Posted on 28 March 2025.
For the past 2 years, at Theodo Cloud, we’ve been developing Burrito, our open-source TACoS. We used it on real projects to gather feedback. Let’s recap what Burrito is and what it’s helped us solve!
Burrito is our open-source TACoS
Burrito is a TACoS: Terraform Automation and Collaboration Software. This category of tools offers a variety of features to automate Terraform / OpenTofu usage and ease collaboration on small to large infrastructure codebases. TACoS emerged from the observation that it was difficult to create a great Terraform CI/CD.
A TACoS should provide:
- Environment Management: support a wide range of Terraform runtimes (Terraform versions, Terragrunt…), environment variables / secrets…
- Observability: provide an easy way to check if a layer (a remote Terraform state) needs to be planned/applied. This enables drift detection, a problem that grows with your codebase.
- Workflow Management: provide the ability to trigger Terraform plan/apply based on events (e.g. run apply on merge to `main`, plan for a Pull Request…).
- Access Control: not everyone in your organization should have the right to create a new layer, or to modify or apply one.
HCP Terraform Cloud or Spacelift can qualify as TACoS. However, those solutions are proprietary software, and self-hosting is an option only in the highest pricing tiers.
In the open-source world, Atlantis and FluxCD Tofu Controller exist, but they do not provide the full set of features expected of a TACoS.
Burrito is our proposal for an open-source TACoS that runs as a Kubernetes operator.
A real-world use-case of Burrito
At Theodo Cloud, we leveraged Burrito on a major Platform Engineering project involving extensive infrastructure supporting dozens of micro-services and micro-frontends.
This represents around 600 Terraform layers. We identified two key areas where Burrito delivers significant value:
- Drift Detection:
  - Burrito provides built-in drift detection, allowing the Platform team to quickly identify differences between infrastructure-as-code (IaC) and actual deployed infrastructure.
  - Though drift incidents are infrequent, having continuous monitoring reassures teams and facilitates rapid troubleshooting, significantly reducing potential downtime.
- Empowering Developers with Autonomous Deployments:
  - Developers independently manage frontend deployments using Burrito’s intuitive PR/MR workflow integration.
  - With standardized Terraform code structures, developers autonomously instantiate frontend modules, such as consistent S3 + CloudFront setups.
  - The Burrito runners are configured with the principle of least privilege (`overrideRunnerSpec`), ensuring secure deployments restricted solely to frontend infrastructure.
  - Burrito’s user interface (UI) streamlines visibility and allows manual synchronization, further enhancing developer autonomy and operational efficiency.
Main view of Burrito UI, offering a direct view to all the layers
With so many layers, we also addressed several challenges:
- I/O Issues: Managing numerous Terraform layers caused significant network I/O operations when downloading Terraform providers. We solved this by using Hermitcrab as a provider pull-through cache.
- Resource Optimization and Parallelism: To better handle resources, we added features to Burrito such as maximum parallelism settings and synchronization windows.
Thanks to Burrito, our developer and Platform teams experience increased productivity and reduced infrastructure deployment bottlenecks, directly translating into faster releases and improved operational safety.
What we plan for the future
Burrito aims to become a reference open-source TACoS for Platform Engineering.
Our near-future roadmap includes (but is not limited to):
- Repository Content Polling: Making Burrito autonomous in detecting changes within an IaC repository, eliminating the dependency on webhooks.
- Layer Auto-Discovery: Automatically adding new `TerraformLayers` when new IaC code appears, and intelligently managing dependencies between layers.
- Advanced Monitoring: Exporting meaningful metrics to integrate seamlessly with monitoring solutions.
- Advanced Automations: Implementing pre-hook and post-hook mechanisms to seamlessly run additional tools around your IaC codebase, such as checkov, tflint, or guacamole.
We warmly welcome community contributions, including issues, questions, pull requests, and most importantly feedback!
We aim to expand Burrito’s user base and build a vibrant open-source community around it. See you on GitHub!