Terraform Cloud

Overview of Terraform Cloud

Terraform Cloud is a service that makes it easy for small teams to manage shared infrastructure with Terraform. This page provides a brief overview of the components of Terraform Cloud and of the changes it makes to your existing Terraform workflow.

For practical instructions on using Terraform Cloud, see Getting Started.

The Application

The Terraform Cloud application, located at https://app.terraform.io, provides a UI and API for storing, viewing, and controlling access to Terraform state. The application manages state in terms of organizations and workspaces:

  • A workspace is a named container for a single timeline of Terraform state, used to manage a collection of infrastructure resources over time.

    Each workspace belongs to an organization, and only members of that organization can access it.

  • An organization is a group of users who can collaborate on a shared set of workspaces. An organization is created by an initial user, who can then add other members.

The application manages access in two ways:

  • UI access is managed with usernames and passwords, with optional two-factor authentication.
  • API and CLI access is managed with API tokens, which can be generated in the UI. Each user can generate any number of personal API tokens, which allow access with their own identity and permissions. There is also an optional owners team token, which has similar abilities but is not tied to an individual user's account.

The Backend

The remote backend for Terraform Cloud's free state storage application is built into Terraform 0.11.13 and allows for native operation with the Terraform CLI.

The backend requires an API token, which is created by an application user and then stored in Terraform's CLI config file. Once a token is configured, Terraform can work with any workspace accessible to the user who created the token.

Terraform still defaults to storing state locally, but any Terraform configuration can enable remote state with a backend configuration that specifies which remote workspace to use.
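
Because the API token grants access to every workspace its creator can reach, it is worth checking where that token actually lives. The shell check below is an added example, not part of the Terraform Cloud documentation or tooling. It assumes the CLI config file is `~/.terraformrc` with a `credentials "app.terraform.io"` block and that the remote backend's optional `token` argument should stay out of shared configuration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit where a Terraform Cloud API token is stored.
# Function names are hypothetical; the paths to audit are supplied by you.

# Exit 0 if the CLI config file exists and has no group/other permission bits.
cli_config_is_private() {
  [ -f "$1" ] || return 2
  loose=$(find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
                    -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
  [ -z "$loose" ]
}

# Exit 0 if the file contains a `credentials "<host>"` block for the host.
cli_config_has_credentials() {
  host_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  grep -Eq "^[[:space:]]*credentials[[:space:]]+\"$host_re\"" "$1" 2>/dev/null
}

# Print each .tf file under a directory that assigns a string literal to
# `token` (heuristic; the remote backend accepts an optional token argument).
find_hardcoded_tokens() {
  find "$1" -type f -name '*.tf' \
    -exec grep -lE '^[[:space:]]*token[[:space:]]*=[[:space:]]*"' {} + || :
}

# Run all checks, print findings, and return how many there were.
audit_terraform_token() {
  cfg=$1; dir=${2:-.}; host=${3:-app.terraform.io}; findings=0
  if ! cli_config_is_private "$cfg"; then
    echo "FINDING: $cfg is missing or accessible to group/other"
    findings=$((findings + 1))
  fi
  if ! cli_config_has_credentials "$cfg" "$host"; then
    echo "FINDING: no credentials block for $host in $cfg"
    findings=$((findings + 1))
  fi
  hits=$(find_hardcoded_tokens "$dir")
  if [ -n "$hits" ]; then
    echo "FINDING: token literal in configuration:"
    echo "$hits"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Usage: sh audit.sh ~/.terraformrc /path/to/configuration
[ "$#" -eq 0 ] || audit_terraform_token "$@"
```

An exit status of 0 means the token sits only in an owner-readable CLI config file; any other status is the number of findings printed.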

The Workflow

Terraform Cloud uses the standard Terraform CLI workflow, with some enhancements:

  • Users continue to run Terraform on their local machines, but state is stored remotely instead of in the local working directory.
  • Remote workspaces are automatically created when you need them. To create a new workspace, specify a new workspace name in a Terraform configuration's backend block.
  • Terraform protects state from conflicts by locking the remote state during plans and applies; other users can't begin new plans or applies until the current one ends.

Access management tasks outside the scope of Terraform's CLI workflow are available in the Terraform Cloud UI and API. These tasks include:

  • Adding and removing organization members
  • Deleting workspaces
  • Locking workspaces out-of-band, to prevent plans and applies for an arbitrary period
  • Viewing historical state, either raw or as a diff against the previous state
  • Creating or disabling API tokens