Appearance

About Terramate ​

Terramate is the Infrastructure as Code (IaC) Development Platform that helps platform teams, developers, and AI agents deploy and manage cloud infrastructure at scale with Terraform, OpenTofu, Terragrunt, and Kubernetes so they can ship faster across teams, reduce risk and platform toil, and maximize the value of their existing IaC investment.

The platform consists of two components:

Terramate CLI OSS

Structure, orchestrate, and automate IaC locally and in any CI/CD.

  • Stacks
  • Environment management
  • Code generation
  • Dependency-aware orchestration
  • Change detection
  • Parallel execution
  • State-aware retries
  • CI/CD & GitOps automation
  • Self-service infrastructure

Terramate Cloud SaaSBYOC

Observe, collaborate, and govern infrastructure delivery at scale.

  • Dashboard
  • Pull request previews
  • Deployment tracking
  • Drift management
  • Alerts
  • Policy controls
  • DORA insights
  • AI agents
  • MCP server & skills
  • SlackOps workflows
  • Integrations

Terramate Overview

Architecture ​

Terramate CLI runs locally or in your CI/CD and executes infrastructure workflows where your code already lives. It then pushes metadata and workflow outcomes to Terramate Cloud for visibility, governance, and collaboration.

Terramate CLI orchestrates Terraform/OpenTofu inside your CI/CD runner, then pushes deployment, preview, and drift metadata to Terramate Cloud. Cloud closes the loop by reporting results back to your pull requests as comments, status checks, and alerts.

Important

Terramate is not a CI/CD platform. It runs inside your existing delivery setup, so you keep your current CI/CD, secrets management, and permissions model (for example, GitHub Actions, GitLab CI/CD, Bitbucket, Azure DevOps, Atlantis, CircleCI, and Jenkins).

Terramate Cloud does not require access to your source code / repositories, Terraform state backend, or cloud accounts.

How a typical workflow works ​

  1. Define: Organize infrastructure into environments with bundles, components, and stacks, and keep them DRY by using reusable code generation patterns.
  2. Orchestrate: Change detection identifies which environments contain changes and orchestrates plan/apply only there, instead of running across the entire repository.
  3. Preview: Run plans in pull requests to review impact and risk before applying changes.
  4. Deploy: Execute dependency-aware applies with parallel execution and state-aware retries.

Day-2 operations ​

Once infrastructure is running, Terramate keeps it healthy:

  • Observe: Track deployments, detect drift, and route alerts through Terramate Cloud.
  • Maintain: Use AI agents to update, remediate, and maintain infrastructure with less day-2 effort.

CLI in action ​

Run terraform apply only in changed stacks and sync deployment data to Terramate Cloud:

sh
terramate run \
  --changed \
  --parallel 5 \
  --sync-deployment \
  --terraform-plan-file=out.tfplan \
  -- \
  terraform apply -input=false -auto-approve out.tfplan

What this command does:

  • terramate run executes any command across targeted stacks. In this example, it orchestrates terraform apply.
  • --changed runs only in stacks affected by your changes, not across the whole repository.
  • --parallel 5 executes up to five eligible stacks concurrently for faster delivery.
  • --terraform-plan-file=out.tfplan explicitly sets the plan filename created in each stack, which Terramate uses to extract resources and metadata for Terramate Cloud sync.
  • --sync-deployment is explicit opt-in; remove this flag to run locally or in CI without syncing to Terramate Cloud.

Security and data handling ​

Terramate uses a push-based model: execution happens in your local or CI environment, and Terramate CLI pushes workflow data to Terramate Cloud. Terramate Cloud does not require direct access to your source code, Terraform state files, or cloud provider accounts.

  • Execution control stays with you: Keep Terraform/OpenTofu execution in your own runtime and permission boundary.
  • Data flow is explicit: Send only the deployment, preview, and drift metadata needed for visibility and collaboration.
  • Client-side sanitization: When extracting resources from plan files, Terramate CLI redacts all sensitive values -- such as secrets, certificates, and credentials -- on the client side before pushing any data to Terramate Cloud. No sensitive data ever leaves your environment.
  • Security docs: Learn more in Security and Data Processing.

Next steps ​

Learn more ​