Spacelift

Spacelift is a flexible infrastructure management platform designed to bring enterprise-grade controls, collaboration, and automation to infrastructure-as-code workflows. Supporting Terraform, OpenTofu, Pulumi, Ansible, CloudFormation, and Kubernetes, Spacelift acts as the orchestration and governance layer that sits on top of these tools, providing policy enforcement, audit logging, drift detection, and self-service infrastructure capabilities.

The Stack is the fundamental unit in Spacelift. A Stack connects a Git repository containing infrastructure code to a set of environment variables, policies, cloud credentials, and runtime configuration. When code is pushed to the connected repository, Spacelift automatically triggers a plan run that shows the proposed infrastructure changes. Plans can be reviewed in the Spacelift interface and approved or rejected before an apply is initiated, providing a human checkpoint for infrastructure changes in collaborative environments.

Policies in Spacelift are written in Rego, the policy language used by Open Policy Agent (OPA). These policies can enforce rules on plans before they are applied, control which users can approve or apply changes, filter which Git notifications trigger runs, and define login policies that control user access. The policy engine makes it practical to implement infrastructure governance rules such as preventing deletion of production databases, requiring approval for changes above a certain cost threshold, or restricting which instance types can be provisioned.

Drift detection is a critical operational feature in Spacelift that continuously monitors the actual state of infrastructure against the desired state defined in code. When Spacelift detects that the real infrastructure has diverged from the code definition (due to manual changes, cloud provider events, or other tools), it notifies the team and can optionally initiate an automatic reconciliation run to restore the desired state. This ensures that infrastructure remains consistent and prevents configuration drift from accumulating silently.

The private worker pool feature allows Spacelift runs to execute on the customer's own infrastructure, inside the VPC or network that has access to the target cloud resources. This is essential for organizations that cannot allow an external service to hold cloud credentials or whose infrastructure is in a private network that is not accessible from the internet.

Module registry in Spacelift provides a private Terraform module registry for sharing reusable infrastructure modules across teams. Modules can be versioned and tested, and policies can enforce that only approved module versions are used in infrastructure definitions, ensuring consistent, security-reviewed infrastructure patterns are applied across the organization.

Spacelift integrates with GitHub, GitLab, Bitbucket, and Azure DevOps for version control, and with Slack, OpsGenie, and webhooks for notifications. The REST API and Terraform provider enable infrastructure management workflows to be automated and integrated with internal developer platforms.