
Cloudwright: natural-language cloud architecture

  • ai
  • infrastructure
  • case-study

Cloudwright is a tool that takes a one-line description of an application and outputs a working Terraform module, a monthly cost estimate, and a compliance gap report. You write something like “a Postgres-backed Next.js app with Redis caching on AWS” and it produces the infrastructure code, the bill, and the list of controls you’ll have to address before you can claim a SOC 2, HIPAA, or FedRAMP baseline.

Why this exists

Most cloud architecture happens by tribal knowledge. Someone on the team has built three of these before, copies the closest match from a previous repo, and tweaks. The cost shows up at the end of the first billing cycle. The compliance gaps show up six months later when an auditor asks. By then the redesign is expensive: production data is in the wrong place, IAM is wired into application code, the wrong service was picked for a workload that turned out to be latency-sensitive.

Cloudwright’s value is that the cost and compliance signals show up at design time, before the infrastructure ships, when a redesign costs hours instead of weeks.

What it generates

For a typical web application target, the output covers:

  • Terraform HCL for the AWS resources: VPC with public and private subnets across two availability zones, RDS Postgres with storage encryption enabled, ElastiCache Redis, an application load balancer, ECS task definitions (EC2 or Fargate launch type), IAM roles scoped to least privilege, and the security groups that connect them.
  • A cost line-item table priced against current AWS list prices, broken out by service, with notes on which line items scale with traffic versus baseline.
  • A control-by-control compliance gap matrix. For SOC 2 it walks through the trust services criteria. For HIPAA it covers the technical safeguards. For FedRAMP it lists the moderate-baseline controls. Each row has the control, the current state of the generated module, and what’s still required (encryption key rotation policies, logging retention windows, audit trail destinations).
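To make the shape of the gap matrix concrete, here is an added example of the kind of check that produces one. It is illustrative code written for this page, not Cloudwright’s implementation: it reads the JSON that `terraform show -json` emits for a plan, runs a handful of per-resource predicates (RDS encryption at rest, KMS key rotation, Redis encryption in transit, log retention), flags resource types whose absence is itself a gap (no CloudTrail means no audit trail destination), and returns one row per control and resource with the current state and what is still required. The plan JSON, the 365-day retention floor, and the NIST SP 800-53 control labels used as row headings are all constructed assumptions for the example.

```python
"""Compliance gap matrix over a Terraform plan (illustrative, not Cloudwright's code)."""
import json

# Constructed sample in the shape of `terraform show -json plan.out`, trimmed
# to the attributes the checks below read. Not Cloudwright output.
SAMPLE_PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "values": {"storage_encrypted": True,
                    "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/example"}},
        {"address": "aws_kms_key.db", "type": "aws_kms_key",
         "values": {"enable_key_rotation": False}},
        {"address": "aws_cloudwatch_log_group.app", "type": "aws_cloudwatch_log_group",
         "values": {"retention_in_days": 30}},
        {"address": "aws_elasticache_replication_group.cache",
         "type": "aws_elasticache_replication_group",
         "values": {"at_rest_encryption_enabled": True, "transit_encryption_enabled": False}},
    ]}}
})

# Policy floor for log retention. Assumption for this example; the real value
# comes from the framework baseline and the auditor's interpretation.
MIN_LOG_RETENTION_DAYS = 365


def retention_ok(values):
    """Terraform encodes 'never expire' as retention_in_days = 0 (the default when
    the attribute is unset), so 0/None satisfies a retention floor."""
    days = values.get("retention_in_days")
    return days in (None, 0) or days >= MIN_LOG_RETENTION_DAYS


# Per-resource checks: (control label, resource type, predicate, what is still required).
# Control labels are illustrative mappings to NIST SP 800-53 IDs, not Cloudwright's matrix.
RESOURCE_CHECKS = [
    ("SC-28 encryption at rest (RDS)", "aws_db_instance",
     lambda v: v.get("storage_encrypted") is True,
     "set storage_encrypted = true and reference a customer-managed kms_key_id"),
    ("SC-12 key rotation (KMS)", "aws_kms_key",
     lambda v: v.get("enable_key_rotation") is True,
     "set enable_key_rotation = true"),
    ("SC-8 encryption in transit (Redis)", "aws_elasticache_replication_group",
     lambda v: v.get("transit_encryption_enabled") is True,
     "set transit_encryption_enabled = true and require TLS from clients"),
    ("AU-11 log retention (CloudWatch)", "aws_cloudwatch_log_group",
     retention_ok,
     f"set retention_in_days >= {MIN_LOG_RETENTION_DAYS} or export to an archive bucket"),
]

# Resource types whose absence is a gap: with no trail there is no audit destination.
REQUIRED_RESOURCES = {
    "aws_cloudtrail": ("AU-2/AU-12 audit trail destination",
                       "add an aws_cloudtrail (multi-region) writing to a locked S3 bucket"),
}


def load_resources(plan_json):
    """Flatten root and child module resources from `terraform show -json` output."""
    def walk(module):
        yield from module.get("resources", [])
        for child in module.get("child_modules", []):
            yield from walk(child)
    return list(walk(json.loads(plan_json)["planned_values"]["root_module"]))


def gap_matrix(plan_json):
    """One row per (control, resource): control, address, pass/gap, required action."""
    resources = load_resources(plan_json)
    rows = []
    for control, rtype, predicate, required in RESOURCE_CHECKS:
        for res in (r for r in resources if r["type"] == rtype):
            ok = predicate(res.get("values") or {})
            rows.append({"control": control, "resource": res["address"],
                         "state": "pass" if ok else "gap",
                         "required": "" if ok else required})
    present = {r["type"] for r in resources}
    for rtype, (control, required) in REQUIRED_RESOURCES.items():
        if rtype not in present:
            rows.append({"control": control, "resource": f"(no {rtype} in plan)",
                         "state": "gap", "required": required})
    return rows


def gaps(plan_json):
    """Only the rows that still need work before a baseline can be claimed."""
    return [r for r in gap_matrix(plan_json) if r["state"] == "gap"]


if __name__ == "__main__":
    for row in gap_matrix(SAMPLE_PLAN_JSON):
        print(f"{row['state']:4}  {row['control']:36}  {row['resource']}")
        if row["required"]:
            print(f"      -> {row['required']}")
```

Running it against the constructed plan passes the RDS encryption row and reports four gaps: the KMS key without rotation, Redis without TLS, a 30-day log group under the assumed floor, and the missing CloudTrail. The point of the absent-resource check is that a matrix built only by iterating over what the module declares can never notice what it forgot to declare.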

Where it sits

This is not a replacement for a platform team. A real platform engineer will catch things that a code generator cannot: organizational nuance, tenancy decisions, the specific compliance interpretation your auditor uses. Cloudwright is a fast first draft for solo founders, small teams, and engineers who don’t have a platform team yet but need to ship something defensible.

The repo is at github.com/xmpuspus/cloudwright.