Announcing General Availability of the HashiCorp Terraform Cloud Operator for Kubernetes
The HashiCorp Terraform Strategic Integrations team is pleased to announce the General Availability of the HashiCorp Terraform Cloud Operator for Kubernetes.
We first announced this project in March 2020, and since then we’ve continued to expand the possibilities of what this operator can do. While the operator is still tailored to the idea of managing Terraform Cloud Workspaces through Kubernetes CustomResourceDefinitions (CRDs), we have taken steps to increase support for several features available via the Terraform Cloud API. Let’s take a look at the new features added since the alpha.
Visit the Terraform Cloud Operator for Kubernetes Learn tutorial for an interactive getting started experience.
» VCS Backed Workspaces
Connecting your version control system to Terraform Cloud is a powerful first step to enable your GitOps workflow with Terraform and Kubernetes. With the new VCS support in the Terraform Cloud Operator, you can specify your VCS configuration when synchronizing your Workspace via your custom resource configuration. The following demonstration walks you through the installation of the operator and configuration of a Workspace custom resource that connects a VCS repository to your Terraform Cloud Workspace to enable your GitOps pattern.
Here's the example Workspace Custom Resource that configures the integration between the demo
Workspace and the terraform-nullresource-example
repository.
# Your OAuth Token ID can be found at https://app.terraform.io/app/<your org>/settings/version-control
apiVersion: app.terraform.io/v1alpha1
kind: Workspace
metadata:
name: demo
spec:
organization: demo
secretsMountPath: "/tmp/secrets"
module:
source: "github.com/koikonom/terraform-nullresource-example"
vcs:
token_id: "ot-<your vcs oauth token ID>"
repo_identifier: "koikonom/terraform-nullresource-example"
ingress_submodules: false
variables:
- key: CONFIRM_DESTROY
value: "1"
sensitive: false
environmentVariable: true
outputs:
- key: pet
moduleOutputName: rofl
» Terraform Cloud Agents
Terraform Cloud Agents allow Terraform Cloud to communicate with isolated, private, or on-premises infrastructure. By deploying lightweight agents within a specific network segment, you can establish a simple connection between your environment and Terraform Cloud which allows for provisioning operations and management. This is useful for on-premises infrastructure types such as vSphere, Nutanix, OpenStack, enterprise networking providers, and anything you might have in a protected enclave. The latest release of the Terraform Cloud operator offers the ability to configure an agent pool with your Workspace custom resource. First, create your agent pool in Terraform Cloud and register your agents. Then, you can specify the agentPoolID
in your Workspace manifest to configure your workspace.
apiVersion: app.terraform.io/v1alpha1
kind: Workspace
metadata:
name: demo
spec:
organization: demo
secretsMountPath: "/tmp/secrets"
module:
source: "github.com/koikonom/terraform-nullresource-example"
agentPoolID: apool-<your agent pool ID>
variables:
- key: CONFIRM_DESTROY
value: "1"
sensitive: false
environmentVariable: true
outputs:
- key: pet
moduleOutputName: rofl
For more examples, visit our github repository: https://github.com/hashicorp/terraform-helm/tree/master/example.
Learn how to configure and use agents with the Manage Private Environments with Terraform Cloud Agents tutorial.
» Secure Outputs
In the 0.1.6.-alpha version released in November 2020, we migrated from the use of ConfigMaps to the use of Secrets for output storage. This change was made to ensure alignment with Kubernetes’ expectations of how potentially sensitive information should be stored. Note that if you are migrating from an older version of the operator, previously created ConfigMaps will not be automatically deleted by the operator and will require manual deletion. When the Workspace CR is installed, you will see a secret created in the namespace with the pattern <workspace-name>-outputs
, which contains the outputs of your Terraform Cloud run.
» Terraform Enterprise
The Terraform Cloud Operator for Kubernetes also supports Terraform Enterprise. By setting an optional TF_URL
environment variable on the operator's Deployment
, you can specify a Terraform Enterprise endpoint to use with your installation. The operator defaults to https://app.terraform.io
if TF_URL
is unset. The operator will examine the terraformrc.credentials
key for the hostname corresponding to TF_URL
. This behavior is consistent with hashicorp/go-tfe. Please refer to the values.yaml file for more information and options.
» Installation via Helm
With the general availability status of the Terraform Cloud Operator, the --devel
switch is no longer necessary to install the operator using Helm. Assuming you have the relevant inputs already available in your cluster, you may now install the operator directly from our Helm chart repository with the commands:
$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/terraform
$ helm install --namespace ${RELEASE_NAMESPACE} hashicorp/terraform --generate-name
More information about the inputs required and the Helm chart for the Terraform Cloud Operator is available on the hashicorp/terraform-helm GitHub repository.
» Upgrade to operator-sdk Major Version 1.x
While this change has minimal visible impact to the Terraform Cloud Operator user experience, it is important to highlight as a major step towards the general availability of the TFC Operator. In August 2020, the Operator SDK team announced the official release of the 1.0 version of the Operator SDK. The 1.0 release brought several breaking changes and enhancements in order to establish stability and maturity of the SDK. They announced the eventual goal of merging with the Kubebuilder project and becoming a single operator development experience.
Adopting the SDK version 1.0 involved a significant rewrite and reorganization of the Terraform Cloud Operator to align with the Kubebuilder project layout. The operator-sdk upgrade was the final step in bringing the Terraform Cloud Operator to general availability and is now complete, setting the TFC Operator on firmer footing for development in the future.
We would love to hear your feedback on these updates! You can post bugs and feature requests for the Terraform Cloud Operator for Kubernetes by opening an issue at hashicorp/terraform-k8s. You can also engage with us and the community on HashiCorp Discuss and in #terraform-providers on the Kubernetes Slack (Sign up here).
To discover more about managing Kubernetes with Terraform, review the guides on HashiCorp Learn.
Sign up for the latest HashiCorp news
More blog posts like this one
HCP Terraform adds run queue visibility and new ephemeral workspace features
HCP Terraform and Terraform Enterprise gain new features related to ephemeral workspaces along with run queue visibility for HCP Terraform specifically.
Automate AWS deployments with HCP Terraform and GitHub Actions
Learn how to use GitHub Actions to automate HCP Terraform operations.
Access AWS from HCP Terraform with OIDC federation
Securely access AWS from HCP Terraform using OIDC federation, eliminating the need to use access keys.