At Gruntwork, we’re well known for our Terraform expertise, including our open source tools such as Terragrunt and Terratest, our book, Terraform: Up & Running, and our IaC Library that contains dozens of battle-tested Terraform modules to help you launch production-grade infrastructure in a fraction of the time it would otherwise take. Somewhat lesser known is the fact that Gruntwork is compatible with two popular HashiCorp products: Terraform Cloud (TFC) and Terraform Enterprise (TFE). You can use TFC & TFE to deploy modules from our infrastructure-as-code library directly from the UI. You can even retain the familiar and efficient Terragrunt command-line experience while leaning on TFC & TFE to build your infrastructure.
In this post, we’ll briefly introduce the workflows you can use to integrate Gruntwork and TFC/TFE. We’ll also point you to our production deployment guide where you can find all the details.
What are Terraform Cloud and Terraform Enterprise?
While the open source edition of Terraform is quite powerful and flexible as a standalone project, some organizations need better support for teams of engineers. HashiCorp, the developers of Terraform, offer a hosted version of Terraform with a multitude of premium features, including:
- A web-based UI for creating Terraform Workspaces
- Remote execution, allowing you to run Terraform plan and apply operations on infrastructure hosted in the cloud (TFC) or on a central system that you can control (TFE)
- Users, teams, and organizations, with a variety of permissions for performing operations.
- The Sentinel policy as code framework, which works across multiple HashiCorp products (Terraform, Vault, Nomad, and Consul)
- Cost estimation, which estimates how much a Terraform configuration will cost in cloud provider charges
Terraform Cloud is free for small teams, with various pricing tiers for some of the advanced features. Terraform Enterprise is a self-hosted distribution of Terraform Cloud, that allows you to have your own private Terraform Cloud instance, with additional enterprise-grade features like audit logging and single sign-on.
How does Gruntwork integrate with Terraform Cloud and Terraform Enterprise?
There are two primary ways to use Gruntwork with TFC and TFE:
- Call a Gruntwork module from your own Terraform configuration, leveraging our library to do all the heavy lifting, and dramatically simplifying your own code.
- Use Terragrunt to execute remote runs on TFC or TFE, allowing you to leverage the myriad benefits of Terragrunt, such as keeping your code and variables, CLI args, etc DRY, and adding support for applying changes across multiple accounts/modules/environments.
Calling Gruntwork modules from Terraform Cloud
When writing Terraform code, you can include a set of outside resources by using a module. Modules can be included from a variety of sources, such as from the local filesystem, from a Terraform Registry, or from a Git URL.
provider "aws" {
region = "us-east-1"
}module "vpc" {
source = "git::git@github.com:gruntwork-io/module-vpc.git//modules/vpc-app?ref=v0.8.7"aws_region = "us-east-1"
vpc_name = "my-vpc"
cidr_block = "10.0.0.0/16"
num_nat_gateways = 3
}The Terraform configuration above creates a production-grade, multi-tier VPC with just a few lines of code. Such is the power of modules: they can reduce a highly complex cloud configuration to just a few simple inputs by using a module from the Gruntwork IaC Library. (Note: this module is private and only accessible to Gruntwork subscribers.)
To use this with TFC or TFE, you’d simply:
1. Create a workspace, connect it to the version control system (such as GitHub, GitLab, or Bitbucket) that contains your Terraform configuration.
2. Set up your AWS API credentials and add an SSH key with access to the Gruntwork GitHub repository.
3. Once connected, you can queue runs in the TFC or TFE UI. It will execute the Terraform plan and apply stages, during which it will clone Gruntwork’s module-vpc using the provided SSH key for authentication, and apply the configuration to your account.
That’s all it takes to create a production-grade VPC using Gruntwork with TFC! Check out our deployment guide for more detailed step-by-step instructions, including how to connect your version control system, configure SSH keys, and more.
Using Terragrunt with Terraform Cloud and Terraform Enterprise
The TFC and TFE UI runs only Terraform commands, but Terragrunt expects you to run it directly, and it, in turn, will run Terraform. Therefore, it currently is not possible to use the TFC UI to trigger Terragrunt.
However, you can set up Terraform to run remote operations such as plan and apply. That is, you use Terragrunt to organize your code and keep it DRY, and you can configure it so that when you run terragrunt apply on your computer (or on a CI server), it runs terraform apply in TFC rather than on your local system.
This all works thanks to the magic of Terraform remote backends. This feature of Terraform allows you to designate a remote URL and workspace on which will store the state and execute the plan and apply operations. The logs will stream to the local command line, but the run history will be retained within TFC/TFE, giving you the freedom of the local CLI while retaining the benefits of the controlled, hosted environment.
The screenshot below shows the plan output for the same VPC module shown above, but this time in a terminal window after running terragrunt apply on the command line:
The TFC UI shows the same plan, allowing you to approve the plan either on the command line, or in the UI. This might be useful if you needed an approval workflow, where one engineer runs plan, and another approves the plan and moves forward with the apply.
We have all the details you need to configure Terragrunt with TFC and TFE in the guide, including details on how to configure the remote backend, how to send variable inputs to TFC, and more.
Conclusions
Terraform Cloud and Terraform Enterprise are powerful products from HashiCorp that allow organizations even greater control over their infrastructure. Gruntwork’s module library saves organizations from spending thousands of hours writing undifferentiated infrastructure code, allowing them to focus on developing and deploying their applications instead. Terragrunt adds a host of features to Terraform to help organize your code and simplify re-usability. It’s easy to use them in parallel using the techniques described above.
Special thanks to Yevgeniy Brikman for his help in identifying these patterns and providing feedback on this content.