Set up the HCP Terraform Operator for Kubernetes

The HCP Terraform Operator for Kubernetes' CustomResourceDefinitions (CRD) allow you to dynamically create HCP Terraform workspaces with Terraform modules, populate workspace variables, and provision infrastructure with Terraform runs.

You can install the operator with the official HashiCorp Helm chart.

Prerequisites

All HCP Terraform users can use the HCP Terraform Operator for Kubernetes. You can use the operator to manage the supported features that your organization's pricing tier enables.

Networking requirements

The HCP Terraform Operator for Kubernetes makes outbound requests over HTTPS (TCP port 443) to the HCP Terraform application APIs. This may require perimeter networking as well as container host networking changes, depending on your environment. Refer to HCP Terraform IP Ranges for more information about IP ranges. Below, we list the services that run on specific IP ranges.

Hostname	Port/Protocol	Directionality	Purpose
`app.terraform.io`	tcp/443, HTTPS	Outbound	Dynamically managing HCP Terraform workspaces and returning the output to Kubernetes with the HCP Terraform API

For self-managed Terraform Enterprise instances, ensure that the operator can reach your Terraform Enterprise hostname over HTTPS (TCP port 443).

Compatibility

The HCP Terraform Operator for Kubernetes supports the following versions:

Helm 3.0.1 and above
Kubernetes 1.15 and above

Install and configure

Sign in to HCP Terraform or Terraform Enterprise and navigate to the organization you want to integrate with Kubernetes.
Generate an organization token within HCP Terraform or Terraform Enterprise and save it to a file. These instructions assume you are using a file named credentials.
Set the NAMESPACE environment variable. This will be the namespace that you will install the Helm chart to.
```
export NAMESPACE=tfc-operator-system
```
Create the namespace.
```
kubectl create namespace $NAMESPACE
```

Create a Kubernetes Secret with the HCP Terraform API credentials.

kubectl -n $NAMESPACE create secret generic terraformrc --from-file=credentials

Add sensitive variables, such as your cloud provider credentials, to the namespace.

kubectl -n $NAMESPACE create secret generic workspacesecrets --from-literal=secret_key=abc123

Add the HashiCorp Helm repository.

helm repo add hashicorp https://helm.releases.hashicorp.com

Install the HCP Terraform Operator for Kubernetes with Helm. By default, the operator communicates with HCP Terraform at app.terraform.io. The following example command installs the Helm chart for HCP Terraform:
```
$ helm install --namespace ${RELEASE_NAMESPACE} hashicorp/hcp-terraform-operator tfc-operator
```
When deploying in self-managed Terraform Enterprise, you must set the operator.tfeAddress to the specific hostname of the Terraform Enterprise instance:
```
$ helm install --namespace ${RELEASE_NAMESPACE} hashicorp/hcp-terraform-operator tfc-operator \
--set operator.tfeAddress="TERRAFORM_ENTERPRISE_HOSTNAME"
```
Alternatively, you can set the tfeAddress configuration for Terraform Enterprise in the value.yaml file.
```
operator:
  tfeAddress: <TERRAFORM_ENTERPRISE_HOSTNAME>
```
Run the following command to apply the value.yaml file:
```
$ helm install --namespace ${NAMESPACE} hashicorp/hcp-terraform-operator tfc-operator -f value.yaml
```
To create a Terraform workspace, agent pool, or other object, refer to the example YAML manifests in the operator repository on GitHub.

Upgrade

When a new version of the HCP Terraform Operator for Kubernetes Helm Chart is available from the HashiCorp Helm repository, you can upgrade with the following command.

helm upgrade --namespace ${RELEASE_NAMESPACE} hashicorp/hcp-terraform-operator tfc-operator