Terrateam
Terrateam is a self-hosted workflow automation tool that automates infrastructure changes.
Open-source infrastructure orchestration, honestly reviewed. What you actually get when you stop paying Terraform Cloud’s per-seat bill.
TL;DR
- What it is: Open-source (MPL-2.0) GitOps platform that runs Terraform, OpenTofu, Terragrunt, CDKTF, and Pulumi workflows directly inside GitHub and GitLab pull requests [3].
- Who it’s for: Engineering teams and DevOps leads managing infrastructure as code across multiple environments who are tired of paying per-seat for Terraform Cloud, Spacelift, or Scalr. Not a tool for non-technical founders — this requires people who write Terraform.
- Cost savings: Terraform Cloud charges $20/user/month on the Plus tier; Spacelift and Scalr start at roughly $200–$400/month. Terrateam self-hosted runs on your own runners with no per-seat fee [README][pricing page].
- Key strength: Stateless by design — your state, secrets, and code never touch Terrateam’s servers. The entire execution happens in your own GitHub Actions or GitLab CI runners [5].
- Key weakness: 1,204 GitHub stars and a small team mean you’re betting on a younger project. RBAC, centralized configuration, and advanced approval workflows are enterprise-gated, not part of the free open-source version. Pricing for paid tiers is not published. Built in OCaml, which limits the pool of engineers who can contribute patches [README][2].
What is Terrateam
Terrateam is a GitOps orchestration layer that sits between your pull requests and your infrastructure. When an engineer opens a PR that touches Terraform code, Terrateam automatically triggers terraform plan, posts the output as a PR comment with cost estimates and policy warnings, enforces approval requirements, and then executes terraform apply when someone comments terrateam apply [3][4].
The pitch is simple: stop building custom CI pipelines to handle Terraform. Stop copy-pasting GitHub Actions YAML that breaks when HashiCorp changes the provider registry. Stop paying per-seat for cloud services that sit between you and your own infrastructure. Give every PR a structured plan → review → approve → apply workflow without the maintenance overhead.
What distinguishes it architecturally from the crowd is the stateless design. Terrateam’s server processes webhook events and orchestrates workflow steps but never clones your code, stores your Terraform state, or handles your cloud credentials. Execution happens inside GitHub Actions or GitLab CI runners that you control. The security boundary is explicit: Terrateam sees PR metadata, branch names, workflow results, and user permissions from your VCS. Everything else — state files in S3, cloud credentials, source code — stays in your environment [5].
The project is built in OCaml, which is unusual enough to warrant a mention. The team built a custom async framework called Abb (Asynchronous Building Blocks) for concurrent workflow orchestration, and uses compile-time type-checked SQL queries. Performance aside, OCaml means the contributor pool is small — the language has real strengths but a fraction of the Go or Python community that backs tools like Atlantis [5][README].
As of this review, the project sits at 1,204 GitHub stars. That’s real traction but nowhere near the incumbents. It’s a younger project with a smaller community.
Why people choose it
The comparison that matters most for Terrateam is against Atlantis (the original open-source Terraform PR automation tool) and Terraform Cloud / HCP Terraform (HashiCorp’s managed offering). The rest — Spacelift, Scalr, env0 — are commercial SaaS products with similar positioning.
Versus Atlantis. Atlantis is the original open-source answer to this problem. It’s free, mature, widely deployed, and has a large community. Terrateam’s argument against it is scale and features: Atlantis works well for smaller setups but gets unwieldy with monorepos containing hundreds of workspaces. Terrateam offers tag-based configuration (define rules once, apply everywhere), native cost estimation, drift detection, and a full UI for tracking runs — all in the open-source version. Atlantis has none of that out of the box [README][3].
Versus Terraform Cloud. HashiCorp’s managed product charges per user per month on paid tiers, which adds up fast for teams with multiple engineers across multiple environments. Terrateam’s self-hosted version has no per-seat fees. The tradeoff is operational overhead — you manage the deployment — but for teams already running their own infrastructure, that’s familiar territory [README].
Versus Spacelift and Scalr. Both are capable commercial products with polished UIs and strong policy engines. Both cost significantly more than running Terrateam on your own runners. For teams where the engineering overhead of self-hosting is already baked in, the cost argument for Terrateam is real.
The website testimonial section mentions teams “balancing security, compliance & speed” as the core use case. The cost estimation feature — showing dollar impact directly in PR comments — is specifically called out as reducing the friction of getting finance or management buy-in for infrastructure changes [homepage].
Features
Core workflow:
- Auto-runs terraform plan on PR open and on every subsequent commit [4]
- Posts plan output, cost estimate, and policy violations as PR comments [homepage][4]
- Comment-triggered operations: terrateam apply, terrateam plan [4]
- Pre-merge and post-merge apply modes [3][README]
- Smart locking: apply-only locks so parallel plans run freely without blocking each other [README]
- Cross-workspace dependency coordination for complex monorepos [README]
Policy and access control:
- OPA/Rego policy enforcement [README][3]
- Conftest integration [5]
- Checkov support [README]
- CODEOWNERS enforcement — Terrateam checks that all required CODEOWNERS have approved before allowing apply [1]
- Tag-query-based approval rules: tag:production AND team:payments style composable conditions [README][homepage]
- OIDC authentication for cloud providers, with no long-lived credentials stored [3][5]
Scale and monorepo support:
- Tag-based configuration: write rules once, apply to matching directories [README]
- Parallel execution across workspaces with conflict-safe locking [README]
- Drift detection runs across all managed workspaces [README]
- Caching for monorepos with multiple environments [homepage]
Visibility:
- Full run dashboard UI — track every execution, view logs, debug failures — included in the OSS version [README]
- Cost estimation in every PR with per-directory breakdown [homepage][5]
- Audit logs for all actions [5]
IaC tool support:
- Terraform, OpenTofu, Terragrunt, CDKTF, Pulumi, or any CLI you need [README][homepage]
What’s gated behind Enterprise licensing:
- RBAC (role-based access control) [README]
- Centralized configuration across multiple repositories [README]
- Gatekeeper (advanced approval workflows) [README]
The OSS version is more complete than many comparable tools — the full UI, cost estimation, and OPA integration are not community-tier features locked behind a paywall. But fine-grained team-based RBAC requires the commercial tier, which is a gap that matters once you’re past a handful of engineers [README].
Pricing: SaaS vs self-hosted math
Terrateam’s pricing page does not publish dollar amounts for its paid tiers. What the support documentation reveals is a three-tier structure: Free, Basic, and Enterprise [2].
Free plan: Supported via community Slack, no response time guarantee. Suitable for individuals and small teams comfortable with self-service debugging [2].
Basic plan: Community Slack plus email support, up to 4 hours/month. No SLA on response time — best-effort only [2].
Enterprise plan: Dedicated Slack channel integration, up to 4 hours/month of video call support, SLA with 4-hour critical response time 24x7, 24-hour response for major issues [2].
Pricing not published = you have to talk to sales. That’s a friction point worth noting.
The comparison that justifies self-hosting:
- Terraform Cloud Plus: $20/user/month. A 10-engineer team = $200/month, $2,400/year.
- Spacelift and Scalr: both start at several hundred dollars per month for small teams.
- Terrateam self-hosted: $0 in license fees. You pay for runners (GitHub Actions minutes, or self-hosted runners on a VPS you already operate).
For teams already running GitHub Actions self-hosted runners, the marginal cost of adding Terrateam is close to zero. For teams on GitHub-hosted runners, plan execution costs accrue per minute — but that’s the same cost you’d pay running any other CI-based Terraform tool [README].
Deployment reality check
Terrateam deploys via Docker Compose. The quickstart is three commands: clone the repo, navigate to docker/terrat, run docker-compose up setup, then access the setup wizard at http://localhost:3000 [README].
What you actually need:
- A server or VPS to host the Terrateam service (the stateless server component)
- PostgreSQL (the docker-compose setup includes it)
- GitHub App registration or GitLab integration — Terrateam needs to receive webhook events from your VCS
- Your existing CI runners (GitHub Actions or GitLab CI) for actual Terraform execution — Terrateam doesn’t run Terraform itself, it orchestrates your runners to do it
What can go sideways:
- The stateless design is a security feature but also means you’re responsible for your runners’ IAM permissions, secrets management, and state backend configuration. Terrateam doesn’t manage any of that — it just tells your runners what to run and when [5].
- Configuration lives in .terrateam/config.yml in each repo. For teams with many repos, managing consistent configuration across them is a problem the enterprise “Centralized Configuration” feature solves, but that’s behind the commercial tier [README].
- Built in OCaml means filing bug reports against a niche language stack. The team maintains it actively, but community contributions are structurally harder than a Go or Python project [5].
- Support outside the enterprise tier is best-effort. If you’re self-hosting this for critical infrastructure automation and hit a bug at 2am, your options are the community Slack or email with no SLA [2].
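Because runner IAM stays with you and credentials come from OIDC, the cloud role's trust policy is what decides which workflows can obtain credentials. The following is an added example, not Terrateam code: it assumes AWS as the cloud and GitHub Actions as the runner, and audits a role trust policy for the GitHub OIDC provider. The account ID, repository name and sample policies are constructed placeholders.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_repo):
    """Return findings for statements that trust the GitHub Actions OIDC provider."""
    findings = []
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        federated = as_list(principal.get("Federated", []))
        if not any(p.endswith("oidc-provider/" + GITHUB_OIDC) for p in federated):
            continue
        subs, auds = [], []
        # Condition block shape: {operator: {condition_key: value or [values]}}
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                if key.lower() == GITHUB_OIDC + ":sub":
                    subs += [(operator, v) for v in as_list(value)]
                elif key.lower() == GITHUB_OIDC + ":aud":
                    auds += as_list(value)
        if "sts.amazonaws.com" not in auds:
            findings.append(f"statement {n}: aud is not pinned to sts.amazonaws.com")
        if not subs:
            findings.append(f"statement {n}: no sub condition, any repository on GitHub can assume the role")
        for operator, sub in subs:
            if not sub.startswith(f"repo:{expected_repo}:"):
                findings.append(f"statement {n}: sub {sub!r} is not scoped to {expected_repo}")
            elif "Like" in operator and ("*" in sub or "?" in sub):
                findings.append(f"statement {n}: sub {sub!r} uses a wildcard, check which refs it admits")
    return findings

# Constructed sample policies; the account ID and repository name are placeholders.
PROVIDER = "arn:aws:iam::111122223333:oidc-provider/" + GITHUB_OIDC
REPO = "example-org/infrastructure"

def make_policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

LOOSE = make_policy({"StringLike": {GITHUB_OIDC + ":sub": "repo:example-org/*"}})
TIGHT = make_policy({"StringEquals": {
    GITHUB_OIDC + ":aud": "sts.amazonaws.com",
    GITHUB_OIDC + ":sub": "repo:example-org/infrastructure:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, policy in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, audit_trust_policy(policy, REPO))
```

Run it against the output of your own role's trust policy document; a role used for apply deserves a tighter sub than one used only for plan.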
Realistic setup time for a DevOps engineer familiar with Docker and GitHub Apps: 2–4 hours for a working installation. For a team with a complex monorepo and custom policy requirements: budget a full day for configuration tuning.
Pros and cons
Pros
- Stateless architecture means zero credential exposure to Terrateam. Your state, secrets, and source code never touch Terrateam’s infrastructure; they stay on runners you control, which remain yours to secure. This is the most defensible security posture in the category [5].
- Full UI included in OSS. Run dashboard, execution logs, failure debugging — not gated behind commercial licensing [README].
- Cost estimation in every PR. Engineers see dollar impact before apply. Non-technical stakeholders can review PRs without understanding Terraform syntax [homepage].
- Scales to monorepos. Tag-based configuration and parallel execution with smart locking handle thousands of workspaces without per-workspace YAML duplication [README].
- Supports any IaC tool. Terraform, OpenTofu, Terragrunt, CDKTF, Pulumi, or arbitrary CLI commands — not locked to a single ecosystem [README][homepage].
- OPA/Rego policy enforcement in OSS. Policy-as-code is not a paid feature [README][3].
- CODEOWNERS integration. Enforcement of existing GitHub CODEOWNERS reviews before apply — no separate approval system to maintain [1].
- OIDC authentication. No long-lived cloud credentials to rotate or accidentally leak [3][5].
Cons
- RBAC is enterprise-only. Fine-grained role-based access control requires commercial licensing. The OSS version lacks this for multi-team setups [README].
- Pricing is opaque. No public numbers on Basic or Enterprise tier costs. You’re negotiating blind [2].
- 1,204 stars = small community. Compared to Atlantis (mature, widely deployed) or the commercial products with dedicated support teams, Terrateam has limited community resources for self-hosters hitting edge cases.
- OCaml tech stack limits contributions. Most DevOps engineers cannot read, let alone patch, OCaml. Bug fixes depend on the core team [5][README].
- GitHub and GitLab only. No Bitbucket support mentioned. If your organization uses Bitbucket, look elsewhere [3].
- No published performance benchmarks. The architecture page describes what the system is designed to handle, but there’s no public data on actual throughput under load [5].
- Centralized configuration requires Enterprise. Managing consistent .terrateam/config.yml across many repos is a real operational problem that the free tier doesn’t solve [README].
Who should use this / who shouldn’t
Use Terrateam if:
- Your team manages Terraform at scale — multiple environments, dozens or hundreds of workspaces — and your current Atlantis setup is straining under complexity.
- You’re paying per-seat for Terraform Cloud or a commercial GitOps product and want to eliminate that recurring cost.
- Security requirements demand that your state and credentials never leave your network — Terrateam’s stateless design makes this achievable without custom tooling.
- Your team already runs GitHub Actions self-hosted runners and wants PR-native Terraform automation without building the orchestration layer from scratch.
- You need cost estimation and policy enforcement surfaced directly in pull requests for non-engineering stakeholders.
Skip it if:
- You’re a non-technical founder. This is a tool for engineers who write Terraform. There’s no GUI that abstracts infrastructure management — it’s all PR comments and YAML config.
- Your team is two engineers running simple infrastructure. Atlantis or manual CI scripts are sufficient and have larger communities.
- You need RBAC without paying for Enterprise — the OSS version’s access control story is limited.
- You’re on Bitbucket.
- You need 24/7 support SLA without paying for Enterprise. Free-tier support is community-only with no response guarantee [2].
- Your team wants to contribute back to the project and no one knows OCaml.
Alternatives worth considering
- Atlantis — the original open-source Terraform PR automation. More mature, larger community, free, Go-based so easier to contribute to. Lacks native cost estimation, drift detection, and the full run UI. The obvious alternative for teams that don’t need monorepo scale features.
- HCP Terraform (formerly Terraform Cloud): HashiCorp’s managed offering. More polished for non-power users, runs the execution for you, free tier up to 500 resources. $20/user/month on Plus. The incumbent you’re escaping when you pick Terrateam.
- Spacelift — commercial, polished, expensive. Strong policy engine, good for large enterprises with compliance requirements. Not a cost-saving move.
- Scalr — commercial, similar positioning to Spacelift. Multi-tenant, hierarchical workspaces. Priced for enterprise budgets.
- env0 — commercial, focuses on cost governance and environment management. Useful if cost control is the primary driver.
- Digger — newer open-source GitOps tool for Terraform, also PR-native. Go-based, simpler feature set, free. Worth a look if Terrateam’s complexity is more than you need.
- OpenTofu — if your concern is HashiCorp’s license change, switching from Terraform to OpenTofu doesn’t require changing your orchestration tool. Terrateam supports OpenTofu natively [README][homepage].
For a team managing serious infrastructure at scale and wanting to exit SaaS pricing, the realistic shortlist is Terrateam vs Atlantis. Pick Terrateam if you need cost estimation, drift detection, a run dashboard, and monorepo-scale configuration without building it yourself. Pick Atlantis if community size, contribution ease, and battle-tested stability matter more than feature depth.
Bottom line
Terrateam makes a coherent argument: GitOps Terraform automation shouldn’t require a per-seat SaaS subscription or a custom CI pipeline that you maintain forever. The stateless architecture is genuinely well-thought-out from a security standpoint, the run dashboard and cost estimation in the OSS tier are more than competitors offer for free, and the tag-based configuration for monorepos solves a real problem that Atlantis handles poorly at scale. The trade-offs are honest: small community, OCaml tech stack that limits self-sufficiency, opaque commercial pricing, and RBAC gated behind an enterprise tier. For a DevOps team currently paying $200–$500/month for Terraform Cloud or a commercial GitOps product, the self-hosted math is compelling. For a non-technical founder, this isn’t the right tool — but for the engineering team that founder eventually hires, it’s worth a serious look.
Sources
1. Terrateam Documentation: Enforcing CODEOWNERS Approval. https://docs.terrateam.io/configuration/access-control/codeowners
2. Terrateam Documentation: Support (tiers, SLAs, contact methods). https://docs.terrateam.io/support
3. Terrateam Documentation: Overview (what it is, how it works). https://docs.terrateam.io/overview/
4. Terrateam Documentation: Pull Requests and Triggers. https://docs.terrateam.io/workflows/pull-request/
5. Terrateam: Technical Architecture (OCaml stack, stateless design, security model). https://terrateam.io/technical-architecture
Primary sources:
- GitHub repository and README: https://github.com/terrateamio/terrateam (1,204 stars, MPL-2.0 license)
- Official website: https://terrateam.io
- Documentation: https://docs.terrateam.io