Terraform Cloud - A Complete Overview, Key Features & Getting Started Guide

Over the past decade, the way organizations manage infrastructure has fundamentally changed. Static, manually provisioned resources have given way to dynamic, code-driven environments. Today, Infrastructure as Code (IaC) is the standard approach — but running it securely and efficiently at scale brings its own set of challenges: state management, access control, policy enforcement, and configuration drift are just a few.

Terraform Cloud is a managed SaaS platform built on top of the Terraform CLI. It enhances the core tool with features designed for team-based collaboration, remote execution, and governance. It is now part of a broader cloud platform and is referred to as HCP Terraform in its latest branding.

At its core, Terraform Cloud helps developers and DevOps engineers work together more effectively, simplifies infrastructure workflows, and strengthens overall security practices around infrastructure management.

Terraform Cloud Features

1. Workspaces

Workspaces are the fundamental building blocks of Terraform Cloud. Each workspace is linked to a specific Terraform configuration and is responsible for:

  • Storing the Terraform state file
  • Executing runs, including initialization, planning, and applying configurations
  • Storing environment variables and Terraform input variables

Access control is configured at the workspace level, allowing administrators to define which users and teams can read, write, or administer a given workspace. Remote operations can also be triggered against workspaces from the local CLI, while the actual computation happens on the platform's infrastructure.

2. Projects

Projects act as containers for workspaces. Every workspace belongs to a project, making it easier to group related workspaces and assign access permissions to different teams within an organization.

3. Runs

A run in Terraform Cloud manages the full lifecycle of a Terraform operation against a workspace. The typical stages a run goes through include:

  • Queuing — The run waits until a worker is available to process it
  • Planning — A Terraform plan is executed against the workspace configuration
  • Cost Estimation — An estimated cost for the planned resources is displayed
  • Policy Checking — If policies are configured, the run is evaluated against them
  • Applying — If planning and policy checks pass, the configuration is applied to the target infrastructure

4. Variables and Variable Sets

Terraform Cloud stores variables securely, encrypting them at rest. Both plain-text and sensitive values are supported, with sensitive variables stored in write-only mode for added security.

Variable Sets allow teams to define a collection of variables once and reuse them across multiple workspaces, eliminating the need for duplicate declarations and reducing the risk of configuration inconsistencies.

5. Policies and Policy Sets

Terraform Cloud supports policy enforcement through two frameworks: Sentinel and Open Policy Agent (OPA). These policies can be used to enforce security practices, govern resource configurations, manage costs, and restrict certain resource parameters.

Policy Sets group multiple policies together and can be applied to multiple workspaces simultaneously, making it easy to enforce organization-wide standards.

6. Run Tasks

Run Tasks allow Terraform Cloud to integrate with external third-party tools at defined stages of a run. Data is sent to external services, which analyze it and return a response. Based on that response and the enforcement level configured for the task, Terraform Cloud decides whether the run should proceed or be halted.

7. Single Sign-On (SSO)

Terraform Cloud supports SSO through identity providers such as Okta, SAML-compliant systems, and Microsoft Azure Active Directory. When SSO is enabled for an organization, all non-admin users must authenticate through SSO. Administrators retain access via standard credentials to handle any SSO configuration issues.

8. Remote State

By default, when Terraform is used locally, the state file is stored on the developer's machine. In a team environment, this creates access and collaboration problems. Remote State resolves this by storing the state file in a central, managed backend. Terraform Cloud provides its own backend for this purpose, along with state locking to prevent concurrent modifications.

9. Private Registry

Terraform Cloud includes a private registry where organizations can host their own Terraform modules and providers. It functions similarly to the public Terraform registry, supporting versioning and documentation rendering, while restricting access to authorized members of the organization.

10. Agents

By default, all runs in Terraform Cloud execute on shared, public workers. For organizations that need runs to happen within their own isolated network environments, self-hosted agents are available. These agents enable Terraform Cloud to communicate with private networks, allowing compute instances or containers to act as dedicated runners.

11. Drift Detection

In real-world environments, infrastructure drift is inevitable. Quick manual fixes often go undocumented, creating hidden inconsistencies between what the code describes and what actually exists. Drift detection periodically compares the Terraform configuration against the actual state and flags any differences. Teams are notified with detailed information about detected drift, enabling them to address it before it leads to larger failures. This keeps infrastructure consistent and reliable over time.
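
The comparison described above can be reproduced from Terraform's plan JSON, where changes made outside Terraform appear in the `resource_drift` list. This added Python example, which is not from the original article, summarizes that list and sorts deletions and security-relevant changes first; the sample plan and the `SENSITIVE_ATTRS` set are constructed assumptions.

```python
import json

# Constructed sample shaped like the `resource_drift` list in `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_drift": [
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["update"],
     "before": {"name": "web", "ingress": [{"from_port": 443, "cidr_blocks": ["10.0.0.0/8"]}]},
     "after":  {"name": "web", "ingress": [{"from_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_vpc.main", "type": "aws_vpc",
   "change": {"actions": ["update"],
     "before": {"cidr_block": "10.0.0.0/16", "tags": {"owner": "platform-team"}},
     "after":  {"cidr_block": "10.0.0.0/16", "tags": {"owner": "platform-team", "hotfix": "true"}}}},
  {"address": "aws_instance.bastion", "type": "aws_instance",
   "change": {"actions": ["delete"], "before": {"instance_type": "t3.micro"}, "after": null}}
]}
""")

# Assumption: attributes this team treats as security-relevant when they drift.
SENSITIVE_ATTRS = {"ingress", "egress", "policy", "assume_role_policy"}


def changed_attributes(before, after):
    """Top-level attribute names whose values differ between recorded and real state."""
    before, after = before or {}, after or {}
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))


def summarize_drift(plan):
    """One finding per drifted resource; `before` is recorded state, `after` is what exists now."""
    findings = []
    for rd in plan.get("resource_drift", []):
        change = rd.get("change", {})
        deleted = change.get("after") is None
        attrs = [] if deleted else changed_attributes(change.get("before"), change.get("after"))
        findings.append({
            "address": rd["address"],
            "kind": "deleted outside Terraform" if deleted else "modified outside Terraform",
            "attributes": attrs,
            "review_first": deleted or bool(SENSITIVE_ATTRS.intersection(attrs)),
        })
    # Put deletions and security-relevant changes at the top of the report.
    return sorted(findings, key=lambda f: (not f["review_first"], f["address"]))


if __name__ == "__main__":
    for f in summarize_drift(SAMPLE_PLAN):
        flag = "!" if f["review_first"] else " "
        print(flag, f["address"], f["kind"], ", ".join(f["attributes"]))
```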

12. Stacks

Stacks are a feature designed to orchestrate multiple components and environments — such as development, staging, and production — as a unified unit. With Stacks, teams can:

  • Group related modules into named components
  • Deploy the same stack across multiple environments while independently tracking changes per environment
  • Automatically manage dependencies and orchestrate rollouts between components

This feature addresses use cases that teams previously handled with custom orchestration or external tooling.

Terraform vs. Terraform Cloud: What's the Difference?

Terraform is an open-source IaC tool that operates as a command-line utility. It allows users to write configuration files, generate execution plans, and apply those plans to provision and manage infrastructure resources.

Terraform Cloud, on the other hand, is a managed platform built on top of Terraform. It adds remote state management, collaboration features, CI/CD integration, access controls, policy enforcement, and more. In essence, Terraform is the engine, and Terraform Cloud is the platform that surrounds and enhances it for team-based use.

Terraform Cloud vs. Terraform Enterprise

The key distinction between Terraform Cloud and Terraform Enterprise is the deployment model. Terraform Cloud is a SaaS product hosted and managed by HashiCorp. Terraform Enterprise is a self-hosted solution that organizations deploy and manage within their own infrastructure.

Self-hosting can be advantageous for organizations that require fully isolated networks, stricter data control, or regulatory compliance that prevents the use of external SaaS platforms.

| Feature          | Terraform CLI              | Terraform Cloud                       | Terraform Enterprise             |
|------------------|----------------------------|---------------------------------------|----------------------------------|
| What it is       | Local/CI tool              | Managed SaaS platform                 | Self-hosted platform             |
| Runs happen      | On your machine            | In the cloud (or via agents)          | In your own infrastructure       |
| State management | You configure a backend    | Built-in remote state + locking       | Built-in remote state + locking  |
| Collaboration    | Basic/manual               | Workspaces, VCS runs, approvals       | Full enterprise controls         |
| Governance       | DIY with external tools    | Built-in policy checks                | Best for compliance and audit    |
| Best for         | Small teams, simple setups | Most teams wanting a managed workflow | Large or regulated organizations |

Terraform Cloud Benefits

Terraform Cloud belongs to a category of tools known as Terraform Automation and Collaboration Software (TACOS). These platforms typically offer the following benefits:

  • Role-Based Access Control — Define who can access, trigger, and manage specific workspaces
  • Remote State Management — Centralized, secure state storage with locking to prevent conflicts
  • Policy as Code — Enforce compliance and governance rules that automatically block or warn on policy violations
  • Version Control Integration — Use a version control system as the single source of truth for infrastructure configurations
  • Observability — Full visibility into run history, enabling accountability and faster debugging
  • Drift Detection — Proactive alerts when infrastructure changes outside of code

Terraform Cloud Cost

Terraform Cloud uses a Resource Under Management (RUM) pricing model. Every resource tracked in the state counts toward billing, including granular resources like security group rules.

The available tiers are:

  • Free — Supports up to 500 managed resources at no cost
  • Standard — A per-resource hourly rate applies beyond the 500-resource threshold
  • Plus — Custom pricing available through a sales inquiry

Several features are only available at higher tiers, which may push teams toward the Plus plan for production use cases. Because pricing has been revised multiple times, it's always best to verify the latest rates on the official pricing page.

How to Create a Terraform Cloud Account

To get started, navigate to the Terraform Cloud sign-up page and create a free account. You can sign up using an existing HashiCorp Cloud Platform (HCP) account or by providing a username, password, and email address.

Terraform Cloud Workflows

Once your account is set up, there are two primary workflow types to choose from:

CLI-Driven Workflow

This approach integrates Terraform Cloud's features directly into the standard Terraform command-line workflow. It does not depend on a version control system, although using one is recommended for rollback capability and version history.

To get started, authenticate from the command line using terraform login, which redirects to a browser-based token creation flow. Once the token is pasted back into the terminal, all subsequent Terraform commands (plan, apply, and others) execute remotely on Terraform Cloud infrastructure while output streams back to the local terminal.

VCS-Driven Workflow

The VCS-driven workflow is generally the recommended approach. It uses a version control repository as the single source of truth and enables GitOps practices where infrastructure changes follow the same review and merge processes as application code.

To set it up, a VCS repository containing the Terraform configuration is connected to a new workspace in Terraform Cloud. Once connected, any push to the configured branch automatically triggers a plan. If the plan passes all policy checks, it can be reviewed and applied through the Terraform Cloud interface.

Terraform Cloud Getting Started Tutorial

Below is a step-by-step walkthrough using an AWS network configuration as a practical example.

Step 1: Log In

Sign in to your Terraform Cloud account using your credentials or a connected identity provider.

Step 2: Create a Credentials Variable Set

Go to Settings → Variable Sets and create a new variable set. Configure it with a name, optional description, and a scope (global or scoped to specific projects and workspaces).

For AWS connectivity, add AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables. Mark the secret access key as sensitive to prevent it from being displayed after saving.

Step 3: Create a Policy

Navigate to Settings → Policies and create a new Sentinel policy. Choose a hard mandatory enforcement level so that any policy failure automatically blocks the run.

Step 4: Create a Workspace

Create a new VCS-driven workspace linked to the repository containing your AWS Terraform code. Once the workspace is created, the policy will be automatically evaluated during every run.

If a VPC is missing the required owner tag, the policy will fail the run with a detailed error. After fixing the tag in the code and pushing the update, the policy check passes and the run can proceed to apply.

Step 5: Make Configuration Changes

After the initial application succeeds, changes can be made to the configuration — such as adding new VPCs or updating tag values. A push to the repository automatically triggers a new plan. If no policy violations are detected, the plan can be reviewed and applied.

Step 6: Destroy Resources

To clean up, navigate to the workspace settings, select Destruction and Deletion, and click Queue Destroy Plan. You will be prompted to confirm by typing the workspace name. Once confirmed, a destroy run is queued and all managed resources are removed. A summary of the operation is displayed upon completion.
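
The owner-tag rule from Steps 3 and 4, written as an added Python example over Terraform's plan JSON (the `resource_changes` list from `terraform show -json`). It is not the article's Sentinel policy and not HashiCorp code; the sample plan and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_vpc.main", "mode": "managed", "type": "aws_vpc",
   "change": {"actions": ["create"],
              "after": {"cidr_block": "10.0.0.0/16", "tags": {"owner": "platform-team"}}}},
  {"address": "aws_vpc.legacy", "mode": "managed", "type": "aws_vpc",
   "change": {"actions": ["update"],
              "after": {"cidr_block": "10.1.0.0/16", "tags": {"Name": "legacy"}}}},
  {"address": "aws_vpc.untagged", "mode": "managed", "type": "aws_vpc",
   "change": {"actions": ["create"],
              "after": {"cidr_block": "10.2.0.0/16", "tags": null}}},
  {"address": "aws_vpc.retired", "mode": "managed", "type": "aws_vpc",
   "change": {"actions": ["delete"], "after": null}},
  {"address": "aws_subnet.a", "mode": "managed", "type": "aws_subnet",
   "change": {"actions": ["create"], "after": {"cidr_block": "10.0.1.0/24", "tags": null}}}
]}
""")

REQUIRED_TAG = "owner"  # tag name taken from the walkthrough


def vpcs_missing_tag(plan, tag=REQUIRED_TAG):
    """Addresses of aws_vpc resources that would exist after apply without a non-empty tag."""
    violations = []
    for rc in plan.get("resource_changes", []):
        if rc.get("mode") != "managed" or rc.get("type") != "aws_vpc":
            continue
        after = rc.get("change", {}).get("after")
        if after is None:
            continue  # pure delete: nothing remains to be tagged
        tags = after.get("tags") or {}  # `tags` is null when the argument is omitted
        # A value only known after apply is absent from `after`, so it fails closed here.
        if not str(tags.get(tag) or "").strip():
            violations.append(rc["address"])
    return violations


def policy_passes(plan, tag=REQUIRED_TAG):
    """Mirror of a hard-mandatory check: any violation blocks the run."""
    return not vpcs_missing_tag(plan, tag)


if __name__ == "__main__":
    for address in vpcs_missing_tag(SAMPLE_PLAN):
        print(f"FAIL {address}: missing required tag '{REQUIRED_TAG}'")
    print("policy result:", "pass" if policy_passes(SAMPLE_PLAN) else "fail")
```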

Publishing a Module to the Private Registry

To publish a module, navigate to the Registry tab and select the publish option. Choose the VCS provider and select the repository containing the module code.

After publishing, the module detail page provides:

  • Readme: Documentation explaining what the module does and how to use it
  • Inputs: All required and optional input variables
  • Outputs: Values exported by the module for use in other configurations
  • Dependencies: External modules referenced by this module
  • Resources: The infrastructure resources this module creates

Versioning is handled through git tags. Usage instructions and download metrics are displayed on the right side of the module detail page.

Key Takeaways

TACOS platforms like Terraform Cloud are rapidly becoming the standard for managing Terraform and other IaC tools at scale. They improve collaboration, reduce deployment risk and configuration drift, and shorten time-to-market for infrastructure changes.

Organizations evaluating their options should consider factors like pricing model, supported tools, workflow flexibility, policy enforcement capabilities, and whether a SaaS or self-hosted deployment model better fits their requirements.

Conclusion

In today’s fast-moving cloud environments, managing infrastructure manually is no longer practical for growing teams and enterprises. Terraform Cloud simplifies Infrastructure as Code operations by combining automation, collaboration, security, and governance into a single managed platform. From remote state management and policy enforcement to drift detection and scalable workflows, it helps organizations deploy infrastructure more consistently and efficiently. Whether teams are just beginning their IaC journey or managing large-scale multi-environment deployments, Terraform Cloud provides the tools needed to improve reliability, reduce operational complexity, and accelerate modern infrastructure delivery.

FAQs

Are HCP Terraform and Terraform Cloud the same product?

Yes. HCP Terraform is simply the updated branding for what was originally called Terraform Cloud, now offered under the HashiCorp Cloud Platform umbrella.

Is Terraform Cloud free to use?

There is a free tier that supports individuals and small projects, including remote state storage, version control integration, and limited run capacity. Policy enforcement, larger quotas, SSO, and private agents require a paid plan.

Can Terraform Cloud be self-hosted?

No. Terraform Cloud is a SaaS-only product. For self-hosted deployments, Terraform Enterprise is the appropriate option.

What are Terraform Cloud workspaces used for?

Workspaces isolate Terraform state, variables, runs, and access controls for different environments or deployments. They allow the same configuration to run independently for development, staging, and production without state conflicts.

How does Terraform Cloud pricing work?

Pricing is based on the number of Resources Under Management (RUM). Different tiers offer different per-resource rates and feature sets, with billing applied at the organization level.