
Enterprise Features

Features of Terraform Enterprise (TFE) and the HCP Terraform Plus tier that the free tier does not have.

Tier Comparison

| Feature | Free | Standard | Plus | Enterprise |
|---|---|---|---|---|
| Users | 5 | Unlimited | Unlimited | Unlimited |
| Sentinel Policy | | | ✓ | ✓ |
| Run Tasks | | ✓ | ✓ | ✓ |
| SSO (SAML) | | | ✓ | ✓ |
| Audit Logs | | ✓ | ✓ | ✓ |
| Private Network | | | ✓ | ✓ |
| SLA | | | ✓ | ✓ |
| Self-Hosted Agents | | | ✓ | ✓ |
| Self-Hosted Platform | | | | ✓ |
| Air-Gapped | | | | ✓ |

1. Sentinel Policy as Code

Plus and above: enforce policies before apply

sentinel.hcl

```hcl
policy "require-tags" {
  source            = "./policies/require-tags.sentinel"
  enforcement_level = "hard-mandatory"
}

policy "allowed-instance-types" {
  source            = "./policies/instance-types.sentinel"
  enforcement_level = "soft-mandatory"
}
```
policies/require-tags.sentinel

```sentinel
import "tfplan/v2" as tfplan

required_tags = ["Environment", "Owner", "CostCenter"]

# Only managed resources that will still exist after the run: a delete has no
# "after" object, and data sources, no-op changes and resources without a
# tags attribute carry nothing to enforce.
taggable = filter tfplan.resource_changes as _, rc {
	rc.mode is "managed" and
	rc.change.actions is not ["delete"] and
	rc.change.actions is not ["no-op"] and
	"tags" in keys(rc.change.after)
}

main = rule {
	all taggable as _, rc {
		rc.change.after.tags is not null and
		all required_tags as t {
			t in keys(rc.change.after.tags)
		}
	}
}
```

→ Blocks the apply if the plan does not satisfy the policy

See more under Compliance & Sentinel

2. SSO (SAML / OIDC)

Plus and above: connect to your corporate IdP

Supported:

  • Okta
  • Azure AD
  • Google Workspace
  • OneLogin
  • Custom SAML/OIDC

```text
Settings → Authentication → SAML
└── Identity Provider: Okta
    Entity ID: ...
    SSO URL: ...
    Certificate: ...
```

→ Users log in with their corporate account

3. Audit Logs

Standard and above: a log of every action

Example events:

  • User invited / removed
  • Workspace created / deleted
  • Variable updated
  • Run triggered / canceled
  • State accessed

```bash
# Export audit logs (API). $TOKEN must be an organization API token (user and
# team tokens are rejected); SINCE is an RFC3339 timestamp so that each pull
# fetches only events newer than the last one already forwarded.
curl -H "Authorization: Bearer $TOKEN" \
  "https://app.terraform.io/api/v2/organization/audit-trail?since=$SINCE"
```

Forward to SIEM:

  • Splunk
  • Datadog
  • Sumo Logic
  • ELK Stack

4. Run Tasks

Standard and above: integrate third-party services

Examples:

Snyk Security Scan

```text
Settings → Run Tasks → Add Task
└── Name: Snyk Security
    Endpoint: https://api.snyk.io/...
    HMAC Key: ***
    Enforce: Hard mandatory
```

→ Between plan and apply, Snyk is called; the run is blocked if it finds a vulnerability

Bridgecrew (Checkov)

```text
Run Task: Bridgecrew Checkov
Endpoint: https://www.bridgecrew.cloud/api/v1/...
```

Infracost

```text
Run Task: Infracost Cloud
```

→ Shows the cost diff in the run UI

Custom (Webhook)

```text
Run Task: Custom
Endpoint: https://my-internal-tool.example.com/scan
HMAC Key: ***
```

→ The run task sends the plan JSON to your endpoint
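A minimal receiver for the custom webhook run task above, added here as an example; it is not code from this page or from HashiCorp. It assumes (not stated on the page) that HCP Terraform signs each request with HMAC-SHA512 over the raw body using the task's HMAC key and sends the hex digest in an X-TFC-Task-Signature header, that a registration probe arrives with access_token "test-token", and that the verdict is reported by PATCHing task_result_callback_url; the key, sample payload and scanner are constructed.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Optional, Tuple

# Placeholder for the HMAC key entered under Settings -> Run Tasks (constructed)
HMAC_KEY = b"example-run-task-hmac-key"

def sign(body: bytes, key: bytes = HMAC_KEY) -> str:
    """Hex HMAC-SHA512 over the raw request body (assumed X-TFC-Task-Signature scheme)."""
    return hmac.new(key, body, hashlib.sha512).hexdigest()

def verify_signature(body: bytes, header: Optional[str], key: bytes = HMAC_KEY) -> bool:
    """Constant-time check; a missing or malformed header fails instead of raising."""
    return hmac.compare_digest(sign(body, key), (header or "").strip().lower())

def build_result(status: str, message: str) -> Dict:
    """Document to PATCH to task_result_callback_url, authorised with the run's access_token."""
    if status not in ("passed", "failed"):
        raise ValueError(f"unknown status {status!r}")
    return {"data": {"type": "task-results",
                     "attributes": {"status": status, "message": message}}}

def handle_request(body: bytes, headers: Dict[str, str],
                   scan: Callable[[Dict], List[str]] = lambda payload: []) -> Tuple[int, Optional[Dict]]:
    """Return the immediate HTTP status and the result to report later (None: nothing to report).
    `scan` stands in for the real scanner, which would fetch payload["plan_json_api_url"]
    with payload["access_token"]; the default stub finds nothing."""
    if not verify_signature(body, headers.get("X-TFC-Task-Signature")):
        return 401, None                      # unsigned or forged: never act on the payload
    payload = json.loads(body)
    if payload.get("access_token") == "test-token":
        return 200, None                      # registration probe sent when the task is created
    findings = scan(payload)
    if findings:
        return 200, build_result("failed", "; ".join(findings))
    return 200, build_result("passed", "plan scanned, no findings")

# Constructed sample request, shaped like the fields a run task request carries
SAMPLE_BODY = json.dumps({
    "access_token": "constructed-run-token",
    "stage": "post_plan",
    "run_id": "run-CONSTRUCTED",
    "workspace_name": "prod-network",
    "plan_json_api_url": "https://app.terraform.io/api/v2/plans/plan-CONSTRUCTED/json-output",
    "task_result_callback_url": "https://app.terraform.io/api/v2/task-results/taskrs-CONSTRUCTED/callback",
}).encode()
```

Answer 200 immediately and PATCH the result afterwards; the signature check is what stops anyone who can reach the endpoint from feeding it a fake plan.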

5. Private Module Registry

All tiers, but Plus and above add features:

```hcl
module "vpc" {
  source  = "app.terraform.io/my-org/vpc/aws"
  version = "~> 1.0"
}
```

Plus features:

  • Module lifecycle management (deprecated, archived)
  • Module statistics (usage)
  • Module versioning + tagging

6. Self-Hosted Agents

Plus and above: run Terraform inside your own network (not HashiCorp's)

Use when:

  • Terraform needs to reach a private VPC
  • Compliance: code and state must not leave the network

```bash
# On a VM inside the VPC. TFC_AGENT_TOKEN is a long-lived bearer credential
# for the agent pool: inject it from a secret store rather than typing it
# into the command line, where it ends up in shell history and process lists.
docker run -d \
  -e TFC_AGENT_TOKEN="$TFC_AGENT_TOKEN" \
  -e TFC_AGENT_NAME=my-agent \
  hashicorp/tfc-agent:latest
```

```text
Workspace → Settings → Execution Mode → Agent
└── Pool: my-agent-pool
```

→ Runs execute on the agent, over the internal network

7. Cost Estimation (built-in)

Standard and above: cost is estimated automatically in the plan UI

```text
Plan complete!

Cost estimation:
+ Hourly cost: $0.0848/hr
+ Monthly cost: $61.99/mo

Detailed breakdown ↗
```

→ No need to set up Infracost: it is built in

8. Drift Detection

Plus and above: automatic drift detection

```text
Workspace → Settings → Drift Detection
└── Schedule: Daily at 09:00 UTC
    Notify on drift: ✅
```

→ Daily check whether real infrastructure matches the state; notifies if drift is found

9. Continuous Validation

Plus and above: validate the workspace on a schedule

```text
Workspace → Health Assessments
└── Schedule: Daily
    Tests: precondition + postcondition checks
```

→ Tests the workspace's assumptions on a schedule (e.g. the AMI still exists, the certificate has not expired)

10. Private Network (Connect)

Plus and above: VPC peering between TFC and your AWS VPC

```text
Settings → Networking → VPC Peering
└── Your VPC: vpc-12345
    Region: us-east-1
```

→ TFC runs can reach your private resources

11. Workspace Templates

Plus and above: share configuration across workspaces

```hcl
terraform {
  cloud {
    organization = "my-org"

    workspaces {
      tags = ["prod", "webapp"] # match by tag
    }
  }
}
```

→ Applies the configuration to every workspace matched by tag

12. SLA & Support

Plus+:

  • 99.9% uptime SLA
  • 8x5 support
  • Priority response

Enterprise:

  • 99.95% uptime SLA
  • 24x7 support
  • Dedicated CSM

13. Self-Hosted Platform (TFE Enterprise)

Enterprise tier:

  • Run TFC in your own data center
  • Air-gapped deployment
  • Bring your own Postgres
  • HSM integration (FIPS 140-2)

Used by:

  • Government / defense
  • Banking
  • Healthcare (where public cloud is prohibited)

14. Run Tasks Library

Pre-integrated:

  • Snyk
  • Aqua
  • Bridgecrew (Prisma Cloud)
  • Wiz
  • Datadog
  • Splunk

Configured in the UI, no webhook to write

15. Notifications

All tiers:

  • Slack
  • MS Teams
  • Email
  • Webhook

```text
Settings → Notifications → Add
└── Type: Slack
    URL: https://hooks.slack.com/...
    Triggers: needs_attention, applying, completed, errored
```

Example: Enterprise Setup

organization-setup.yml

```yaml
organization: my-bank
plan: Plus

settings:
  sso:
    type: SAML
    idp: Okta

  default_execution_mode: agent
  agent_pool: corporate-agents

  policy_sets:
    - name: security-policies
      enforcement: hard-mandatory
      policies:
        - require-encryption
        - no-public-resources
        - tagging-policy

  run_tasks:
    - name: Snyk
      enforce: hard
    - name: Bridgecrew
      enforce: soft

  vcs:
    type: GitHub Enterprise
    url: https://github.mybank.internal

workspaces:
  prod-network:
    auto_apply: false
    notifications:
      - slack: "#prod-deployments"
    drift_detection: enabled
    health_assessments: enabled
```

Cost Considerations

Free Tier

  • $0
  • 5 users, 500 free workspaces
  • Basic features

Standard

  • ~$20/user/month
  • Unlimited users
  • Run tasks, audit logs

Plus

  • ~$80/user/month
  • All Standard + Sentinel + SSO + agents

Enterprise

  • Contact sales
  • Self-hosted, air-gapped, dedicated support

→ Total cost depends on team size + features

Cheaper Alternatives

| Tool | Vendor | Approx Cost |
|---|---|---|
| HCP Terraform Plus | HashiCorp | $$$ |
| env0 | env0 | $$ |
| Spacelift | Spacelift | $$ |
| Scalr | Scalr | $$ |
| Atlantis | Open-source | $ (self-host) |

Summary

  • TFC Plus and above: Sentinel, SSO, agents, drift detection, private network
  • Run Tasks integrate Snyk, Bridgecrew, Infracost
  • Self-hosted agents for private networks
  • Cost estimation + drift detection built-in (no Infracost needed)
  • Enterprise = self-hosted platform
  • Suited to regulated industries and large teams

Next → Authentication