First impressions of Terraform Enterprise Free Tier (Beta)

Carl Javier
Mar 26, 2019

So a few weeks ago, I received an invite to trial Terraform Enterprise Free Tier. During last year’s Hashiconf 2018, it was announced that Hashicorp will start offering free tier state storage for Terraform deployments. This excited me as my past deployments have always had a bit of discussion, debate and setup of Terraform statefiles.

 

Existing Terraform backends

Now if you are a seasoned Infracoder, you quickly learn that the Terraform state file is a key piece of the puzzle when deploying infrastructure via the Terraform workflow. The state file allows infrastructure engineers the ability to compare/perform a dry run of expected what changes will be made to their infrastructure with the simple terraform plan. Choosing where this lives and who has access to the statefile is a critical decision when initialising your terraform infra deployment. Over the years, terraform has provided a few backend options where your Terraform state file can live:

 

Statefile Location

Description

Insights

Local

Local workstation

Quick and easy when working on your own, but what if you wanted to collaborate with others or have your statefile backed up?

Cloud storage solutions

eg AWS S3 buckets, Azure or GCP blob storage ) is used to store the state.

This requires further setup from your preferred cloud provider.

Security access and controls are required (eg ACLs, encryption)

Some cloud backends provide state locking and some require further setup. (State locking is the ability for practitioners to lock the state file so no one else can make changes.)

Consul

Hashicorp’s KeyValue store typically used for service discovery and service mesh capabilities

Consul’s maximum KV limit is 512KB, therefore your statefile cannot grow larger than 512KB.

Postgres

Popular database

Needs database setup

Does support state locking if Postgres 9.5+

Terraform Enterprise

Allows TFE SaaS or private version to manage workflow deployment and state.

Provides statefile storage and locking for teams.

Often for large teams of infracoders

 

Most of the above remote backend requires further configuration and setup to get your remote state backend working , as well as secured storage encryption with state locking.

 

Terraform Enterprise Free Tier Beta (Remote State)

Terraform enterprise Free tier unlocks the remote state feature for practitioners as a backend option. Now infracoders can utilise the free tier for their small’ish/private projects.

I wanted to go through and demonstrate the steps of converting a simple AWS project deployed via Terraform with a local statefile into Terraform Enterprise.

Starting with https://github.com/vibrato/demo-terraform-101/tree/after-tfe as a base branch and creating https://github.com/vibrato/demo-terraform-101/tree/after-tfe-remote-state.

 

Initial Setup

Firstly getting setup in Terraform Enterprise remote state required the following :

  • Terraform Enterprise account with an Organisation setup.
  • Terraform Enterprise Token
    • Setting up your local ~/.terraformrc to use the token

 To change the backend in main.tf so terraform realises to do a remote state within Terraform Enterprise organisation and a workspace instead of using local state. 

The following demonstrates a clean terraform enterprise free tier account.

 image-20190303-111525
 

Performing a terraform init to migrate the existing backend (in our case the local statefile) to the remote backend of Terraform Enterprise.

image-20190303-100010

 

Within Terraform Enterprise, a new workspace will be created based on your terraform configuration stanza.

 image-20190303-093710
 

Once the statefile backend is migrated, the rest of the terraform workflow is the same:

terraform plan

image-20190318-002108

terraform apply

image-20190303-112125

image-20190318-004244

Within Terraform enterprise, the state file will be created in the workspace

 image-20190303-112314

 

Users with access will be able to view the statefile.

 image-20190318-003410

A statefile history of changes can be viewed as your infracode changes over time.

 image-20190318-104446
 

Adding collaborators

To add others to collaborate with your terraform project, add them via Terraform Enterprise settings.

 image-20190318-002752
 

Statefile Locking

When a terraform plan or apply is running, Terraform enterprise will inform the statefile is locked.

image-20190318-004414

 

Terraform enterprise also allows manual locking of the state:

 image-20190318-010425
 
image-20190318-010440
 

If ever a team member locks the state (this happens in the real word), you can perform a force unlock via the UI.

 image-20190318-102635-1
 

I have often had to go into dynamoDB when using S3 as a backend for my statefile to unlock terraform states.

 

Summary and first impressions

So we have another backend to use with Terraform projects. The following are some advantages of using remote state free tier with Terraform Enterprise.

  • Setup of remote state is one less step to setting up a remote backend (eg S3 bucket)
  • Setup of state locking feature is taken care of for you with Terraform Enterprise
  • The statefile can be manually locked and  via Terraform Enterprise UI.
  • Collaborating with others is as easy as sharing your infra code repository and controlling who has access to the state file via Terraform Enterprise
  • All your terraform projects can be viewed centrally from Terraform Enterprise

 

Some further questions, issues and suggestions I do have for the free tier and remote states:

  • How much storage and allowed workspaces do we get in Terraform Enterprise Free tier?
  • How many collaborators (team members) can I add under Terraform Enterprise Free Tier?
  • The age old hiding “secrets” within your statefile is still a security issue for some.
  • It would be nice if there were more settings and permissions around the state file within TFE (eg who can read/write/edit the statefile)