Migrating Off Terraform Cloud/Enterprise: Part 1
Step-by-step series on leaving Terraform Cloud/Enterprise: prep, move your state, automate CI/CD, keep policies—cut costs without losing control.
Part 1: The "Why" and "What": Understanding Motivations and Auditing Your Current State
Deciding to migrate away from an established platform like Terraform Cloud (TFC) or Terraform Enterprise (TFE) is a significant undertaking. It's rarely a sudden choice but rather a culmination of evolving needs, growing frustrations, or strategic shifts. This first part of our series explores the common catalysts for such a migration and details the essential groundwork: thoroughly understanding and documenting your current Terraform environment.
1. Common Triggers: Why Consider a Migration?
Several factors can prompt platform engineering teams to look for alternatives to TFC/TFE. Recognizing these triggers within your own organization is the first step in evaluating whether a migration is the right path.
- Cost Concerns:
- Resources Under Management (RUM) Pricing: For many, the RUM-based pricing model of Terraform Cloud can become a significant and sometimes unpredictable operational expense, especially as infrastructure scales. As the number of managed resources grows, so does the bill, often leading teams to seek more cost-effective or predictable pricing structures.
- Tier Limitations: Specific features or capacities might be locked behind higher-priced tiers, forcing an upgrade that might not be justifiable for the overall feature set.
- Workflow Rigidity and Limitations:
- Lack of Native Dependency Workflows: TFC/TFE has historically lacked sophisticated built-in capabilities to define, visualize, and manage complex dependencies between different workspaces or infrastructure components. This can make orchestrating multi-stage deployments or environment promotion strategies cumbersome, often requiring external tooling or manual workarounds.
- Limited Control Over Runner Phases: Users often find they have restricted ability to inject custom logic or scripts at specific points within the Terraform run lifecycle (e.g., before
init, afterplan, beforeapply). This limits the integration of custom validation, security checks, or notification steps directly into the core workflow. - Run Task Limitations: While Run Tasks offer a way to integrate third-party tools, there can be limitations on the number of tasks, their applicability across workspaces, or restrictions based on pricing tiers, hindering comprehensive automation efforts.
- Desire for Greater Control and Autonomy:
- Vendor Lock-in: Relying on a specific vendor's ecosystem for critical infrastructure management can raise concerns about long-term flexibility and the ability to adapt to changing technological landscapes or business needs.
- Customization Constraints: Teams may find the platform too prescriptive, limiting their ability to tailor the IaC environment, CI/CD processes, or policy enforcement mechanisms to their specific internal standards and tooling.
- Uncertainty Due to Licensing Changes:
- Business Source License (BSL): HashiCorp's shift to the BSL for its products, including Terraform, introduced uncertainty and concern for some organizations. While aimed at protecting against commercial exploitation by competitors, some users prefer to rely on purely open-source (e.g., MIT-licensed) tools for foundational infrastructure, prompting a re-evaluation of their IaC stack. This has led to the rise of alternatives like OpenTofu.
- New or Evolving Business Requirements:
- Integration Challenges: As an organization's toolchain evolves, TFC/TFE might not offer the seamless integrations required with newer security, monitoring, or GitOps tools.
- Scalability and Performance: In some high-demand scenarios, teams might encounter performance bottlenecks or scalability limits within the TFC/TFE environment that hinder their operational efficiency.
- Specific Compliance or Governance Needs: Unique or stringent compliance and governance requirements might be difficult to fully implement or automate within the confines of the platform's existing features.
2. Initial Preparatory Steps: Know Your Current State
Before embarking on any migration, a thorough understanding of your current TFC/TFE setup is paramount. This foundational knowledge will inform your migration strategy, help identify potential challenges, and ensure a smoother transition.
- Inventory Existing Setup:
- Identify All Workspaces: Compile a comprehensive list of every Terraform Cloud or Terraform Enterprise workspace currently in use. For each workspace, document:
- Its purpose and the environment it manages (e.g.,
networking-prod,app-staging-eu,shared-services-dev). - The primary owners or teams responsible for it.
- Its purpose and the environment it manages (e.g.,
- Document VCS Repositories: For each workspace linked to a Version Control System (VCS) provider (like GitHub, GitLab, Bitbucket):
- Note the specific repository URL.
- Identify the branch(es) being used for deployments.
- Specify the working directory within the repository if it's not the root.
- List Terraform Versions: Record the Terraform version(s) configured for each workspace. Discrepancies in versions can impact migration if the new target environment has different compatibility.
- Map Variables and Variable Sets: Document all Terraform variables and environment variables configured within each workspace, as well as any shared Variable Sets being used. Note their scope, sensitivity, and how they are populated.
- Identify Run Triggers and Notifications: Note how runs are triggered (e.g., VCS pushes, API calls, manual) and any configured notifications.
- Identify All Workspaces: Compile a comprehensive list of every Terraform Cloud or Terraform Enterprise workspace currently in use. For each workspace, document:
- State File Audit and Backup:
- Confirm Current Resource State: For each workspace, verify that the actual deployed infrastructure aligns with the resources defined in its current state file. Use
terraform planto check for drift. Addressing significant drift before migration can prevent complications. - Crucially, Back Up All Existing State Files: This is the most critical preparatory step. State files are the source of truth for your Terraform-managed infrastructure.
- Using the TFC/TFE API: Terraform Cloud and Enterprise provide APIs that can be used to download state file versions. Scripting this process is recommended for a large number of workspaces.
- Using
terraform state pull: For individual workspaces, you can use the Terraform CLI commandterraform state pull > <workspace_name>.tfstate(after configuring the CLI to point to the correct TFC/TFE backend). - Secure Storage: Store these backups in a secure, versioned location (e.g., a protected S3 bucket with versioning enabled, or an artifact repository). This backup is your safety net.
- Understand State File Size and Complexity: Note the size and complexity of your state files. Very large state files can sometimes pose challenges for certain backend types or migration tools.
- Confirm Current Resource State: For each workspace, verify that the actual deployed infrastructure aligns with the resources defined in its current state file. Use
Thoroughly completing these initial steps—understanding your motivations and meticulously documenting your current environment—will lay a solid foundation for the subsequent phases of your migration journey. The insights gained here will be invaluable as you move towards decoupling your workflows and choosing a new operational model.
Next in the Series (Part 2): The "How": Core Migration Steps for Decoupling.