This doc is good for Terraform Operator releases v0.8.3 - v0.8.5 and covers the resource apiVersion: v1alpha1

The following is a list of configurable parameters of the Terraform CRD, with a brief description of each parameter. For more in-depth details about the features, see Core Concepts.

TerraformSpec v1alpha1 tf

Field (type)
    Description

terraformModule (string)
    A remote URL to fetch the Terraform module. The URL uses a variation of Terraform's "Module Source" URL-like syntax. This value will be parsed into all the components of an address, like host, port, path, scheme, etc. See ParsedAddress for a detailed explanation of the parser.

terraformModuleConfigMap (ConfigMapSelector)
    Mount a ConfigMap as the Terraform module.

terraformModuleInline (string)
    Write the Terraform module as a string.

terraformVersion (string)
    The Terraform version to use for the module. Defaults to 1.1.3.

terraformRunnerExecutionScriptConfigMap (ConfigMapKeySelector)
    Allows the user to define a custom script for the Terraform Runner pod. The custom script replaces the default script executed by the image.

scriptRunnerExecutionScriptConfigMap (ConfigMapKeySelector)
    Allows the user to define a custom script for the Script Runner pod. The custom script replaces the default script executed by the image.

setupRunnerExecutionScriptConfigMap (ConfigMapKeySelector)
    Allows the user to define a custom script for the Setup Runner pod. The custom script replaces the default script executed by the image.

keepLatestPodsOnly (boolean)
    When true, keeps only the pods that match the current generation of the Terraform k8s resource. This overrides the behavior of keepCompletedPods.

    The keepLatestPodsOnly option should reap all generational resources generated by the terraform-operator controller, including:

      • Pods
      • Roles
      • RoleBindings
      • ServiceAccounts
      • ConfigMaps
      • Secrets

    Items not in scope of deletion are:

      • PersistentVolumeClaims
      • any Secrets defined as the kubernetes backend via the customBackend config option
      • any Secrets defined by the outputsSecret config option
      • any ServiceAccounts used by the runners that were not created by the controller (Bring Your Own ServiceAccount via the serviceAccount config option)

keepCompletedPods (boolean)
    When true, keeps completed pods. Default is false, and completed pods are removed.

cleanupDisk (boolean)
    When true, clears out previous Terraform run data from the persistent volume.

persistentVolumeSize (string)
    Define the size of the disk used to store Terraform run data. If not defined, a default of "2Gi" is used.

runnerRules (PolicyRule)
    RBAC rules that will be added to all runner pods.

runnerLabels (object)
    An unstructured key-value map of labels that will be added to all runner pods.

runnerAnnotations (object)
    An unstructured key-value map of annotations that will be added to all runner pods.

outputsSecret (string)
    Creates a Secret with the outputs from the Terraform module. All outputs from the module will be written to the Secret unless the user defines outputsToInclude or outputsToOmit.

outputsToInclude (string array)
    A whitelist of the Terraform module's outputs to save to the outputsSecret or TerraformStatus.

outputsToOmit (string array)
    A blacklist of the Terraform module's outputs to omit when writing to the outputsSecret or TerraformStatus.

writeOutputsToStatus (boolean)
    When true, the Terraform module's outputs are written to the TerraformStatus.

scriptRunnerVersion (string)
    The tag of the Script Runner image.

setupRunnerVersion (string)
    The tag of the Setup Runner image.

terraformRunner (string)
    The repo of the Terraform Runner image.

scriptRunner (string)
    The repo of the Script Runner image.

setupRunner (string)
    The repo of the Setup Runner image.

terraformRunnerPullPolicy (string)
    The pullPolicy for the Terraform Runner pod.

scriptRunnerPullPolicy (string)
    The pullPolicy for the Script Runner pod.

setupRunnerPullPolicy (string)
    The pullPolicy for the Setup Runner pod.

resourceDownloads (ResourceDownload array)
    Defines other files to download into a path relative to the Terraform module's directory. The tfvar type is a special file that does not get added into the Terraform module's directory. The tfvar type gets added to a special directory and is used when making the "terraform plan". The tfvar special directory is also used by the Export Repo feature.

env (EnvVar array)
    Define environment variables used by all workflow runners. A common use case is the TF_VAR_-prefixed variables that get consumed in the "terraform plan". TF_VAR_-prefixed variables are also used by the Export Repo feature.

serviceAccount (string)
    Use a specific kubernetes ServiceAccount for workflow runner pods. If not specified, a new ServiceAccount is created per generation.

credentials (Credentials array)
    Credentials generally used for Terraform providers.

ignoreDelete (boolean)
    Bypass the finalization process in order to remove the Terraform resource from kubernetes without running any delete jobs.

customBackend (string)
    Configure the Terraform backend by writing an inline Terraform Backend Configuration. If this field is omitted, a default consul backend configuration is used, which requires a consul installation in the cluster.

exportRepo (ExportRepo)
    Consolidate and save the tfvars to a single file, then export the file to a remote GitHub repo. Specify the repo and the path, and the Export Runner will run after the setup phase.

preInitScript (string)
    A script, written as an inline yaml string, that will run before "terraform init". "pre*" scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

postInitScript (string)
    A script, written as an inline yaml string, that will run after "terraform init". "post*" scripts run as standalone pods in the workflow. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

prePlanScript (string)
    A script, written as an inline yaml string, that will run before "terraform plan". "pre*" scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

postPlanScript (string)
    A script, written as an inline yaml string, that will run after "terraform plan". "post*" scripts run as standalone pods in the workflow. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

preApplyScript (string)
    A script, written as an inline yaml string, that will run before "terraform apply". "pre*" scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

postApplyScript (string)
    A script, written as an inline yaml string, that will run after "terraform apply". "post*" scripts run as standalone pods in the workflow. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

preInitDeleteScript (string)
    A script, written as an inline yaml string, that will run before "terraform init". "pre*" scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

postInitDeleteScript (string)
    A script, written as an inline yaml string, that will run after "terraform init". "post*" scripts run as standalone pods in the workflow. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

prePlanDeleteScript (string)
    A script, written as an inline yaml string, that will run before "terraform plan -destroy". "pre*" scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

postPlanDeleteScript (string)
    A script, written as an inline yaml string, that will run after "terraform plan -destroy". "post*" scripts run as standalone pods in the workflow. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

preApplyDeleteScript (string)
    A script, written as an inline yaml string, that will run before "terraform apply". "pre*" scripts run as Init Containers in a Terraform Runner pod. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

postApplyDeleteScript (string)
    A script, written as an inline yaml string, that will run after "terraform apply". "post*" scripts run as standalone pods in the workflow. All scripts get executed from within the root of the Terraform module's directory. Therefore, files created, changed, or removed from this directory, or anywhere in the user's $HOME directory, will persist for the next stage in the workflow.

sshTunnel (ProxyOpts)
    An SSH tunnel can be defined for pulling from SCM sources that cannot be accessed from the network the operator/runner runs in. An example is trying to reach a GitHub Enterprise server running on a private network.

scmAuthMethods (SCMAuthMethod array)
    An SCMAuthMethod is used to select the kubernetes Secrets that provide the passwords, tokens or ssh-keys required to access private servers and repos. The actual creation of the kubernetes Secret is not handled by Terraform Operator.
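As an added example (not from this page or the operator's own documentation), a Terraform resource that ties several of the fields above together: a pinned module, in-cluster state through customBackend, runnerRules scoped to what that backend needs, and output filtering so sensitive values never land in the outputs Secret or the status. The API group is assumed (the page only shows "v1alpha1 tf"), and the namespace, module URLs and Secret names are constructed placeholders.

```yaml
# Added example; field names come from the v1alpha1 TerraformSpec reference above,
# values are constructed placeholders.
apiVersion: tf.isaaguilar.com/v1alpha1   # group assumed: the page only shows "v1alpha1 tf"
kind: Terraform
metadata:
  name: example-network
  namespace: tf-workflows
spec:
  # Remote module in the operator's "Module Source"-like URL syntax (constructed URL).
  terraformModule: https://github.com/example-org/tf-modules.git//network?ref=v1.4.0
  terraformVersion: "1.1.3"      # pin explicitly instead of relying on the default
  # Reap Pods, Roles, RoleBindings, ServiceAccounts, ConfigMaps and Secrets of earlier
  # generations; the backend state Secret and the outputsSecret are left alone.
  keepLatestPodsOnly: true
  cleanupDisk: true
  # Inline backend block; without it the operator falls back to the consul backend.
  customBackend: |
    terraform {
      backend "kubernetes" {
        secret_suffix     = "example-network"
        namespace         = "tf-workflows"
        in_cluster_config = true
      }
    }
  # RBAC added to every runner pod. The kubernetes backend keeps state in Secrets and
  # locks with a Lease, so nothing beyond those two resources is granted.
  runnerRules:
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get", "list", "create", "update", "patch", "delete"]
    - apiGroups: ["coordination.k8s.io"]
      resources: ["leases"]
      verbs: ["get", "create", "update", "delete"]
  # A tfvars file fetched beside the module and passed to "terraform plan" via -var-file.
  resourceDownloads:
    - address: https://github.com/example-org/tf-config.git//envs/prod/network.tfvars?ref=main
      useAsVar: true
  env:
    - name: TF_VAR_environment
      value: prod
  # Outputs go to a Secret and to status, except the ones listed in outputsToOmit.
  outputsSecret: example-network-outputs
  outputsToOmit:
    - db_admin_password
  writeOutputsToStatus: true
```

Because keepLatestPodsOnly exempts the backend state Secret and the outputsSecret, those two persist across generations while everything else the controller created is reaped.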

ResourceDownload v1alpha1 tf

Field (type)
    Description

address (string)
    Source URL of resources to fetch. The URL uses a variation of Terraform's "Module Source" URL-like syntax. This value will be parsed into all the components of an address, like host, port, path, scheme, etc. See ParsedAddress for a detailed explanation of the parser.

path (string)
    When defined, the downloaded resource(s) will be added to this path relative to the main module directory.

useAsVar (boolean)
    Add the downloaded resource file as a tfvar via the -var-file flag of the "terraform plan" command. The downloaded resource must not be a directory.

Credentials v1alpha1 tf

Field (type)
    Description

secretNameRef (SecretNameRef)
    Load environment variables into the workflow runner pods from a kubernetes Secret.

awsCredentials (AWSCredentials)
    Methods to load AWS-specific credentials into the workflow runner pods. If using AWS_ACCESS_KEY_ID and/or other environment variables for credentials, use secretNameRef instead. For IRSA, using serviceAccountAnnotations to add the expected eks.amazonaws.com/role-arn is effectively the same thing.

serviceAccountAnnotations (object)
    An unstructured key-value map of annotations that is added to the kubernetes ServiceAccount mounted by the workflow runner pods. Cloud IAM roles, such as Workload Identity on GCP and IRSA on AWS, use this method of providing credentials to pods without having to manage secrets on the cluster.

ExportRepo v1alpha1 tf

Field (type)
    Description

address (string)
    Destination URL of the repo to push tfvar and config files to. The URL uses a variation of Terraform's "Module Source" URL-like syntax. This value will be parsed into all the components of an address, like host, port, path, scheme, etc. See ParsedAddress for a detailed explanation of the parser.

tfvarsFile (string)
    The full path, including the directories and filename, relative to the root of the repo. The suffix of the file is not automatically added, so manually include the .tfvars suffix if desired.

confFile (string)
    The full path, including the directories and filename, relative to the root of the repo. The suffix of the file is not automatically added, so manually include the .conf suffix if desired.

retryOnFailure (boolean)
    Sets the export pod's restartPolicy to "OnFailure".

gitUsername (string)
    The name of the user who pushes to git. This is typically an automation user and probably the user whose token or ssh key is configured in SCMAuthMethod.

gitEmail (string)
    The email of the user who pushes to git. This is typically an automation user and probably the user whose token or ssh key is configured in SCMAuthMethod.

ProxyOpts v1alpha1 tf

Field (type)
    Description

host (string)
    The host name or IP address of the ssh tunnel host.

user (string)
    The username that can access the ssh tunnel host with the configured secret.

sshKeySecretRef (SSHKeySecretRef)
    Specifies the kubernetes Secret where an SSH key is stored.

SCMAuthMethod v1alpha1 tf

Field (type)
    Description

host (string)
    The host where private repos or servers are stored.

git (GitSCM)
    Configuration options for auth methods of git.

GitSCM v1alpha1 tf

Field (type)
    Description

ssh (GitSSH)
    SSH options for accessing git over ssh.

https (GitHTTPS)
    HTTPS options for accessing git over https.

GitSSH v1alpha1 tf

Field (type)
    Description

requireProxy (boolean)
    Specifies if the target host of the SCMAuthMethod requires a proxy to access. If true, the configured SSHTunnel is the proxy used.

sshKeySecretRef (SSHKeySecretRef)
    Specifies the kubernetes Secret where an SSH key is stored.

GitHTTPS v1alpha1 tf

Field (type)
    Description

requireProxy (boolean)
    Specifies if the target host of the SCMAuthMethod requires a proxy to access. If true, the configured SSHTunnel is the proxy used.

tokenSecretRef (TokenSecretRef)
    Specifies the kubernetes Secret where a token key is stored.

ConfigMapSelector v1alpha1 tf

Field (type)
    Description

name (string)
    Name of a ConfigMap.

key (string)
    The key to select.

SecretNameRef v1alpha1 tf

Field (type)
    Description

name (string)
    Name of a kubernetes Secret.

namespace (string)
    The namespace the Secret is in. Omitting it selects the same namespace as the resource.

key (string)
    The key to select.

SSHKeySecretRef v1alpha1 tf

Field (type)
    Description

name (string)
    Name of a kubernetes Secret.

namespace (string)
    The namespace the Secret is in. Omitting it selects the same namespace as the resource.

key (string)
    The key to select.

TokenSecretRef v1alpha1 tf

Field (type)
    Description

name (string)
    Name of a kubernetes Secret.

namespace (string)
    The namespace the Secret is in. Omitting it selects the same namespace as the resource.

key (string)
    The key to select.
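As an added example (not from this page or the operator's own documentation) of how sshTunnel, scmAuthMethods and the SSHKeySecretRef/TokenSecretRef types fit together: a GitHub Enterprise host on a private network is reached through a bastion, with an ssh method and an https token method for that host. Hostnames, Secret names and the module URL are constructed; the referenced Secrets must already exist, since the operator does not create them, and the API group is assumed.

```yaml
# Added example; constructed hostnames and Secret names. The referenced Secrets are
# created outside the operator, as the SCMAuthMethod description says.
apiVersion: v1
kind: Secret
metadata:
  name: ghe-token               # token for the https auth method
  namespace: tf-workflows
type: Opaque
stringData:
  token: "<placeholder: read-only GitHub Enterprise token>"
---
apiVersion: tf.isaaguilar.com/v1alpha1   # group assumed: the page only shows "v1alpha1 tf"
kind: Terraform
metadata:
  name: private-module
  namespace: tf-workflows
spec:
  # Constructed ssh module address; see ParsedAddress for the exact accepted forms.
  terraformModule: git::ssh://git@ghe.internal.example/platform/tf-modules.git//vpc?ref=v2.1.0
  # Bastion the runner goes through for hosts it cannot reach directly.
  sshTunnel:
    host: bastion.internal.example
    user: tunnel
    sshKeySecretRef:
      name: bastion-ssh-key       # existing Secret holding the bastion private key
      key: id_rsa                 # namespace omitted: same namespace as this resource
  scmAuthMethods:
    - host: ghe.internal.example
      git:
        ssh:
          requireProxy: true      # route this host through sshTunnel
          sshKeySecretRef:
            name: ghe-deploy-key  # a separate, read-only deploy key; not the bastion key
            key: id_rsa
        https:
          requireProxy: true
          tokenSecretRef:
            name: ghe-token
            key: token
```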

AWSCredentials v1alpha1 tf

Field (type)
    Description

irsa (string)
    When defined, adds the special IRSA annotation to the kubernetes ServiceAccount that is attached to the workflow runner pods. Using serviceAccountAnnotations to add the expected eks.amazonaws.com/role-arn is effectively the same thing.

kiam (string)
    When defined, adds the special KIAM annotation to the workflow runner pods. Using runnerAnnotations to add the expected iam.amazonaws.com/role is effectively the same thing.

TerraformStatus v1alpha1 tf

Field (type)
    Description

Kubernetes APIs

Some APIs used by Terraform Operator are adopted from Kubernetes itself. Below are the relevant APIs used by the Terraform CRD.

EnvVar v1 core

Field (type)
    Description

name (string)
    Name of the environment variable. Must be a C_IDENTIFIER.

value (string)
    Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, i.e. $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

valueFrom (EnvVarSource)
    Source for the environment variable's value. Cannot be used if value is not empty.
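As an added example (not from this page or the operator's own documentation) covering the Credentials, AWSCredentials and EnvVar entries: static provider credentials loaded from a Secret via secretNameRef, the keyless alternative via serviceAccountAnnotations (the awsCredentials.irsa shortcut sets the same annotation), variable expansion in env, and a single Secret value injected with valueFrom. Secret names, the role ARN and the API group are constructed or assumed.

```yaml
# Added example with constructed values; in practice pick one credential path per
# provider rather than configuring both.
apiVersion: tf.isaaguilar.com/v1alpha1   # group assumed: the page only shows "v1alpha1 tf"
kind: Terraform
metadata:
  name: cloud-resources
  namespace: tf-workflows
spec:
  terraformModule: https://github.com/example-org/tf-modules.git//bucket?ref=v0.3.0
  credentials:
    # Every key of this Secret becomes an environment variable in the runner pods,
    # e.g. AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY. These are long-lived keys.
    - secretNameRef:
        name: provider-static-creds       # existing Secret, created outside the operator
    # Keyless alternative: the generated ServiceAccount is annotated so the cloud IAM
    # binding (IRSA on EKS, Workload Identity on GKE) issues short-lived credentials.
    # "awsCredentials: {irsa: <role-arn>}" is the equivalent shortcut for the IRSA case.
    - serviceAccountAnnotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/tf-runner   # placeholder
  env:
    - name: TF_VAR_region
      value: us-east-1
    # $(VAR_NAME) references expand from variables defined earlier in the container.
    - name: TF_VAR_state_bucket
      value: "tf-state-$(TF_VAR_region)"
    # One key from a Secret instead of the whole Secret (EnvVar.valueFrom).
    - name: TF_VAR_vendor_api_token
      valueFrom:
        secretKeyRef:
          name: vendor-api        # existing Secret
          key: token
```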

ConfigMapKeySelector v1 core

Field (type)
    Description

name (string)
    Name of a ConfigMap.

key (string)
    The key to select.

PolicyRule v1 rbac.authorization.k8s.io

Field (type)
    Description

apiGroups (string array)
    The name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.

nonResourceURLs (string array)
    A set of partial URLs that a user should have access to. *s are allowed, but only as the full, final step in the path. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.

resourceNames (string array)
    An optional whitelist of names that the rule applies to. An empty set means that everything is allowed.

resources (string array)
    A list of resources this rule applies to. ResourceAll represents all resources.

verbs (string array)
    A list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
