Talk to Your Cloud: Why We're Open-Sourcing the AWS Orchestrator Agent

April 7, 2026 · 8 min read

Open-Source Multi-Agentic DevOps Platform

We've all been there. It's 2:00 AM, you're staring at a terminal, and you just ran terraform plan. Your heart sinks as the screen flashes:

Plan: 0 to add, 0 to change, 8 to destroy.

You double-check every line of HCL, praying a small subnet change didn't just decide to recreate your entire production database. This is the "Toil Gap" of modern cloud operations—we spend roughly 30% of our IT budgets on cloud, yet we waste a massive chunk of that on idle resources, manual configuration errors, and tribal knowledge trapped in the heads of two senior engineers who are always on vacation when you need them.

Today, we're releasing the AWS Orchestrator Agent as open source. It's not a chatbot that hallucinates half-working scripts. It's a multi-agent framework, built on LangGraph, that researches live provider schemas, enforces security compliance, generates production-grade Terraform, validates it in a sandbox, and ships it to GitHub—all from a single natural language prompt.

The Problem: Cloud Complexity Has Outgrown Human Bandwidth

For years, we've been the "mechanics" of the cloud—writing every line of HCL by hand, managing state file locks, and hunting down cryptic IAM permission errors that somehow only surface at 3 AM on a Friday.

The uncomfortable truth? Our cloud environments have become more complex than any one engineer can reliably manage. A single "simple" S3 bucket today requires versioning configuration, KMS encryption setup, public access blocks, lifecycle policies, logging, and tagging—easily 200+ lines of Terraform before you even think about variables and outputs. Multiply that across VPCs, RDS clusters, EKS node groups, and Lambda functions, and you start to see why infrastructure teams are perpetually underwater.

We built the AWS Orchestrator Agent because we believe the industry is ready for a fundamental shift: from writing infrastructure code to orchestrating infrastructure intent.

What Makes This Different: The "Deep Agent" Architecture

Most AI coding tools follow a simple pattern: take a prompt, generate code, hope for the best. The AWS Orchestrator doesn't work that way. It uses a Deep Agent architecture—a multi-stage pipeline where specialized sub-agents each own a narrow slice of the problem.

Here's what actually happens when you type "Create an S3 bucket with versioning and KMS encryption":

Phase 1: Research Before Writing

A dedicated Requirements Analyser agent doesn't guess what attributes an S3 bucket needs based on stale training data. Instead, it queries the live Terraform Registry through the Model Context Protocol (MCP) to fetch the latest AWS provider schemas, version constraints, and required inputs. Think of MCP as the "hands" that let the LLM "brain" reach out and touch real-world data sources in real time.

A separate Security & Best Practices agent then cross-references your request against SOC 2 and HIPAA compliance patterns—enforcing rules like "always use server-side encryption with KMS" and "never allow public access by default" before a single line of HCL is generated.

Phase 2: Deterministic Code Generation

The planning phase produces a structured SKILL.md blueprint—essentially a contract that the code generator must follow. This eliminates the randomness problem. The tf-generator agent doesn't freestyle; it writes main.tf, variables.tf, outputs.tf, and versions.tf according to strict, hardcoded rules:

Never hardcode values. ARNs, regions, and IPs are always abstracted into variables.
Enforce merge tagging. Every resource uses tags = merge({"Name" = var.name}, var.tags).
Pin provider versions. Breaking API updates don't silently destroy your infrastructure.
Guard with conditionals. Resources use count or for_each with boolean gates for flexible composition.

Phase 3: The Agent Tests Its Own Code

This is the part that changes everything. The Orchestrator doesn't just generate code and hand it to you with a "good luck." It runs an internal evaluation loop:

Generated code is flushed to a physical sandbox via sync_workspace_to_disk().
The tf-validator agent executes terraform init, terraform fmt, and terraform validate.
If errors appear, the raw stderr is injected back into the graph state, and the generator rewrites the code automatically.
This loop continues until validation passes 100%.

The validator acts as an un-bribeable code reviewer that catches every missing provider block, every invalid argument, and every syntax error—before you ever see a Pull Request.

Phase 4: Human-Approved Delivery

Validated code hits a Human-in-the-Loop (HITL) gate. Nothing gets committed without your explicit approval. Upon approval, a JIT (Just-in-Time) GitHub agent uses the GitHub MCP Server to push code directly via API endpoints—no brittle git clone or git add shell commands that break in containerized environments.

The entire workflow follows a strict Propose → Approve → Ship philosophy. The agent is proactive, but never cowboy.

Try It in 60 Seconds

You don't need to clone anything. Just create two files and run one command:

.env

GOOGLE_API_KEY=your_google_api_key
GITHUB_PERSONAL_ACCESS_TOKEN=your_github_pat
TERRAFORM_WORKSPACE=./workspace/terraform_modules

docker-compose.yml

services:
  aws-orchestrator:
    image: sandeep2014/aws-orchestrator-agent:latest
    ports:
      - "10102:10102"
    env_file: .env
    volumes:
      - ./workspace:/app/workspace
    restart: unless-stopped

  talkops-ui:
    image: talkopsai/talkops:latest
    environment:
      - TALKOPS_AWS_ORCHESTRATOR_URL=http://aws-orchestrator:10102
    ports:
      - "8080:80"
    depends_on:
      - aws-orchestrator
    restart: unless-stopped

docker compose up -d
# Open http://localhost:8080 and start talking to your cloud.

The system uses a Three-Tier LLM Architecture—fast models for validation routing, mid-tier models for planning, and high-context models for deep code generation. It ships configured for Google Gemini, but swapping to OpenAI or Anthropic is a one-line .env change. Check the full configuration guide for details.

Addressing the Elephant in the Room: Trust

"I wouldn't give a new hire root access on day one, so why would I trust a bot?"

Fair. Here's how we think about it:

The agent generates code. It never runs terraform apply. Your existing CI/CD pipeline and approval process remain the final gate.
Every decision is observable. Through our A2UI streaming protocol, you watch the agent's reasoning in real time—tool calls, security checks, validation results—not a black box.
HITL gates are mandatory, not optional. The agent literally pauses execution and asks for human approval before any code leaves the sandbox.
It's open source. You can audit every prompt, every tool binding, and every routing decision in the source code.

We're not asking you to blindly trust AI with your infrastructure. We're asking you to let it do the research, write the first draft, and validate it—while you retain full veto power.

The Landscape: How Teams Write Terraform Today

The Agentic DevOps space is heating up. If you're evaluating how your team produces infrastructure code, here's how the current approaches stack up:

Approach	Example	Trade-off
Write it by hand	Engineers + HashiCorp docs	Full control, but slow and error-prone at scale
General-purpose AI copilots	GitHub Copilot, Amazon Q Developer	Fast autocomplete, but no validation—it generates code and hopes for the best
Cloud-native generators	AWS CDK, Pulumi	Strong typing and loops, but you're learning a new framework, not writing HCL
Purpose-built deep agents	TalkOps AWS Orchestrator	Researches live schemas, generates, self-validates, and ships—with human approval at every gate

The key differentiator for us is the evaluation loop. Most tools in this space generate code and stop. The AWS Orchestrator generates, validates, self-corrects, and only then asks for approval. That closed feedback loop is what transforms "AI-assisted" into "AI-reliable."

What's Next

This is just the beginning. Here's what's on the roadmap:

Azure and GCP Orchestrators — The Deep Agent pattern is provider-agnostic. AWS is first, but the same architecture will extend to multi-cloud.
Terraform State Import — Teaching the agent to understand and work with existing infrastructure, not just greenfield deployments.
Cross-Agent Collaboration via A2A — The AWS Orchestrator can already talk to other TalkOps agents (like the CI-Copilot) over the Agent-to-Agent protocol. We're building more composable workflows where agents delegate to each other autonomously.

Get Involved

The cloud is getting bigger, but your team doesn't have to stay underwater. We built this in public because we believe the best infrastructure tools are the ones you can audit, extend, and trust.

⭐ Star the repo to follow releases
📖 Read the docs for the full architecture deep-dive
💬 Join our Discord to talk shop about multi-agent systems
🐛 Open an issue if something breaks

It might be time to stop writing Terraform and start talking to your infrastructure.

The Problem: Cloud Complexity Has Outgrown Human Bandwidth​

What Makes This Different: The "Deep Agent" Architecture​

Phase 1: Research Before Writing​

Phase 2: Deterministic Code Generation​

Phase 3: The Agent Tests Its Own Code​

Phase 4: Human-Approved Delivery​

Try It in 60 Seconds​

Addressing the Elephant in the Room: Trust​

The Landscape: How Teams Write Terraform Today​

What's Next​

Get Involved​