Deploy

From validated canvas to live cloud infrastructure.

When your architecture passes simulation, deploy directly to AWS, Azure, or GCP — or export Terraform HCL, AWS CDK, and Pulumi to run through your own pipeline. Every step is logged. No long-lived credentials stored.

pinpole deploy
$ pinpole deploy --env production
Terraform plan generated (27 resources)
Diff reviewed · 27 to add, 0 to change
STS AssumeRole · session 58m remaining
VPC, Lambda, DynamoDB, API Gateway
Deployment complete in 94s
3 · Cloud providers supported
0 · Long-lived secrets stored
ST · UAT · PR · Multi-environment pipeline
1-click · Rollback to any canvas state
Deploy workflow

Four steps from canvas to production.

01

Select target environment

Choose ST, UAT, or Production. Select AWS, GCP, or Azure. Multi-environment configuration is set once per workspace.

02

Review deployment plan

Pinpole generates a diff against the current state of your target environment. Resource-level changes are visible before you approve.

03

Approve and deploy

One-click deploy uses STS AssumeRole (AWS), Workload Identity Federation (GCP), or Managed Identity (Azure). Explicit confirmation required for every deployment.

04

Confirm and monitor

Status updates in real time. Success and failure states are logged to execution history with a full architecture snapshot.

Plan · Preview · Deploy · Monitor
IaC

Export to your pipeline.

Prefer to deploy through your own CI/CD? Export Terraform HCL, AWS CDK, ARM/Bicep, or Pulumi from any canvas state — before or after simulation. The export reflects the exact configuration at the moment of export.

  • Terraform HCL · variables · outputs
  • AWS CDK · TypeScript
  • Azure ARM & Bicep templates
  • Google Cloud Deployment Manager
Sync with GitHub →
$ pinpole export --format terraform

 Generated 27 resources
  ├─ main.tf
  ├─ variables.tf
  ├─ networking.tf
  └─ outputs.tf

import * as cdk from 'aws-cdk-lib';
import * as lambda from 'aws-cdk-lib/aws-lambda';

export class PinpoleStack extends cdk.Stack {
  // exported from canvas state
}
Security model

Deploy without handing over the keys.

Pinpole never stores long-lived cloud credentials. Cross-account access uses provider-native, least-privilege delegation.

AWS STS AssumeRole

Customer-provisioned cross-account IAM role. Short-lived session credentials (max 1 hour). Revoke access anytime from your AWS account.

GCP Workload Identity

Service account or Workload Identity Federation scoped to target projects with least-privilege IAM bindings.

Azure Managed Identity

Entra ID service principal with RBAC scoped to subscriptions or resource groups. Customer controls provisioning and revocation.

Read the full security model →

Connect your cloud

One-click connect. Zero stored keys.

Pinpole is an OIDC issuer — your cloud trusts Pinpole through standard federation, and every deploy uses short-lived credentials minted on demand.

AWS OIDC connect

One-click CloudFormation Quick Create in your account sets up the IAM OIDC provider, deploy role, and onboarding webhook. Validate-first onboarding tests the connection before your first deploy.
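The security model above rests on two settings in the customer's account: a deploy role whose trust policy only accepts tokens from the Pinpole OIDC issuer with the expected audience and subject, and a session limit of at most one hour. The following Python is an added example, not Pinpole's onboarding template or code: it builds such a role definition and audits one for the mistakes that silently widen access (missing subject condition, wildcard principal, long sessions). The issuer hostname, account id, audience and subject format are assumptions; the page does not publish the real values.

```python
import json

# Constructed values for this example. The issuer hostname, account id, audience
# and subject format are assumptions, not Pinpole's real configuration.
ISSUER = "oidc.pinpole.example"
ACCOUNT_ID = "123456789012"
AUDIENCE = "pinpole-deploy"
WORKSPACE_SUBJECT = "workspace:acme-prod:env:production"
MAX_SESSION_SECONDS = 3600  # the page states sessions last at most 1 hour


def build_deploy_role(issuer, account_id, audience, subject):
    """Role definition (trust policy plus session limit) that only tokens from
    the named OIDC issuer, with this audience and subject, can assume."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                # aud pins the token to this integration; sub pins it to one
                # workspace/environment, so another tenant's token is rejected.
                "Condition": {
                    "StringEquals": {
                        f"{issuer}:aud": audience,
                        f"{issuer}:sub": subject,
                    }
                },
            }
        ],
    }
    return {
        "RoleName": "PinpoleDeployRole",
        "MaxSessionDuration": MAX_SESSION_SECONDS,
        "AssumeRolePolicyDocument": trust_policy,
    }


def audit_deploy_role(role, issuer, max_session=MAX_SESSION_SECONDS):
    """Return a list of findings; an empty list means the role is acceptably scoped."""
    findings = []
    if role.get("MaxSessionDuration", 0) > max_session:
        findings.append("session duration exceeds limit")
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append("wildcard principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        conds = stmt.get("Condition", {})
        equals = conds.get("StringEquals", {})
        like = conds.get("StringLike", {})
        if f"{issuer}:aud" not in equals:
            findings.append("no exact audience condition")
        sub_key = f"{issuer}:sub"
        sub = equals.get(sub_key, like.get(sub_key))
        if sub is None:
            # Without a sub condition, any token the issuer signs for any
            # audience-matching client can assume this role.
            findings.append("no subject condition")
        elif str(sub).strip() == "*" or str(sub).startswith("*"):
            findings.append("subject wildcard")
    return findings


def weak_role_example():
    """Constructed weak variant: IAM's 12 hour maximum and no subject condition."""
    role = build_deploy_role(ISSUER, ACCOUNT_ID, AUDIENCE, WORKSPACE_SUBJECT)
    role["MaxSessionDuration"] = 43200
    del role["AssumeRolePolicyDocument"]["Statement"][0]["Condition"]["StringEquals"][f"{ISSUER}:sub"]
    return role


if __name__ == "__main__":
    good = build_deploy_role(ISSUER, ACCOUNT_ID, AUDIENCE, WORKSPACE_SUBJECT)
    print(json.dumps(good["AssumeRolePolicyDocument"], indent=2))
    print("good role findings:", audit_deploy_role(good, ISSUER))
    print("weak role findings:", audit_deploy_role(weak_role_example(), ISSUER))
```

Run the audit against the role the Quick Create stack actually created (for example on the output of `aws iam get-role`) rather than against the template, since the live trust policy is what STS evaluates.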

GCP Workload Identity Federation

Terraform ZIP with a Cloud Shell command, or a Google OAuth flow that provisions the WIF pool and provider for you.

Cloudflare API token

Verify a token, resolve the account, and deploy Workers, Pages, KV, D1, Queues, R2, and DNS in real time. Import existing resources onto the canvas.

Azure quick deploy

Generate an ARM template from the canvas and open the Azure Portal deploy link — full OIDC connect is on the roadmap.

Quick deploy — no connect

No stored credentials at all: generate the template plus a console Quick Create URL and deploy from your own cloud console.

MFA-gated connect

Connecting a cloud account requires privileged MFA. Team plans gate who can connect accounts and deploy via role capabilities.

GitHub → Lambda code sync.

Link a GitHub repo, branch, and handler path to any Lambda node on the canvas. Pinpole discovers SAM and Serverless functions in the repo, and pushes code updates to deployed functions without a full stack redeploy.

  • Auto-deploy on push — webhook syncs the linked branch automatically
  • Manual "Sync code from GitHub" via UpdateFunctionCode
  • Post-deploy auto-sync runs whenever a deploy succeeds
  • Sync status shows last manual and webhook sync timestamps
All connectors →
github webhook
push to main · pinpole/api-worker
Function discovered (handler src/index.ts)
UpdateFunctionCode · resize-worker
Code live in 11s — no stack redeploy
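A push webhook that ends in UpdateFunctionCode is only as trustworthy as the checks in front of it. The Python below is an added example, not Pinpole's webhook handler: it verifies GitHub's HMAC signature header (X-Hub-Signature-256, which GitHub computes over the raw body with the shared secret) before parsing anything, then only plans a code sync when the push targets the exact repo and branch linked to a canvas node. The secret, the link table and the function name are constructed values.

```python
import hashlib
import hmac
import json

# Constructed values: the shared webhook secret and the canvas link table are
# assumptions for this example, not Pinpole's real configuration.
WEBHOOK_SECRET = b"constructed-webhook-secret"
LINKED_NODES = {
    # (repo, branch) -> Lambda node linked on the canvas
    ("pinpole/api-worker", "main"): {"function": "resize-worker", "handler": "src/index.ts"},
}


def sign_payload(secret: bytes, body: bytes) -> str:
    """The value GitHub sends in X-Hub-Signature-256 for this body and secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    if not header or not header.startswith("sha256="):
        return False
    # Constant-time comparison so a timing side channel cannot reveal the digest.
    return hmac.compare_digest(sign_payload(secret, body), header)


def plan_sync(secret: bytes, body: bytes, headers: dict):
    """Decide whether a delivery should trigger UpdateFunctionCode.
    Returns (action, reason); action is None when nothing should run."""
    # Authenticate the delivery before trusting a single byte of the payload.
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return None, "signature mismatch"
    if headers.get("X-GitHub-Event") != "push":
        return None, "not a push event"
    event = json.loads(body)
    ref = event.get("ref", "")
    if not ref.startswith("refs/heads/"):
        return None, "not a branch push"
    branch = ref[len("refs/heads/"):]
    repo = event.get("repository", {}).get("full_name", "")
    node = LINKED_NODES.get((repo, branch))
    if node is None:
        # A push to an unlinked branch (or a different repo) must not touch production.
        return None, f"no canvas node linked to {repo}@{branch}"
    return {
        "FunctionName": node["function"],
        "Handler": node["handler"],
        "Commit": event.get("after"),
    }, "ok"


def sample_push(repo="pinpole/api-worker", branch="main", commit="0123abcd") -> bytes:
    """Constructed minimal push payload with only the fields plan_sync reads."""
    return json.dumps(
        {"ref": f"refs/heads/{branch}", "after": commit, "repository": {"full_name": repo}}
    ).encode()


if __name__ == "__main__":
    body = sample_push()
    headers = {"X-GitHub-Event": "push", "X-Hub-Signature-256": sign_payload(WEBHOOK_SECRET, body)}
    print(plan_sync(WEBHOOK_SECRET, body, headers))
    print(plan_sync(WEBHOOK_SECRET, body + b" ", headers))  # tampered body
```

The returned action is what a real handler would pass to the Lambda UpdateFunctionCode call; keeping the decision separate from the API call makes the gate easy to test and to log in the audit trail.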
Post-deploy manage

The canvas stays in charge after the deploy.

Once connected, the Deploy button becomes Sync. Push changes, detect drift, inspect live resources, and keep the design and the deployment aligned.

Sync & incremental apply

A diff engine routes small changes to direct API updates and larger ones to full stack updates — on AWS and GCP.

Per-service push update

Push a single service's config — or even a single field — to a live AWS resource without redeploying the stack.

Drift detection

Compare the canvas against live CloudFormation/Lambda state (AWS), the last deployed snapshot (GCP), or resource fingerprints (Cloudflare).
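The sync and drift features above come down to one comparison: the canvas's desired properties for each node against what is live, with each difference routed either to a direct API update or to a full stack update. The Python below is an added example, not Pinpole's diff engine: it implements that comparison over constructed canvas and live snapshots, reports nodes that need creating, and surfaces live resources the canvas does not know about. Which fields count as updatable in place is an assumption for the example; the page does not publish the real routing rules.

```python
# Assumption for this example: fields a direct API call can change in place.
# Any other change is routed to a full stack update.
IN_PLACE_FIELDS = {
    "lambda": {"MemorySize", "Timeout", "Environment"},
    "dynamodb": {"BillingMode", "PointInTimeRecovery"},
}


def diff_resource(kind, desired, live):
    """Classify one resource: in_sync, direct_update or stack_update, plus the changed keys."""
    changed = {k for k in set(desired) | set(live) if desired.get(k) != live.get(k)}
    if not changed:
        return "in_sync", changed
    if changed <= IN_PLACE_FIELDS.get(kind, set()):
        return "direct_update", changed
    return "stack_update", changed


def diff_deployment(canvas, live):
    """Map every node to an action. canvas and live are {name: {"kind", "props"}}."""
    plan = {}
    for name, node in canvas.items():
        if name not in live:
            plan[name] = ("create", set(node["props"]))
            continue
        plan[name] = diff_resource(node["kind"], node["props"], live[name]["props"])
    for name in set(live) - set(canvas):
        # Drift in the other direction: something exists that the design never declared.
        plan[name] = ("unmanaged", set())
    return plan


def needs_stack_update(plan):
    return any(action == "stack_update" for action, _ in plan.values())


def sample_canvas():
    """Constructed desired state, as a canvas snapshot would describe it."""
    return {
        "resize-worker": {"kind": "lambda", "props": {"Runtime": "nodejs20.x", "MemorySize": 512, "Timeout": 30}},
        "jobs-table": {"kind": "dynamodb", "props": {"BillingMode": "PAY_PER_REQUEST"}},
        "api": {"kind": "apigateway", "props": {"Stage": "prod"}},
    }


def sample_live():
    """Constructed live state: memory was changed in the console, api is missing,
    and a bucket exists that is not on the canvas."""
    return {
        "resize-worker": {"kind": "lambda", "props": {"Runtime": "nodejs20.x", "MemorySize": 256, "Timeout": 30}},
        "jobs-table": {"kind": "dynamodb", "props": {"BillingMode": "PAY_PER_REQUEST"}},
        "legacy-bucket": {"kind": "s3", "props": {"Versioning": False}},
    }


if __name__ == "__main__":
    for name, (action, keys) in diff_deployment(sample_canvas(), sample_live()).items():
        print(f"{name:15} {action:14} {sorted(keys)}")
```

Treat an "unmanaged" entry as a finding to investigate rather than something to delete automatically: it may be drift, but it may also be a resource another team owns.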

Deployment history

Per-workspace versioned list with status, trigger, resource counts, estimated monthly cost, and timestamps.

Deployment detail page

Live status polling, event timeline, stack outputs, resource snapshot, duration, and a deep link to the AWS Console.

Live resource cards

Per-node physical name, ARN, endpoint URL, and "Open in AWS Console" links for every deployed resource.

Deploy notifications

Toasts and an in-app inbox for deploy success/failure and OIDC onboarding progress — plus email preferences.

Cancel in-flight deploy

Abort a running deploy and optionally tear down the onboarding stack.

Audit log

Immutable, MFA-gated history of canvas changes, deploys, and team actions.

GitHub sync

Canvas changes become pull requests. Two-way sync keeps your repo and canvas aligned.

Rollback

Roll back to any prior canvas configuration with one click. Full snapshot preserved in execution history.

Audit trail

Every simulation and deployment logged with user, timestamp, canvas snapshot, and resulting resource ARNs.

Validated design.
Confident deployment.

Design → Simulate → Optimize → Deploy · One workflow