Skip to content

TF Bridge

A Kubernetes controller that streamlines Terraform usage along side with GitOps tools. The controller continuously monitors state produced by terraform apply and inject specified terraform outputs into the Kubernetes resources. This allows to integrate Terraform with GitOps tools like ArgoCD, FluxCD, etc.

Architecture

Requirements

  • A Kubernetes cluster that you can access via kubectl
  • A Terraform state bucket (optional; a sample state bucket will be provided below)
  • Any AWS credentials. The controller is using aws-sdk-go-v2 to access the state file in a S3 bucket in this guide, so the client requires AWS authentication. However, it doesn't matter which AWS principle it is because the file is public to all.

Install tf-bridge

kubectl apply -f https://tf-bridge-public.s3.us-west-2.amazonaws.com/all.yaml
This installs the following resources into your cluster:

  1. ClusterBackend CRD
  2. ClusterTFState CRD
  3. TFState CRD
  4. tf-bridge Namespace
  5. tf-bridge Deployment
  6. tf-bridge ServiceAccount
  7. tf-bridge ClusterRole and ClusterRoleBinding

AWS SDK Authentication

If you are NOT deploying the controller to an EKS cluster, you need to provider one of the following environment variable sets in the tf-bridge Deployment for the AWS SDK to authenticate. They can be generated on your AWS console or with AWS CLI.

  1. AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN or
  2. AWS_WEB_IDENTITY_TOKEN_FILE

Deploy resources

This section can be skipped if you configure ClusterBackend and TFState on the actual resources in your cluster. Otherwise the next section will use resources deployed in this section.

kubectl apply -f https://tf-bridge-public.s3.us-west-2.amazonaws.com/existing-resources.yaml
This deploys a ServiceAccount and a Deployment from the nginx image for demo purposes.

Configure ClusterBackend and TFState

kubectl apply -f https://tf-bridge-public.s3.us-west-2.amazonaws.com/resources-all.yaml
This deploys the following resources into the cluster:

  1. ClusterBackend: it points to the sample bucket tf-bridge-public where there is a sample Terraform state file with some outputs.
  2. ClusterTFState: it adds nodeAffinity to the deployment api-server.
  3. TFState: it adds the IRSA annotation to the service account api-server and db CName to the deployment environment variable list.

Validate the patching effects

kubectl get tfstate -A
this should give you something similar to below 
NAMESPACE   NAME               BACKEND   FULLYAPPLIED
default     api-server-state   s3        True
You can also check the manifest of the deployment and service account to make sure the expected fields are patched correctly.

Reconciliation error

If you see any TFState or ClusterTFState not fully applied, you can add the following annotation to the TFState or ClusterTFState to trigger reconciliation.

kubectl annotate tfstate api-server-state sync=$(date +%s) --overwrite

kubectl annotate clustertfstate node-affinity sync=$(date +%s) --overwrite