April 2, 2026 · Anton Grishko
You own the IaC. You own the infra.
On the difference between a managed PaaS and a managed service. Why the eject path matters more than any feature.
TL;DR — Most managed platforms hold your state files and your abstractions. Kuberly writes every line of OpenTofu + Terragrunt into your Git repo and stores state in your S3 bucket. Revoke our IAM role and we are gone — the Kubernetes cluster keeps running.
The lock-in question
Every managed platform sits somewhere on a spectrum:
- Black-box PaaS — Heroku, Vercel, Render. Push code, get a URL. Easy to start. Ejecting means rebuilding from scratch.
- Managed wrapper — vendor-controlled state files, vendor-controlled abstractions, vendor-controlled escape velocity.
- Customer-owned IaC — the platform writes standard infrastructure code into your repo. You read it. You can leave with it.
Kuberly is the third one. By design.
What that looks like in practice
The full OpenTofu + Terragrunt stack lands in your GitHub or Bitbucket repository on day one — GitLab support is coming. No proprietary DSL. No bespoke abstractions. Anyone who has worked with OpenTofu, Terragrunt, and Kubernetes can read it. The Terragrunt-specific reasoning is in Why we ship Terragrunt, not raw Terraform.
your-stack/
├── live/
│   ├── prod/
│   │   ├── eks/
│   │   ├── vpc/
│   │   ├── observability/
│   │   └── workloads/
│   └── staging/
└── modules/
    ├── eks/
    ├── ecs-fargate/
    ├── lambda-vpc/
    └── bedrock-agentcore/
Branch it. Fork it. Audit it. Bring your own reviewers. We commit on PRs and the autopilot applies on merge. You see every change before it ships — that flow is described in DevOps on autopilot.
The eject scenario
Cancel Kuberly. What happens?
- The cluster keeps running. We don't touch it.
- The OpenTofu + Terragrunt code is yours. It already lives in your repo.
- The state files are yours. They live in S3 in your AWS account.
- The cloud account is yours. We have a scoped, cross-account IAM role that you can revoke.
- Application data, logs, traces, secrets — all in your AWS account. We never had a copy.
Revoke the IAM role. Cluster keeps running. We're gone. No migration project.
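One way to confirm what "revoke the IAM role" actually removes, as an added example that is not Kuberly's code: the function below lists every statement in a role's trust policy that lets a principal outside your own account assume the role. The sample policy, account IDs, Sids and role name are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

OWN_ACCOUNT = "111111111111"  # placeholder: your AWS account ID

# Constructed trust policy (not a real Kuberly role); account IDs and Sids are placeholders.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "InternalBreakGlass", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/platform-admin"},
     "Action": "sts:AssumeRole"},
    {"Sid": "VendorAutopilot", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": ["sts:AssumeRole", "sts:TagSession"]}
  ]
}
""")

def _as_list(value):
    # IAM allows a single value or a list in Statement, Action and Principal.
    return value if isinstance(value, list) else [value]

def principal_account(principal):
    """Account ID from a bare 12-digit ID or an ARN; None if it cannot be determined."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 5 and parts[0] == "arn" and parts[4] else None

def external_grants(policy, own_account):
    """Return (Sid, principal) for every Allow statement that lets a principal
    outside own_account assume the role. Unresolvable principals are flagged too."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        # IAM action names are case-insensitive and may contain wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        findings += [(stmt.get("Sid"), p) for p in aws
                     if principal_account(p) != own_account]
    return findings

if __name__ == "__main__":
    for sid, who in external_grants(SAMPLE_TRUST_POLICY, OWN_ACCOUNT):
        print(f"external principal can assume this role: {who} (statement {sid})")
```

Feed it the `AssumeRolePolicyDocument` returned by `aws iam get-role` for each role in the account; after the eject, the list should be empty.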
Why this matters more than features
The defensible business question is not "can we ship this faster than Northflank?" — it's "what happens to the customer if we go away?"
Northflank, Qovery, Porter, and most others are PaaS-shaped: they hold the state. Walking away means a migration project. We made a deliberate choice to be the opposite. The autopilot does the work. The customer keeps the artifacts.
That's the only contract that scales.
Further reading
- OpenTofu manifesto — why an open fork of Terraform matters.
- Terragrunt state management — DRY remote-state primer.
- AWS IAM cross-account roles — the access model we use.
- Vendor lock-in (Wikipedia) — the failure mode we designed away.
- GitOps principles — why Git is the system of record.
- Why we ship Terragrunt, not raw Terraform — the stack you inherit.
- DevOps on autopilot — what the autopilot does on top of the repo.
If the eject path matters to you, talk to us — we built the contract around it.