Sprintsail is an opinionated TypeScript IaC SDK. Declare your app — Function, Database, Bucket… — then sail deploy to AWS. When you're ready, sail migrate to a managed Kubernetes runtime you own — infrastructure, secrets, and data. Same handler code. Apache 2.0.
Five steps from npm install to a workload running on the runtime you choose. Same handler code, every step.
Add @sprintsail/sdk + @sprintsail/cli to your project. Node 20+. Apache 2.0. Nothing to license.
npm install @sprintsail/sdk @sprintsail/cliinfra.ts describes your app — Function, WebApp, Database, Secret, … Nine primitives, one mental model.
new WebApp(app, …)Bind resources to compute primitives. Your handler imports db from infra.ts and calls db.query(...). The runtime adapter wires it up.
bindings: { db, apiKey }One command provisions Lambda + ECS + RDS + S3 + … on AWS, or Knative + CNPG + MinIO + … on the Sprintsail Runtime. Idempotent.
sail deploy --yesWhen you're ready to leave your cloud, sail migrate moves the infra, secrets, and data to the new target. Handler code doesn't change.
sail migrate --from aws --to sprintsail-runtime
Each primitive is a stable contract — Database means "managed Postgres I can db.query(sql) against." Below: nine of those contracts, with the open-source resources they map to on each target.
Event-driven, scale-to-zero unit of compute. AWS Lambda. Knative Service on the runtime. Same handler code.
Queue consumer. AWS Lambda + SQS event-source mapping. In-process consume loop on the runtime — with dead-letter handling.
Scheduled handler. EventBridge + Lambda on AWS. Native Kubernetes CronJob on the runtime. Linux cron, EventBridge cron, or rate() all accepted.
Long-running HTTP server. ECS Express (Fargate) on AWS. Deployment + Service + Contour Ingress on the runtime. DB pools persist; no cold starts.
Request-driven HTTP. Lambda + API Gateway v2 on AWS. In-cluster gateway shim + Ingress on the runtime. Same event shape on both.
Managed Postgres. RDS on AWS. CloudNativePG on the runtime. db.query(sql) works identically on both.
Object store. S3 on AWS. MinIO on the runtime. S3-compatible API on both — your code uses @aws-sdk/client-s3 against either.
Durable message queue. SQS on AWS. RabbitMQ Cluster Operator on the runtime. queue.publish(msg) on both.
Encrypted credential. AWS Secrets Manager. sealed-secrets on the runtime (encrypted at rest). secret.value() on both.
Your code imports primitives from infra.ts and calls methods on them — db.query(), bucket.put(), secret.value(). The primitive contract is the stable boundary; everything below is the target's implementation detail.
This is exactly what makes sail migrate possible. Swap the target; the contract holds; the handler doesn't change.
await db.query(sql)Your codeEverything you do is one of these. Full reference in the docs.
Walks every primitive in infra.ts, provisions each (adopting existing where present), threads attributes to downstream bindings, then runs the deploy phase. Re-run anytime — it only rolls what changed.
# first time and every time$ sail deploy --yes[aws/database] creating orders-orders[aws/webapp] docker push 107…ecr…/orders-web✓ Deploy complete.
Reads source state, provisions equivalents on the destination, copies stateful data — RDS rows to CloudNativePG via in-cluster pg_dump | psql, Secrets Manager values into sealed-secrets, S3 to MinIO. Generates a cutover script.
# the killer workflow$ sail migrate \--from aws:us-east-1 \--to sprintsail-runtime:prod✓ Migration complete.
Each provider declares the primitives it supports and at what maturity (stable / alpha / planned). The output is the source of truth — it's what the docs' capability matrix mirrors.
# what works where$ sail target capabilities awsCOMPUTE — Function, Worker, CronJob…STORAGE — Database (RDS) · Bucket (S3)SECRETS — Secret (Secrets Manager)
Walks primitives in reverse and asks each provider to destroy. Non-empty buckets refuse to delete; databases schedule a 7-day recovery window on AWS; secrets are soft-deleted. State file removed on success.
# clean teardown$ sail destroy --target aws:us-east-1 --yes[aws/webapp] deletion scheduled[aws/database] deletion scheduled✓ Destroy complete.
SDK is TypeScript. Handler runtimes today: Node.js, Python. More land as adapters ship.
On the Sprintsail Runtime, every Secret is a SealedSecret CR encrypted with the cluster's sealing key (RSA-OAEP + AES-GCM, strict-scoped). On AWS, Secrets Manager with a 7-day soft-delete window. Same secret.value() on both.
Both targetsRuntime WebApps and APIs get a per-host certificate from cert-manager when a sail-issuer ClusterIssuer is present. Plain HTTP fallback otherwise. AWS ECS Express terminates HTTPS by default.
Both targetsA Worker's handler that throws republishes the failing message to <queue>.dlq with x-sail-error / x-sail-failed-at headers — preserving poison messages instead of dropping them. No infinite redelivery loop.
RuntimeThe runtime provider auto-opens the source RDS security group to the destination cluster's egress IP, fetches RDS creds from Secrets Manager, and runs an in-cluster pg_dump | psql Job. No host pg_dump, no manual coordination.
aws → runtimeSet SAIL_IMAGE_REGISTRY=<ecr-or-other> and the SDK builds linux/amd64 images, pushes to your registry, and the cluster pulls from there. Or skip the env var and load directly into kind for local dev.
RuntimeEvery primitive provision is adopt-on-exists. sail deploy can be re-run any time and only rolls what changed. sail migrate can be re-run if a step fails — the data copy is --clean --if-exists on the destination Postgres.
Both targetsThe SDK and CLI are open source under Apache 2.0 — you'll always be able to run your app on AWS in your own account, no Sprintsail account required. Sprintsail Runtime is the managed K8s tier; pricing scales with the cluster.
The whole IaC SDK, every primitive, both providers, the runtime adapters, the sail CLI. Forever free. No phone-home, no telemetry-by-default, no rugpull. Use it against your own AWS account today.
sail migrate end-to-end, including cross-provider DB
A managed Kubernetes runtime running the open-source operator stack — Knative, CloudNativePG, MinIO, RabbitMQ, sealed-secrets, Contour, cert-manager — so sail deploy --target sprintsail-runtime just works.
sail-issuer, Sprintsail Runtime image registryCandidates earn a Verified credential through a graded assessment, a lab, and a 45-minute SME session. Hire from a pool that's already proven.
Push source code, get a routed and TLS-secured app. Buildpacks under the hood. Built on Korifi (CNCF), operated by Orion.
cf push + org/space RBAC
Install. Declare. Deploy. sail migrate when you're ready to leave.