Terraform Cloud: A Practical Guide to Collaboration and Governance
Learn advanced Terraform Cloud features for collaboration, governance, and automation, from VCS integration to Sentinel policies.
📋 Prerequisites
- A Terraform Cloud account (Free or Paid tier).
- A version control system (VCS) account (e.g., GitHub, GitLab).
- Strong understanding of the local Terraform CLI workflow (init, plan, apply).
- Basic understanding of cloud provider IAM and authentication.
Why Use Terraform Cloud?
While the Terraform CLI is excellent for individual practitioners, working in a team requires additional capabilities. Terraform Cloud builds on the open-source workflow by providing features essential for collaboration, governance, and security at scale.
💡 Key Benefits Over Open-Source
- Centralized & Secure State Management: Securely stores and encrypts your state files with locking to prevent concurrent applies.
- Consistent Run Environment: Ensures all Terraform runs execute in a consistent, managed environment.
- Collaboration Features: Provides a UI for reviewing plans, adding comments, and managing team permissions.
- Governance & Policy: Enforces security, compliance, and cost policies using Sentinel and cost estimation.
Step 1: Setting Up Your First VCS-Driven Workspace
The most powerful workflow in Terraform Cloud is the VCS-driven workflow, in which your version control system drives every run. This creates a GitOps model where your repository is the source of truth for your infrastructure.
Connect to Your VCS Provider
In your Terraform Cloud organization settings, navigate to Providers and add a new provider for your VCS (e.g., GitHub). Follow the OAuth workflow to grant TFC access to your repositories.
Create a New Workspace
Click New Workspace and select the "Version control workflow." Choose your VCS provider, select the repository containing your Terraform code, and give the workspace a name (e.g., my-app-prod).
Configure Variables
In the new workspace, go to the Variables tab. Add the cloud credentials needed for Terraform to authenticate with your provider (e.g., AWS_ACCESS_KEY_ID). Mark any sensitive values as "Sensitive".
Queue the First Plan
Once configured, you can queue your first plan manually by clicking Start new plan. This will verify that your setup is working correctly.
Step 2: The GitOps Workflow in Action
With the workspace connected to your repository, Terraform Cloud will now automate your workflow based on pull requests and merges.
Developer Opens a Pull Request
A team member makes a change to the Terraform code in a feature branch and opens a pull request against your main branch.
Terraform Cloud Runs a Plan
TFC automatically detects the PR, clones the repository, and runs a speculative terraform plan. The output of the plan is posted directly as a comment in the pull request for review.
Team Reviews and Merges
Your team reviews the plan and any policy checks within the PR. If approved, the PR is merged into the main branch.
Terraform Cloud Runs an Apply
The merge event triggers a new run in Terraform Cloud. This time, it will automatically run terraform apply (after a confirmation step, if configured) to provision the infrastructure changes.
Step 3: Enforcing Governance
Terraform Cloud provides powerful tools to enforce organizational standards and control costs before an `apply` is ever run.
🛡️ Sentinel Policies
Define and enforce granular, logic-based policies on your infrastructure. You can restrict which modules can be used, what regions resources can be deployed to, and ensure resources meet security standards.
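As an added example (not code from the original guide), here is the "ensure resources meet security standards" case expressed with the hashicorp/tfe provider: a Sentinel policy requiring Owner and Environment tags on every managed AWS resource being created or updated, bound to the production workspace as a hard-mandatory policy set. The organization name, the workspace name and the list of resource types are assumptions.

```hcl
# Hypothetical organization; the workspace is assumed to exist already
variable "org" { default = "example-org" }

data "tfe_workspace" "prod" {
  name         = "my-app-prod"
  organization = var.org
}

# The policy body is Sentinel; it fails the run when a managed AWS resource
# being created or updated is missing one of the required tag keys.
resource "tfe_sentinel_policy" "require_tags" {
  name         = "require-owner-and-environment-tags"
  organization = var.org
  enforce_mode = "hard-mandatory" # cannot be overridden at run time
  policy       = <<-EOT
    import "tfplan/v2" as tfplan

    required_tags = ["Owner", "Environment"]

    # Resources that will exist after the apply (creates and updates only)
    candidates = filter tfplan.resource_changes as _, rc {
      rc.mode is "managed" and
      rc.type in ["aws_instance", "aws_s3_bucket", "aws_security_group"] and
      (rc.change.actions contains "create" or rc.change.actions contains "update")
    }

    # A resource violates the policy if any required tag key is absent;
    # "else {}" covers resources with no tags block at all
    violators = filter candidates as _, rc {
      any required_tags as t {
        t not in keys(rc.change.after.tags else {})
      }
    }

    main = rule { length(violators) is 0 }
  EOT
}

# Bind the policy to the production workspace
resource "tfe_policy_set" "prod_guardrails" {
  name          = "prod-guardrails"
  organization  = var.org
  kind          = "sentinel"
  policy_ids    = [tfe_sentinel_policy.require_tags.id]
  workspace_ids = [data.tfe_workspace.prod.id]
}
```

Because the policy runs against the plan, a pull request that would create an untagged bucket is rejected in the PR check, before anything is applied.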
→ Learn more in the Sentinel guide
💰 Cost Estimation
Terraform Cloud can estimate the monthly cost of infrastructure changes *before* they are applied. This provides crucial visibility into the financial impact of a pull request, preventing budget overruns.
Advanced Features for Automation
Beyond the core GitOps loop, Terraform Cloud offers features for building complex, automated infrastructure workflows.
📦 Private Registry
Publish and share your organization's internal, versioned Terraform modules and providers. This promotes reuse, consistency, and makes it easy for developers to discover and use pre-approved infrastructure patterns.
🔗 Run Triggers
Chain workspaces together. A successful `apply` in one workspace (e.g., a networking workspace) can automatically trigger a run in another (e.g., an application workspace), creating sophisticated deployment pipelines.
🤖 API-Driven Workflows
Terraform Cloud has a comprehensive API that allows you to programmatically manage workspaces, variables, and runs. This is perfect for integrating Terraform into larger automation platforms or building custom tooling.
Best Practices for Terraform Cloud
💡 Key Takeaways
- Workspace per Environment: Create a separate workspace for each environment (e.g., app-dev, app-staging, app-prod). Do not use a single workspace for everything.
- Use Variable Sets for Secrets: Store shared credentials (like cloud provider keys) in Variable Sets and apply them to multiple workspaces. Always mark them as "Sensitive."
- Embrace the VCS Workflow: Prioritize the VCS-driven workflow for all infrastructure changes. It provides the best audit trail, collaboration experience, and enables a true GitOps model.
- Enforce Policies Early: Use Sentinel policies to catch issues at the plan stage. It is cheaper and safer than fixing problems after they have been deployed.
- Leverage the Private Registry: Invest in creating and publishing shared, versioned modules. This is a key accelerator for developer productivity and platform consistency.
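The VCS-driven workspace from Step 1 and the first two takeaways above (one workspace per environment, shared credentials in a Sensitive variable set) as a single added example written with the hashicorp/tfe provider; this is not code from the original guide. The organization name, repository identifier and branch naming are assumptions, and the OAuth token id is the one produced when the VCS provider is connected in organization settings.

```hcl
# Assumed inputs: organization name, the OAuth token id of the VCS
# connection made in org settings, and the credentials to share.
variable "org"                   { default = "example-org" }
variable "oauth_token_id"        {}
variable "aws_access_key_id"     { sensitive = true }
variable "aws_secret_access_key" { sensitive = true }

# One workspace per environment, each tracking its own branch of the same repo
resource "tfe_workspace" "app" {
  for_each     = toset(["dev", "staging", "prod"])
  name         = "app-${each.key}"
  organization = var.org
  auto_apply   = each.key != "prod" # prod keeps a manual confirmation step
  vcs_repo {
    identifier     = "example-org/app-infra" # hypothetical repository
    branch         = each.key == "prod" ? "main" : each.key
    oauth_token_id = var.oauth_token_id
  }
}

# Shared cloud credentials are stored once, in a variable set
resource "tfe_variable_set" "aws_creds" {
  name         = "aws-credentials"
  organization = var.org
}

resource "tfe_variable" "access_key" {
  key             = "AWS_ACCESS_KEY_ID"
  value           = var.aws_access_key_id
  category        = "env"
  sensitive       = true # write-only once stored; never shown in UI, API or run logs
  variable_set_id = tfe_variable_set.aws_creds.id
}

resource "tfe_variable" "secret_key" {
  key             = "AWS_SECRET_ACCESS_KEY"
  value           = var.aws_secret_access_key
  category        = "env"
  sensitive       = true
  variable_set_id = tfe_variable_set.aws_creds.id
}

# Attach the set to every environment workspace
resource "tfe_workspace_variable_set" "app" {
  for_each        = tfe_workspace.app
  workspace_id    = each.value.id
  variable_set_id = tfe_variable_set.aws_creds.id
}
```

Rotating the credentials then means updating two variables in one place rather than editing each workspace by hand.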