpenTofu (example)
project-planton tofu init   --manifest manifest.yaml   --backend-type s3   --backend-config bucket=my-tf-state-bucket   --backend-config dynamodb_table=my-tf-locks   --backend-config region=us-west-2   --backend-config key=stacks/myproject/dev.tfstate

project-planton tofu plan --manifest manifest.yaml
project-planton tofu apply --manifest manifest.yaml --auto-approve
4. Destroy (optional)
project-planton pulumi destroy --manifest manifest.yaml --stack myorg/myproject/dev
# or
project-planton tofu destroy --manifest manifest.yaml --auto-approve

Prerequisites & Notes

  • • Provide credentials via files in an input dir (e.g., aws-credential.yaml, gcp-credential.yaml, kubernetes-cluster.yaml) or explicit flags
  • • Pulumi/OpenTofu CLIs must be installed separately
  • • OpenTofu supports backends: local, s3, gcs, azurerm
  • • Stack FQDN format is <org>/<project>/<stack>

Example Gallery

Real manifests from the repo (trimmed for clarity). Replace placeholders like <project-id>.

Static Website with CDN
aws-static-website.yaml
apiVersion: aws.project-planton.org/v1
kind: AwsStaticWebsite
metadata:
  name: my-site
  labels:
    env: dev
spec:
  enableCdn: true
  # Minimal example; additional fields include SPA routing, aliases, TLS, cache TTLs, and logging.

Deploy:

project-planton validate aws-static-website.yaml
project-planton pulumi up --manifest aws-static-website.yaml --stack myorg/site/dev
EC2 Instance with References
aws-ec2.yaml
apiVersion: aws.project-planton.org/v1
kind: AwsEc2Instance
metadata:
  name: app-vm
spec:
  subnetId:
    valueFrom:
      kind: AwsSubnet
      name: my-vpc-subnet
      fieldPath: status.outputs.subnet_id
  securityGroupIds:
    - valueFrom:
        kind: AwsSecurityGroup
        name: app-sg
        fieldPath: status.outputs.security_group_id
  amiId: ami-0123456789abcdef0
  instanceType: t3.micro
  connectionMethod: SSM

Deploy:

project-planton tofu plan --manifest aws-ec2.yaml
project-planton tofu apply --manifest aws-ec2.yaml --auto-approve

CLI Reference

Complete command reference for the ProjectPlanton CLI

Primary Commands
project-planton pulumi preview

Preview Pulumi changes

project-planton pulumi update

Apply Pulumi changes

project-planton pulumi refresh

Refresh Pulumi state

project-planton pulumi destroy

Destroy Pulumi resources

project-planton tofu init

Initialize OpenTofu backend

project-planton tofu plan

Create OpenTofu execution plan

project-planton tofu apply

Apply OpenTofu changes

project-planton tofu destroy

Destroy OpenTofu resources

project-planton tofu refresh

Refresh OpenTofu state

project-planton validate <manifest.yaml>

Validate manifest with Buf ProtoValidate

project-planton version

Show CLI version

Validation Example
# Validate a manifest before deployment
project-planton validate manifest.yaml
# Example output:
✓ Manifest validation passed
✓ Buf ProtoValidate rules: OK
✓ CEL expressions: OK
✓ Required fields: OK
Core Flags
FlagDescriptionRequired
--manifest <path>path to the deployment‑component manifest file
Required
--stack <org/project/stack>Pulumi stack FQDN (required for pulumi commands)
Required
--module-dir <dir>directory containing the Pulumi/Tofu module (defaults to current dir)
Optional
--input-dir <dir>directory containing target.yaml and/or credential yamls
Optional
--set key=valueoverride manifest fields (deep dot‑paths supported)
Optional
--auto-approveskip interactive approval (tofu apply/destroy)
Optional
--destroycreate a destroy plan (tofu plan)
Optional
--backend-type {local|s3|gcs|azurerm}choose backend (tofu init)
Optional
--backend-config key=valuerepeatable backend arguments (tofu init)
Optional
Provider Credential Flags

Supported by stackinputcredentials

--aws-credential <file>

AWS credential file

--gcp-credential <file>

GCP credential file

--azure-credential <file>

Azure credential file

--kubernetes-cluster <file>

Kubernetes cluster config file

--confluent-credential <file>

Confluent credential file

--mongodb-atlas-credential <file>

MongoDB Atlas credential file

--snowflake-credential <file>

Snowflake credential file

CI/CD Integration

Deploy your infrastructure automatically with GitHub Actions

GitHub Actions Workflow
name: Deploy with ProjectPlanton
on:
  push:
    branches: [ main ]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install ProjectPlanton CLI
        run: brew install project-planton/tap/project-planton

      - name: Install Pulumi & OpenTofu
        run: |
          curl -fsSL https://get.pulumi.com | sh
          echo "$HOME/.pulumi/bin" >> $GITHUB_PATH
          curl -L https://github.com/opentofu/opentofu/releases/latest/download/tofu_linux_amd64.zip -o tofu.zip
          sudo unzip -o tofu.zip -d /usr/local/bin

      - name: Plan (Tofu)
        run: project-planton tofu plan --manifest infra/manifest.yaml

      - name: Apply (Pulumi)
        run: project-planton pulumi up --manifest infra/manifest.yaml --stack myorg/myproj/prod

Deterministic

Same commands, same results across all environments

Version Controlled

Infrastructure as code with full Git history

Portable

Works with any CI/CD system that supports CLI tools

How We Compare

Short, factual comparison with other infrastructure tools

vs Crossplane

Crossplane: In‑cluster controllers

ProjectPlanton: Runs on‑demand via CLI with Pulumi/OpenTofu modules

vs Terraform HCL

Terraform HCL: Imperative DSL

ProjectPlanton: Declarative KRM‑style YAML with strict proto validations

vs Pulumi Code

Pulumi code: App‑like programs

ProjectPlanton: Declarative manifests while Pulumi executes curated modules

Feature Comparison
FeatureProjectPlantonCrossplaneTerraformPulumi
Declarative YAML
Yes
Multi-cloud consistency
Yes
Strong validation
Yes
Multiple backends
Yes
CLI workflow
Yes
Kubernetes native
Programming languages
Curated modules
Yes

Frequently Asked Questions

Everything you need to know about ProjectPlanton