OpenTofu
OpenTofu
May 20, 2025

Scalr support for IaC tools Terraform, OpenTofu, Terragrunt

By
Sebastian Stadil

Okay, let's talk about managing your Infrastructure as Code (IaC) when you're juggling Terraform, OpenTofu, or Terragrunt. We all know the power these tools bring, but scaling them across teams and projects can turn into a real headache pretty fast. That's where a platform like Scalr can make a difference, not by getting in your way, but by smoothing out the rough edges.

Scalr support for Tools Terraform, OpenTofu, Terragrunt

The core idea behind Scalr is to provide a consistent operational framework around your chosen IaC tool. Think centralized state management, sensible access controls, and visibility into what's happening, without forcing you to completely change how you write your code.

Taming Terraform with Scalr

Terraform is fantastic, no doubt. But as soon as you're not a solo developer on a single project, things like state file management, concurrent runs, and ensuring everyone has the right permissions become non-trivial.

Pain Point: State File Chaos and ConflictsRemember the "who has the latest state file?" dance or accidentally stomping on someone else's apply? Scalr steps in by providing a remote backend for your Terraform state. This means no more S3 bucket policies to wrestle with for every new project or worrying about state locking.

A typical backend configuration in your Terraform code when using Scalr might look something like this:

Terraform

terraform {
 backend "remote" {
   hostname     = "your-scalr-account.scalr.io"
   organization = "your-organization-name"

   workspaces {
     name = "your-workspace-name"
   }
 }
}

Scalr handles the storage, encryption, and locking of that state file for you.

Pain Point: "It Works On My Machine" and Inconsistent EnvironmentsScalr allows you to define workspaces that are linked directly to your VCS repositories (like GitHub, GitLab, etc.). You can map branches to workspaces, ensuring that a push to main triggers a run in your production workspace, while a push to a feature branch can deploy to a dev environment. This brings consistency. Variables, including sensitive ones, are managed within Scalr and injected at runtime, so no more .tfvars files with secrets floating around.

Success Indicator: Fewer "oops, I deployed to prod" moments. Faster, more reliable deployments because the environment configuration is managed centrally. You'll also see quicker onboarding for new team members as they don't need to configure a complex local setup.

Pain Point: Who Ran What, and Was it Allowed?Scalr provides Role-Based Access Control (RBAC) and integrates with Open Policy Agent (OPA). This means you can define who can plan, apply, or approve runs for specific workspaces. OPA integration lets you enforce custom policies on your Terraform code before an apply happens, catching potential issues early.

For example, you might have a policy that prevents deploying oversized VMs. If a terraform plan violates this, Scalr can flag it or even block the apply.

Success Indicator: Clear audit trails. Reduced risk of unauthorized changes. Compliance requirements are easier to meet because policies are enforced automatically.

OpenTofu: The Open Source Path with Scalr

For those of us moving to or starting with OpenTofu, the good news is that Scalr's support is pretty much seamless because OpenTofu maintains compatibility with Terraform. The pain points and how Scalr addresses them are largely the same.

Pain Point: Ensuring a Smooth Transition and Future-ProofingIf you're migrating from Terraform to OpenTofu, Scalr can act as a consistent management layer. You point your OpenTofu configurations to Scalr just like you would with Terraform. Scalr's execution environment can run your tofu commands.

Your backend configuration for OpenTofu would be identical to the Terraform example:

Terraform

terraform { // Yes, it's still 'terraform' block for OpenTofu compatibility
 backend "remote" {
   hostname     = "your-scalr-account.scalr.io"
   organization = "your-organization-name"

   workspaces {
     name = "your-opentofu-workspace"
   }
 }
}

Pain Point: Parity in Tooling and CollaborationScalr offers the same set of features for OpenTofu as it does for Terraform: version control integration, workspace management, RBAC, OPA policy enforcement, and centralized run viewing. This means your team doesn't have to learn a new set of operational tools if they switch to OpenTofu.

Success Indicator: Teams can adopt OpenTofu without disrupting their existing IaC workflows managed by Scalr. Consistent policy enforcement and collaboration features work out-of-the-box.

Getting a Grip on Terragrunt with Scalr

Terragrunt is awesome for keeping your Terraform configurations DRY (Don't Repeat Yourself) and managing multiple environments or modules. Scalr complements Terragrunt by providing the execution and governance layer.

Pain Point: Orchestrating Terragrunt Runs at ScaleWhile Terragrunt helps organize your code, you still need a way to trigger runs, manage approvals, and see the output across many Terragrunt modules or stacks. Scalr can trigger your Terragrunt commands (terragrunt apply-all, terragrunt plan-all) within its managed execution environment.

You would typically structure your repository with Terragrunt HCL files, and Scalr workspaces would point to the directories containing these files. Scalr then executes Terragrunt, which in turn calls Terraform/OpenTofu.

A simplified Terragrunt setup might look like this in your terragrunt.hcl:

Terraform

remote_state {
 backend = "remote"
 config = {
   hostname     = "your-scalr-account.scalr.io"
   organization = "your-organization-name"

   workspaces = {
     // Terragrunt can dynamically set this or you can configure it
     name = "terragrunt-${path_relative_to_include()}"
   }
 }
}

inputs = {
 // Your common variables
}

Scalr becomes the unified place to see the status of these apply-all or plan-all operations.

Pain Point: Environment Promotion and ConsistencyTerragrunt is often used to manage dependencies between modules and promote changes through environments (dev -> staging -> prod). Scalr’s VCS integration helps here. For example, merging a feature branch into develop could trigger Terragrunt runs for your dev environment workspaces in Scalr. Merging develop into main could then trigger runs for staging or production.

Success Indicator: Clearer visibility into complex Terragrunt deployments. Easier promotion of configurations across environments with predictable outcomes. The same RBAC and OPA policies apply, ensuring governance even with Terragrunt's layered approach.

Pain Point: Debugging and Visibility into Terragrunt RunsDebugging a terragrunt apply-all failure can sometimes mean digging through a lot of console output. Scalr provides a centralized view of all the logs from your Terragrunt runs, making it easier to pinpoint where things went wrong within a specific module.

Success Indicator: Reduced time spent debugging Terragrunt deployments. Developers can quickly identify which part of a multi-module deployment failed and why.

In essence, Scalr aims to take away the operational burdens of using Terraform, OpenTofu, or Terragrunt at scale, letting you focus on writing good IaC. It’s about providing that governance, visibility, and collaboration layer without making you throw out the tools you already know and like.Scalr enhances infrastructure as code (IaC) workflows by providing a unified platform for Terraform, OpenTofu, and Terragrunt. It centralizes state management, simplifies collaboration, and integrates policy enforcement and cost estimation across these tools.

Streamlining IaC with Scalr: Terraform, OpenTofu, and Terragrunt Support

Managing infrastructure as code (IaC) can get complicated, especially when you're juggling different tools or scaling up. If you're using Terraform, its open-source fork OpenTofu, or the wrapper Terragrunt, you know the power they offer but also the potential headaches. Scalr steps in to provide a smoother experience across these tools, addressing common pain points like state management, collaboration, and consistent execution.

Terraform Integration: Taming State and Collaboration

A major challenge with Terraform is managing state files, especially in a team. Scalr acts as a remote backend, securely storing your Terraform state. This means no more clobbering each other's state files or complex S3 bucket permission setups.

Key Benefits:

  • Centralized State Management: Scalr handles storing and versioning your state files. You can even roll back to previous states if something goes wrong. This is a huge relief compared to manually managing state backends.
    • Success Indicator: Fewer state-related conflicts and easier recovery from errors.
  • Collaboration & RBAC: Scalr provides role-based access control (RBAC), allowing you to define who can do what within your Terraform workspaces. This is crucial for security and compliance, especially as your team grows.
    • Guideline: Define clear roles (e.g., dev-team-lead, qa-engineer) with specific permissions for environments and workspaces.
    • Success Indicator: Reduced risk of unauthorized changes and clearer audit trails.
  • VCS-Driven Workflows: Connect your Git repositories (GitHub, GitLab, etc.) directly to Scalr workspaces. Commits and pull requests can automatically trigger Terraform plans, and merges can trigger applies. This brings CI/CD principles to your infrastructure.
    • Example: A terraform plan automatically runs on a pull request, showing the proposed changes directly in the PR comments.
    • Success Indicator: Faster feedback loops and more reliable deployments.

Pain Point Addressed: Debugging state issues or figuring out who changed what becomes much simpler with Scalr's run history and state versioning. If a run fails, the logs are centralized in Scalr, making it easier to pinpoint the problem without digging through CI/CD logs or individual machine outputs.

A typical Scalr backend configuration in your Terraform code might look like this:

Terraform

terraform {
 backend "remote" {
   hostname     = "myaccount.scalr.io"
   organization = "my-organization-name"

   workspaces {
     name = "my-workspace-name"
   }
 }
}

Guideline: Always use the remote backend block provided by Scalr in your root module to ensure state is managed by Scalr.Success Indicator: Consistent state locking and versioning visible within the Scalr UI for every run.

OpenTofu Support: Embracing the Open Source Alternative

For those who've transitioned to or are considering OpenTofu (the open-source successor to Terraform after the license change), Scalr offers first-class support. Since OpenTofu maintains compatibility with Terraform 1.5.x and earlier, integrating it with Scalr is generally seamless.

Key Benefits:

  • Consistent Workflow: You get the same benefits as with Terraform – centralized state, RBAC, VCS integration, policy checks, and cost estimation. Scalr treats OpenTofu runs just like Terraform runs.
    • Guideline: Ensure your OpenTofu configurations adhere to the syntax and structure expected by the version you're using, which Scalr will then execute.
    • Success Indicator: OpenTofu deployments are managed with the same level of control and visibility as Terraform deployments within Scalr.
  • Policy Enforcement (OPA): Use Open Policy Agent (OPA) to define and enforce policies on your OpenTofu configurations before they're applied. This helps maintain compliance and prevent misconfigurations.
    • Example: A policy could prevent the creation of overly expensive machine types or ensure all resources are tagged correctly.
    • Success Indicator: Reduction in out-of-policy deployments and improved compliance posture.
  • Cost Estimation: Scalr can integrate with tools like Infracost to show you the potential cost impact of your OpenTofu changes before you apply them, usually by commenting on a pull request.
    • Pain Point Addressed: Avoiding "bill shock" by understanding cost implications early in the development cycle.
    • Success Indicator: Fewer unexpected cloud cost overruns.

If you're using OpenTofu, your backend configuration within the .tf files remains very similar, pointing to Scalr:

Terraform

terraform { // Or `tofu` block if supported by future OpenTofu versions for clarity
 backend "remote" {
   hostname     = "myaccount.scalr.io"
   organization = "my-organization-name"

   workspaces {
     name = "opentofu-project-alpha"
   }
 }
}

Guideline: Specify OpenTofu as the IaC engine in your Scalr workspace settings.Success Indicator: Successful tofu plan and tofu apply operations executed via Scalr with expected state management and policy checks.

Terragrunt Integration: Managing Complexity at Scale

Terragrunt is a popular wrapper for Terraform and OpenTofu that helps keep your configurations DRY (Don't Repeat Yourself) and manage multiple environments more effectively. Scalr natively supports Terragrunt, allowing you to leverage its power within a managed platform.

Key Benefits:

  • Simplified run-all Operations: If you use terragrunt run-all to manage multiple modules or environments, Scalr can execute these commands, providing visibility into each underlying Terraform/OpenTofu operation.
    • Pain Point Addressed: Orchestrating changes across many Terragrunt modules can be complex to track. Scalr provides a unified view of these multi-part deployments.
    • Success Indicator: Successful execution and logging of run-all commands within Scalr with clear status for each module.
  • Variable Hierarchy Management: While Terragrunt excels at managing variable hierarchies with terragrunt.hcl files, Scalr complements this by allowing environment-level and workspace-level variables that can be securely managed and injected.
    • Guideline: Define common variables at higher levels in your Terragrunt structure or within Scalr environments, and override specifics at lower levels or in Scalr workspaces.
    • Success Indicator: Reduced duplication of variable definitions and more consistent configurations across environments.
  • Dependency Management: Terragrunt helps define dependencies between your infrastructure modules. Scalr respects these dependencies when executing Terragrunt commands.
    • Success Indicator: Modules are deployed in the correct order as defined by Terragrunt dependencies.

For a CLI-driven Terragrunt workflow with Scalr, you'd typically configure the remote backend in your root terragrunt.hcl:

Terraform

remote_state {
 backend = "remote"
 config = {
   hostname     = "myaccount.scalr.io"
   organization = "my-organization-name"

   workspaces {
     name = "terragrunt-prod-vpc" // Or use a prefix for run-all
     // prefix = "terragrunt-prod-" // if using run-all and want Scalr to manage individual module states under this prefix
   }
 }
}

// You might also use generate blocks for provider configurations if needed
generate "provider" {
 path      = "provider.tf"
 if_exists = "overwrite_terragrunt"
 contents  = <<EOF
provider "aws" {
 # Configuration sourced from Scalr environment variables or provider configs
}
EOF
}

Guideline: When using run-all with Scalr, ensure each unit (module) is configured to use a non-Scalr remote backend (like S3) for its individual state if you want run-all to manage dependencies and Scalr to orchestrate the overarching run-all command. Alternatively, for full Scalr state management per module, you'd treat each Terragrunt module as a separate Scalr workspace. The Scalr documentation provides specifics on the best approach depending on your run-all strategy.Success Indicator: Clear visibility into run-all operations within the Scalr UI, with individual module logs and status, and state managed as per your chosen configuration. Detection of deleted units in run-all workspaces is also a key Scalr feature.

By offering robust support for Terraform, OpenTofu, and Terragrunt, Scalr aims to unify your IaC practices, making them more secure, collaborative, and efficient. It tackles the common operational hurdles, letting you focus more on defining your infrastructure and less on the surrounding mechanics.

Note: Check out our new Learning Center here for technical guides and how-tos.

Your costs = usage. Period.

A screenshot of the modules page in the Scalr Platform