Terraform Cloud and Terraform Enterprise Overview

Running Terraform locally works for individual learning and small projects. But when a team of engineers manages hundreds of resources across multiple cloud accounts, local runs create coordination, security, and visibility problems. Terraform Cloud and Terraform Enterprise provide a managed platform that handles state storage, remote execution, access control, policy enforcement, and more.

What Is Terraform Cloud

Terraform Cloud (TFC) is a SaaS platform offered by HashiCorp at app.terraform.io. It manages Terraform's core operational concerns in a hosted environment. The free tier is available to individuals and small teams. Paid tiers add team features, SSO, audit logging, and policy enforcement.

What Is Terraform Enterprise

Terraform Enterprise (TFE) is a self-hosted version of Terraform Cloud that organisations run inside their own data centre or private cloud. It provides the same features as Terraform Cloud but gives you full control over data residency, networking, and compliance requirements — essential for regulated industries.

Core Features of Terraform Cloud

Remote State Storage

Terraform Cloud stores your state file securely with encryption, versioning, and access controls built in. No S3 bucket or DynamoDB table to set up. State is accessible to all authorised team members and pipeline runs.

Remote Execution (Runs)

Instead of running terraform plan and terraform apply on a developer's laptop, Terraform Cloud executes plans and applies in its own managed compute environment. Benefits include:

  • Consistent Terraform version across all team members
  • No credentials stored on developer machines — cloud credentials live only in the workspace
  • Full execution history — every plan and apply is logged with who triggered it, when, and what changed
  • Plans can require approval before applying

Workspaces

Terraform Cloud organises infrastructure into workspaces — similar to the local workspace concept but with added features: environment variables, state storage, run history, and team-level permissions per workspace.

Variable Management

Store Terraform variables and environment variables (including sensitive ones) securely in the workspace. Terraform Cloud injects them at run time — no .tfvars files on developer machines, no secrets in environment variables on shared runners.

Diagram: Variable and Credential Flow in Terraform Cloud

Developer pushes code to GitHub
          |
          v
Terraform Cloud detects change
          |
          v
Starts a Plan run in its managed runner
          |
          v
Injects workspace variables securely:
  AWS_ACCESS_KEY_ID   = (from TFC vault)
  AWS_SECRET_ACCESS_KEY = (from TFC vault)
  TF_VAR_environment  = "prod"
          |
          v
Runs terraform plan
          |
          v
Posts plan output to Terraform Cloud UI
Sends notification to Slack / email
          |
          v
Team member reviews plan, clicks Approve
          |
          v
Terraform Cloud runs terraform apply
Records full output in run history

Connecting Terraform Cloud to Version Control

Terraform Cloud integrates with GitHub, GitLab, Bitbucket, and Azure DevOps. Once connected, every pull request triggers a speculative plan — a read-only preview of what that branch's changes would do. The plan result posts as a comment on the PR. Merging to main triggers the actual apply.

terraform {
  cloud {
    organization = "my-company"

    workspaces {
      name = "production-webapp"
    }
  }
}

Adding this cloud block to your configuration and running terraform init switches the project from local execution to Terraform Cloud execution. All subsequent plans and applies run in TFC.

Sentinel — Policy as Code

Terraform Cloud and Enterprise include Sentinel, a policy-as-code framework. Sentinel policies run between plan and apply — they check whether the planned changes comply with your organisation's rules before any change touches real infrastructure.

Example policies Sentinel can enforce:

  • All EC2 instances must use approved AMIs only
  • No S3 bucket can be created without server-side encryption enabled
  • All resources must have specific tags (Environment, Owner, CostCenter)
  • No instance type larger than t3.large may be created in dev environments

Policies are code — they live in version control, are reviewed like application code, and are automatically enforced on every apply.
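The four rules listed above, as an added example that is not from this page or from HashiCorp's Sentinel library: a Python check over the JSON that `terraform show -json` produces for a saved plan, whose `resource_changes` entries carry the same `type`, `change.actions` and `change.after` fields that Sentinel's tfplan/v2 import exposes. The approved AMI IDs, the resource addresses and the sample plan are constructed for the example; the S3 rule assumes the AWS provider v4+ layout, where encryption is a separate `aws_s3_bucket_server_side_encryption_configuration` resource, and also accepts the older inline `server_side_encryption_configuration` block. Instance-size comparison is generalised beyond the `t3` family by comparing the size suffix, and fails closed on a size it does not recognise.

```python
"""Policy-as-code style checks over a Terraform plan JSON (constructed example)."""
import json
import sys

# Organisation rules. The AMI IDs are constructed placeholders; the tag names and
# the "t3.large" limit come from the rules in the text.
APPROVED_AMIS = {"ami-0123456789abcdef0", "ami-0fedcba9876543210"}
REQUIRED_TAGS = {"Environment", "Owner", "CostCenter"}
DEV_MAX_SIZE = "large"  # "no instance type larger than t3.large in dev"
SIZE_ORDER = ["nano", "micro", "small", "medium", "large", "xlarge",
              "2xlarge", "4xlarge", "8xlarge", "12xlarge", "16xlarge", "24xlarge"]
TAGGED_TYPES = {"aws_instance", "aws_s3_bucket"}


def size_exceeds(instance_type: str, max_size: str) -> bool:
    """True when instance_type (e.g. "m5.2xlarge") is larger than max_size.
    A malformed or unrecognised size counts as exceeding, so the rule fails closed."""
    try:
        _family, size = instance_type.split(".", 1)
        return SIZE_ORDER.index(size) > SIZE_ORDER.index(max_size)
    except ValueError:
        return True


def planned_creates(plan: dict):
    """Yield managed resources the plan would create (deletes and data sources are skipped)."""
    for rc in plan.get("resource_changes", []):
        if rc.get("mode") == "managed" and "create" in rc["change"]["actions"]:
            yield rc


def check_plan(plan: dict, environment: str) -> list:
    """Return the list of policy violations for the plan; empty means compliant."""
    changes = list(planned_creates(plan))
    # Buckets that receive encryption from a separate SSE configuration resource.
    sse_buckets = {
        (rc["change"]["after"] or {}).get("bucket")
        for rc in changes
        if rc["type"] == "aws_s3_bucket_server_side_encryption_configuration"
    }
    violations = []
    for rc in changes:
        addr, after = rc["address"], rc["change"]["after"] or {}
        if rc["type"] == "aws_instance":
            if after.get("ami") not in APPROVED_AMIS:
                violations.append(f"{addr}: AMI {after.get('ami')!r} is not an approved AMI")
            if environment == "dev" and size_exceeds(after.get("instance_type", ""), DEV_MAX_SIZE):
                violations.append(f"{addr}: instance type {after.get('instance_type')!r} exceeds t3.large in dev")
        if rc["type"] == "aws_s3_bucket":
            inline = after.get("server_side_encryption_configuration")  # legacy inline block
            if not inline and after.get("bucket") not in sse_buckets:
                violations.append(f"{addr}: bucket has no server-side encryption configured")
        if rc["type"] in TAGGED_TYPES:
            missing = sorted(REQUIRED_TAGS - set(after.get("tags") or {}))
            if missing:
                violations.append(f"{addr}: missing required tags {missing}")
    return violations


def check_plan_file(path: str, environment: str) -> list:
    """Load a plan written by `terraform show -json tfplan > plan.json` and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_plan(json.load(fh), environment)


# Constructed sample plan: one compliant instance, one that breaks three rules,
# one encrypted bucket, one unencrypted bucket, and a delete that is out of scope.
FULL_TAGS = {"Environment": "dev", "Owner": "platform", "CostCenter": "1234"}
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "mode": "managed", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {
             "ami": "ami-0123456789abcdef0", "instance_type": "t3.medium", "tags": FULL_TAGS}}},
        {"address": "aws_instance.batch", "mode": "managed", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {
             "ami": "ami-0000000000unapproved", "instance_type": "m5.2xlarge", "tags": {"Owner": "data"}}}},
        {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "acme-logs", "tags": FULL_TAGS}}},
        {"address": "aws_s3_bucket_server_side_encryption_configuration.logs", "mode": "managed",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "change": {"actions": ["create"], "after": {"bucket": "acme-logs"}}},
        {"address": "aws_s3_bucket.scratch", "mode": "managed", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "acme-scratch", "tags": FULL_TAGS}}},
        {"address": "aws_instance.old", "mode": "managed", "type": "aws_instance",
         "change": {"actions": ["delete"], "before": {"ami": "ami-0123456789abcdef0"}, "after": None}},
    ],
}

if __name__ == "__main__":
    env = sys.argv[2] if len(sys.argv) > 2 else "dev"
    found = check_plan_file(sys.argv[1], env) if len(sys.argv) > 1 else check_plan(SAMPLE_PLAN, env)
    for line in found:
        print("VIOLATION", line)
    sys.exit(1 if found else 0)
```

Run as `python check_plan.py plan.json dev` after `terraform show -json tfplan > plan.json` to gate a pipeline stage the same way Sentinel gates the apply; with no arguments it checks the constructed sample and reports four violations in dev (unapproved AMI, oversized instance, missing tags, unencrypted bucket) and three in prod, where the size limit does not apply.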

Audit Logging and Compliance

Every action in Terraform Cloud is logged: who ran a plan, who approved an apply, what variables were changed, and who changed them. These logs feed into compliance reports for SOC 2, ISO 27001, and similar frameworks — something local Terraform runs cannot provide.

When to Use Terraform Cloud

Team size                                 | Recommendation
------------------------------------------|----------------------------------------------------------------------------------------------
1–2 engineers, learning or solo projects  | Local Terraform with S3 remote state is sufficient
3–10 engineers, growing infrastructure    | Terraform Cloud free tier: shared state, remote runs, basic access control
10+ engineers, enterprise requirements    | Terraform Cloud Business or Enterprise: SSO, Sentinel, audit logs, private module registry

Key Points

  • Terraform Cloud is a hosted platform that handles state storage, remote execution, access control, and audit logging.
  • Terraform Enterprise is the self-hosted version for organisations with strict data residency or compliance requirements.
  • Add a cloud block to your configuration and run terraform init to switch to Terraform Cloud execution.
  • Store all credentials and sensitive variables in the Terraform Cloud workspace vault — not in code or local files.
  • Sentinel provides policy-as-code enforcement that runs between plan and apply to catch compliance violations before they reach real infrastructure.
