Terraform Cloud
Team collaboration
Terraform Cloud provides several features that facilitate team collaboration. Some of these features include:
- Remote Operations: Terraform Cloud allows you to run Terraform from the local CLI or in a remote environment, trigger operations through your version control system, or use an API to integrate Terraform Cloud into your existing workflows.
- Role-Based Access Control: Terraform Cloud ensures that only approved teams can access, edit, and provision infrastructure with Terraform Cloud workspaces, single sign-on, and role-based access controls.
- State Management: Terraform Cloud securely stores and versions Terraform state remotely, with encryption at rest. Versioned state files allow you to access state file history.
- Private Module Registry: Terraform Cloud offers a private registry for sharing modules and providers. You can publish configuration modules in the Terraform Cloud private registry that define approved infrastructure patterns.
- Team Management: Teams are groups of Terraform Cloud users within an organization. If a user belongs to at least one team in an organization, they are considered a member of that organization. The organization can grant workspace permissions to teams that allow its members to start Terraform runs, create workspace variables, read and write state, etc. Teams can only have permissions on workspaces within their organization, although individual users can belong to teams in other organizations.
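The team and workspace permissions described above can be managed as code with the hashicorp/tfe provider. The following is an added example written for this page, not code from HashiCorp's documentation; the organization name, workspace name and user e-mail are assumed placeholders. It grants a developer team plan-only access (they can see what would change but cannot apply or write state) and an audit team a custom permission set that can read run logs but only state outputs, since full state often contains secrets.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Credentials come from the TFE_TOKEN environment variable or "terraform login";
# never hard-code the API token in configuration.
provider "tfe" {}

# Organization, workspace and e-mail below are assumed placeholders.
data "tfe_workspace" "prod" {
  name         = "prod-network"
  organization = "my-org"
}

# Membership is looked up by e-mail; the user must already belong to the organization.
data "tfe_organization_membership" "alice" {
  organization = "my-org"
  email        = "alice@example.com"
}

# Developers: may queue plans to see what would change, but cannot apply or write state.
resource "tfe_team" "developers" {
  name         = "developers"
  organization = "my-org"
  visibility   = "secret"
}

resource "tfe_team_organization_member" "alice_dev" {
  team_id                    = tfe_team.developers.id
  organization_membership_id = data.tfe_organization_membership.alice.id
}

resource "tfe_team_access" "developers_prod" {
  access       = "plan"
  team_id      = tfe_team.developers.id
  workspace_id = data.tfe_workspace.prod.id
}

# Auditors: custom permission set. Even the fixed "read" access level exposes the full
# state, which may contain secrets, so state access is limited to outputs only.
resource "tfe_team" "auditors" {
  name         = "auditors"
  organization = "my-org"
  visibility   = "secret"
}

resource "tfe_team_access" "auditors_prod" {
  access       = "custom"
  team_id      = tfe_team.auditors.id
  workspace_id = data.tfe_workspace.prod.id

  permissions {
    runs              = "read"
    variables         = "read"
    state_versions    = "read-outputs"
    sentinel_mocks    = "none"
    workspace_locking = false
    run_tasks         = false
  }
}
```

Keeping team access in configuration makes every privilege grant reviewable in version control, and the plan for this configuration shows exactly which team gains which permission on which workspace before anything is changed.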
Cost estimation
- Terraform Cloud provides cost estimates for resources in Terraform configuration
- Hourly and monthly costs, along with monthly delta, are displayed for each resource
- Total cost and delta of all estimable resources is also shown
- This feature is enabled by default and can be toggled in organization settings
- Cost estimate is performed for every run when enabled
- Estimated costs are shown in the run UI between plan and apply phases
- Default display is total monthly cost, but estimate can be expanded to see itemized list of resource costs and unestimated resources
Sentinel
Sentinel is a policy as code framework that allows you to define custom policies that can be automatically enforced within your Terraform workflow. With Sentinel, you can create cost-centric policies that are automatically assessed against changes. Administrators then have the ability to approve significant changes or to completely prevent specific workspaces from exceeding predetermined thresholds.
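The following is an added example, not code from the page or from HashiCorp, that turns the cost estimates described in the previous section into the two kinds of cost policy Sentinel allows: a soft-mandatory policy on the monthly cost delta, which an administrator can override for a justified large change, and a hard-mandatory ceiling on total monthly cost, which cannot be overridden. Both policies are embedded as heredocs in hashicorp/tfe provider resources; the organization name and the dollar thresholds are assumed values.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Token comes from TFE_TOKEN or "terraform login"; nothing sensitive lives in this file.
provider "tfe" {}

# Soft-mandatory: a run that adds more than the assumed $500/month delta fails the
# check, but an administrator may override it and let the run proceed.
resource "tfe_sentinel_policy" "cost_delta" {
  name         = "limit-monthly-cost-delta"
  description  = "Flag runs that raise estimated monthly cost by more than the limit"
  organization = "my-org" # assumed placeholder
  enforce_mode = "soft-mandatory"
  policy       = <<-EOT
    import "tfrun"
    import "decimal"

    # Assumed threshold for the monthly cost increase of a single run
    limit = decimal.new(500)

    # Fail closed: if cost estimation is disabled, tfrun.cost_estimate is null and a
    # run cannot be shown to be under the limit, so the policy must not pass.
    has_estimate = rule { tfrun.cost_estimate is not null }

    under_limit = rule when tfrun.cost_estimate is not null {
      decimal.new(tfrun.cost_estimate.delta_monthly_cost).less_than(limit)
    }

    main = rule { has_estimate and under_limit }
  EOT
}

# Hard-mandatory: no override is possible, so the workspace can never be applied
# above the assumed $5000/month ceiling.
resource "tfe_sentinel_policy" "cost_ceiling" {
  name         = "monthly-cost-ceiling"
  description  = "Block runs whose proposed total monthly cost exceeds the ceiling"
  organization = "my-org" # assumed placeholder
  enforce_mode = "hard-mandatory"
  policy       = <<-EOT
    import "tfrun"
    import "decimal"

    # Assumed ceiling for the whole workspace
    ceiling = decimal.new(5000)

    has_estimate = rule { tfrun.cost_estimate is not null }

    under_ceiling = rule when tfrun.cost_estimate is not null {
      decimal.new(tfrun.cost_estimate.proposed_monthly_cost).less_than(ceiling)
    }

    main = rule { has_estimate and under_ceiling }
  EOT
}
```

A policy only takes effect once it is included in a policy set that is attached to the relevant workspaces. Note the explicit null check: a plain rule when over tfrun.cost_estimate would evaluate to true when cost estimation is switched off, which would silently disable the guardrail.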
Remote Backend
Terraform Cloud allows you to run Terraform remotely through the UI, API, or CLI. When you use the CLI workflow, operations like terraform plan or terraform apply are executed remotely in Terraform Cloud's run environment by default, with log output streaming to the local terminal. This lets you use Terraform Cloud features within the familiar Terraform CLI workflow, including variables encrypted at rest in a Terraform Cloud workspace, cost estimates, and policy checking.
Here is an example of how to achieve this:
- First, add a block to your configuration that tells Terraform to use Terraform Cloud. On Terraform 1.1 and later this is the cloud block; the older remote backend form shown below does the same job and is still accepted. Note that the configuration contains no credentials: the API token comes from terraform login (or, on Terraform 1.2 and later, the TF_TOKEN_app_terraform_io environment variable). Here is an example:
terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "my-org"
    workspaces {
      name = "my-workspace"
    }
  }
}
- Next, initialize your working directory by running terraform init. This configures the backend and downloads any required providers.
- Now you can run terraform plan or terraform apply as usual. These commands are executed remotely in Terraform Cloud's run environment by default.
Here is an example of the output you might see when running terraform plan:
$ terraform plan
Running plan in the remote backend. Output will stream here. Pressing Ctrl-C
will stop streaming the logs, but will not stop the plan running remotely.
Preparing the remote plan...
To view this run in a browser, visit:
https://app.terraform.io/app/my-org/my-workspace/runs/run-abc123
Waiting for the plan to start...
Terraform v0.12.24
Configuring remote state backend...
Initializing Terraform configuration...
2020/04/14 15:21:07 [DEBUG] Using modified User-Agent: Terraform/0.12.24 TFC/abc123
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_instance.example will be created
+ resource "aws_instance" "example" {
+ ami = "ami-abc123"
+ arn = (known after apply)
+ associate_public_ip_address = (known after apply)
...
}
Plan: 1 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
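The same workspace configured with the current cloud block instead of the remote backend, as an added example that is not part of the original page. The organization and workspace names are the same placeholders used above; the variable name is an assumption chosen to show where secrets belong.

```hcl
terraform {
  # The cloud block was introduced in Terraform 1.1
  required_version = ">= 1.1.0"

  cloud {
    # Defaults to app.terraform.io; set your own hostname for Terraform Enterprise
    hostname     = "app.terraform.io"
    organization = "my-org" # assumed placeholder

    workspaces {
      # A single workspace by name; "tags = [...]" may be used instead to select
      # a set of workspaces and choose between them with "terraform workspace select"
      name = "my-workspace"
    }
  }
}

# No secret is written into the configuration or committed to version control.
# Declare the input as sensitive and set its value as a sensitive workspace variable
# in Terraform Cloud, where it is stored encrypted at rest and redacted from run logs.
variable "db_password" {
  type      = string
  sensitive = true
}
```

As with the remote backend, the token used to reach Terraform Cloud is never part of the configuration: run terraform login once, or export TF_TOKEN_app_terraform_io in CI. After terraform init, plan and apply behave exactly as shown in the output above.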
Policies and Policy sets
In Terraform Cloud, policies are rules that are enforced on Terraform runs. You can use policies to validate that the Terraform plan complies with security rules and best practices. Policy sets are collections of policies that you can apply globally or to specific projects and workspaces in your organization. For each run in the selected workspaces, Terraform Cloud checks the Terraform plan against the policy set.
Here is an example of how to create and manage a policy set in Terraform Cloud:
- First, you need to have the appropriate permissions to manage policies and policy sets for your organization.
- Next, you can choose one of the following workflows to manage policies and policy sets for your organization:
- Individually Managed: Add policies directly in the Terraform Cloud UI, and Terraform Cloud stores your policy code.
- Version Control: Connect Terraform Cloud to a version control repository containing a policy set. When you push changes to the repository, Terraform Cloud automatically uses the updated policy set.
- Automated: Push versions of policy sets to Terraform Cloud with the Terraform Cloud Policy Sets API. For Sentinel only, you can also use the tfe provider tfe_policy_set resource.
- Once you have created a policy set, you can apply it globally or to specific projects and workspaces in your organization.
- For each run in the selected workspaces, Terraform Cloud checks the Terraform plan against the policy set. Depending on the enforcement level, failed policies can stop a run in a workspace.
Here is an example of how to create a policy set using the Individually Managed workflow:
- In the Terraform Cloud UI, navigate to your organization’s settings page.
- Click on “Policy Sets” in the left sidebar.
- Click on “Create a new policy set”.
- Enter a name for your policy set and select “Manually managed” as the source.
- Click on “Create policy set”.
- Click on “Add policies” and select existing policies or create new ones.
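The Automated workflow mentioned above, as an added example written for this page rather than taken from HashiCorp's documentation: a Sentinel policy is defined inline and attached through a tfe_policy_set to one production workspace only, instead of globally. The policy rejects any aws_security_group_rule in the plan that opens port 22 (or all ports) to 0.0.0.0/0; the organization and workspace names are assumed placeholders.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Token comes from TFE_TOKEN or "terraform login"
provider "tfe" {}

# Assumed placeholder workspace that the set will be scoped to
data "tfe_workspace" "prod" {
  name         = "prod-network"
  organization = "my-org"
}

# Sentinel policy embedded as a heredoc so the whole set is defined in one place.
resource "tfe_sentinel_policy" "no_open_ssh" {
  name         = "no-open-ssh-ingress"
  description  = "Reject security group rules that expose SSH to the whole internet"
  organization = "my-org" # assumed placeholder
  enforce_mode = "hard-mandatory"
  policy       = <<-EOT
    import "tfplan/v2" as tfplan

    # Managed aws_security_group_rule resources being created or updated by this plan
    sg_rules = filter tfplan.resource_changes as _, rc {
      rc.type is "aws_security_group_rule" and
      rc.mode is "managed" and
      (rc.change.actions contains "create" or rc.change.actions contains "update")
    }

    # Ingress from 0.0.0.0/0 whose port range covers 22, or that allows all
    # protocols (protocol "-1", where from_port/to_port are 0 and not meaningful).
    # cidr_blocks is null when the source is another security group, so it is
    # checked before "contains"; Sentinel short-circuits "and".
    violations = filter sg_rules as _, rc {
      rc.change.after.type is "ingress" and
      rc.change.after.cidr_blocks is not null and
      rc.change.after.cidr_blocks contains "0.0.0.0/0" and
      (
        rc.change.after.protocol is "-1" or
        (rc.change.after.from_port <= 22 and rc.change.after.to_port >= 22)
      )
    }

    main = rule { length(violations) is 0 }
  EOT
}

# Policy set scoped to the production workspace rather than applied globally.
resource "tfe_policy_set" "prod_guardrails" {
  name          = "prod-guardrails"
  description   = "Hard-mandatory network guardrails for production"
  organization  = "my-org" # assumed placeholder
  policy_ids    = [tfe_sentinel_policy.no_open_ssh.id]
  workspace_ids = [data.tfe_workspace.prod.id]
}
```

Because the policy is hard-mandatory, a plan containing a violation cannot be applied by anyone, including administrators. One caveat a practitioner should keep in mind: this policy only inspects standalone aws_security_group_rule resources; ingress blocks written inline inside an aws_security_group resource need a separate check over that resource type.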
Air gapped systems support
An air-gapped system is a computer or network that is physically, and usually also logically, isolated from the internet and any other untrusted network, in order to prevent unauthorized access or data exfiltration. Typical examples are systems that control critical infrastructure such as a power plant or a water treatment facility.
Terraform Cloud itself is a hosted service and requires internet connectivity. For air-gapped networks, HashiCorp offers Terraform Enterprise, the self-hosted distribution of the same platform, which can be installed and operated without outside connectivity. The lack of internet access presents unique challenges to installing and maintaining the application, because nothing can be fetched on demand.
Terraform Enterprise can be installed using either an online or air-gapped method. The online method is easier and requires less preparation, but both result in fully functioning Terraform Enterprise environments. The air-gapped method requires some additional effort, such as manually installing prerequisite software like Docker and staging the Terraform Enterprise installation files in a location accessible within the air-gapped network.
Here is an example of how to perform an air-gapped install of Terraform Enterprise:
- First, download the Terraform Enterprise installation script file and make it available to the target system.
- Manually install Docker on the target system.
- Download the Terraform Enterprise air gap bundle for the desired release and stage it in a location accessible within the air-gapped network.
- Run the Terraform Enterprise installation script, specifying the location of the air gap bundle.