How to Run Terraform Self-Hosted: 4 Options

Running Terraform in a self-hosted environment gives organizations full control over how and where their infrastructure as code runs. For many teams, this isn’t just about preference — it’s about meeting strict compliance, data residency, or network isolation requirements.

In this guide, we’ll explore what “Terraform self-hosted” means and break down four common deployment models, from running Terraform locally to using dedicated platforms like Spacelift. Each option comes with its own trade-offs in control, scalability, and automation.

What does Terraform self-hosted mean?

Terraform self-hosted means you run the Terraform workflow and its supporting services on your own infrastructure, not in Terraform Cloud’s SaaS. This usually refers to Terraform Enterprise or an OSS setup where you manage the state backend, execution environment, and integrations yourself. Large enterprises often prefer this model due to strict governance, compliance, or complex networking environments.

In a self-hosted setup, organizations deploy and maintain Terraform’s backend (workspaces, state files, and execution runtimes provided by orchestration platforms) within their own network. This approach provides full control over infrastructure, data, and execution environments, often necessary when security or compliance rules prevent storing state or credentials externally.

Why go self-hosted:

  • Security and compliance: Keeps state files and secrets within internal systems
  • Customization: Allows integration with private networks, internal CI/CD systems, or custom authentication
  • Performance: Reduces latency and external dependencies for sensitive workloads

Option 1: Running Terraform locally

Running Terraform locally for a self-hosted setup means executing Terraform commands directly on a developer’s or operator’s local machine, with state files stored locally or in a controlled remote backend.

In this model, users install the Terraform CLI and manage infrastructure by running terraform plan and terraform apply from their local environment. The Terraform state, which tracks deployed resources, can live in a local file or a private remote backend such as Amazon S3, Azure Blob (azurerm), Google Cloud Storage (gcs), Consul, or the remote/HCP backend.

While this setup is simple, it puts version control, backend configuration, and secret management squarely on the user’s shoulders. It’s best for small teams, sandbox environments, or organizations prioritizing local control over convenience.

Local execution offers control and simplicity, but limited scalability. It’s great for experimentation or strict isolation but not for large-scale collaboration.

Advantages:

  • Full control and data sovereignty: All Terraform operations and state data remain inside your infrastructure
  • No external dependencies: Ideal for air-gapped or highly secure environments
  • Fast setup: Minimal infrastructure overhead; easy to start and experiment with
  • Custom workflow flexibility: Integrates smoothly with in-house CI/CD pipelines or local testing setups

Limitations:

  • Collaboration challenges: Multiple engineers must coordinate to avoid state conflicts or drift
  • Security risks: Secrets and credentials may be exposed if not managed carefully
  • Limited scalability: No centralized policy enforcement or access controls

Option 2: Terraform Enterprise (self-hosted)

A self-hosted Terraform Enterprise installation runs entirely within your organization’s infrastructure. It gives internal teams ownership of how Terraform executes, stores state, and enforces policies, without relying on HashiCorp’s managed SaaS.

Instead of running Terraform manually, this setup provides a centralized platform for executing plans, managing state, and applying policies via a web UI or API. You can deploy Terraform Enterprise on virtual machines or on Kubernetes using the official Helm chart.

All Terraform operations occur inside your organization’s environment, ensuring security and compliance while supporting automation at scale.

Advantages:

  • Centralized control: Manage workspaces, policies, and state from a single internal platform
  • Improved security posture: Sensitive data never leaves your private network
  • Team collaboration: Shared workflows, access controls, and CI/CD integration
  • Enterprise-grade automation: Sentinel policies, run queues, and robust API integrations

Limitations:

  • Setup and maintenance overhead: Requires in-house expertise to install, upgrade, and monitor
  • Infrastructure demands: Needs dedicated compute, storage, and networking
  • Cost considerations: Licensing and operational expenses can be significant

Option 3: Using a self-hosted agent / runner

A self-hosted agent or runner executes Terraform inside your infrastructure using automation tools like GitHub Actions, GitLab CI, or Jenkins. Instead of cloud-hosted runners, Terraform runs on your own servers — providing direct access to internal networks, private APIs, and restricted systems.

Terraform commands are triggered automatically by CI/CD pipelines, while state files reside in a secure remote backend. Note that even with self-hosted runners, job logs are typically uploaded to your CI system’s control plane (e.g., GitHub/GitLab) unless you also self-host that control plane and storage.
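Because plan output ends up in those job logs, it helps to check a plan before its log leaves the runner. The following is an added example, not code from the original article: it reads the JSON form of a plan (as produced by terraform show -json) and lists secret-named values that are not marked in after_sensitive, so Terraform would not mask them. The name pattern and the example_* resource types in the sample are constructed assumptions.

```python
import json
import re

# Assumed heuristic for credential-like attribute names; extend for your providers.
SECRET_NAME = re.compile(r"(password|secret|token|private_key|access_key)", re.I)

# Constructed plan excerpt; the example_* resource types are hypothetical.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "example_database.main", "change": {
        "actions": ["create"],
        "after": {"name": "orders", "password": "EXAMPLE-ONLY-1"},
        "after_sensitive": {"password": True}}},
    {"address": "example_app.api", "change": {
        "actions": ["update"],
        "after": {"image": "api:1.4",
                  "env": {"API_TOKEN": "EXAMPLE-ONLY-2", "LOG_LEVEL": "info"}},
        "after_sensitive": {"env": {}}}},
    {"address": "example_app.worker", "change": {
        "actions": ["no-op"],
        "after": {"env": {"API_TOKEN": "EXAMPLE-ONLY-3"}},
        "after_sensitive": {"env": {}}}},
]})

def unmasked(after, marks, path):
    """Yield paths of secret-named strings that after_sensitive does not mark."""
    if marks is True:  # Terraform prints "(sensitive value)" for this subtree
        return
    if isinstance(after, dict):
        marks = marks if isinstance(marks, dict) else {}
        for key, child in after.items():
            yield from unmasked(child, marks.get(key), f"{path}.{key}")
    elif isinstance(after, list):
        marks = marks if isinstance(marks, list) else []
        for i, child in enumerate(after):
            yield from unmasked(child, marks[i] if i < len(marks) else None, f"{path}[{i}]")
    elif isinstance(after, str) and after and SECRET_NAME.search(path.rsplit(".", 1)[-1]):
        yield path

def plan_log_leaks(plan_text):
    """Return attribute paths whose values may appear unmasked in plan output."""
    findings = []
    for rc in json.loads(plan_text).get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["no-op"]:  # unchanged resources are not printed
            continue
        findings.extend(unmasked(change.get("after"), change.get("after_sensitive"), rc["address"]))
    return findings

if __name__ == "__main__":
    for hit in plan_log_leaks(SAMPLE_PLAN):
        print("would be logged in clear:", hit)
```

A non-empty result is a signal to mark the feeding variable or output as sensitive, or to fail the job before the plan text is written to the log.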

A self-hosted agent or runner is a natural step up for teams that want CI/CD integration without losing network or data sovereignty.

Advantages:

  • Controlled execution: Jobs run entirely within your infrastructure
  • Private connectivity: Allows provisioning internal systems without public credential exposure
  • Automation benefits: Seamlessly integrates Terraform into existing CI/CD workflows
  • Flexible scaling: Add or replicate runners based on build frequency and capacity

Limitations:

  • Administrative overhead: Self-managing agents requires monitoring and patching
  • Resource costs: Hardware or VM capacity must be maintained
  • Complex setup: Networking, authentication, and permissions require careful configuration

Option 4: Spacelift

Spacelift is a self-hostable infrastructure-as-code management platform designed to automate and govern Terraform (and similar tools) with built-in policy controls, collaboration features, and CI/CD integration.

Unlike running Terraform manually or through basic CI pipelines, Spacelift provides a centralized environment to manage state, approvals, and policies. You can run Spacelift fully self-hosted, or use the SaaS with Private Worker Pools to execute runs inside your network.

Spacelift integrates directly with Git repositories, triggering Terraform runs automatically on pull requests or commits. This workflow blends automation, collaboration, and governance, helping teams scale IaC securely.

Spacelift is ideal for organizations seeking automated, auditable, and policy-driven Terraform workflows with self-hosted flexibility and enterprise-grade control.

Advantages:

  • Centralized management: Unified UI for monitoring runs, state, and team activity
  • Policy enforcement: Uses Open Policy Agent (OPA) for compliance and security
  • Scalable automation: Runs Terraform plans and applies automatically on code changes
  • Integration flexibility: Connects with GitHub, GitLab, Bitbucket, and major cloud providers

Limitations:

  • Licensing costs: Self-hosted deployments typically use enterprise pricing
  • Operational setup: Requires infrastructure and maintenance similar to Terraform Enterprise
  • Learning curve: Advanced policy and workflow configuration may need onboarding time

Key points

Running Terraform self-hosted allows organizations to maintain full control over their infrastructure, data, and security. 

Different setups offer varying levels of flexibility and complexity. Running Terraform locally or through self-managed Terraform Enterprise provides deep customization but often increases operational overhead. Using self-hosted runners adds automation and network control but may still require manual policy management.

Spacelift offers a structured alternative for teams that need automation and governance without giving up data control. It supports self-hosted deployments where Terraform runs, state files, and policies stay within the organization’s environment, helping teams scale securely while meeting internal compliance and workflow needs. You can also run OpenTofu with Spacelift, either self-hosted or via SaaS with Private Worker Pools.

If you are looking for a specialized platform that helps you organize everything related to Terraform orchestration, check out Spacelift. Set up a personalized demo with one of our engineers.
