Terraform
Project Best Practices
Projects let you group and scope access to your workspaces. You can group related workspaces into projects and give teams more permissive access to individual projects rather than granting them permissions to the entire organization.
Projects offer several advantages to help you further develop your workspace strategy:
- Focused workspace view: You can scope which workspaces HCP Terraform displays by project, allowing for a more organized view.
- Simplified workspace management: You can create project-level permissions and variable sets that apply to all current and future workspaces in the project. For example, you can create a project variable set containing your cloud provider credentials for all workspaces in the project to access.
- Reduced risk with centralized control: You can scope project permissions to only grant teams administrator access to the projects and workspaces they need.
Recommendations
When using projects, we recommend the following:
- Automate with Terraform: Automate the creation of projects, variable sets, and teams together using the TFE provider.
- Designate a landing zone project: Landing zone projects contain workspaces used to create all other projects, teams, and workspaces. This lets you have a variable set that includes the organization token, which the TFE provider can use to create other resources in your organization. You can also create a Sentinel policy to prevent users in other projects from accessing the organization token.
- Maintain least privilege: Restrict the number of project administrators to maintain the principal of least privilege.
Project boundaries
Finally, decide on the logical boundaries for your projects. Some considerations to keep in mind include:
- Provider boundaries: For smaller organizations, creating one project per cloud account may make it easier to manage access. Projects can use dynamic credentials by configuring a project variable set to avoid hard-coding long-lived static credentials.
- Least privilege: You can create teams and grant them access to projects with workspaces of similar areas of ownership. For example, a production networking workspace should be in a separate project from a development compute workspace.
- Variable set usage: Project-wide variable sets let you configure and reuse values such as default tags for cost-codes, owners, and support contacts.
- Practitioner efficiency: Consider if it makes sense for a practitioner to need to visit multiple projects to complete a deployment.
Next steps
This article introduces some considerations to keep in mind as your organization matures their project usage. Being deliberate about how you use these to organize your infrastructure will ensure smoother and safer operations. To learn more about HCP Terraform and Terraform Enterprise best practices, refer to Workspace Best Practices. To learn best practices for writing Terraform configuration, refer to the Terraform Style Guide.
HCP Terraform provides a place to try these concepts hands-on, and you can get started for free.