
Project OpenTaco is an effort to create a fully open-source, self-hostable alternative to Terraform Cloud / Terraform Enterprise, brought to you by the team behind Digger.dev. This post explains the motivations behind it - what it is and why we chose to name it separately from Digger.
The acronym stands for “Terraform Automation and Collaboration Software”, coined in 2022 by Piotr Zaniewski. The need for additional software on top of Terraform itself arises from the fact that Terraform is a CLI, and to operate it needs privileged access to the cloud environments it manages. This means that every developer using Terraform needs to have this level of access on their machine. This may be ok for a small startup team where often there’s only one person managing infra, but in larger organisations there are often hundreds or even thousands of environments, and everyone having access to everything is not a good option security-wise.
A seemingly straightforward solution to the security problem is centralising Terraform execution - perhaps in a CI/CD system. Terraform runs centrally and access is guarded by code review in a version control system. But if you do that, then developers lose the ability to validate their changes before they are pushed and merged - not a good option again, this time from a developer productivity standpoint. This tradeoff is called the “merge/apply dilemma” - Yi Lu describes it in great detail in his Pains in Terraform Collaboration article.
This is why TACO software exists - to provide a robust layer of security for Terraform without slowing teams down.
The very first piece of TACO software, unsurprisingly, was Terraform Enterprise by HashiCorp - announced at HashiConf’2017 alongside Sentinel and Terraform Module Registry. It was intended for self-hosting (not SaaS), but not open source. It focused on securing access to state files and introduced the concept of Workspaces to support splitting large state files into smaller pieces to reduce blast radius.
Then in 2018 Luke Kysow launched Atlantis, an open-source service written in golang that runs the terraform binary on the server. It wasn’t a TFE equivalent strictly speaking - it was only concerned with automating Terraform deployments from pull requests, leaving state management and other aspects to the user. Atlantis pioneered the “apply-before-merge” workflow - you can comment “atlantis apply” in an open pull request and Atlantis will start an apply job with your changes - before they are merged. This is considered by many an elegant solution to the merge/apply dilemma; but it is also somewhat controversial because it breaks the standard CI/CD flow. Luke joined HashiCorp in late 2018.
In 2019 HashiCorp announced Terraform Cloud - a fully managed backend and web application for Terraform, hosted on HashiCorp servers. It built upon ideas of TFE but now with a better user interface and SaaS pricing model. Below is the screenshot of its key features at the time of announcement:

Soon after, other commercial TACOs were launched - notably Spacelift, Env0 and Scalr. Like TFE and TFC these solutions allowed centralised management of Terraform state and runs, but improved upon various aspects of it. For example Spacelift introduced powerful concepts like Stacks and Dependencies, and supported OPA policies natively. In 2023 HashiCorp added native support of OPA to Terraform Cloud because Sentinel did not gain broad adoption.
We launched Digger in 2023 initially as a lightweight alternative to Atlantis. It allowed for a similar before-merge PR automation workflow but without the need to host a server, instead using GitHub Actions natively for running plan / apply jobs. Later it evolved into an orchestrator service that could start jobs in parallel, allowing for faster runs without sacrificing security and scalability.
Other open-source takes on the TACO problem include Terrakube, OTF, Terramate, Terrateam.
Evolution of TACOs
The history and evolution of Terraform Automation and Collaboration Software (TACOs) from 2017 to present
2017
Terraform Enterprise Launch
The very first piece of TACO software by HashiCorp, announced at HashiConf'2017 alongside Sentinel and Terraform Module Registry. It focused on securing access to state files and introduced Workspaces to reduce blast radius.
2018
Atlantis Open Source Launch
Luke Kysow launched Atlantis, an open-source service written in Go that runs the terraform binary on the server. It pioneered the 'apply-before-merge' workflow, allowing users to comment 'atlantis apply' in pull requests.
Late 2018
Luke Kysow Joins HashiCorp
The creator of Atlantis joined HashiCorp, bringing his expertise in Terraform automation and collaboration workflows to the company.
2019
Terraform Cloud Announcement
HashiCorp announced Terraform Cloud - a fully managed backend and web application for Terraform, hosted on HashiCorp servers. It built upon TFE ideas with a better user interface and SaaS pricing model.
2019+
Commercial TACOs Emerge
Other commercial TACOs were launched including Spacelift, Env0, and Scalr. These solutions improved upon TFE and TFC with features like Stacks, Dependencies, and native OPA policy support.
2023
HashiCorp Adds OPA Support
HashiCorp added native support of OPA to Terraform Cloud because Sentinel did not gain broad adoption, following the success of other platforms like Spacelift.
2023
Digger Launch
Launched as a lightweight alternative to Atlantis, allowing similar before-merge PR automation workflow without hosting a server, using GitHub Actions natively. Later evolved into an orchestrator service for parallel jobs.
2025
Terraform's Backstage Moment
Digger launches project OpenTaco to create an open standard for Terraform automation.