## What is HCP?

HCP (HashiCorp Cloud Platform) = HashiCorp's managed cloud service that provides Terraform Cloud, Vault, Consul, Boundary, Packer and Waypoint in one place.
## HCP Platform

### Terraform Cloud (TFC) — the most important part

A managed Terraform service:

- Remote state — state is stored in HashiCorp's infrastructure
- Remote runs — plan and apply run in HashiCorp's infrastructure, not on your laptop
- VCS integration — automatic plan on every PR
- Policy as Code (Sentinel)
- Private module registry
- Run tasks — integrate third-party tools (security scanners, cost estimation)
- Workspaces — organize state by project/environment
## Pricing Tiers

| Tier | Free | Standard | Plus | Enterprise |
|---|---|---|---|---|
| Users | 5 | Unlimited | Unlimited | Unlimited |
| Workspaces | Free 500 | $$ | $$$ | Self-hosted |
| Sentinel | ❌ | ❌ | ✅ | ✅ |
| Run Tasks | ❌ | ✅ | ✅ | ✅ |
| SSO | ❌ | ❌ | ✅ | ✅ |
| Audit logs | ❌ | ✅ | ✅ | ✅ |
| Private modules | ✅ | ✅ | ✅ | ✅ |

See the latest pricing at hashicorp.com/products/terraform/pricing
## When to Use HCP?

✅ Use HCP when:

- more than 5 people on the team use Terraform
- you need centralized state management
- you need a VCS-driven workflow
- you need Policy as Code (Sentinel)
- you don't want to self-host the backend infrastructure
- you need a private module registry

❌ You don't need HCP when:

- only 1-2 people use Terraform
- everything lives in one cloud (an S3 backend is enough)
- the budget is limited
- you already have your own infrastructure ready (S3 + DynamoDB + GitHub Actions)
## Comparison: TFC vs Self-Hosted

| Feature | Terraform Cloud (HCP) | Self-Hosted (S3 + GitHub Actions) |
|---|---|---|
| Setup | 5 minutes | 1 hour |
| State backend | Built-in | Manual setup S3 + DynamoDB |
| VCS integration | Built-in | GitHub Actions yaml |
| Sentinel | ✅ Easy | ❌ Need OPA + integrate |
| Run UI | ✅ Beautiful | ❌ GitHub logs |
| Cost | Per workspace/user | Cloud bill (S3, DynamoDB) |
| Vendor lock-in | High | Low |
| Customization | Limited | Full control |
## Sign Up

- Go to app.terraform.io
- Sign up (free tier)
- Create an organization
- Create your first workspace
## Connect VCS

Settings → VCS Providers → Connect GitHub/GitLab/Bitbucket

```text
Workspace → Settings → Version Control
└── Repository: myorg/my-terraform-repo
    Branch: main
    Auto-apply: false
    Working directory: ./envs/prod
```
## CLI-Driven vs VCS-Driven

### CLI-Driven (similar to local Terraform)

```hcl
terraform {
  cloud {
    organization = "my-org"
    workspaces {
      name = "prod-network"
    }
  }
}
```

```bash
terraform login   # one-time auth
terraform init
terraform apply   # runs in HCP, output shown locally
```
### VCS-Driven (automatic on PR/push)

- Workspace connected to GitHub
- PR → automatic plan + comment on the PR
- Merge → automatic apply (or manual approval)
## Run Triggers

Workspace A changes → triggers an apply in workspace B:

```text
Settings → Run Triggers → Source Workspace: prod-network
```

Use when: the app workspace depends on the network workspace
## Private Module Registry

Publish your organization's modules:

```hcl
module "vpc" {
  source  = "app.terraform.io/my-org/vpc/aws"  # private registry
  version = "1.0.0"
}
```
## Sentinel Policy

Org-wide policies enforced before apply:

```hcl
policy "no-public-s3" {
  source            = "./policies/no-public-s3.sentinel"
  enforcement_level = "hard-mandatory"
}
```

See more in Section 18: Compliance & Sentinel
## Run Tasks

Integrate third-party services between plan and apply:

| Service | Use Case |
|---|---|
| Snyk | Security scan |
| Bridgecrew | Compliance |
| Infracost | Cost estimation |
| Lightlytics | Drift detection |

```text
Settings → Run Tasks → Add → Snyk
└── Endpoint: https://...
    HMAC Key: ***
```

→ every plan calls Snyk → results appear in the Run UI
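The Run Trigger, Sentinel and Run Task settings above are all shown as UI clicks. The same wiring can be kept in code with HashiCorp's `tfe` provider. The following is an added example, not code from the original page or from HashiCorp: it assumes an organization `my-org`, an existing workspace `prod-network` plus an assumed application workspace `prod-app`, a placeholder run task endpoint, and an HMAC key supplied through a sensitive input variable. It also spells out a `no-public-s3` Sentinel policy inline; the page only references that policy by file name, so the policy body here is this example's own, written against the `tfplan/v2` import.

```hcl
terraform {
  required_providers {
    tfe = {
      source  = "hashicorp/tfe"
      version = "~> 0.50"
    }
  }
}

# Authenticates with the token from `terraform login` or the TFE_TOKEN env var.
provider "tfe" {}

# HMAC key shared with the scanner; passed in as a sensitive input (never in the file).
variable "snyk_hmac_key" {
  type      = string
  sensitive = true
}

# Existing workspaces (created in the UI as on the page). "prod-app" is an assumed
# name for the application workspace that depends on the network workspace.
data "tfe_workspace" "prod_network" {
  name         = "prod-network"
  organization = "my-org"
}

data "tfe_workspace" "prod_app" {
  name         = "prod-app"
  organization = "my-org"
}

# Run trigger: a successful apply in prod-network queues a new run in prod-app.
resource "tfe_run_trigger" "network_to_app" {
  workspace_id  = data.tfe_workspace.prod_app.id
  sourceable_id = data.tfe_workspace.prod_network.id
}

# Sentinel policy kept inline instead of in ./policies/no-public-s3.sentinel.
# It fails the run when any S3 bucket ACL in the plan grants public access.
resource "tfe_sentinel_policy" "no_public_s3" {
  name         = "no-public-s3"
  organization = "my-org"
  enforce_mode = "hard-mandatory" # cannot be overridden when the check fails
  policy       = <<-EOT
    import "tfplan/v2" as tfplan

    public_acls = ["public-read", "public-read-write", "authenticated-read"]

    # aws_s3_bucket_acl resources being created or updated by this plan
    s3_acls = filter tfplan.resource_changes as _, rc {
      rc.type is "aws_s3_bucket_acl" and
      rc.mode is "managed" and
      (rc.change.actions contains "create" or rc.change.actions contains "update")
    }

    # "else" covers ACL resources that use an access_control_policy block instead of acl
    no_public_acl = rule {
      all s3_acls as _, rc {
        (rc.change.after.acl else "private") not in public_acls
      }
    }

    main = rule { no_public_acl }
  EOT
}

# Policy set that applies the policy to both production workspaces.
resource "tfe_policy_set" "prod_guardrails" {
  name          = "prod-guardrails"
  organization  = "my-org"
  kind          = "sentinel"
  policy_ids    = [tfe_sentinel_policy.no_public_s3.id]
  workspace_ids = [data.tfe_workspace.prod_network.id, data.tfe_workspace.prod_app.id]
}

# Org-level run task. HCP signs each request to the endpoint with the HMAC key, so
# the scanner can verify that the callback really came from HCP.
resource "tfe_organization_run_task" "snyk" {
  organization = "my-org"
  name         = "snyk"
  url          = "https://run-task.example.invalid/hcp" # placeholder, not a real endpoint
  hmac_key     = var.snyk_hmac_key
  enabled      = true
}

# Attach the task to prod-network after every plan; a failed scan blocks the apply.
resource "tfe_workspace_run_task" "snyk_prod_network" {
  workspace_id      = data.tfe_workspace.prod_network.id
  task_id           = tfe_organization_run_task.snyk.id
  enforcement_level = "mandatory"
  stage             = "post_plan"
}
```

Two enforcement choices carry the security weight here: the policy set attaches `no-public-s3` at `hard-mandatory`, which nobody can override from the run page, and the workspace run task is `mandatory` at `post_plan`, so a failing Snyk result stops the run before any apply. Keeping these in a separate, tightly permissioned configuration (rather than next to the infrastructure code they police) means a change to the guardrails itself shows up as a reviewed plan.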
## Audit Logs

Standard tier and above. You can see:

- who triggered a run
- plan/apply history
- variable changes
- workspace settings changes
## SSO

Plus tier and above: connect SAML/OIDC:

- Okta
- Azure AD
- Google Workspace
- OneLogin

→ organization users sign in through the corporate IdP
## Terraform Enterprise (Self-Hosted)

Run HCP on your own infrastructure:

- Same features as HCP Plus
- Air-gapped deployment supported
- Bring your own database (Postgres)
- Used in regulated industries (banking, government)
## Alternatives

| Service | Vendor | Notes |
|---|---|---|
| HCP Terraform | HashiCorp | Original, most features |
| env0 | env0 | Cheaper, similar features |
| Spacelift | Spacelift | Strong on policy + GitOps |
| Scalr | Scalr | Multi-tenant, RBAC focus |
| Atlantis | Open-source | Free, self-host |
| Self-built (S3 + GitHub Actions) | DIY | Most flexible, most work |
## Example: Migrate to HCP

### Step 1: Create Workspace

In the HCP UI: New Workspace → CLI-Driven

### Step 2: Add Cloud Block

```hcl
terraform {
  cloud {
    organization = "my-org"
    workspaces {
      name = "prod-network"
    }
  }
}
```

### Step 3: Login + Init

```bash
terraform login
terraform init   # → migrates state from S3 to HCP
```

### Step 4: Set Variables in HCP UI

Workspace → Variables → Add:

- `aws_access_key_id` (sensitive)
- `aws_secret_access_key` (sensitive)
- `region` (terraform variable)

### Step 5: Run Apply

```bash
terraform apply   # → runs in HCP, output streams to your laptop
```
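Step 4 above enters the AWS credentials by hand in the UI. As an added example, not code from the page or from HashiCorp, here is the same workspace and its variables managed with the `tfe` provider, combined with the settings from the Connect VCS section (so this is the VCS-driven variant, whereas the migration steps used a CLI-driven workspace). It assumes the organization `my-org`, the repository `myorg/my-terraform-repo`, an OAuth token id copied from Settings → VCS Providers, a placeholder region, and that the AWS credentials are consumed by the AWS provider as environment variables; the credential values are passed in as sensitive input variables rather than written into the file.

```hcl
terraform {
  required_providers {
    tfe = {
      source  = "hashicorp/tfe"
      version = "~> 0.50"
    }
  }
}

provider "tfe" {}

# Credential values come from the caller (TF_VAR_* env vars or a tfvars file that is
# never committed); "sensitive" redacts them from plan and apply output.
variable "aws_access_key_id" {
  type      = string
  sensitive = true
}

variable "aws_secret_access_key" {
  type      = string
  sensitive = true
}

# OAuth token id of the GitHub connection made under Settings → VCS Providers.
variable "github_oauth_token_id" {
  type = string
}

# VCS-driven variant of the page's workspace, with the "Connect VCS" settings.
resource "tfe_workspace" "prod_network" {
  name              = "prod-network"
  organization      = "my-org"
  auto_apply        = false      # a merge queues a plan; a human approves the apply
  working_directory = "envs/prod" # the page's ./envs/prod

  vcs_repo {
    identifier     = "myorg/my-terraform-repo"
    branch         = "main"
    oauth_token_id = var.github_oauth_token_id
  }
}

# Provider credentials as sensitive environment variables. HCP stores them
# write-only: the UI and API never return the value again, only that it is set.
resource "tfe_variable" "aws_access_key_id" {
  workspace_id = tfe_workspace.prod_network.id
  key          = "AWS_ACCESS_KEY_ID"
  value        = var.aws_access_key_id
  category     = "env"
  sensitive    = true
  description  = "Static AWS credential used by remote runs"
}

resource "tfe_variable" "aws_secret_access_key" {
  workspace_id = tfe_workspace.prod_network.id
  key          = "AWS_SECRET_ACCESS_KEY"
  value        = var.aws_secret_access_key
  category     = "env"
  sensitive    = true
  description  = "Static AWS credential used by remote runs"
}

# Plain Terraform input variable; not secret, so it stays readable in the UI.
resource "tfe_variable" "region" {
  workspace_id = tfe_workspace.prod_network.id
  key          = "region"
  value        = "ap-southeast-1" # placeholder region
  category     = "terraform"
  sensitive    = false
}
```

Two things are worth knowing before running this. Marking a `tfe_variable` as sensitive makes it write-only in HCP: rotating the key means writing a new value, and nobody can read the old one back from the UI or API. The `sensitive = true` on the input variables only redacts them from plan output; the values are still recorded in this configuration's own state, so that state needs the same protection as the credentials themselves.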
## Pros & Cons

### Pros ✅

- Easy setup (no S3 bootstrap)
- Beautiful UI for plans/applies
- VCS-driven workflow
- Sentinel + private modules
- SSO + audit logs (paid tiers)

### Cons ❌

- Cost (above the free tier)
- Vendor lock-in
- Needs internet access to apply (vs offline self-hosted)
- BUSL license concerns (some enterprises avoid it)
## OpenTofu Alternative

OpenTofu = open-source fork of Terraform; it supports the TFC backend for the most part:

```hcl
terraform {
  cloud {
    organization = "my-org"
    workspaces { name = "prod" }
  }
}
```

```bash
tofu init
tofu apply
```

(some edge cases of Sentinel / TFC features may not work)
## Summary

- HCP = HashiCorp's managed cloud platform
- Terraform Cloud (TFC) = managed Terraform service
- Free tier available for teams of < 5 people
- 2 modes: CLI-driven + VCS-driven
- Features: state management, run UI, Sentinel, private modules, run tasks
- Alternatives: env0, Spacelift, Atlantis, self-hosted
- Best fit for teams of ≥ 5 people that use Terraform seriously

Next → Enterprise Features