Self-Hosted Terraform Cloud Alternative on an Offshore VPS

Terraform state is the single most sensitive artifact in your infrastructure toolkit. It contains IDs, IPs, sometimes plaintext secrets, and a complete map of every resource you own across every provider. Storing this in a US SaaS means a subpoena, a billing dispute, or an account suspension can lock you out of your own infrastructure or expose its full topology. A self-hosted backend on an offshore VPS gives you the same locking and versioning semantics as Terraform Cloud, but the data sits on a disk you control in a jurisdiction you chose. Use MinIO for S3-compatible storage with native state locking through DynamoDB-compatible options, or use the native Terraform HTTP backend that ships with Atlantis. Either way, you keep the workflow (plan, apply, locking, audit log) and lose the vendor. The 2023 BSL license shift made some users uncomfortable about long-term commercial use of HashiCorp tooling. OpenTofu (the community fork) is now a drop-in replacement and runs identically on your VPS - same provider ecosystem, same HCL syntax, same module registry compatibility. If you self-host the state and the runner, switching engines becomes a one-line config change rather than a vendor migration.

The minimal self-hosted setup has three pieces. First, a state backend - MinIO on a single VPS handles teams of any practical size. A 50 GB SSD VPS at 4 GB RAM is plenty for state files (each is typically 50 KB to 5 MB) plus a few years of versions. Install MinIO via the official binary or docker image, configure it with a root user, and create a bucket per environment (prod, staging, dev). Second, the lock backend. The simplest pattern is to use MinIO's built-in object versioning plus the Terraform S3 backend with the `dynamodb_table` option pointing at a compatible service. Alternatively, use the consul backend (deploy a single-node consul on the same VPS) or the postgres backend if you already run Postgres. Third, the execution layer. Atlantis is the open-source equivalent of Terraform Cloud workspaces - it listens for git webhooks, runs `terraform plan` on pull requests, comments the plan back, and applies on merge. Install Atlantis as a systemd service on the same VPS, expose it on port 4141 behind a TLS reverse proxy, and configure your git provider to send webhooks. The whole stack on a 4 GB RAM offshore VPS handles a 20-person team comfortably.

On a fresh Ubuntu 22.04 VPS, install MinIO: `wget https://dl.min.io/server/minio/release/linux-amd64/minio && chmod +x minio && mv minio /usr/local/bin/`. Create a data directory and a service user: `useradd -r minio-user && mkdir -p /var/lib/minio && chown minio-user:minio-user /var/lib/minio`. Write a systemd unit at `/etc/systemd/system/minio.service` with the binary path, the data dir as argument, and env vars `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` set to strong random values. Start with `systemctl enable --now minio`. Install Atlantis: `curl -sSL https://github.com/runatlantis/atlantis/releases/latest/download/atlantis_linux_amd64.zip -o atlantis.zip && unzip atlantis.zip && mv atlantis /usr/local/bin/`. Configure Atlantis via env vars or a yaml config - set `ATLANTIS_GH_USER`, `ATLANTIS_GH_TOKEN`, `ATLANTIS_GH_WEBHOOK_SECRET`, `ATLANTIS_REPO_ALLOWLIST`, and `ATLANTIS_ATLANTIS_URL`. For GitLab or Gitea use the equivalent variables. Configure each Terraform project's `backend` block to point at your MinIO endpoint: `terraform { backend "s3" { endpoint = "https://minio.yourdomain.tld" bucket = "tfstate-prod" key = "service.tfstate" region = "us-east-1" access_key = "MINIO_USER" secret_key = "MINIO_PASS" force_path_style = true } }`. The `force_path_style` flag is critical for MinIO compatibility. Test with `terraform init && terraform plan` from your laptop, then push a branch to trigger Atlantis end to end.