How InfraDots Runs Terraform & OpenTofu
This page explains where and how InfraDots executes Terraform/OpenTofu, where state lives, and how that fits with using the CLI locally.
Where execution runs
InfraDots can run Terraform/OpenTofu in two ways:
1. InfraDots-managed workers (default)
- Runs (plan, apply, destroy) execute on InfraDots infrastructure
- You don't manage servers or runners; we handle capacity and updates
- Best for most teams: simple, secure, and always available
2. Your own worker pools
- You run worker agents in your own network (e.g. AWS, GCP, on-prem)
- Execution happens inside your environment; InfraDots orchestrates and stores state
- Use this when you need runs to use your private APIs, VPN, or compliance boundaries
See Worker Pools for setup.
State storage
- State is the record of what resources Terraform/OpenTofu manage. InfraDots stores it remotely and encrypted.
- You do not get a local terraform.tfstate file by default when using InfraDots for runs.
- State is tied to the workspace; only users with access to that workspace can use or see that state (according to your organization’s permissions).
- Backend configuration (e.g. backend "remote") is handled by InfraDots when you run plan/apply in the platform — you don’t need to configure the backend in your repo for runs triggered in InfraDots.
Using the CLI locally
You can still use the terraform or tofu CLI on your machine:
- Local development — Run tofu plan or terraform plan locally to iterate; use the same .tf files you push to the repo.
- State — For runs triggered in InfraDots, state stays in InfraDots. If you want to run apply locally against the same state, you’d configure the remote backend (or equivalent) to point at InfraDots, if your plan supports that.
- Production and collaboration — InfraDots is built for shared, audited runs: who ran what, when, and what changed. Use the platform for production applies and let the CLI support local experimentation.
Security in short
- State — Stored by InfraDots; access follows workspace/organization permissions.
- Variables — Stored encrypted; mark them as sensitive so they never appear in logs or plan output.
- Runs — Executed in isolated environments; logs are available to authorized users only.
For more on variables and secrets, see Variables and secrets.
