hashicorp/terraform-k8s hashicorp/terraform-k8s

  • Stars
    star
    449
  • Rank 93,565 (Top 2 %)
  • Language
    Go
  • License
    Mozilla Public Li...
  • Created over 4 years ago
  • Updated 5 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
hashicorp/terraform-k8s
github

hashicorp

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Terraform Cloud Operator for Kubernetes

📣 Terraform Cloud Operator v2 Beta 📣

We are working on a new version of the Terraform Cloud Operator for Kubernetes at hashicorp/terraform-cloud-operator. This new version of the operator will bring a cleaner set of CRDs and support for features such as Agent Pools and deploying agents, Run Tasks, and Workspace Notifications. If you would like to participate in our beta please see our installation instructions.

Terraform logo

Terraform Cloud Operator for Kubernetes

The Terraform Cloud Operator for Kubernetes provides first-class integration between Kubernetes and Terraform Cloud by extending the Kubernetes control plane to enable lifecycle management of cloud and on-prem infrastructure through Kubernetes manifests. Manifests can be deployed and managed using kubectl, Terraform, Gitops tools, or any other tool that allows you to manage Kubernetes custom resources.

This operator provides a unified way to manage a Kubernetes application and its infrastructure dependencies through a single Kubernetes CustomResourceDefinition (CRD). After the infrastructure dependencies are created, pertinent information such as endpoints and credentials are returned from Terraform Cloud to Kubernetes.

Use Case

  • Manage the lifecycle of cloud and on-prem infrastructure through a single Kubernetes custom resource
    • Install the operator from the corresponding Helm Chart to enable the management of infrastructure services from any Kubernetes cluster.
    • Provision and manage infrastructure from any provider, such as AWS, Azure, GCP, and any of the hundreds of other Terraform providers, to use them with your existing application configurations, through Terraform Cloud or Terraform Enterprise.
    • Deploy and Manage your Kubernetes and infrastructure resources in a single git repository, separate git repositories, or directly from a module in the Terraform Registry, to match your existing operating model.
    • Provide governance for your infrastructure resources using policy-as-code with OPA Gatekeeper and HashiCorp Sentinel.

You can read more about this project and its potential use cases on our blog.

Terraform also enables you to create and publish custom infrastructure providers through the Terraform SDK. Once you create a new Terraform provider, publish it to the Terraform Registry and then you can consume it with the operator.

Join us in the #terraform-providers channel on the Kubernetes Slack to discuss this, and other Terraform and Kubernetes projects (Sign up here).

Note: This project is versioned separately from Terraform. Supported Terraform versions must be version 0.12 or above. By versioning this project separately, we can iterate on Kubernetes integrations more quickly and release new versions without forcing Terraform users to do a full Terraform upgrade.

We take Terraform's security and our users' trust very seriously. If you believe you have found a security issue in the Terraform Cloud Operator for Kubernetes, please responsibly disclose by contacting us at [email protected].

Installation and Configuration

Namespace

Create the namespace where you will deploy the operator, Secrets, and Workspace resources.

$ kubectl create ns $NAMESPACE

Authentication

The operator must authenticate to Terraform Cloud. Note that the operator must run within the cluster, which means that it already handles Kubernetes authentication.

  1. Generate a Terraform Cloud Team API token at https://app.terraform.io/app/$ORGANIZATION/settings/teams, where $ORGANIZATION is your organization name.

  2. Create a file for storing the API token and open it in a text editor.

  3. Insert the generated token ($TERRAFORM_CLOUD_API_TOKEN) into the text file formatted for Terraform credentials.

    credentials app.terraform.io {
  token = "$TERRAFORM_CLOUD_API_TOKEN"
}

  4. Create a Kubernetes secret named terraformrc in the namespace. Reference the credentials file ($FILENAME) created in the previous step.

    $ kubectl create -n $NAMESPACE secret generic terraformrc --from-file=credentials=$FILENAME

    Ensure terraformrc is the name of the secret, as it is the default secret name defined under the Helm value syncWorkspace.terraformRC secretName in the values.yaml file.

If you have the free tier of Terraform Cloud, you will only be able to generate a token for the one team associated with your account. If you have a paid tier of Terraform Cloud, create a separate team for the operator with "Manage Workspaces" access.

Note that a Terraform Cloud Team API token is a broad-spectrum token. It allows the token holder to create workspaces and execute Terraform runs. You cannot limit the access it provides to a single workspace or role within a team. In order to support a first-class Kubernetes experience, security and access control to this token must be enforced by Kubernetes Role-Based Access Control (RBAC) policies.

Workspace Sensitive Variables

Sensitive variables in Terraform Cloud workspaces often take the form of credentials for cloud providers or API endpoints. They enable Terraform Cloud to authenticate against a provider and apply changes to infrastructure.

Create the secret for the namespace that contains all of the sensitive variables required for the workspace.

$ kubectl create -n $NAMESPACE secret generic workspacesecrets --from-literal=SECRET_KEY=$SECRET_KEY --from-literal=SECRET_KEY_2=$SECRET_KEY_2 ...

Ensure workspacesecrets is the name of the secret, as it is the default secret name defined under the Helm value syncWorkspace.sensitiveVariables.secretName in the values.yaml file.

In order to support a first-class Kubernetes experience, security and access control to these secrets must be enforced by Kubernetes Role-Based Access Control (RBAC) policies.

Terraform Version

By default, the operator will create a Terraform Cloud workspace with a pinned version of Terraform.

Override the Terraform version that will be set for the workspace by changing the Helm value syncWorkspace.terraformVersion to the Terraform version of choice.

Deploy the Operator

Use the Helm chart repository to deploy the Terraform Operator to the namespace you previously created.

$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/terraform
$ helm install --namespace ${NAMESPACE} hashicorp/terraform --generate-name

Create a Workspace

The Workspace CustomResource defines a Terraform Cloud workspace, including variables, Terraform module, and outputs.

Here are examples of Workspace CustomResource..

The Workspace Spec includes the following parameters:

  1. organization: The Terraform Cloud organization you would like to use.

  2. secretsMountPath: The file path defined on the operator deployment that contains the workspace's secrets.

Additional parameters are outlined below.

Modules

The Workspace will only execute Terraform configuration in a module. It will not execute *.tf files.

Information passed to the Workspace CustomResource will be rendered to a template Terraform configuration that uses the module block. Specify a module with remote source. Publicly available VCS repositories, the Terraform Registry, and private module registry are supported. In addition to source, specify a module version.

module:
  source: "hashicorp/hello/random"
  version: "3.1.0"

The above Kubernetes definition renders to the following Terraform configuration.

module "operator" {
  source = "hashicorp/hello/random"
  version = "3.1.0"
}

Variables

Variables for the workspace must equal the module's input variables. You can define Terraform variables in two ways:

  1. Inline

    variables:
  - key: hello
    value: world
    sensitive: false
    environmentVariable: false

  2. With a Kubernetes ConfigMap reference

    variables:
  - key: second_hello
    valueFrom:
      configMapKeyRef:
        name: say-hello
        key: to
    sensitive: false
    environmentVariable: false

The above Kubernetes definition renders to the following Terraform configuration.

variable "hello" {}

variable "second_hello" {}

module "operator" {
  source = "hashicorp/hello/random"
  version = "3.1.0"
  hello = var.hello
  second_hello = var.second_hello
}

The operator pushes the values of the variables to the Terraform Cloud workspace. For secrets, set sensitive to be true. The workspace sets them as write-only. Denote workspace environment variables by setting environmentVariable as true.

Sensitive variables should already be initialized as per Workspace Sensitive Variables. You can define them by setting sensitive: true. Do not define the value or use a ConfigMap reference, as the read from file will override the value you set.

variables:
  - key: AWS_SECRET_ACCESS_KEY
    sensitive: true
    environmentVariable: true

Apply an SSH key to the Workspace (optional)

SSH keys can be used to clone private modules. To apply an SSH key to the workspace, specify sshKeyID in the Workspace Custom Resource. The SSH key ID can be found in the Terraform Cloud API.

apiVersion: app.terraform.io/v1alpha1
kind: Workspace
metadata:
  name: $WORKSPACE
spec:
   sshKeyID: $SSHKEYID

Outputs

In order to retrieve Terraform outputs, specify the outputs section of the Workspace CustomResource. The key represents the output key you expect from terraform output and moduleOutputName denotes the module's output key name.

outputs:
  - key: my_pet
    moduleOutputName: pet

The above Kubernetes definition renders to the following Terraform configuration.

output "my_pet" {
  value = module.operator.pet
}

The values of the outputs can be consumed from two places:

  1. Kubernetes status of the workspace. 
    $ kubectl describe -n $NAMESPACE workspace $WORKSPACE_NAME
  2. ConfigMap labeled $WORKSPACE_NAME-outputs. Kubernetes deployments can consume these output values. 
    $ kubectl describe -n $NAMESPACE configmap $WORKSPACE_NAME-outputs

Deploy

Deploy the workspace after configuring its module, variables, and outputs.

$ kubectl apply -n $NAMESPACE -f workspace.yml

Update a Workspace

The following changes updates and executes new runs for the Terraform Cloud workspace:

  1. organization
  2. module source or version
  3. outputs
  4. Non-sensitive or ConfigMap reference variables.

Updates to sensitive variables will not trigger a new execution because sensitive variables are write-only for security purposes. The operator is unable to reconcile the upstream value of the secret with the value stored locally. Similarly, ConfigMap references do not trigger updates as the operator does not read the value for comparison.

After updating the configuration, re-deploy the workspace.

$ kubectl apply -n $NAMESPACE -f workspace.yml

Delete a Workspace

When deleting the Workspace CustomResource, the command line will wait for a few moments.

$ kubectl delete -n $NAMESPACE workspace.app.terraform.io/$WORKSPACE_NAME

This is because the operator is running a finalizer. The finalizer will execute before the workspace officially deletes in order to:

  1. Stop all runs in the workspace, including pending ones
  2. terraform destroy -auto-approve on resources in the workspace
  3. Delete the workspace.

Once the finalizer completes, Kubernetes deletes the Workspace CustomResource.

Debugging

Check the status and outputs of the workspace by examining its Kubernetes status. This provides the run ID and workspace ID to debug in the Terraform Cloud UI.

$ kubectl describe -n $NAMESPACE workspace $WORKSPACE_NAME

When workspace creation, update, or deletion fails, check errors by examining the logs of the operator.

$ kubectl logs -n $NAMESPACE $(kubectl get pods -n $NAMESPACE --selector "component=sync-workspace" -o jsonpath="{.items[0].metadata.name}")

If Terraform Cloud returns an error that the Terraform configuration is incorrect, examine the Terraform configuration at its ConfigMap.

$ kubectl describe -n $NAMESPACE configmap $WORKSPACE_NAME

Internals

Why create a namespace and secrets?

The Helm chart does not include secrets management or injection. Instead, it expects to find secrets mounted as volumes to the operator's deployment. This supports secrets management approaches in Kubernetes that use a volume mount for secrets.

In order to support a first-class Kubernetes experience, security and access control to these secrets must be enforced by Kubernetes Role-Based Access Control (RBAC) policies.

For the Terraform Cloud Team API token, the entire credentials file with the Terraform Cloud API Token is mounted to the filepath specified by TF_CLI_CONFIG_FILE. In an equivalent Kubernetes configuration, the following example creates a Kubernetes secret and mount it to the operator at the filepath specified by TF_CLI_CONFIG_FILE.

---
# not secure secrets management
apiVersion: apps/v1
kind: Secret
metadata:
  name: terraformrc
type: Opaque
data:
  credentials: |-
    credentials app.terraform.io {
      token = "$TERRAFORM_CLOUD_API_TOKEN"
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: terraform-k8s
spec:
  # some sections omitted for clarity
  template:
    metadata:
      labels:
        name: terraform-k8s
    spec:
      serviceAccountName: terraform-k8s
      containers:
        - name: terraform-k8s
          env:
            - name: TF_CLI_CONFIG_FILE
              value: "/etc/terraform/.terraformrc"
          volumeMounts:
          - name: terraformrc
            mountPath: "/etc/terraform"
            readOnly: true
      volumes:
        - name: terraformrc
          secret:
            secretName: terraformrc
            items:
            - key: credentials
              path: ".terraformrc"

Similar to the Terraform Cloud API Token, the Helm chart mounts them to the operator's deployment for use. It does not mount workspace sensitive variables to the Workspace Custom Resource. This ensures that only the operator has access to read and create sensitive variables as part of the Terraform Cloud workspace.

Examine the deployment in templates/sync-workspace-deployment.yaml. The deployment mounts a volume containing the sensitive variables. The file name is the secret's key and file contents is the secret's value. This supports secrets management approaches in Kubernetes that use a volume mount for secrets.

---
# not secure secrets management
apiVersion: apps/v1
kind: Secret
metadata:
  name: workspacesecrets
type: Opaque
data:
  AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
  GOOGLE_APPLICATION_CREDENTIALS: ${GOOGLE_APPLICATION_CREDENTIALS}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: terraform-k8s
spec:
  # some sections omitted for clarity
  template:
    metadata:
      labels:
        name: terraform-k8s
    spec:
      serviceAccountName: terraform-k8s
      containers:
        - name: terraform-k8s
          volumeMounts:
          - name: workspacesecrets
            mountPath: "/tmp/secrets"
            readOnly: true
      volumes:
        - name: workspacesecrets
          secret:
            secretName: workspacesecrets

Helm Chart

The Helm chart consists of several components. The Kubernetes configurations associated with the Helm chart are located under crds/ and templates/.

Custom Resource Definition

Helm starts by deploying the Custom Resource Definition for the Workspace. Custom Resource Definitions extend the Kubernetes API. It looks for definitions in the crds/ of the chart.

The Custom Resource Definition under crds/app.terraform.io_workspaces_crd.yaml defines that the Workspace Custom Resource schema.

Role-Based Access Control

In order to scope the operator to a namespace, Helm assigns a role and service account to the namespace. The role has access to Pods, Secrets, Services, and ConfigMaps. This configuration is located in templates/.

Namespace Scope

To ensure the operator does not have access to secrets or resource beyond the namespace, the Helm chart scopes the operator's deployment to a namespace.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: terraform-k8s
spec:
  # some sections omitted for clarity
  template:
    metadata:
      labels:
        name: terraform-k8s
    spec:
      serviceAccountName: terraform-k8s
      containers:
        - name: terraform-k8s
          command:
          - /bin/terraform-k8s
          - "--k8s-watch-namespace=$(POD_NAMESPACE)"
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace

When deploying, ensure that the namespace is passed into the --k8s-watch-namespace option. Otherwise, the operator will attempt to access across all namespaces (cluster scope).

More Repositories

1

terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
Go
40,845
star
2

vault

A tool for secrets management, encryption as a service, and privileged access management
Go
29,344
star
3

consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
Go
27,763
star
4

vagrant

Vagrant is a tool for building and distributing development environments.
Ruby
25,729
star
5

packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
Go
14,818
star
6

nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
Go
14,315
star
7

terraform-provider-aws

Terraform AWS provider
Go
9,438
star
8

raft

Golang implementation of the Raft consensus protocol
Go
7,383
star
9

serf

Service orchestration and management tool.
Go
5,692
star
10

go-plugin

Golang plugin system over RPC.
Go
4,874
star
11

hcl

HCL is the HashiCorp configuration language.
Go
4,827
star
12

waypoint

A tool to build, deploy, and release any application on any platform.
Go
4,789
star
13

terraform-cdk

Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
TypeScript
4,701
star
14

consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
Go
4,682
star
15

terraform-provider-azurerm

Terraform provider for Azure Resource Manager
Go
4,347
star
16

otto

Development and deployment made easy.
HTML
4,282
star
17

golang-lru

Golang LRU cache
Go
4,015
star
18

boundary

Boundary enables identity-based access management for dynamic infrastructure.
Go
3,762
star
19

memberlist

Golang package for gossip based membership and failure detection
Go
3,303
star
20

go-memdb

Golang in-memory database built on immutable radix trees
Go
2,937
star
21

next-mdx-remote

Load mdx content from anywhere through getStaticProps in next.js
TypeScript
2,245
star
22

terraform-provider-google

Terraform Google Cloud Platform provider
Go
2,213
star
23

go-multierror

A Go (golang) package for representing a list of errors as a single error.
Go
2,029
star
24

yamux

Golang connection multiplexing library
Go
2,003
star
25

envconsul

Launch a subprocess with environment variables using data from @HashiCorp Consul and Vault.
Go
1,967
star
26

go-retryablehttp

Retryable HTTP client in Go
Go
1,702
star
27

go-getter

Package for downloading things from a string URL using a variety of protocols.
Go
1,541
star
28

terraform-provider-kubernetes

Terraform Kubernetes provider
Go
1,538
star
29

best-practices

HCL
1,490
star
30

go-version

A Go (golang) library for parsing and verifying versions and version constraints.
Go
1,459
star
31

go-metrics

A Golang library for exporting performance and runtime metrics to external metrics systems (i.e. statsite, statsd)
Go
1,404
star
32

terraform-guides

Example usage of HashiCorp Terraform
HCL
1,324
star
33

setup-terraform

Sets up Terraform CLI in your GitHub Actions workflow.
JavaScript
1,238
star
34

mdns

Simple mDNS client/server library in Golang
Go
1,020
star
35

vault-guides

Example usage of HashiCorp Vault secrets management
Shell
990
star
36

terraform-provider-helm

Terraform Helm provider
Go
976
star
37

go-immutable-radix

An immutable radix tree implementation in Golang
Go
926
star
38

vault-helm

Helm chart to install Vault and other associated components.
Shell
904
star
39

terraform-ls

Terraform Language Server
Go
896
star
40

vscode-terraform

HashiCorp Terraform VSCode extension
TypeScript
870
star
41

levant

An open source templating and deployment tool for HashiCorp Nomad jobs
Go
822
star
42

vault-k8s

First-class support for Vault and Kubernetes.
Go
697
star
43

terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer
HCL
653
star
44

terraform-github-actions

Terraform GitHub Actions
Shell
618
star
45

terraform-exec

Terraform CLI commands via Go.
Go
608
star
46

terraform-provider-vsphere

Terraform Provider for VMware vSphere
Go
601
star
47

consul-k8s

First-class support for Consul Service Mesh on Kubernetes
Go
599
star
48

raft-boltdb

Raft backend implementation using BoltDB
Go
585
star
49

nextjs-bundle-analysis

A github action that provides detailed bundle analysis on PRs for next.js apps
JavaScript
539
star
50

go-discover

Discover nodes in cloud environments
Go
537
star
51

consul-replicate

Consul cross-DC KV replication daemon.
Go
504
star
52

next-mdx-enhanced

A Next.js plugin that enables MDX pages, layouts, and front matter
JavaScript
496
star
53

terraform-provider-kubernetes-alpha

A Terraform provider for Kubernetes that uses dynamic resource types and server-side apply. Supports all Kubernetes resources.
Go
493
star
54

docker-vault

Official Docker images for Vault
Shell
492
star
55

puppet-bootstrap

A collection of single-file scripts to bootstrap your machines with Puppet.
Shell
444
star
56

terraform-provider-vault

Terraform Vault provider
Go
431
star
57

cap

A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, LDAP
Go
426
star
58

consul-helm

Helm chart to install Consul and other associated components.
Shell
422
star
59

nomad-autoscaler

Nomad Autoscaler brings autoscaling to your Nomad workloads.
Go
411
star
60

damon

A terminal UI (TUI) for HashiCorp Nomad
Go
405
star
61

terraform-provider-azuread

Terraform provider for Azure Active Directory
Go
404
star
62

vault-ssh-helper

Vault SSH Agent is used to enable one time keys and passwords
Go
404
star
63

terraform-provider-scaffolding

Quick start repository for creating a Terraform provider
Go
402
star
64

docker-consul

Official Docker images for Consul.
Dockerfile
399
star
65

vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
Go
398
star
66

terraform-aws-consul

A Terraform Module for how to run Consul on AWS using Terraform and Packer
HCL
397
star
67

vault-action

A GitHub Action that simplifies using HashiCorp Vaultâ„¢ secrets as build variables.
JavaScript
391
star
68

terraform-plugin-sdk

Terraform Plugin SDK enables building plugins (providers) to manage any service providers or custom in-house solutions
Go
383
star
69

hil

HIL is a small embedded language for string interpolations.
Go
382
star
70

nomad-pack

Go
377
star
71

hcl2

Former temporary home for experimental new version of HCL
Go
375
star
72

errwrap

Errwrap is a Go (golang) library for wrapping and querying errors.
Go
373
star
73

learn-terraform-provision-eks-cluster

HCL
364
star
74

go-cleanhttp

Go
359
star
75

design-system

Helios Design System
TypeScript
358
star
76

logutils

Utilities for slightly better logging in Go (Golang).
Go
356
star
77

vault-ruby

The official Ruby client for HashiCorp's Vault
Ruby
336
star
78

vault-rails

A Rails plugin for easily integrating Vault secrets
Ruby
334
star
79

waypoint-examples

Example Apps that can be deployed with Waypoint
PHP
326
star
80

next-remote-watch

Decorated local server for next.js that enables reloads from remote data changes
JavaScript
325
star
81

go-hclog

A common logging package for HashiCorp tools
Go
307
star
82

terraform-config-inspect

A helper library for shallow inspection of Terraform configurations
Go
293
star
83

consul-haproxy

Consul HAProxy connector for real-time configuration
Go
279
star
84

nomad-guides

Example usage of HashiCorp Nomad
HCL
275
star
85

consul-esm

External service monitoring for Consul
Go
260
star
86

http-echo

A tiny go web server that echos what you start it with!
Makefile
257
star
87

vault-csi-provider

HashiCorp Vault Provider for Secret Store CSI Driver
Go
253
star
88

terraform-aws-nomad

A Terraform Module for how to run Nomad on AWS using Terraform and Packer
HCL
253
star
89

faas-nomad

OpenFaaS plugin for Nomad
Go
252
star
90

terraform-provider-google-beta

Terraform Google Cloud Platform Beta provider
Go
251
star
91

go-sockaddr

IP Address/UNIX Socket convenience functions for Go
Go
250
star
92

terraform-foundational-policies-library

Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. This repository contains a library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform.
HCL
233
star
93

vagrant-vmware-desktop

Official provider for VMware desktop products: Fusion, Player, and Workstation.
Go
225
star
94

nomad-driver-podman

A nomad task driver plugin for sandboxing workloads in podman containers
Go
219
star
95

go-tfe

Terraform Cloud/Enterprise API Client/SDK in Golang
Go
217
star
96

terraform-provider-awscc

Terraform AWS Cloud Control provider
HCL
213
star
97

boundary-reference-architecture

Example reference architecture for a high availability Boundary deployment on AWS.
HCL
206
star
98

nomad-pack-community-registry

A repo for Packs written and maintained by Nomad community members
HCL
205
star
99

terraform-plugin-framework

A next-generation framework for building Terraform providers.
Go
204
star
100

vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
Go
192
star