
If you're comparing hosted options for running Terraform or OpenTofu, like Scalr or Terraform Cloud, self-hosted agents are worth a close look. This post walks through what Terraform agents do, when you'd reach for them, and how they fit into a real infrastructure workflow. In Terraform Cloud you're limited to one "Terraform Cloud Agent'' unless you move to a more expensive tier or buy more. In Scalr, extra agents are free no matter what plan you're on, even the free version.
There are two types of self-hosted agents:
Running self-hosted agents for Terraform runs gets you a few things.
On security, you can configure the agents to comply with specific security and compliance standards. That matters for organizations with strict regulatory requirements, or for anyone wanting to limit the exposure of sensitive information. The agent pool can be assigned an instance profile, if using an AWS example, and the runs can inherit the credentials of the profile to avoid having to put any access tokens or secrets in the Scalr itself.
You also get to run Terraform operations in an environment you control. You can customize the operating system, install specific software dependencies, and configure network settings. Rather than having to install dependencies before every Terraform plan and apply, the dependencies can be built into the agent.
And because the agents run on your own cloud infrastructure, you have more control over the hardware specifications and resource allocation. This can be useful for optimizing performance based on the specific needs of your Terraform plan and apply.
In Scalr, agents are deployed with what is called an agent pool. Agent pools can be deployed on virtual machines, docker, or in Kubernetes. When a Terraform run is triggered from scalr.io, Scalr will hand off the run operations through an HTTP relay to the Terraform agent. Any information like Terraform configuration files, secrets, environment variables, custom hooks, and more will be passed to the agent. The agent spins up a container, executes the Terraform plan, and apply in the container while relaying all of the information back to scalr.io for the developers to view. Once the Terraform run has finished, the agent will go back into idle mode waiting for the next run.
For any organization that has its VCS provider internally or behind a firewall, it is highly unlikely that it would be opened to the internet due to the possibility of there being sensitive information or just general code leaked. In most cases, all of the Terraform configuration files as well as Terraform modules come from VCS providers which is why VCS agents could act as a critical component in the setup. VCS agents allow developers to connect their VCS providers to Scalr without opening the VCS provider to the internet. This also uses a secure HTTP relay that will pass the configuration files to Scalr securely.
Scalr only charges for a Terraform run, nothing else. We don't believe that if you want to follow best practices and make your environment more secure that you should be penalized for it. We also don't believe that if you are hosting the agent pool on your own virtual machine or Kubernetes cluster that we should charge you more, the value of Scalr is completely around a Terraform run, and the tooling we supply to help with automation, collaboration, visibility, and more.
A self-hosted agent pool gives you more control over your Terraform operations when you run a product like Scalr or Terraform Cloud. You keep ownership of the execution environment while a SaaS platform still handles the scaling and management around your deployments. For highly secure environments, agents are considered a best practice to ensure you meet your security and compliance requirements.
