Automate infrastructure changes with secure GitOps workflows. Plan, validate, and deploy Terraform, OpenTofu, and Pulumi directly from pull requests.

At a Glance:

Terrateam is an open-source GitOps tool that automates Terraform and OpenTofu plans and applies in pull requests, supporting tag-based configuration across thousands of workspaces in monorepos or polyrepos with policy enforcement and a full visibility UI.

Overview:

Terrateam is an open-source infrastructure-as-code automation tool that operates within pull requests to orchestrate Terraform, OpenTofu, Terragrunt, CDKTF, and Pulumi workflows. It is designed to manage complex, large-scale environments by using a tag-based configuration model, allowing operators to define automation rules, policies, and dependencies across hundreds or thousands of workspaces from a single repository. The platform provides apply-only locking for safe parallel execution, cost estimation, and infrastructure drift detection. It includes a built-in UI for tracking run history, viewing execution logs, and debugging workflows. Terrateam can be used as a hosted SaaS or self-hosted, where it runs statelessly alongside user-managed runners, state backends, and secrets.

Key Decision Points:

  • Configuration model: Uses tag-based rules in a .terrateam/config.yml file to apply workflows across workspaces, which is suited for monorepos or large multi-repo environments rather than per-workspace configs.

  • Operational scale: Explicitly built to handle thousands of workspaces with complex dependencies, making it relevant for teams managing extensive infrastructure footprints.

  • Policy engine: Supports policy enforcement through OPA, Rego, Checkov, and built-in rules, combined with RBAC and OIDC integration, allowing conditional rules like tag:production AND team:payments.

  • Deployment options: Available as a hosted SaaS or as a self-hosted, stateless server component where users retain control over runners, state files, and secrets.

  • Supported IaC tools: Works with Terraform, OpenTofu, Terragrunt, CDKTF, and Pulumi, and can invoke any CLI tool, providing flexibility beyond a single IaC ecosystem.

Core Features:

  • GitOps pull request automation: Automatically runs plans on PR creation and applies on merge, with support for pre-merge and post-merge apply workflows.

  • Tag-based workspace management: Applies configuration rules via tag queries, enabling bulk management without per-workspace duplication.

  • Smart parallel locking: Enforces apply-only locks so that multiple plans can run in parallel against the same state safely.

  • Policy enforcement: Integrates OPA/Rego, Checkov, and built-in policies with role-based approval requirements.

  • Cost estimation and drift detection: Surfaces cost estimates and detects infrastructure drift automatically within PR comments.

  • Full execution UI: Provides a complete UI in the open-source version for viewing run history, execution logs, and debugging workflow failures.

Use Cases:

  • Platform engineering teams operating large-scale monorepos who need to automate Terraform plans and applies across thousands of workspaces without per-directory pipeline definitions.

  • Operators managing complex infrastructure dependencies across environments who can express orchestration logic through tag-based rules and composable policies.

  • Organizations requiring policy-compliant infrastructure changes where enforcement checks, team-based approvals, and RBAC integrate directly into pull request workflows.

Open-Source Alternative Value:

Terrateam provides its full feature set, including the run-tracking UI, in its open-source release, which can be self-hosted in a stateless deployment model. Users keep control of their own runners, state backends, and secrets. The tool is designed to replace simpler per-directory GitOps workflows with a configuration system that scales across many workspaces while integrating policy-as-code enforcement and cost visibility directly into pull request automation.


Project statistics

Stars

1,241

Forks

71

License

MPL-2.0

Metadata

Alternative to
Red Hat Ansible