Forging modern infrastructure
ALPHA SOFTWARE WARNING
Forge is currently in alpha stage. While the architecture is solid and the CLI is functional, many providers use mock implementations for testing. This is perfect for:
- Testing the CLI and workflow
- Evaluating the architecture
- Providing feedback on the user experience
Not yet ready for production use. See Implementation Status for details.
Forge is a modern, agentless configuration management and infrastructure orchestration tool written in Go. It combines the best features of Terraform's plan/apply workflow, Ansible's agentless approach, and Puppet's resource model into a fast, typed, and secure platform.
Linux (x64)
curl -L -o forge https://github.com/ataiva-software/forge/releases/latest/download/forge-linux-amd64
chmod +x forge
sudo mv forge /usr/local/bin/Linux (ARM64)
curl -L -o forge https://github.com/ataiva-software/forge/releases/latest/download/forge-linux-arm64
chmod +x forge
sudo mv forge /usr/local/bin/macOS (Intel)
curl -L -o forge https://github.com/ataiva-software/forge/releases/latest/download/forge-darwin-amd64
chmod +x forge
sudo mv forge /usr/local/bin/macOS (Apple Silicon)
curl -L -o forge https://github.com/ataiva-software/forge/releases/latest/download/forge-darwin-arm64
chmod +x forge
sudo mv forge /usr/local/bin/Windows
Download the latest forge-windows-amd64.exe from the releases page and add to your PATH.
go install github.com/ataiva-software/forge@latestgit clone https://github.com/ataiva-software/forge.git
cd forge
go build -o forge ./cmd/forge/# Initialize a new project
forge init my-infrastructure
cd my-infrastructure
# Create a plan to see what will change
forge plan --module modules/webserver.yaml --inventory inventory/hosts.yaml
# Apply changes (dry run first)
forge apply --module modules/webserver.yaml --inventory inventory/hosts.yaml --dry-run
# Apply for real (with confirmation)
forge apply --module modules/webserver.yaml --inventory inventory/hosts.yaml# Initialize a new project
forge init <project-name>
# Create an execution plan
forge plan --module <module.yaml> [--inventory <inventory.yaml>]
# Apply changes to infrastructure
forge apply --module <module.yaml> [--inventory <inventory.yaml>] [--dry-run] [--auto-approve]
# Get help
forge --help
forge <command> --help# Plan changes for a module
forge plan --module examples/simple-file/module.yaml
# Apply changes with confirmation
forge apply --module examples/simple-file/module.yaml
# Dry run (show what would happen)
forge apply --module examples/simple-file/module.yaml --dry-run
# Auto-approve (skip confirmation)
forge apply --module examples/simple-file/module.yaml --auto-approve
# Use with inventory
forge plan --module webserver.yaml --inventory hosts.yaml┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Controller │ │ Inventory │ │ Targets │
│ │ │ │ │ │
│ • Compiler │◄──►│ • Static YAML │ │ • Linux/macOS │
│ • Planner │ │ • Cloud APIs │ │ • Windows │
│ • Executor │ │ • Labels/Facts │ │ • Containers │
│ • Policy Engine │ │ │ │ │
└─────────────────┘ └─────────────────┘ └─────────────────┘
│ ▲
│ SSH/WinRM/Cloud APIs │
└──────────────────────────────────────────────┘
Typed units of infrastructure state (packages, files, services, users, etc.)
apiVersion: ataiva.com/forge/v1
kind: Module
metadata:
name: webserver
version: 1.0.0
spec:
resources:
- type: pkg
name: nginx
state: present
- type: file
name: nginx-config
state: present
path: /etc/nginx/nginx.conf
content: |
server {
listen 80;
root /var/www/html;
}
mode: "0644"
- type: service
name: nginx
state: running
enabled: trueDynamic and static target discovery
# inventory/hosts.yaml
targets:
webservers:
selector: "role=web,env=prod"
connection:
type: ssh
user: ubuntu
key: ~/.ssh/id_rsa
databases:
hosts:
- db1.example.com
- db2.example.com
connection:
type: ssh
user: admin
key: ~/.ssh/id_rsaDeterministic change previews
$ forge plan --inventory inventory/hosts.yaml --module webserver.yaml
Plan: 3 to add, 1 to change, 0 to destroy
+ pkg.nginx
(will be created)
~ file.nginx-config
(will be updated)
path: /etc/nginx/nginx.conf
+ service.nginx
(will be created)
state: stopped → running
enabled: false → true- Basic CLI structure - Full command-line interface
- Resource type system - Strongly typed resource definitions
- SSH connection management - Secure remote execution
- Core providers - All 5 providers implemented and tested
- File Provider - Files, directories, templates, permissions
- Package Provider - Cross-platform package management
- Service Provider - System service lifecycle management
- User Provider - User and group management
- Shell Provider - Command execution with guardrails
- Module system and registry - YAML-based configuration
- Plan/apply workflow - Terraform-style preview and execution
- Static inventory support - Host and group management
- Basic templating - Go template engine integration
- Dynamic inventory - Pluggable inventory providers with AWS support
- Parallel execution engine - Dependency-aware concurrent execution
- Dependency resolution - Automatic dependency graph creation
- Error handling and rollback - Automatic failure recovery with retry logic
- Real SSH integration - Production-ready SSH connection management
- WinRM integration - Windows remote management support
- Drift detection scheduling - Continuous monitoring with configurable intervals
- Event system and notifications - Real-time status updates with multiple channels
- Web UI dashboard - Visual management interface
- Policy engine - Built-in policy evaluation with Rego-style rules
- Audit logging and trails - Comprehensive audit logging with rotation
- RBAC and multi-tenancy - Role-based access control with user management
- Secrets management integration - Vault, AWS Secrets Manager integration
- Compliance modules (CIS, NIST, STIG) - Pre-built compliance policies
- Approval workflows - Multi-stage approval processes
- Kubernetes provider - Container orchestration support
- Cloud provider integrations - Azure VM discovery
- Monitoring and observability - Prometheus metrics and monitoring
- WASM provider SDK - WebAssembly provider extensions
- Supply chain security (cosign, SLSA) - Signed modules and provenance
- High availability controller - Distributed controller architecture
- Enterprise features (SAML, SCIM) - Enterprise authentication
- Terraform integration
- GitOps workflows
- CI/CD pipeline integration
- Monitoring and observability
- SaaS offering (Forge Cloud)
- Go 1.21+
- Make
- Docker (for testing)
make buildmake test
make test-integrationWe use Test-Driven Development (TDD):
- Write failing tests first
- Implement minimal code to pass
- Refactor and improve
- Repeat
See CONTRIBUTING.md for detailed guidelines.
- file: File and directory management with templating
- pkg: Package management (apt, yum, dnf, zypper, brew, choco)
- service: System service management (systemd, init)
- user: User and group management with full configuration
- shell: Command execution with conditional logic and guardrails
- aws: EC2, SSM, tags, metadata
- azure: VM metadata, tags
- gcp: Compute metadata, tags
- kubernetes: Deployments, ConfigMaps, Secrets
- database: PostgreSQL, MySQL user/schema management
- network: Routes, firewall rules, DNS
apiVersion: ataiva.com/forge/v1
kind: Module
metadata:
name: simple-file
spec:
resources:
- type: file
name: hello-file
state: present
path: /tmp/hello.txt
content: "Hello from Forge!"
mode: "0644"apiVersion: ataiva.com/forge/v1
kind: Module
metadata:
name: user-management
spec:
resources:
# Install development tools
- type: pkg
name: git
state: present
# Create user
- type: user
name: devuser
state: present
# Create home directory
- type: file
name: devuser-home
state: present
path: /home/devuser
file_type: directory
mode: "0755"
owner: devuser
# Configure shell
- type: file
name: devuser-bashrc
state: present
path: /home/devuser/.bashrc
content: |
alias ll='ls -alF'
export EDITOR=vim
mode: "0644"
owner: devuser
# Setup workspace
- type: shell
name: create-workspace
command: mkdir -p /home/devuser/workspace
creates: /home/devuser/workspace- Concurrent execution: Parallel SSH connections with dependency resolution
- Efficient planning: Incremental graph computation
- Minimal footprint: Single binary, no runtime dependencies
- Fast startup: Sub-second initialization
- Smart caching: Resource state caching for performance
- mTLS: All communication encrypted with mutual TLS
- RBAC: Role-based access control (planned)
- Audit: Immutable audit trails (planned)
- Secrets: Integration with Vault, AWS Secrets Manager, etc. (planned)
- Supply Chain: Signed modules and provenance tracking (planned)
MIT License - see LICENSE file for details.
- Website: ataiva.com
- GitHub: github.com/ataiva-software/forge
- Discussions: GitHub Discussions
- Issues: GitHub Issues
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
- Check the roadmap - See what's planned
- Create an issue - Discuss your idea first
- Follow TDD - Write tests first, then implement
- Submit a PR - Include tests and documentation
- Real provider implementations - Replace mock implementations with actual SSH/WinRM operations
- Error handling - Robust error handling and recovery
- Cloud integrations - Additional cloud providers (GCP, DigitalOcean, etc.)
- Documentation - More examples and tutorials
Forge follows semantic versioning. Alpha releases are available for testing:
- v0.1.0-alpha - Initial alpha release with core functionality
- Check releases page for latest versions
- Alpha (Current) - Core functionality, mock implementations
- Beta (Q1 2024) - Real provider implementations, production testing
- v1.0 (Q2 2024) - Production ready, full feature set
Forge learns from and builds upon the excellent work of:
- Terraform (HashiCorp)
- Ansible (Red Hat)
- Puppet (Puppet Inc.)
- Chef (Progress Software)
- SaltStack (VMware)
"The best way to predict the future is to invent it." - Alan Kay