What is Terraform Cloud? A Comprehensive Guide

Discover Terraform Cloud: its features, workflows, pricing, and quick-start steps—condensed in one practical, comprehensive guide.

Terraform has revolutionized how organizations approach infrastructure as code (IaC), allowing teams to define and provision infrastructure using a declarative configuration language. As adoption grows, managing Terraform workflows, state files, and collaboration across teams can become complex. This is where Terraform Cloud steps in.

This post will dive deep into Terraform Cloud, exploring its features, benefits, costs, and how it compares to other Terraform offerings and alternatives.

What is Terraform Cloud?

Terraform Cloud is a managed service offering from HashiCorp that provides a consistent workflow for teams to collaborate on Terraform configurations. It aims to simplify the complexities of using Terraform at scale by providing a central place for storing state, managing configurations, enforcing policies, and integrating with version control systems (VCS).

Think of it as an execution environment and collaboration hub for your Terraform projects. Instead of running terraform apply locally and figuring out how to share state files securely, Terraform Cloud handles these aspects for you, enabling better governance, visibility, and teamwork.

Terraform Cloud Features

Terraform Cloud comes packed with features designed to streamline your IaC operations:

  • Workspaces: Workspaces are the fundamental organizational unit in Terraform Cloud. Each workspace represents a distinct collection of infrastructure resources, often corresponding to a specific environment (dev, staging, prod), project, or component. They manage their own state files, variables, and run history.
  • Remote State Management: One of the most critical features. Terraform Cloud securely stores your Terraform state files, preventing accidental deletion, corruption, or exposure. It also provides locking to prevent concurrent modifications, ensuring state integrity.
  • Version Control System (VCS) Integration: Seamlessly connect your Terraform Cloud workspaces to repositories in popular VCS providers like GitHub, GitLab, Bitbucket, and Azure DevOps. This enables a GitOps workflow where changes to your infrastructure code automatically trigger Terraform runs.
  • Private Module Registry: Publish, share, and version your internal Terraform modules within your organization. This promotes code reuse, consistency, and best practices across projects.
  • Policy as Code (Sentinel & OPA): Enforce governance and compliance with Sentinel (available in paid tiers) or Open Policy Agent (OPA) (available in Plus Edition). Define policies to control costs, enforce security standards, and ensure configurations adhere to organizational guidelines before infrastructure is provisioned.
  • Cost Estimation: (Available in paid tiers) Get visibility into the potential cost implications of your infrastructure changes before they are applied. This helps in managing budgets and avoiding unexpected expenses.
  • Team Management and RBAC: Organize users into teams and assign role-based access control (RBAC) to workspaces, ensuring that only authorized personnel can make changes to specific infrastructure.
  • Notifications: Configure notifications for run completions, failures, or policy checks, integrating with tools like Slack or email.
  • API & CLI Driven Workflows: While the UI is user-friendly, Terraform Cloud also supports automation through its API and allows CLI-driven runs, providing flexibility for different operational models.
  • Run Triggers: Configure dependencies between workspaces, allowing a successful run in one workspace to automatically trigger a run in another. This is useful for managing complex, multi-layered infrastructure.
  • Secure Variable Storage: Store sensitive data like API keys, passwords, and certificates securely as variables at the workspace or organization level.

Terraform vs Terraform Cloud

It's important to distinguish between Terraform (the open-source CLI tool) and Terraform Cloud (the managed service).

| Feature | Terraform (CLI) | Terraform Cloud |
| --- | --- | --- |
| Execution | Local machine or custom CI/CD pipeline | Managed service in the cloud |
| State Storage | Local, or self-managed remote backends (S3, etc.) | Secure, managed remote state storage with locking |
| Collaboration | Requires manual setup for sharing configurations | Built-in features for team management, VCS integration, and shared workflows |
| Governance | Relies on external tools or manual processes | Integrated policy as code (Sentinel/OPA), RBAC |
| UI | Command-line interface only | Web-based UI for managing workspaces, runs, state, and settings |
| Automation | Requires custom scripting and CI/CD integration | VCS integration for automated runs, API for custom automation |
| Cost | Free (open-source) | Tiered pricing (Free, Standard, Plus, Enterprise) |

In essence, Terraform CLI is the engine, while Terraform Cloud is the vehicle that provides the framework, safety features, and collaboration tools for driving your infrastructure provisioning.

Terraform Cloud vs Terraform Enterprise

Terraform Enterprise is HashiCorp's self-hosted distribution of Terraform Cloud. It's designed for organizations with strict security, compliance, or data governance requirements that prevent them from using a SaaS solution.

| Feature | Terraform Cloud | Terraform Enterprise (TFE) |
| --- | --- | --- |
| Hosting | SaaS (managed by HashiCorp) | Self-hosted (on-premises or private cloud) |
| Management | HashiCorp manages the platform | Customer manages the platform (installation, upgrades, maintenance) |
| Control | Less control over the underlying infrastructure | Full control over the environment |
| Compliance | Standard compliance certifications (SOC 2, etc.) | Can be deployed in environments meeting specific, stringent compliance needs |
| Features | Generally the same core features | May have additional features like audit logging, clustering, and private networking options |
| Target Audience | Teams of all sizes, from individuals to large enterprises | Large enterprises with specific security/compliance needs for self-hosting |
| Cost Model | Subscription-based tiers | Typically higher cost, licensed based on usage/features, plus operational overhead |

Choose Terraform Cloud if you want a managed service with minimal operational overhead. Opt for Terraform Enterprise if your organization requires a self-hosted solution due to regulatory or policy constraints.

Terraform Cloud Benefits

Adopting Terraform Cloud offers several key advantages:

  • Improved Collaboration: Centralized workflows, state management, and VCS integration make it easier for teams to work together on infrastructure projects.
  • Enhanced Security: Securely stores state files and sensitive variables, reducing the risk of exposure. RBAC and policy enforcement further strengthen security posture.
  • Increased Efficiency: Automates Terraform runs through VCS integration, reducing manual effort and speeding up provisioning cycles. The private module registry promotes reuse and standardization.
  • Better Governance and Compliance: Policy as code (Sentinel/OPA) allows organizations to enforce standards and compliance requirements automatically. Audit logs provide visibility into changes.
  • Reduced Operational Overhead: As a managed service, Terraform Cloud handles the underlying infrastructure, state backend, and version upgrades, freeing up your team to focus on defining infrastructure.
  • Scalability: Designed to handle the needs of growing teams and increasingly complex infrastructure deployments.
  • Visibility and Control: The web UI provides a clear overview of all your workspaces, runs, and state, giving you better control over your infrastructure.

Terraform Cloud Cost

Terraform Cloud offers several pricing tiers:

  • Free: Suitable for individuals and small teams getting started. Includes core features like remote state management, VCS integration, and up to 500 resources under management. Limited to one concurrent run.
  • Standard: (Per user/month) Aimed at growing teams. Includes everything in Free, plus features like team management, RBAC, and more concurrent runs.
  • Plus: (Per user/month) For larger organizations needing advanced governance and collaboration. Includes everything in Standard, plus features like Sentinel policies, cost estimation, and OPA integration.
  • Enterprise: Custom pricing. Offers all features, including options for Terraform Enterprise (self-hosted), premium support, and features tailored for large-scale deployments.

It's always best to check the official HashiCorp Terraform Cloud pricing page for the most up-to-date information.

How to Create a Terraform Cloud Account

Getting started with Terraform Cloud is straightforward:

  1. Navigate to the Terraform Cloud website: Go to app.terraform.io.
  2. Sign Up: Click on "Create a free account" or "Sign up." You can sign up using your email address or by linking your GitHub, GitLab, or Bitbucket account.
  3. Create an Organization: After signing up, you'll be prompted to create an organization. This is the top-level container for your users, workspaces, and modules. Choose a unique name for your organization.
  4. Verify Your Email (if applicable): If you signed up with an email, you'll need to verify it by clicking the link sent to your inbox.
  5. Explore Your Dashboard: Once your organization is created, you'll land on your Terraform Cloud dashboard. From here, you can start creating workspaces, inviting team members, and configuring VCS integrations.

Terraform Cloud Workflows

Terraform Cloud supports several common workflows:

  1. VCS-Driven Workflow (Recommended):
    • Store your Terraform code in a VCS repository (e.g., GitHub).
    • Connect your Terraform Cloud workspace to this repository.
    • When you push changes to the specified branch, Terraform Cloud automatically triggers a plan.
    • Review the plan in the Terraform Cloud UI.
    • If the plan is acceptable, manually approve it to trigger an apply. (This can also be automated for certain branches).
    • This is the most common and recommended workflow as it leverages GitOps principles.
  2. CLI-Driven Workflow:
    • Configure your local Terraform CLI to use Terraform Cloud as a remote backend.
    • Run terraform login to authenticate.
    • Initialize your configuration with terraform init.
    • Run terraform plan and terraform apply from your local machine.
    • Terraform Cloud will execute these operations, store the state, and stream logs back to your CLI.
    • This is useful for local development or when you prefer to use the CLI directly.
  3. API-Driven Workflow:
    • Use the Terraform Cloud API to programmatically manage workspaces, trigger runs, and retrieve information.
    • This is suitable for integrating Terraform Cloud into custom automation scripts or CI/CD pipelines that don't directly use the VCS integration.
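The API-driven workflow above, sketched as an added example (not code from the original page or from HashiCorp): it builds the JSON:API request that queues a run through the Terraform Cloud runs endpoint. The TFC_TOKEN environment variable name and the workspace ID used in testing are assumptions for illustration.

```python
import json
import os
import urllib.request

API_BASE = "https://app.terraform.io/api/v2"


def build_run_request(workspace_id, message, token, plan_only=True):
    """Build (but do not send) the request that queues a run in a workspace."""
    # The runs endpoint takes the workspace ID (ws-...), not the workspace name.
    if not workspace_id.startswith("ws-"):
        raise ValueError("expected a workspace ID (ws-...), not a workspace name")
    payload = {
        "data": {
            "type": "runs",
            # plan-only=True queues a speculative plan that cannot be applied,
            # a safe default for automation that should not change infrastructure.
            "attributes": {"message": message, "plan-only": plan_only},
            "relationships": {
                "workspace": {"data": {"type": "workspaces", "id": workspace_id}}
            },
        }
    }
    return urllib.request.Request(
        f"{API_BASE}/runs",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/vnd.api+json",
        },
    )


def queue_run(workspace_id, message):
    """Send the request and return the ID of the queued run."""
    # The token is read from the environment so it never lands in source or VCS.
    token = os.environ["TFC_TOKEN"]  # hypothetical variable name
    req = build_run_request(workspace_id, message, token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["id"]
```

Use a team or workspace-scoped API token for pipelines rather than a personal user token, so the credential carries only the access the automation needs.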

Terraform Cloud Getting Started (Tutorial)

Let's walk through a simple tutorial to create a workspace and run a basic configuration using the VCS-driven workflow.

Prerequisites:

  • A Terraform Cloud account and organization.
  • A GitHub account (or GitLab/Bitbucket).

Steps:

  1. Create a New Repository on GitHub:
    • Go to GitHub and create a new public or private repository (e.g., terraform-cloud-demo).
    • Create a file named main.tf in this repository with the following content:

      terraform {
        required_providers {
          random = {
            source  = "hashicorp/random"
            version = "~> 3.1"
          }
        }
      }

      resource "random_pet" "this" {
        length = 2
      }

      output "pet_name" {
        value = random_pet.this.id
      }

    • Commit this file to the main branch.
  2. Create a New Workspace in Terraform Cloud:
    • In your Terraform Cloud organization, click on "New workspace."
    • Choose the "Version control workflow."
    • Connect to your VCS provider (GitHub). You might need to authorize Terraform Cloud.
    • Select the terraform-cloud-demo repository you just created.
    • Configure the workspace:
      • Workspace Name: my-first-workspace (or any name you prefer).
      • Terraform Working Directory: Leave blank if main.tf is in the root.
      • VCS branch: main (or your default branch).
      • Automatic Speculative Plans: Keep this checked.
    • Click "Create workspace."
  3. Queue a Plan:
    • Once the workspace is created, Terraform Cloud will automatically detect the configuration and queue a plan.
    • Alternatively, you can go to the "Runs" tab and click "Queue plan."
  4. Review and Apply the Plan:
    • Terraform Cloud will execute the terraform plan. You'll see the output in the UI.
    • It will show that one resource (random_pet.this) will be created.
    • If the plan looks good, click "Confirm & Apply."
    • Add a comment (optional) and click "Confirm Plan."
    • Terraform Cloud will now execute terraform apply.
  5. Check the Output:
    • Once the apply is complete, go to the "States" tab. You can see the current state.
    • Go to the "Outputs" tab. You should see the pet_name output with a randomly generated name.
  6. Make a Change and Observe:
    • Go back to your GitHub repository and edit main.tf. For example, change the length in random_pet:

      resource "random_pet" "this" {
        length = 3 // Changed from 2 to 3
      }

    • Commit the change to the main branch.
    • Terraform Cloud will automatically detect this change and queue a new plan.
    • Review and apply this new plan. You'll see the random_pet resource being updated.

Congratulations! You've successfully set up a VCS-driven workflow with Terraform Cloud.

Publishing a Module to the Private Registry with Terraform Cloud

The private module registry allows you to share and version modules within your organization.

Module Structure Requirements:

Your module repository needs a specific structure and tagging for Terraform Cloud to recognize it as a module.

  • Repository Name: Must follow the format terraform-<PROVIDER>-<NAME>, e.g., terraform-aws-vpc.
  • Tags: Use semantic versioning for your tags (e.g., v1.0.0, v1.0.1).

Standard Module Structure:

.
├── main.tf
├── variables.tf
├── outputs.tf
├── README.md
└── versions.tf (optional, for provider versions)

Steps to Publish:

  1. Prepare Your Module Repository:
    • Ensure your module code is in a VCS repository (e.g., GitHub) and follows the naming and structure conventions.
    • Tag a release (e.g., git tag v1.0.0 and git push origin v1.0.0).
  2. Add the Module to the Registry in Terraform Cloud:
    • In Terraform Cloud, navigate to "Registry" in the main navigation.
    • Click "Publish" and select "Module."
    • Select your VCS provider and the repository containing your module.
    • Terraform Cloud will validate the module structure and tags.
    • If successful, it will display the module versions it found.
    • Click "Publish module."
  3. Using the Private Module:
    • Once published, you can reference this module in your Terraform configurations within the same Terraform Cloud organization:

      module "my_vpc" {
        source  = "app.terraform.io/<YOUR_ORG_NAME>/vpc/aws" // Format: <HOSTNAME>/<ORGANIZATION>/<NAME>/<PROVIDER>
        version = "~> 1.0.0"

        # ... other module inputs
      }

    • <YOUR_ORG_NAME> is your Terraform Cloud organization name.
    • <NAME> is the name part from your module repository (e.g., vpc from terraform-aws-vpc).
    • <PROVIDER> is the provider part (e.g., aws).
    • The app.terraform.io hostname prefix is required for private registry modules; a source without a hostname is resolved against the public Terraform Registry.
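A pre-publish check for the naming, tagging and layout rules in this section, as an added example (not part of the original page or HashiCorp tooling). It also derives the private registry address, which is prefixed with the app.terraform.io hostname and swaps the order of the name and provider segments relative to the repository name. The regular expressions are an interpretation of the stated rules, and the repository, tags and organization used with it are constructed.

```python
import re

# Interpretation of the page's rules; the exact character classes are assumptions.
REPO_RE = re.compile(r"^terraform-(?P<provider>[a-z0-9]+)-(?P<name>[a-z0-9][a-z0-9-]*)$")
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
REQUIRED_FILES = {"main.tf", "variables.tf", "outputs.tf", "README.md"}
REGISTRY_HOST = "app.terraform.io"


def check_module(repo_name, tags, files, org):
    """Return (errors, source, versions) for a candidate module repository."""
    errors = []
    source = None

    m = REPO_RE.match(repo_name)
    if m:
        # Repo name is terraform-<PROVIDER>-<NAME>; the registry address
        # reverses the order to <NAME>/<PROVIDER>.
        source = f"{REGISTRY_HOST}/{org}/{m['name']}/{m['provider']}"
    else:
        errors.append(f"repository name {repo_name!r} is not terraform-<PROVIDER>-<NAME>")

    # Only semantic-version tags count as releases; other tags are ignored.
    versions = []
    for tag in tags:
        t = TAG_RE.match(tag)
        if t:
            versions.append(tuple(int(part) for part in t.groups()))
    if not versions:
        errors.append("no semantic-version tag (e.g. v1.0.0) found")

    missing = sorted(REQUIRED_FILES - set(files))
    if missing:
        errors.append("missing files: " + ", ".join(missing))

    # Sort numerically so 1.10.0 orders after 1.2.0.
    versions.sort()
    return errors, source, [".".join(map(str, v)) for v in versions]


if __name__ == "__main__":
    # Constructed sample input.
    print(check_module(
        "terraform-aws-vpc",
        ["v1.0.0", "v1.0.1"],
        ["main.tf", "variables.tf", "outputs.tf", "README.md"],
        "example-org",
    ))
```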

Terraform Cloud Alternatives

While Terraform Cloud is a powerful offering from HashiCorp, several alternatives provide similar or specialized functionality:

  • Scalr: The most similar Terraform Cloud alternative, and effectively a drop-in replacement. It supports Terraform and OpenTofu. Offers features like policy as code (OPA), drift detection, and custom workflows.
  • Env0: An IaC automation platform focusing on self-service infrastructure for developers. Supports Terraform, Terragrunt, and other IaC tools. Provides cost management and governance features.
  • Atlantis: An open-source tool that automates Terraform pull request workflows via webhooks. It runs as a standalone application and comments on pull requests with terraform plan output, allowing you to apply from the PR comments.
  • Terrateam: Similar to Atlantis, Terrateam provides GitOps for Terraform, allowing teams to collaborate on Terraform changes through pull requests. It's a SaaS offering.
  • Jenkins/GitLab CI/GitHub Actions (with custom setup): You can always build your own Terraform automation pipelines using general-purpose CI/CD tools. This offers maximum flexibility but requires more setup and maintenance effort for state management, locking, and collaboration features.

Each alternative has its strengths and weaknesses, and the best choice depends on your specific requirements, team size, and existing toolchain.

Conclusion

Terraform Cloud significantly enhances the experience of using Terraform, especially for teams. By providing managed remote state, collaborative workflows, VCS integration, and governance features, it addresses many of the operational challenges associated with managing infrastructure as code at scale. Whether you're a small team just starting or a large enterprise with complex needs, Terraform Cloud (or its self-hosted counterpart, Terraform Enterprise) offers a robust platform to build, manage, and evolve your infrastructure reliably and efficiently.