Terraform on AWS
by Sergey Okinchuk
Plan/Apply Approval WorkflowsDrift Detection and Reconciliation
Chapter 10: Collaboration and Automation
Topic 60

HCP Terraform

PlatformManaged

HCP Terraform — formerly Terraform Cloud — is HashiCorp's managed service for running Terraform: remote state, remote runs with a built-in approval UI, a private module registry, policy enforcement, and team controls. It is the buy option for everything the last three topics had you build. Instead of standing up an S3 backend and writing a CI pipeline, you connect a repository and get plans on pull requests and applies on merge out of the box.

That convenience comes with a dependency and a pricing model — per-user or per-run, depending on tier. The honest question is not whether HCP Terraform works (it does) but whether buying the run platform saves more than building it costs you, which depends entirely on how much your team's time is worth against how much control you want.

Buy vs build
HCP Terraform
Managed remote runs, state, a private registry, and Sentinel policy out of the box — paid per-user or per-run, with an external dependency. Buy when the team's time matters more than full control.
Self-managed
An S3 backend plus a CI pipeline you write — free of that dependency and entirely under your control, but yours to build, secure, and operate forever.

What HCP Terraform Provides

Five things, roughly: managed remote state with locking (no S3 backend to bootstrap), remote runs that execute plan and apply on HashiCorp's infrastructure, a run approval UI where a human gates the apply, a private module registry for sharing modules across the organization, and policy enforcement through Sentinel (or OPA) to block plans that violate rules. Each of those is something you would otherwise assemble from S3, CI, and a pile of glue.

Workspaces in HCP

HCP Terraform uses the word "workspace" for something different from a CLI workspace, and the overlap trips people up constantly. A CLI workspace is multiple state files under one configuration — dev, prod as named states. An HCP workspace is a managed environment that pairs one state with its run history, variables, and settings — closer to "a directory with its own backend and pipeline" than to a CLI workspace. Same word, genuinely different concept; say which one you mean.

VCS-Driven Runs

Connect a repository to an HCP workspace and the plan-on-PR, apply-on-merge flow happens without you writing a pipeline. A pull request triggers a remote plan whose output appears both in HCP and on the PR; merging to the tracked branch queues an apply, gated by the workspace's approval setting. The configuration that points the CLI at HCP is a small cloud block in the terraform settings.

terraform settings — point the CLI at an HCP workspace
terraform {
  cloud {
    organization = "acme"
    workspaces {
      name = "network-prod"
    }
  }
}

This cloud block replaces the backend "s3" block — state lives in HCP, runs execute remotely, and the named workspace ties this configuration to its managed environment. There is no bucket, no lock table, and no pipeline YAML to maintain.

Policy and Governance

Sentinel and OPA let you enforce rules on every run as managed features — block a plan that creates an unencrypted bucket, forbid instance types above a size, require a tag. Combined with team permissions that scope who can apply to which workspace and an audit log of every run, this is the governance layer that is laborious to build yourself on raw CI. If policy enforcement is a hard requirement, it is one of the strongest reasons to buy rather than build.

Build vs Buy

The decision is HCP Terraform against a self-built S3 backend plus GitHub Actions. Buy when the managed state, approval UI, private registry, and policy save more engineer-time than the subscription costs, and when an external dependency is acceptable. Build when you want full control of the pipeline and credentials and the team can operate it. A two-person project rarely needs HCP; a regulated organization that would otherwise spend months reinventing Sentinel often does.

HCP Terraform vs Self-Managed

HCP Terraform — managed remote state, a run and approval UI, a private registry, and Sentinel policy out of the box, for a per-user or per-run cost and an external dependency. Buy it when the team's time matters more than full control, or when governance like Sentinel is a hard requirement you would otherwise build from scratch.

Self-managed (S3 backend + CI) — free of that dependency and entirely under your control, but yours to build, secure, and operate forever. Build it when you want full ownership of state, credentials, and pipeline, and the team has the time to run it.

Common Mistakes
  • Confusing HCP Terraform workspaces (a managed run-plus-state environment) with CLI workspaces (multiple states for one config) — different concepts, same word.
  • Adopting HCP Terraform for a tiny two-person project where a plain S3 backend would have sufficed, paying for run automation nobody needed.
  • Self-building an elaborate pipeline that reinvents the run UI, private registry, and policy HCP Terraform already offers, then maintaining it forever.
  • Assuming HCP Terraform is the only way to get remote runs and approvals, when Atlantis and a CI pipeline cover most of the same ground.
  • Leaving a backend "s3" block in place alongside the cloud block, since the cloud block replaces the backend rather than supplementing it.
Best Practices
  • Say which workspace you mean — HCP or CLI — explicitly in docs and conversation, since the word collides on two different concepts.
  • Choose HCP Terraform when managed state, approvals, a private registry, and policy save more engineer-time than the subscription costs.
  • Build on S3 plus CI when you want full control of state and credentials and the team can operate the pipeline.
  • Use HCP Terraform's Sentinel or OPA policy enforcement when governance is a hard requirement rather than reimplementing it on raw CI.
  • Scope team permissions per workspace so the right people apply to the right environments, and rely on the run audit log for accountability.
Comparable tools Atlantis open-source self-hosted run automation Spacelift / env0 competing managed IaC platforms Pulumi Cloud the equivalent managed service for Pulumi

Knowledge Check

How does an HCP Terraform workspace differ from a CLI workspace?

  • An HCP workspace is a managed run-plus-state environment with its own variables; a CLI workspace is just named states under one config
  • They are exactly the same underlying feature offered under two different names; the distinction between the two is purely a historical one
  • A CLI workspace runs every plan and apply remotely while an HCP workspace runs them locally on your machine
  • An HCP workspace can hold only a single resource, while a CLI workspace can hold as many as you like

What does the cloud block in the terraform settings replace?

  • The backend block — state lives in HCP and runs execute remotely instead of against a self-managed backend
  • The required_providers block, since HCP downloads and supplies all of the provider plugins for you on its own
  • The provider "aws" block, since HCP already holds the AWS credentials for the run
  • Nothing at all — it is simply added alongside the existing S3 backend block in the config

When is buying HCP Terraform the better call over self-building S3 plus CI?

  • When managed state, approvals, a private registry, and policy like Sentinel save more engineer-time than the subscription costs
  • Always, in every single case, because a hand-rolled self-built S3-plus-CI pipeline simply cannot ever apply Terraform to AWS at all
  • For a small two-person project, where the flat per-user subscription cost happens to be at its lowest
  • Only when your stack must avoid taking on any kind of external third-party dependency whatsoever

What governance capability is a strong reason to choose HCP Terraform?

  • Sentinel or OPA policy enforcement on every run, blocking plans that violate rules without you building it from scratch
  • Automatic blanket encryption of the entire AWS account and all of its resources, which is otherwise simply impossible to achieve
  • The ability to run Terraform plans and applies without keeping any state file at all
  • A hard guarantee that no plan will ever show a destructive resource replacement

You got correct