Terraform Cloud: A First Look
Terraform just announced the GA of their SaaS offering Terraform Cloud. This brings a sweet feature of Terraform Enterprise to a bigger audience: sharing .tfstate files 🎉
We’re super excited that HashiCorp offers this for free, and so are many Terraform users who have experienced the hassle of managing a shared .tfstate file.
But before getting too excited, we thought it would be wise to check it out and write down our first impressions.
So let’s curb our enthusiasm for a sec and see what’s what.
✅ It’s very easy to get started
You can have your first shared Terraform project on Terraform Cloud in minutes:
- Sign up
- Enter a name for your organization
- Generate a credential and save it at $HOME/.terraformrc
- Add the remote backend config to your Terraform code containing your organization name and the name of your project
- Run terraform init
Then from the GUI, you can invite a team member to join in. This really is all there is to it, pretty sweet!
✅ State history
Terraform Cloud gives you a very useful overview of the history of your state, including which team members modified it at what time. You can inspect previous state and also see a nice diff.
✅ More insight on concurrency
Previously, concurrent activity on your Terraform projects could give you a not-so-helpful "Error acquiring the state lock: workspace already locked" error message.
In Terraform Cloud you can now see who actually acquired the current lock.
They’re not stopping there: the roadmap promises even more features that make collaboration more prominent and insightful.
⚠️ Limited access control
When you add team members to your organization, they immediately become admins.
There’s no way to give someone access to just a few .tfstate files.
I’m sure HashiCorp will improve this later on, but this may be a blocker.
⚠️ Plaintext secrets
The way Terraform treats your .tfstate did not change.
The state file gets transmitted to Terraform Cloud as a whole, including all of your infrastructure secrets.
This means that you’re now trusting a SaaS with your plaintext infrastructure secrets: even though your .tfstate is encrypted at rest on the server, it’s encrypted with keys owned and operated by HashiCorp.
This is something to keep in mind when shopping for .tfstate backends.
If you’d like to read more about secrets management for Terraform and how to protect your .tfstate with keys you control, see our previous blog post.
Conclusion
All in all, this is an awesome development.
It’s great to see that HashiCorp listened to the community and started to relieve the pain users experience when managing a shared .tfstate.
Aside from the security considerations mentioned above, we’re happy about the release and can’t wait to see where it goes next.
Plus, the interface looks freakin beautiful 😍
Happy coding!
The SecretHub Team