Terraform Enterprise — Should I Consider It?

Abhijit Vaidya
Published in Slalom Technology
5 min read · Feb 5, 2019
[Header image; source: zdnet]

HashiCorp Terraform is a very popular infrastructure-as-code tool and is used in organizations from small teams to large enterprises. Terraform is cloud-agnostic: it supports all the major public clouds and can also be used with on-premise infrastructure. While the open source version is more widely used, the Terraform Enterprise version provides many additional features and capabilities around collaboration and governance.

In this article, I will explore the typical journey of an organization using HashiCorp Terraform and when it makes sense to seriously consider Terraform Enterprise. I will also give a quick overview of Terraform Enterprise features by building basic network and compute resources on AWS.

Terraform Journey:

A member of an infra or DevOps team normally starts with the open source version of Terraform and does a POC to build infrastructure. Initially, a small team uses Terraform, and resources and state files are managed by mutual understanding. Terraform stores the state of managed infrastructure and configuration in a file. Terraform uses this state to map real-world resources to the configuration, keep track of metadata, and improve performance for large infrastructures.

People share state files with each other and, without any additional controls, attempt to keep the infrastructure in the right state. For a small team like this, open source Terraform really serves the purpose, and the team wouldn’t see a need to think about the enterprise version.

As the team grows, managing and maintaining Terraform-related resources can become a challenge. In such cases, admin teams typically build a process on top of other tools (e.g. GitHub) to streamline the usage of Terraform. Though these new processes help, a lot of time is spent creating processes and tooling around Terraform rather than on the infrastructure itself.

Now come the large enterprise organizations. These companies and their teams are spread across multiple physical locations, sometimes across the globe. Different teams are responsible for different parts of setting up a cloud deployment. For large organizations, there is always a need for better access controls on usage of the cloud. I have seen teams spending a lot of time creating and supporting tools and processes for this.

One common approach I have seen is to create a team that reviews each and every update to the Terraform files, approves it and then runs it. Though this approach keeps things under control, it creates a dependency on the review team. Enforcing policies becomes difficult, and things can quickly get out of control in such scenarios. That’s when the question comes up: is there a better way to do all this?

Terraform Enterprise

When I looked at the features and capabilities provided by Terraform Enterprise, I realized that it not only has everything people are building from scratch, but also more features that streamline the creation of infrastructure in a secure and consistent manner. Below are some of the features I really liked in the enterprise version. This is a high-level overview of Terraform Enterprise (TFE).

Workspaces: Infrastructure is organized using workspaces in TFE. A workspace consists of a Terraform configuration, variables, run history and Terraform state.

Terraform State File Management: This may not sound like a big deal, but I have seen hundreds of state files created. Managing a large volume of state files can get tricky. TFE takes care of managing state files for you.

Private Module Registry: A central registry for publishing Terraform modules. Modules serve as the building blocks of complex infrastructure.

Sentinel (integrated policy-as-code framework): You can implement policies that are enforced at the Terraform plan stage. For example, admins can easily set up a policy that stops developers from spinning up large instances in AWS. The violation is caught as soon as developers check in their Terraform files. This is just one example of the many powerful policy-based protections you can put in place.
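As an added example (not from the original post, and not an official HashiCorp policy), here is a Sentinel policy of the kind described above. It uses the `tfplan` import that was current for TFE at the time of writing and assumes an organization-specific list of permitted EC2 instance types (`allowed_types` is a placeholder list); every `aws_instance` in the plan, across all modules, must use one of them or the run is blocked at the plan stage.

```sentinel
# Added example policy: restrict EC2 instance types at plan time.
# Not part of the original post; allowed_types is an assumed list.
import "tfplan"

# Assumption: these are the only instance types the organization permits.
allowed_types = [
  "t2.micro",
  "t2.small",
  "t3.micro",
]

# Collect every aws_instance resource from every module in the plan.
# Each entry is a map of resource index -> planned resource.
get_aws_instances = func() {
  instances = []
  for tfplan.module_paths as path {
    instances += values(tfplan.module(path).resources.aws_instance) else []
  }
  return instances
}

aws_instances = get_aws_instances()

# Every planned instance must use an allowed type. Resources that are
# being destroyed are skipped, since their planned attributes are gone.
instance_type_allowed = rule {
  all aws_instances as _, instances {
    all instances as _, r {
      r.destroy or (r.applied.instance_type in allowed_types)
    }
  }
}

# Main rule evaluated by TFE after "terraform plan" and before "apply".
main = rule {
  instance_type_allowed
}
```

Attach the policy to a policy set for the relevant workspaces; with the enforcement level set to hard-mandatory, a plan that includes a disallowed instance type fails the policy check and cannot be applied, which is exactly the "catch it at check-in" behaviour the post describes.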

On the availability side, TFE is offered as SaaS and can also be installed privately.

Using Terraform Enterprise — Create Infrastructure

Create a Workspace:

It is recommended to create one workspace per application per environment. For example, a given app can have separate workspaces for the Dev, Test and Prod environments.

[Screenshot: Create New Workspace]

Set Up Variables (Terraform and Environment Variables):

Set up the Terraform variables and environment variables. In the Environment Variables screenshot below, note the checkbox indicating that a variable contains sensitive information. If this checkbox is selected, the value is encrypted and cannot be read or updated. This allows admins to store secrets and keys securely.

[Screenshot: Terraform Variables]
[Screenshot: Environment Variables, with sensitive data encrypted]

Queue Plan (Run the Terraform configuration):

TFE first runs a Terraform plan and then waits for confirmation before running Terraform apply.

[Screenshot: Terraform Plan]
[Screenshot: Terraform output after a successful apply]

Using Terraform Enterprise — Destroy Infrastructure

Before you destroy any infrastructure, TFE makes sure nothing is destroyed by mistake. The safety check is implemented as an environment variable: you need to set CONFIRM_DESTROY = 1 in the workspace, otherwise the destroy run will not proceed.

[Screenshot: Click on ‘Queue Destroy Plan’]
[Screenshot: Terraform Destroy Complete]

These are some of the basic functions of Terraform Enterprise; there are many more, including creating Sentinel policies, the module registry, API keys, etc.

If you want to try Terraform Enterprise, you can request a 30-day trial.

In summary, Terraform Enterprise provides a secure and elegant way for medium and large enterprises to collaborate on and streamline the creation and maintenance of their infrastructure. With the Sentinel policy-as-code integration, TFE becomes a very powerful tool for maintaining standards across the organization.

Here are some useful related links:

Terraform Enterprise — https://app.terraform.io
