Introduction
Note
This document provides helpful recommendations for implementing Terraform infrastructure-as-code (IaC) as a shared service for your organization. The team responsible for this task may be called different names, such as the Platform Team or cloud center of excellence (CCoE). Regardless of the name, this guide is designed to assist teams responsible for owning, implementing, and operating Terraform IaC in their organization. For more detailed information on platform teams, please refer to the Operating Guides.
Our objective in providing HashiCorp Validated Designs is to offer prescriptive guidance based on our experience partnering with hundreds of organizations. We understand that the industry is complex and that there are many permutations and combinations for implementing solutions. However, we believe that the most important thing is that you are able to safely provision and manage cloud resources at scale and experience the business benefits and value that automated Terraform Enterprise workflows provide.
This version covers installation of Terraform Enterprise on RHEL with Podman and Ubuntu with Docker on AWS, GCP and Azure. It also provides guidance on deployment on EKS, AKS and GKE.
HashiCorp introduced the Validated Designs program to give enterprise customers and partners a set of recommendations to deliver a resilient, secure, and high-performance deployment of HashiCorp solutions. The purpose of this document is to provide the Platform Team with HashiCorp's validated design for deploying Terraform Enterprise, enabling your organization to embrace and accelerate infrastructure automation practices. By following this approach, you will eliminate ambiguity in deployment options and be able to make project-level decisions with confidence.
Audience
This document is intended for platform engineers, infrastructure architects, DevOps administrators, and cloud operators who want to design, deploy and administer a highly scalable, resilient infrastructure-as-code platform with Terraform Enterprise.
Document structure
Document section | Purpose |
---|---|
Architecture | An overview of Terraform Enterprise's logical architecture. Terraform Enterprise requirements, components, and deployment modes listed. |
Personnel and access | Description of people skills and access required to accomplish the deployment. |
Deployment (VM + container) | Installation of Terraform Enterprise on VMs with Podman/Docker using our validated Terraform modules. |
Deployment (managed Kubernetes) | Installation of Terraform Enterprise on EKS/AKS/GKE using our validated Terraform modules. |
Manual install | Manual installation steps that can be used to install Terraform Enterprise in a VM/bare metal private cloud/datacenter environment. |
Security hardening | Guidance and recommendations for hardening the Terraform Enterprise VM images used in the installation. |
Next steps | Configure the artifacts with the data collected from your environment, and use them for installing Terraform Enterprise. |
Supported versions
This guide has been validated with the following versions of Terraform Enterprise:
- Terraform Enterprise v202309-1 and above
Language and definitions
HashiCorp is an enabler of multi-cloud strategies, and as such we take this into account when writing designs. While every attempt has been made to use technology-agnostic terminology, we primarily aim to support the three largest cloud service providers (CSPs) together with an on-premises/datacenter architecture. Some terms do not translate perfectly between the public cloud and the datacenter. For the sake of clarity, our definitions for these terms are included below.
Term | Definition |
---|---|
Availability zone | A separate failure domain within a logical datacenter. |
Region | A separate logical datacenter. |
Public subnet | A network accessible from the public Internet, containing publicly-addressable infrastructure. |
Private subnet | A network not accessible from the public Internet, whose resources either cannot reach the public Internet at all or reach it only outbound through a NAT gateway. |