Compare: Terraform Cloud Agents, Scalr Agents, Spacelift Workers
Terraform Cloud, Scalr, and Spacelift use agents/workers to manage infrastructure as code. Learn the differences.
The majority of large enterprises using a Terraform automation platform will potentially need to use a self-hosted agent to execute runs. In this blog, we'll review the various options available to you.
In IaC platforms like HCP Terraform Cloud, Scalr, and Spacelift, agents are secure, self-hosted runners that you operate within your own private network.
Think of them as a bridge. The main SaaS platform (e.g., Scalr) orchestrates the "what" and "when" of an infrastructure job, but the agent handles the actual "how" and "where."
Why Use Agents
They are used for two primary reasons:
- Accessing Private Resources: The most common reason to use an agent is to manage infrastructure that isn't exposed to the public internet. This includes on-premises data centers, private cloud (VPC) subnets, databases behind firewalls, Kubernetes APIs, or other air-gapped environments. Since the agent lives inside your network, it has the necessary access to communicate with these private resources.
- Enhanced Security and Compliance: By using a self-hosted agent, you ensure that sensitive credentials (like database passwords or private keys) never leave your network boundary. The agent fetches the job from the cloud platform and applies it locally, using credentials that can be sourced directly from your internal secrets managers or the host's environment. This model is often a requirement for organizations with strict security postures or those in regulated industries (finance, healthcare, government).
How Agents Work
All three platforms design their agents to be secure by default, using an outbound-only polling model. This means the agent initiates a secure connection to the platform to ask for jobs, so you do not need to open any inbound firewall ports, significantly reducing the attack surface.
While we don't know the internals of Terraform Cloud or Spacelift, we ca share more about Scalr. Scalr agents work as secure HTTP relays that run within your private network and poll scalr.io for job instructions. The agent maintains an outbound-only connection to Scalr's cloud platform, meaning no inbound firewall rules or VPN connections are required. When Scalr needs to execute Terraform or OpenTofu runs, the agent receives the job, executes it locally within your private network where it has direct access to internal APIs, databases, and cloud resources, then reports the results back to Scalr. This architecture ensures that Scalr never has direct access to your private infrastructure while still enabling automated infrastructure management.
Platform Differences
When choosing a Terraform automation platform, understanding how each handles private infrastructure access through agents is crucial for security and cost considerations. The three major platforms—Terraform Cloud, Scalr, and Spacelift—take different approaches to agent architecture, pricing models, and feature availability that can impact your Terraform management strategy.
| Feature | Terraform Cloud Agents | Scalr Agents | Spacelift Agents |
|---|---|---|---|
| Agent Architecture | Has a single agent type for runs. Supports Kubernetes, Docker, or VM based deployments. | Offers two distinct agent types (for Runs and VCS). The "golden image" approach simplifies managing multiple Terraform or OpenTofu versions. Supports Kubernetes, Docker, or VM based deployments. | Provides two separate solutions with its "Private Workers" and "VCS Agents." Supports Kubernetes, Docker, or VM based deployments. |
| Concurrency | Agents do not impact run concurrency. Must purchase more concurrency regardless of agents. | Every agent deployed gives the Scalr account five more concurrent runs. If five agents were to be deployed, then the customer would get 25 concurrent runs. | Agents do not impact run concurrency. Must purchase more concurrency regardless of agents. |
| Terraform & OpenTofu Support | Terraform ✅ but OpenTofu isn't supported 🚫 | Terraform ✅ and OpenTofu ✅ | Terraform ✅ and OpenTofu ✅ |
| Security & Control | You control the host. Credentials can be injected as environment variables from the TFC workspace. | You control the host. Offers flexible credential management with provider configurations, including sourcing from instance profiles or custom hooks at runtime. | Gives you complete control over the worker's execution environment. |
Terraform Agent Pricing
The cost model for using agents across the three platforms is the biggest difference:
| Cost Type | Terraform Cloud Agents | Scalr Agents | Spacelift Agents |
|---|---|---|---|
| Direct Cost | Yes. Depends on the tier. The price is not documented, but the agent limit per tier is: • Free: 1 • Standard: 1 • Plus: 10 • Premium: 50 | $0. There is no extra charge for private agents/workers. All customers, including the free tier, start with 25 agents, which can be increased for free. | Yes. Spacelift's pricing is tiered, and each tier includes a specific number of private workers: • Free: No private workers • Starter: No private workers • Starter +: 1 private worker • Business: 3 private workers • Enterprise: 5 private workers |
| Indirect Cost / Impact | The use of agents is tied to your overall plan and its limitations. The primary cost driver is the Resources Under Management (RUM) and a feature gating pricing model. The number of concurrent runs you can execute is limited by your plan (Free and Standard tiers have low concurrency). While agents enable runs on private infrastructure, those runs still consume your plan's concurrency. In essence, the cost is baked into the platform fee, which can become substantial as your resource count grows. Hashicorp's pricing can be opaque and force you into a sales call, so we wrote this guide on Terraform Cloud pricing. | Scalr's pricing is strictly run-based. The key benefit is that each self-hosted agent you add increases your overall concurrency by five at no extra platform cost. This makes scaling your execution capacity highly cost-effective. You only pay for the runs you execute, regardless of whether they are on Scalr's runners or your own agents. Scalr pricing is super transparent, no talking to sales needed. | If you need more concurrency than your plan includes or workers provide, you must purchase additional workers or upgrade your plan. The number of private workers directly dictates your maximum concurrency on your own infrastructure, making the cost of scaling concurrency more explicit. |
In all three cases, you are also responsible for the cost of the underlying infrastructure (the VMs or container platforms) on which you run the agents. For the latest pricing, please go to the pricing page for the corresponding product.
Summary
All three platforms are very similar when it comes to run agents. The technology and use cases for run agents appear to be largely the same. Scalr and Spacelift have dedicated VCS agents, allowing users to connect to private VCS providers. The major difference between the platforms is the cost of agents. Scalr gives users the most agents by far and does not charge for extra agents or concurrency if requested. Both Spacelift and Terraform Cloud have multiple tiers to their pricing model that are gated by features as well as the number of agents available.
Scalr offers the most flexibility and is likely the most affordable platform if the number of agents and run concurrency are a main requirement.