Migrating Off Terraform Cloud/Enterprise: Part 3

Leave Terraform Cloud/Enterprise smoothly: manage state, pipelines & policies with our step-by-step guide—part 3 of the migration series.

Sebastian Stadil

4 min read

Part 3: Exploring Alternative Paths: The Open-Source Stack vs. TACOs

Having successfully navigated the "why" (Part 1) and the "how" (Part 2) of migrating your Terraform state and configurations away from Terraform Cloud (TFC) or Terraform Enterprise (TFE), you're now at a pivotal juncture. With your IaC workflows decoupled, the next step is to decide on the operational model that will best serve your team's needs. This third part explores two prominent alternative paths: embracing a fully open-source stack for maximum control, or leveraging a Terraform Automation and Collaboration Software (TACO) for a more managed experience.

1. Path 1: The Full Open-Source Stack – Maximum Control, Maximum Responsibility

Opting for a full open-source stack means you assemble and manage all the components necessary for your IaC workflows. This path offers unparalleled control and customization but also demands significant expertise and ongoing maintenance.

  • Concept: You select, integrate, and maintain a suite of open-source tools to replicate and potentially enhance the functionalities you had with TFC/TFE, tailored precisely to your requirements.
  • Key Components & Considerations:
    • Version Control System (VCS): (e.g., Git with GitHub, GitLab, Bitbucket) – This remains the foundation for your HCL code, as it likely was with TFC/TFE.
    • CI/CD Automation:
      • Tools: Jenkins, GitLab CI, CircleCI, Tekton, Argo Workflows, or even GitHub Actions (which we'll explore as a more focused path in Part 4).
      • Responsibilities: Designing pipelines for init, validate, plan, apply; managing runner infrastructure; handling approvals and notifications.
    • Remote State Management:
      • Solution: As detailed in Part 2, using cloud object storage (AWS S3, Azure Blob, GCS) with appropriate locking mechanisms (DynamoDB, Azure Blob leases, GCS native locking).
      • Responsibilities: Ensuring secure access, versioning, backups, and disaster recovery for state files.
    • Policy as Code (PaC):
      • Tools: Open Policy Agent (OPA) with Rego is the de-facto standard. Alternatives include Checkov, tfsec, or custom scripts.
      • Responsibilities: Writing policies, integrating policy checks into CI/CD pipelines (e.g., pre-plan or post-plan), managing policy versions, and interpreting results.
    • Secrets Management:
      • Tools: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager.
      • Responsibilities: Securely storing and injecting sensitive data (API keys, credentials) into Terraform runs, managing access to secrets.
    • Collaboration and Auditing:
      • Mechanisms: Git-based workflows (pull/merge requests, code reviews), CI/CD pipeline logs, and potentially custom logging solutions for audit trails.
    • Notifications and Reporting: Custom scripting or CI/CD platform integrations for run status, plan outputs, and apply confirmations (e.g., Slack, email).
  • Deep Dive: Terragrunt for Enhanced Open-Source Workflows Terragrunt is a popular open-source thin wrapper for Terraform that provides extra tools for keeping your configurations DRY, working with multiple Terraform modules, and managing remote state.
    • Purpose: To simplify the management of complex Terraform deployments by allowing you to define Terraform configurations once and reuse them across multiple environments or components.
    • Key Features:
      • DRY Configurations: Define backend configurations, provider versions, and common input variables in a terragrunt.hcl file at a higher level in your directory structure, inheriting them into child modules.
      • Remote State Configuration: Automates the configuration of remote state backends.
      • Dependency Management: Define explicit dependencies between modules/stacks, ensuring they are applied in the correct order (e.g., networking before compute).
      • Before/After Hooks: Execute custom scripts or commands at various stages of Terraform execution.
    • Typical Project Structure: Often involves a hierarchical directory structure representing environments (dev, staging, prod) and infrastructure components (VPC, EKS, RDS), with terragrunt.hcl files orchestrating the underlying Terraform modules.
    • Developer Experience:
      • Pros: Significant reduction in code duplication, improved consistency across environments, better automation of complex deployments.
      • Cons: Adds another layer of abstraction and a learning curve; can feel like overkill for very simple setups.
  • Pros of the Open-Source Path:
    • Maximum Control & Customization: Tailor every aspect of your IaC workflow.
    • No Vendor Lock-in: Freedom to choose and switch individual components.
    • Potential Cost Savings: Avoids SaaS subscription fees (though consider operational/engineering costs).
    • Deep Integration Capabilities: Integrate with any tool that has an API or CLI.
  • Cons of the Open-Source Path:
    • High Operational Overhead: Requires significant engineering effort to set up, integrate, and maintain.
    • Steep Learning Curve: Teams need expertise across multiple tools.
    • "You Build It, You Run It": Full responsibility for uptime, security, and upgrades of the toolchain.
    • Slower Time to Value (Initially): Setting up a robust open-source stack takes time.

2. Path 2: Leveraging TACOs (Terraform Automation and Collaboration Software)

TACOs are specialized SaaS platforms (or sometimes self-hosted software) designed to streamline and enhance Terraform operations. They offer a managed experience, often bundling features that would otherwise require integrating multiple open-source tools. Scalr itself is an example of a TACO.

  • Concept: Adopt a platform that provides a cohesive environment for Terraform state management, CI/CD, collaboration, governance, and cost management, reducing the need to build and maintain these components yourself.
  • What TACOs Typically Offer:
    • Managed State Backend: Secure and reliable storage for Terraform state files, often with built-in locking, versioning, and UI visibility.
    • Integrated CI/CD for Terraform: Purpose-built pipelines for Terraform runs, often triggered by VCS events, with UI for monitoring and managing runs.
    • Collaboration Features:
      • Role-Based Access Control (RBAC) to define granular permissions.
      • Approval workflows for Terraform plans.
      • Audit logs for all actions and changes.
      • Workspace/Environment management to organize projects.
    • Policy Enforcement & Governance:
      • Integration with OPA or similar policy engines.
      • UI for managing policies and viewing compliance.
      • Drift detection capabilities.
    • Cost Management/Visibility: Features to estimate costs from Terraform plans or track actual spending related to managed resources.
    • Self-Service Capabilities: Enabling developers to provision infrastructure within predefined guardrails.
    • VCS Integration: Deep integration with GitHub, GitLab, Bitbucket, etc.
  • Pros of the TACO Path:
    • Reduced Operational Overhead: The vendor manages the underlying platform infrastructure.
    • Faster Time to Value: Quicker to get up and running with a feature-rich environment.
    • Built-in Best Practices: Often incorporate proven workflows and security measures.
    • Vendor Support: Access to support for platform-related issues.
    • Focus on IaC, Not Tooling: Allows platform teams to focus more on defining infrastructure and governance, less on maintaining the toolchain.
    • Improved Developer Experience: Often provides a user-friendly UI and streamlined workflows for application developers interacting with infrastructure.
  • Cons of the TACO Path:
    • Subscription Costs: Involves ongoing SaaS fees, which need to be weighed against the cost of a self-managed solution.
    • Potential Vendor Lock-in: While your Terraform code remains portable, your operational workflows become tied to the TACO platform.
    • Less Flexibility (Potentially): You are generally constrained by the features and integration points offered by the vendor, though many TACOs are highly extensible.
    • Feature Sets Vary: Not all TACOs are created equal; thorough evaluation is needed to match features to requirements.

Choosing between a fully open-source stack and a TACO depends heavily on your organization's size, engineering capacity, budget, desire for control, and the complexity of your IaC needs. Both paths offer viable alternatives to TFC/TFE, empowering you to regain control and tailor your Terraform operations.

Next in the Series (Part 4): Alternative Paths Continued (GitHub Actions-Centric Architecture) & Making Your Strategic Choice.