GitOps CI/CD Orchestration

Run Terraform in pull requests without the constraints

Zero lock-in GitOps orchestration for Terraform and OpenTofu. Unlimited users, unlimited runs, unlimited concurrency. Dependency-aware execution with policy enforcement.

Zero Lock-in Unlimited Everything Dependency Aware Policy Enforcement Professional & Enterprise

Infrastructure changes, right in your pull requests

Complete visibility into every change before it hits production

stategraph-bot

commented

Stategraph Plan Output

production/compute

+ google_compute_instance.api_server

n2-standard-4 instance in us-central1-a

+ google_compute_disk.data

500GB SSD persistent disk

Plan: 2 to add, 0 to change, 0 to destroy

Downstream: 1 output consumed by production/networking updates in this plan

Cost Estimation

+$266.24

Total Monthly Difference (+14%)

Approval Requirements

✓ Platform team

1/1 approved

⏱ Security team

0/1 required

Production changes require security team approval

To apply all these changes, comment:

stategraph apply

Enterprise GitOps without the enterprise tax

Dependency-aware orchestration

Automatically handles execution order and parallelization. Network infrastructure runs first, then databases, then applications.

Layer 0: Validation

terraform validate

Layer 1: Foundation

prod/networking

Layer 2: Data & Compute (Parallel)

prod/database

prod/eks

Layer 3: Applications

prod/application

Granular Apply Policies

development: Anyone

staging: 1× platform

prod: 2× platform + security

Policy Override

FAILED

→

OVERRIDE

→

APPLY

Drift Detection

Drift Detected

- retention: 7 → 14

+ multi_az: false → true

CODEOWNERS & RBAC

iam/*.tf → @security

cost > $500 → @finance

A transactional backend under the workflow

The PR automation is the visible half. Underneath, every plan and apply runs through Stategraph's transaction engine.

Atomic multi-state changes

A change that spans networking, compute, and application states applies as one transaction. No partial applies, no hand-written ordering scripts, no "apply A, then remember to apply B".

Conflict detection at commit

Non-overlapping pull requests apply in parallel—even against the same root module. When two changes do touch the same resources, the second is rejected with the conflicting transaction IDs instead of corrupting state.

Per-run credentials

CI runs authenticate with short-lived session tokens minted per transaction—no long-lived admin keys sitting in pipeline secrets. API keys can be limited to what an operation actually needs.

An audit trail you can query

Who changed what, when, in which state—recorded automatically for every run, from CI or a laptop, and queryable with SQL. Evidence for auditors is a query, not an archaeology project.

Flexible deployment options

Cloud hosted

Get started instantly with our secure, fully-managed cloud offering. We handle updates, scaling, and maintenance.

✓ Zero maintenance overhead
✓ Automatic updates & security patches
✓ Global availability

BYOC (Bring Your Own Cloud)

We operate Stategraph inside your AWS, GCP, or Azure account. Combines a fully managed experience with the control of running in your own infrastructure.

✓ Dedicated infrastructure
✓ Data residency control
✓ Fully managed
✓ AWS, GCP, or Azure support

Self-hosted

Deploy in your own infrastructure. Complete control over data residency and security policies.

✓ Full data sovereignty
✓ Air-gapped environments
✓ Docker Compose or Kubernetes
✓ Custom security controls

Included with Professional and Enterprise: unlimited users, unlimited runs, unlimited concurrency, unlimited private runners.

No per-user fees, no per-run charges. Orchestration scales with your team, not your invoice.

Works with Stategraph Backend

Use Stategraph's PostgreSQL backend for state storage with SQL queries, drift detection, and blast radius analysis—all orchestrated through pull requests.

Start Running Terraform in Pull Requests

Available with Professional and Enterprise tiers. Unlimited users, unlimited runs, unlimited concurrency.

See pricing Read the docs