FAQ & Troubleshooting

ops0 supports AWS, Google Cloud Platform (GCP), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). You can connect multiple accounts from each provider and manage them all from one interface.

ops0 supports Terraform, OpenTofu, and Oxid for infrastructure provisioning, with Pulumi and CloudFormation support upcoming. For configuration management, we support Ansible, Chef, and Puppet.

Yes. Connect your existing GitHub or GitLab repository and ops0 syncs your IaC files (Terraform, OpenTofu, Oxid, etc.) automatically with two-way sync. Your existing code, modules, providers, and state work without modification. You can also use Discovery to scan existing cloud resources and generate IaC code automatically.

Yes. ops0 supports both GitHub and GitLab for repository sync, including self-hosted GitLab instances. You can sync IaC projects, create merge requests, and manage branches. See the GitLab integration docs.

Yes. ops0 compares live cloud infrastructure against your IaC state to detect out-of-band changes across AWS, GCP, and Azure. See Drift Detection for details.

Yes. Cost estimation works across AWS, GCP, Azure, and Oracle Cloud. ops0 queries real-time pricing APIs and shows estimated monthly costs before you deploy. See Cost Estimation.

Yes. ops0 offers SaaS, single-tenant, and self-hosted deployment options. Self-hosted and single-tenant are available for Enterprise customers with full data sovereignty and air-gapped environment support. See Architecture for details.

ops0 uses OPA/Rego for IaC and configuration policies, Kyverno for Kubernetes policies, and Checkov for static vulnerability scanning of Terraform code. See Policies.

Yes. The Variable Graph auto-detects cross-project dependencies via terraform_remote_state references and visualizes them as an interactive DAG with impact analysis. See Variable Graph.

Yes. ops0 uses encryption at rest and in transit, role-based access controls, and enterprise-grade security practices. SOC 2 Type II certification is in progress (expected Q1 2026). Credentials are stored encrypted and never logged. See our security documentation for details.

For AWS, we recommend using IAM Assume Role which doesn't require storing long-lived credentials. For other providers, credentials are encrypted at rest using AES-256 and are only decrypted at runtime.

Click "Forgot Password" on the login page, enter your email, and follow the link sent to your inbox. The link expires in 1 hour.

Use one of your recovery codes to log in. If you don't have recovery codes, contact your organization admin to disable 2FA on your account. If you're the only admin, use the contact options on ops0.com.

Go to Settings → General → SSO. ops0 supports SAML 2.0 and OIDC providers including Okta, Auth0, Azure AD, and Google Workspace. See the Authentication docs for setup instructions.

Yes. One email can belong to multiple organizations. Use the organization switcher in the top-left corner to switch between them.

Common causes:

• Invalid credentials - Check your AWS/GCP/Azure integration is connected
• Missing provider - Ensure you have a provider block configured
• Syntax errors - Check the error message for line numbers
• State lock - Another deployment may be in progress

Use the Discovery feature: Go to Discovery → Run Scan → Select resources → Import to Project. ops0 generates the IaC code (Terraform, OpenTofu, etc.) and imports the state automatically.

By default, ops0 manages state for you in encrypted storage. You can also configure a remote backend (S3, GCS, Azure Blob) in your Terraform configuration if you prefer.

Check the deployment logs for errors. If it's waiting on a resource, there may be a dependency issue. You can cancel the deployment and retry. If state is corrupted, contact support.

Go to the deployment history, find the previous successful deployment, and click "Restore". This creates a new deployment that reverts to that state. Review the plan before applying.

Common causes:

• Agent not installed - Run the helm install command shown in Add Cluster
• Network issues - Ensure the agent can reach ops0's API endpoint
• Expired credentials - Regenerate the cluster token
• RBAC issues - Verify the service account has required permissions

The agent needs read access to pods, deployments, services, and events. For incident response features, it needs write access to restart pods. See the Kubernetes docs for the full RBAC manifest.

Navigate to Kubernetes → Clusters → Select cluster → Pods → Click on a pod → Logs tab. You can filter by container if the pod has multiple containers.

ops0 creates incidents for pod crashes, OOMKills, and failed health checks. You can adjust sensitivity in Settings → Notifications or suppress specific incident types.

Verify the IAM role or user has the required permissions. For Assume Role, check the trust policy allows ops0's AWS account. Test the connection in the integration settings.

Check that:

• The GitHub App is installed on the repository
• The correct branch is configured
• There are no merge conflicts
• The repository hasn't been archived or deleted

Verify the Slack integration is connected and the correct channel is selected. Check that the ops0 bot has permission to post in the channel. Test with the "Send Test" button.

Read the policy violation message to understand what's wrong. Fix the issue in your code (e.g., add encryption, fix security group rules). If the policy is incorrect, ask your admin to update it or suppress the violation with justification.

Policies are written in Rego (Open Policy Agent's language). Go to Policies → Create Policy, choose a template or start from scratch. See the Creating Policies docs for examples and syntax.

Yes. Go to Compliance → Find the violation → Suppress. You must provide a justification and optionally an expiration date. Suppressed violations don't affect your compliance score.