Automating infrastructure has transformed how businesses manage resources, making your organization more efficient while reducing errors. Without a proper system in place to guard your automations, they can quickly spiral out of control, eliminating control in favor of speed. This is where infrastructure orchestration platforms shine, providing the necessary oversight and management to keep all your automations aligned.
Infrastructure orchestration refers to how you approach infrastructure as code (IaC), configuration management (CM), container orchestration (CO), continuous integration, and continuous delivery (CI/CD), and how you implement the guardrails that maintain your governance, compliance, and security. This is where Spacelift comes in.
What we will cover:
Spacelift is an infrastructure orchestration platform that increases your infrastructure deployment speed without sacrificing control.
With Spacelift you can provision, configure, and govern with one or more automated workflows that orchestrate Terraform, OpenTofu, Terragrunt, Pulumi, CloudFormation, Ansible, and Kubernetes.
You don’t need to define all the prerequisite steps for installing and configuring the infrastructure tool you are using, nor the deployment and security steps, as they are all available in the default workflow.
The default workflow for each of these infrastructure tools can be modified to suit your needs. You can even define what happens before and after runner phases and integrate with any tools you want, so you have all the flexibility you need.
Spacelift shines for every organization that uses tools from the infrastructure orchestration sphere. It is a robust alternative to generic CI/CD tools, as it comes packed with many features that reduce the overall complexity of your infrastructure automations while enabling faster times to market securely.
Spacelift was built with DevOps/platform engineers in mind, but it developed to become the go-to platform for software engineers too because they can increase their velocity with self-service infrastructure that implements all your organization’s guardrails. It greatly enhances collaboration among engineers, offering them a central location to make infrastructure-related decisions.
Spacelift helps companies build platforms for deploying, governing, observing, and managing their infrastructure with a variety of tools. It integrates seamlessly with all your favorite tools and can help you build swift, robust workflows that streamline your infrastructure automation without sacrificing the necessary guardrails that keep you safe.
With Spacelift, software engineers can focus on new feature development rather than infrastructure, offering them self-serve templates pre-approved by the DevOps/platform engineering teams.
Spacelift offers the following benefits:
- Sustained scaling – Build scalable workflows that adhere to the standards you impose, enabling your organization to deploy, scale, and manage your infrastructure.
- Increased observability – See all the infrastructure Spacelift has deployed in a single view, get information about it, and even see if there is any infrastructure drift.
- Easily implement infrastructure governance – Standardize the way your infrastructure is managed, from integration, security checks, and policy enforcement to the actual deployment.
- Increased security – Spacelift’s security-first development approach ensures everything that you do with the product stays safe. Click the link to find out more about Spacelift’s security architecture and features.
- Amplified developer velocity – Build self-service infrastructure templates that free up your developers and let them focus on what matters.
- Eliminates collaboration bottlenecks – You can easily preview the implications of applying a change to your infrastructure while deciding as a team if the changes make sense.
- Uplift flexibility – Spacelift offers engineers all the flexibility they need to build workflows that suit their needs.
- Schedule away – With Spacelift, you can create schedules for different kinds of activities, such as creating/deleting infrastructure, checking for drift, and even running arbitrary tasks.
Before diving into the features, let’s explore one of Spacelift’s core concepts – stacks. A Spacelift stack is an isolated, independent entity that combines your source code (from a VCS), the tool you are using (e.g. OpenTofu), environment variables, mounted files, the current state of your infrastructure, and lifecycle hooks.
Spacelift stacks are the building blocks of your infrastructure, and all the infrastructure you are deploying will be deployed using a stack.
Now, we are ready to dive into Spacelift’s key features.
1. Streamlined complex workflows
Building a complex workflow can be difficult with more generic IaC tools. With CI systems generally, it’s a challenge to map multiple deployment targets to a single codebase, and the problem is exacerbated by:
- the requirement for the mapping to be dynamic (i.e., new deployment targets added without code change)
- different permissions or rules for different targets
Leveraging Spacelift’s GitOps native status and features such as stack dependencies, you can build sophisticated workflows for OpenTofu, Terraform, Ansible, Terragrunt, Kubernetes, Pulumi, and CloudFormation.
With stack dependencies, you can build dependencies between your configurations, and even share outputs between them. You don’t have any constraint to the number of dependencies you want to create, and whenever a parent configuration finishes a run successfully, it will trigger runs to its children. You can even build dependencies between different tools, so a parent stack can use OpenTofu for example, and a child stack can use Kubernetes.
Check out some examples of stack dependencies:
2. Access control
Managing access can be problematic with IaC. Most generic IaC tools lack access control models and depend on comments on pull requests to drive infrastructure deployments, which introduces unacceptable risks as infrastructures become more complex. Spacelift provides multiple tools to organize access to infrastructure.
Spacelift offers a user management system in which users can be easily invited using their email and authenticated using their account’s IDP. Permissions can be assigned at the user level, or based on group membership:
Spacelift also helps you implement a more granular RBAC and give partial admin rights to your users via Spaces.
In the above example, if you give a user admin rights to the resources space, and no other rights, he will have all permissions to the resources and production space, but he won’t be able to even view resources in other spaces.
3. Robust policy framework
At Spacelift, policy as code plays a very important role in governing the platform. With Policies, you can:
- Define access control at the Space level with login policies
- Restrict runs based on resource parameters with plan policies
- Require multiple approvals for a run by leveraging the approval policies
- Use push policies to control what happens when a PR or a merge occurs
- Define notifications for runs with the notification policies
We understand that OPA can be hard if you don’t have any experience with it, so that’s why we offer:
- Policy Workbench – This is a sampling mechanism for policies that makes testing policies easier. It can be used when you are developing the policies per se by providing input, or you can leverage this mechanism on a run to use the input you get from your Terraform plan.
- Policy Library — You can leverage this collection of over 50 reusable policies in your automation.
Custom Inputs is another Spacelift built-in feature that helps safeguard your complex workflows. By defining just three steps, you can accomplish an integration with any security tool, for example. Using Custom Inputs, you can also easily run policies to ensure engineers are not introducing vulnerabilities with their code.
4. Advanced scheduling
With Spacelift, you can schedule everything from drift detection, stack deletion, tasks, and runs.
Drift is one of the worst problems you can have in your infrastructure. For example, if you fix something manually and then re-apply the code later, you will reintroduce the bug into your configuration.
Spacelift’s drift detection mechanism runs a schedule that informs you about drift and optionally remediates it:
Other schedules you can define are:
- Stack deletion – You can delete a stack based on a schedule, and you also can delete all your resources
- Task – You can schedule any task you would like on your stack (e.g. delete all your resources without deleting your stack, run a workload on your existing infrastructure, etc.)
- Run – You can schedule runs on your stack (e.g. you may want to use a task schedule to delete all the resources from your stack on the weekend, and you would want to create a run schedule to create the resources at the start of the week)
5. Resource visualization
General-purpose CI/CD platforms provide little or no insight into the resource lifecycle from either a real-time or historical perspective, but with infrastructure orchestration, it is vital to have a detailed understanding of managed resources – not only each resource’s current status but also its historical context.
With Spacelift, you can easily see all the resources that have been deployed into your Spacelift account (based on the permissions you have), details about them, and their health:
Observability is taken to the next level with this feature, as engineers can gain an understanding of the lifecycle of each resource managed by Spacelift and document it, regardless of the technology used.
6. Self-service infrastructure
Spacelift’s self-service deployment mechanism enables users without deep infrastructure expertise to deploy infrastructure. Blueprints are templates for environments that let the administrators configure all defaults, guardrails, and other settings to make it easier for anyone who needs infrastructure to deploy it.
This could be developers, managers, or other administrators. Any setting available when configuring a stack can be configured as a default value or within specific parameters in Blueprints. Blueprints also allow you to build unified stacks, which decreases management overhead.
Blueprints increase developer velocity because they don’t have to worry about defining the infrastructure needed to test their applications. They simply self-serve by filling in a simple form that takes care of everything for them. The platform team usually develops these templates, so all the necessary guardrails are in place to ensure control without compromising speed:
Spacelift’s K8s operator also enables self-service infrastructure. With this operator, it is possible to manage Spacelift resources from your K8s cluster, meaning that you can deploy your infrastructure and your application in a single workflow, reducing human error and overall time to market.
kubectl get run run-sample -w
NAME STATE ID
run-sample READY 01J4P7Q...
run-sample PREPARING 01J4P7Q...
run-sample PLANNING 01J4P7Q...
run-sample UNCONFIRMED 01J4P7Q...
7. Enriched user experience
Spacelift doesn’t just give you the necessary tools to improve your workflow, it also offers tools to make the process enjoyable. We understand that infrastructure workflows can get frustrating, especially when you have to repeat chunks of pipelines to make things work, so that’s why we offer some mechanisms to eliminate blockages and frustration.
Contexts are logical containers that contain environment variables, mounted files, and lifecycle hooks, and can be shared between multiple configurations, making it easier to ensure reusability and idempotency. They can be attached to as many stacks as you want, making your processes easier.
If you’re wondering how you can automatically attach policies/contexts to your stack, Spacelift’s got you covered, with magic labels. You simply add to your policy/context autoattach:whatever_label_you_want and every stack that has the whatever_label_you_want will automatically attach the policy/context.
Static credentials are easily intercepted and can be used with malicious intent, so Spacelift offers you the ability to integrate natively with AWS, Microsoft Azure, and Google Cloud to generate dynamic credentials. Based on the roles you are using, these integrations can offer as few or as many permissions as you want:
While this seems more like a security-related feature, it also makes handling authentication to your cloud providers easier.
Tasks provide a powerful audited way of running one-off administrative commands on an initialized Terraform environment – subject to their own policy constraints.
Stack locking allows a single individual to take exclusive control over a stack, ensuring nobody can modify its state while crucial changes are being made.
8. CI/CD for private module and provider registry
Spacelift’s private module and provider registries differ from the ones you are accustomed to using because they offer a full CI solution for your modules and an easy way to publish and use your providers.
It offers compelling advantages over other registries, including the ability to write test cases and even extend them via hooks. Providing everything you need to make your module easily maintainable and usable, it is also deeply integrated with stack features such as Environments, Policies, Contexts, and Worker Pools.
With the release of a GUI for the private Terraform provider registry, you can now easily view and manage your providers and their versions. Admins can also handle the registration of GPG keys within the organization.
9. Programmatic configuration
What would you say if you could manage all of the above Spacelift features from OpenTofu/Terraform? Spacelift offers a OpenTofu/Terraform provider that allows you to programmatically manage the lifecycle of its own resources. Administrative stacks get credentialless access to the subset of our GraphQL API that does not involve managing the actual infrastructure. For more sophisticated use cases, Spacelift allows you to generate API keys subject to the same access controls as normal users, allowing you to create single-purpose tokens for restricted use by your internal scripts.
provider "spacelift" {}
terraform {
required_providers {
spacelift = {
source = "spacelift-io/spacelift"
}
}
}
resource "spacelift_stack" "this" {
for_each = var.stacks
branch = each.value.branch
description = each.value.description
name = each.key
project_root = each.value.project_root
repository = each.value.repo
terraform_workflow_tool = each.value.terraform_workflow_tool
terraform_version = each.value.version
labels = each.value.labels
space_id = each.value.space_name
}
Spacelift also has its own CLI called spacectl, which is a wrapper over our GraphQL API that can be used either locally or in any CI/CD environment you want. It provides limited capabilities for creating and editing resources, as we believe that automating Spacelift from OpenTofu/Terraform is the way to go.
As mentioned in the section related to self-service infrastructure, Spacelift also has its own K8s operator that can create Spacelift resources from inside your K8s cluster.
10. Spacelift integrations
At Spacelift, we understand that you want to leverage the tools and products you already use, so we enable you to integrate with any tool you’d like via lifecycle hooks, bringing your own image, webhooks, and our notification policy.
We integrate natively with:
- Infracost – to estimate the cost of your infrastructure based on the infrastructure as code (IaC) configuration you have defined
- Slack – to confirm and discard tracked runs, and view planned and actual changes
- Microsoft Teams – same capabilities as our Slack integration
- Datadog – to monitor various metrics about your Spacelift account (e.g failing runs, stacks with the most activity, load on private workers, etc.)
- Prometheus – same capabilities as Datadog
11. Security-first development approach
Whether it is SSO via OIDC or SAML2.0, private workers for your workflows, IdP independent MFA, Audit trail, Private VCS, or even self-hosted capabilities, Spacelift has you covered.
If you want to deep-dive into how these are implemented, check out this article.
Why Spacelift?
Spacelift is a powerful infrastructure orchestration platform that helps you deploy your infrastructure fast, without sacrificing the guardrails required by your organization.
Spacelift offers a unique set of infrastructure orchestration capabilities such as:
- An intuitive streamlined versatile workflow that can implement dependencies between your IaC, CM, and CO, enhancing your ability to scale
- Robust RBAC, which can be implemented on account/group level and project level and works hand-in-hand with your identity provider via SSO
- Enhanced governance that enables all of your guardrails, which can be implemented with our versatile policy framework based on OPA
- Self-service infrastructure capabilities via Blueprints or our K8s operator, to improve your developer velocity, freeing developers to implement application changes rather than focus on infrastructure
- Programmatic access to manage all Spacelift resources via our OpenTofu/Terraform provider
- Improved observability due to our resource visualization, which shows all the resources deployed with your Spacelift account and details about them — and also due to our integrations with Datadog and Prometheus
- Reduced infrastructure drift via drift detection and optional remediation
- Advanced scheduling for stack runs, stack deletion, and running arbitrary tasks
- Flexibility to customize your workflow by integrating any tools you want, defining policies for them, and bringing your own image
- Native integrations with AWS, Microsoft Azure, and Google Cloud for dynamic credentials
- Elevated compliance via private workers, private VCS access, and the self-hosted version of Spacelift
- Built-in private module and provider registries
- Creature comforts such as contexts, tasks, stack locking
Spacelift helps your platform teams stay in control while increasing developer velocity. Provision, configure, and govern with a single automated workflow to deliver secure, cost-effective, and high-performance infrastructure.
Building multi-tool-dependent workflows has always been challenging, but solving infrastructure-related problems such as scaling, observability, and flexibility is now within reach. By integrating various tools seamlessly into your workflow, you can streamline operations, automate repetitive tasks, and ensure that your systems are both resilient and adaptive to changing demands.
If you would like to start using Spacelift, create a free account today or book a demo with one of our engineers.
Solve your infrastructure challenges
Spacelift is a flexible orchestration solution for IaC development. It delivers enhanced collaboration, automation, and controls to simplify and accelerate the provisioning of cloud-based infrastructures.