Bringing Teams Together with Terraform Cloud

In my previous blog post, I introduced Terraform. We will continue in that theme and look at Terraform Cloud in this blog post.


Why Terraform Cloud?

In its default state, Terraform CLI uses a local workflow: it performs operations on the workstation where it is invoked and stores state in a local directory. In enterprise usage, however, it is common for several team members to share responsibilities, which makes it infeasible to have every member log in to one workstation to execute Terraform code. Further, that workstation becomes a single point of failure.

If we treat infrastructure as code, then it stands to reason that we must also apply the best practices of managing code, i.e., maintain the code in a repository and enable multiple users to contribute, review, and approve code changes. Terraform Cloud addresses these needs by providing a team-oriented remote workflow through the following features:

  • Workspace-based Organization Model
  • Remote State Management
  • Private Module Registry
  • Version Control Integration
  • Remote Terraform Execution

Let us take a closer look at each of these features:

Workspace-based Organization Model

Workspaces: Terraform Cloud Workspaces are analogous to the working directories of local Terraform execution – this is where Terraform Cloud maintains everything needed to manage the infrastructure – configuration, state data, variables etc.

There are 3 basic units of the organizational model:

Organizations: These are high-level constructs. An organization may consist of many teams. The organization owner (or owners) create teams and manage their permissions on workspaces.

Teams: Teams consist of users and reflect the organization’s structure.

Users: Users are individual members who belong to teams and are granted permissions on an organization’s workspaces.


Remote State Management

As discussed in the previous post, the Terraform state file contains the identifiers and properties of resources created as part of a configuration and is used by Terraform to manage and destroy the resources. An important point to note is that all state data, including sensitive data, is stored as a plain-text JSON file.

With remote state management, Terraform Cloud does not persist state data on the local machine; instead, state is stored and managed remotely and held in memory only when needed. Terraform Cloud always encrypts state at rest and protects it with TLS in transit. Terraform Cloud can also lock the state file while changes are being made. This is useful when multiple users attempt to make changes concurrently, as it ensures that all changes are captured and that everyone has a consistent view of the state file.
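The following root-module configuration, added here as an illustration and not taken from the original post, shows the minimal Terraform block that switches a project from local state to a Terraform Cloud workspace. The organization name "example-org", the workspace name "networking-prod" and the variable "db_password" are placeholders; the block assumes Terraform 1.1 or later (which introduced the cloud block) and an API token obtained beforehand with `terraform login`.

```hcl
terraform {
  # The cloud block was introduced in Terraform 1.1.
  required_version = ">= 1.1.0"

  # Remote state: once this block is present, `terraform init` stores state
  # in the named Terraform Cloud workspace instead of a local terraform.tfstate.
  # Runs against this workspace also take the workspace's state lock, so two
  # engineers applying at the same time cannot clobber each other's changes.
  cloud {
    organization = "example-org" # placeholder organization (assumed)

    workspaces {
      name = "networking-prod" # placeholder workspace (assumed)
    }
  }
}

# Marking an input as sensitive redacts it from plan and apply output.
# The value is still written to the state file in plain text, which is
# exactly why state belongs in Terraform Cloud (encrypted at rest, TLS in
# transit) rather than in a directory on someone's workstation.
variable "db_password" {
  type      = string
  sensitive = true
}

# Outputs that derive from a sensitive value must themselves be marked
# sensitive, otherwise Terraform refuses the configuration.
output "db_password" {
  value     = var.db_password
  sensitive = true
}
```

After `terraform init` runs, check that no `terraform.tfstate` file appears in the working directory and that the workspace in the Terraform Cloud UI shows the state version; if a local state file is still present, the cloud block was not picked up.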


Private Module Registry

A Terraform module is a set of Terraform configuration files in a single directory. It functions as a container for resources that are used together. Instead of expressing your infrastructure as one complex, monolithic configuration, you can identify, isolate, and encapsulate the reusable components into modules.

Terraform Cloud includes a private module registry which enables you to share modules across your organization.
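As an added example (not code from the original post), this is how a configuration consumes a module published in the organization's private registry. The registry source format is hostname/ORGANIZATION/MODULE/PROVIDER; "example-org", the module name "vpc" and its input "cidr_block" are placeholders assumed for illustration.

```hcl
# Consume a module from the private registry rather than from a public source.
# Source format: <hostname>/<ORGANIZATION>/<MODULE NAME>/<PROVIDER>.
module "vpc" {
  source = "app.terraform.io/example-org/vpc/aws" # placeholder org and module (assumed)

  # Pin the version. A pessimistic constraint (~> 1.2) accepts 1.2.x and later
  # 1.x releases; use an exact constraint (= 1.2.0) when every module upgrade
  # must go through review before it reaches a run.
  version = "~> 1.2"

  # Module inputs are defined by the module author; this one is assumed.
  cidr_block = "10.0.0.0/16"
}
```

Because the registry pulls module versions from tagged releases in the connected VCS repository, the version constraint is what decides whether a newly tagged (and possibly unreviewed) release is picked up on the next run; the private registry also means `terraform init` needs the same Terraform Cloud credentials as remote state.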


Version Control Integration

Terraform Cloud supports GitHub, GitLab and Bitbucket among other Version Control System (VCS) providers. This integration with a VCS repository enables Terraform Cloud to automatically initiate Terraform runs when changes are committed to a specified branch. It is also important to the functioning of the private module registry, since the registry relies on VCS repositories for most of its data.


Remote Terraform Execution

Terraform needs a machine to run. In remote execution, Terraform Cloud will spin up disposable virtual machines in its own cloud infrastructure and execute Terraform runs on those machines. Remote Terraform execution is sometimes referred to as “remote operations.”



Terraform Cloud can use webhooks to notify external systems about the progress of runs. Each workspace has its own notification settings and can notify up to 20 destinations.


High-level Terraform Cloud workflow

Let us put all the above concepts together, and illustrate a sample high-level Terraform Cloud workflow as follows:

1. Create a Terraform Cloud account.
2. Create an Organization.
3. Create a Workspace.
As part of your workspace creation, you will perform the following:

  • Connect Terraform Cloud to your VCS (e.g., GitHub).
  • Choose a Repository that hosts your Terraform code.

4. Create your Infrastructure.

While the infrastructure code will be hosted in your VCS, you may be required to enter environment-specific information (e.g., for AWS) that your Terraform configuration needs. You may set these as Terraform variables on the “Variables” page.

5. Edit your infrastructure and commit to VCS.

  • Once your changes are committed in VCS, a Terraform run will be triggered in Terraform Cloud.
  • Terraform Plan will be kicked off as the first step of the Terraform run.
  • Once the Plan is finished, you will need to confirm the changes if you wish to go ahead and apply them.


Please look at this tutorial for a hands-on walkthrough of the above workflow.


Terraform Cloud Offerings

Terraform Cloud is free to use for up to 5 users. For larger teams, consider the paid upgrades of Terraform Team & Governance, or Terraform Business. Terraform Team & Governance includes team management, role-based access control (RBAC), cost estimation, and policy as code using Sentinel. Terraform Business includes all the features of Team & Governance, with the addition of SSO, audit logging, ServiceNow integration and a 99.9% SLA.


Terraform Cloud and Terraform Enterprise

Terraform Enterprise is a self-hosted version of Terraform Cloud. Companies that would like to use Terraform Cloud but host and manage it within the perimeter of their own data center, for governance, compliance or other reasons, may choose Terraform Enterprise instead of Terraform Cloud.

In this blog post, we covered the features of Terraform Cloud that make it a compelling offering for teams looking to manage their Infrastructure-as-Code in an automated and secure manner. Feel free to give it a try!

Ganesh Shankaran is a Cloud Solutions Engineer at Groupware.