Terraform Cloud Plans and Features
Terraform Cloud is a platform that performs Terraform runs to provision infrastructure, either on demand or in response to various events. Unlike a general-purpose continuous integration (CI) system, it is deeply integrated with Terraform's workflows and data, which allows it to make Terraform significantly more convenient and powerful.
Hands On: Try our What is Terraform Cloud - Intro and Sign Up tutorial.
Terraform Cloud is a commercial SaaS product developed by HashiCorp. Many of its features are free for small teams, including remote state storage, remote runs, and VCS connections. We also offer paid plans for larger teams that include additional collaboration and governance features.
Terraform Cloud manages plans and billing at the organization level. Each Terraform Cloud user can belong to multiple organizations, which might subscribe to different billing plans. The set of features available depends on which organization you are currently working in.
Refer to Terraform pricing for details about available plans and their features.
Small teams can use most of Terraform Cloud's features for free, including remote Terraform execution, VCS integration, the private module registry, and more.
Free organizations are limited to five active members.
Some of Terraform Cloud's features are limited to particular paid upgrade plans.
Each higher paid upgrade plan is a strict superset of any lower plans — for example, the Plus edition includes all of the features of the Standard edition. Paid feature callouts in the documentation indicate the lowest edition at which the feature is available, but any higher plans also include that feature.
Terraform Enterprise generally includes all of Terraform Cloud's paid features, plus additional features geared toward large enterprises. However, some features are implemented differently due to the differences between self-hosted and SaaS environments, and some features might be absent due to being impractical or irrelevant in the types of organizations that need Terraform Enterprise. Cloud-only or Enterprise-only features are clearly indicated in documentation.
Organization owners can manage an organization's billing plan. The plan and billing settings include an integrated storefront, and you can subscribe to paid plans with a credit card.
To change an organization's plan:
- Click Settings in the navigation bar.
- Click Plan and billing. The Plan and Billing page appears showing your current plan and any available invoices.
- Click Change plan.
- Select a plan, enter your billing information, and click Update plan.
Terraform Cloud runs Terraform CLI to provision infrastructure.
In its default state, Terraform CLI uses a local workflow, performing operations on the workstation where it is invoked and storing state in a local directory.
Since teams must share responsibilities and awareness to avoid single points of failure, working with Terraform in a team requires a remote workflow. At minimum, state must be shared; ideally, Terraform should execute in a consistent remote environment.
Terraform Cloud offers a team-oriented remote Terraform workflow, designed to be comfortable for existing Terraform users and easily learned by new users. The foundations of this workflow are remote Terraform execution, a workspace-based organizational model, version control integration, command-line integration, remote state management with cross-workspace data sharing, and a private Terraform module registry.
Terraform Cloud runs Terraform on disposable virtual machines in its own cloud infrastructure by default. You can leverage Terraform Cloud Agents to run Terraform on your own isolated, private, or on-premises infrastructure. Remote Terraform execution is sometimes referred to as "remote operations."
Remote execution helps provide consistency and visibility for critical provisioning operations. It also enables powerful features like Sentinel policy enforcement, cost estimation, notifications, version control integration, and more.
- More info: Terraform Runs and Remote Operations
Remote execution can be disabled on specific workspaces with the "Execution Mode" setting. The workspace will still host remote state, and Terraform CLI can use that state for local runs via the Terraform Cloud CLI integration.
Terraform's local workflow manages a collection of infrastructure with a persistent working directory, which contains configuration, state data, and variables. You can use separate directories to organize infrastructure resources into meaningful groups, and Terraform will use the configuration in the directory you invoke Terraform commands from.
Terraform Cloud organizes infrastructure into projects and workspaces instead of directories. Each workspace contains everything necessary to manage a given collection of infrastructure, and Terraform uses that content when it runs in the context of that workspace.
You can use projects to organize your workspaces into groups. Organizations with Terraform Cloud Standard Edition can assign teams permissions for specific projects.
This lets you grant access to collections of workspaces instead of using workspace-specific or organization-wide permissions, making it easier to limit access to only the resources required for a team member's job function.
Terraform Cloud acts as a remote backend for your Terraform state. State storage is tied to workspaces, which helps keep state associated with the configuration that created it.
Terraform Cloud also enables you to share information between workspaces with root-level outputs. Separate groups of infrastructure resources often need to share a small amount of information, and workspace outputs are an ideal interface for these dependencies.
Workspaces that use remote operations can use
terraform_remote_state data sources to access other workspaces' outputs, subject to per-workspace access controls. And since new information from one workspace might change the desired infrastructure state in another, you can create workspace-to-workspace run triggers to ensure downstream workspaces react when their dependencies change.
Like other kinds of code, infrastructure-as-code belongs in version control, so Terraform Cloud is designed to work directly with your version control system (VCS) provider.
Each workspace can be linked to a VCS repository that contains its Terraform configuration, optionally specifying a branch and subdirectory. Terraform Cloud automatically retrieves configuration content from the repository, and will also watch the repository for changes:
- When new commits are merged, linked workspaces automatically run Terraform plans with the new code.
- When pull requests are opened, linked workspaces run speculative plans with the proposed code changes and post the results as a pull request check; reviewers can see at a glance whether the plan was successful, and can click through to view the proposed changes in detail.
VCS integration is powerful, but optional; if you use an unsupported VCS or want to preserve an existing validation and deployment pipeline, you can use the API or Terraform CLI to upload new configuration versions. You'll still get the benefits of remote execution and Terraform Cloud's other features.
Remote execution offers major benefits to a team, but local execution offers major benefits to individual developers; for example, most Terraform users run
terraform plan to interactively check their work while editing configurations.
Terraform Cloud offers the best of both worlds, allowing you to run remote plans from your local command line. Configure the Terraform Cloud CLI integration, and the
terraform plan command will start a remote run in the configured Terraform Cloud workspace. The output of the run streams directly to your terminal, and you can also share a link to the remote run with your teammates.
Remote CLI-driven runs use the current working directory's Terraform configuration and the remote workspace's variables, so you don't need to obtain production cloud credentials just to preview a configuration change.
The Terraform Cloud CLI integration also supports state manipulation commands like
terraform import or
Note: When used with Terraform Cloud, the
terraform plan command runs speculative plans, which preview changes without modifying real infrastructure. You can also use
terraform apply to perform full remote runs, but only with workspaces that are not connected to a VCS repository. This helps ensure that your VCS remains the source of record for all real infrastructure changes.
- More info: CLI-driven Runs
Even small teams can benefit greatly by codifying commonly used infrastructure patterns into reusable modules.
Terraform can fetch providers and modules from many sources. Terraform Cloud makes it easier to find providers and modules to use with a private registry. Users throughout your organization can browse a directory of internal providers and modules, and can specify flexible version constraints for the modules they use in their configurations. Easy versioning lets downstream teams use private modules with confidence, and frees upstream teams to iterate faster.
The private registry uses your VCS as the source of truth, relying on Git tags to manage module versions. Tell Terraform Cloud which repositories contain modules, and the registry handles the rest.
- More info: Private Registry
In addition to providing powerful extensions to the core Terraform workflow, Terraform Cloud makes it simple to integrate infrastructure provisioning with your business's other systems.
Nearly all of Terraform Cloud's features are available in its API, which means other services can create or configure workspaces, upload configurations, start Terraform runs, and more. There's even a Terraform provider based on the API, so you can manage your Terraform Cloud teams and workspaces as a Terraform configuration.
- More info: API
Terraform Cloud can send notifications about Terraform runs to other systems, including Slack and any other service that accepts webhooks. Notifications can be configured per-workspace.
- More info: Notifications
Run Tasks allow Terraform Cloud to execute tasks in external systems at specific points in the Terraform Cloud run lifecycle.
- More info: Run Tasks
Larger organizations are more complex, and tend to use access controls and explicit policies to help manage that complexity. Terraform Cloud's paid upgrade plans provide extra features to help meet the control and governance needs of large organizations.
- More info: Free and Paid Plans
With Terraform Cloud's team management, you can define groups of users that match your organization's real-world teams and assign them only the permissions they need. When combined with the access controls your VCS provider already offers for code, workspace permissions are an effective way to follow the principle of least privilege.
- More info: Users, Teams, and Organizations
Note: Terraform Cloud Free Edition includes one policy set of up to five policies. In Terraform Cloud Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to Terraform Cloud pricing for details.
Policy-as-code lets you define and enforce granular policies for how your organization provisions infrastructure. You can limit the size of compute VMs, confine major updates to defined maintenance windows, and much more.
You can use the Sentinel and the Open Policy Agent (OPA) policy-as-code frameworks to define policies. Depending on the settings, policies can act as advisory warnings, firm requirements that prevent Terraform from provisioning infrastructure, or soft requirements that your compliance team can bypass when appropriate.
Refer to Policy Enforcement for details.
Before making changes to infrastructure in the major cloud providers, Terraform Cloud can display an estimate of its total cost, as well as any change in cost caused by the proposed updates. Cost estimates can also be used in Sentinel policies to provide warnings for major price shifts.
- More info: Cost Estimation