Terraform Deployment Target¶
Overview¶
By default, every resource in a Plan is deployed to the same account and host cluster dictated by the deployment model. The Deployment Target feature introduces an option to override this for individual resources, allowing them to target the service provider's control plane even when the overall deployment runs in the customer's cloud account (BYOC, Bring Your Own Cloud).
Note
This feature is currently only available for Terraform resources.
When a Terraform resource targets the control plane, it runs on the service provider's Provisioner host cluster. This means potentially sensitive infrastructure — such as IAM roles, secrets managers, or configuration stores — stays within the service provider's environment and never leaves their control, even though the end-customer deployment that depends on it runs in the customer's account.
When to Use¶
Consider using a control plane deployment target when:
- Sensitive resources need to remain in the service provider's account (credentials, encryption keys, configuration)
- Shared infrastructure should be managed centrally rather than per-customer account
- Provider-side orchestration resources are required to support customer deployments
Configuration¶
Add the deploymentTarget property to a Terraform resource in your Plan specification:
```yaml
services:
  - name: providerInfra
    type: terraform
    internal: true
    deploymentTarget:
      account: ControlPlane
    terraformConfigurations:
      configurationPerCloudProvider:
        aws:
          terraformExecutionIdentity: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/omnistrate-custom-terraform-execution-role"
          terraformPath: /terraform/provider
          gitConfiguration:
            reference: refs/heads/main
            repositoryUrl: https://github.com/your-org/infra-repo.git
```
deploymentTarget Properties¶
| Property | Type | Description |
|---|---|---|
| account | enum | The account where the resource will be deployed. Accepted values: DataPlane (default) or ControlPlane. |
Account Values¶
- DataPlane — The resource is deployed to the data plane account determined by the deployment model. This is the default behavior for all resources and has no additional restrictions.
- ControlPlane — The resource is deployed in the service provider's account, on the Provisioner host cluster. Only supported for BYOC deployments. See Restrictions below.
Restrictions¶
The DataPlane account target has no restrictions — it preserves the existing default behavior for all deployment models.
The following restrictions apply when using the ControlPlane account target:
ControlPlane restrictions
Review these restrictions carefully before setting account: ControlPlane.
BYOC deployments only¶
ControlPlane is only supported for BYOC (Bring Your Own Account) deployments. In the Service Provider Hosted model, the DataPlane account is the service provider's account.
Terraform resources only¶
ControlPlane is only supported for Terraform resources.
AWS only¶
The service provider's Provisioner host cluster runs exclusively on AWS. Therefore, ControlPlane Terraform resources only support the aws key under configurationPerCloudProvider. Multi-cloud configuration (gcp, azure) is not available for control plane resources.
Internal resources only¶
A resource with account: ControlPlane must be internal (internal: true). Control plane resources cannot be tenant-aware (external).
Immutable Once Set¶
The account setting cannot be changed after the resource is created. This restriction applies to:
- Resources explicitly set to ControlPlane — cannot be changed to DataPlane
- Resources explicitly set to DataPlane — cannot be changed to ControlPlane
- Existing resources without an explicit deploymentTarget — these default to DataPlane and cannot be changed to ControlPlane
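The rules in the Configuration and Restrictions sections above can be enforced before a Plan is submitted, which catches a misconfigured control plane resource in review rather than at deployment time. The following is an added example, not Omnistrate's own tooling: it assumes the Plan spec has been loaded into Python dicts with the same keys as the YAML on this page, that a top-level `deployment.byoaDeployment` block marks a BYOC deployment, and that the function names (`validate_plan`, `account_changes`) and the sample plans are constructed for illustration. `account_changes` compares two versions of a Plan and reports any resource whose effective account would change, which the immutability rule forbids.

```python
"""Static checks for the deploymentTarget rules on Terraform resources.

Added example (not Omnistrate's own tooling). Assumes a Plan spec loaded
into dicts with the same keys as the YAML on this page and that a top-level
deployment.byoaDeployment block marks a BYOC deployment. Function names and
sample plans are constructed for illustration.
"""

DATA_PLANE = "DataPlane"
CONTROL_PLANE = "ControlPlane"


def is_byoc(plan):
    """Assumption: a BYOC plan carries deployment.byoaDeployment."""
    return "byoaDeployment" in (plan.get("deployment") or {})


def target_account(resource):
    """Effective account: explicit deploymentTarget.account, else DataPlane."""
    return (resource.get("deploymentTarget") or {}).get("account", DATA_PLANE)


def validate_plan(plan):
    """Return a list of restriction violations; an empty list means the plan passes."""
    problems = []
    byoc = is_byoc(plan)
    for res in plan.get("services", []):
        name = res.get("name", "<unnamed>")
        account = target_account(res)
        if account not in (DATA_PLANE, CONTROL_PLANE):
            problems.append(f"{name}: unknown account {account!r}")
            continue
        if account == DATA_PLANE:
            continue  # default target, no additional restrictions
        # ControlPlane is only supported for BYOC deployments
        if not byoc:
            problems.append(f"{name}: ControlPlane requires a BYOC deployment")
        # ControlPlane is only supported for Terraform resources
        if res.get("type") != "terraform":
            problems.append(f"{name}: ControlPlane requires type: terraform")
        # ControlPlane resources must be internal
        if res.get("internal") is not True:
            problems.append(f"{name}: ControlPlane requires internal: true")
        # ControlPlane resources may only carry the aws cloud configuration
        clouds = ((res.get("terraformConfigurations") or {})
                  .get("configurationPerCloudProvider") or {})
        extra = sorted(set(clouds) - {"aws"})
        if extra:
            problems.append(f"{name}: ControlPlane supports only aws, found {extra}")
    return problems


def account_changes(old_plan, new_plan):
    """Flag resources whose effective account differs between two Plan versions."""
    old = {r["name"]: target_account(r) for r in old_plan.get("services", [])}
    changes = []
    for res in new_plan.get("services", []):
        name = res["name"]
        new_account = target_account(res)
        if name in old and old[name] != new_account:
            changes.append(f"{name}: account {old[name]} -> {new_account} is immutable")
    return changes


# Constructed sample plans mirroring the shape of the YAML on this page.
GOOD_PLAN = {
    "deployment": {"byoaDeployment": {"awsAccountId": "<AWS_ACCOUNT_ID>"}},
    "services": [
        {"name": "providerSecrets", "type": "terraform", "internal": True,
         "deploymentTarget": {"account": CONTROL_PLANE},
         "terraformConfigurations": {"configurationPerCloudProvider": {
             "aws": {"terraformPath": "/terraform/provider-secrets"}}}},
        {"name": "customerInfra", "type": "terraform", "internal": True,
         "terraformConfigurations": {"configurationPerCloudProvider": {
             "aws": {"terraformPath": "/terraform/customer-infra/aws"},
             "gcp": {"terraformPath": "/terraform/customer-infra/gcp"}}}},
    ],
}

BAD_PLAN = {
    "deployment": {},  # not a BYOC deployment
    "services": [
        {"name": "leaky", "type": "terraform", "internal": False,
         "deploymentTarget": {"account": CONTROL_PLANE},
         "terraformConfigurations": {"configurationPerCloudProvider": {
             "aws": {}, "gcp": {}}}},
    ],
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan(plan) or "ok")
    flipped = {"services": [{"name": "customerInfra", "type": "terraform",
                             "internal": True,
                             "deploymentTarget": {"account": CONTROL_PLANE}}]}
    print(account_changes(GOOD_PLAN, flipped))
```

Running the script as-is reports no problems for the first plan and three for the second (not BYOC, not internal, and a gcp configuration on a control plane resource), then flags the attempt to move customerInfra from DataPlane to ControlPlane. Running `validate_plan` and `account_changes` against the previously applied Plan in CI gives the same answer the immutability rule would give at deployment time, before anything is created.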
Example¶
The following Plan specification shows a BYOC deployment with two Terraform resources: one deployed in the service provider's control plane and another in the customer's data plane.
```yaml
name: My SaaS Product
deployment:
  byoaDeployment:
    awsAccountId: "<AWS_ACCOUNT_ID>"
    awsBootstrapRoleAccountArn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/omnistrate-bootstrap-role
services:
  # This resource runs in the service provider's account
  - name: providerSecrets
    type: terraform
    internal: true
    deploymentTarget:
      account: ControlPlane
    terraformConfigurations:
      configurationPerCloudProvider:
        aws:
          terraformExecutionIdentity: "arn:aws:iam::<PROVIDER_ACCOUNT_ID>:role/omnistrate-custom-terraform-execution-role"
          terraformPath: /terraform/provider-secrets
          gitConfiguration:
            reference: refs/heads/main
            repositoryUrl: https://github.com/your-org/infra-repo.git
  # This resource runs in the customer's account (default behavior)
  - name: customerInfra
    type: terraform
    internal: true
    terraformConfigurations:
      configurationPerCloudProvider:
        aws:
          terraformPath: /terraform/customer-infra/aws
          gitConfiguration:
            reference: refs/heads/main
            repositoryUrl: https://github.com/your-org/infra-repo.git
        gcp:
          terraformPath: /terraform/customer-infra/gcp
          gitConfiguration:
            reference: refs/heads/main
            repositoryUrl: https://github.com/your-org/infra-repo.git
        azure:
          terraformPath: /terraform/customer-infra/azure
          gitConfiguration:
            reference: refs/heads/main
            repositoryUrl: https://github.com/your-org/infra-repo.git
        oci:
          terraformPath: /terraform/customer-infra/oci
          gitConfiguration:
            reference: refs/heads/main
            repositoryUrl: https://github.com/your-org/infra-repo.git
  - name: MyApp
    dependsOn:
      - providerSecrets
      - customerInfra
    helmChartConfiguration:
      chartName: my-app
      chartVersion: 1.0.0
      chartRepoName: my-repo
      chartRepoURL: https://charts.example.com
```
In this example, providerSecrets is deployed to the service provider's Provisioner cluster on AWS, ensuring that sensitive configuration never leaves the provider's control. The customerInfra resource uses the default DataPlane target and deploys into the customer's AWS account. The application Helm chart depends on both.
Next Steps¶
- Terraform Overview: Learn the basics of using Terraform with Omnistrate
- Multi-Cloud Configuration: Configure Terraform stacks for multiple cloud providers
- Deployment Models: Understand the different deployment models including BYOC
- Plan Specification: Full schema reference for the deploymentTarget property