terranetes-controller

TERRAFORM CONTROLLER

Terraform Controller manages the life cycles of a terraform resource, allowing developers to self-serve dependencies in a controlled manner.

DEVELOPERS

• Workflows are run outside developer namespace so credentials can be shared without being exposed.
• Changes can be approved beforehand, following a plan and apply workflow.
• Developers can view and debug the terraform workflows from their our namespaces.

PLATFORM ENGINEERS

• Place guardrails around which modules can be consumed.
• Automatically inject environment specific configuration (dev, prod, cost centres and so forth) into the module, based on labels.
• Allow developers to see the associated costs to their configurations

DOCUMENTATION

View the documentation at https://terranetes.appvia.io/terraform-controller

GETTING STARTED

Prerequisites

• Helm CLI
• Kind

The quickest way to get up the running is via the Helm chart.

$ git clone git@github.com:appvia/terraform-controller.git
$ cd terraform-controller
# kind create cluster
$ helm install -n terraform-system terraform-controller charts/terraform-controller --create-namespace
$ kubectl -n terraform-system get po

• Configure credentials for developers

# The following assumes you can using static credentials, for managed pod identity see docs

$ kubectl -n terraform-system create secret generic aws \
  --from-literal=AWS_ACCESS_KEY_ID=<ID> \
  --from-literal=AWS_SECRET_ACCESS_KEY=<SECRET> \
  --from-literal=AWS_REGION=<REGION>
$ kubectl -n terraform-system apply -f examples/provider.yaml
$ kubectl -n terraform-system get provider -o yaml

• Create your first configuration

$ cat examples/configuration.yaml # demos a s3 bucket
$ kubectl create namespace apps

# NOTE: Make sure to change the bucket name in examples/configuration.yaml
# spec.variables.bucket
$ vim examples/configuration.yaml
$ kubectl -n apps apply -f examples/configuration.yaml
$ kubectl -n apps get po

# Straight away a job is created to 'watch' the terraform workflow
$ kubectl -n apps logs -f <POD_ID>

# Check the module output
$ kubectl -n apps get secret test -o yaml

• Approve the plan

By default unless the spec.enableAutoApproval is true, all changes must be approved before acting on. An annotation is used to approve the previous plan.

$ kubectl -n apps annotate configurations.terraform.appvia.io bucket "terraform.appvia.io/apply"=true --overwrite

This site is open source. Improve this page.