Rohith Jayawardene, May 11, 2022
Kubernetes has been brilliant at delivering an ecosystem for developers, improving the velocity of shipping, bringing components under a common framework and DSL, coupled with the flexibility to expand and extend the offering. And so it beggars belief that speaking to customers, application dependencies and consumption is still a major bottleneck to progress, with teams blocked waiting on that database, queue, object store and so forth.
Thing is …
While the terraform-controller isn’t trying to solve all those issues, it’s a step in the right direction.
Give it a try!
The quickest way to get up and running is via the Helm chart.
a. Deploy the controller
$ git clone email@example.com:appvia/terraform-controller.git $ cd terraform-controller # kind create cluster $ helm install -n terraform-system terraform-controller charts/ --create-namespace $ kubectl -n terraform-system get po
b. Configure credentials for developers
# The following assumes you are using static credentials. For managed pod identity see the docs: https://github.com/appvia/terraform-controller/blob/master/docs/providers.md $ kubectl -n terraform-system create secret generic aws --from-literal=AWS_ACCESS_KEY_ID=<ID> --from-literal=AWS_SECRET_ACCESS_KEY=<SECRET> --from-literal=AWS_REGION=<REGION> $ kubectl -n terraform-system apply -f examples/provider.yaml
c. Create your first configuration
$ kubectl create namespace apps # NOTE: Make sure to change the bucket name in examples/configuration.yaml (spec.variables.bucket) $ vim examples/configuration.yaml $ kubectl -n apps apply -f examples/configuration.yaml # Check the module output $ kubectl -n apps get secret test -o yaml
With Infracosts already integrated one idea is to introduce control over budgets. Though it wouldn’t directly enforce costs, and some resources are usage based (i.e. an s3 bucket is free, but dump 10TB inside and it costs a lot). It could be a lightweight means of capturing costs, allowing developers to play / tune their dependencies and foster a better understanding on cost.
constraints: budgets: # Allow monthly spend of up to 100 dollars within each namespace for cloud resources - namespaces: matchExpressions: - key: kubernetes.io/metadata.name operator: Exists budget: 100 # Allow monthly spend of up to 500 dollars for namespaces with project cost center code PK-101 - namespaces: matchExpression: - key: company.com/costcode: operator: In values: [PK-101] budget: 500
Integrate Checkov into the pipeline and allow Platform Engineers the ability to drive policy from above.
constraints: checkov: source: https://github.com/<ORG>/<POLICY-REPO>.git?ref=v1.2.0 secretRef: name: policy-sshkey
Note: while acting as a barrier, it’s very late in the game if this is applied against a production workload and not really following a shift-left approach. It is definitely worth reading our Policy As (Versioned) Code (PaC) blog for a coupled approach (i.e. using your same PaC repository in your Terraform module CI workflows prior to publishing versions, as well as enforced within the Cluster at deployment time).
Update: This has been completed and is available from v0.1.1 onwards: https://github.com/appvia/terraform-controller/releases/tag/v0.1.1
This is by no means meant to be an exclusive list or comparison, there’s plenty of blogs a Google search away for that, but it’s worth highlighting a few notable projects out there.
Now an incubating project on the CNCF, Crossplane is an interesting project and plays well into the bric-a-brac approach loved by us DevOps. In a gist, it’s composed of managed resources (think terraform resources) which are packaged up into “Compositions” (think opinionated collection of terraform modules) and presented back to the Application Developer as a consumable CRD. Initially trying to replicate the breadth of Terraforms cloud support, it recently joined the club with its Terrajet project, which codegens controllers from Terraform providers.
Probably the first google hit when typing terraform controller. The project works in a similar approach – coordinating a series of workflows via Kubernetes jobs and mapping those to “terraform init” and “terraform apply”.
Watch this space for a “hello world” example using the Terraform controller, and check out the following for more info: