Terraform
HCP Terraform Plans and Features
HCP Terraform is a platform that performs Terraform runs to provision infrastructure, either on demand or in response to various events. Unlike a general-purpose continuous integration (CI) system, it is deeply integrated with Terraform's workflows and data, which allows it to make Terraform significantly more convenient and powerful.
Hands On: Try our What is HCP Terraform - Intro and Sign Up tutorial.
Free and Paid Plans
HCP Terraform is a commercial SaaS product developed by HashiCorp. Many of its features are free for small teams, including remote state storage, remote runs, and VCS connections. We also offer paid plans for larger teams that include additional collaboration and governance features.
HCP Terraform manages plans and billing at the organization level. Each HCP Terraform user can belong to multiple organizations, which might subscribe to different billing plans. The set of features available depends on which organization you are currently working in.
Refer to Terraform pricing for details about available plans and their features.
Free Organizations
Small teams can use most of HCP Terraform's features for free, including remote Terraform execution, VCS integration, the private module registry, single-sign-on, policy enforcement, run tasks, and more.
Free organizations are limited to 500 managed resources. Refer to What is a managed resource for more details.
Paid Features
Some of HCP Terraform's features are limited to particular paid upgrade plans.
Each higher paid upgrade plan is a strict superset of any lower plans — for example, the Plus edition includes all of the features of the Standard edition. Paid feature callouts in the documentation indicate the lowest edition at which the feature is available, but any higher plans also include that feature.
Terraform Enterprise generally includes all of HCP Terraform's paid features, plus additional features geared toward large enterprises. However, some features are implemented differently due to the differences between self-hosted and SaaS environments, and some features might be absent due to being impractical or irrelevant in the types of organizations that need Terraform Enterprise. Cloud-only or Enterprise-only features are clearly indicated in documentation.
Changing Your Payment Plan
Organization owners can manage an organization's billing plan. The plan and billing settings include an integrated storefront, and you can subscribe to paid plans with a credit card.
To change an organization's plan:
- Click Settings in the navigation bar.
- Click Plan and billing. The Plan and Billing page appears showing your current plan and any available invoices.
- Click Change plan.
- Select a plan, enter your billing information, and click Update plan.
Terraform Workflow
HCP Terraform runs Terraform CLI to provision infrastructure.
In its default state, Terraform CLI uses a local workflow, performing operations on the workstation where it is invoked and storing state in a local directory.
Since teams must share responsibilities and awareness to avoid single points of failure, working with Terraform in a team requires a remote workflow. At minimum, state must be shared; ideally, Terraform should execute in a consistent remote environment.
HCP Terraform offers a team-oriented remote Terraform workflow, designed to be comfortable for existing Terraform users and easily learned by new users. The foundations of this workflow are remote Terraform execution, a workspace-based organizational model, version control integration, command-line integration, remote state management with cross-workspace data sharing, and a private Terraform module registry.
Remote Terraform Execution
HCP Terraform runs Terraform on disposable virtual machines in its own cloud infrastructure by default. You can leverage HCP Terraform agents to run Terraform on your own isolated, private, or on-premises infrastructure. Remote Terraform execution is sometimes referred to as "remote operations."
Remote execution helps provide consistency and visibility for critical provisioning operations. It also enables powerful features like Sentinel policy enforcement, cost estimation, notifications, version control integration, and more.
- More info: Terraform Runs and Remote Operations
Support for Local Execution
Remote execution can be disabled on specific workspaces with the "Execution Mode" setting. The workspace will still host remote state, and Terraform CLI can use that state for local runs via the HCP Terraform CLI integration.
Organize Infrastructure with Projects and Workspaces
Terraform's local workflow manages a collection of infrastructure with a persistent working directory, which contains configuration, state data, and variables. You can use separate directories to organize infrastructure resources into meaningful groups, and Terraform will use the configuration in the directory you invoke Terraform commands from.
HCP Terraform organizes infrastructure into projects and workspaces instead of directories. Each workspace contains everything necessary to manage a given collection of infrastructure, and Terraform uses that content when it runs in the context of that workspace.
You can use projects to organize your workspaces into groups. Organizations with HCP Terraform Standard Edition can assign teams permissions for specific projects.
This lets you grant access to collections of workspaces instead of using workspace-specific or organization-wide permissions, making it easier to limit access to only the resources required for a team member's job function.
Refer to Workspaces and Organizing Workspaces with Projects for more details.
Remote State Management, Data Sharing, and Run Triggers
HCP Terraform acts as a remote backend for your Terraform state. State storage is tied to workspaces, which helps keep state associated with the configuration that created it.
HCP Terraform also enables you to share information between workspaces with root-level outputs. Separate groups of infrastructure resources often need to share a small amount of information, and workspace outputs are an ideal interface for these dependencies.
Workspaces that use remote operations can use terraform_remote_state
data sources to access other workspaces' outputs, subject to per-workspace access controls. And since new information from one workspace might change the desired infrastructure state in another, you can create workspace-to-workspace run triggers to ensure downstream workspaces react when their dependencies change.
- More info: Terraform State in HCP Terraform, Run Triggers
Version Control Integration
Like other kinds of code, infrastructure-as-code belongs in version control, so HCP Terraform is designed to work directly with your version control system (VCS) provider.
Each workspace can be linked to a VCS repository that contains its Terraform configuration, optionally specifying a branch and subdirectory. HCP Terraform automatically retrieves configuration content from the repository, and will also watch the repository for changes:
- When new commits are merged, linked workspaces automatically run Terraform plans with the new code.
- When pull requests are opened, linked workspaces run speculative plans with the proposed code changes and post the results as a pull request check; reviewers can see at a glance whether the plan was successful, and can click through to view the proposed changes in detail.
VCS integration is powerful, but optional; if you use an unsupported VCS or want to preserve an existing validation and deployment pipeline, you can use the API or Terraform CLI to upload new configuration versions. You'll still get the benefits of remote execution and HCP Terraform's other features.
- More info: VCS-driven Runs
- More info: Supported VCS Providers
Command Line Integration
Remote execution offers major benefits to a team, but local execution offers major benefits to individual developers; for example, most Terraform users run terraform plan
to interactively check their work while editing configurations.
HCP Terraform offers the best of both worlds, allowing you to run remote plans from your local command line. Configure the HCP Terraform CLI integration, and the terraform plan
command will start a remote run in the configured HCP Terraform workspace. The output of the run streams directly to your terminal, and you can also share a link to the remote run with your teammates.
Remote CLI-driven runs use the current working directory's Terraform configuration and the remote workspace's variables, so you don't need to obtain production cloud credentials just to preview a configuration change.
The HCP Terraform CLI integration also supports state manipulation commands like terraform import
or terraform taint
.
Note: When used with HCP Terraform, the terraform plan
command runs speculative plans, which preview changes without modifying real infrastructure. You can also use terraform apply
to perform full remote runs, but only with workspaces that are not connected to a VCS repository. This helps ensure that your VCS remains the source of record for all real infrastructure changes.
- More info: CLI-driven Runs
Private Registry
Even small teams can benefit greatly by codifying commonly used infrastructure patterns into reusable modules.
Terraform can fetch providers and modules from many sources. HCP Terraform makes it easier to find providers and modules to use with a private registry. Users throughout your organization can browse a directory of internal providers and modules, and can specify flexible version constraints for the modules they use in their configurations. Easy versioning lets downstream teams use private modules with confidence, and frees upstream teams to iterate faster.
The private registry uses your VCS as the source of truth, relying on Git tags to manage module versions. Tell HCP Terraform which repositories contain modules, and the registry handles the rest.
- More info: Private Registry
Integrations
In addition to providing powerful extensions to the core Terraform workflow, HCP Terraform makes it simple to integrate infrastructure provisioning with your business's other systems.
Full API
Nearly all of HCP Terraform's features are available in its API, which means other services can create or configure workspaces, upload configurations, start Terraform runs, and more. There's even a Terraform provider based on the API, so you can manage your HCP Terraform teams and workspaces as a Terraform configuration.
- More info: API
Notifications
HCP Terraform can send notifications about Terraform runs to other systems, including Slack and any other service that accepts webhooks. Notifications can be configured per-workspace.
- More info: Notifications
Run Tasks
Run Tasks allow HCP Terraform to execute tasks in external systems at specific points in the HCP Terraform run lifecycle.
There are several partner integrations already available, or you can create your own based on the API.
- More info: Run Tasks
Access Control and Governance
Larger organizations are more complex, and tend to use access controls and explicit policies to help manage that complexity. HCP Terraform's paid upgrade plans provide extra features to help meet the control and governance needs of large organizations.
- More info: Free and Paid Plans
Team-Based Permissions System
With HCP Terraform's team management, you can define groups of users that match your organization's real-world teams and assign them only the permissions they need. When combined with the access controls your VCS provider already offers for code, workspace permissions are an effective way to follow the principle of least privilege.
- More info: Users, Teams, and Organizations
Policy Enforcement
BEGIN: TFC:only name:pnp-callout
Note: HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
END: TFC:only name:pnp-callout
Policy-as-code lets you define and enforce granular policies for how your organization provisions infrastructure. You can limit the size of compute VMs, confine major updates to defined maintenance windows, and much more.
You can use the Sentinel and the Open Policy Agent (OPA) policy-as-code frameworks to define policies. Depending on the settings, policies can act as advisory warnings, firm requirements that prevent Terraform from provisioning infrastructure, or soft requirements that your compliance team can bypass when appropriate.
Refer to Policy Enforcement for details.
Cost Estimation
Before making changes to infrastructure in the major cloud providers, HCP Terraform can display an estimate of its total cost, as well as any change in cost caused by the proposed updates. Cost estimates can also be used in Sentinel policies to provide warnings for major price shifts.
- More info: Cost Estimation