Atlantis is an old and battle-tested self-hosted tool that provides a layer of automation and collaboration for Terraform (and, as of 2024, can be integrated with OpenTofu). Lacking a user interface beyond server flags and YAML configuration files, Atlantis uses your VCS as its own, listening for pull request notifications and posting feedback as comments.
Using Atlantis has two significant benefits over running Terraform in a “generic” CI system. First, it strikes the right balance between specialized and flexible: custom workflows give you a level of control that’s not possible within a tool like Terraform Cloud. Second, it runs on your infrastructure, allowing it to access resources within a VPC or use cloud-specific dynamic credentials.
Spacelift embraces all those characteristics of Atlantis but offers them in a modern and sophisticated platform (available as SaaS or self-hosted) that provides:
- a more intuitive, versatile, and robust workflow;
- extremely granular access controls at the account and project level that work well with an identity provider of your choice (SSO);
- automated code review and the ability to block suspicious runs and tasks using a consistent open-source policy-as-code framework (OPA);
- the ability to declare complex workflows between projects across multiple repositories;
- a built-in private module registry with a complete CI system for modules;
- effortless setup and customization with per-project environment management and Docker integration;
- programmatic configuration using Terraform;
- drift detection with the ability to auto-remediate;
- … and a myriad of creature comforts like contexts, tasks, or stack locking.
Let’s talk through each of these features one by one.
1) Workflow
One of the most frequent challenges when using Atlantis in practice is its non-intuitive workflow, driven by its reliance on pull requests. Not only is it a lot of work to set up multiple workspaces pointing to the same Git repository, but the result is fragile and nondeterministic. Since there is no concept of mapping projects to branches or tags, applies are still driven by pull request comments.
Atlantis does support command requirements (approved, mergeable, and undiverged) to gate apply, but once those requirements are met, anyone who can comment on the pull request can still deploy arbitrary code to production, even if the approval was meant for a short-lived experimental environment.
Spacelift does not depend on pull requests. Sure, it will post beautiful comments there for your convenience, but it’s driven mainly by push and tag events, so it’s easy to build a sophisticated Git flow. Spacelift will report the outcome of its jobs as commit status checks, which then allows you to block merging the code on a failing Spacelift check. There are two main types of runs – proposed and tracked.
By default, each project points to a particular branch (and optionally a path) – pushing to that branch will trigger a tracked run, one that can be applied. This behavior can be customized using Git push policies.
Thanks to that, Spacelift can provide the same level of comfort and security to teams using one project per repository and those using monorepos with hundreds of interdependent projects. You can read more about our approach to VCS integration here.
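Here is what such a push policy looks like in practice. This is an added example, not code from the original post or from Spacelift's own repositories: it declares the policy through the Spacelift Terraform provider with the Rego body inline and attaches it to one stack. The stack name, repository, branch and project root are assumptions; the rule names (track, propose, ignore) and the input.push / input.stack fields are those of Spacelift's Git push policy input document.

```hcl
terraform {
  required_providers {
    spacelift = {
      source = "spacelift-io/spacelift"
    }
  }
}

# Assumed stack: "production" is the tracked branch, so only pushes to it can
# ever produce an apply. Every other branch only yields a plan-only preview.
resource "spacelift_stack" "network" {
  name         = "network"    # assumed name
  repository   = "infra"      # assumed repository
  branch       = "production"
  project_root = "network"    # assumed path inside a monorepo
}

# The policy decides, per push event, whether Spacelift starts a tracked run
# (can be applied), a proposed run (preview only), or nothing at all.
resource "spacelift_policy" "branch_flow" {
  name = "branch-flow"
  type = "GIT_PUSH"
  body = <<-EOT
    package spacelift

    # Tracked run only when the push lands on the stack's own branch.
    track   { input.push.branch == input.stack.branch }

    # Any other branch push gets a plan-only preview.
    propose { input.push.branch != "" }

    # Tags never trigger anything for this stack.
    ignore  { input.push.tag != "" }

    # Monorepo hygiene: skip the run entirely when nothing under the
    # stack's project root changed. "ignore" wins over "track".
    ignore  { not affected }

    affected {
      some f
      file := input.push.affected_files[f]
      startswith(file, input.stack.project_root)
    }
  EOT
}

resource "spacelift_policy_attachment" "branch_flow_network" {
  policy_id = spacelift_policy.branch_flow.id
  stack_id  = spacelift_stack.network.id
}
```

A policy that is not attached to anything does nothing; instead of one attachment per stack you can label the policy `autoattach:<label>` and it applies to every stack carrying that label. Because Spacelift reports each run as a commit status check, the plan-only previews produced by the propose rule can be made a required check on the production branch, so code cannot be merged (and therefore cannot become a tracked run) until its preview is green.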
2) Access Control
Another pain point with Atlantis at scale is its access-control model. By relying on comments in pull requests to drive infrastructure deployments, Atlantis effectively yields control over your infrastructure to the VCS provider. While this is usually fine when a single repository drives a single Terraform project, it becomes a significant liability in more complex scenarios.
Spacelift ships with a sophisticated mechanism that allows administrators to define who can log in (and under what circumstances) and what their access level is for each managed project. Spacelift supports Single Sign-On (SSO) using SAML 2.0 or OIDC, and also supports logging in using managed identity providers like GitHub, GitLab, or Google; SAML-based SSO is available on the Enterprise plan. Even our Slack integration can be subject to policy controls, allowing an admin to grant access to a project based on Slack-specific data (e.g., team, channel, user).
For extra protection, powerful features like Tasks can be governed by policies as well; newer setups typically use approval policies (task run policies have been deprecated).
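To make the access-control point concrete, here is a login policy expressed the same way, as an added example rather than code from the original post or from Spacelift. Login policies are account-wide, so no attachment is needed. The team names are assumed to come from the SSO provider's group claims, and the CIDR is a documentation range standing in for a corporate VPN; the rule names (admin, allow, deny) and the input.session / input.request fields are those of Spacelift's login policy input. The required_providers declaration for spacelift-io/spacelift is assumed to be present elsewhere in the configuration.

```hcl
resource "spacelift_policy" "sso_login" {
  name = "sso-login"
  type = "LOGIN"
  body = <<-EOT
    package spacelift

    # Account admins: members of the platform team only (assumed group name).
    admin { input.session.teams[_] == "platform-admins" }

    # Everyone in engineering may log in with non-admin rights; what they can
    # do on each stack is then decided by the stack-level access rules.
    allow { input.session.teams[_] == "engineering" }

    # A deny takes precedence over allow and admin. Block anyone who is not a
    # member of the organisation and any login from outside the VPN range.
    deny { not input.session.member }
    deny { not net.cidr_contains("203.0.113.0/24", input.request.remote_ip) }
  EOT
}
```

The deny rules are the ones to get right, because an overly broad deny locks everyone out in one go. The Policy Workbench mentioned below is the place to dry-run this body against recorded login attempts before committing it, and the team-based rules mean that removing someone from the SSO group removes their Spacelift access without touching Spacelift at all.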
3) Policy Framework
Both Spacelift and Atlantis let you use Open Policy Agent (OPA) – an open-source solution endorsed by the Cloud Native Computing Foundation (CNCF) – to ensure your infrastructure complies with industry best practices and your company policies. Atlantis integrates with conftest to achieve that and lets you verify each Terraform plan using OPA policies.
Spacelift goes a few steps further: it puts policy-as-code at the center of its value proposition and builds a consistent, robust policy framework around it.
Apart from providing a comprehensive automated change review and ensuring compliance of your Terraform changes, Spacelift uses the same approach to allow you to declare rules around account and project access, handling push notifications, starting runs and triggering tasks, and creating relationships between projects.
It also provides the Policy Workbench, which lets you view past executions of your policy – including the inputs and decisions that have been made – and lets you interactively edit your policy while simulating its execution on these previous inputs. You can use our starter repo to quickly provision a bunch of policies and get a feel for how you can work with them in Spacelift.
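The automated change review described above is a plan policy. The following is an added example (not code from the original post or from Spacelift's starter repo) of one that refuses to delete stateful resources and flags replacements for reviewers; the resource types, the "ephemeral" label and the autoattach label are assumptions, while the deny and warn rule names and the input.terraform.resource_changes / input.spacelift.stack fields are those of Spacelift's plan policy input. The required_providers declaration for spacelift-io/spacelift is assumed to be present.

```hcl
resource "spacelift_policy" "protect_stateful" {
  name = "protect-stateful-resources"
  type = "PLAN"

  # Attach to every stack labelled "stateful" without per-stack attachments.
  labels = ["autoattach:stateful"]

  body = <<-EOT
    package spacelift

    # Resource types whose deletion must never slip through an apply (assumed list).
    protected := {"aws_db_instance", "aws_s3_bucket", "aws_kms_key"}

    # Deny fails the run: any delete of a protected type, unless the stack is
    # explicitly labelled as ephemeral.
    deny[sprintf("refusing to delete %s (%s)", [r.address, r.type])] {
      r := input.terraform.resource_changes[_]
      r.change.actions[_] == "delete"
      protected[r.type]
      not ephemeral
    }

    # Warn lets the run continue but surfaces the message to reviewers:
    # a two-action change is a replacement (delete+create or create+delete).
    warn[sprintf("%s will be destroyed and recreated", [r.address])] {
      r := input.terraform.resource_changes[_]
      count(r.change.actions) == 2
    }

    ephemeral { input.spacelift.stack.labels[_] == "ephemeral" }
  EOT
}
```

The Rego itself is portable: Atlantis runs conftest over the raw JSON plan, so the same two rules work there once input.terraform.resource_changes becomes input.resource_changes. What differs is everything around the policy, such as the stack labels that the ephemeral exception keys off, and the ability to replay the policy in the Policy Workbench against the plans of previous runs before enforcing it.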
4) IaC Tool Support
Atlantis can automate the planning and execution of your Terraform configurations and, as of 2024, can integrate with OpenTofu as well. However, if your IaC extends beyond Terraform and OpenTofu, Atlantis cannot help automate it. This makes it a strong contender for automating workflows built exclusively on these tools.
Spacelift, however, not only supports both Terraform and OpenTofu but is truly multi-IaC, including support for Terragrunt, Pulumi, CloudFormation, Kubernetes, and Ansible. This extends your IaC automation beyond Day 0 operations to Day 2 and beyond.
5) Complex Workflows
Handling interdependencies between projects has always been Terraform’s Achilles’ heel, and Atlantis is no different in that regard. The usual approach to this problem is to add another layer of abstraction in the form of a Terraform wrapper, such as Terragrunt. While this breaks the problem into smaller chunks, it’s only a partial solution that comes at the cost of locking yourself into another dependency.
Spacelift’s stack dependencies (and, where needed, trigger policies) provide a smart, declarative automation layer on top of vanilla Terraform. These allow you to declare dependencies between stacks and have related tracked runs execute in the correct order following the changes that have just been applied.
Stack dependencies cover most common orchestration use cases, while trigger policies remain available for more advanced, dynamic workflows. Read more to discover other exciting possibilities.
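As an added example (not code from the original post or from Spacelift), here is the declarative form of one such dependency: an application stack that must run after a network stack and receives one of its outputs. Stack names, repository, branch, paths, the vpc_id output and the TF_VAR_vpc_id input are assumptions; the spacelift_stack_dependency and spacelift_stack_dependency_reference resources are from the Spacelift Terraform provider. The required_providers declaration for spacelift-io/spacelift is assumed to be present.

```hcl
resource "spacelift_stack" "network" {
  name         = "network"    # assumed
  repository   = "infra"      # assumed
  branch       = "production"
  project_root = "network"
}

resource "spacelift_stack" "app" {
  name         = "app"        # assumed
  repository   = "infra"
  branch       = "production"
  project_root = "app"
}

# Ordering: a tracked run on "network" that applies changes triggers a tracked
# run on "app" afterwards, never the other way round. If the upstream run fails,
# the downstream run does not start.
resource "spacelift_stack_dependency" "app_on_network" {
  stack_id            = spacelift_stack.app.id
  depends_on_stack_id = spacelift_stack.network.id
}

# Value passing: the "vpc_id" output of the network stack becomes the
# TF_VAR_vpc_id environment variable of the app stack. The app stack therefore
# needs neither a terraform_remote_state data source nor credentials to read
# another stack's state file.
resource "spacelift_stack_dependency_reference" "vpc_id" {
  stack_dependency_id = spacelift_stack_dependency.app_on_network.id
  output_name         = "vpc_id"
  input_name          = "TF_VAR_vpc_id"
}
```

Compared with a Terragrunt dependency block, the ordering and the output-to-input wiring live in Spacelift rather than in a wrapper inside the repository, and the dependent stack never has to be granted read access to the upstream state, which is where remote-state data sources usually end up over-sharing.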
6) Private Module Registry
Another problem that one needs to solve externally when using Atlantis is authoring and maintaining reusable Terraform modules for your organization. Terraform is flexible in allowing modules to come from various sources, but access control, testing, and versioning are left to you, the user.
Until now, the gold standard in that regard has been the private module registry from HashiCorp. But Spacelift offers that, and much more. Far from being just a glorified package manager, Spacelift adds a complete CI solution for Terraform modules, out of the box. You can thus ensure that your private modules are healthy before you distribute them to the rest of your organization.
7) Effortless Setup and Customization
If you manage a single or a handful of rarely changing projects using Atlantis, it’s likely that you just set it up once and forget about it. But in a more dynamic environment, where microservices come and go, new environments proliferate, and new product teams require their own Terraform workspaces, the need to configure Atlantis every time becomes a major nuisance, putting a lot of pressure on your DevOps team.
Enter Spacelift. In Spacelift, much of the configuration can be handled by the project owners themselves – you can add Terraform and/or environment variables and mount files (even inject Terraform code!) programmatically or through the GUI without the need for administrative privileges or changing the central server configuration.
For administrators, adding new projects requires minimal hassle since there’s no need to set up webhooks or change any YAML. And it can all be done programmatically, using Terraform.
8) Programmatic Configuration
In what comes as a pleasant surprise to long-time Atlantis users, Spacelift entities like stacks, contexts, modules, or policies, as well as their configuration, can be managed declaratively using your favorite infra-as-code tool. Yes, that’s right – Spacelift offers a Terraform provider that allows you to manage the lifecycle of its own resources programmatically.
Administrative stacks get credential-less access to the subset of our GraphQL API that does not involve managing the actual infrastructure. For more sophisticated use cases, Spacelift allows you to generate API keys that are subject to the same access controls as normal users, allowing you to create single-purpose tokens for restricted use by your internal scripts.
9) Drift Detection
Infrastructure drift happens. Either someone will make manual changes while debugging and then forget about them, or you might have data sources whose outputs change periodically. Normally, you would notice these changes only after you execute your next plan or apply.
Spacelift has you covered here. You can configure periodic drift detection to be notified whenever drift happens and take immediate action. Note that drift detection runs on private workers. You can go a step further with optional automatic reconciliation, ensuring your infrastructure always matches your Terraform configuration.
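Sections 7 to 9 come together in one configuration: an administrative stack that manages a context with shared environment variables and a mounted file, attaches it to an application stack, and schedules drift detection for that stack. This is an added example, not code from the original post or from Spacelift; all names, paths, the region value and the cron schedule are assumptions, and the resources used are those of the Spacelift Terraform provider. The required_providers declaration for spacelift-io/spacelift is assumed to be present.

```hcl
# Administrative stack: applies this very configuration with credential-less
# access to Spacelift's own API, so there is no API key to store or rotate.
resource "spacelift_stack" "admin" {
  name           = "spacelift-admin"   # assumed
  repository     = "spacelift-config"  # assumed
  branch         = "main"
  administrative = true
}

resource "spacelift_stack" "app" {
  name         = "app"        # assumed
  repository   = "infra"      # assumed
  branch       = "production"
  project_root = "app"
}

# A context bundles configuration that several stacks share.
resource "spacelift_context" "prod_aws" {
  name        = "prod-aws"
  description = "Shared settings for production AWS stacks"
}

resource "spacelift_environment_variable" "region" {
  context_id = spacelift_context.prod_aws.id
  name       = "AWS_REGION"
  value      = "eu-west-1"
  write_only = false   # plain value, readable in the UI
}

# write_only: injected into runs, but never readable back through the UI or
# API once set. The value itself arrives via a sensitive variable.
resource "spacelift_environment_variable" "db_password" {
  context_id = spacelift_context.prod_aws.id
  name       = "TF_VAR_db_password"
  value      = var.db_password
  write_only = true
}

variable "db_password" {
  type      = string
  sensitive = true
}

# Mounted files land under /mnt/workspace/<relative_path> inside the run;
# content must be base64-encoded.
resource "spacelift_mounted_file" "ca_bundle" {
  context_id    = spacelift_context.prod_aws.id
  relative_path = "certs/internal-ca.pem"
  content       = filebase64("${path.module}/internal-ca.pem")
  write_only    = true
}

resource "spacelift_context_attachment" "prod_aws_app" {
  context_id = spacelift_context.prod_aws.id
  stack_id   = spacelift_stack.app.id
  priority   = 0
}

# Hourly drift detection. reconcile = false means "notify, do not fix", which
# is the safe starting point before turning on automatic reconciliation.
resource "spacelift_drift_detection" "app" {
  stack_id  = spacelift_stack.app.id
  schedule  = ["0 * * * *"]
  timezone  = "UTC"
  reconcile = false
}
```

The administrative stack runs with exactly the privileges the rest of this configuration needs and nothing more: it cannot plan or apply the application stack's infrastructure, only describe it. Project owners who need an extra variable on their own stack can add it directly on the stack, without going through this central configuration, which is the Atlantis pain point section 7 describes.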
10) Creature Comforts
Last but not least, Spacelift emphasises an excellent user experience, offering a myriad of creature comforts.
Contexts, for example, allow you to attach entire collections of configuration to individual stacks and modules.
Tasks provide a powerful, audited way of running one-off administrative commands on an initialized Terraform environment – subject to their own policy constraints.
Stack locking allows a single individual to take exclusive control of a stack, preventing others from modifying its state while crucial changes are being made.
The resources visualisation shows you all the resources you’re managing in your account, when and how they were last updated, and lets you slice and dice them using a plethora of views, filters and groupings.
The best Atlantis alternative
Spacelift is an Atlantis alternative that provides a more intuitive, versatile, and robust GitOps workflow, granular access control, drift detection, and many more. It’s a better, more flexible CI/CD for Terraform, offering maximum security without sacrificing functionality. Spacelift embraces all of Atlantis’ features, offering them in a modern and sophisticated SaaS product.
