Terraform Associate Exam Cram - Part 9

This is the Part 9 of the Terraform Associate Exam Cram. It covers the following Terraform Associate Certification exam objectives:

< Prev: Objective 8 - Read, generate, and modify configuration

HCP Terraform (HashiCorp Cloud Platform Terraform) is a cloud-based service for managing Terraform deployments in secure and collaborative environment. It provides:

• Remote execution - Terraform runs in secure cloud environment.
• Remote state storage - shared, versioned, encrypted.
• State locking - prevents concurrent modifications in team settings.
• Run history.
• Audit logging.
• Policy enforcement with Sentinel or OPA.
• Private registry for sharing modules and providers.
• Integration with version control systems (VCS).
• Workspaces - isolate environments.
• Cost estimation - preview cloud costs before apply.
• Integration with security, compliance, and validation tools.
• Automated drift detection.

HCP Terraform is available in several tiers or plans - Free, Essentials, Standard, Premium, and Enterprise (Self-Managed) which mainly differ by pricing, scalability, governance, and collaboration features. While all plans support core Terraform functionality (e.g., remote runs, state management, and VCS integration), advanced capabilities like team-based access control, policy enforcement (Sentinel), audit logging, and larger resource limits are only available in higher-tier or Enterprise plans.

In HCP Terraform, there are two main ways of organizing infrastructure:

• Workspaces - for managing a self-contained infrastructure of one Terraform root module.
• Stacks - for managing multiple infrastructure modules and repeating that infrastructure at scale.

A workspace contains:

• one Terraform root module (Terraform configuration),
• one set of input and environment variables,
• one state file.

Projects organize workspaces into groups. Every workspace must belong to exactly one project. By default, all workspaces belong to an organization's Default Project. The default project can be renamed, but cannot be deleted.

A workspace is assigned to a project at the time of creation and can be moved to a different project at any time.

Note: HCP Terraform workspaces and Terraform CLI workspaces function differently. Terraform CLI workspaces are associated with a specific working directory and isolate multiple state files in the same working directory, allowing to manage multiple groups of resources or environments with a single configuration.

Workspace Variables

HCP Terraform workspace variables store configuration values used during Terraform runs. Common use cases include defining environment-specific inputs, setting static credentials, or securely managing dynamic provider credentials.

There are two types of HCP Terraform variables: environment variables and Terraform variables (also known as input variables).

Variables can be set specifically for each workspace or groupped into variable sets to share the same variables across multiple workspaces. Each environment and Terraform variable can have one of the following scopes:

• Workspace run-specific - Applies to a specific run within a single workspace.
• Workspace-Specific - Applies to a single workspace.
• Workspace-Scoped Variable Set - Applies to multiple workspaces within the same organization.
• Project-Scoped Variable Set - Automatically applied and available to all current and future workspaces and stacks within a project.
• Global Variable Set - Automatically applied to all current and future workspaces and stacks within an organization.

Workflows

HCP Terraform supports the following workflows:

• VCS-driven workflow: HCP Terraform fetches your configuration from your version control repository and automatically starts plan and apply operations whenever you make changes to the repository. This keeps your repository as the single source of truth for the workspace.
• CLI-driven workflow: Use your local Terraform CLI to start remote operations in HCP Terraform. HCP Terraform runs the operation and manages the state file.
• API-driven workflow: Use the HCP Terraform API to upload Terraform configuration changes and manage Terraform operations.

Execution Modes

HCP Terraform supports the following execution modes:

• Organization Default: Uses the organization's execution mode. This is either Remote or Local.
• Remote: Plan and apply operations run on HCP Terraform's or Terraform Enterprise's infrastructure. You and your team have the ability to review and collaborate on runs within the application.
• Local: Plan and apply operations run on machines that you control. HCP Terraform and Terraform Enterprise only store and synchronize state.
• Agent: Plan and apply operations that your agent executes are managed by HCP Terraform or Terraform Enterprise.

Private Registry

HCP Terraform's private registry works similarly to the public Terraform Registry and helps you share Terraform providers and Terraform modules across your organization. It includes support for versioning and a searchable list of available providers and modules.

HCP Terraform allows users to create and confidentially share infrastructure modules within an organization using the private registry. With Terraform Enterprise, the private registry allows you to share modules within or across organizations.

Modules from the private registry can be referenced using a registry source address of the form app.terraform.io/<ORGANIZATION-NAME>/terraform/<NAME>/<PROVIDER>.

Back to Top

Teams

Teams are groups of HCP Terraform users within an organization. If a user belongs to at least one team in an organization, they are considered a member of that organization.

Team management is available in HCP Terraform Essentials, Standard, and Premium editions.

Collaboration features:

• Manage access to workspaces, projects, and organization.
• Share access to workspaces and state.
• Configure notification via Slack / Microsoft Teams / Email.

Policy Enforcement

Policies are rules that HCP Terraform enforces on Terraform runs. You can use two policy-as-code frameworks to define fine-grained, logic-based policies: Sentinel and Open Policy Agent (OPA).

• Sentinel: You define policies with the Sentinel policy language and use imports to parse the Terraform plan, state, and configuration.
• OPA: You define policies with the Rego policy language.

A policy consists of:

• The policy controls defined as code.
• An enforcement level that determines run behavior in the event of policy failure.

Policy sets are a named grouping of policies and their enforcement levels. Each policy set can apply to specific workspaces, or to all workspaces within an organization. Policy sets are the mapping between policies and workspaces.

Enforcement levels establish whether or not an operation can proceed if a policy fails. Sentinel provides three enforcement levels:

• Hard-mandatory requires that the policy passes. If a policy fails, the run stops. You must resolve the failure to proceed.
• Soft-mandatory lets an organization owner or a user with override privileges proceed with the run in the event of failure. HCP Terraform logs all overrides.
• Advisory will notify you of policy failures, but proceed with the operation.

Terraform Version

Each HCP Terraform workspace has an assigned Terraform version that it uses for all remote operations in the workspace.

When you create a new workspace, HCP Terraform automatically selects the most recent version of Terraform available. HCP Terraform lets you change the version a workspace uses on the workspace's settings page to control how and when your projects use newer versions of Terraform.

Back to Top

Back to Top

More Terraform Tutorials:
Terraform Associate Exam Cram
Understanding Terraform Variable Precedence
Terraform Value Types Tutorial
Terraform count Explained with Practical Examples
Terraform for_each Tutorial with Practical Examples
Exploring Terraform dynamic Blocks with GCP Examples
Working with External Data in Terraform
Terraform Modules FAQ