Save 10-15% Register for HashiConf and save big when you buy 2+ tickets Get your passes
Terraform
Terraform Home

HCP Terraform Operator for Kubernetes overview

The HCP Terraform Operator for Kubernetes allows you to manage HCP Terraform resources with Kubernetes custom resources. You can provision infrastructure internal or external to your Kubernetes cluster directly from the Kubernetes control plane.

The operator's CustomResourceDefinitions (CRD) let you dynamically create HCP Terraform workspaces with Terraform modules, populate workspace variables, and provision infrastructure with Terraform runs.

Key benefits

The HCP Terraform Operator for Kubernetes v2 offers several improvements over v1:

  • Flexible resource management: The operator now features multiple custom resources, each with separate controllers for different HCP Terraform resources. This provides additional flexibility and the ability to manage more custom resources concurrently, significantly improving performance for large-scale deployments.

  • Namespace management: The --namespace option allows you to tailor the operator's watch scope to specific namespaces, which enables more fine-grained resource management.

  • Configurable synchronization: The --sync-period option allows you to configure the synchronization frequency between custom resources and HCP Terraform, ensuring timely updates and smoother operations.

Supported HCP Terraform features

The HCP Terraform Operator for Kubernetes allows you to create agent pools, deploy modules, and manage workspaces through Kubernetes controllers. These controllers enable you to automate and manage HCP Terraform resources using custom resources in Kubernetes.

Agent pools

Agent pools in HCP Terraform manage the execution environment for Terraform runs. The HCP Terraform Operator for Kubernetes allows you to create and manage agent pools as part of your Kubernetes infrastructure.

The following example creates a new agent pool with the name agent-pool-development and generates an agent token with the name token-red.

---
apiVersion: app.terraform.io/v1alpha2
kind: AgentPool
metadata:
  name: my-agent-pool
spec:
  organization: kubernetes-operator
  token:
    secretKeyRef:
      name: tfc-operator
      key: token
  name: agent-pool-development
  agentTokens:
    - name: token-red

The operator stores the token-red agent token in a Kubernetes secret named my-agent-pool-token-red.

You can also enable agent autoscaling by providing a .spec.autoscaling configuration in your AgentPool specification.

---
apiVersion: app.terraform.io/v1alpha2
kind: AgentPool
metadata:
  name: this
spec:
  organization: kubernetes-operator
  token:
    secretKeyRef:
      name: tfc-operator
      key: token
  name: agent-pool-development
  agentTokens:
  - name: token-red
  agentDeployment:
   replicas: 1
  autoscaling:
    targetWorkspaces:
    - name: us-west-development
    - id: ws-NUVHA9feCXzAmPHx
    - wildcardName: eu-development-*
    minReplicas: 1
    maxReplicas: 3
    cooldownPeriod:
      scaleUpSeconds: 30
      scaleDownSeconds: 30

In the above example, the operator ensures that at least one agent pod is continuously running and dynamically scales the number of pods up to a maximum of three based on the workload or resource demand. The operator then monitors resource demands by observing the load of the designated workspaces specified by the name, id, or wildcardName patterns. When the workload decreases, the operator downscales the number of agent pods.

Refer to the agent pool API reference for the complete AgentPool specification.

Module

The Module controller enforces an API-driven Run workflow and lets you deploy Terraform modules within workspaces.

The following example deploys version 1.0.0 of the hashicorp/module/random module in the workspace-name workspace.

---
apiVersion: app.terraform.io/v1alpha2
kind: Module
metadata:
  name: my-module
spec:
  organization: kubernetes-operator
  token:
    secretKeyRef:
      name: tfc-operator
      key: token
  module:
    source: hashicorp/module/random
    version: 1.0.0
  workspace:
    name: workspace-name
  variables:
  - name: string_length
  outputs:
  - name: random_string

The operator passes the workspace's string_length variable to the module and stores the random_string outputs as either a Kubernetes secret or a ConfigMap. If the workspace marks the output as sensitive, the operator stores the random_string as a Kubernetes secret; otherwise, the operator stores it as a ConfigMap. The variables must be accessible within the workspace as a workspace variable, workspace variable set, or project variable set.

Refer to the module API reference for the complete Module specification.

Project

Projects let you organize your workspaces and scope access to workspace resources. The Project controller allows you to create, configure, and manage projects directly from Kubernetes.

The following example creates a new project named testing.

---
apiVersion: app.terraform.io/v1alpha2
kind: Project
metadata:
  name: testing
spec:
  organization: kubernetes-operator
  token:
    secretKeyRef:
      name: tfc-operator
      key: token
  name: project-demo

The Project controller allows you to manage team access permissions.

The following example creates a project named testing and grants the qa team admin access to the project.

---
apiVersion: app.terraform.io/v1alpha2
kind: Project
metadata:
  name: testing
spec:
  organization: kubernetes-operator
  token:
    secretKeyRef:
      name: tfc-operator
      key: token
  name: project-demo
  teamAccess:
  - team:
      name: qa
    access: admin

Refer to the project API reference for the complete Project specification.

Workspace

HCP Terraform workspaces organize and manage Terraform configurations. The HCP Terraform Operator for Kubernetes allows you to create, configure, and manage workspaces directly from Kubernetes.

The following example creates a new workspace named us-west-development, configured to use Terraform version 1.6.2. This workspace has two variables, nodes and rds-secret. The variable rds-secret is treated as sensitive, and the operator reads the value for the variable from a Kubernetes secret named us-west-development-secrets.

---
apiVersion: app.terraform.io/v1alpha2
kind: Workspace
metadata:
  name: us-west-development
spec:
  organization: kubernetes-operator
  token:
    secretKeyRef:
      name: tfc-operator
      key: token
  name: us-west-development
  description: US West development workspace
  terraformVersion: 1.6.2
  applyMethod: auto
  agentPool:
    name: ap-us-west-development
  terraformVariables:
    - name: nodes
      value: 2
    - name: rds-secret
      sensitive: true
      valueFrom:
        secretKeyRef:
          name: us-west-development-secrets
          key: rds-secret
  runTasks:
    - name: rt-us-west-development
      stage: pre_plan

In the above example, the applyMethod has the value of auto, so HCP Terraform automatically applies any changes to this workspace. The specification also configures the workspace to use the ap-us-west-development agent pool and run the rt-us-west-development run task at the pre_plan stage.

The operator stores the value of the workspace outputs as Kubernetes secrets or ConfigMaps. If the outputs are marked as sensitive, they are stored as Kubernetes secrets, otherwise they are stored as ConfigMaps.

Note: The operator rolls back any external modifications made to the workspace to match the state specified in the custom resource definition.

Refer to the workspace API reference for the complete Workspace specification.

Edit this page on GitHub