Terraform
Realm9 provides a full Terraform execution platform — connect your Git repositories and cloud accounts, then plan, apply, and destroy infrastructure through a governed workflow with policy checks, approval flows, drift detection, and an AI-assisted editor.
Concepts
| Concept | What it is |
|---|---|
| Project | A Git repository connected to a cloud account. The top-level unit of Terraform configuration. |
| Workspace | An environment-specific execution context within a project — each has its own state file, variables, and lifecycle stage. |
| Run | A single execution of terraform plan, apply, destroy, or refresh within a workspace. |
| Starter Project | A pre-built Terraform template that creates a ready-to-use project and workspace from a form — no code required. |
| Project Template | A form-based workspace creation template defined within a project. Admins configure which variables are exposed as form fields; users deploy workspaces by filling in the form without touching raw Terraform variables. |
| Infrastructure Template | A VM or OS image (ISO, OVA, AMI, etc.) available for use in Terraform-provisioned infrastructure. |
Projects
Navigate to Terraform → Projects to see all projects in your organisation.
Creating a Project
When creating a new project, choose between two modes:
- Bring Your Own Project — connect your own Git repository
- Use a Starter — create a project from a pre-built template (see Starter Projects below)
Bring Your Own Project
Admins configure:
Git Repository:
- Provider (GitHub, GitLab, Gitea, etc.)
- Repository URL and branch
- Subdirectory path (if Terraform files are in a subfolder)
- Git token for repository access
Cloud Provider:
- Provider (AWS, Azure, GCP, On-Premises)
- Cloud Connection and Connection Role
- See Cloud Connections for setup
Automation Settings:
- Auto Plan — automatically trigger a plan on every Git push to configured branches
- Auto Plan Branches — specify which branch names trigger auto-plan
- Auto Apply — automatically apply after a successful plan (use with caution)
- Requires Approval — require manual approval before applying
Approval Configuration:
- Designate specific approvers (empty = any Admin or Provisioner can approve)
- Minimum number of approvals required
State Backend:
- AWS projects — S3 bucket and DynamoDB table for state and locking
- Azure projects — Azure Blob Storage
- GCP projects — S3-compatible backend
- State configuration applies to all workspaces in the project
Policy Profile:
- Override the organisation default policy profile for this project, or skip policy checks entirely
Advanced Settings:
- Custom Init Script — run a custom bash script before
terraform init(useful for installing custom providers) - Notification Channels — comma-separated email addresses to notify on run events
- Validation Settings — timeout and concurrency controls for validation runs
What the Projects List Shows
- Project name, description, status (Active, Inactive, Analyzing, Error)
- Cloud provider and Git branch
- Workspace count and run count
- Tags: Auto Apply, Approval Required
Starter Projects
Requires Infrastructure Enterprise or Ultimate tier.
Starter Projects are pre-built Terraform templates that create a fully configured project and workspace from a form — no code required.
Available Starters
| Cloud | Starters |
|---|---|
| AWS | VPC (Networking), EC2 (Compute), EKS (Containers), S3 Static Website (Storage), RDS PostgreSQL (Database), 3-Tier Architecture (Full Stack) |
| Azure | VNet (Networking), VM (Compute), AKS (Containers), Storage Account (Storage), PostgreSQL (Database) |
| Proxmox | VM (Compute), 3-Tier Architecture, HA 3-Tier Architecture, Zabbix Server (Monitoring) |
| VMware | VM (Compute), 3-Tier Architecture, HA 3-Tier Architecture, Zabbix Server (Monitoring) |
Using a Starter
- Go to Terraform → Projects → New Project
- Select Use a Starter
- Browse and select a starter template
- Fill in the starter form — field types include text, number, yes/no, dropdown, multi-select, key-value pairs
- Submit — Realm9 creates the project, workspace, and infrastructure template automatically
Notes:
- Starter projects lock Git configuration after creation — it cannot be edited
- A remote starter catalog can also be configured by administrators via environment variables for custom organisational templates
Workspaces
Each project can have multiple workspaces — one per environment or deployment target.
Lifecycle Stages
| Stage | Use |
|---|---|
| Development | Active development work |
| Testing | QA and test infrastructure |
| Staging | Pre-production validation |
| Production | Live infrastructure |
| Deprecated | Scheduled for decommission |
Lifecycle stage is set at workspace creation and cannot be changed afterwards.
Workspace Variables
Realm9 automatically extracts variable definitions from your .tf files. Each workspace can then have its own values for those variables. Variables can be marked sensitive to hide their values in the UI.
Sync Status:
| Status | Meaning | Effect |
|---|---|---|
| In Sync | Variables match the project's definitions | Runs can be created normally |
| Needs Sync | New or changed project variables are available | Run creation is blocked — click Sync from Project to pull changes |
| Pending Input | New required variables have no values yet | Run creation is blocked — edit variables to provide values |
After a project reactivation, a dismissible banner shows what changed (new variables, removed variables, preserved values) and when variables were last refreshed.
State Management
Each workspace has its own remote state file. State locking prevents concurrent operations from corrupting state.
State Viewer — the workspace detail page has a State tab showing the raw Terraform state with lock status. If the state is currently locked, the lock ID, owner, and timestamp are shown. Admins can Force Unlock State from this tab — a confirmation dialog warns that unlocking during an active operation can corrupt state.
State Import — if you have an existing Terraform state file from another backend, you can import it:
- Go to workspace settings and generate a time-limited import token
- Upload the state file using the token
- Realm9 migrates it to the configured backend on the next run
Workspace Settings
Each workspace has five settings tabs:
| Tab | What you can configure |
|---|---|
| General | Working directory (subdirectory within the repo), custom Kubernetes service account for runs that need specific RBAC |
| Variables | View and edit all workspace variable values |
| Resources | Override Kubernetes job resource limits per workspace: volume size, memory request/limit, CPU request/limit, ephemeral storage, job timeout (300–7200 seconds) |
| Retention | Run history retention policy: keep runs for N days, keep last N runs, or both |
| Danger Zone | Delete the workspace |
Linking Workspaces
Workspaces can be linked to environments and bookings:
- Environment Workspace — provisions the environment's underlying infrastructure
- Booking Workspace — provisioned automatically when a booking starts and destroyed when it ends
Project Templates
Project Templates let admins define a form-based workspace creation experience within a project. Instead of requiring users to manually edit raw Terraform variables, a template presents a clean form with only the fields the admin wants to expose. Submitting the form creates a new workspace automatically.
Templates are managed from the Templates tab on the project detail page.
Creating a Project Template
Only Admins can create and manage templates. Open a project, go to the Templates tab, and click New Template.
Template Metadata
| Field | Notes |
|---|---|
| Name | Display name shown to users when picking a template |
| Description | Optional — explains what the template provisions |
| Category | Optional grouping label |
| Default Lifecycle Stage | Lifecycle stage auto-assigned to workspaces created from this template (Development, Testing, Staging, Production, Deprecated) |
| Workspace Name Pattern | Optional pattern hint shown to users when naming the workspace — e.g. prod-{region} |
| Active | Only active templates appear in the deploy dialog |
Form Fields
Form fields map directly to Terraform variables defined in the project. For each field you add:
| Property | Notes |
|---|---|
| Variable | The Terraform variable this field controls — picked from the project's variable list |
| Label | Human-readable field label shown in the form |
| Field Type | Controls the input widget rendered (see Field Types below) |
| Required | Whether the field must be filled before deployment |
| Default Value | Pre-populated value (user can override) |
| Description / Help Text | Shown beneath the field to guide users |
| Placeholder | Hint text shown inside empty inputs |
| Section | Group related fields under a named heading in the form |
| Validation | Type-specific constraints: min/max length for text, min/max value for numbers, regex pattern for text |
Fields can be reordered using the up/down controls — order determines the sequence in the form.
Field Types
| Type | Widget | When to use |
|---|---|---|
| Text | Single-line input | Short strings: names, IDs, regions |
| Number | Numeric input with optional min/max | Instance counts, port numbers, sizes |
| Boolean | Toggle switch | Yes/No flags |
| Select | Dropdown | One choice from a fixed list |
| Multiselect | Toggle chips | Multiple choices from a fixed list |
| Textarea | Multi-line input | Scripts, long strings, multi-line values |
| JSON | Monospace textarea with JSON validation | Structured config objects |
| Key-Value | Key–value pair editor | Maps, tag sets, environment variables |
Key-Value fields support preset keys — fixed keys the admin defines upfront (with optional required flag and default value) — plus optional free-form custom keys the user can add.
Hidden Variables
Variables that should have a fixed value without being shown to users go in Hidden Variables. Specify the Terraform variable name and a static value. Realm9 injects these automatically when the workspace is created.
Every required variable in the project must be covered by either a form field, a hidden variable, or a default value in the project — the form builder validates this and blocks saving if any required variable is uncovered.
Enabling and Disabling Templates
Each template has an Active toggle. Inactive templates are hidden from the deploy dialog but remain in the database. Use this to retire old templates without deleting them — workspaces already created from a deactivated template are unaffected.
If a template is deactivated while workspaces still reference it, deleting it performs a soft-delete (deactivation) rather than hard-delete to preserve the workspace relationship.
Deploying from a Template
Any user with access to the project can deploy from an active template. The flow is two steps:
Step 1 — Pick a template Open the project detail page and click Deploy from Template. A dialog lists all active templates for the project with a field count and hidden variable count shown for each.
Step 2 — Fill the form Select a template to open its form. Fill in the required fields, optionally provide a workspace name (auto-generated from the workspace name pattern if left empty), and click Add.
Realm9 creates the workspace with the provided values merged with any hidden variables, and assigns the template's default lifecycle stage.
Role-Based Access for Templates
| Action | Viewer | User | Provisioner | Admin |
|---|---|---|---|---|
| View and deploy from templates | — | — | ✓ | ✓ |
| Create / edit / delete templates | — | — | — | ✓ |
| Enable / disable templates | — | — | — | ✓ |
Runs
A run is a single Terraform operation. Navigate to Terraform → Runs to see all runs across all workspaces.
Run Types
| Type | What it does |
|---|---|
| Plan | Runs terraform plan — previews changes without applying |
| Apply | Runs terraform apply — executes the planned changes |
| Destroy | Runs terraform destroy — removes all resources tracked in state |
| Refresh | Runs terraform refresh — updates state from actual cloud resources |
Run Statuses
| Status | Meaning |
|---|---|
| Queued | Waiting in the job queue |
| Planning | Running terraform plan |
| Planned | Plan complete, awaiting approval or apply |
| Pending Approval | Waiting for a user to approve the apply |
| Applying | Running terraform apply |
| Applied | Apply completed successfully |
| Destroying | Running terraform destroy |
| Destroyed | Destroy completed |
| Completed | Run finished successfully |
| Failed | Run failed with errors |
| Policy Failed | Blocked by a hard mandatory policy check |
| Rejected | Approval was denied |
| Cancelled | Manually cancelled |
Apply Approval
When a project has Requires Approval enabled:
- Run a Plan first
- Once the plan completes, the approver reviews the planned changes (add/change/destroy resource counts are shown)
- The approver clicks Approve (with optional notes) or Reject (with reason)
- On approval, the apply is queued automatically
If the Git commit SHA changes between the plan and the apply (e.g. a new commit is pushed), the Apply button is disabled — you must run a new plan against the latest commit first.
Run Detail
The run detail page has six tabs:
| Tab | Content |
|---|---|
| Console | Live-streaming log output from the Terraform execution |
| Resources | Plan summary — add/change/destroy resource counts and per-resource breakdown |
| Outputs | Terraform output values from the run |
| Variables | Variables used for this run |
| Policy | Full policy check results per scanner — severity, file, line number, check ID, remediation guidance |
| Related Runs | Parent and child runs (e.g. the plan that preceded this apply) |
Logs stream in real time via Server-Sent Events during active runs.
Policy Checks
Before each plan and apply, configured policy scanners run automatically. If a hard mandatory policy check fails, the run is blocked with a Policy Failed status. Admins and Provisioners can override the block with a written justification recorded in the audit log.
See the Policies section for full details.
Policies
Policy profiles define which scanners are active and how violations are enforced. Configure profiles under Settings → Terraform Policies.
Scanners
| Scanner | What it checks | Notes |
|---|---|---|
| Checkov | IaC security misconfigurations (AWS, Azure, GCP, Kubernetes) | Configure skip check IDs |
| TruffleHog | Secrets and credentials accidentally committed to code | "Only Verified Secrets" toggle available |
| Trivy | Secondary IaC scanner | Filters by severity (High, Critical by default) |
| Infracost | Cloud cost estimation | Schema support only — no UI controls yet |
| OPA / Conftest | Custom Rego policies | Schema support only — no UI controls yet |
| Custom Scanner | Your own scanner image | Requires Enterprise tier — provide a Docker image and optional registry credentials |
Enforcement Modes
| Mode | Effect |
|---|---|
| Advisory | Report findings, never block a run |
| Soft Mandatory | Block on violations; can be overridden |
| Hard Mandatory | Block on violations; override requires Admin or Provisioner |
When Scanners Run
Each profile lets you configure which run types trigger scanning:
| Run Type | Default |
|---|---|
| Plan | On |
| Apply | On |
| Destroy | Off |
Severity-Based Blocking (Hard Mandatory)
| Severity | Blocked by default |
|---|---|
| Critical | ✓ |
| High | ✓ |
| Medium | — |
| Low | — |
| Secrets found | ✓ |
Profile Settings
Each profile has:
- Enable / Disable toggle — inactive profiles are not applied to any runs
- Exclusions — glob patterns for paths to skip (default:
**/test/**,**/examples/**) - Set as Default — used for all projects that have no profile override
Drift Detection
Drift detection monitors for divergence between your Terraform state and your cloud infrastructure. Alerts appear under Terraform → Drift Alerts.
What Triggers Drift Alerts
- Git push — a webhook from your Git provider triggers analysis on code push
- Periodic scan — background job checks for cloud-side changes
- Pre-run check — validation before each plan or apply
Drift Types
| Type | What it means |
|---|---|
| Permission Added | New IAM permissions required by updated Terraform code |
| Permission Removed | IAM permissions removed from Terraform code |
| Resource Added | New resources added to Terraform code |
| Resource Removed | Resources removed from Terraform code |
Each alert shows the triggering Git commit (SHA and message), the affected IAM role or resource, and a recommendation for remediation.
Alert Statuses
| Status | Meaning |
|---|---|
| Open | Newly detected, not yet actioned |
| Acknowledged | Reviewed, planned for resolution |
| Resolved | Fixed — resolution notes required |
| Ignored | Dismissed as expected or acceptable |
Resolving an Alert
Click on an alert to open the detail view. Enter resolution notes and click Resolve Alert. Resolved alerts show the resolver's name, timestamp, and notes.
The alerts page shows summary cards: Total, Open, Critical, and Resolved counts. Filter by status or severity.
Infrastructure Templates
Navigate to Terraform → Templates.
Infrastructure templates are VM and OS images available for use when provisioning compute resources through Terraform. Each template represents a specific build artifact.
Template Fields
| Field | Notes |
|---|---|
| OS Family | Linux or Windows |
| OS Type / Version | e.g. Ubuntu 22.04 |
| Architecture | e.g. x86_64, arm64 |
| Source Type | ISO, OVA, OVF, Cloud Image, AMI, Azure Image, GCP Image, Packer Build |
| Hypervisor Types | Compatible hypervisors |
| Hardened | Whether the image meets a hardening standard (e.g. CIS) |
| Hardening Standard | The standard applied (e.g. CIS Level 1) |
| Supports Cloud-Init | Whether the image accepts cloud-init user data |
| Version | Image version string |
Approval Flow
Templates go through an approval process before they can be used:
- Upload or register a new template (status: Draft)
- Publish the template (status: Published)
- An Admin approves the template (status: Approved — template is now available for use)
Templates can be downloaded directly from the list page.
Editor & AI Assistant
Each project has a built-in code editor accessible from the project detail page.
Editor Features
- File Explorer — browse, create, rename, and delete files and folders in the repository
- Multi-tab editing — open multiple files simultaneously with tab switching
- Monaco Editor — code editing with HCL syntax highlighting
- Visual Resource View — graphical diagram of Terraform resources, variables, outputs, modules, and providers parsed from your code
- Terminal — run
terraform validate,init, orplandirectly in the editor - Git Operations — commit changes, switch branches, create new branches, view diffs and status
- Refresh from Git — pull the latest files from the remote repository
- Fullscreen mode — toggle fullscreen editing (ESC to exit)
- Undo AI change — revert the last change made by the AI agent on a per-file basis
- Undo delete — restore a file deleted by the AI agent
Editor state (open tabs, modified files) is persisted across page reloads.
AI Chat
An AI assistant is built into the editor. It can:
- Analyse your Terraform files and suggest improvements
- Generate resource configurations from a description
- Explain existing code
- Help write and validate variable definitions
- Apply suggested changes directly to files
@mention context — type @ in the chat input to inject structured context into your prompt:
| Mention | Injects |
|---|---|
@project: | Current project details |
@workspace: | Workspace configuration |
@run: | A specific run's output |
@connection: | Cloud connection details |
@role: | IAM role information |
The AI supports extended thinking — shows its reasoning steps before the final response for complex infrastructure questions.
Role-Based Access
| Action | Viewer | User | Provisioner | Admin |
|---|---|---|---|---|
| View projects, workspaces, runs | ✓ | — | ✓ | ✓ |
| Trigger runs (plan, apply, destroy) | — | — | ✓ | ✓ |
| Approve / reject runs | — | — | ✓ | ✓ |
| Override policy checks | — | — | ✓ | ✓ |
| Create / edit projects | — | — | — | ✓ |
| Create / edit workspaces | — | — | — | ✓ |
| Manage drift alerts | — | — | ✓ | ✓ |
| Configure policy profiles | — | — | — | ✓ |
| Manage infrastructure templates | — | — | — | ✓ |