Crunchtime serves up secure, predictable deployments with Spacelift

Before 2021, Crunchtime managed its infrastructure manually — mostly through cloud consoles and ad hoc changes. A successful experiment using Terraform to manage DNS was the catalyst for standardizing on infrastructure as code.

The team adopted Terraform across their AWS environments and introduced an infrastructure management platform to orchestrate it. However, over time, that platform became a bottleneck rather than an enabler. Unreliable GitHub pull request builds and unclear support responses eroded confidence in the deployment pipeline.

In 2023, Crunchtime decided to move their Terraform (and later, OpenTofu) workflows to Spacelift. Today, they run all stacks through Spacelift, using Spacelift itself to define and manage their own stacks.

In 2021, Crunchtime standardized on IaC and introduced an infrastructure management tool to orchestrate Terraform. Over roughly two years, several issues emerged:

• Unreliable PR builds
  GitHub pull request builds would often not trigger or would do so inconsistently.
• Lack of root-cause clarity from support
  Support responses rarely led to clear explanations or durable fixes.
• Growing activity and complexity
  As more people used Terraform and more infrastructure was automated, unreliability in the pipeline made it riskier. The team needed a platform they could trust for every PR and every deployment.
  

With “builds vanishing into the ether,” as Senior Software Engineer Allison Mar describes them, it was time to switch vendors.

“That was the main thing that convinced us, hey, we need to switch to a different vendor, because the unreliability of PR builds was not what we were expecting.”
Senior Software Engineer Allison Mar

Reliable PR builds and a smoother workflow

The primary requirement for the new platform was simple: reliability. Spacelift needed to integrate cleanly with GitHub, support Terraform and then OpenTofu, and ensure PR builds always appeared where engineers expected them.

That’s exactly what the Crunchtime team saw in practice: PR builds have been consistent and traceable, with no runs “disappearing.”

“We’ve had about 800 PRs since we switched to Spacelift, and we haven’t had to debug that portion of it. There’s never been one that’s gone missing.”

Spacelift also made PR history easier to interpret:

“Our previous tool used to just update the same comment in the PR, whereas Spacelift adds one comment per build. That’s nice because we can view our history.”

Security and access: safer by default

For Allison, Spacelift’s key strength is security. “The main benefit is security-related because Spacelift centralizes all the secrets and keys, keeping everything safe and secure.”

If deployments were done locally, engineers would need broad, high-privilege access to multiple environments. With Spacelift:

• Secrets and keys reside in a secure location.
• Spacelift has the necessary AWS permissions to effect changes.
• Individual engineers operate through Git-based workflows with guardrails.

“If I were just manually deploying it through my laptop, the amount of access I would need would mean that I could do a bunch of damage. With Spacelift, all the secrets are kept secure all the way through the pipeline.”

Guardrails over speed at all costs

Crunchtime intentionally trades a bit of raw speed for governance. Their workflow includes:

• A required PR for every infrastructure change
• PR builds and plan visibility in Spacelift
• At least one reviewer/approval
• A tracked run after merging a PR
• A manual confirm step before applying changes

“We do require someone to go and make a PR, merge it, and get it reviewed before any infrastructure changes can happen. We also have a guardrail that makes people confirm the plan on the tracked run before it goes off.”

Allison is clear that this is slower than clicking directly in the console — and that’s by design:

“There are intentional guardrails, and it is slower, but I think it’s a sacrifice we’re willing to make.”

Drift detection and policies in everyday use

Drift detection is enabled on all but one stack (the exception is a special admin stack), usually running twice a day, with one stack checking drift hourly. Results feed into Slack, so the team always knows when something has changed.

• Drift is reviewed manually to avoid overwriting intentional incident-time changes.
• For some stacks, especially in lower environments, drift may reflect experimentation; in production, it reveals unplanned changes that should be either rolled back or added into the code.

Policies help coordinate when and how runs happen:

• A core policy defines when PR builds (proposed runs) and post-merge tracked runs occur.
• Another policy governs notifications and tooling around tracked runs and drift detection.
  

Using OpenTofu to manage Spacelift

Crunchtime adopted OpenTofu after Terraform switched to a BUSL license, a migration that the team found reasonably straightforward:

“The OpenTofu upgrade was pretty simple as well… people have been able to get onto Spacelift pretty easily.”

Now, Crunchtime defines all of its Spacelift stacks using the OpenTofu provider:

• Stacks are created as code.
• Policy attachments, integrations, and drift detection are configured declaratively.
  

“Almost all the stacks are made through the code. We’re basically using Spacelift to make Spacelift, which is a cool thing.”

Eliminating ClickOps for large-scale data stacks

One of Crunchtime’s largest stacks provisions around 2,000 Snowflake resources. Before Spacelift and OpenTofu, this would have required manual creation and configuration.

Now, it’s entirely automated:

“The biggest stack we have is about 2,000 resources. Because we were able to get it all created in OpenTofu and in Spacelift, we haven’t had to do the ClickOps aspect of it.”

The result is several hours saved per customer rollout, with far fewer opportunities for human error:

“So much time has been saved through not having to click and create everything manually. You could potentially make some mistakes in the middle. It’s just much safer this way.”

Easy onboarding 

Spacelift has also made it easier to onboard new engineers into the infrastructure workflow:

• New team members learn OpenTofu and Spacelift together.
• The mental shift is more about IaC than about the platform itself.

“It’s been easy to use in terms of onboarding new folks into using Spacelift and OpenTofu. People have been able to get onto Spacelift pretty easily.”

By adopting Spacelift, Crunchtime gained:

• Reliable, predictable PR builds that “never go missing”
• Stronger security by centralizing secrets and access in Spacelift
• Significant time savings by replacing manual Snowflake provisioning with IaC
• Better governance through policies, drift detection, and PR-based workflows

As Senior Software Engineer Allison Mar puts it:

“I would definitely recommend Spacelift. The main reason is that we haven’t had any problems with it. It’s just been doing what it needs to do. And when you have a lack of problems, that is the main reason to go forward.”