Skip to content
Terrateam

Editions and Licensing

Terrateam ships in two editions: the Open Source Edition (MPL-2.0, free) and the Enterprise Edition (commercial, included with Hosted SaaS or available via a self-hosted Enterprise license). This page is the canonical reference for which features live in each edition.

At a Glance

Section titled “At a Glance”
CapabilityOpen SourceEnterprise
GitOps pull request automation (plan / apply)
Pre-merge and post-merge applies
Multi-environment / multi-workspace coordination
Tag queries and tag system
Locking and parallel execution
Config builder (dynamic config, Terragrunt, tree builder)
Custom workflows and custom runners
Cost estimation (Infracost)
Policy enforcement: OPA/Rego, Checkov, built-in
Stacks and dependency coordination
Audit trail
Full UI for runs, logs, and debugging
Private runners
Drift detection — single schedule
Drift detection — multiple schedules per repo
Access Control / RBAC (access_control.enabled: true)
CODEOWNERS enforcement (require_completed_reviews)
Gatekeeper (manual approval gates with tokens)
Centralized Configuration (defaults/overrides across repos)
API Access Tokens (/api/v1/{vcs}/access-token)
Self-hostable✅ (Enterprise license)
LicenseMPL-2.0Commercial

Open Source Edition

Section titled “Open Source Edition”

The Open Source Edition includes the full core Terrateam workflow engine — the same engine that the Enterprise Edition (and Hosted SaaS) is built on, minus the Enterprise-only governance features listed below. It is licensed under MPL-2.0, the source is on GitHub, and you can self-host it on Docker, Kubernetes, or AWS ECS.

Included:

  • The complete pull-request automation engine: triggers, dirspaces, plan and apply, pre- and post-merge runs, automerge, rollbacks
  • The full configuration system (.terrateam/config.yml) including hooks, custom workflows, parallel runs, batch runs, layered runs, stacks, tag queries, and the config builder
  • All IaC tool integrations (Terraform, OpenTofu, Terragrunt, Pulumi, CDKTF) and all cloud provider integrations
  • All policy and cost integrations: OPA, Checkov, Infracost, built-in policy
  • Drift detection with a single schedule per repository
  • Audit trail, private runners, plan file storage
  • The full UI for tracking runs, viewing logs, and debugging workflows

Enterprise Edition

Section titled “Enterprise Edition”

The Enterprise Edition includes everything in the Open Source Edition, plus the governance features below. It is included automatically with all Hosted SaaS plans, and is available for self-hosted deployments via an Enterprise license.

Access Control / RBAC

Fine-grained policies that control who can plan, apply, apply-force, apply-autoapprove, unlock, and update CI or Terrateam config — by user, GitHub team, or repo role (admin, maintain, write, triage, read). Rules can be scoped with tag queries and combined with super-approval. See RBAC and the access_control reference.

CODEOWNERS Enforcement

The require_completed_reviews apply requirement enforces that all CODEOWNERS-required reviewers have approved a pull request before any apply can run. See the CODEOWNERS guide.

Gatekeeper

Manual approval gates inside workflow steps. When a gated step (security scan, policy check, custom validation) fails, the workflow pauses and posts an approval request — authorized users approve via a terrateam gate approve <token> PR comment to let the workflow continue. See Gatekeeper.

Centralized Configuration

Maintain global defaults, global overrides, per-repo defaults, per-repo overrides, and forced configurations in a single terrateam repository, layered onto each repo’s local .terrateam/config.yml. See Centralized Config.

Multiple Drift Schedules

Configure more than one drift schedule per repository (for example, an hourly tag-scoped schedule for production plus a daily schedule for staging). The Open Source Edition supports a single schedule per repo. See Drift Detection.

API Access Tokens

Programmatic API access via POST /api/v1/{vcs}/access-token. Create, list, refresh, and delete scoped tokens for KV-store reads/writes and other operations. See Access Tokens API.

What happens if I enable an Enterprise feature in Open Source?

Section titled “What happens if I enable an Enterprise feature in Open Source?”

Terrateam validates every repo configuration when it loads. If your .terrateam/config.yml enables an Enterprise-only setting on an Open Source server, Terrateam rejects the config and posts a comment on the pull request explaining which feature requires Enterprise. The feature does not silently no-op.

The configurations that are rejected on Open Source are:

  • access_control.enabled: true
  • More than one entry under drift.schedules
  • Any apply_requirements.checks[].approved.require_completed_reviews: true
  • Calling terrateam gate approve <token> (or any workflow gate with a token)

Centralized Configuration and the API access-token endpoints are simply not present on Open Source — the Open Source server only reads each repo’s local .terrateam/config.yml, and the access-token routes are not registered.

How to Get Each Edition

Section titled “How to Get Each Edition”

Open Source Edition

Section titled “Open Source Edition”

Enterprise Edition

Section titled “Enterprise Edition”
  • Hosted SaaS: Included on all plans at terrateam.io. The fastest way to use the Enterprise feature set with no infrastructure to run.
  • Self-hosted Enterprise: A licensed build of the Enterprise server you run yourself — contact sales.

Choosing the Right Edition

Section titled “Choosing the Right Edition”

Open Source is the right fit when:

  • You have a single team or a small number of repos and don’t need org-wide governance
  • A single drift schedule per repo is sufficient
  • Your existing GitHub branch protection rules are enough; you don’t need Terrateam to enforce CODEOWNERS or fine-grained RBAC inside the apply flow
  • You’re comfortable self-hosting and running upgrades

Enterprise is the right fit when:

  • Multiple teams share infrastructure and you need policies that scope who can apply what
  • You need CODEOWNERS approvals enforced as a hard gate before apply
  • You want to manage configuration centrally across many repositories
  • You need manual approval gates on security or policy failures (Gatekeeper)
  • You want different drift cadences for production vs. non-production
  • You want managed SaaS with no infrastructure to operate

Upgrading from Open Source

Section titled “Upgrading from Open Source”

If you are running the Open Source Edition and need Enterprise features:

  1. Switch to Hosted SaaS — get started immediately at terrateam.io. All Enterprise features are enabled out of the box.
  2. Self-hosted Enterprise license — keep your existing self-hosted deployment and switch to the Enterprise build. Contact sales.