Migrating Off Terraform Cloud/Enterprise: Part 4

Part 4 of our guide walks you through a smooth exit from Terraform Cloud/Enterprise—state migration, pipeline tweaks, and cost-saving alternatives.

Sebastian Stadil

5 min read

Part 4: Alternative Paths Continued (GitHub Actions-Centric Architecture) & Making Your Strategic Choice

Welcome to the final installment of our series on migrating off Terraform Cloud (TFC) or Terraform Enterprise (TFE). In Part 1, we explored the motivations for migration and initial auditing. Part 2 detailed the core technical steps for decoupling. Part 3 delved into two major alternative paths: the full open-source stack and leveraging Terraform Automation and Collaboration Software (TACOs).

In this concluding part, we'll examine a third significant alternative: adopting a GitHub Actions-centric architecture for your IaC workflows. We will then provide a comparative analysis of all three paths and offer a framework to help you make an informed strategic choice that best suits your organization's unique context.

1. Path 3: Adopting a GitHub Actions-Centric Architecture

For organizations already heavily invested in GitHub for version control, using GitHub Actions as the primary CI/CD engine for Terraform can be a natural and powerful extension. This approach leverages GitHub's native capabilities to automate your IaC delivery pipeline.

  • Concept: Utilize GitHub Actions workflows to manage the entire lifecycle of your Terraform operations, from code commit to infrastructure deployment, using your chosen remote backend (as established in Part 2).
  • Implementation Details & Key Components:
    • Workflow Triggers: Define workflows that trigger on push or pull_request events to specific branches (e.g., main, develop, feature branches).
    • GitHub Actions Runners:
      • GitHub-hosted runners: Convenient and managed by GitHub, suitable for many use cases.
      • Self-hosted runners: Provide more control over the execution environment, hardware, and network access, often necessary for deploying to private networks or meeting specific compliance requirements.
    • Core Terraform Steps in Workflows:
      • actions/checkout: To check out your Terraform code.
      • hashicorp/setup-terraform: A dedicated action to install a specific version of Terraform CLI on the runner.
      • terraform init: With backend configuration pointing to your S3, Azure Blob, or GCS backend.
      • terraform validate: To check syntax.
      • terraform plan: Generate an execution plan. For pull requests, plans can be posted as comments for review.
      • terraform apply: Apply changes, typically on merges to a main deployment branch, often with manual approval steps integrated into the workflow.
    • Secrets Management:
      • GitHub Encrypted Secrets: Store sensitive data (cloud provider credentials, API tokens) as encrypted secrets at the repository or organization level. These are exposed as environment variables to the workflow.
      • Integration with External Vaults: For more advanced secrets management, workflows can authenticate to and retrieve secrets from HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc., using OIDC or other secure mechanisms.
    • State Locking & Concurrency:
      • Relies on the native locking capabilities of your chosen remote backend (e.g., DynamoDB for S3, Azure Blob leases).
      • GitHub Actions workflows can be configured to prevent concurrent runs on the same environment/branch if needed, using concurrency groups.
    • Plan Reviews and Approvals:
      • For pull requests, workflow can generate a plan and add it as a PR comment.
      • GitHub Environments can be used to require manual approval from designated reviewers before a workflow proceeds with an apply step, especially for production environments.
    • Policy as Code (PaC) Integration:
      • Integrate OPA, Checkov, tfsec, etc., as steps within the workflow to scan Terraform code or plans against defined policies. Failed policy checks can prevent deployment.
    • Notifications: Utilize GitHub Actions marketplace actions or custom scripts to send notifications (e.g., to Slack, Microsoft Teams) about workflow status, plan results, or deployment outcomes.
  • Pros of GitHub Actions-Centric Path:
    • Native Integration with GitHub: Seamless experience if your code already resides in GitHub.
    • Large Ecosystem & Marketplace: Access to a vast number of pre-built actions for various tasks.
    • Managed Runner Options: GitHub-hosted runners reduce operational overhead.
    • Scalability: Scales with GitHub's infrastructure.
    • Cost-Effective (Potentially): Generous free tier for public repositories and reasonable pricing for private repositories, though costs for self-hosted runners or extensive usage should be factored in.
    • Strong Community Support: Widely adopted with plenty of documentation and community examples.
  • Cons of GitHub Actions-Centric Path:
    • Primarily GitHub-Focused: Less ideal if your organization uses other VCS platforms like GitLab or Bitbucket extensively for IaC.
    • Complexity for Advanced Scenarios: While flexible, orchestrating very complex multi-stage deployments with intricate dependencies might require sophisticated workflow design.
    • Secrets Management Nuances: While GitHub secrets are convenient, managing a large number of secrets or complex rotation policies might necessitate integration with a dedicated secrets manager.
    • Limited Built-in IaC-Specific UI: Unlike TACOs, GitHub Actions doesn't provide a dedicated UI for Terraform workspace management, state visualization, or cost estimation beyond what you build with workflow outputs.

2. Comparative Analysis & Decision-Making Framework

Now that we've explored three primary alternative paths—the Full Open-Source Stack, Leveraging TACOs, and a GitHub Actions-Centric Architecture—let's compare them and outline a framework for making your strategic choice.

Feature/Consideration

Full Open-Source Stack

TACOs (e.g., Scalr)

GitHub Actions-Centric

Control & Customization

Highest

Medium to High (vendor-dependent)

High (within GitHub's ecosystem)

Operational Overhead

Highest (self-managed)

Lowest (vendor-managed platform)

Medium (workflow design, runner mgmt if self-hosted)

Initial Setup Time

Longest

Shortest

Medium

Cost Model

Primarily engineering/operational costs

Subscription fees, usage-based

GitHub usage fees, runner costs

Vendor Lock-in

Lowest (component-level)

Medium (platform-level for operations)

Medium (to GitHub ecosystem for CI/CD)

IaC-Specific Features (UI, RBAC, Cost Mgmt)

Built/Integrated by you

Often built-in and extensive

Limited built-in; build/integrate as needed

Learning Curve

Steep (multiple tools)

Moderate (platform-specific)

Moderate (YAML, GitHub Actions concepts)

Integration Capabilities

Very High (any API/CLI)

Vendor-dependent, often good

Very High (Marketplace, custom actions)

Team Expertise Required

Broad & Deep (DevOps, multiple tools)

Terraform, platform usage

Terraform, GitHub Actions, YAML

Best Suited For

Teams needing ultimate control, with strong DevOps capabilities & capacity to manage complexity.

Teams wanting a managed, feature-rich IaC platform, faster time-to-value, reduced operational burden.

Teams heavily invested in GitHub, preferring native CI/CD, comfortable with workflow automation.

Decision-Making Framework - Key Questions to Ask:

  1. Team Skills & Capacity:
    • Do we have the in-house expertise and bandwidth to build, integrate, and maintain a complex open-source toolchain?
    • How steep is the learning curve for each option for our current team?
  2. Control vs. Convenience:
    • How critical is granular control over every aspect of the IaC pipeline versus the convenience of a managed service?
    • Are there specific customization needs that one path accommodates better than others?
  3. Budget & Cost Structure:
    • What is our budget for IaC tooling?
    • Do we prefer operational expenditure (SaaS subscriptions) or capital/internal engineering expenditure?
    • How do the long-term total cost of ownership (TCO) models compare?
  4. Time to Value & Agility:
    • How quickly do we need a fully functional, robust IaC platform?
    • How will each option impact our ability to iterate and adapt our IaC processes?
  5. Existing Toolchain & Ecosystem:
    • How well does each option integrate with our existing VCS, monitoring, security, and collaboration tools?
    • Are we already heavily invested in a particular ecosystem (e.g., GitHub)?
  6. Governance, Compliance & Security Requirements:
    • What are our specific needs for RBAC, policy enforcement, audit trails, and secrets management?
    • How does each path help us meet these requirements?
  7. Scalability & Future Growth:
    • How will each option scale as our infrastructure and team grow?
    • What are the potential bottlenecks or limitations?

3. Finalizing the Migration and Moving Forward

Regardless of the path chosen, a successful transition involves more than just technical changes.

  • Phased Rollout: Migrate workspaces or projects in phases, starting with less critical ones to build confidence and refine processes.
  • Documentation: Thoroughly document your new architecture, workflows, and operational procedures.
  • Training & Enablement: Ensure your team is adequately trained on any new tools or processes.
  • Continuous Improvement: Regularly review and iterate on your IaC platform. Solicit feedback from users and adapt to evolving needs.
  • Celebrate Success: Acknowledge the effort involved in such a significant migration!

Migrating off Terraform Cloud or Enterprise is a strategic decision that can unlock greater flexibility, control, and potentially cost savings. By carefully evaluating your organization's needs against the capabilities and trade-offs of a full open-source stack, a TACO, or a GitHub Actions-centric architecture, you can choose a path that empowers your platform engineering team and supports your business objectives for years to come.