
Spacelift Review 2026: Is It Worth It for Terraform GitOps?

Honest review of Spacelift after using it for Terraform workflows. How it compares to Atlantis and Terraform Cloud, what's great, what's not.

DevOpsBoys · 3 min read

Spacelift is a CI/CD platform specifically designed for infrastructure-as-code. It supports Terraform, OpenTofu, Pulumi, Ansible, and Kubernetes, with deep GitOps workflows. After using it on a mid-sized AWS estate (~300 resources across 12 stacks), here's an honest take.

What Spacelift Actually Does

At its core, Spacelift provides:

  • Stacks: Each stack tracks a Terraform workspace, its state, and drift
  • Policies: OPA-based policies that gate applies (approval rules, compliance checks)
  • Contexts: Reusable environment variables/secrets injected into stacks
  • Blueprints: Templated stacks you can deploy from a service catalog

When a PR is opened, Spacelift automatically runs terraform plan. Engineers see the plan diff in the PR. Applies are triggered on merge (or require manual approval depending on policy).

What's Actually Good

Policy-as-Code is Excellent

This is where Spacelift shines. Instead of hoping people follow process, you codify the rules:

rego
# policy/require-approval-for-prod.rego
package spacelift

# Require human approval for any production stack change
deny[msg] {
    input.run.stack.labels[_] == "production"
    not input.run.approved
    msg := "Production changes require approval"
}

# Block destroys of databases
deny[msg] {
    change := input.terraform.resource_changes[_]
    change.type == "aws_db_instance"
    # Matches any action list containing "delete", so a replacement
    # (["delete", "create"]) is blocked as well as a plain destroy
    change.change.actions[_] == "delete"
    msg := sprintf("Destroying database %s requires explicit override", [change.address])
}

You write policies in OPA/Rego and they are enforced automatically on every run. No more "did someone forget to approve this?"
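To see what the two rules above actually evaluate, here is an added Python pre-check (not Spacelift's code) that mirrors them against a constructed `terraform show -json` plan: the `resource_changes` array is the same structure the plan policy receives as `input.terraform.resource_changes`, and the `run` dict stands in for the page's `input.run`. It also shows that a replacement, which Terraform encodes as `["delete", "create"]`, is caught by the database rule.

```python
"""Local mirror of the page's two Spacelift deny rules (added example)."""
import json

# Resource types whose deletion is blocked; the page's rule covers only aws_db_instance.
PROTECTED_TYPES = {"aws_db_instance"}


def database_destroy_denials(plan: dict) -> list[str]:
    """Mirror of `deny` rule 2: one message per protected resource whose actions include 'delete'.

    Terraform encodes a replacement as ["delete", "create"] (or ["create", "delete"]
    with create_before_destroy), so replacements are denied too, exactly as
    `change.change.actions[_] == "delete"` behaves in Rego.
    """
    denials = []
    for change in plan.get("resource_changes", []):
        if change.get("type") not in PROTECTED_TYPES:
            continue
        if "delete" in change.get("change", {}).get("actions", []):
            denials.append(
                f"Destroying database {change['address']} requires explicit override"
            )
    return denials


def approval_denials(run: dict) -> list[str]:
    """Mirror of `deny` rule 1: production-labelled stacks need `approved` to be true.

    Rego's `not input.run.approved` fires when the field is false OR absent,
    so a missing flag is treated as unapproved here as well.
    """
    labels = run.get("stack", {}).get("labels", [])
    if "production" in labels and not run.get("approved"):
        return ["Production changes require approval"]
    return []


# Constructed sample: a trimmed plan JSON with a DB replacement, a DB update and an S3 delete.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"]}},
    {"address": "aws_db_instance.replica", "type": "aws_db_instance",
     "change": {"actions": ["update"]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"]}}
  ]
}
""")

if __name__ == "__main__":
    run = {"stack": {"labels": ["production"]}}  # constructed: no approval recorded
    for msg in approval_denials(run) + database_destroy_denials(SAMPLE_PLAN):
        print(msg)
```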

Drift Detection

Spacelift can detect when real infrastructure drifts from your Terraform state — someone manually clicked in the console, a resource was modified outside Terraform. It runs periodic plans and flags drift.

yaml
# Scheduled drift detection
schedules:
  drift:
    cron: "0 */4 * * *"  # every 4 hours
    timezone: "UTC"

Worker Pools

You can run Spacelift workers inside your own VPC instead of their SaaS runners. This is essential if your Terraform needs to reach private resources (RDS, internal APIs).

yaml
# docker-compose for self-hosted worker pool
services:
  spacelift-worker:
    # Pin a specific tag in production rather than tracking :latest
    image: public.ecr.aws/spacelift/runner-terraform:latest
    environment:
      SPACELIFT_TOKEN: ${WORKER_TOKEN}  # worker pool credentials, supplied from the host environment
      SPACELIFT_POOL_ID: ${POOL_ID}
    volumes:
      # Mounting the Docker socket gives the worker root-equivalent control of the host's
      # Docker daemon, so dedicate this host to the worker pool
      - /var/run/docker.sock:/var/run/docker.sock

Stack Dependencies

If Stack B (application) depends on Stack A (networking), Spacelift can auto-trigger B after A applies successfully. This replaces complex CI scripting:

yaml
# Stack B configuration
dependencies:
  - stack: networking-prod
    reference: vpc_id  # pass output from Stack A to Stack B

What's Not Great

Rego Learning Curve

OPA/Rego is powerful but not beginner-friendly. Writing non-trivial policies takes time. The docs are decent but there's a cliff after "hello world."

Cost at Scale

Spacelift pricing is per user and per run. For small teams or hobbyists, it's expensive relative to self-hosted Atlantis. It makes financial sense at 10+ engineers who are actively running infrastructure changes.

At the time of writing: Spacelift pricing starts at $99/month for teams.

UI Can Be Slow

The runs list and stack view load slowly when you have 50+ stacks. Not a dealbreaker but noticeable.

Spacelift vs Atlantis vs Terraform Cloud

| Feature | Spacelift | Atlantis | Terraform Cloud |
| Setup | SaaS (easy) | Self-hosted | SaaS (easy) |
| Policy-as-code | OPA/Rego (excellent) | None (native) | Sentinel (proprietary) |
| Drift detection | Yes | No | Yes |
| Non-Terraform support | Yes (Pulumi, k8s, Ansible) | No | Limited |
| Worker pools | Yes (private) | Always private | Yes |
| Cost | $$$ | Free (hosting cost only) | $$ |
| Stack dependencies | Yes | No | No |
| Best for | Teams wanting governance + multi-tool | Terraform-only, budget-conscious teams | AWS-heavy teams on HashiCorp ecosystem |

My Verdict

Spacelift is the right choice if:

  • You have 5+ engineers making infrastructure changes
  • You need policy enforcement (compliance, security gates)
  • You use more than just Terraform (Pulumi, Ansible, etc.)
  • Drift detection matters for your environment

Stick with Atlantis if:

  • You're Terraform-only
  • You want self-hosted with no SaaS cost
  • Your team is small (< 5 engineers on infra)

Score: 7.5/10

The policy system and drift detection are genuinely excellent. The cost and Rego learning curve keep it from being a universal recommendation. For teams that need governance, there's nothing better in the market right now.

Try Spacelift | Atlantis | OpenTofu
