Which Tier of Terraform Cloud are you Using?
Understanding the version you’re using, whether it’s Terraform Cloud for Business, the regular Terraform Cloud, or Terraform Enterprise, will influence the features and scalability options available to you. The distinction between these offerings is:
Terraform Cloud: Hosted at app.terraform.io, it has paid tiers, allowing for more users, enhanced permissions, policy enforcement, and better collaboration.
Business Tier: Ideal for large organizations. It facilitates multiple concurrent runs, infrastructure creation in private environments, Single Sign-On (SSO) for user access management, and self-service provisioning.
Terraform Enterprise: For organizations prioritizing advanced security and compliance, offering a private instance inclusive of Terraform Cloud’s advanced features.
Why Choose TFC vs TFE?
The rationale behind using TFC or TFE can be multifold.
Developer Experience: If the focus is to enable teams to utilize Terraform, consider incorporating comprehensive documentation, links, and deep dives. Inexperienced teams might also benefit from training sessions.
Guarding Terraform State Files: Ensuring strict access to state files, plans, and applications means a meticulous design of team roles, potentially involving security teams.
Enhancing Cloud Security: Implementing sentinel policies and automating policy management becomes pivotal here. A well-structured approval process for Terraform code repositories is also essential.
Optimizing Deployment Times: To achieve this, the infrastructure of the Terraform and its repositories is crucial. Efficient review processes and speculative plans for new PRs can also be helpful.
How Do You Plan to Interact with Terraform Cloud?
There are three primary ways to interact with TFC. Below is a simple representation of each workflow and also more information about each of them, pros, and cons.
graph TD
subgraph "VCS-driven Workflow"
VCS1[VCS Repository]
VCS2[Webhook to Terraform Cloud]
VCS3[Terraform Cloud Workspace]
VCS4[Infrastructure Provisioned]
VCS1 --> |"PR Creation"| VCS2
VCS2 --> |"Speculative Plan"| VCS3
VCS3 --> |"Confirm & Apply after PR Merge"| VCS4
end
subgraph "API-driven Workflow"
API1[Custom Tool/Service]
API2[Terraform Cloud API]
API3[Terraform Cloud Workspace]
API4[Infrastructure Provisioned]
Agent2[GitHub Runner]
API1 --> |"API Call"| API2
API2 --> |"Queue Plan"| API3
Agent2 --> |"Confirm & Trigger"| API1
API3 --> |"Confirm & Apply"| API4
end
subgraph "CLI-driven Workflow"
CLI1[Local Machine]
Agent1[GitHub Runner]
CLI2[Terraform Cloud Workspace]
CLI3[Terraform Cloud Remote Backend]
CLI4[Infrastructure Provisioned]
CLI1 --> |"terraform plan"| Agent1
Agent1 --> |"Trigger terraform apply"| CLI2
CLI2 --> |"Terraform Cloud Processes Apply"| CLI3
CLI3 --> |"Infrastructure Provisioned"| CLI4
end
API-Driven Workflow: This might require you to develop an app with a unique GUI. In my experience, this is rarely the chosen route.
CLI-Driven Workflow: Often preferred by power users, this method integrates with orchestrators like GitHub Actions or Azure DevOps for runs.
VCS-Driven Workflow: This involves connecting your Version Control System (like GitHub) with TFC. I’ve observed this to be the most popular choice for initial interactions. It supports speculative plans right off the bat, ensuring quick team integration.
Other Decisions to Consider
Several decisions must be finalized before proceeding:
Naming your Terraform Cloud Org
Adhere to lowercase and hyphens.
Structuring TFC Teams
Only five owners are typically allowed in TFC. The designation of workspace admins, the nature of team access, and the choice between out-of-the-box roles or custom roles (which come with overhead) are all crucial decisions.
Tokens & CLI/API-driven Workflows
Be mindful of the nuances of user, team, and org tokens in TFC.
Workspace Naming Conventions
A consistent naming pattern is vital. Remember, the character limit is 90. Inclusions like cloud platform, environment, and app abbreviations can be helpful.
SSO Integration
If you’re considering Single Sign-On or other authentication methods, be prepared for the necessary setup.
Automating TFC
Terraform offers a TFC provider for this. Automation can streamline the creation process but might be overwhelming for inexperienced teams.
Using the Private Module Registry
This requires in-depth discussions and initial setup.
Other Actions & Features
Finally, always define owners in the TFC portal. Some optional features to consider are cost estimation, drift detection, and using Terraform agents on your cloud platforms.
