Bringing Collaboration to the HashiCorp Terraform CLI: Introducing Remote Operations
HashiCorp Terraform has revolutionized the way that infrastructure is managed by providing a common workflow across providers: write, plan, and apply. Today we're introducing the ability to execute plans remotely in Terraform Enterprise using the Terraform command-line interface (CLI).
As teams collaborate on Terraform code, a few challenges quickly emerge: state storage and synchronization, provider access credential distribution, a history of Terraform plan/applies, and more. Terraform Enterprise has existed for over a year to address these challenges, but it required CLI users to learn a separate web-based workflow.
In Terraform 0.11.8, we're introducing a preview of remote operations, beginning with remote plan. Remote operations execute the Terraform code remotely in Terraform Enterprise while CLI behaves exactly as if everything were still local. This solves all the above challenges of working with Terraform without changing the core workflow.
To read more about the Terraform Core Workflow in the context of an individual, team, and organization see the Core Workflow Guide we have published alongside this new feature.
» The Remote Backend
Terraform 0.11.8 has a preview release of a remote backend that connects local configuration with Terraform Enterprise and enables remote operations.
When using the remote backend, all access credentials, variable values, and state are stored within Terraform Enterprise. No secret material needs to be requested or exist on the user's machine except for a Terraform Enterprise API key, since the secret-accessing parts of Terraform are executed remotely. This simplifies developing infrastructure with Terraform for any configuration to a single API token.
Once you have your API token configured in Terraform's CLI Configuration file, the first step to using remote operations is to configure the backend:
terraform {
backend "remote" {
organization = "my-org"
workspaces {
prefix = "my-app-"
}
}
}
Once you run terraform init
, Terraform will recognize this backend, automatically create Terraform Enterprise Workspaces, and copy the state files from your local Workspaces into Terraform Enterprise.
After this step, all state manipulation commands will operate against the remotely stored state automatically. Commands like terraform taint
and terraform state mv
work just like they do when working locally.
» Remote Plan
With the backend configured, the terraform plan
command will automatically trigger a remote plan.
The plan outputs almost identically as if it were run locally, but the entire operation was executed directly in Terraform Enterprise. The plan can also be viewed directly within Terraform Enterprise for users more comfortable with a UI or for sharing with teammates.
» Benefits of Remote Operations
Preserving the core workflow: Whether you're using Terraform as an individual or with a team using Terraform Enterprise, the workflow is always the same and can be executed via the CLI: write, plan, apply. Remote plan is a major step towards enabling the core workflow from the CLI that is uniform across all of Terraform.
Securing secrets: With remote plan, access credentials and other secret values only need to exist on the machine executing Terraform. This eliminates the complexity of distributing and securing cloud access credentials to every Terraform user. Instead, each Terraform user only needs a Terraform Enterprise account and API key.
Non-public infrastructure access: Many companies use Terraform to automate providers that aren't publicly accessible, such as VMware vSphere installations. In this scenario, only Terraform Enterprise may have access to the vSphere API. Using remote plans, developer machines can still develop Terraform configurations without access directly to the underlying infrastructure control plane.
History, policy, approvals, and more: Terraform Enterprise provides a number of additional features that are automatically used with remote plans. Terraform Enterprise stores a history of executed plans, requires approval prior to apply, can execute policies to prevent non-compliant infrastructure change, and much more. This happens automatically by running terraform plan
.
» Apply
The apply step of the workflow currently still happens in the browser, having been triggered via the UI or the API. An upcoming version of Terraform will support remote terraform apply
from the CLI as well.
» Future
A preview release of remote plans is available for Terraform Enterprise users in Terraform 0.11.8. Remote applies will be supported in an upcoming Terraform release.
We have designed Terraform Enterprise to provide the best experience for teams collaborating on infrastructure, and we are continuously honing and improving that experience every day. We plan for the full core Terraform workflow to be the same across both open source and enterprise products. We're also introducing access to more enterprise functionality directly from the CLI in future releases.
Terraform 0.11.8 is available for download today and the preview functionality works with the Terraform Enterprise SaaS. Private Terraform Enterprise will gain support for remote plans in the September release. To learn more about remote backends, please read the documentation. To learn more about Terraform Enterprise, please see our page on Terraform Enterprise and request a demo today.
Sign up for the latest HashiCorp news
More blog posts like this one
Fix the developers vs. security conflict by shifting further left
Resolve the friction between dev and security teams with platform-led workflows that make cloud security seamless and scalable.
HashiCorp at AWS re:Invent: Your blueprint to cloud success
If you’re attending AWS re:Invent in Las Vegas, Dec. 2 - Dec. 6th, visit us for breakout sessions, expert talks, and product demos to learn how to take a unified approach to Infrastructure and Security Lifecycle Management.
Speed up app delivery with automated cancellation of plan-only Terraform runs
Automatic cancellation of plan-only runs allows customers to easily cancel any unfinished runs for outdated commits to speed up application delivery.