Terraform
Set up the HCP Terraform Operator for Kubernetes
The HCP Terraform Operator for Kubernetes' CustomResourceDefinitions (CRD) allow you to dynamically create HCP Terraform workspaces with Terraform modules, populate workspace variables, and provision infrastructure with Terraform runs.
You can install the operator with the official HashiCorp Helm chart.
Prerequisites
All HCP Terraform users can use the HCP Terraform Operator for Kubernetes. You can use the operator to manage the supported features that your organization's pricing tier enables.
Networking requirements
The HCP Terraform Operator for Kubernetes makes outbound requests over HTTPS (TCP port 443) to the HCP Terraform application APIs. This may require perimeter networking as well as container host networking changes, depending on your environment. Refer to HCP Terraform IP Ranges for more information about IP ranges. Below, we list the services that run on specific IP ranges.
| Hostname | Port/Protocol | Directionality | Purpose |
|---|---|---|---|
app.terraform.io | tcp/443, HTTPS | Outbound | Dynamically managing HCP Terraform workspaces and returning the output to Kubernetes with the HCP Terraform API |
For self-managed Terraform Enterprise instances, ensure that the operator can reach your Terraform Enterprise hostname over HTTPS (TCP port 443).
Compatibility
The HCP Terraform Operator for Kubernetes supports the following versions:
- Helm 3.0.1 and above
- Kubernetes 1.15 and above
Install and configure
Sign in to HCP Terraform or Terraform Enterprise and navigate to the organization you want to integrate with Kubernetes.
Generate an organization token within HCP Terraform or Terraform Enterprise and save it to a file. These instructions assume you are using a file named
credentials.Set the
NAMESPACEenvironment variable. This will be the namespace that you will install the Helm chart to.export NAMESPACE=tfc-operator-systemCreate the namespace.
kubectl create namespace $NAMESPACECreate a Kubernetes Secret with the HCP Terraform API credentials.
kubectl -n $NAMESPACE create secret generic terraformrc --from-file=credentialsAdd sensitive variables, such as your cloud provider credentials, to the namespace.
kubectl -n $NAMESPACE create secret generic workspacesecrets --from-literal=secret_key=abc123Add the HashiCorp Helm repository.
helm repo add hashicorp https://helm.releases.hashicorp.comInstall the HCP Terraform Operator for Kubernetes with Helm. By default, the operator communicates with
app.terraform.io. When deploying in a self-managed Terraform Enterprise, it is required to set theoperator.tfeAddressto the specific hostname of the Terraform Enterprise instance.For HCP Terraform Cloud (default)
helm install --namespace ${RELEASE_NAMESPACE} hashicorp/hcp-terraform-operator tfc-operator
For self-managed Terraform Enterprise, specify your instance's hostname
helm install --namespace ${RELEASE_NAMESPACE} hashicorp/hcp-terraform-operator tfc-operator \ --set operator.tfeAddress="TERRAFORM_ENTERPRISE_HOSTNAME"
Alternatively, you can set this configuration in the value.yaml file.
operator: tfeAddress: <TERRAFORM_ENTERPRISE_HOSTNAME>Then, apply the configuration with.
helm install --namespace ${NAMESPACE} hashicorp/hcp-terraform-operator tfc-operator -f value.yaml
To create a Terraform workspace, agent pool or etc, you can find different examples of the YAML manifests.
Upgrade
When a new version of the HCP Terraform Operator for Kubernetes Helm Chart is available from the HashiCorp Helm repository, you can upgrade with the following command.
helm upgrade --namespace ${RELEASE_NAMESPACE} hashicorp/hcp-terraform-operator tfc-operator