HashiCorp has been busy over the last few weeks with plenty of interesting announcements and updates. One of the more exciting announcements was related to an update on Terraform Cloud. TFC, as we know, is a cloud-based platform for managing infrastructure as code and collaboration on provisioning, deploying, and updating resources.
There are now three tiers of Terraform Cloud the Free tier is free for up to 500 resources for all time; the standard tier is free for the first 500 resources and charged at a very reasonable $0.00014 per subsequent resource per hour thereafter. To put this into perspective, that is less than a third of a cent (US) daily or $1.23 a year. One definition that I feel is important here is what exactly is considered a resource to Terraform Cloud for billing purposes. This is quite simple. According to their developer site, “a “Managed Resource” or a “Resources Under Management (RUM)” is a resource in a Terraform-Cloud-managed state file where mode = “managed””. Therefore, Hashicorp will bill a resource per hour for every hour of its existence in any billing month. The final TFC tier is the Plus version, akin to the old Business and Teams version.
The free tier was always valuable, supporting global variables and enhanced remote state management capabilities. Still, with this update, it has been vastly improved, with a focus on security.
The Free Tier now includes everything needed to use Terraform in a team setting, including, as already stated, remote state, remote runs, private registry, secure variables, dynamic provider credentials, and security features that provide a robust security posture from the start. However, the new features added to the free tier take it to a new level, enhancing security with single sign-on (SSO) capabilities, Policy as Code, Run Tasks and the Terraform Cloud Agent.
We will discuss these additions in detail and explain how they enhance the capabilities of TFC; then, we will see how it now compares to one of its significant competitors Env-0.
SSO
The Free tier now allows the configuration of SAML single sign-on (SSO) per organisation, an alternative to traditional user management. This addition enables the integration of TFC into a corporate AD and Okta domain or any other customer SAML provider. Review the following webpage for a deeper dive into the capabilities this opens up: Single Sign-on – Terraform Cloud | Terraform | HashiCorp Developer.
Policy as code with HashiCorp Sentinel and OPA
From earlier posts, you will remember that Hashicorp Sentinel and Open Policy Agent (OPA) are policy-as-code frameworks that can be used with Terraform Cloud to define fine-grained, logic-based policies1. These policies can act as advisory warnings or firm requirements that prevent Terraform from provisioning infrastructure. However, previously Sentinel was only available in the higher editions or the standalone Enterprise version. Sentinel allows the definition of policies using the Sentinel policy language, and imports are used to parse the Terraform plan, state, and configuration1. With OPA, policies are defined using the Rego policy language1. One thing to note is that OPA Policies, unlike Sentinel policies, require a Terraform Cloud Agent to be evaluated.
Terraform Cloud Free Edition includes one policy set of up to five policies. This may seem a little low, but it is a massive improvement over no capability.
Run Tasks
One of the oblique side effects of granting access to Sentinel and Open Policy Agents is that it automatically gives access to Run Tasks. What are Run Tasks? Run Tasks allow direct integration with third-party tools and services at certain stages in the Terraform Cloud run lifecycle. These will enable run tasks to validate Terraform configuration files, verify and inspect execution plans before applying them, scan for security vulnerabilities, or perform other custom actions.
The addition sounds excellent; however, you only get one run task per workspace with the free tier; this means that it is either OPA or Sentinel; if you want to use a packer integration as a run task, you cannot assign a sentinel or OPA policy.
Terraform Cloud Agent
Of all the additions to the free tier, Terraform Cloud Agent excites me the most. Terraform Cloud can use TCAs to connect to isolated, private, or on-premises infrastructure. In addition, you can build a simple link between your environment and Terraform Cloud by deploying lightweight agents within a specified network segment, allowing for provisioning operations and maintenance. This is ideal for on-premises infrastructure types like vSphere, Nutanix, OpenStack, enterprise networking providers, and anything else in a protected enclave.
These enhancements to Terraform Cloud make even the free tier a robust and flexible platform for administering infrastructure as code and collaborating on it in the cloud. It is also superior to env-0 in terms of features, compatibility, and adaptability. Try out Terraform Cloud if you’re searching for a free platform that can help you automate infrastructure workflows and ensure infrastructure compliance.
How does Terraform Cloud compare to Env-0, another platform with comparable capabilities?
Env-0 is a cloud-based platform that enables users to provision and administer ephemeral application environments using infrastructure as code tools such as Terraform. Env-0 also provides a free plan with unrestricted environments, runs, and users for teams with up to five members.
Looking at the image above, it seems that the two offerings have similar capabilities. However, there are significant distinctions between TFC and Env-0 that may influence your choice of platform. Here are some examples:
- Terraform Cloud supports any cloud provider or service with a Terraform provider, for example, VMware on Premises, Nutanix and even Cisco UCS, whereas env-0 free tier only directly supports the three hyperscalers of AWS, Azure, and GCP; Env-0 can indeed support VMware platforms; however, it needs a self-hosted agent to act as a pass-through agent, which of course is not a part of the feature set of their free tier.
- Terraform Cloud supports state locking, which prevents concurrent processes from modifying the same state file and causing errors or conflicts. Env-0 lacks support for state locking.
- Terraform Cloud supports Sentinel policies, which enable users to define and enforce infrastructure-specific norms and policies. Env-0 does not implement Sentinel policies; it does, however, support OPA.
- Terraform Cloud supports GitHub Actions integration, enabling users to initiate Terraform deployments within their GitHub workflows. Env-0 does not support such integration with GitHub Actions.
- But to me, the lack of ability of the free Tier of Env-0 to be able to utilise SAML to provide a standard single sign-on process is the most significant gap between Env-0 and TFC.
To sum up, Hashicorp’s enhancements to the free tier of Terraform Cloud have made it a robust and flexible platform for administering infrastructure as code and collaborating on IaC in the cloud. TFC is also superior to Env-0 regarding features, compatibility, and adaptability. I urge you to try out Terraform Cloud if you’re searching for a free platform to help you automate infrastructure workflows and ensure infrastructure compliance.
