HashiCorp : Terraform Cloud

Terraform Cloud Workspaces

Lab Solution Remote Execution

In this guide, we’ll convert an existing Terraform Cloud workspace (devops-aws-myapp-dev) from local to remote execution. You’ll learn how to rename variable files, configure the remote backend, authenticate, and manage runs in Terraform Cloud—all while securely handling AWS credentials.

1. Log in and Select Your Workspace

  1. Navigate to https://app.terraform.io/ and log in.
  2. Choose your organization Mastering-Terraform-Cloud.
  3. Under Workspaces, click devops-aws-myapp-dev.

The image shows a Terraform Cloud workspace interface for "devops-aws-myapp-dev," displaying options for settings like General, Locking, SSH Key, Version Control, and Destruction and Deletion. The workspace has no resources, and the Terraform version is 1.2.7.

2. Enable Remote Execution

  1. Go to SettingsGeneral.
  2. Change Execution Mode from Local to Remote.
  3. Click Save settings.

The image shows the General Settings page of a Terraform Cloud workspace, with options for setting the workspace ID, name, description, execution mode, and apply method.

3. Rename Your Variables File

Terraform Cloud automatically loads any file ending in .auto.tfvars. Rename your local terraform.tfvars to:

mv terraform.tfvars terraform.auto.tfvars

Example contents of terraform.auto.tfvars:

prefix        = "app"
project       = "clumsy-bird"
environment   = "development"
instance_type = "t2.micro"

Note

Files with the *.auto.tfvars suffix are auto-loaded by Terraform Cloud—no manual variable uploads required.

The image shows a Terraform Cloud workspace interface, specifically the "Variables" section, where no variables or variable sets have been added.

4. Configure the Remote Backend

In your Terraform configuration (e.g., backend.tf), point to your Terraform Cloud organization and workspace:

terraform {
  cloud {
    organization = "Mastering-Terraform-Cloud"

    workspaces {
      name = "devops-aws-myapp-dev"
    }
  }
}

5. Authenticate with Terraform Cloud

Run the login command to link your CLI to Terraform Cloud:

terraform login

When prompted, paste your API token. Generate or copy it from User SettingsTokens in the web UI.

The image shows a web interface for creating an API token, with a warning to save the token securely as it will not be displayed again. The token is visible along with options to copy it and a "Done" button.

6. Initialize Terraform

Initialize the backend, providers, and modules. This will register your workspace with Terraform Cloud:

terraform init

Example output:

Initializing modules...
Downloading registry.terraform.io/terraform-aws-modules/vpc/aws 3.14.4 for vpc...
...
Terraform Cloud has been successfully initialized!

7. Set Environment Variables in the Workspace

In the Terraform Cloud UI, go to Variables and add:

Variable NameCategorySensitive
AWS_ACCESS_KEY_IDEnvironmentNo
AWS_SECRET_ACCESS_KEYEnvironmentYes

Warning

Mark AWS_SECRET_ACCESS_KEY as Sensitive to prevent it from being exposed in logs or state files.

The image shows a Terraform Cloud workspace interface displaying variables, including sensitive AWS keys, with a success message indicating a variable was saved.

8. Run a Remote Plan

From your CLI, execute:

terraform plan

The plan will run remotely in Terraform Cloud and stream logs back to your terminal:

Running plan in Terraform Cloud. Output will stream here...
Preparing the remote plan...
To view this run in a browser, visit:
https://app.terraform.io/app/Mastering-Terraform-Cloud/devops-aws-myapp-dev/runs/run-HCZ7HSw
...

You can also watch progress in the UI:

The image shows a Terraform Cloud interface with a speculative plan triggered via CLI for a development workspace. It includes details of the plan running and a log output.

At the end, you’ll see:

Plan: 23 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  clumsy-bird-ip  = (known after apply)
  clumsy-bird-url = (known after apply)

9. Apply the Run

Approve and apply your plan:

  • CLI:

    terraform apply
    

    Type yes when prompted.

  • UI: Click Confirm & Apply in the Runs tab.

The image shows a Terraform Cloud workspace interface with a run triggered via CLI. It indicates that the plan has finished and the apply process is currently running.

Once complete, outputs appear:

clumsy-bird-ip  = "http://50.16.35.225:8001"
clumsy-bird-url = "http://ec2-50-16-35-225.compute-1.amazonaws.com:8001"

10. Inspect State Versions

Terraform Cloud automatically versions your state. Under States, you can browse previous versions or view the latest state JSON:

{
  "version": 4,
  "terraform_version": "1.2.7",
  "serial": 2,
  "outputs": {
    "clumsy_bird_ip": {
      "value": "http://50.16.35.225:8001",
      "type": "string"
    },
    "clumsy_bird_url": {
      "value": "http://ec2-50-16-35-225.compute-1.amazonaws.com:8001",
      "type": "string"
    }
  },
  "resources": []
}

11. Teardown (Optional)

To destroy all resources managed by this workspace:

terraform destroy

You can confirm via CLI or by clicking Confirm & Apply in the Runs tab of Terraform Cloud.


Congratulations! You’ve successfully switched your Terraform Cloud workspace to remote execution, centralized state and runs, and managed sensitive variables securely.

Watch Video

Watch video content

Practice Lab

Practice lab

Previous
Lab Solution Local Execution