Terraform is almost ubiquitous in the Infrastructure-as-Code market. It can be used to deploy virtual machines, container images, networking and storage constructs, and even to deploy to bare-metal servers and deploy serverless functions. Best of all, it is free, and there is a massive community of Terraform users sharing their solutions to common and difficult problems in their Git repositories and blog posts. HashiCorp has two Terraform editions that provide additional functions and capabilities available only on those platforms: HashiCorp Enterprise and Terraform Cloud.
Now, the above statement is not entirely true, as there is a free version of Terraform Cloud, but it is fairly limited compared to the costed versions; more about this later. Terraform Enterprise is for those that have a requirement to keep their deployments self-hosted (on-prem or in the cloud). This version is an installable product that runs in your data center on a dedicated Linux instance. So what exactly do you get for your money? The table below compares the features of the various Cloud and Enterprise editions of Terraform against the OSS version.
Feature | OSS | Cloud (Free) | Cloud (Team & Governance) | Cloud (Business) | Self-Hosted (Enterprise) |
IaC | Yes | Yes | Yes | Yes | Yes |
Workspaces | Yes | Yes | Yes | Yes | Yes |
Variables | Yes | Yes | Yes | Yes | Yes |
Runs (plan & apply) | Yes | Yes | Yes | Yes | Yes |
Resource Graph | Yes | Yes | Yes | Yes | Yes |
Providers | Yes | Yes | Yes | Yes | Yes |
Module | Yes | Yes | Yes | Yes | Yes |
Public Module Library | Yes | Yes | Yes | Yes | Yes |
The first set of features are the same as those that we know and love from the free version. So we are not going to discuss those.
Differences between Cloud, Enterprise and OSS versions
Terraform Cloud is HashiCorp’s SaaS-based version of Terraform. It runs on disposable virtual machine instances that are deployed in HashiCorp's own cloud infrastructure, whereas Terraform Enterprise is a private implementation that is deployed on Linux machines, either on-premises or on instances deployed in your public cloud provider.
Cloud (Free) and Enterprise features
If you are already working in a collaborative manner, you may already be using Terraform Cloud, as there is a free version. If you are not, why not? The benefits are laid out below, and there are many of them for a very good price point.
Collaborative Infrastructure as Code (IaC) | OSS | Cloud (Free) | Cloud (Team & Governance) | Cloud (Business) | Self-Hosted (Enterprise) |
Remote State | | Yes | Yes | Yes | Yes |
VCS Connection | | Yes | Yes | Yes | Yes |
Workspace Management | | Yes | Yes | Yes | Yes |
Secure Variable Storage | | Yes | Yes | Yes | Yes |
Remote runs | | Yes | Yes | Yes | Yes |
Private Module Registry | | Yes | Yes | Yes | Yes |
As can be seen from the table above, even the free entry-level version of Terraform Cloud adds many features that allow for better collaboration between teams of coders. When building code in teams, a centralized and remote state file is an absolute minimum to aid consistency in deployments, a common target, and a single source of truth. Yes, this can be done without using the Cloud edition, as we showed in our article on creating resilient Terraform Code.
Where Terraform Cloud Free edition excels is in bringing a team-based culture to your Infrastructure as Code deployments. It introduces concepts such as remote Terraform execution, meaning that all deployments are done from a centralized location (again, a single common truth), and a code organization based on a workspace model, in which projects are delineated into separate, complete and independent entities.
Another key benefit of the free version is the ability to link into your favorite code repository and a private Terraform module registry. They enable multiple team members to work on separate code streams within a project and merge the changes back into the core project in a structured way, with a simple rollback path.
Private module repositories allow a single source of truth for your module code to be accessible across multiple workspaces and projects, lowering the chances of differences and thereby increasing your code stability.
Cloud (Team & Governance) and Enterprise
The next edition of Cloud enterprise is the Team and Governance edition. This version includes all the features of the open-source version and the free edition of Terraform Cloud.
Team Management & Governance | OSS | Cloud (Free) | Cloud (Team & Governance) | Cloud (Business) | Self-Hosted (Enterprise) |
Team Management | | | Yes | Yes | Yes |
Sentinel Policy as Code Management | | | Yes | Yes | Yes |
Cost Estimation | | | Yes | Yes | Yes |
Team Management is a sub-feature of Workspace management. With this feature, Workspace Admins can manage the access levels of Cloud users by creating teams based on the organizational structure of their company. These teams are granted permissions based on Organizations that reflect coding responsibilities or operational responsibilities, for example:
- Manage Policies
- Manage Workspaces
- Manage VCS Settings
The second feature of this edition is Cost Estimation. This is an excellent feature that provides a best-guess estimate of the costs associated with your code deployment in a workspace.
The final feature is the money button: Sentinel Policy as Code. This is a policy-as-code framework that is embedded into both the Cloud and Enterprise editions. It allows fine-grained, logic-based decisions to be made based on defined rules. So you can define that if you are deploying to Dev, then none of your EC2 build instances can be bigger than size XXX, or your EKS container images can deploy no bigger than the YYY; if any attempt is made to build a bigger instance, the run will fail. It can even be used to enforce CIS Benchmarks and other compliance frameworks.
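As an added illustration (not code from this article or from HashiCorp, and written in Python rather than in the Sentinel language), the Dev instance-size rule described above can be evaluated against the JSON form of a plan, as produced by `terraform show -json`. The allow-list, the environment name and the sample plan are constructed assumptions, since the article leaves the actual size limit open.

```python
import json

# Assumed allow-list for "dev"; the article does not name the real size limit.
ALLOWED_DEV_INSTANCE_TYPES = {"t3.micro", "t3.small"}

# Constructed excerpt shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "aws_instance.web", "mode": "managed", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {"instance_type": "t3.small"}}},
    {"address": "aws_instance.build", "mode": "managed", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {"instance_type": "m5.4xlarge"}}},
    {"address": "aws_instance.old", "mode": "managed", "type": "aws_instance",
     "change": {"actions": ["delete"], "after": null}},
    {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "example-logs"}}},
    {"address": "aws_instance.db", "mode": "managed", "type": "aws_instance",
     "change": {"actions": ["update"], "after": {},
                "after_unknown": {"instance_type": true}}}
  ]
}
""")

def violations(plan, environment, allowed=ALLOWED_DEV_INSTANCE_TYPES):
    """Return (address, reason) for every EC2 instance the rule rejects."""
    if environment != "dev":
        return []  # this example rule only constrains the dev environment
    found = []
    for rc in plan.get("resource_changes", []):
        if rc.get("mode") != "managed" or rc.get("type") != "aws_instance":
            continue
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # deletes and no-ops do not build anything
        itype = (change.get("after") or {}).get("instance_type")
        if itype is None:
            # Value only known at apply time: fail closed instead of passing it.
            found.append((rc["address"], "instance_type unknown at plan time"))
        elif itype not in allowed:
            found.append((rc["address"], f"instance_type {itype} not allowed in dev"))
    return found

def run_passes(plan, environment):
    """Mirror the policy outcome: a single violation fails the run."""
    return not violations(plan, environment)
```

In Terraform Cloud or Enterprise the equivalent rule would be written as a Sentinel policy and attached to the workspace, so the check runs between plan and apply without a separate script.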
Terraform Cloud (Business) and Enterprise.
Again, building on the features of the OSS version and the Free and Team & Governance editions of Terraform Cloud, the Business edition extends the Governance basics introduced in the previous edition. If you look at the table below, there appears to be a feature that is a part of TFC that is not replicated in Enterprise; more about this later.
Advanced Security, Compliance and Governance | OSS | Cloud (Free) | Cloud (Team & Governance) | Cloud (Business) | Self-Hosted (Enterprise) |
Single Sign on (SSO) | | | | Yes | Yes |
Audit Logging | | | | Yes | Yes |
Self-Hosted Agents | | | | Yes | |
The first feature of the Business edition is the ability to integrate your corporate identity provider to provide a seamless login process for your team members. Currently, TFC and Enterprise support the following Identity Providers:
- Microsoft Azure AD
- Okta
- SAML
Most Identity providers support one of those three options so the 80/20 rule applies.
Audit logging provides an additional level of visibility with regards to Governance and is an absolute must to enable a forensic investigation after an incident or even when attempting a deep dive when troubleshooting an issue. This is presented in the form of an API service called Audit Trails.
The final feature to be discussed here is Self-Hosted Agents. This is a Terraform Cloud-only feature that allows Terraform Cloud Business to effectively see into private data centers, using a self-hosted agent. The best way to think about this is as a reverse VPN from your Terraform Cloud instance into your private environment, so that your remote code can run against locally deployed infrastructure without having to modify any ingress traffic access rules. As to why this feature is not available in the Enterprise version, the simple reason is that it makes no sense: Terraform Enterprise is a fully private deployment, deployed within the confines of your existing infrastructure and fully under your control.
Performance features on Terraform Cloud and Enterprise
Performance Operations | OSS | Cloud (Free) | Cloud (Team & Governance) | Cloud (Business) | Self-Hosted (Enterprise) |
Concurrent Runs | | One only | Up to 2 | Yes | Yes |
Operations | Local CLI | Cloud | Cloud | Cloud | Private |
With Enterprise, the number of concurrent runs (i.e. deployments that can be undertaken by your organization) is dependent on the level of your subscription in the Cloud edition. One other key point is the operational method: with the free OSS version, Terraform can only be interacted with from the CLI, and there is no graphical interface. This only becomes available with Cloud or Enterprise.
Terraform Cloud and Enterprise support options
Support | OSS | Cloud (Free) | Cloud (Team & Governance) | Cloud (Business) | Self-Hosted (Enterprise) |
Community | Yes | Yes | | | |
Bronze | | | Yes | Yes | Yes |
Silver | | | | Yes | Yes |
Gold | | | | Yes | Yes |
On paper, the above table lays out the support options in a fairly simple manner. Users of the open-source version and the free version of TFC get community help only, so effectively the HashiCorp community: the forum, user groups, etc. With the paid versions of TFC and Enterprise, there are three tiers of support available to customers: the traditional Bronze, Silver and Gold editions. One thing to note is that if you do not have a Business or Enterprise license, you are limited to Bronze-level support.
For a full outline of the support features see the table below.
This means that those who are not paying for Team & Governance or above will only receive email-based support, and support for Team & Governance is limited to the Bronze tier.
Summary
Hopefully, this has been a good overview of the benefits of the paid versions of Terraform. This is the first of a set of posts that will delve deeper into the usage of Terraform Cloud's features, using the venerable LAMP stack code from our first series of posts. The next one in this series will discuss moving your state file to Terraform Cloud.