How to manage “Admin User” consumption in Terraform Cloud Business
Problem Statement
Some Terraform Cloud Business customers have reported noticeable overconsumption of admin users as part of their natural usage of the product.
For HashiCorp Flex customers, this has had the impact of consuming more of their Flexible consumption balance than is desired. This is typically noticed only at the end of a billing period, when the consumption has already taken effect. Our intention is to ensure that you are maturing your use of Terraform Cloud at your own pace, and finding value through provisioning and managing infrastructure at scale. It is not our intention for our customers to feel penalized for a “slower” consumption of Terraform runs & applies, or to run out of “budget” because of the per-hour consumption tied to the # of admin users.
For our service entitlement customers, this would risk exceeding admin user entitlements, and may result in a true-up by HashiCorp sales. Keep in contact with your customer success manager and your account manager and explain the situation; they will be happy to work out a plan.
What is a Terraform Cloud Admin User?
In Terraform Cloud Business, Admin users are a billable metric and are metered/counted if the user has specific Authorizations or Team Permissions granted. Terraform Cloud “admin users” are not identified as specific users within a specific Org Team.
More specifically:
“Admin User” means a “User” with administrative access to (i) manage policies, (ii) manage workspaces, or (iii) manage VCS settings (or any combination of the foregoing) in the Customer’s TFCB account.
Note: For Flex customers, average consumption ranges from $4-$5 USD per 24 hours, per admin user. You can check your Usage Page at any time to review your organization’s usage. You can also check your HashiCorp Cloud Platform Account Summary to see the total admin user-hours consumption and average of admin users on the current billing period.
“Admin User” means a User with administrative access to (i) manage policies, (ii) manage workspaces, or (iii) manage VCS settings (or any combination of the foregoing) in the Customer’s Terraform Cloud account. A Customer may not utilize more Admin Users per month than are set forth in the “Qty” column in the table above for Terraform Cloud Business User.
For entitlement customers, you can review your contract for details on pricing.
In short, ALL users in the “Owners” Team (due to automatically having the above permissions) and ANY user in ANY Team with one or more of these permissions are considered “admin users.”
Please be aware, this means that the # of admin users at any given time WILL fluctuate depending on the rate of onboarding or offboarding new team members to Terraform Cloud and distributing self-service manageability permissions (e.g. create, update) to Terraform workspaces, policies, and VCS to team members.
How many admin users do I need?
If your organization is new to Terraform Cloud Business, it is very likely that you should consider “right-sizing” to the minimum number of admin users necessary to meet your business needs.
Terraform Cloud Business Admin users have access to create, update, or delete workspaces, policies, and VCS settings whereas other users only have read access. Therefore, the authorized users should have ownership, governance, and accountability for your entire infrastructure operations.
In our experience, the majority of customers are able to operate with 10 or fewer admin users per Business Org.
Consider least privilege design and ensure that a limited number of users have an administrative level of access. Doing so will also minimize your total admin user-hours consumption.
Best Practices for Onboarding New Terraform Users
When enabling self service development and application teams to provision and manage infrastructure with Terraform, you can follow these best practices. Your Org Owners & Platform Admin Users can onboard new Terraform team members with the following:
- Creating new workspaces according to projects they are working on (e.g. database, or autoscaling VMs, a microservice)
- Provisioning any security policy guardrails (e.g. with Sentinel)
- Connecting any version control (e.g. GitHub or GitLab)
Once these are created, Terraform resources (e.g. infrastructure objects like compute, network, and storage) can be fully self-service provisioned or managed by any team members using terraform plan and apply.
Where do I go to remove these admin user permissions?
- As an Org Owner, navigate to “Org Settings > Teams” and review all of the Teams to see the “Organization Access” permissions
- Remove admin user access permissions from any Custom Team:
  - Change “Manage all workspaces” to “View all workspaces”
  - Change “Manage all projects” to “View all projects”
  - Uncheck “Manage policies”
  - Uncheck “Manage version control settings”
Note: Removing these permissions has the impact that all users in these Teams will not be able to create, edit, or delete policies, projects, workspaces, and VCS settings. Additionally, you cannot remove these permissions from the owners group. To reduce admin count on owners, remove users from the owners team.
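Before changing permissions, it helps to see which Teams currently confer admin status and how many distinct users that covers. The following is an added example, not HashiCorp code or billing logic: it assumes team records shaped like a Terraform Cloud Teams API list response (an "organization-access" attribute and a "users" relationship), and the team names and user IDs are constructed.

```python
# Organization-access keys this page ties to admin status: the three in the
# "Admin User" definition, plus "manage-projects" from the removal steps.
ADMIN_KEYS = ("manage-policies", "manage-workspaces",
              "manage-vcs-settings", "manage-projects")


def team(name, users, **access):
    """Build one constructed team record in the assumed API shape."""
    return {
        "attributes": {
            "name": name,
            "organization-access": {k.replace("_", "-"): v
                                    for k, v in access.items()},
        },
        "relationships": {"users": {"data": [{"id": u, "type": "users"}
                                             for u in users]}},
    }


# Constructed sample data (hypothetical teams and user IDs).
SAMPLE_TEAMS = [
    team("owners", ["user-a", "user-b"]),
    team("platform", ["user-b", "user-c"],
         manage_workspaces=True, manage_projects=True),
    team("app-dev", ["user-d", "user-e"], manage_policies=False),
    team("secops", ["user-f"], manage_policies=True),
]


def admin_teams(teams):
    """Map team name -> list of reasons its members count as admin users."""
    flagged = {}
    for t in teams:
        attrs = t["attributes"]
        access = attrs.get("organization-access") or {}
        granted = [k for k in ADMIN_KEYS if access.get(k)]
        if attrs["name"] == "owners":
            granted = ["owners team"]  # owners always hold these permissions
        if granted:
            flagged[attrs["name"]] = granted
    return flagged


def admin_user_ids(teams):
    """Distinct user IDs across flagged teams (a user in two teams counts once)."""
    flagged = admin_teams(teams)
    return {u["id"] for t in teams if t["attributes"]["name"] in flagged
            for u in t["relationships"]["users"]["data"]}


if __name__ == "__main__":
    for name, reasons in admin_teams(SAMPLE_TEAMS).items():
        print(f"{name}: {', '.join(reasons)}")
    print("distinct admin users:", len(admin_user_ids(SAMPLE_TEAMS)))
```

Teams that appear in the output are the candidates for the permission changes listed above; users who only appear via the owners entry have to be removed from that team instead.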
How can I be made aware of increases to admin user count?
As the problem is more prominent for HashiCorp Flex customers, who consume admin users per hour, we are in the process of enhancing Terraform Cloud for them. Two email notifications are planned:
- Email notification when the admin user counts are increased by an Org Owner
- Email notification when the Org is upgraded from Team/Team Governance to Business
The email is sent to the Notification Email in the Org > General Settings for any Terraform Cloud Business Org connected to a HashiCorp Flex Billing Account.
Note: The HCP Billing account may be connected to one or more Terraform Cloud Business Orgs. This email will therefore go out to each Org, regardless of whether it did or did not add admin users.
It is the HCP Billing account owner's responsibility to prioritize and inform any Terraform Cloud Org owners of any remediation steps to reduce admin counts and overall consumption.