From validated canvas to live cloud infrastructure.
When your architecture passes simulation, deploy directly to AWS, Azure, or GCP — or export Terraform HCL, AWS CDK, and Pulumi to run through your own pipeline. Every step is logged. No long-lived credentials stored.
Four steps from canvas to production.
1. Select target environment: Choose ST, UAT, or Production. Select AWS, GCP, or Azure. Multi-environment configuration is set once per workspace.
2. Review deployment plan: Pinpole generates a diff against the current state of your target environment. Resource-level changes are visible before you approve.
3. Approve and deploy: One-click deploy uses STS AssumeRole (AWS), Workload Identity Federation (GCP), or Managed Identity (Azure). Explicit confirmation is required for every deployment.
4. Confirm and monitor: Status updates in real time. Success and failure states are logged to execution history with a full architecture snapshot.
Export to your pipeline.
Prefer to deploy through your own CI/CD? Export Terraform HCL, AWS CDK, ARM/Bicep, or Pulumi from any canvas state — before or after simulation. The export reflects the exact configuration at the moment of export.
- Terraform HCL · variables · outputs
- AWS CDK · TypeScript
- Azure ARM & Bicep templates
- Google Cloud Deployment Manager
```text
$ pinpole export --format terraform
✓ Generated 27 resources
├─ main.tf
├─ variables.tf
├─ networking.tf
└─ outputs.tf
```
```typescript
import * as cdk from 'aws-cdk-lib';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { Construct } from 'constructs';

export class PinpoleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // exported from canvas state
  }
}
```
Deploy without handing over the keys.
Pinpole never stores long-lived cloud credentials. Cross-account access uses provider-native, least-privilege delegation.
AWS STS AssumeRole
Customer-provisioned cross-account IAM role. Short-lived session credentials (max 1 hour). Revoke access anytime from your AWS account.
GCP Workload Identity
Service account or Workload Identity Federation scoped to target projects with least-privilege IAM bindings.
Azure Managed Identity
Entra ID service principal with RBAC scoped to subscriptions or resource groups. Customer controls provisioning and revocation.
One-click connect. Zero stored keys.
Pinpole is an OIDC issuer — your cloud trusts Pinpole through standard federation, and every deploy uses short-lived credentials minted on demand.
- AWS: One-click CloudFormation Quick Create in your account sets up the IAM OIDC provider, deploy role, and onboarding webhook. Validate-first onboarding tests the connection before your first deploy.
- GCP: Terraform ZIP with a Cloud Shell command, or a Google OAuth flow that provisions the WIF pool and provider for you.
- Cloudflare: Verify a token, resolve the account, and deploy Workers, Pages, KV, D1, Queues, R2, and DNS in real time. Import existing resources onto the canvas.
- Azure: Generate an ARM template from the canvas and open the Azure Portal deploy link — full OIDC connect is on the roadmap.
- No stored credentials at all: generate the template plus a console Quick Create URL and deploy from your own cloud console.
Connecting a cloud account requires privileged MFA. Team plans gate who can connect accounts and deploy via role capabilities.
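As an added example (not Pinpole's code or its CloudFormation template), this builds the trust policy an AWS deploy role needs for an external OIDC issuer and lints it the way a reviewer would before approving the onboarding stack: the `aud` and `sub` conditions are what keep the role scoped to one issuer, one relying party and one workspace, and the session ceiling matches the one-hour limit stated above. The issuer host, account id, audience and subject values are placeholders.

```python
import json

# Placeholders (not Pinpole's real values): issuer host, account id, audience, subject.
ISSUER = "oidc.pinpole.example"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"
AUDIENCE = "pinpole-deploy"
SUBJECT = "workspace:ws_example:env:prod"


def build_trust_policy(provider_arn, issuer, audience, subject):
    """Trust policy for a deploy role federated to an external OIDC issuer.
    Both conditions matter: `aud` rejects tokens minted for another relying
    party, `sub` pins the role to one workspace/environment on the issuer side."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{issuer}:aud": audience,
                                           f"{issuer}:sub": subject}},
        }],
    }


def lint_deploy_role(trust_policy, issuer, max_session_seconds=3600):
    """Findings a reviewer should raise before approving the onboarding stack."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Federated" not in stmt.get("Principal", {}):
            continue
        cond = stmt.get("Condition", {})
        equals, likes = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if f"{issuer}:aud" not in equals:
            findings.append("missing aud condition")
        sub = equals.get(f"{issuer}:sub", likes.get(f"{issuer}:sub"))
        if sub is None:
            findings.append("missing sub condition")
        elif any(s.strip("*?") == "" for s in ([sub] if isinstance(sub, str) else sub)):
            findings.append("sub is a bare wildcard")
    if max_session_seconds > 3600:
        findings.append("MaxSessionDuration above 1 hour")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(PROVIDER_ARN, ISSUER, AUDIENCE, SUBJECT)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_deploy_role(policy, ISSUER))  # []
```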
GitHub → Lambda code sync.
Link a GitHub repo, branch, and handler path to any Lambda node on the canvas. Pinpole discovers SAM and Serverless functions in the repo, and pushes code updates to deployed functions without a full stack redeploy.
- Auto-deploy on push — webhook syncs the linked branch automatically
- Manual "Sync code from GitHub" via UpdateFunctionCode
- Post-deploy auto-sync runs whenever a deploy succeeds
- Sync status shows last manual and webhook sync timestamps
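An added example, not Pinpole's implementation, of the gate a receiver should apply before a push webhook is allowed to trigger UpdateFunctionCode: verify GitHub's X-Hub-Signature-256 over the raw body first, then confirm the delivery is a push to the linked repository and branch, and sync the exact commit named in the event. The repo, branch, function name and secret are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample link and secret (not real Pinpole data).
WEBHOOK_SECRET = b"constructed-webhook-secret"
LINK = {"repo": "acme/orders-api", "branch": "main",
        "function_name": "orders-handler", "handler_path": "src/handler.py"}


def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def should_sync(link: dict, headers: dict, body: bytes, secret: bytes):
    """Decide whether this delivery may trigger UpdateFunctionCode for `link`.
    Returns (True, commit_sha) or (False, reason). The signature is checked
    over the raw bytes before anything is parsed, so a forged or tampered
    body never reaches the JSON decoder or the sync step."""
    expected = github_signature(secret, body)
    if not hmac.compare_digest(headers.get("X-Hub-Signature-256", ""), expected):
        return False, "bad signature"
    if headers.get("X-GitHub-Event") != "push":
        return False, "not a push event"
    event = json.loads(body)
    if event.get("repository", {}).get("full_name") != link["repo"]:
        return False, "repository does not match link"
    if event.get("ref") != f"refs/heads/{link['branch']}":
        return False, "push to an unlinked branch"
    if event.get("deleted"):
        return False, "branch deletion, nothing to sync"
    return True, event["after"]  # sync exactly this commit, not "latest"


def sample_push(ref: str, sha: str) -> tuple:
    """Build a constructed push delivery (headers, body) signed with the sample secret."""
    body = json.dumps({"ref": ref, "after": sha, "deleted": False,
                       "repository": {"full_name": LINK["repo"]}}).encode()
    headers = {"X-GitHub-Event": "push",
               "X-Hub-Signature-256": github_signature(WEBHOOK_SECRET, body)}
    return headers, body


if __name__ == "__main__":
    headers, body = sample_push("refs/heads/main", "0123abcd")
    print(should_sync(LINK, headers, body, WEBHOOK_SECRET))  # (True, '0123abcd')
    tampered = body.replace(b"refs/heads/main", b"refs/heads/dev")
    print(should_sync(LINK, headers, tampered, WEBHOOK_SECRET))  # (False, 'bad signature')
```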
The canvas stays in charge after the deploy.
Once connected, the Deploy button becomes Sync. Push changes, detect drift, inspect live resources, and keep the design and the deployment aligned.
- A diff engine routes small changes to direct API updates and larger ones to full stack updates — on AWS and GCP.
- Push a single service's config — or even a single field — to a live AWS resource without redeploying the stack.
- Compare the canvas against live CloudFormation/Lambda state (AWS), the last deployed snapshot (GCP), or resource fingerprints (Cloudflare).
- Per-workspace versioned list with status, trigger, resource counts, estimated monthly cost, and timestamps.
- Live status polling, event timeline, stack outputs, resource snapshot, duration, and a deep link to the AWS Console.
- Per-node physical name, ARN, endpoint URL, and "Open in AWS Console" links for every deployed resource.
- Toasts and an in-app inbox for deploy success/failure and OIDC onboarding progress — plus email preferences.
- Abort a running deploy and optionally tear down the onboarding stack.
- Immutable, MFA-gated history of canvas changes, deploys, and team actions.
GitHub sync
Canvas changes become pull requests. Two-way sync keeps your repo and canvas aligned.
Rollback
Roll back to any prior canvas configuration with one click. Full snapshot preserved in execution history.
Audit trail
Every simulation and deployment logged with user, timestamp, canvas snapshot, and resulting resource ARNs.
Validated design.
Confident deployment.
Design → Simulate → Optimize → Deploy · One workflow