The Challenge of Terraform Org Sprawl
VGW's Terraform adoption began in 2019 with organic growth that led to significant operational challenges. As teams migrated from CloudFormation and Pulumi to Terraform Cloud, the organization spawned a new Terraform org for each team to maintain isolation of workloads, runs, and state. This approach created an explosion of organizations that became increasingly difficult to manage. Each new team request required an 8-12 week procurement process to renegotiate contracts, estimate run usage, and provision admin users. The decentralized structure resulted in inconsistent standards, governance gaps, and duplication of private registry modules. Cost tracking became complex across multiple orgs, and the overhead of coordinating with numerous org owners to rebalance usage created significant friction for the platform team.
Consolidation Strategy and Implementation
To address these challenges, VGW's SRE team designed a centralized single-org architecture leveraging Terraform Cloud's projects feature to create isolated tenants within one organization. This structure allowed teams to maintain autonomy while establishing consistent security and governance patterns. The team built automation around GitHub workflows to provision new tenant projects, create scoped service accounts for CI/CD pipelines, and establish a management workspace pattern for teams to self-service their infrastructure. They implemented OIDC-based authentication to eliminate long-lived credentials and created three distinct service account types: plan-only for pull requests, apply for non-production environments, and apply for production workspaces. The solution included custom GitHub Actions, static analysis tooling, and comprehensive documentation to guide teams into the 'pit of success' with minimal friction.
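An added example, not VGW's code: one way the three service account types could be bound to CI context, so that a pull request run can never obtain an apply credential. It assumes the pipeline presents a GitHub Actions OIDC token whose signature, issuer and audience were already verified; the repository-to-project map, branch name and environment name are hypothetical.

```python
from dataclasses import dataclass

# Tier names mirror the three service account types described above.
PLAN_ONLY, APPLY_NONPROD, APPLY_PROD = "plan-only", "apply-nonprod", "apply-prod"

# Assumptions, not from the page: onboarded repos, default branch, prod environment.
TENANT_REPOS = {"example-org/payments-infra": "payments"}  # constructed
DEFAULT_REF = "refs/heads/main"
PROD_ENVIRONMENTS = {"production"}

# Constructed sample of verified claims from a pull request run.
SAMPLE_PR = {"repository": "example-org/payments-infra",
             "event_name": "pull_request", "ref": "refs/pull/7/merge"}


class Denied(Exception):
    """The CI context does not qualify for the requested service account."""


@dataclass(frozen=True)
class Grant:
    project: str  # tenant project the short-lived credential is scoped to
    tier: str


def allowed_tiers(claims: dict) -> set:
    """Tiers a run may use, derived only from signed claims, never from inputs."""
    event, ref = claims.get("event_name"), claims.get("ref")
    if event == "pull_request":
        return {PLAN_ONLY}  # unreviewed code: plan only, never apply
    if event in {"push", "workflow_dispatch"} and ref == DEFAULT_REF:
        # The environment claim is present only when the job targets one.
        if claims.get("environment") in PROD_ENVIRONMENTS:
            return {PLAN_ONLY, APPLY_PROD}
        return {PLAN_ONLY, APPLY_NONPROD}
    return set()  # fail closed on any other event or branch


def select_service_account(claims: dict, requested: str) -> Grant:
    project = TENANT_REPOS.get(claims.get("repository", ""))
    if project is None:
        raise Denied("repository is not an onboarded tenant")
    if requested not in allowed_tiers(claims):
        raise Denied(f"{requested!r} not permitted for this run")
    return Grant(project, requested)
```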
Results and Ongoing Evolution
The consolidation effort reduced team onboarding time from 8-12 weeks to under 12 minutes through a simple pull request process. By May, VGW had created 45 projects with 345 workspaces, onboarded 400 teams, and published 15 private modules to their centralized registry—one module alone had been downloaded 13,000 times. The single-org model simplified cost tracking, eliminated the need for constant contract renegotiation, and provided a clear path for scaling Terraform usage across the organization. The team continues to refine the onboarding experience, plans to integrate automation into their internal developer platform, and is exploring Terraform Stacks to further optimize their workspace structure. This transformation demonstrates how thoughtful platform engineering can turn infrastructure-as-code sprawl into a scalable, secure, and developer-friendly foundation.