Introducing Terraform Cloud

Introducing Terraform Cloud

In this article, I will talk about Terraform Cloud and the most important things to know before exploring this amazing tool.

What is Terraform Cloud ?

Terraform Cloud is a platform that helps teams to collaborate on infrastructure configurations. It manages Terraform runs to provision infrastructure in a consistent and reliable environment. TF Cloud includes easy access to shared state and secret data, access controls and more.

Terraform Cloud offers a number of basic functionalities free of charge, as well as additional functionalities in paid levels. more details


Sign up for Terraform Cloud


Terraform can manage resources on many different [providers]( and connect to many popular Version Control Systems (VCS's), this guide requires:

  • An AWS account
  • A GitHub account

Create an account

Create a Terraform Cloud account at sign up here.


Confirm your email address before moving on.

Create your organization

You can create a new organization after you sign in for the first time.

Enter an organization name and an admin email address .

Note: If you're joining an existing team of Terraform Cloud users, you have to ask the admin of the organization to add your email before you can perform any provisioning tasks.


Set Up Workspace

After creating an account and an organization on Terraform Cloud. In this section you will learn how to create a TF Cloud workspace by connecting to a VCS repository.

1. Connect to GitHub

On the "New Workspace" page, choose GitHub from the drop-down to continue.


Then you have to click the green "Allow" button to connect Terraform Cloud to your GitHub account and a request will be sent to your Github organization/account admin to allow access from Terraform Cloud.


Note: If you are a user under a Github organisation, you need to ask the repository admin to allow the access.

2. Choose the repository

Choose the repository that hosts your Terraform source code from the list of your GitHub repositories.

3. Create the workspace

A workspace name should tell your colleagues what the workspace is used for. For example: project_name_env

  • Select the working directory that Terrafrorm will use to execute the plan if any file has been changed in the folder.

  • Choose triger run planning (always trigger run or based on th paths added).

  • Select the branch which to import new version (default to master).

Finnaly, you can also create a Terrform cloud workspace using Terrform code. For example:

resource "tfe_workspace" "prd_eu-west-1" {
  name         = "project_name_prd"
  organization = "organization_name"
  auto_apply        = false
  operations        = true
  queue_all_runs    = true
  terraform_version = "0.11.13"
  file_triggers_enabled = true
  working_directory     = "providers/aws/eu-west-1/prd"
  vcs_repo {
    identifier         = "${var.identifier}"
    branch             = "master"
    ingress_submodules = false
    oauth_token_id     = "${tfe_oauth_client.github.oauth_token_id}"

resource "tfe_oauth_client" "github" {
  organization     = "organization_name"
  api_url          = ""
  http_url         = ""
  oauth_token      = "${var.github_token}"
  service_provider = "github"

4. Configure workspace variables

Within the Terraform Cloud UI, you will notice several menus and options for your workspace, including "Runs", "States", "Variables", "Settings", and the "Queue plan".


You can edit variables as soon as you've created a workspace, by clicking the workspace's "Variables" tab.

Terraform Cloud supports both Terraform Variables (as declared in your Terraform configurations) and Environment Variables. We'll use both types in this guide.

  • Environment variables

Scroll down to the "Environment Variables" section, and create two variables.

Click the "+ Add Variable" button to add your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Don't forget to hide secrets using "Sensitive" checkbox. Marking a variable as sensitive prevents anybody (including you) from viewing/updating its value in Terraform Cloud's UI or API.

  • Terraform variables

Variable values are strings by default. To enter list or map values, click the variable's "HCL" checkbox. For example:

    public_cidr_ranges = [

    private_cidr_ranges = [

If a workspace is configured to use Terraform 0.10.0 or later, you can commit any number of *.auto.tfvars files to provide default variable values. Terraform will automatically load variables from those files.

Note: It's not recomended to push your tfvars that holds secrets to your VCS.

Migrating your Terraform state to Terraform Cloud

Note: We recommend using Terraform v0.11.13 or newer with this backend.

If the Terraform configuration has an existing backend configuration block (s3,local...), delete it now.

Add a new backend block to the configuration:

terraform {
  backend "remote" {
    hostname = ""
    organization = "my-org"

    workspaces {
      name = "my-workspace"

Use the remote backend.

  • In the organization attribute, specify the name of your Terraform Cloud organization.
  • The hostname attribute is only necessary with Terraform Enterprise instances. You can omit it if you're using the SaaS version of Terraform Cloud.
  • Specify the name of your workspace.
  • Run terraform init to migrate the workspace (answer "yes" and Terraform will migrate your state).

In order to retrieve state data from a Terraform backend don't forget to replace your remote state with:

data "terraform_remote_state" "vpc" {
  backend = "remote"

  config = {
    organization = "hashicorp"
    workspaces = {
      name = "vpc-prod"

Now you will be able to see tfstate file of your workspace, this will also be generated after each successful run.


Queue a run in the new workspace

Each workspace has its own queue of races that are started automatically after by pushing one or more new commits to the master branch of that repo. You can also queue plans manually with the "Queue Plan" button, usually after changing variables.


By default, execution plans must be confirmed before Terraform Cloud applies them. Only users with write access can "Confirm and Apply" or "Cancel Plan" button to complete or cancel an execution. If necessary, use the "View Plan" button to get more details on the changes made to the run.

Note: You can enable automatic applies in the workspace settings.

Thanks for reading! I hope you get enough to start using Terraform Cloud.

Other recommended readings:

@aitsim :)

Mohamed Ait Si Hamou
Mohamed Ait Si Hamou
2020-06-01 | 6 min read
Share article

More articles