Terraform Series - What enhancements does Terraform Cloud have over Terraform OSS?

Series of articles

👉 Terraform series of articles

preface

Recently using Always Free Tier to provision OCI with Terraform Cloud, I found it to be very easy to use, and it is much more worry-free than Terraform OSS.

Let’s also summarize and learn: what enhancements does Terraform Cloud have over Terraform OSS, which customers are these enhancements for, and what pain points are solved?

This can serve as our experience in developing our own IaC cloud platform based on Terraform.

Features of Terraform OSS

The features of Terraform OSS are already available Previous article Ree has been introduced.

Here is another repeat:

• IaC
• Workspace
• variable
• Run - Schedule and apply
• Resource graph
• vendor
• module
• registry
• Declarative programming
• Cloud agnostic
• Highly expressive and highly scalable
• Work together (requires further configuration)
• Lifecycle management
• Test
• HCL
• Security and key management (requires further configuration)

Introduction to Terraform Cloud

Terraform Cloud is HashiCorp’s SaaS-based version of Terraform.

Terraform Cloud, of course, is used for all of the above features of Terraform OSS.

Terraform Cloud vs. Terraform OSS

What enhancements does Terraform Cloud have over Terraform OSS? The details are as follows:

IaC enhancements

• Remote State: Terraform Cloud comes with out-of-the-box backend, making it easy to manage remote states, ensuring deployment consistency, shared goals, and a single source of truth
• VCS connection: Terraform Cloud connects VCS such as Github and can use VCS + Terraform seamlessly. Enable multiple team members to work on separate code flows in a project and merge changes back into the core project in a structured manner with a simple rollback path.
• Workspace management: Terraform Cloud provides richer workspace management capabilities and UI
• Security and key management: Terraform Cloud is based on Terraform VaultWorks right out of the boxStorage of security variables (security and keys).
• Remote operation and status: Terraform Cloud supports local and remote running, remote operation does not need to install Terraform, directly use Terraform provided by Terraform Cloud. This means that all deployments are done from a centralized location
• Private module registry: Private module repositories allow access to a single source of truth for module code across multiple workspaces and projects, reducing the possibility of discrepancies and thus improving code stability.

△ Remote State

VCS (GitHub) connection

△ Workspace management

△ Security and key management

△ Remote operation

△ Running status

△ Private module registry

Team management enhancements

• Team management: Team management is a sub-feature of workspace management that enables workspace administrators to manage access levels for cloud users by creating teams based on their company’s organizational structure. These teams are granted permissions based on organizations that reflect coding responsibilities or operational responsibilities, such as: manage policies, manage workspaces, manage VCS settings
• Cost estimates: Provides the best estimate of the cost estimate associated with code deployment in the workspace. It will clearly show how many dollars of overhead will be added/decreased by this run.
• Policy as code: Integration with HashiCorp Sentinel to automate governance, security, and compliance-based policy provisioning. Sentinel is an embeddable framework for policies and code. For example, you can define that if you are deploying to Dev, none of your EC2 build instances can be larger than size XXX, and if you attempt to build a larger instance, the run will fail. It can also be used to enforce CIS benchmarks and other compliance frameworks.
• Configure the designer: GUI-based workflow for selecting, combining, defining variables, and creating unique workspaces. Reduce the mental burden on developers to use by developers to build configurations from predefined IaC modules; On-demand provisioning.

△ Team management

△ Cost estimate

△ Strategy as code

△ Configuration designer

Security/compliance/governance enhancements

• Single sign-on (SSO): Integrate with your enterprise identity provider to provide a seamless sign-in process for your team members. Currently, Terraform Cloud supports the following identity providers:
  • Azure AD
  • Okta
  • SAML
• Audit logs: It is absolutely necessary to enable forensic investigations after an incident or even when trying to drill down while solving a problem.
• Self-hosted proxy: Allows Terraform Cloud businesses to efficiently view private data centers using self-hosted agents.

△ SSO

Summarize the thoughts 🤔

Q: If we want to make an internal IaC cloud service based on Terraform OSS, what features should we enhance?
A: You need to start from the following aspects:

1. Enhance the functionality and experience of Terraform
   1. Provides out-of-the-box backend and Remote State based on S3
   2. Provides seamless integration with internal repositories such as GitLab
   3. Develop a friendly UI based on Terraform Workspace, and extend the concepts of environment, project, etc. according to the actual situation of the enterprise
   4. Based on HashiCorp Vault, it provides out-of-the-box security and key management capabilities
   5. Automatically create temporary VMs or pods with Terraform provisioned to run Terraform out of the box on cloud services, without requiring users to run Terraform locally; It also provides a history of the state after each Terraform application
   6. Provides an internal private Terraform Registry
   7. Develop complete and rich API interfaces for integration with other systems within the enterprise, such as DevOps.
2. Rich team management features:
   1. Enrich team management features, settings, and UI
   2. Introduce the FinOps concept: connect with mainstream public cloud fee APIs and estimate costs in the plan stage.
   3. ~~ (Optional) Policies and codes ~~
3. Security/compliance/governance enhancements
   1. Integrate intra-enterprise single sign-on
   2. Develop audit logging functionality
   3. ~~ Self-hosted proxies are not required because they are inside the enterprise ~~

💪💪💪