README
¶
TERRAFORM CONTROLLER
Terraform Controller manages the life cycles of a terraform resource, allowing developers to self-serve dependencies in a controlled manner.
DEVELOPERS
- Workflows are run outside developer namespace so credentials can be shared without being exposed.
- Changes can be approved beforehand, following a plan and apply workflow.
- Developers can view and debug the terraform workflows from their our namespaces.
PLATFORM ENGINEERS
- Place guardrails around which modules can be consumed.
- Automatically inject environment specific configuration (dev, prod, cost centres and so forth) into the module, based on labels.
- Allow developers to see the associated costs to their configurations
DOCUMENTATION
View the documentation at https://terranetes.appvia.io/terraform-controller
GETTING STARTED
Prerequisites
The quickest way to get up the running is via the Helm chart.
$ git clone git@github.com:appvia/terraform-controller.git
$ cd terraform-controller
# kind create cluster
$ helm install -n terraform-system terraform-controller charts/ --create-namespace
$ kubectl -n terraform-system get po
- Configure credentials for developers
# The following assumes you can using static credentials, for managed pod identity see docs
$ kubectl -n terraform-system create secret generic aws \
--from-literal=AWS_ACCESS_KEY_ID=<ID> \
--from-literal=AWS_SECRET_ACCESS_KEY=<SECRET> \
--from-literal=AWS_REGION=<REGION>
$ kubectl -n terraform-system apply -f examples/provider.yaml
$ kubectl -n terraform-system get provider -o yaml
- Create your first configuration
$ cat examples/configuration.yaml # demos a s3 bucket
$ kubectl create namespace apps
# NOTE: Make sure to change the bucket name in examples/configuration.yaml
# spec.variables.bucket
$ vim examples/configuration.yaml
$ kubectl -n apps apply -f examples/configuration.yaml
$ kubectl -n apps get po
# Straight away a job is created to 'watch' the terraform workflow
$ kubectl -n apps logs -f <POD_ID>
# Check the module output
$ kubectl -n apps get secret test -o yaml
- Approve the plan
By default unless the spec.enableAutoApproval is true, all changes must be approved before acting on. An annotation is used to approve the previous plan.
$ kubectl -n apps annotate configurations.terraform.appvia.io bucket "terraform.appvia.io/apply"=true --overwrite
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
pkg
|
|
|
apis/core/v1alpha1
Package v1alpha1 contains API Schema definitions for the core v1alpha1 API group +k8s:deepcopy-gen=package,register +groupName=core.appvia.io
|
Package v1alpha1 contains API Schema definitions for the core v1alpha1 API group +k8s:deepcopy-gen=package,register +groupName=core.appvia.io |
|
apis/terraform/v1alpha1
Package v1alpha1 contains API Schema definitions for the terraform v1alpha1 API group +k8s:deepcopy-gen=package,register +groupName=terraform.appvia.io
|
Package v1alpha1 contains API Schema definitions for the terraform v1alpha1 API group +k8s:deepcopy-gen=package,register +groupName=terraform.appvia.io |
|
register
Package register generated by go-bindata.// sources: charts/crds/terraform.appvia.io_configurations.yaml charts/crds/terraform.appvia.io_policies.yaml charts/crds/terraform.appvia.io_providers.yaml deploy/webhooks/manifests.yaml
|
Package register generated by go-bindata.// sources: charts/crds/terraform.appvia.io_configurations.yaml charts/crds/terraform.appvia.io_policies.yaml charts/crds/terraform.appvia.io_providers.yaml deploy/webhooks/manifests.yaml |
Click to show internal directories.
Click to hide internal directories.