HCP Terraform Operator for Kubernetes overview
The HCP Terraform Operator for Kubernetes allows you to manage HCP Terraform resources with Kubernetes custom resources. You can provision infrastructure internal or external to your Kubernetes cluster directly from the Kubernetes control plane.
The operator's CustomResourceDefinitions (CRD) let you dynamically create HCP Terraform workspaces with Terraform modules, populate workspace variables, and provision infrastructure with Terraform runs.
Key benefits
The HCP Terraform Operator for Kubernetes v2 offers several improvements over v1:
Flexible resource management: The operator now features multiple custom resources, each with separate controllers for different HCP Terraform resources. This provides additional flexibility and the ability to manage more custom resources concurrently, significantly improving performance for large-scale deployments.
Namespace management: The
--namespace
option allows you to tailor the operator's watch scope to specific namespaces, which enables more fine-grained resource management.Configurable synchronization: The
--sync-period
option allows you to configure the synchronization frequency between custom resources and HCP Terraform, ensuring timely updates and smoother operations.
Supported HCP Terraform features
The HCP Terraform Operator for Kubernetes allows you to create agent pools, deploy modules, and manage workspaces through Kubernetes controllers. These controllers enable you to automate and manage HCP Terraform resources using custom resources in Kubernetes.
Agent pools
Agent pools in HCP Terraform manage the execution environment for Terraform runs. The HCP Terraform Operator for Kubernetes allows you to create and manage agent pools as part of your Kubernetes infrastructure.
The following example creates a new agent pool with the name agent-pool-development
and generates an agent token with the name token-red
.
---apiVersion: app.terraform.io/v1alpha2kind: AgentPoolmetadata: name: my-agent-poolspec: organization: kubernetes-operator token: secretKeyRef: name: tfc-operator key: token name: agent-pool-development agentTokens: - name: token-red
The operator stores the token-red
agent token in a Kubernetes secret named my-agent-pool-token-red
.
You can also enable agent autoscaling by providing a .spec.autoscaling
configuration in your AgentPool
specification.
---apiVersion: app.terraform.io/v1alpha2kind: AgentPoolmetadata: name: thisspec: organization: kubernetes-operator token: secretKeyRef: name: tfc-operator key: token name: agent-pool-development agentTokens: - name: token-red agentDeployment: replicas: 1 autoscaling: targetWorkspaces: - name: us-west-development - id: ws-NUVHA9feCXzAmPHx - wildcardName: eu-development-* minReplicas: 1 maxReplicas: 3 cooldownPeriod: scaleUpSeconds: 30 scaleDownSeconds: 30
In the above example, the operator ensures that at least one agent pod is continuously running and dynamically scales the number of pods up to a maximum of three based on the workload or resource demand. The operator then monitors resource demands by observing the load of the designated workspaces specified by the name
, id
, or wildcardName
patterns. When the workload decreases, the operator downscales the number of agent pods.
Refer to the agent pool API reference for the complete AgentPool
specification.
Module
The Module
controller enforces an API-driven Run workflow and lets you deploy Terraform modules within workspaces.
The following example deploys version 1.0.0
of the hashicorp/module/random
module in the workspace-name
workspace.
---apiVersion: app.terraform.io/v1alpha2kind: Modulemetadata: name: my-modulespec: organization: kubernetes-operator token: secretKeyRef: name: tfc-operator key: token module: source: hashicorp/module/random version: 1.0.0 workspace: name: workspace-name variables: - name: string_length outputs: - name: random_string
The operator passes the workspace's string_length
variable to the module and stores the random_string
outputs as either a Kubernetes secret or a ConfigMap. If the workspace marks the output as sensitive
, the operator stores the random_string
as a Kubernetes secret; otherwise, the operator stores it as a ConfigMap. The variables must be accessible within the workspace as a workspace variable, workspace variable set, or project variable set.
Refer to the module API reference for the complete Module
specification.
Project
Projects let you organize your workspaces and scope access to workspace resources. The Project
controller allows you to create, configure, and manage projects directly from Kubernetes.
The following example creates a new project named testing
.
---apiVersion: app.terraform.io/v1alpha2kind: Projectmetadata: name: testingspec: organization: kubernetes-operator token: secretKeyRef: name: tfc-operator key: token name: project-demo
The Project
controller allows you to manage team access permissions.
The following example creates a project named testing
and grants the qa
team admin access to the project.
---apiVersion: app.terraform.io/v1alpha2kind: Projectmetadata: name: testingspec: organization: kubernetes-operator token: secretKeyRef: name: tfc-operator key: token name: project-demo teamAccess: - team: name: qa access: admin
Refer to the project API reference for the complete Project
specification.
Workspace
HCP Terraform workspaces organize and manage Terraform configurations. The HCP Terraform Operator for Kubernetes allows you to create, configure, and manage workspaces directly from Kubernetes.
The following example creates a new workspace named us-west-development
, configured to use Terraform version 1.6.2
. This workspace has two variables, nodes
and rds-secret
. The variable rds-secret
is treated as sensitive, and the operator reads the value for the variable from a Kubernetes secret named us-west-development-secrets
.
---apiVersion: app.terraform.io/v1alpha2kind: Workspacemetadata: name: us-west-developmentspec: organization: kubernetes-operator token: secretKeyRef: name: tfc-operator key: token name: us-west-development description: US West development workspace terraformVersion: 1.6.2 applyMethod: auto agentPool: name: ap-us-west-development terraformVariables: - name: nodes value: 2 - name: rds-secret sensitive: true valueFrom: secretKeyRef: name: us-west-development-secrets key: rds-secret runTasks: - name: rt-us-west-development stage: pre_plan
In the above example, the applyMethod
has the value of auto
, so HCP Terraform automatically applies any changes to this workspace. The specification also configures the workspace to use the ap-us-west-development
agent pool and run the rt-us-west-development
run task at the pre_plan
stage.
The operator stores the value of the workspace outputs as Kubernetes secrets or ConfigMaps. If the outputs are marked as sensitive
, they are stored as Kubernetes secrets, otherwise they are stored as ConfigMaps.
Note: The operator rolls back any external modifications made to the workspace to match the state specified in the custom resource definition.
Refer to the workspace API reference for the complete Workspace
specification.