The following is a list of configurable parameters of the Terraform
CRD. A brief description about each parameter will be defined here. Fore more in-depth details about the features, see Core Concepts.
TerraformSpec v1alpha1 tf
Field | Description |
---|---|
terraformModule string |
A remote URL to fetch the Terraform module. The URL uses a variation of Terraform’s “Module Source” URL-like syntax. This value will be parsed into all the components of an address, like host , port , path , scheme , etc. See ParsedAddress for a detailed explanation the parser. |
terraformModuleConfigMap ConfigMapSelector |
Mount a ConfigMap as the Terraform module. |
terraformModuleInline string |
Write the terraform module as a string. |
terraformVersion string |
the Terraform version to use for the module. Defaults to 1.1.3 |
terraformRunnerExecutionScriptConfigMap ConfigMapKeySelector |
Allows the user to define a custom script for the Terraform Runner pod. The custom-script replaces the default script executed by the image. |
scriptRunnerExecutionScriptConfigMap ConfigMapKeySelector |
Allows the user to define a custom script for the Script Runner pod. The custom-script replaces the default script executed by the image. |
setupRunnerExecutionScriptConfigMap ConfigMapKeySelector |
Allows the user to define a custom script for the Setup Runner pod. The custom-script replaces the default script executed by the image. |
keepLatestPodsOnly boolean |
When true will keep only the pods that match the current generation of the terraform k8s-resource. This overrides the behavior of keepCompletedPods . |
keepCompletedPods boolean |
When true will keep completed pods. Default is false and completed pods are removed. |
cleanupDisk boolean |
CleanupDisk will clear out previous terraform run data from the persistent volume. |
persistentVolumeSize string |
Define the size of the disk used to store terraform run data. If not defined, a default of “2Gi” is used. |
runnerRules PolicyRule |
RunnerRules are RBAC rules that will be added to all runner pods. |
runnerLabels object |
RunnerLabels is an unstructured key value map of labels that will be added to all runner pods. |
runnerAnnotations object |
RunnerAnnotations is an unstructured key value map of annotations that will be added to all runner pods. |
outputsSecret string |
OutputsSecret will create a secret with the outputs from the terraform module. All outputs from the module will be written to the secret unless the user defines “outputsToInclude” or “outputsToOmit”. |
outputsToInclude string array |
A whitelist of the terraform module’s outputs to save to the OutputsSecret or TerraformStatus |
outputsToOmit string array |
A blacklist of the terraform module’s outputs to omit when writing the to the OutputsSecret or TerraformStatus |
writeOutputsToStatus boolean |
When true the terraform module’s outputs get written to the TerraformStatus |
scriptRunnerVersion string |
The tag of the Script Runner image. |
setupRunnerVersion string |
The tag of the Setup Runner image. |
terraformRunner string |
The repo of the Terraform Runner image. |
scriptRunner string |
The repo of the Script Runner image. |
setupRunner string |
The repo of the Setup Runner image. |
terraformRunnerPullPolicy string |
The pullPolicy for the Terraform Runner pod. |
scriptRunnerPullPolicy string |
The pullPolicy for the Script Runner pod. |
setupRunnerPullPolicy string |
The pullPolicy for the Setup Runner pod. |
resourceDownloads ResourceDownload array |
ResourceDownloads defines other files to download into a path relative to the terraform module’s directory. The tfvar type is a special file that does not get added into the terraform module’s directory. The tfvar type gets added to a special directory and gets utilized when making the “terraform plan”. The tfvar special directory is also used by the Export Repo feature. |
env EnvVar array |
Define environment variables used by all workflow runners. A common use case is the TF_VAR_ prefixed variables that get consumed in the “terraform plan”. TF_VAR_ prefixed variables are also utilized by the Export Repo feature. |
serviceAccount string |
Use a specific kubernetes ServiceAccount for workflow runner pods. If not specified, a new ServiceAccount is created per generation. |
credentials Credentials array |
Credentials generally used for Terraform providers |
ignoreDelete boolean |
Bypass the finalization process in order to remove the Terraform resource from kubernetes without running any delete jobs. |
customBackend string |
Configure the terraform backend by writing an inline Terraform Backend Configuration. If this field is omitted, a default consul backend configuration will be used, which will require a consul installation into the cluster. |
exportRepo ExportRepo |
Consolidate and save the “tfvar"s to a single file, then export the file to a remote github repo. Specify the repo and the path and the Export Runner will run after the setup phase. |
preInitScript string |
A script, written as an inline yaml string, that will run before “terraform init”. “pre* ” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
postInitScript string |
A script, written as an inline yaml string, that will run after “terraform init”. “post* ” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
prePlanScript string |
A script, written as an inline yaml string, that will run before “terraform plan”. “pre* ” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
postPlanScript string |
A script, written as an inline yaml string, that will run after “terraform plan”. “post* ” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
preApplyScript string |
A script, written as an inline yaml string, that will run before “terraform apply”. “pre* ” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
postApplyScript string |
A script, written as an inline yaml string, that will run after “terraform apply”. “post* ” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
preInitDeleteScript string |
A script, written as an inline yaml string, that will run before “terraform init”. “pre* ” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
postInitDeleteScript string |
A script, written as an inline yaml string, that will run after “terraform init”. “post* ” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
prePlanDeleteScript string |
A script, written as an inline yaml string, that will run before “terraform plan -destroy”. “pre* ” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
postPlanDeleteScript string |
A script, written as an inline yaml string, that will run after “terraform plan -destroy”. “post* ” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
preApplyDeleteScript string |
A script, written as an inline yaml string, that will run before “terraform apply”. “pre* ” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
postApplyDeleteScript string |
A script, written as an inline yaml string, that will run after “terraform apply”. “post* ” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s $HOME directory, will persist for the next stage in the workflow. |
sshTunnel ProxyOpts |
SSHTunnel can be defined for pulling from scm sources that cannot be accessed by the network the operator/runner runs in. An example is trying to reach an Enterprise Github server running on a private network. |
scmAuthMethods SCMAuthMethod array |
A SCMAuthMethod is used to select the kubernetes secrets that provide the passwords, tokens or ssh-keys required to access private servers and repos. The actual creation of the kubernetes secret is not handled by Terraform Operator. |
ResourceDownload v1alpha1 tf
Field | Description |
---|---|
address string |
Source url of resources to fetch. The URL uses a variation of Terraform’s “Module Source” URL-like syntax. This value will be parsed into all the components of an address, like host , port , path , scheme , etc. See ParsedAddress for a detailed explanation the parser. |
path string |
When defined, the downloaded resource(s) will be added to this path relative to the main module directory. |
useAsVar boolean |
Add the downloaded resource file as a tfvar via the -var-file flag of the “terraform plan” command. The downloaded resource must not be a directory. |
Credentials v1alpha1 tf
Field | Description |
---|---|
secretNameRef SecretNameRef |
Load environment variables into the workflow runner pods from a kubernetes Secret. |
awsCredentials AWSCredentials |
Methods to load AWS-specific credentials into the workflow runner pods. If using AWS_ACCESS_KEY_ID and/or environment variables for credentials, use the secretNameRef instead. For IRSA, using the serviceAccountAnnotations to add the expected eks.amazonaws.com/role-arn is effectively the same thing. |
serviceAccountAnnotations object |
ServiceAccountAnnotations is an unstructured key value map of annotations that is added to the kubernetes ServiceAccount that gets mounted by the workflow runner pods. Cloud IAM roles, such as Workload Identity on GCP and IRSA on AWS use this method of providing credentials to pods without haven’t to manage secrets on the cluster. |
ExportRepo v1alpha1 tf
Field | Description |
---|---|
address string |
Destination url of the repo to push tfvar and config files. The URL uses a variation of Terraform’s “Module Source” URL-like syntax. This value will be parsed into all the components of an address, like host , port , path , scheme , etc. See ParsedAddress for a detailed explanation the parser. |
tfvarsFile string |
The full path, including the directories and filename, relative to the root of the repo. The suffix of the file is not automatically added, so manually include the .tfvars file if desired. |
confFile string |
The full path, including the directories and filename, relative to the root of the repo. The suffix of the file is not automatically added, so manually include the .conf file if desired. |
retryOnFailure boolean |
Sets the export pod’s restartPolicy to “OnFailure” |
gitUsername string |
The name of the user who pushes to git. This name is typically an automation user and probably the user whose token or sshkey is configured in SCMAuthMethod |
gitEmail string |
The email of the user who pushes to git. This email is typically an automation user and probably the user whose token or sshkey is configured in SCMAuthMethod |
ProxyOpts v1alpha1 tf
Field | Description |
---|---|
host string |
The host name or ip-address of the ssh tunnel host. |
user string |
The username that can access the ssh tunnel host for the configured secret. |
sshKeySecretRef SSHKeySecretRef |
Specifies the kubernetes Secret where a SSH key is stored. |
SCMAuthMethod v1alpha1 tf
Field | Description |
---|---|
host string |
The host where private repos or servers are stored. |
git GitSCM |
Configuration options for auth methods of git. |
GitSCM v1alpha1 tf
Field | Description |
---|---|
ssh GitSSH |
SSH options for accessing git over ssh. |
https GitHTTPS |
HTTPS options for access git over https. |
GitSSH v1alpha1 tf
Field | Description |
---|---|
requireProxy boolean |
Specifies if the target host of the SCMAuthMethod requires a proxy to access. If true, the configured SSHTunnel is the proxy used. |
sshKeySecretRef SSHKeySecretRef |
Specifies the kubernetes Secret where a SSH key is stored. |
GitHTTPS v1alpha1 tf
Field | Description |
---|---|
requireProxy boolean |
Specifies if the target host of the SCMAuthMethod requires a proxy to access. If true, the configured SSHTunnel is the proxy used. |
tokenSecretRef TokenSecretRef |
Specifies the kubernetes Secret where a token key is stored. |
ConfigMapSelector v1alpha1 tf
Field | Description |
---|---|
name string |
Name of a ConfigMap |
key string |
The key to select |
SecretNameRef v1alpha1 tf
Field | Description |
---|---|
name string |
Name of a kubernetes Secret |
namespace string |
The namespace the secret is in. Omitting will select the same namespace as the resource |
key string |
The key to select |
SSHKeySecretRef v1alpha1 tf
Field | Description |
---|---|
name string |
Name of a kubernetes Secret |
namespace string |
The namespace the secret is in. Omitting will select the same namespace as the resource |
key string |
The key to select |
TokenSecretRef v1alpha1 tf
Field | Description |
---|---|
name string |
Name of a kubernetes Secret |
namespace string |
The namespace the secret is in. Omitting will select the same namespace as the resource |
key string |
The key to select |
AWSCredentials v1alpha1 tf
Field | Description |
---|---|
irsa string |
When defined will add the special IRSA annotation to the kubernetes ServiceAccount that get added to workflow runner pods. Using the serviceAccountAnnotations to add the expected eks.amazonaws.com/role-arn is effectively the same thing. |
kiam string |
When defined will add the special KIAM annotation to the workflow runner pods. Using runnerAnnotations to add the expected iam.amazonaws.com/role is effectively the same thing. |
TerraformStatus v1alpha1 tf
Field | Description |
---|
Kubernetes APIs
Some APIs used by Terraform Operator are adopted from Kubernetes itself. Below are the relevant APIs used by the Terraform CRD.
EnvVar v1 core
Field | Description |
---|---|
name string |
Name of the environment variable. Must be a C_IDENTIFIER. |
value string |
Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to “”. |
valueFrom EnvVarSource |
Source for the environment variable’s value. Cannot be used if value is not empty. |
ConfigMapKeySelector v1 core
Field | Description |
---|---|
name string |
Name of a ConfigMap |
key string |
The key to select |
PolicyRule v1 rbac.authorization.k8s.io
Field | Description |
---|---|
apiGroups string array |
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. |
nonResourceURLs string array |
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as “pods” or “secrets”) or non-resource URL paths (such as “/api”), but not both. |
resourceNames string array |
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. |
resources string array |
Resources is a list of resources this rule applies to. ResourceAll represents all resources. |
verbs string array |
Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds. |
Other articles in this section: