100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
HCL

Terraform Cloud and Terraform Enterprise

Understand HashiCorp's managed and self-hosted platforms for running Terraform collaboratively, including remote runs, workspaces, and policy enforcement.

Terraform in ProductionIntermediate9 min readJul 9, 2026
Analogies

Terraform Cloud and Terraform Enterprise

Running terraform apply from a developer's laptop works fine for a solo project, but it breaks down quickly as teams grow: state can be overwritten by concurrent runs, credentials get scattered across machines, and there is no consistent record of who ran what and why. Terraform Cloud (TFC) is HashiCorp's managed SaaS platform that solves this by centralizing state storage, executing runs remotely in a consistent environment, and layering collaboration features like run approvals, variable sets, and policy checks on top of core Terraform. Terraform Enterprise (TFE) is the same platform packaged as self-hosted software for organizations with data residency, air-gapped, or compliance requirements that rule out a SaaS offering.

🏏

Cricket analogy: Running terraform apply from a laptop is like one player unofficially updating the team's batting order on a scrap of paper — fine solo, but chaos once two selectors edit it at once; TFC is the official, centrally-managed team sheet everyone reads from.

Workspaces as the Unit of Isolation

In Terraform Cloud, a workspace is roughly analogous to a working directory plus a state file plus a set of variables, but it is a first-class managed object rather than a local folder. Each workspace is tied to a version control repository (or a CLI-driven / API-driven workflow), holds its own state history, and can be configured with its own Terraform version, environment variables, and run triggers. Teams typically create one workspace per environment per component — for example, networking-prod, networking-staging, app-prod — so that a change to one environment cannot accidentally affect another.

🏏

Cricket analogy: A TFC workspace is like a franchise's dedicated dossier for one format — T20 squad, ODI squad kept separately — each with its own history, playing conditions, and roster, so a change to the T20 side never accidentally touches the ODI lineup.

The Remote Run Workflow

When a workspace is connected to VCS, pushing a commit automatically triggers a remote plan inside TFC's run environment, not on the developer's machine. This guarantees every plan is produced with the same Terraform version, the same provider versions, and the same variable set, eliminating the classic 'works on my machine' drift. A human (or a policy check) reviews the plan output, and only after approval does TFC execute the apply, again remotely, streaming logs back to the UI.

🏏

Cricket analogy: A VCS-connected workspace auto-triggering a remote plan on push is like a franchise's analytics team automatically re-running match simulations the moment a new player is signed, always using the same simulation engine version, then a selector approves before the change goes live.

hcl
terraform {
  cloud {
    organization = "acme-corp"

    workspaces {
      name = "networking-prod"
    }
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

Policy as Code with Sentinel and OPA

TFC/TFE let organizations enforce guardrails on every plan before it can be applied, using Sentinel (HashiCorp's policy language) or Open Policy Agent. A policy might block any plan that would create an S3 bucket without encryption enabled, or reject a plan that provisions an instance type outside an approved list. Policies run as a distinct stage between plan and apply, giving platform teams centralized control without having to review every pull request by hand.

🏏

Cricket analogy: Sentinel policies gating every plan are like the ICC's playing-condition checks that automatically flag an illegal bat thickness before a match starts, or reject a boundary rope set at an unapproved distance, without an umpire reviewing every single prep by hand.

Think of Terraform Cloud's run pipeline as an assembly line with quality gates: plan (build the proposal), policy check (inspect against rules), and apply (ship it) — each gate can halt the line before a defective change reaches production.

Migrating an existing local or S3-backed state file into Terraform Cloud is a one-way operation from the perspective of workflow: once a workspace is 'cloud-managed' and teams stop running apply locally, losing access to the TFC organization (e.g., expired trial, billing lapse) can strand your ability to make further changes. Always keep a documented export/backup path for state.

  • Terraform Cloud is HashiCorp's managed SaaS; Terraform Enterprise is the self-hosted equivalent for compliance-sensitive orgs.
  • Workspaces isolate state, variables, and run history per environment/component.
  • VCS-connected workspaces trigger remote plans automatically on commit, ensuring consistent tooling versions.
  • Applies require explicit approval by default, giving teams a human checkpoint before infrastructure changes.
  • Sentinel and OPA enable policy-as-code guardrails enforced between plan and apply.
  • TFC centralizes state storage and access control, removing the need for teams to manage their own S3/DynamoDB backend.

Practice what you learned

Was this page helpful?

Topics covered

#HCL#TerraformInfrastructureAsCodeStudyNotes#DevOps#TerraformCloudAndTerraformEnterprise#Terraform#Cloud#Enterprise#Workspaces#CloudComputing#StudyNotes#SkillVeris