The Account Factory solution for modern platform for all
Establish a first-class, end-to-end DevOps lifecycle on AWS, entirely as code, in about a day.
View all Gruntwork
legal docs
Subscribe to our RSS feed to be notified when we make changes to any of our legal documents.
From the DevOps experts who brought you:
Terraform: Up & Running
We literally wrote the book on Terraform and OpenTofu.
Terragrunt
We created the most popular open source tool for using OpenTofu and Terraform at scale.
OpenTofu
We are co-founders of OpenTofu and members of the steering commitee.
Meet our customers
It's been our privilege to work with software teams of all sizes. Hear how they've modernized their infrastructures using Gruntwork products and services.
We own our company and our destiny
Unlike many venture-backed startups, Gruntwork is fully bootstrapped. We have and will continue to grow responsibly based on the revenue we generate, without seeking external funding. This frees us up to think long-term, treat our people right, center on our customers, and avoid the pressures of unsustainable growth often imposed by investors. This model also makes our equity grants and profit sharing bonuses all that more valuable, as we truly believe in taking shared ownership of the company we’re building.
Automate all your infrastructure deployments
Quickly provision new AWS accounts
Bootstrap your IaC module catalog
Actually stay up-to-date. Automatically.
Why waste effort building from scratch?
Infrastructure as code
Over 350,000 lines of code written in Terraform, Go, Python, and Bash. You get access to 100% of the code.
Reusable
Our modules are highly reusable, configurable, composable, and extensible.
Tested
Every commit goes through a suite of automated tests. View support matrix.
Documented
Example code and thorough documentation are included for every module.
Secure
Built with security-first principles and validated with security scanning.
Supported
Gruntwork provides commercial maintenance and support. We continually make updates, additions, and fixes to the library.
Thoughtfully Opinionated
We balance flexibility and opinionatedness to ensure you get modern best practices.
No Lock-In
If you ever choose to cancel, you keep rights to all the code.
What’s Included
Landing Zone Baselines and Security
IAM users/groups/roles, GuardDuty, CloudTrail, etc.
App Orchestration
EKS, ECS, EC2, ASGs, etc.
Networking
CIS-compliant VPC, Transit Gateway, IPAM, DualStack/IPv6 [BETA]
Data Storage
MySQL, Postgres, Aurora, Redis, S3, etc.
Serverless
Lambda, API Gateway, etc.
Compliance & Governance
...
Search & Analytics
Elasticsearch, Kafka, Kinesis, etc.
Explore our latest blog
Promotion Workflows with Terraform
Jason Griffin
October 3, 2023 7 min read
The Impact of the HashiCorp License Change on Gruntwork Customers
Josh Padnick
October 3, 2023 7 min read
How to securely store secrets in 1Password CLI and load them into your ZSH shell when needed
Pete Emerson
October 3, 2023 7 min read“The quality that Gruntwork produces and maintains is outstanding. It has proven time and time again to be a huge accelerator bringing companies forward in terms of stability and quality. It also enables closer collaboration across the engineering organization by providing easy-to-use, battle-tested modules in a “plug-and-play” manner, enabling us to take care of the core business, generating more value across the board, and not being slowed down by unnecessary ‘grunt work.”
Markus Burger
DevOps Team Lead
“When I first broached the topic of working with Gruntwork and redoing our platform, there was a fair bit of trepidation and anxiety from the team. I had to sell them on the concept. Now, I'm hearing nothing but rave reviews about the work you guys have done. Literally big smiles and rave reviews. From hard-to-please-engineers. Superb work! I'll happily recommend to you all the firms where I serve on the advisory board.”
Venu Javarappa
Senior Vice President, Engineering
“Gruntwork’s solution - leveraging reusable high quality infrastructure components - is a fantastic fit for us. Literally in a couple of weeks we had a complete DevOps infrastructure up and running incorporating all kinds of “best practice” ideas - infrastructure as code, immutable infrastructure, continuous integration, continuous delivery, containerization, load balancing, auto scaling, monitoring, security, etc - taking it many steps beyond where we would have ended up had we decided to build it ourselves over what would have been a much longer period of time.
Dan Evison
CEO
“While we had made some good progress with various Terraform deployments across the company, Gruntwork really took our workflows and quality infrastructure code to another level that saves us time now and in the long run. By moving away from our proprietary build system to what I would call the Gruntwork “plug and play workflow,” we will have less issues and a more collaborative environment.”
Ryan Kelley
Senior Systems Engineer
“We ended up going with Gruntwork. I highly recommend. Jim Brikman of Gruntwork was the top infrastructure engineer during my tenure at LinkedIn, so I already knew what to expect. It was fantastic to see how they delivered our awesome AWS + Terraform infrastructure on time and well under budget.”
Erem Boto
Senior Software Engineer
Oct 27, 2023
Simplified Service Data terms
Aug 24, 2023
Update Data Processing Agreement governing law
Apr 18, 2023
Add Platform Accelerator program terms
Jul 19, 2022
Removed Foqal from data subprocessors
Jun 8, 2022
Simplified Reference Architecture Terms
It’s like expert consulting — only better
Tired of traditional consulting? So are we! Our DevOps Foundations solution provides unique benefits over both DIY and traditional consulting.
| Do it yourself | Consultant | |
Starting point | Leverage battle-tested code and tooling proven in prod | From scratch | From scratch |
Incentives | Maximize product utility from a reusable library of code | Minimize investment of time | Maximize billable hours |
Scope of work | End-to-end, modular architecture that fulfills the production-grade checklist | Varies depending on team knowledge and time available | Varies depending on consultant knowledge and budget available |
Time to launch | ~1 week (highly predictable) | 3 – 12 months (highly variable) | 3 – 12 months (highly variable) |
Monthly cost | $795 – $6,500 per month | $16,000 – $32,000 per month(2 devs, $100k – $200k / year) | $32,000 – $64,000 per month(2 devs, $100 – $200 / hour) |
Maintenance | On-going maintenance, updates, security patches | None | None |
Support | Commercial support | None | None |
Yevgeniy "Jim" Brikman
CO-FOUNDER
Jim is the author of two books published by O’Reilly Media: Hello, Startup and Terraform: Up & Running. He has more than a decade of experience building infrastructure and products that serve hundreds of millions of users at LinkedIn, TripAdvisor, Cisco Systems, and Thomson Financial.
We may be experts, but don’t take our word for it
“We ended up going with Gruntwork. I highly recommend. Jim Brikman of Gruntwork was the top infrastructure engineer during my tenure at LinkedIn, so I already knew what to expect. It was fantastic to see how they delivered our awesome AWS + Terraform infrastructure on time and well under budget.”Erem Boto
Senior Software Engineer
- “We ended up going with Gruntwork. I highly recommend. Jim Brikman of Gruntwork was the top infrastructure engineer during my tenure at LinkedIn, so I already knew what to expect. It was fantastic to see how they delivered our awesome AWS + Terraform infrastructure on time and well under budget.”
Erem Boto
Senior Software Engineer
- “We ended up going with Gruntwork. I highly recommend. Jim Brikman of Gruntwork was the top infrastructure engineer during my tenure at LinkedIn, so I already knew what to expect. It was fantastic to see how they delivered our awesome AWS + Terraform infrastructure on time and well under budget.”
Erem Boto
Senior Software Engineer
Lay your new DevOps Foundations today.
Chat with a DevOps expert and see how our integrated solution can meet the needs of your business and your teams.
Get up-to-date, then stay up-to-date.
Chat with a DevOps expert to learn more about how Patcher can help your team effortlessly keep its infrastructure up-to-date, and request access to the beta.
How it works
Automatically discover dependencies in your code
Automatically discover dependencies in your code
With Patcher
Run the Patcher CLI to automatically discover dependencies in your code, the versions they are at, and if new versions are available.
Without Patcher
You have to manually scan your code for dependencies, manually track which versions they are at, and manually look up if new versions are available.
Hassle-free updates with step-by-step instructions and automatic patching
Hassle-free updates with step-by-step instructions and automatic patching
With Patcher
Choose the desired module and its corresponding version for an update. Patcher automatically modifies your code, applying necessary patches. You will be guided through any necessary manual changes.
Without Patcher
Update to new versions manually. If the new version is backward incompatible, go searching for a migration guide, and follow the steps to update your code manually.
Feel what’s it’s like to be part of the team
We’re trying to build a diverse team that is welcoming and safe for people of all backgrounds, cultures, genders, and ethnicities. We don’t use puzzles and brainteasers in our interviews, as they are a complete waste of time that do little more than make the interviewer feel smart. We don’t do whiteboard coding interviews, as they test the wrong skills and discriminate against many developers, and often become little more than a hazing ritual. And we don’t do salary negotiations, as they lead to gender discrimination. Here’s what you can expect:
Connect
Connect
Either you find us (e.g., through our careers page) or we find you (e.g., through your blog posts, talks, open source work, or a personal connection). We’ll take a look at your background and make sure you meet our basic criteria:
You know how to write code, or have worked with many who do.
You have experience creating and shipping production software.
You want to help create software to transform DevOps.
Meet the team
Meet the team
We’ll set up video calls with a few team members. These chats help us understand what you’re looking for, and help you understand what we’re looking for. Tiny, bootstrapped, distributed startups in the DevOps space are not for everyone, so we try hard to understand what you’ve worked on in the past, what you want to work on in the future, and to share as much as we can about the type of work we do so that we can come to the right mutual decision.
Work with us on a paid trial project
Work with us on a paid trial project
If the chats go well, we’ll invite you to a paid trial project. Instead of you spending a day doing whiteboard coding at a company’s office, we ask that you take a day to work on a real project for us, from the comfort of your own home (or coffee shop or library or wherever you prefer working). We might have you fix a bug in one of our open source projects, add a new feature to an existing module in our IaC Library, or even build an entirely new module that a customer requested. We’ll introduce the project to you at the start of the day, chat with you via Slack and email throughout the day, and then review your work at the end.
In other words, it’s basically a regular work day—which is exactly the point! Our goal is to give you an accurate feel for what it would be like to join Gruntwork. By the end of the day, you should have a good idea of the type of projects we work on and what it’s like to work with us, and we should have a good idea of what you’re capable of and what it’s like to work with you.
Receive an offer
Receive an offer
If the trial project goes well and everyone wants to move forward, we’ll make an offer. As noted in the benefits section, Gruntwork pays a competitive above-market rate according to a formula to ensure transparency and fairness. We do not negotiate salaries.
End-to-end infrastructure automation.
Vend new SDLC accounts for your teams at the push of a button
Vend new SDLC accounts for your teams at the push of a button
Account Factory helps you quickly provision new accounts for your teams that come out-of-the-box with:
Secure baselines and guard rails
Secure network access
SSO Access
A GitOps Infra pipeline
Control Tower Integration
Scaffold new infrastructure from an approved catalog using self-service templates
Scaffold new infrastructure from an approved catalog using self-service templates
Curated module catalog. Browse a catalog of approved infrastructure modules, bootstrapped with the Gruntwork Library, and easily filter to find what you need.
Module templates. Select a template to help configure your module for common use cases.
Scaffolding. Scaffold new modules with a keystroke, with intelligent prompts for any configurations exposed in the selected template.
Deploy with confidence using GitOps automated workflows
Deploy with confidence using GitOps automated workflows
GitOps automation. Gruntwork Pipelines will run plan for any infra change pull request, and apply those changes when it gets merged.
Policy enforcement. All pipelines enforce a standard set of company policies, giving you confidence in every change.
Approval Workflows. Add safeguards by requiring approvals depending on the nature of the change.
Secure. Your prod AWS credentials are kept isolated from developers so the blast radius of any changes is kept to a minimum.
Stay up-to-date, even in the face of breaking changes
Stay up-to-date, even in the face of breaking changes
Automatic Updates. Patcher [BETA] opens PRs automatically when new versions of infrastructure dependencies get released.
Handle breaking changes. Breaking changes for Gruntwork Library modules come with patches that help you update your code automatically.
Promotion workflows. Promote changes across environments — from dev to stage to prod — so you can build confidence at each step.
Commercial maintenance & support. Get ongoing updates to all Gruntwork Library modules, as well as commercial support for all Gruntwork products.
See how Gruntwork has transformed DevOps for our satisfied customers.
Gruntwork proves instrumental in Instrumental’s growth
Gruntwork proves instrumental in Instrumental’s growth
Gruntwork Account Factory integrates seamlessly with AWS Control Tower, giving you the benefits of IaC and the convenience of AWS console controls.
Erem Boto
Senior Software Engineer
Gruntwork proves instrumental in Instrumental’s growth
Gruntwork proves instrumental in Instrumental’s growth
Gruntwork Account Factory integrates seamlessly with AWS Control Tower, giving you the benefits of IaC and the convenience of AWS console controls.
Trusted by top companies
Every few months, we send out a newsletter to all Gruntwork customers that describes all the updates we’ve made since the last newsletter and news from the DevOps industry. Note that many of the links below go to private repos in the Gruntwork Infrastructure as Code Library and Reference Architecture that are only accessible to customers.
Gruntwork Updates
Gruntwork, Inc. (“Gruntwork,” “we,” “our” and/or “us”) respects your privacy and is committed to protecting it through our compliance with this privacy policy (the “Privacy Policy”). Gruntwork is a DevOps platform designed to enable software teams to quickly launch production-grade cloud infrastructure. This Privacy Policy describes the types of information we may collect from and about you when you visit our website located at www.gruntwork.io (the “Site”); use the Gruntwork services, including our cloud-based developer portal located at app.gruntwork.io (“the Portal”) and any additional Gruntwork-branded features and functionalities, websites, user interfaces, and applications (collectively with the Portal, the “Services”); engage with us through our newsletters, emails, and branded social media accounts; or otherwise interact with us. It also describes our practices for using, maintaining, protecting, and disclosing that information as well as certain legal rights you may have, subject to applicable law, and how you can exercise them.
[NEW] Account factory: multi-account, multi-team, full SDLC
Gruntwork’s Landing Zone solution now supports a self-service account factory that can automate the process of setting up a new multi-account structure and full SDLC (Software Development Life Cycle) workflow for your dev teams. Here’s a quick outline of how it works:
Fill out the account request form. Your dev team fills out a web form (which you can customize to your needs), specifying the details of the account structure they need: e.g., team name, department, billing code, etc.
Automated account creation in Control Tower. When they submit the form, this kicks off an automated account provisioning process that provisions new AWS accounts for that team—e.g., dev, stage, and prod—using Control Tower. This allows you to use Control Tower as your single pane of glass for all of your AWS accounts.
Automated baselining. The automated account provisioning process applies a secure baseline to every account, ensuring it is configured with CloudTrail, GuardDuty, Macie, IAM Access Analyzer, default EBS encryption, Security Hub, IAM roles, SSO access, OIDC providers, and all the other security, monitoring, and auth features you need.
The OpenTofu release candidate is here!
A small holidays gift for everyone: the OpenTofu release candidate is now available! If we find no major issues, this release candidate will become our first stable release on January 10th, 2024!
DevOps News
In the last few months, we updated our Landing Zone solution with a self-service account factory that can automate the process of setting up a new multi-account structure and full SDLC (Software Development Life Cycle) workflow for your dev teams; updated our VPC code with support for IPv6, IPAM, transit subnets, private NATs, and black hole routes; and made huge progress on OpenTofu, including a release candidate that may become our first stable release. Also, one more reminder: Gruntwork will be closed for two weeks for the winter break. Happy holidays!
“Scale your Amazon Aurora clusters to millions of write transactions per second and manage petabytes of data. With this new capability, you can scale your relational database workloads on Aurora beyond the limits of a single Aurora writer instance without needing to create custom application logic or manage multiple databases.”
Erem Boto
Senior Software Engineer
AWS simplified authn and authz for EKS
AWS has made two improvements to authn and authz for EKS:
Simplified EKS cluster access. In the past, to control access to an EKS cluster, AWS required you to use a ConfigMap to map between IAM roles and EKS permissions, which was always a clunky and awkward experience. AWS has now launched a simpler way to manage access to your EKS clusters.
Simplified Pod IAM role access. AWS has also a feature called EKS Pod Identity which makes it easier to grant your EKS Pods access to IAM roles.
Gruntwork Alternatives
Gruntwork vs the competition, at a glance
Gruntwork vs doing it yourself (DIY)
Gruntwork vs Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)
Gruntwork vs open source modules (e.g. Ansible Galaxy, Terraform Module Registry, Puppet Forge, etc.)
Contract & Licensing
What's included with each Gruntwork user license?
What if I want to use the code with my own customers?
Gruntwork vs Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)
How can I modify your Terms of Service?
Pricing
What payment options do you accept?
Can I pay with AWS credits?
What's a user?
What if I want to cancel my Gruntwork Subscription?
What happens to my code if I cancel my subscription?
If I require product customization or consulting support, what options are provided?
Frequently Asked Questions
Is there a free trial?
Is a subscription required?
Can I purchase products individually?
What payment options do you accept?
What’s a user?
What’s included with each user license?
Can I modify your Terms of Service?
Security Docs
Security
Our Commitment
At Gruntwork, we understand the critical importance of security, both with respect to our customers’ information, as well as the infrastrucuture our customers build using our IaC library. Gruntwork is firmly committed to ensuring the security of its customers and users by protecting their information.
See below for a list of our security policies, or subscribe to our RSS feed or security mailing list to stay up to date on policy changes and security news.
Security Policies
Security Updates
Subscribe to our security mailing list. All Gruntwork subscribers receive notifications related to security releases, vulnerabilities, disclosures, and related security news via our mailing list. Subscribe to our security mailing list to receive these updates.
Get policy updates programmatically. Subscribe to our policy RSS feed to be notified when we release updates to our security policies. Note that you may need to cut and paste the RSS URL into your favorite RSS Feed Reader to monitor updates.
View recent policy updates. View changes to our legal and security policies. This is a human-friendly rendering of our RSS feed.
Report a Vulnerability
We accept vulnerability reports via security@gruntwork.io. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
We do not support PGP-encrypted emails. For particularly sensitive information, please reach out to support@gruntwork.io to discuss before sending over.
For more information, please see our Vulnerability Disclosure Policy.
Legal Docs
Terms of Service
This page outlines the terms of service and use of Gruntwork’s products and services.
It’s important to understand these Terms of Service, as they define your rights and our rights in our relationship. But legalese is not always easy to understand, so we’ve provided “plain English” summaries on the left side of the page to help you understand the official legal language on the right side of the page. Remember that we’re providing you these summaries for informational purposes only. Our actual Terms are the ones on the right under "Legalese" and will apply if we ever need to work through any issues.
Need to modify these terms?
See How can I modify these Terms of Service? in our FAQ.
General Terms
1. Updates
1.1: We might update these terms (e.g. when we introduce new services) and if we do, we’ll notify you in advance. If you disagree with the changes, you have the right to cancel your subscription per Section 5.2.
1.1. Revisions. We may revise these Terms from time-to-time. We will post the revised terms to our website (currently https://gruntwork.io/terms) (the “Website”) with a “last updated” date. We will also notify you in advance of any material updates to these Terms via email or through the Services. If you do not agree with an update, you have the right to reject the change by terminating these Terms in accordance with Section 5.2 below. IF YOU CONTINUE TO USE THE SERVICES AFTER THE REVISIONS TAKE EFFECT, YOU AGREE TO BE BOUND BY THE REVISED TERMS. You agree that we shall not be liable to you or to any third party for any modification of the Terms.
1.1. Revisions. We may revise these Terms from time-to-time. We will post the revised terms to our website (currently https://gruntwork.io/terms) (the “Website”) with a “last updated” date. We will also notify you in advance of any material updates to these Terms via email or through the Services. If you do not agree with an update, you have the right to reject the change by terminating these Terms in accordance with Section 5.2 below. IF YOU CONTINUE TO USE THE SERVICES AFTER THE REVISIONS TAKE EFFECT, YOU AGREE TO BE BOUND BY THE REVISED TERMS. You agree that we shall not be liable to you or to any third party for any modification of the Terms.
1.2: If we update the terms, we’ll email you, post the update to our Legal CHANGELOG, or let you know through some other means.
1.2. Notifying You of Updates. You agree to receive electronically all communications, agreements, and notices that we provide in connection with any Services (“Communications”), including by email, by posting them to our website or Platform, or through any other Services. You agree that all Communications that we provide to you electronically satisfy any legal requirement that such Communications be in writing and you agree to keep your account contact information current.
1.2. Notifying You of Updates. You agree to receive electronically all communications, agreements, and notices that we provide in connection with any Services (“Communications”), including by email, by posting them to our website or Platform, or through any other Services. You agree that all Communications that we provide to you electronically satisfy any legal requirement that such Communications be in writing and you agree to keep your account contact information current.
2. Authorized Users
2.1.1: Both you and your affiliates can use Gruntwork.An Authorized User is a human or machine user that accesses our private repos, training materials, or support services. Email support@gruntwork.io to add/remove users.
2.1.1. "Affiliate" means any person or entity owned or controlled by a party, owning or controlling a party, or under common ownership and control with a party, with “control” meaning the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract interest or otherwise. For purposes of these Terms, the term “Affiliate” does not include your investors or entities controlled by your investors that are not involved in your day-to-day business purpose.
CIS Repos — CIS Compliance gives you access to the CIS Repos and a license to use the CIS Modules (and the related submodules) in accordance with the License.
Automated Tests — The CIS Repos give you access to automated tests that will help you continue to validate compliance with the CIS Benchmark even if you choose to fork the CIS Modules and make customizations.
Updates — CIS Compliance provides you with access to all ongoing updates to the CIS Modules based on any new versions of the CIS Benchmark that are released by CIS.
2.1.1. "Affiliate" means any person or entity owned or controlled by a party, owning or controlling a party, or under common ownership and control with a party, with “control” meaning the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract interest or otherwise. For purposes of these Terms, the term “Affiliate” does not include your investors or entities controlled by your investors that are not involved in your day-to-day business purpose.
CIS Repos — CIS Compliance gives you access to the CIS Repos and a license to use the CIS Modules (and the related submodules) in accordance with the License.
Automated Tests — The CIS Repos give you access to automated tests that will help you continue to validate compliance with the CIS Benchmark even if you choose to fork the CIS Modules and make customizations.
Updates — CIS Compliance provides you with access to all ongoing updates to the CIS Modules based on any new versions of the CIS Benchmark that are released by CIS.
DevOps Foundations Pricing & Packaging
Team
$24,000 /yr20%
Enterprise
Exclusive Pricing
Exclusive Pricing
© 2024 Gruntwork