What is a run?

There are two types of runs in Scalr:

  1. A standard run is one that actually runs a Terraform apply.
  2. A dry run, or speculative run, is one that executes the plan, cost estimation, and policy phases, but not the apply.

What are the Scalr IPs to whitelist?

The IPs that will need to be whitelisted for scalr.io are listed in this API endpoint .

Also, you can automate the process with Terraform by adding a code snippet below to your template:

data "http" "ips-allowlist" {
  url = "https://scalr.io/.well-known/allowlist.txt"

locals {
  ips_allowlist = split("\n", trimspace(data.http.ips-allowlist.body))

Can I fence an account?

Yes, to improve security, users have the ability to allow only specific public IPs/CIDRs to access their Scalr account. If the request issuer is out of the approved list, the request will be blocked. Currently, the feature is only available in the Scalr API and provider.

How is my Terraform state stored?

If a Terraform run is executed within Scalr then the resulting Terraform state file is stored within Scalr. All state files are securely stored in a Scalr-owned and encrypted Google Cloud bucket.

What are Scalr environments?

Environments are the logical grouping of workspaces, teams, policies, and other objects that relate to each other. The majority of the time, we see an environment being the equivalent of an app or team. Generally, there are a few questions that should be answered when thinking of your structure:

  • Will I need different policies applied to any of my workspaces within the environment?
  • Will the same provider credentials be used across all workspaces?
  • Will all users/teams within the environment collaborate on these workspaces?
  • Will all workspaces use the VCS provider(s) assigned to this environment?

If you answered yes to any of those questions, you may consider breaking out components into separate environments.

Are Provider Configurations required in Scalr?

Provider configurations are required for Terraform runs to execute, but you decide where configurations are actually stored. Scalr.io provides the ability to store encrypted Provider Configurations and will automatically pass them to runs. Some business requirements, like a Business Associate Agreement (BAA), require that the configurations are not stored with a SaaS vendor and Scalr can accommodate this as well.

For businesses who must store the configurations outside of Scalr, you have the option of using the Self Hosted Agent Pools, which provides flexibility in where the configurations are stored. Agents are placed in the network of your choice and scalr.io will never have a connection to the agent, the agent only pulls information from scalr.io and executes Terraform runs accordingly. Because provider configurations just need to be passed to the Terraform runs as shell variables, this gives you flexibility on how the configurations are actually supplied:

  • Using automation to set it as an OS variable on the agent server.
  • Pulled from a vault at the time of run execution with custom hooks.
  • Inherited from the instance profile of the server that the agent is hosted on.

Any of these methods ensure that scalr.io never has access to your configurations and it is solely managed within your network.

How do I migrate or update Terraform state in Scalr?

Migrating state to Scalr is simply done by changing the Terraform configuration to use Scalr as a remote backend. Regardless of where the state is now (local, S3 bucket, etc) the Terraform CLI (terraform init) will detect the change of configuration and automatically migrate the state to Scalr.

  • If there is an existing remote state then simply need to update the terraform {} block to be similar to the example below
  • If the state is currently local then add the complete terraform{} block similar to this example.
terraform {
  backend "remote" {
    hostname = "my-account.scalr.io"
    organization = "env-ssccu6d5ch64lqg"
    workspaces {
      name = "migrate-demo"
  • Run terraform init to migrate the state and answer “yes” to the prompt. This will create the workspace and upload the state to Scalr.

Can Scalr use the Terraform credential helper?

Scalr supports credential helpers if you have a use case where it is needed. To use the helper remotely, it must be installed in the following location within the workspace: terraform.d/plugins/terraform-credentials-scalr.

For self-hosted customers, the helper can be added and configured on the Scalr worker server for global use in the following location: /opt/scalr-server/var/lib/tf-worker/plugins/terraform-credentials-scalr

Why do I need the Scalr hierarchy?

The Scalr hierarchical model is one of the key differentiators of Scalr that helps businesses of all sizes scale their Terraform usage. At Scalr, our goal is to help you centralize your Terraform administration and decentralize the Terraform operations. What does this mean:

Things that should be centralized in the account scope:

  • IAM (RBAC, Teams, Users)
  • OPA Policies
  • Module Registry (Required modules)
  • Cross Account Reporting
  • Provider Credentials
  • VCS providers
  • Shared Variables

Things that should be decentralized at the environment scope:

  • Workspaces
  • Workspace orchestration and scheduling
  • Run execution
  • Module Registry (Team/App specific modules)

By centralizing the administration, the administrative team can ensure the developers are deploying their Terraform in a controlled manner while also having visibility over it. This then allows the developer teams to increase their velocity by managing their workflows within Scalr environments without interruption.

How do I get my invoice?

Invoices can be retrieved by your team through the Scalr UI by going to the account scope and clicking on the billing page:

Then go to invoices to view and download:

The accounts:billing permission is required to view and access the invoices.

If you do not have access to Scalr, please contact that account administrator who will be able to retrieve the invoice for you.

Where are my invoices sent?

Invoices are sent to the email address in the billing details section unless a ticket was opened and a different email was provided.

Where can I find Scalr's W9?

You can find the W9 for Scalr here: http://scalr.com/w9

Enable EPEL Repo for the Agent

Download the CentOS GPG Key

# Get OS Release number
OS_RELEASE=$(rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release))
OS_RELEASE_MAJOR=$(echo $OS_RELEASE | cut -d. -f1)
# Download the GPG key and save locally
curl -s https://www.centos.org/keys/RPM-GPG-KEY-CentOS-$OS_RELEASE_MAJOR | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$OS_RELEASE_MAJOR

Create the Repo File

# Get OS Release number
OS_RELEASE=$(rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release))
OS_RELEASE_MAJOR=$(echo $OS_RELEASE | cut -d. -f1)
# Create the repo file
cat << EOF | sudo tee /etc/yum.repos.d/centos-extras.repo
#additional packages that may be useful
name=CentOS-$OS_RELEASE_MAJOR - Extras

Build the Repo Cache

sudo yum -q makecache -y --disablerepo='*' --enablerepo='extras'