The following is a list of configurable parameters of the Terraform CRD. A brief description about each parameter will be defined here. Fore more in-depth details about the features, see Core Concepts.

TerraformSpec v1alpha1 tf

Field	Description
`terraformModule` string	A remote URL to fetch the Terraform module. The URL uses a variation of Terraform’s “Module Source” URL-like syntax. This value will be parsed into all the components of an address, like `host`, `port`, `path`, `scheme`, etc. See ParsedAddress for a detailed explanation the parser.
`terraformModuleConfigMap` ConfigMapSelector	Mount a ConfigMap as the Terraform module.
`terraformModuleInline` string	Write the terraform module as a string.
`terraformVersion` string	the Terraform version to use for the module. Defaults to `1.1.3`
`terraformRunnerExecutionScriptConfigMap` ConfigMapKeySelector	Allows the user to define a custom script for the Terraform Runner pod. The custom-script replaces the default script executed by the image.
`scriptRunnerExecutionScriptConfigMap` ConfigMapKeySelector	Allows the user to define a custom script for the Script Runner pod. The custom-script replaces the default script executed by the image.
`setupRunnerExecutionScriptConfigMap` ConfigMapKeySelector	Allows the user to define a custom script for the Setup Runner pod. The custom-script replaces the default script executed by the image.
`keepLatestPodsOnly` boolean	When `true` will keep only the pods that match the current generation of the terraform k8s-resource. This overrides the behavior of `keepCompletedPods`. The `keepLatestPodsOnly` option should reap all generational resources that are generated by the terraform-operator controller including: Pods Roles RoleBindings ServiceAccounts ConfigMaps Secrets Items not in scope of deletion are: PersistentVolumeClaims any Secrets defined as the kubernetes backend from the `customBackend` config option any Secrets defined by `outputsSecret` config option any ServiceAccounts used by the runners that were not created by the controller (as in Bring Your Own ServiceAccount) by the `serviceAccount` config option
`keepCompletedPods` boolean	When `true` will keep completed pods. Default is `false` and completed pods are removed.
`cleanupDisk` boolean	CleanupDisk will clear out previous terraform run data from the persistent volume.
`persistentVolumeSize` string	Define the size of the disk used to store terraform run data. If not defined, a default of “2Gi” is used.
`runnerRules` PolicyRule	RunnerRules are RBAC rules that will be added to all runner pods.
`runnerLabels` object	RunnerLabels is an unstructured key value map of labels that will be added to all runner pods.
`runnerAnnotations` object	RunnerAnnotations is an unstructured key value map of annotations that will be added to all runner pods.
`outputsSecret` string	OutputsSecret will create a secret with the outputs from the terraform module. All outputs from the module will be written to the secret unless the user defines “outputsToInclude” or “outputsToOmit”.
`outputsToInclude` string array	A whitelist of the terraform module’s outputs to save to the `OutputsSecret` or `TerraformStatus`
`outputsToOmit` string array	A blacklist of the terraform module’s outputs to omit when writing the to the `OutputsSecret` or `TerraformStatus`
`writeOutputsToStatus` boolean	When `true` the terraform module’s outputs get written to the `TerraformStatus`
`scriptRunnerVersion` string	The tag of the Script Runner image.
`setupRunnerVersion` string	The tag of the Setup Runner image.
`terraformRunner` string	The repo of the Terraform Runner image.
`scriptRunner` string	The repo of the Script Runner image.
`setupRunner` string	The repo of the Setup Runner image.
`terraformRunnerPullPolicy` string	The `pullPolicy` for the Terraform Runner pod.
`scriptRunnerPullPolicy` string	The `pullPolicy` for the Script Runner pod.
`setupRunnerPullPolicy` string	The `pullPolicy` for the Setup Runner pod.
`resourceDownloads` ResourceDownload array	ResourceDownloads defines other files to download into a path relative to the terraform module’s directory. The `tfvar` type is a special file that does not get added into the terraform module’s directory. The `tfvar` type gets added to a special directory and gets utilized when making the “terraform plan”. The `tfvar` special directory is also used by the Export Repo feature.
`env` EnvVar array	Define environment variables used by all workflow runners. A common use case is the `TF_VAR_` prefixed variables that get consumed in the “terraform plan”. `TF_VAR_` prefixed variables are also utilized by the Export Repo feature.
`serviceAccount` string	Use a specific kubernetes ServiceAccount for workflow runner pods. If not specified, a new ServiceAccount is created per generation.
`credentials` Credentials array	Credentials generally used for Terraform providers
`ignoreDelete` boolean	Bypass the finalization process in order to remove the Terraform resource from kubernetes without running any delete jobs.
`customBackend` string	Configure the terraform backend by writing an inline Terraform Backend Configuration. If this field is omitted, a default consul backend configuration will be used, which will require a consul installation into the cluster.
`exportRepo` ExportRepo	Consolidate and save the “tfvar"s to a single file, then export the file to a remote github repo. Specify the repo and the path and the Export Runner will run after the setup phase.
`preInitScript` string	A script, written as an inline yaml string, that will run before “terraform init”. “`pre*`” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`postInitScript` string	A script, written as an inline yaml string, that will run after “terraform init”. “`post*`” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`prePlanScript` string	A script, written as an inline yaml string, that will run before “terraform plan”. “`pre*`” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`postPlanScript` string	A script, written as an inline yaml string, that will run after “terraform plan”. “`post*`” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`preApplyScript` string	A script, written as an inline yaml string, that will run before “terraform apply”. “`pre*`” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`postApplyScript` string	A script, written as an inline yaml string, that will run after “terraform apply”. “`post*`” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`preInitDeleteScript` string	A script, written as an inline yaml string, that will run before “terraform init”. “`pre*`” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`postInitDeleteScript` string	A script, written as an inline yaml string, that will run after “terraform init”. “`post*`” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`prePlanDeleteScript` string	A script, written as an inline yaml string, that will run before “terraform plan -destroy”. “`pre*`” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`postPlanDeleteScript` string	A script, written as an inline yaml string, that will run after “terraform plan -destroy”. “`post*`” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`preApplyDeleteScript` string	A script, written as an inline yaml string, that will run before “terraform apply”. “`pre*`” scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`postApplyDeleteScript` string	A script, written as an inline yaml string, that will run after “terraform apply”. “`post*`” scripts run as standalone pods in the workflow. All scripts get executed from within the root of the terraform module’s directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user’s `$HOME` directory, will persist for the next stage in the workflow.
`sshTunnel` ProxyOpts	SSHTunnel can be defined for pulling from scm sources that cannot be accessed by the network the operator/runner runs in. An example is trying to reach an Enterprise Github server running on a private network.
`scmAuthMethods` SCMAuthMethod array	A SCMAuthMethod is used to select the kubernetes secrets that provide the passwords, tokens or ssh-keys required to access private servers and repos. The actual creation of the kubernetes secret is not handled by Terraform Operator.

ResourceDownload v1alpha1 tf

Field	Description
`address` string	Source url of resources to fetch. The URL uses a variation of Terraform’s “Module Source” URL-like syntax. This value will be parsed into all the components of an address, like `host`, `port`, `path`, `scheme`, etc. See ParsedAddress for a detailed explanation the parser.
`path` string	When defined, the downloaded resource(s) will be added to this path relative to the main module directory.
`useAsVar` boolean	Add the downloaded resource file as a tfvar via the `-var-file` flag of the “terraform plan” command. The downloaded resource must not be a directory.

Credentials v1alpha1 tf

Field	Description
`secretNameRef` SecretNameRef	Load environment variables into the workflow runner pods from a kubernetes Secret.
`awsCredentials` AWSCredentials	Methods to load AWS-specific credentials into the workflow runner pods. If using `AWS_ACCESS_KEY_ID` and/or environment variables for credentials, use the `secretNameRef` instead. For IRSA, using the `serviceAccountAnnotations` to add the expected `eks.amazonaws.com/role-arn` is effectively the same thing.
`serviceAccountAnnotations` object	ServiceAccountAnnotations is an unstructured key value map of annotations that is added to the kubernetes ServiceAccount that gets mounted by the workflow runner pods. Cloud IAM roles, such as Workload Identity on GCP and IRSA on AWS use this method of providing credentials to pods without haven’t to manage secrets on the cluster.

ExportRepo v1alpha1 tf

Field	Description
`address` string	Destination url of the repo to push `tfvar` and `config` files. The URL uses a variation of Terraform’s “Module Source” URL-like syntax. This value will be parsed into all the components of an address, like `host`, `port`, `path`, `scheme`, etc. See ParsedAddress for a detailed explanation the parser.
`tfvarsFile` string	The full path, including the directories and filename, relative to the root of the repo. The suffix of the file is not automatically added, so manually include the `.tfvars` file if desired.
`confFile` string	The full path, including the directories and filename, relative to the root of the repo. The suffix of the file is not automatically added, so manually include the `.conf` file if desired.
`retryOnFailure` boolean	Sets the export pod’s restartPolicy to “OnFailure”
`gitUsername` string	The name of the user who pushes to git. This name is typically an automation user and probably the user whose token or sshkey is configured in SCMAuthMethod
`gitEmail` string	The email of the user who pushes to git. This email is typically an automation user and probably the user whose token or sshkey is configured in SCMAuthMethod

ProxyOpts v1alpha1 tf

Field	Description
`host` string	The host name or ip-address of the ssh tunnel host.
`user` string	The username that can access the ssh tunnel host for the configured secret.
`sshKeySecretRef` SSHKeySecretRef	Specifies the kubernetes Secret where a SSH key is stored.

SCMAuthMethod v1alpha1 tf

Field	Description
`host` string	The host where private repos or servers are stored.
`git` GitSCM	Configuration options for auth methods of git.

GitSCM v1alpha1 tf

Field	Description
`ssh` GitSSH	SSH options for accessing git over ssh.
`https` GitHTTPS	HTTPS options for access git over https.

GitSSH v1alpha1 tf

Field	Description
`requireProxy` boolean	Specifies if the target host of the SCMAuthMethod requires a proxy to access. If true, the configured SSHTunnel is the proxy used.
`sshKeySecretRef` SSHKeySecretRef	Specifies the kubernetes Secret where a SSH key is stored.

GitHTTPS v1alpha1 tf

Field	Description
`requireProxy` boolean	Specifies if the target host of the SCMAuthMethod requires a proxy to access. If true, the configured SSHTunnel is the proxy used.
`tokenSecretRef` TokenSecretRef	Specifies the kubernetes Secret where a token key is stored.

ConfigMapSelector v1alpha1 tf

Field	Description
`name` string	Name of a ConfigMap
`key` string	The key to select

SecretNameRef v1alpha1 tf

Field	Description
`name` string	Name of a kubernetes Secret
`namespace` string	The namespace the secret is in. Omitting will select the same namespace as the resource
`key` string	The key to select

SSHKeySecretRef v1alpha1 tf

Field	Description
`name` string	Name of a kubernetes Secret
`namespace` string	The namespace the secret is in. Omitting will select the same namespace as the resource
`key` string	The key to select

TokenSecretRef v1alpha1 tf

Field	Description
`name` string	Name of a kubernetes Secret
`namespace` string	The namespace the secret is in. Omitting will select the same namespace as the resource
`key` string	The key to select

AWSCredentials v1alpha1 tf

Field	Description
`irsa` string	When defined will add the special IRSA annotation to the kubernetes ServiceAccount that get added to workflow runner pods. Using the serviceAccountAnnotations to add the expected `eks.amazonaws.com/role-arn` is effectively the same thing.
`kiam` string	When defined will add the special KIAM annotation to the workflow runner pods. Using `runnerAnnotations` to add the expected `iam.amazonaws.com/role` is effectively the same thing.

TerraformStatus v1alpha1 tf

Field	Description

Kubernetes APIs

Some APIs used by Terraform Operator are adopted from Kubernetes itself. Below are the relevant APIs used by the Terraform CRD.

EnvVar v1 core

Field	Description
`name` string	Name of the environment variable. Must be a C_IDENTIFIER.
`value` string	Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to “”.
`valueFrom` EnvVarSource	Source for the environment variable’s value. Cannot be used if value is not empty.

ConfigMapKeySelector v1 core

Field	Description
`name` string	Name of a ConfigMap
`key` string	The key to select

PolicyRule v1 rbac.authorization.k8s.io

Field	Description
`apiGroups` string array	APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
`nonResourceURLs` string array	NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as “pods” or “secrets”) or non-resource URL paths (such as “/api”), but not both.
`resourceNames` string array	ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
`resources` string array	Resources is a list of resources this rule applies to. ResourceAll represents all resources.
`verbs` string array	Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.