Terraform Cloud: A First Look

HashiCorp just announced the GA of its SaaS offering, Terraform Cloud. This brings a sweet feature of Terraform Enterprise to a bigger audience: sharing .tfstate files 🎉

We’re super excited that HashiCorp offers this for free, and so are the many Terraform users who have experienced the hassle of managing a shared .tfstate file. But before getting too excited, we thought it would be wise to check it out and write down our first impressions.

So let’s curb our enthusiasm for a sec and see what’s what.

✅ It’s very easy to get started

You can have your first shared Terraform project on Terraform Cloud in minutes:

  • Sign up
  • Enter a name for your organization
  • Generate a credential (an API token) and save it in $HOME/.terraformrc
  • Add the remote backend config to your Terraform code, containing your organization name and the name of your project (the workspace)
  • Run terraform init
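The two files the steps above refer to, written out as an added example (not taken from the original post); the organization name, workspace name and token value are placeholders:

```hcl
# $HOME/.terraformrc (placeholder token; keep this file readable only by your user, e.g. chmod 600)
credentials "app.terraform.io" {
  token = "REPLACE_WITH_YOUR_TERRAFORM_CLOUD_API_TOKEN"
}

# backend.tf in your Terraform project (placeholder organization and workspace names)
terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "example-org"

    workspaces {
      # One workspace per project; its state is shared with everyone in the organization.
      name = "example-project"
    }
  }
}
```

After saving both files, `terraform init` migrates any existing local .tfstate to the workspace and uses the remote state from then on.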

Then from the GUI, you can invite a team member to join in. This really is all there is to it, pretty sweet!

✅ State history

[Screenshot: Terraform Cloud .tfstate versions]

Terraform Cloud gives you a very useful overview of the history of your state, including which team members modified it at what time. You can inspect previous state and also see a nice diff.

✅ More insight on concurrency

[Screenshot: Terraform Cloud lock management]

Previously, concurrent activity on your Terraform projects could leave you with the not-so-helpful error message "Error acquiring the state lock: workspace already locked". In Terraform Cloud you can now see who actually holds the current lock. They’re not stopping there: the roadmap promises even more features that make collaboration more prominent and insightful.

⚠️ Limited access control

When you add team members to your organization, they immediately become admins of the whole organization. There’s no way to give someone access to just a few .tfstate files. I’m sure HashiCorp will improve this later on, but for some teams this may be a blocker.

⚠️ Plaintext secrets

The way Terraform treats your .tfstate did not change. The state file gets transmitted to Terraform Cloud in full, including all of your infrastructure secrets. This means that you’re now trusting a SaaS with your plaintext infrastructure secrets:

Tweet by mitchellh: "The data sent to us is the same as what’s in the state file today. In the backend we encrypt with Vault and store. We’ll probably share more of this data publicly, but that’s the gist today."

Tweet by mitchellh: "But at the end of the day, if you don’t trust us, we’re not locking you in, we support many remote backends that can store state. We provide higher level features (like viewing and history and diffs and so on) but if you care about protecting the bits, there are options!"

Even though your .tfstate is encrypted at rest on the server, it’s encrypted with keys owned and operated by HashiCorp, not by you. This is something to keep in mind when shopping for .tfstate backends.

If you’d like to read more about secret management for Terraform and how to protect your .tfstate with keys you control, see our previous blog post.

Conclusion

All in all, this is an awesome development. It’s great to see that HashiCorp listened to the community and started to relieve the pain users experience when managing a shared .tfstate.

Aside from the security considerations mentioned above, we’re happy about the release and can’t wait to see where it goes next.

Plus, the interface looks freakin beautiful 😍

Happy coding!

The SecretHub Team