Feature | Terraform Open Source | Terraform Enterprise (TFE) / Cloud |
Cost | Free | Paid (TFE), Free tier for Terraform Cloud |
UI / Web Console
| ❌ None | ✅ Web-based GUI dashboard |
Collaboration
| Manual (Git, CLI) | ✅ Teams, RBAC, VCS integrations |
Remote State Management
| Manual via S3, etc. | ✅ Built-in and secure |
State Locking
| Manual with backend (e.g., DynamoDB) | ✅ Automatic |
Policy as Code (Sentinel)
| ❌ Not available | ✅ Enforce policies before changes |
Runs / Plans in Browser
| ❌ CLI only | ✅ Web-based plans and apply |
Audit Logging
| ❌ No | ✅ Full audit logs and activity history |
Private Registry
| ❌ Only public module registry | ✅ Custom module and provider registry |
SAML/SSO/LDAP
| ❌ | ✅ Enterprise authentication |
VCS Integration | Manual | ✅ GitHub, GitLab, Bitbucket, Azure Repos |
Notifications (Slack/email)
| ❌ | ✅ Built-in |
Agent Execution (Runner)
| ❌ | ✅ Runs behind firewall with agents |
Drift Detection
| ❌ | ✅ In TFC (Terraform Cloud) |
🧪 Terraform Cloud (TFC) vs Enterprise (TFE)
Feature | Terraform Cloud | Terraform Enterprise |
Hosted by HashiCorp
| ✅ | ❌ (You host it) |
Cost
| Free / Paid tiers | Paid (custom pricing) |
SAML/SSO
| Paid tier only | ✅ Built-in |
Self-managed infrastructure
| ❌ | ✅ Yes |
🏢 Key Terraform Enterprise Features (with Technical Examples)
1. 🔐 Role-Based Access Control (RBAC)
What it does: Lets you define what actions users/teams can perform on specific workspaces.
🔧 Example:
You have two teams:
DevOps Team: Can run plan, apply, manage state.
Developers: Can only view outputs.
In TFE:
You assign:
DevOps → Workspace Admin
Developers → Workspace Read
Benefit: Enforces principle of least privilege.
2. 🧠 Sentinel Policy as Code
What it does: Enforces security/compliance policies before apply, like "no public S3 buckets" or "must tag all resources".
🔧 Example: Block Public S3 Buckets
# policy.sentinel
import "tfplan/v2" as tfplan
main = rule {
all tfplan.resource_changes as rc {
rc.type is "aws_s3_bucket" and
rc.change.after.acl is not "public-read"
}
}
Result: terraform apply fails if someone tries to create a public bucket.
3. 🌐 VCS Integration (GitOps)
What it does: Connects directly with GitHub/GitLab/Bitbucket/Azure Repos. A Git push triggers Terraform run.
🔧 Example:
# You push code to GitHub
git commit -m "Add RDS"
git push origin main
TFE:
Automatically detects change
Runs plan
Waits for approval (if configured)
Applies changes on approval
Benefit: Automates Infra-as-Code with Git-based workflows (CI/CD).
4. 📦 Private Module Registry
What it does: Internal module marketplace for your org. Teams can reuse approved modules.
🔧 Example:
You publish a VPC module:
# In your project
module "vpc" {
source = "app/internal/vpc/aws"
version = "1.2.0"
cidr_block = "10.0.0.0/16"
}
Source points to internal registry.
TFE tracks versioning, ownership, docs.
Benefit: Enforces consistency and reuse.
5. 🗃️ Remote State Management
What it does: Stores state files securely in TFE backend with locking and versioning.
🔧 Example:
No need for S3 + DynamoDB anymore:
terraform {
backend "remote" {
organization = "my-org"
workspaces {
name = "prod-networking"
}
}
}
Benefit: Eliminates manual backend setup. No more state conflicts or corruption.
6. 🔒 State Locking
What it does: Prevents multiple terraform apply actions at the same time on the same workspace.
🔧 Example:
If one user starts an apply, another user trying to do the same will see:
Workspace is locked. Please wait until the previous run completes.
Benefit: Avoids race conditions and broken infrastructure.
7. 📋 Audit Logging
What it does: Tracks all changes — who ran plan, apply, changed variables, created modules, etc.
🔧 Example:
In the TFE UI or logs:
User: abc@abcd.xomm
Action: terraform apply
Workspace: eks-prod
Time: 2025-06-27 13:41 UTC
Changes: 3 resources added, 1 changed
Benefit: Crucial for compliance, forensics, and internal audits.
8. 🔧 Execution Modes & Agents
A. Remote Execution Mode
TFE runs Terraform remotely in a secure environment
You don’t need Jenkins or local runners
B. Agent Execution Mode (for private networks)
You install a TFE agent behind your firewall
It fetches the plan from Terraform Enterprise and applies it inside your VPC
🔧 Example:
EKS module applies only from private subnet
TFE agent in subnet with no internet runs the apply
module "eks" {
source = "git@github.com:corp/modules/eks.git"
cluster_name = "secure-cluster"
}
Benefit: Secure, air-gapped deployments for sensitive infra
9. 🧪 Run Triggers and Workflows
What it does: Automatically trigger downstream workspaces when upstream ones change.
🔧 Example:
# Infra layer
workspace "networking" -> outputs VPC ID
# App layer
workspace "app" depends on "networking"
Any time you change networking, app automatically gets re-applied with updated values.
10. 📥 Variables with Sensitive Marking
What it does: Manage input variables securely via UI or API, with the option to mark them as "sensitive".
🔧 Example:
You add a variable in TFE UI:
Key | Value | Sensitive |
db_pass | MySecretPassword | ✅ |
Terraform CLI won't print this in logs or outputs.
✅ Summary
Feature | Terraform Enterprise Benefit |
RBAC | Enforce team-level access and permissions |
Sentinel | Compliance-as-code (e.g., prevent public infra) |
VCS Integration | GitOps-style workflow |
Private Registry | Module reuse, governance |
Remote State + Locking | Secure, automatic, versioned |
Audit Logging | Track every change for compliance |
Agent Execution | Run Terraform securely behind firewalls |
Run Triggers | Link infra layers for modular orchestration |
No comments:
Post a Comment