Terraform Automation with GitHub Pull Requests

Make Terraform changes by commenting on GitHub Pull Requests. Install our GitHub App and start applying Terraform changes faster than a speeding bullet.

Bring your Terraform workflow to our centralized platform where everyone can plan and apply

First-Class GitHub App

Terraform automation by commenting on Pull Requests. Leverage GitHub Secrets for sensitive data. Safe locking with approved and mergeable apply requirements.

Third-Party Integrations

Out-of-the-box support for Terragrunt, Infracost, Driftctl, Tfsec, and Slack. Custom add-ons using pre and post command hooks and webhooks.

Role-Based Access Control

Advanced role-based access control per organization, repository, directory, or workspace. Restrict access using GitHub Code Owners.

Security-First Architecture

Remote state, plan, and apply data secured by end-to-end encryption. Customers hold their own private keys. Automatic workflow to rotate keys.

Terraform without leaving GitHub

Benefit from safe and effective change management

Terraform Plan

Open a pull request and Terrateam will automatically run a plan against your changes. Plan output securely posted back to the pull request for your team to review.

Apply Requirements

Require pull requests to be approved, mergeable, and to satisfy GitHub branch protection rules before Terrateam applies changes.

Safety First

Terrateam will apply a plan only if the pull request has the lock.

Terraform Apply

Terrateam will apply any planned changes if it has the lock and all of the apply requirements are met.

Third-Party Integrations

Enable Terraform add-ons with a flick of a switch

Cost Estimation

infracost

Infracost shows cloud cost estimates using Terraform plan files. See a cost breakdown and understand costs before making changes.

Drift Detection

driftctl

A free and open-source CLI that warns of infrastructure drift and fills in the missing piece in your DevSecOps toolbox.

Terragrunt

terragrunt

Terragrunt is a thin wrapper that provides extra tools for keeping your configurations DRY, working with multiple Terraform modules, and managing remote state.

Static Analysis

tfsec

Tfsec uses static analysis of your Terraform code to spot potential misconfigurations.

File-based Configuration

Our config.yml is used to control all aspects of Terrateam. No UI necessary.

enabled: true
version: "1"
when_modified:
  file_patterns: ["**/*.tf", "**/*.tfvars"]
  autoplan: true
  autoapply: false
  module_dir_fragment: ["./modules/v1", "./modules/v2"]
  module_root_dir_file_pattern: "main.tf"
tf_state_dir_pattern_list: ["**/*.tf"]
automerge:
  enabled: true
  delete_branch: true
checkout_strategy: merge
default_tf_version: "1.1.9"
apply_requirements: ["mergeable", "approved"]
cost_estimation:
  enabled: true
drift_detection_schedule:
  enabled: true
  schedule: "daily"
permissions: []
hooks:
  plan:
    pre:
      - type: run
        cmd: ["./scripts/hook-pre-plan.sh"]
    post:
      - type: run
        cmd: ["./scripts/hook-post-plan.sh"]
  apply:
    pre:
      - type: run
        cmd: ["./scripts/hook-pre-apply.sh"]
    post:
      - type: run
        cmd: ["./scripts/hook-post-apply.sh"]
workflows:
  - tag_query: iam
    plan:
      - type: run
        cmd: ["./scripts/workflow-iam-plan-pre-exec.sh"]
      - type: init
      - type: plan
        extra_args: ["-parallelism=20"]
  - tag_query: workspace:production
    apply:
      - type: init
      - type: apply
      - type: run
        cmd: ["./scripts/workflow-production-workspace-successful-apply.sh"]
        run_on: success
dirs:
  iam:
    tags: [iam]
    when_modified:
      file_patterns: ['iam/*.tf']

Security-First Architecture

It's your data. You own it.

Plan Output

Sensitive data from Terraform plan output is obfuscated to ensure secrets and passwords are never displayed in clear text.

Remote State

Backend state encrypted and decrypted using customer-provided keys securely stored in trusted GitHub Secrets. Terrateam does not store customer private keys.

End-to-end Encryption

Built from the ground up with security in mind. Only customers can read and write their data. Terrateam has no access.

Customer-Managed Keys

Peace of mind that your data is secure from the start using a privately generated key. Workflow in place to rotate keys as often as you want.

GitHub App Install to Terraform Apply 🚀