HCP Terraform Plans and Features

HCP Terraform is a platform that performs Terraform runs to provision infrastructure, either on demand or in response to various events. Unlike a general-purpose continuous integration (CI) system, it is deeply integrated with Terraform's workflows and data, which allows it to make Terraform significantly more convenient and powerful.

Hands On: Try our What is HCP Terraform - Intro and Sign Up tutorial.

Free and paid plans

HCP Terraform is a commercial SaaS product developed by HashiCorp. Many of its features are free for small teams, including remote state storage, remote runs, and VCS connections. We also offer paid plans for larger teams that include additional collaboration and governance features.

HCP Terraform manages plans and billing at the organization level. Each HCP Terraform user can belong to multiple organizations, which might subscribe to different billing plans. The set of features available depends on which organization you are currently working in.

Refer to Terraform pricing for details about available plans and their features.

Free organizations

Small teams can use most of HCP Terraform's features for free, including remote Terraform execution, VCS integration, the private module registry, single-sign-on, policy enforcement, run tasks, and more.

Free organizations are limited to 500 managed resources. Refer to What is a managed resource for more details.

Paid features

Some of HCP Terraform's features are limited to particular paid upgrade plans.

Each higher paid upgrade plan is a strict superset of any lower plans — for example, the Standard edition includes all of the features of the Essentials edition. The Premium edition includes all of the features of the Standard and Essentials editions. Paid feature callouts in the documentation indicate the lowest edition at which the feature is available, but any higher plans also include that feature.

To learn more about HCP Terraform's paid plans and features, refer to the pricing page.

Terraform Enterprise generally includes all of HCP Terraform's paid features, plus additional features geared toward large enterprises. However, some features are implemented differently due to the differences between self-hosted and SaaS environments, and some features might be absent due to being impractical or irrelevant in the types of organizations that need Terraform Enterprise. Cloud-only or Enterprise-only features are clearly indicated in documentation.

Changing Your Payment Plan

Organization owners can manage an organization's billing plan. The plan and billing settings include an integrated storefront, and you can subscribe to paid plans with a credit card.

To change an organization's plan:

1. Sign in to HCP Terraform.
2. Choose Settings from the sidebar.
3. Click Plan and billing. The Plan and Billing page appears showing your current plan and any available invoices.
4. Click Change plan.
5. Select a plan, enter your billing information, and click Update plan.

Terraform Workflow

HCP Terraform runs the Terraform CLI to provision infrastructure. In its default state, the Terraform CLI uses a local workflow, performing operations on the workstation where it is invoked and storing state in a local directory.

In HCP Terraform, there are two main ways of organizing your infrastructure:

• Workspaces are ideal for managing a self-contained infrastructure of one Terraform root module.
• Stacks are ideal for managing multiple infrastructure modules and repeating that infrastructure at scale.

To learn if a workspace or a Stack works best for your use case, refer to Choose workspaces or Stacks.

Since teams must share responsibilities and awareness to avoid single points of failure, working with Terraform in a team requires a remote workflow. At minimum, state must be shared; ideally, Terraform should execute in a consistent remote environment.

HCP Terraform offers a team-oriented remote Terraform workflow, designed to be comfortable for existing Terraform users and easily learned by new users. The foundations of this workflow are remote Terraform execution, a workspace or Stacks-based organizational model, version control integration, command-line integration, remote state management, data sharing across workspaces or Stacks, and a private Terraform module registry.

Remote Terraform Execution

HCP Terraform runs Terraform on disposable virtual machines in its own cloud infrastructure by default. You can leverage HCP Terraform agents to run Terraform on your own isolated, private, or on-premises infrastructure. Remote Terraform execution is sometimes referred to as "remote operations."

Remote execution helps provide consistency and visibility for critical provisioning operations.

To learn more about workspace runs, refer to Runs and Remote Operations. To learn more about Stacks runs, refer to Stack deployment runs.

Workspace support for local execution

Remote execution can be disabled on specific workspaces with the "Execution Mode" setting. The workspace will still host remote state, and Terraform CLI can use that state for local runs via the HCP Terraform CLI integration.

Organize infrastructure with projects

Terraform's local workflow manages a collection of infrastructure with a persistent working directory, which contains configuration, state data, and variables. You can use separate directories to organize infrastructure resources into meaningful groups, and Terraform will use the configuration in the directory you invoke Terraform commands from.

HCP Terraform organizes infrastructure into projects that contain workspaces and Stacks. Each workspace contains everything necessary to manage a single Terraform configuration. Stacks use a component architecture based on modules to repeatedly deploy infrastructure, letting Terraform manage your infrastructure at scale.

You can use projects to organize your workspaces and Stacks into groups. Organizations with HCP Terraform Essentials edition can assign teams permissions for specific projects.

Projects let you grant access to collections of workspaces and Stacks, instead of using workspace or organization-wide permissions, making it easier to limit access to only the resources required for a team member's job function.

Refer to Projects for more details.

Remote State Management and data storage

HCP Terraform acts as a remote backend for your Terraform state. In workspaces, state storage is tied to that workspace, helping keep state associated with the configuration that created it. In Stacks, each deployment stores and updates of its own isolated remote state.

Workspaces can share information between each other with root-level outputs. Separate groups of infrastructure resources often need to share a small amount of information, and workspace outputs are an ideal interface for these dependencies.

Workspaces that use remote operations can use terraform_remote_state data sources to access other workspaces' outputs, subject to per-workspace access controls. And since new information from one workspace might change the desired infrastructure state in another, you can create workspace-to-workspace run triggers to ensure downstream workspaces react when their dependencies change.

Stacks can also directly share information with each other Stacks in the same project, letting you manage the infrastructure independently. Refer to Pass data from one Stack to another for more details.

Version Control Integration

Like other kinds of code, infrastructure-as-code belongs in version control, so HCP Terraform is designed to work directly with your version control system (VCS) provider.

Each workspace can be linked to a VCS repository that contains its configuration, optionally specifying a branch and subdirectory. You can also link Stacks to a VCS repository. By default, HCP Terraform automatically retrieves configuration content from linked repositories, and watches the repository for changes:

• When new commits are merged, linked workspaces and Stacks automatically run Terraform plans with the new code.
• When pull requests are opened, linked workspaces and Stacks run speculative plans with the proposed code changes and post the results as a pull request check; reviewers can see at a glance whether the plan was successful, and can click through to view the proposed changes in detail.

VCS integration is powerful, but optional; if you use an unsupported VCS or want to preserve an existing validation and deployment pipeline, you can use the API or Terraform CLI to upload new configuration versions. You'll still get the benefits of remote execution and HCP Terraform's other features.

• More info: VCS-driven workspace runs and Stack runs.
• More info: Supported VCS Providers

Command Line Integration

Remote execution offers major benefits to a team, but local execution offers major benefits to individual developers; for example, most Terraform users run terraform plan to interactively check their work while editing configurations.

HCP Terraform offers the best of both worlds, allowing you to run remote plans from your local command line. Configure the HCP Terraform CLI integration, and the terraform plan command will start a remote run in the configured HCP Terraform workspace. The output of the run streams directly to your terminal, and you can also share a link to the remote run with your teammates.

Remote CLI-driven runs use the current working directory's Terraform configuration and the remote workspace's variables, so you don't need to obtain production cloud credentials just to preview a configuration change.

The HCP Terraform CLI integration also supports state manipulation commands like terraform import or terraform taint.

If you are working with a Stack, you can use the terraform stacks commands to manage your Stack and its configuration, deployments, and more from the command line. Refer to the terraform stacks commands for more information.

Private Registry

Even small teams can benefit greatly by codifying commonly used infrastructure patterns into reusable modules.

Terraform can fetch providers and modules from many sources. HCP Terraform makes it easier to find providers and modules to use with a private registry. Users throughout your organization can browse a directory of internal providers and modules, and can specify flexible version constraints for the modules they use in their configurations. Easy versioning lets downstream teams use private modules with confidence, and frees upstream teams to iterate faster.

The private registry uses your VCS as the source of truth, relying on Git tags to manage module versions. Tell HCP Terraform which repositories contain modules, and the registry handles the rest.

• More info: Private Registry

Integrations

In addition to providing powerful extensions to the core Terraform workflow, HCP Terraform makes it simple to integrate workspace infrastructure provisioning with your business's other systems.

Full API

Nearly all of HCP Terraform's features are available in its API, which means other services can create or configure workspaces or Stacks, upload configurations, start Terraform runs, and more. There's even a Terraform provider based on the API, so you can manage your HCP Terraform teams and workspaces as a Terraform configuration.

• More info: API

Notifications

HCP Terraform can send notifications about workspace runs to other systems, including Slack and any other service that accepts webhooks. Notifications can be configured per-workspace.

• More info: Notifications

Run Tasks

Run Tasks let workspaces execute tasks in external systems at specific points in the HCP Terraform run lifecycle.

There are several partner integrations already available for workspaces, or you can create your own based on the API.

• More info: Run Tasks

Access Control and Governance

Larger organizations are more complex, and tend to use access controls and explicit policies to help manage that complexity. HCP Terraform's paid upgrade plans provide extra features to help meet the control and governance needs of large organizations.

• More info: Free and Paid Plans

Team-Based Permissions System

With HCP Terraform's team management, you can define groups of users that match your organization's real-world teams and assign them only the permissions they need. When combined with the access controls your VCS provider already offers for code, workspace, project, and Stack permissions are an effective way to follow the principle of least privilege.

• More info: Users, Teams, and Organizations

Policy Enforcement

Policy-as-code lets you define and enforce granular policies for workspaces to control how your organization provisions infrastructure. You can limit the size of compute VMs, confine major updates to defined maintenance windows, and much more.

You can use the Sentinel and the Open Policy Agent (OPA) policy-as-code frameworks to define policies. Depending on the settings, policies can act as advisory warnings, firm requirements that prevent Terraform from provisioning infrastructure, or soft requirements that your compliance team can bypass when appropriate.

Refer to Policy Enforcement for details.

Cost Estimation

Before making changes to infrastructure in the major cloud providers, workspaces can display an estimate of their total cost, as well as any change in cost caused by the proposed updates. Cost estimates can also be used in Sentinel policies to provide warnings for major price shifts.

• More info: Cost Estimation