Infrastructure as Code, Reimagined
A standalone IaC engine that parses your .tf files natively and talks directly to Terraform providers via gRPC. No terraform binary. No baggage.
Apache-2.0 · Written in Rust · Built by ops0.com
──WATCH IT RUN
13 resources across VPC, S3, EC2 — independent branches execute in parallel, dependents fire the instant their deps complete.
──FEATURES
Better Building Blocks=Better Infrastructure
Built from the ground up in Rust for speed, correctness, and a developer experience that stays out of your way.
Native HCL Parsing
Reads your existing .tf files directly with hcl-rs. No wrapper, no transpilation. Your Terraform configs work out of the box.
Event-Driven Parallelism
Resources start the instant their dependencies complete. No wave-based batching -- every millisecond counts.
Direct gRPC to Providers
Communicates directly with AWS, GCP, Azure, and every Terraform provider via the tfplugin5/6 protocol.
SQL-Queryable State
State lives in SQLite (or PostgreSQL for teams). Query your infrastructure with full SQL instead of parsing JSON.
Drift Detection
Run oxid drift to instantly detect configuration drift across your entire infrastructure. Know before it breaks.
Import Existing State
Migrate from Terraform seamlessly. Import your .tfstate files and keep going without missing a beat.
Blast Radius Analysis
See exactly what breaks before you touch anything. Walks the dependency graph to show every affected resource — grouped by depth, with severity ratings and type summaries.
Encrypted Sensitive Outputs
Sensitive outputs are AES-256 encrypted at rest with pgcrypto. Key auto-derived from your database URL — zero config, transparent decryption on read.
Terraform State Sync
Run oxid sync to pull the latest state from Terraform's remote backend into your local database. Stay in sync without re-importing.
──BLAST RADIUS
Know the Impact Before You Change
See exactly which resources are affected by a change. Forward mode shows downstream dependents. Reverse mode (--why) shows upstream dependencies. No provider calls needed — pure graph analysis.
$ oxid blast-radius aws_vpc.main
💥 Blast radius for aws_vpc.main
Severity: HIGH (32 resources, 3 levels deep)
Types: 4 aws_subnet, 3 aws_route_table, 2 aws_nat_gateway, 1 aws_eks_cluster,
1 aws_eks_node_group, 1 aws_internet_gateway, 1 aws_security_group,
2 aws_eip, 4 aws_route_table_association, 13 output
▸ Depth 1 — direct dependent (10 resources):
~ aws_internet_gateway.main
~ aws_route_table.private[0]
~ aws_route_table.private[1]
~ aws_route_table.public
~ aws_security_group.eks_cluster
~ aws_subnet.private[0]
~ aws_subnet.private[1]
~ aws_subnet.public[0]
~ aws_subnet.public[1]
~ vpc_id (output)
▸ Depth 2 — transitive dependent (12 resources):
~ aws_eip.nat[0]
~ aws_eip.nat[1]
~ aws_eks_cluster.main
~ aws_eks_node_group.main
~ aws_nat_gateway.main[0]
~ aws_nat_gateway.main[1]
~ aws_route_table_association.private[0]
~ aws_route_table_association.private[1]
~ aws_route_table_association.public[0]
~ aws_route_table_association.public[1]
~ private_subnet_ids (output)
~ public_subnet_ids (output)
▸ Depth 3 — transitive dependent (10 resources):
~ cluster_certificate_authority_data (output)
~ cluster_endpoint (output)
~ cluster_id (output)
~ cluster_name (output)
~ cluster_security_group_id (output)
~ cluster_version (output)
~ configure_kubectl (output)
~ node_group_arn (output)
~ node_group_id (output)
~ node_group_status (output)
⚠ Changing aws_vpc.main may affect 32 other resource(s) across 3 level(s).$ oxid blast-radius aws_eks_node_group.main --why
🔍 Dependencies of aws_eks_node_group.main
14 upstream dependencies, 2 levels deep
Types: 1 aws_eks_cluster, 2 aws_iam_role, 5 aws_iam_role_policy_attachment,
1 aws_security_group, 4 aws_subnet, 1 aws_vpc
▸ Depth 1 — direct dependency (7 resources):
~ aws_eks_cluster.main
~ aws_iam_role.eks_node_group
~ aws_iam_role_policy_attachment.eks_cni_policy
~ aws_iam_role_policy_attachment.eks_container_registry_policy
~ aws_iam_role_policy_attachment.eks_worker_node_policy
~ aws_subnet.private[0]
~ aws_subnet.private[1]
▸ Depth 2 — transitive dependency (7 resources):
~ aws_iam_role.eks_cluster
~ aws_iam_role_policy_attachment.eks_cluster_policy
~ aws_iam_role_policy_attachment.eks_vpc_resource_controller
~ aws_security_group.eks_cluster
~ aws_subnet.public[0]
~ aws_subnet.public[1]
~ aws_vpc.main
ℹ aws_eks_node_group.main depends on 14 upstream resource(s).Blast Radius Commands
oxid blast-radius aws_vpc.main─Downstream impact of changing a resourceoxid blast-radius aws_eks_cluster.main --why─Upstream dependencies — why does this exist?oxid blast-radius --plan─Auto-detect from plan — blast radius for every changed resourceoxid blast-radius aws_vpc.main --state─Filter to only deployed resources in state──PERFORMANCE
Wave-Based vs Event-Driven Execution
Both tools walk the dependency graph in parallel. Terraform batches resources into synchronized waves — the next wave waits for the entire previous wave to finish. Oxid fires each resource the instant its specific dependencies are satisfied. No idle gaps.
Terraform
Oxid
Honest take: For small configs, both tools spend 90% of the time waiting on cloud APIs — timings are nearly identical. The gap widens on deeper dependency chains, larger infra, and higher parallelism settings.
──STATE INSPECTION
Query Your State Like a Database
Terraform dumps everything. Oxid stores state in SQLite/PostgreSQL — query exactly what you need with SQL.
Why SQL? Oxid stores every resource in a real database (SQLite locally, PostgreSQL for teams). Filter by type, status, module — join across resources. No more piping terraform show through grep and jq.
──COMPARE
How Oxid Stacks Up
Architectural differences that make Oxid faster and more transparent.
| Feature | Terraform / OpenTofu | Oxid |
|---|---|---|
| Execution Model | Wave-based (batch) | Event-driven per-resource |
| Parallelism | Resources in same wave wait for slowest | Dependents start instantly when deps complete |
| State Backend | JSON file or remote backend | SQLite (local) / PostgreSQL (teams) |
| Config Language | HCL only | HCL + YAML |
| Provider Protocol | Wraps binary / shared lib | Direct gRPC (tfplugin5/6) |
| Queryable State | terraform show | Full SQL queries |
| License | BSL / MPL | Apache-2.0 |
──PIPELINE
How it Works
From HCL parsing to state persistence, every step is designed for speed and transparency.
Parse
Reads .tf files using hcl-rs, extracting resources, data sources, variables, outputs, and providers.
Build DAG
Constructs a dependency graph from explicit depends_on and implicit expression references.
Start Providers
Downloads provider binaries from registry.terraform.io, starts them as subprocesses, connects via gRPC.
Plan
Calls PlanResourceChange on each provider to compute diffs, showing you exactly what will change.
Apply
Event-driven DAG walker executes resources as dependencies are satisfied, calling ApplyResourceChange via gRPC.
Store State
Persists resource attributes to SQLite database, queryable with full SQL at any time.
──ARCHITECTURE
A Clean Pipeline from Config to Cloud
──QUICK START
Up and Running in Seconds
Works on Linux and macOS. No dependencies required.
curl -fsSL https://raw.githubusercontent.com/ops0-ai/oxid/main/install.sh | bash
oxid init
oxid plan
oxid apply
More Commands
oxid destroy─Tear down infrastructureoxid state list─List all managed resourcesoxid drift─Detect configuration driftoxid query "SELECT * FROM resources"─SQL-query your stateoxid graph | dot -Tpng -o g.png─Visualize the dependency DAGoxid blast-radius aws_vpc.main─Assess downstream impact of a changeoxid blast-radius aws_eks_cluster.main --why─Show upstream dependenciesoxid blast-radius --plan─Blast radius for all planned changesoxid output --json─Show outputs in Terraform-compatible JSONoxid sync─Sync state from Terraform remote backend──OPEN SOURCE
Ready to Drop the Baggage?
Oxid is free and open source. Start managing your infrastructure with a faster, more transparent engine.