When looking into options for running Terraform or OpenTofu in a hosted solution, like Scalr or Terraform Cloud, self-hosted agents are a critical component to review. In this blog post, we'll delve into Terraform agents, exploring the use cases, benefits, best practices, and the impact they can have on your infrastructure workflows. In Terraform Cloud you are limited to one "Terraform Cloud Agent" unless you subscribe to a more expensive tier or purchase more. In Scalr, there is no charge for extra agents no matter what plan you are on, even the free version.
There are two types of self-hosted agents:
Self-Hosted Run Agents: These agents allow you to execute Terraform runs on your own cloud infrastructure, whether on public cloud resources or in on-premise infrastructure, giving you more control over the execution environment.
Self-Hosted VCS Agents: These agents allow you to pull Terraform configuration files and modules from a VCS provider that is not accessible from the internet.
First, we’ll talk about the benefits of using self-hosted agents for Terraform runs:
In Scalr, agents are deployed with what is called an agent pool. Agent pools can be deployed on virtual machines, Docker, or in Kubernetes. When a Terraform run is triggered from scalr.io, Scalr will hand off the run operations through an HTTP relay to the Terraform agent. Any information like Terraform configuration files, secrets, environment variables, custom hooks, and more will be passed to the agent. The agent spins up a container and executes the Terraform plan and apply in that container while relaying all of the information back to scalr.io for the developers to view. Once the Terraform run has finished, the agent will go back into idle mode, waiting for the next run.
For any organization that hosts its VCS provider internally or behind a firewall, it is highly unlikely that the provider would be opened to the internet, because sensitive information, or just code in general, could be leaked. In most cases, all of the Terraform configuration files as well as Terraform modules come from VCS providers, which is why VCS agents can be a critical component in the setup. VCS agents allow developers to connect their VCS providers to Scalr without opening the VCS provider to the internet. This also uses a secure HTTP relay that passes the configuration files to Scalr.
Scalr only charges for a Terraform run, nothing else. We don’t believe that you should be penalized for following best practices and making your environment more secure. We also don’t believe that we should charge you more for hosting the agent pool on your own virtual machine or Kubernetes cluster. The value of Scalr is completely around a Terraform run and the tooling we supply to help with automation, collaboration, visibility, and more.
The option to use a self-hosted agent pool gives you more control over your Terraform operations when using a product like Scalr or Terraform Cloud. Agents allow you to keep control over your Terraform execution environment, while still using a SaaS platform to help scale, manage, and structure the Terraform deployments. For highly secure environments, agents are considered a best practice to ensure you meet your security and compliance requirements.