Important Additional Functions

In general, it is worth taking a closer look at the additional functions and convenience add-ons in Spacelift. After all – and the developers behind Spacelift know this – it's not overly complicated to implement a CI/CD solution for IaC that rolls out applications and monitors their lifecycles. IT hipsters rely almost exclusively on Kubernetes for this task anyway with one of the countless solutions on the market, including Argo CD (Figure 4), which essentially pursues very similar goals to Spacelift and even works in a similar way under the hood. However, you need a running Kubernetes setup for Argo CD, which is offered along with superior alternatives by hyperscalers in most markets. Argo CD can also be used to create an existing setup from scratch in a relatively short time.

Figure 4: Existing projects on the market, such as Argo CD, promise similar features to Spacelift but require deployment by Kubernetes. Spacelift can also roll out "real" IaaS with the large hyperscalers and offers more flexibility. © Cinchy Project

The bells and whistles, then, are an integral part of the Spacelift product, and the Spacelift developers are doing a great deal to set themselves apart from the field with these additional functions, starting with compliance. Larger companies with several development teams, in particular, need binding specifications to enforce their internal standards when rolling out applications in the cloud. In addition to system configuration, these specifications also include monitoring mechanisms. For example, for user authentication standards to take effect, you first need to implement them correctly in your stack or blueprint, although it does not automatically mean they will work. Several features that Spacelift provides in terms of security and compliance come into play.

The solution is primarily concerned with compliance within your own field of responsibility. Spacelift offers an API for this purpose, which you can access from either the graphical user interface provided for all platforms or a command-line client for Linux and macOS. In many companies, logging staff actions is a prerequisite so that changes can be tracked retrospectively and any errors in the configuration and workflow can be identified and rectified.

Linking to existing user directories is not a problem for Spacelift. Security assertion markup language (SAML) and OAuth are available as authentication mechanisms and therefore offer connection to the identity and access management services of the major providers, to a self-operated Keycloak with LDAP in the background, or to a local Active Directory. However, Spacelift also offers the logging function for audit trails. Depending on the configuration, the service then logs everything done by individual users, including the complete payload of an API call. To ensure that Spacelift itself does not run out of space, the tool can also use various standard protocols such as Amazon Simple Storage Service to save the audit logfiles. Spacelift also monitors the upload, preventing audit logs from disappearing down the drain because of an unnoticed misconfiguration.

So that the boundary between the platform and the workload does not become an insurmountable hurdle for Spacelift, the service can also automatically roll out the OPA as part of a deployment (Figure 5). If these are part of a stack's configuration, Spacelift enforces them completely automatically at the administrator's request.

Figure 5: Policies are a special feature of Spacelift: Compliance and security rules can be enforced within rolled-out Spacelift stacks, to the delight of security officers. © Spacelift

Communication and Monitoring

Spacelift is also extremely communicative. To meet the modern requirements of ChatOps collaboration models, the tool offers native interfaces to Microsoft Teams and Slack. For example, certain actions in Spacelift can be configured to trigger automatic messages on previously configured Teams or Slack channels.

Spacelift also enables extensive remote control of external services. It can use webhooks to send commands to external Git directories when certain events occur. Additionally, Spacelift exposes an interface for you to execute webhooks, ensuring that a commit in the remote Git directory automatically triggers an adjustment of the stack in Spacelift, including any security precautions. You can build entire command sequences at this point: A Git commit then initially leads to a proposed run taking place. A run completing without error in turn triggers an update of the tracked run.

In combination, these features are much more powerful than anything that, say, Argo CD can achieve, and this is all the more true because Spacelift is quite open in terms of the internal communication of its individual services. Stacks, for example, can now be set in relation to each other with the use of dependencies. In this way, something will only happen in one stack once another task has successfully completed in another stack, although you need to be aware that this kind of setup will significantly increase complexity in Spacelift.

Spacelift aims to mitigate errors caused by complexity by offering a number of monitoring options. Datadog and Prometheus are part of the standard repertoire, including the respective metrics collectors, but you need at least to define the setup in the stack or in blueprint configurations. Logically, if an application has a native interface to Datadog, the interface also needs to be enabled in the configuration.

By the way, Spacelift does not view the tools as peers. Prometheus is primarily intended for monitoring Spacelift itself, whereas Datadog can also monitor services running in stacks within Spacelift.

Pricing

Small teams that do not need many of the features described and do not need too many workloads can use the free version of Spacelift, although it only supports two users and one project. That said, most of the features are already integrated. If you need the described dependencies on stacks or deeper integration with cloud and authentication services, you can opt for the cloud option – which costs $250 per month and includes five users, with each additional user costing $10 – and multitenant capability.

The Enterprise package includes the described audit trail feature and single sign-on with SAML or OpenID Connect; it also supports private Git directories. Unfortunately, I cannot give you a price for this option. If you want to order the Enterprise product including commercial support, you have to call Spacelift beforehand, which is extremely annoying. However, it can be assumed that there will be a significant surcharge for the Enterprise version compared with the cloud option.

Two things annoyed me. Most companies probably need many of the functions reserved for the expensive Enterprise version, and Spacelift is not cheap. The manufacturer's response to this criticism is that its CI/CD and IaC solution can save the average corporation several full-time equivalents (FTEs) over the years, which has to be factored into the price. In most companies, however, procurement is unlikely to wave Spacelift through quickly, because the prices are too stiff.