Terraform Cloud - Overview, Key Features, Pricing

Here's what's weird about the infrastructure automation debate: everyone focuses on features, but the real story is in the economics. After analyzing dozens of implementations, I've found that Terraform Cloud's 2023 pricing change fundamentally altered the equation. And yeah, there are alternatives worth considering.

The Architecture Nobody Explains Properly

Terraform Cloud (now called HCP Terraform, because rebranding) runs your infrastructure code on HashiCorp's servers. Simple enough. But here's what actually happens:

# Your typical terraform backend configuration for Terraform Cloud
terraform {
  cloud {
    organization = "your-org"
    workspaces {
      name = "production"
    }
  }
}

Compare that to self-hosted state management:

# In-house S3 backend with DynamoDB locking
terraform {
  backend "s3" {
    bucket         = "terraform-state-prod"
    key            = "infrastructure/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-state-lock"
    encrypt        = true
  }
}

The difference? With Terraform Cloud, you're done. With in-house, you just started a journey involving IAM policies, backup strategies, and access controls that'll consume weeks.

The Features That Actually Matter

Let's cut through the marketing fluff. Here's what you get with each approach:

Terraform Cloud's features:

• Remote execution on disposable VMs (no "works on my machine" issues)
• Sentinel policies for governance (block unencrypted databases before they happen)
• Private module registry with versioning
• VCS integration that actually works with GitHub, GitLab, Bitbucket
• Cost estimation before you apply (powered by Infracost)

In-house advantages:

• Complete control over execution environment
• Custom workflows that match your exact needs
• No resource limits or pricing surprises
• Air-gapped deployments for paranoid industries
• Direct database access for when things go sideways

But here's where it gets interesting. Setting up equivalent features in-house isn't just time-consuming—it's expensive.

The Money Talk: RUM Pricing Changed Everything

Terraform Cloud's Resources Under Management (RUM) pricing hits different at scale:

Free tier: 500 resources
After that: $0.00014/hour per resource

Quick math:
- 1,000 resources = $350/month
- 5,000 resources = $2,450/month  
- 10,000 resources = $10,200/month
- 50,000 resources = $51,000/month

Plot twist: security groups, IAM policies, and every little resource counts. One company saw their 1,500 resources jump to over 2,000 when they realized what counted.

Real Code Examples: State Management

Here's how state locking actually works in practice:

Terraform Cloud (automatic):

# Just works. No configuration needed.
resource "aws_instance" "web" {
  ami           = "ami-123456"
  instance_type = "t3.micro"
}

In-house with proper locking:

#!/bin/bash
# create-backend.sh - One-time setup for in-house state management

# Create S3 bucket for state
aws s3api create-bucket \
  --bucket terraform-state-prod \
  --region us-east-1 \
  --acl private

# Enable versioning
aws s3api put-bucket-versioning \
  --bucket terraform-state-prod \
  --versioning-configuration Status=Enabled

# Create DynamoDB table for locking
aws dynamodb create-table \
  --table-name terraform-state-lock \
  --attribute-definitions AttributeName=LockID,AttributeType=S \
  --key-schema AttributeName=LockID,KeyType=HASH \
  --billing-mode PAY_PER_REQUEST

That's just the beginning. You still need IAM policies, encryption, backup procedures, and monitoring.

Security: The Part Everyone Gets Wrong

Terraform Cloud gives you:

• SOC 2 Type II compliance
• AES-256 encryption everywhere
• Automatic key rotation every 365 days
• Envelope encryption with HashiCorp Vault

But remember the 2021 Codecov incident? HashiCorp's GPG keys got exposed. They handled it well, but it happened.

In-house security means you control everything, but you also must handle everything:

# Example: Encrypting state in S3 (in-house)
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.terraform_state.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.terraform.arn
    }
  }
}

# Don't forget the KMS key policy!
data "aws_iam_policy_document" "kms" {
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
  
  statement {
    sid    = "Allow Terraform to use the key"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.terraform.arn]
    }
    actions = [
      "kms:Decrypt",
      "kms:Encrypt",
      "kms:GenerateDataKey"
    ]
    resources = ["*"]
  }
}

The Comparison Nobody Shows You

Here's the real breakdown:

*Including Scalr, Spacelift, env0

**Includes infrastructure + 0.5 FTE DevOps engineer

Real-World Migration Story

TV4 migrated away from Terraform Cloud after their costs jumped under RUM pricing. Their approach:

# Migration script excerpt
#!/bin/bash
# download-state.sh - Pull state files from Terraform Cloud

WORKSPACES=$(curl -s \
  -H "Authorization: Bearer $TF_CLOUD_TOKEN" \
  "https://app.terraform.io/api/v2/organizations/$ORG/workspaces" \
  | jq -r '.data[].id')

for ws in $WORKSPACES; do
  # Get current state version
  STATE_VERSION=$(curl -s \
    -H "Authorization: Bearer $TF_CLOUD_TOKEN" \
    "https://app.terraform.io/api/v2/workspaces/$ws/current-state-version")
    
  # Download the actual state file
  STATE_URL=$(echo $STATE_VERSION | jq -r '.data.attributes."hosted-state-download-url"')
  curl -s "$STATE_URL" > "states/${ws}.tfstate"
done

They switched to Scalr and cut their costs 80%. Just saying.

Performance Reality Check

Cisco ACI deployments with 7,000 resources? Over an hour for plan and apply. That's not a Terraform Cloud problem—that's a Terraform problem. But here's where it matters:

• Terraform Cloud Free/Standard: 1 concurrent run (brutal for teams)
• Terraform Enterprise: 10 concurrent runs (configurable)
• In-house: Whatever your infrastructure allows
• Modern alternatives: Often better parallelization

The Decision Framework

Choose Terraform Cloud if:

• You have < 500 resources (it's free!)
• You need compliance checkboxes fast
• Your team lacks platform engineering skills
• You're a startup that needs to move quickly

Build in-house if:

• You have > 10,000 resources
• You need custom workflows
• You're in a regulated industry with specific requirements
• You already have platform engineers

Consider alternatives like Scalr if:

• Your application is single tenant, and you deploy a copy for each customer
• You want Terraform Cloud features without the price shock
• You want to give many developers self-service and don't want them to be limited by concurrency
• You like transparent, usage-based pricing

Also, vendor lock-in exists everywhere. The question is which cage you prefer.

Setting Up a Basic In-House Pipeline

For the brave souls going in-house, here's a minimal GitHub Actions setup:

# .github/workflows/terraform.yml
name: Terraform

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
          
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.6.0
          
      - name: Terraform Init
        run: terraform init
        
      - name: Terraform Plan
        run: terraform plan -out=tfplan
        
      - name: Save plan for approval
        if: github.event_name == 'pull_request'
        uses: actions/upload-artifact@v3
        with:
          name: tfplan
          path: tfplan
          
      - name: Terraform Apply
        if: github.ref == 'refs/heads/main'
        run: terraform apply -auto-approve tfplan

This is missing: notifications, policy checks, cost estimation, security scanning, and about 20 other things Terraform Cloud does automatically.

Bottom Line

Terraform Cloud solved real problems when it launched. Remote execution, state management, and team collaboration were game-changers. But the RUM pricing model fundamentally changed the value proposition.

At 10,000 resources, you're looking at $120,000 annually. That buys a lot of engineering time—or a lot of alternative platform licenses.

My take? The sweet spot has shifted. Small teams should absolutely use Terraform Cloud's free tier. Large enterprises with existing platform teams should probably build their own. But that middle ground—teams with 1,000-10,000 resources—that's where modern alternatives shine.

Companies like Scalr understood this gap. They offer Terraform Cloud's benefits without the resource-based pricing model that punishes growth. Plus actual FinOps features that help you understand where your cloud spend is going. Not a bad deal when you're trying to manage costs while scaling infrastructure.

The infrastructure automation landscape keeps evolving. OpenTofu is gaining momentum. Alternative platforms are innovating faster than HashiCorp. The "obvious" choice isn't so obvious anymore.

Choose based on your actual needs, not the marketing. And maybe check out those alternatives before committing to a $10,000 monthly bill. Your CFO will thank you.