Structuring Scalr

The Scalr organizational model is broken up into the three components listed below. The model allows for object inheritance and assignment as well as the ability for information about Terraform workspaces and runs to roll up into global views for the platform admins.

  • Account Scope - primarily an administrative control plane where environments, IAM, policies, modules, and more are maintained. The account scope also serves as a global dashboard with views of all workspaces, run operations, and reports across environments.
  • Environment Scope - isolated groupings of workspaces, teams, policies, and more. There are no limitations on how to use environments but we recommend a one-to-one mapping to cloud accounts or subscriptions.
  • Workspaces - Workspaces are the child of an environment. This is where Terraform runs are executed, the state is stored, and all objects related to the deployments are linked.
4434

A best practice when designing your implementation is to manage the structure with the Scalr Terraform provider. By doing this, you can easily onboard teams into Scalr by updating a variable file and it reduces the long-term overhead.

Let's get into some more specifics about each scope.

Account Scope

Used primarily by your account admins as the control plane for the entire platform. There are three main themes in the account scope:

  • Management: Manage environments, IAM, modules, OPA policies, VCS connections, and provider configurations for the entire account.
  • Reporting: Report on modules, providers, Terraform version, resources, and more to give you a good understanding of how Terraform is being used.
  • Operations: Have cross-account views into workspaces and runs with the ability to execute bulk actions on them without having to search through environments and workspaces.

Management

The following objects can be created and managed at the account scope:

ObjectDescription
IAMRequired. Control teams, users, services accounts, and SAML/LDAP integrations. Access policies can be assigned to the account, environment, and/or workspace scope.
Provider ConfigurationsOptional. Provider configurations are created and managed at the account scope but assigned to environments. A single configuration can be assigned to one or more environments.
EnvironmentsRequired. Environments are the child of accounts. Environments are where workspaces are created and Terraform runs are executed.
Policy EngineOptional. OPA policy groups can be created and managed at the account scope but assigned to environments. A policy group can be assigned to one or more environments.
VariablesOptional. If a shell variable is created at the account scope, the variable will be inherited by all environments and workspaces.
VCS ProvidersOptional. If a VCS provider is created at the account scope, the provider will be available to all environments and workspaces.
ModulesOptional. If a module is created at the account scope, the module will be available to all environments and workspaces.
Agent PoolsOptional. If an agent is created at the account scope, the agent will be available to all environments and workspaces.

All of the objects above can be assigned and automatically inherited by environments.

Click Through Demo

Environment Scope

Environments are mainly where the development teams will operate as the workspaces within the environments are where the Terraform deployments actually happen.

Teams have the ability to consume modules created at the account scope or create and manage their own modules in the environment-level registry if they have the proper permissions assigned to them.

Admins have the ability to assign the following objects to an environment:

ObjectDescription
Provider ConfigurationsOptional. A single provider configuration can be used across one or more environments. When a provider configuration is the default for an environment Scalr will automatically insert the provider block when needed in a run.
VCS ProvidersOptional. A VCS provider is needed for the module registry and VCS connected workspaces. If a VCS provider is created here, it is only available in this environment. The VCS provider will be made available for workspaces within the environment, but not required if the workspace is CLI driven.
VariablesOptional. If a shell variable is assigned to an environment, the variable will be inherited by all workspaces within the environment.
OPA PoliciesOptional. OPA policy groups must be created at the account scope. The policy group is then assigned to an environment.
WebhooksOptional. If a webhook and endpoint are created and assigned to an environment, the webhook will be available to all workspaces.
Access PoliciesRequired. For users or teams to access an environment, they must be assigned an access policy within the environment.

Any of the objects assigned to the environment scope will be automatically inherited by all workspaces within the environment. For example, if you set a shell variable at the environment scope, all workspaces in that environment will inherit it and end users are not able to change or remove it.

Workspace Scope

Workspaces are where the Terraform deployments happen. Users have the ability to select whether runs are triggered in workspaces from the terraform CLI, a VCS repository, or using the Scalr no code module deployments.

All state files are stored within the workspaces and users have many different automation, drift, variable, and credential settings for each workspaces.

Again, it is highly recommended to leverage the Scalr Terraform provider to manage workspaces.