Projects in Terraform Cloud allow users to isolate particular subsets of workspaces and define permissions within a single organization.
We are excited to announce the release of a new organizational structure called projects, now generally available for Terraform Cloud. Projects help users organize and centrally manage their workspaces at scale while providing more granular permissions to a subset of workspaces. This post discusses why we changed the way Terraform Cloud workspaces are organized and reviews the details of the new feature.
As the number of workspaces and teams in a Terraform Cloud organization grows, several management and access challenges emerge:
Terraform Cloud users are unable to group related workspaces and can apply permissions only at the organization or individual workspace level. This has led some customers to split their workspaces across multiple organizations to work around the resource-hierarchy limitations. These multi-org workarounds result in additional complexity and overhead and require context switching to access all of the workspaces.
Previously, organization-level admin permissions were needed to create workspaces. If a general user wanted to create new workspaces, they would need to request approval from the organization admin. This situation created potential bottlenecks and pushed admins to create multiple organizations or assign excessive admin rights to achieve their desired permissions, which could open the platform to more security risks.
Projects are a new layer below the organization level and above the workspace level that gives users a way to logically group workspaces. Projects allow teams to safely self-manage workspaces and enable organization admins to create logical ownership boundaries to ensure security.
The Workspaces page in the Terraform Cloud UI is now called “Projects and Workspaces”. This page allows users to:
Team-based permissions can be applied to a project instead of an entire organization. Read or admin permissions can be assigned to each team so teams have only the access necessary to do their jobs:
Projects allow users to group workspaces and define permissions to enable safe and efficient workflows.
Related workspaces can be added to projects to simplify and organize a team's workspace view. Teams can now create and manage infrastructure in their designated project without requesting admin access at the organizational level.
Project permissions allow teams to have admin access to a subset of workspaces. This helps users safely manage their workspaces without interfering with other teams’ infrastructure and enables organization owners to maintain the principle of least privilege.
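The project-scoped permissions described above can be expressed with the hashicorp/tfe Terraform provider; the configuration below is an added example, not configuration from the original post. The organization, project, team and workspace names are hypothetical, and it assumes a provider version that includes the `tfe_project` and `tfe_team_project_access` resources.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Assumption: placeholder organization name.
variable "organization" {
  type    = string
  default = "example-org"
}

# One project per ownership boundary.
resource "tfe_project" "payments" {
  organization = var.organization
  name         = "payments"
}

# Neither team has an organization_access block, so neither
# holds organization-wide rights such as managing all workspaces.
resource "tfe_team" "payments_engineers" {
  organization = var.organization
  name         = "payments-engineers"
}

resource "tfe_team" "auditors" {
  organization = var.organization
  name         = "auditors"
}

# Admin inside the project only: the owning team can create and manage
# workspaces here without touching other teams' infrastructure.
resource "tfe_team_project_access" "payments_admin" {
  team_id    = tfe_team.payments_engineers.id
  project_id = tfe_project.payments.id
  access     = "admin"
}

# Read-only visibility for a team that needs to review but not change.
resource "tfe_team_project_access" "auditors_read" {
  team_id    = tfe_team.auditors.id
  project_id = tfe_project.payments.id
  access     = "read"
}

# Workspaces placed in the project inherit the project-level grants.
resource "tfe_workspace" "payments_prod" {
  organization = var.organization
  name         = "payments-prod"
  project_id   = tfe_project.payments.id
}
```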
In October 2022, Terraform Cloud introduced greater self-service capabilities with a no-code provisioning workflow. No-code provisioning is now integrated with projects, which means teams with project-level admin permissions can provision no-code modules directly into their project without requiring organization-wide workspace management privileges.
To ensure safe and efficient workflows, workspace groupings and their permissions must align with how teams are structured. Projects provide simplified workspace organization and granular permissions to meet team requirements without additional overhead.
Get started with Terraform Cloud for free to begin provisioning and managing your infrastructure in any environment.