etok

command module
v0.0.2 Latest
Warning

This package is not in the latest version of its module.

Published: Dec 18, 2020 License: MPL-2.0 Imports: 11 Imported by: 0

README

Etok

Enhanced Terraform On Kubernetes

Requirements

  • A kubernetes cluster

Install

Download and install the CLI from releases.

Deploy CRDs and the operator to your cluster:

etok generate crds | kubectl create -f -
etok generate operator | kubectl apply -f -

First run

Ensure you're in a directory containing terraform configuration:

$ cat random.tf
resource "random_id" "test" {
  byte_length = 2
}

Create a workspace:

etok workspace new default/default

Run terraform commands:

etok plan
etok apply

Usage

Usage is similar to the terraform CLI:

Usage:
  etok [command]

Available Commands:
  apply       Run terraform apply
  destroy     Run terraform destroy
  generate    Generate deployment resources
  help        Help about any command
  plan        Run terraform plan
  sh          Open shell session
  version     Print client version information
  workspace   etok workspace management

Flags:
      --add_dir_header                   If true, adds the file directory to the header of the log messages
      --alsologtostderr                  log to standard error as well as files
  -h, --help                             help for etok
      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                   If non-empty, write log files in this directory
      --log_file string                  If non-empty, use this log file
      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --logtostderr                      log to standard error instead of files (default true)
      --skip_headers                     If true, avoid header prefixes in the log messages
      --skip_log_headers                 If true, avoid headers when opening log files
      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
  -v, --v Level                          number for the log level verbosity
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging

Use "etok [command] --help" for more information about a command.

Commands such as terraform fmt or terraform console have been left out because there is no purpose to running them on kubernetes.

RBAC

TODO

Identity

Credentials

Credentials placed inside a kubernetes secret named etok are made available to terraform as environment variables.

For example, to set credentials for the AWS provider:

kubectl create secret generic etok \
  --from-literal=AWS_ACCESS_KEY_ID="youraccesskeyid"  \
  --from-literal=AWS_SECRET_ACCESS_KEY="yoursecretaccesskey"

AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are then made available as environment variables.

Or, to set credentials for the GCP provider:

kubectl create secret generic etok --from-file=GOOGLE_CREDENTIALS=[path to service account key]

FAQ

What is uploaded to the pod when running a plan/apply/destroy?

The contents of the root module (the current working directory, or the value of the path flag) are uploaded. Additionally, if the root module configuration contains references to other modules on the local filesystem, then these too are uploaded, along with all such modules recursively referenced (modules referencing modules, and so forth). The directory structure containing all modules is maintained on the kubernetes pod, ensuring relative references remain valid (e.g. ./modules/vpc or ../modules/vpc).

Etok supports the use of a .terraformignore file. Etok expects to find the file in a directory that is an ancestor of the modules to be uploaded. For example, if the modules to be uploaded are in /tf/modules/prod and /tf/modules/vpc, then the following paths will be checked:

  • /tf/modules/.terraformignore
  • /tf/.terraformignore
  • /.terraformignore

If the file is not found, the default set of rules applies, as documented in the link above.
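The lookup order described above, as an added Go example (not etok's own code) that is useful for confirming which .terraformignore governs what leaves your workstation. The function names are hypothetical, and it assumes absolute, slash-separated module paths and that the search starts at the deepest directory shared by all modules.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// parts splits a cleaned, slash-separated absolute path into its components.
func parts(p string) []string {
	return strings.FieldsFunc(path.Clean(p), func(r rune) bool { return r == '/' })
}

// commonAncestor returns the deepest directory that contains every module.
// Assumption: for a single module this is the module directory itself.
func commonAncestor(modules []string) string {
	if len(modules) == 0 {
		return "/"
	}
	common := parts(modules[0])
	for _, m := range modules[1:] {
		p, n := parts(m), 0
		for n < len(common) && n < len(p) && common[n] == p[n] {
			n++
		}
		common = common[:n] // keep only the shared leading components
	}
	return "/" + strings.Join(common, "/")
}

// candidateIgnorePaths lists the .terraformignore locations, nearest first,
// walking from the common ancestor up to the filesystem root.
func candidateIgnorePaths(modules []string) []string {
	var out []string
	for dir := commonAncestor(modules); ; dir = path.Dir(dir) {
		out = append(out, path.Join(dir, ".terraformignore"))
		if dir == "/" {
			return out
		}
	}
}

func main() {
	// The README's example, then a root module that references a nested module.
	fmt.Println(candidateIgnorePaths([]string{"/tf/modules/prod", "/tf/modules/vpc"}))
	fmt.Println(candidateIgnorePaths([]string{"/tf", "/tf/modules/vpc"}))
}
```

Modules that share no directory below the root leave only /.terraformignore as a candidate.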

Documentation

Overview

Copyright © 2020 Louis Garman <louisgarman@gmail.com>

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Directories

Path Synopsis
api
etok.dev/v1alpha1
Package v1alpha1 contains API Schema definitions for the etok v1alpha1 API group +kubebuilder:object:generate=true +groupName=etok.dev
cmd
pkg
env
k8s
k8s/etokclient
This package has the automatically generated clientset.
k8s/etokclient/fake
This package has the automatically generated fake clientset.
k8s/etokclient/scheme
This package contains the scheme of the automatically generated clientset.
k8s/etokclient/typed/etok.dev/v1alpha1
This package has the automatically generated typed clients.
k8s/etokclient/typed/etok.dev/v1alpha1/fake
Package fake has the automatically generated clients.
