{"componentChunkName":"component---src-templates-blog-post-js","path":"/post/terraform-cloud","result":{"data":{"headerImage":{"childImageSharp":{"fluid":{"aspectRatio":3.3992537313432836,"src":"/static/b72d38f0a9a131a445c0798c8f11b233/85c19/blog-post-intro.png","srcSet":"/static/b72d38f0a9a131a445c0798c8f11b233/c95ef/blog-post-intro.png 911w,\n/static/b72d38f0a9a131a445c0798c8f11b233/6d938/blog-post-intro.png 1822w,\n/static/b72d38f0a9a131a445c0798c8f11b233/85c19/blog-post-intro.png 3635w","srcWebp":"/static/b72d38f0a9a131a445c0798c8f11b233/bbedc/blog-post-intro.webp","srcSetWebp":"/static/b72d38f0a9a131a445c0798c8f11b233/8f106/blog-post-intro.webp 911w,\n/static/b72d38f0a9a131a445c0798c8f11b233/4b1a2/blog-post-intro.webp 1822w,\n/static/b72d38f0a9a131a445c0798c8f11b233/bbedc/blog-post-intro.webp 3635w","sizes":"(max-width: 3635px) 100vw, 3635px"}}},"relatedPosts":{"nodes":[]},"socials":{"frontmatter":{"socials":{"linkedin":"https://www.linkedin.com/company/myops-yael","github":"https://github.com/opsguru-israel"}}},"markdownRemark":{"html":"<h2>What is Terraform Cloud?</h2>\n<p>Recently HashiCorp released Terraform Cloud to the general public. Terraform Cloud is HashiCorp's solution for executing Terraform code, running in their hosted cloud. This solution simplifies environment management, code execution, state file management, as well as permissions management.</p>\n<h2>How does it work?</h2>\n<p>Terraform Cloud is a Terraform Enterprise solution stripped of some features. In order to use Terraform Cloud you will have to sign up for an account at <em><a href=\"https://app.terraform.io/\">https://app.terraform.io/</a></em>. Once you have your account you will need to set up the <em><a href=\"https://www.terraform.io/docs/commands/cli-config.html\">~/.terraformrc</a></em> file with an <em><a href=\"https://www.terraform.io/docs/cloud/users-teams-organizations/users.html#api-tokens\">API key</a></em>.
This is a crucial piece if you intend to run Terraform Cloud code from your local machine.</p>\n<p>Terraform Cloud uses organizations and workspaces to organize your code and environments. To quote the official <em><a href=\"https://www.terraform.io/docs/cloud/users-teams-organizations/organizations.html\">documentation</a></em>, \"Organizations are shared spaces for teams to collaborate on infrastructure\". Each organization can have multiple workspaces that define groups of resources of your infrastructure. Normally, a user will create one organization (a common use case for small and medium companies) and have multiple workspaces describing their environments. The Terraform Cloud documentation provides a really good set of best practices on how to organize and name your workspaces.</p>\n<p>Please read <em><a href=\"https://www.terraform.io/docs/cloud/workspaces/naming.html\">https://www.terraform.io/docs/cloud/workspaces/naming.html</a></em> for more details.</p>\n<p>Example of an organization and workspaces:</p>\n<p><img src=\"/img/myops-terraform-cloud-blog-1.jpg\"></p>\n<p>Workspaces are the key to how your environment is organized. Each workspace has the following key features:</p>\n<ul>\n<li>Stores the state file and history of state file changes.</li>\n<li>Stores Terraform variables and environment variables.</li>\n<li>Stores passwords, credentials, and secret keys as sensitive.</li>\n<li>Connects to a GitHub repo and monitors code changes on a specified branch.</li>\n</ul>\n<h2>State files</h2>\n<p>Workspaces eliminate the need for S3, GCS, or any other hosted storage service to store your remote Terraform state files. Terraform Cloud will store state files for you and version them at the same time.
You will be able to see a detailed trail of historical changes to the state file, which is great for auditing purposes.</p>\n<p>Example of state file versioning:</p>\n<p><img src=\"/img/myops-terraform-cloud-blog-2.jpg\"></p>\n<p>If you are developing locally on your laptop, you will need to specify a workspace through the <em>terraform init</em> command.</p>\n<p>For example, <em>terraform init -backend-config=init.tfvars</em>, where <em>init.tfvars</em> looks something like this:</p>\n<p>If your workspace is connected to your GitHub repo then you don't have to do anything. You only need to set the workspace to listen to your branch and push the code to that branch.</p>\n<h2>Variables</h2>\n<p>Variables can be set directly in the workspace. This feature enables one code base to be reused across multiple environments. In that case, each environment will have a different set of values for variables. You can also safely store passwords and keys by setting the <em>Sensitive</em> flag on the variable. This feature allows security teams or admins to safely set sensitive variables.</p>\n<p>One good use case for sensitive variables is the GCP service account credentials key pair. This file is necessary for the GCP Terraform provider and it is usually hard to manage (some people store it in services like Vault). In the example below, the <em>credentials.json</em> content of a service account is stored in the <em>credentials</em> variable.</p>\n<p>Example of variables:</p>\n<p><img src=\"/img/myops-terraform-cloud-blog-3.jpg\" alt=\"A screenshot of Terraform variables.\"></p>\n<h3>GitHub connection</h3>\n<p>By connecting your workspace to your GitHub repository you get a CI/CD pipeline for free with Terraform Cloud. You can set up your workspace to monitor changes in branches and folders. For example, you can set your network-stg workspace to monitor only the network folder on the master branch. Every time a commit is made, Terraform Cloud will run <em>terraform plan</em>.
As a precautionary measure, changes will only be applied after you verify the planned changes and manually confirm them.</p>\n<p><img src=\"/img/myops-terraform-cloud-blog-4.jpg\"></p>\n<p>Another cool feature of GitHub integration with Terraform Cloud is the automatic run of <em>terraform plan</em> in response to Pull Requests. For example, if your workspace is monitoring the master branch and you create a PR on that branch, Terraform Cloud will run <em>terraform plan</em> as part of the PR validation tests. This gives you a small sanity test before doing the PR merge.</p>\n<p>Example of PR checks:</p>\n<p><img src=\"/img/myops-terraform-cloud-blog-5.jpg\"></p>\n<h3>Workspace management</h3>\n<p>Workspaces can be managed via:</p>\n<ul>\n<li>API calls (<em><a href=\"https://www.terraform.io/docs/cloud/api/workspaces.html\">https://www.terraform.io/docs/cloud/api/workspaces.html</a></em>)</li>\n<li>Terraform Enterprise provider (<em><a href=\"https://www.terraform.io/docs/providers/tfe/index.html\">https://www.terraform.io/docs/providers/tfe/index.html</a></em>)</li>\n</ul>\n<p>The Terraform Enterprise provider will require you to store a state file somewhere externally (for example, an S3 or GCS bucket). API calls will require you to script your own solution. In my opinion, storing the state file for workspaces defeats the purpose of having Terraform Cloud. Now you will also need to worry about proper credentials to push the state file to your external storage. I also tried creating a workspace that will hold a state file for created workspaces but that didn't work at all. I kept getting weird errors and eventually I just gave up.</p>\n<p>Investing a bit of time to come up with a script that reads a YAML file with workspace configuration is worthwhile.
That way your YAML config becomes a single source of truth and, as long as it doesn't have any secrets in it, it can be committed to your Git repo.</p>\n<p>You can find example scripts to create workspaces and push variables in our example repository: <em><a href=\"https://github.com/ops-guru/gcp-terraform-cloud/tree/master/workspaces\">https://github.com/ops-guru/gcp-terraform-cloud/tree/master/workspaces</a></em></p>\n<h2>How does it stack up?</h2>\n<p>Terraform Cloud can potentially replace the need for tools like Terragrunt or for CI/CD tools like Jenkins. For example, workspaces and variables remove the need for Terragrunt's HCL files. Integration with GitHub removes the need for Jenkins or Google Cloud Build, for example. I'm pretty sure that we will see more features added to Terraform Cloud in the future. One that I would personally really like to see is the ability to build and execute pipelines directly in Terraform Cloud. For example, changes in the <em>network-dev</em> workspace will trigger <em>terraform apply</em> in the <em>application-app</em> workspace.</p>\n<h2>Drawbacks</h2>\n<p>Some features that work with regular Terraform or Terragrunt are not currently possible with Terraform Cloud.</p>\n<p>For example:</p>\n<ul>\n<li>Very slow local <em>terraform plan/apply</em> commands:</li>\n</ul>\n<p>When executing a terraform command from your local machine, all the code and all the plugins and providers are uploaded to Terraform Cloud for execution. This can take 5 minutes or longer per command.</p>\n<ul>\n<li>Can't deploy Git tags:</li>\n</ul>\n<p>At the moment I was only able to deploy Git branches but not Git tags. For example, it would be very useful to deploy tags only to production workspaces.</p>\n<ul>\n<li>Can't do local-exec easily:</li>\n</ul>\n<p>Terraform Cloud executes users' code on Ubuntu OS instances/Docker containers. The Terraform code being executed doesn't have sudo privileges to install software through apt.
This feature is only available in Terraform Enterprise. That means that if your Terraform code uses a Linux utility to do some pre- or post-processing, it is very likely that the utility cannot be installed.</p>\n<p>You can install some software following these instructions: <em><a href=\"https://www.terraform.io/docs/cloud/run/install-software.html\">https://www.terraform.io/docs/cloud/run/install-software.html</a></em></p>\n<ul>\n<li>Can't do remote-exec on private instances in your environment:</li>\n</ul>\n<p>In the case of GCP you would need to create an SSH tunnel to proxy the requests. This would need the <em>gcloud</em> command installed on the machine, which is not easy to achieve.</p>\n<ul>\n<li>Can't really use the Kubernetes provider on private clusters:</li>\n</ul>\n<p>Same reason as local-exec.</p>\n<ul>\n<li>No integration with Vault:</li>\n</ul>\n<p>At the moment there is no easy integration between Vault and Terraform Cloud.</p>\n<p>Terraform Cloud is still a very new product, which means that there are bugs in the code and documentation. You can find a complete list of issues here: <em><a href=\"https://github.com/hashicorp/terraform/issues?q=is%3Aissue+is%3Aopen+terraform+cloud+label%3Aterraform-cloud\">https://github.com/hashicorp/terraform/issues?q=is%3Aissue+is%3Aopen+terraform+cloud+label%3Aterraform-cloud</a></em>.</p>\n<p>The list will likely grow as more and more people adopt Terraform Cloud.</p>\n<h2>Conclusion</h2>\n<p>Terraform Cloud is definitely a game changer in the way companies will use Terraform. For the very low price of $20/month/user it can bring great value to a DevOps team. As the product starts gaining traction I'm sure that HashiCorp will introduce more and more features. With efficient use of workspaces and integrations with GitHub, a lot of companies can stop relying on tools like Terragrunt to manage their environments.
At the moment I would recommend Terraform Cloud to small startups or small to medium companies that have some Terraform experience.</p>","frontmatter":{"url":"terraform-cloud","seo":{"title":"Terraform Cloud","description":"Terraform Cloud is HashiCorp solution for Terraform code executions, running in their hosted cloud. This solution simplifies environment management, code execution, state file management, as well as permissions management.","canonical":null,"image":{"childImageSharp":{"fluid":{"aspectRatio":1.4285714285714286,"src":"/static/d2b1968707a0c710d26a26104e08f133/724c8/myops-terraform-cloud-blog.jpg","srcSet":"/static/d2b1968707a0c710d26a26104e08f133/84d81/myops-terraform-cloud-blog.jpg 250w,\n/static/d2b1968707a0c710d26a26104e08f133/f0719/myops-terraform-cloud-blog.jpg 500w,\n/static/d2b1968707a0c710d26a26104e08f133/724c8/myops-terraform-cloud-blog.jpg 1000w,\n/static/d2b1968707a0c710d26a26104e08f133/d79bd/myops-terraform-cloud-blog.jpg 1500w,\n/static/d2b1968707a0c710d26a26104e08f133/a66ad/myops-terraform-cloud-blog.jpg 2000w,\n/static/d2b1968707a0c710d26a26104e08f133/55260/myops-terraform-cloud-blog.jpg 3700w","srcWebp":"/static/d2b1968707a0c710d26a26104e08f133/36ebb/myops-terraform-cloud-blog.webp","srcSetWebp":"/static/d2b1968707a0c710d26a26104e08f133/1d872/myops-terraform-cloud-blog.webp 250w,\n/static/d2b1968707a0c710d26a26104e08f133/4e6d4/myops-terraform-cloud-blog.webp 500w,\n/static/d2b1968707a0c710d26a26104e08f133/36ebb/myops-terraform-cloud-blog.webp 1000w,\n/static/d2b1968707a0c710d26a26104e08f133/fd45d/myops-terraform-cloud-blog.webp 1500w,\n/static/d2b1968707a0c710d26a26104e08f133/6e77b/myops-terraform-cloud-blog.webp 2000w,\n/static/d2b1968707a0c710d26a26104e08f133/862fd/myops-terraform-cloud-blog.webp 3700w","sizes":"(max-width: 1000px) 100vw, 1000px","maxHeight":700,"maxWidth":1000}}}},"title":"Terraform 
Cloud","date":"2019-12-01T17:00:00.000Z","tags":null,"author":{"name":"MyOps","photo":{"extension":"png","publicURL":"/static/3ff870573bc56665ee67e3cf3f5fc163/logo-small.png","childImageSharp":{"fluid":{"aspectRatio":0.8759124087591241,"src":"/static/3ff870573bc56665ee67e3cf3f5fc163/b460a/logo-small.png","srcSet":"/static/3ff870573bc56665ee67e3cf3f5fc163/d966b/logo-small.png 120w,\n/static/3ff870573bc56665ee67e3cf3f5fc163/67196/logo-small.png 240w,\n/static/3ff870573bc56665ee67e3cf3f5fc163/b460a/logo-small.png 480w,\n/static/3ff870573bc56665ee67e3cf3f5fc163/eec14/logo-small.png 596w","srcWebp":"/static/3ff870573bc56665ee67e3cf3f5fc163/35871/logo-small.webp","srcSetWebp":"/static/3ff870573bc56665ee67e3cf3f5fc163/83552/logo-small.webp 120w,\n/static/3ff870573bc56665ee67e3cf3f5fc163/2b5a3/logo-small.webp 240w,\n/static/3ff870573bc56665ee67e3cf3f5fc163/35871/logo-small.webp 480w,\n/static/3ff870573bc56665ee67e3cf3f5fc163/c0cb3/logo-small.webp 596w","sizes":"(max-width: 480px) 100vw, 480px"}}}},"image":{"childImageSharp":{"fluid":{"aspectRatio":1.4285714285714286,"src":"/static/d2b1968707a0c710d26a26104e08f133/8c3c2/myops-terraform-cloud-blog.jpg","srcSet":"/static/d2b1968707a0c710d26a26104e08f133/15aed/myops-terraform-cloud-blog.jpg 300w,\n/static/d2b1968707a0c710d26a26104e08f133/a07a5/myops-terraform-cloud-blog.jpg 600w,\n/static/d2b1968707a0c710d26a26104e08f133/8c3c2/myops-terraform-cloud-blog.jpg 1200w,\n/static/d2b1968707a0c710d26a26104e08f133/cd33f/myops-terraform-cloud-blog.jpg 1800w,\n/static/d2b1968707a0c710d26a26104e08f133/1c8c6/myops-terraform-cloud-blog.jpg 2400w,\n/static/d2b1968707a0c710d26a26104e08f133/93080/myops-terraform-cloud-blog.jpg 3700w","srcWebp":"/static/d2b1968707a0c710d26a26104e08f133/e7405/myops-terraform-cloud-blog.webp","srcSetWebp":"/static/d2b1968707a0c710d26a26104e08f133/4fec1/myops-terraform-cloud-blog.webp 300w,\n/static/d2b1968707a0c710d26a26104e08f133/483a3/myops-terraform-cloud-blog.webp 
600w,\n/static/d2b1968707a0c710d26a26104e08f133/e7405/myops-terraform-cloud-blog.webp 1200w,\n/static/d2b1968707a0c710d26a26104e08f133/7f800/myops-terraform-cloud-blog.webp 1800w,\n/static/d2b1968707a0c710d26a26104e08f133/7acea/myops-terraform-cloud-blog.webp 2400w,\n/static/d2b1968707a0c710d26a26104e08f133/8750d/myops-terraform-cloud-blog.webp 3700w","sizes":"(max-width: 1200px) 100vw, 1200px"}}}}}},"pageContext":{"id":"8adb27b4-eee4-5dba-b3bf-1496e7a0a838","categories":[]}},"staticQueryHashes":["2022990323","639612397"]}