Terraform Enterprise is HashiCorp's self-hosted distribution of the same platform, deployed on premises or in your own private cloud, with additional features aimed at large organizations. Terraform Cloud (since renamed HCP Terraform) is the SaaS offering: a managed Terraform experience hosted and operated by HashiCorp.
Let’s look at Terraform Cloud first, as it’s the simpler entry point. Imagine you’re running Terraform locally on your machine: you execute terraform plan and terraform apply, your code lives in a Git repository, and your state file sits in a local terraform.tfstate (or, worse, gets committed to the repository alongside the code, exposing every secret the state contains). Terraform Cloud takes this local workflow and moves it to a managed, collaborative platform with shared, access-controlled state.
Here’s a simple workflow in Terraform Cloud:
- Version Control Integration: You push your Terraform code to a Git repository (GitHub, GitLab, Bitbucket) and connect a Terraform Cloud workspace to it.
- Triggering Runs: When you push changes to a designated branch (e.g., main), Terraform Cloud automatically detects it and queues a run in the workspace. Pull requests against that branch get speculative plans only; they are never applied.
- Plan Execution: The run checks out the commit and runs terraform plan. The plan output is displayed in the web UI.
- Policy Checks (Optional): If you have Sentinel policies defined, they are evaluated against the plan; a hard-mandatory failure stops the run here.
- Apply Confirmation: You review the plan and any policy checks, then click "Confirm & Apply" in the UI.
- Apply Execution: Terraform Cloud runs terraform apply and updates your infrastructure.
Consider this main.tf for a simple S3 bucket:
```hcl
resource "aws_s3_bucket" "example" {
  bucket = "my-unique-tf-enterprise-example-bucket-12345"
  # `acl = "private"` is deprecated since AWS provider v4; see the block below.
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}
# Make "private" explicit instead of relying on the deprecated acl argument.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```
When you push this to your connected Git repository, Terraform Cloud plans the change and, once you confirm (or immediately, if auto-apply is enabled on the workspace), provisions the bucket. The state file is stored encrypted and versioned per workspace by Terraform Cloud, not committed to your Git repo; this matters because state records resource attributes in the clear, including any secrets a provider returns.
Now, Terraform Enterprise. Think of it as Terraform Cloud, but you own and manage the infrastructure it runs on. This gives you more control over security, networking, and integration with your existing on-premises systems.
Key Differentiating Features and Trade-offs:
- Self-Hosting vs. SaaS:
  - Terraform Enterprise (TFE): You install and manage TFE on your own infrastructure (VMs, Kubernetes, private cloud). This offers maximum control over data residency, network access, and security policies. Trade-off: Requires significant operational overhead for installation, maintenance, upgrades, and scaling. You are responsible for securing the TFE instance itself, and it is a high-value target: it holds the state and credentials for everything it manages.
  - Terraform Cloud (TFC): HashiCorp manages the infrastructure. You simply sign up and use it. This dramatically reduces operational burden. Trade-off: Less control over the underlying infrastructure, data residency is dictated by TFC’s regions, and you rely on HashiCorp’s security practices for the platform.
- Private Module Registry:
  - TFE/TFC: Both offer a private module registry. This allows you to version, document, and share your internal Terraform modules across teams. You reference a module by registry hostname, organization, name, and provider, pinned to a version: module "vpc" { source = "app.terraform.io/myorg/vpc/aws" version = "1.2.0" }. On TFE, app.terraform.io is replaced by your own TFE hostname.
  - TFE Specific: Because TFE is self-hosted, your private registry is entirely within your network perimeter, which can be a crucial requirement for highly regulated environments.
- Policy as Code (Sentinel):
  - TFE/TFC: Sentinel is HashiCorp’s policy-as-code framework (both products also accept Open Policy Agent policies). You write policies to enforce organizational standards before infrastructure changes are applied and attach them to workspaces as policy sets with an enforcement level: advisory, soft-mandatory (an authorized user can override a failure), or hard-mandatory (a failure blocks the apply). For example, you can prevent the creation of public S3 buckets or ensure all resources have specific tags.
  - TFE Specific: Policies in TFE are evaluated on your self-hosted infrastructure, so neither the plan data nor the policy source leaves your network.
- Cost and Licensing:
  - TFE: Typically licensed per user, with a minimum commitment. The cost reflects the enterprise-grade features and the self-managed nature.
  - TFC: Offers a free tier for individuals and small teams. Paid tiers unlock additional features and higher limits (policy enforcement, larger run concurrency, team and governance controls); tier names and what each includes have changed several times, so check HashiCorp’s current pricing page rather than relying on a snapshot.
- Networking and Security:
  - TFE: You have full control over network access to TFE, including firewall rules, VPNs, and private endpoints. This is critical for organizations that cannot expose management interfaces to the public internet.
  - TFC: The control plane is reached over the public internet. Runs that must touch infrastructure inside your private network use Terraform Cloud Agents: self-hosted workers that pull jobs from TFC over outbound HTTPS, so no inbound access has to be opened. Cloud provider credentials are held as sensitive workspace variables or, better, issued per run through dynamic provider credentials (OIDC workload identity) so that no long-lived AWS, Azure, or GCP keys are stored in the platform at all.
- Scalability and Performance:
  - TFE: You are responsible for provisioning and scaling the underlying infrastructure for TFE to meet your demands. This means monitoring resource utilization and adding more nodes or compute power as needed.
  - TFC: HashiCorp handles the scaling of the platform. You don’t need to worry about the underlying compute or storage for TFC itself, only the resources your Terraform code provisions.
- Integrations:
  - TFE: Can be more deeply integrated with on-premises identity providers (for example Active Directory, federated to TFE via SAML), custom logging solutions through its log forwarding, and internal security tools due to its self-hosted nature.
  - TFC: Integrates with common SaaS identity providers (Okta, Azure AD via SAML) and cloud-native services.
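The kind of policy the Policy as Code item above describes, written here as an added example for this article rather than taken from the page or from HashiCorp's policy library. It uses the tfplan/v2 import to inspect the planned changes, denies any aws_s3_bucket that requests a public canned ACL, and requires a set of tags on each bucket; the tag list and the policy name are assumptions for the example, not a standard the page defines.

```sentinel
# Added example: deny public S3 buckets and require mandatory tags.
# Not from the original page; the tag list below is an assumed standard.
import "tfplan/v2" as tfplan

# Tags every bucket must carry (assumption for this example).
mandatory_tags = ["Name", "Environment"]

# Canned ACLs that grant anonymous or all-AWS-user access.
public_acls = ["public-read", "public-read-write", "authenticated-read"]

# Every aws_s3_bucket this run creates or updates. Destroys are skipped;
# there is nothing to harden on a resource that is going away.
s3_buckets = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_s3_bucket" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Rule 1: no bucket requests a public canned ACL. The `else` branch turns an
# absent or unknown `acl` attribute into "private" (the provider default),
# so a bucket that omits `acl` passes.
no_public_acl = rule {
	all s3_buckets as _, rc {
		not ((rc.change.after.acl else "private") in public_acls)
	}
}

# Rule 2: every bucket carries all mandatory tags. A bucket with no `tags`
# block falls back to an empty map and therefore fails.
tags_present = rule {
	all s3_buckets as _, rc {
		all mandatory_tags as t {
			t in keys(rc.change.after.tags else {})
		}
	}
}

# Sentinel evaluates `main`; the policy passes only when both rules hold.
main = rule {
	no_public_acl and tags_present
}
```

Register the file in the policy set's sentinel.hcl with enforcement_level = "hard-mandatory" so a failing plan cannot be applied, and exercise it against plan mocks with the Sentinel CLI (sentinel test) before attaching it to real workspaces: a mistaken policy at hard-mandatory level blocks every run in those workspaces until it is fixed.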
The one thing that often surprises people is how much operational overhead a self-hosted solution like Terraform Enterprise introduces. It’s not just about running terraform apply on your own servers; it’s about managing the TFE application itself, including its PostgreSQL database, the object storage that holds state and run artifacts, networking, and lifecycle. This includes regular upgrades, security patching, backups, and ensuring high availability.
Ultimately, the choice boils down to your organization’s security requirements, compliance needs, operational capacity, and desired level of control. If you need to keep all management tooling within your own network perimeter and have the resources to manage it, Terraform Enterprise is the path. If you prefer a managed service and want to offload infrastructure management, Terraform Cloud is the more straightforward choice.