etok

README

Etok

Enhanced Terraform On Kubernetes

Requirements

• A kubernetes cluster

Install

Download and install the CLI from releases.

Deploy CRDs and the operator to your cluster:

etok generate crds | kubectl create -f -
etok generate operator | kubectl apply -f -

First run

Ensure you're in a directory containing terraform configuration:

$ cat random.tf
resource "random_id" "test" {
  byte_length = 2
}

Create a workspace:

etok workspace new default/default

Run terraform commands:

etok init
etok validate
etok plan
etok apply

Usage

Usage is similar to the terraform CLI:

Usage: etok [command]

Terraform Commands:
  apply         destroy         force-unlock
  get           import          init
  output        plan            refresh
  show          state           taint
  untaint       validate

etok Commands:
  generate     Generate deployment resources
  sh           Run shell commands in workspace
  version      Print client version information
  workspace    etok workspace management

Flags:
      --add_dir_header                   If true, adds the file directory to the header of the log messages
      --alsologtostderr                  log to standard error as well as files
  -h, --help                             help for etok
      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                   If non-empty, write log files in this directory
      --log_file string                  If non-empty, use this log file
      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (defa
ult 1800)
      --logtostderr                      log to standard error instead of files (default true)
      --skip_headers                     If true, avoid header prefixes in the log messages
      --skip_log_headers                 If true, avoid headers when opening log files
      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
  -v, --v Level                          number for the log level verbosity
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging

Use "etok [command] --help" for more information about a command.

Commands such as terraform fmt or terraform console have been left out because there is no purpose to running them on kubernetes.

RBAC

TODO

Identity

• GCP Workload Identity
• AWS IAM roles for service accounts

Credentials

Credentials placed inside a kubernetes secret named etok are made available to terraform as environment variables.

For example, to set credentials for the AWS provider:

kubectl create secret generic etok \
  --from-literal=AWS_ACCESS_KEY_ID="youraccesskeyid"  \
  --from-literal=AWS_SECRET_ACCESS_KEY="yoursecretaccesskey"

AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are then made available as environment variables.

Or, to set credentials for the GCP provider:

kubectl create secret generic etok --from-file=GOOGLE_CREDENTIALS=[path to service account key]

Documentation

Overview

Copyright © 2020 Louis Garman <louisgarman@gmail.com>

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.