Using Terraform Templates Enterprise
This guide will show you how to use a template to create a Terraform resource in Weave GitOps Enterprise.
CLI Guide
Prerequisites
- Install Weave GitOps Enterprise and enable TLS.
- Install Terraform Controller.
1. Add a template to your cluster
Add the following template to a path in your Git repository that is synced by Flux. For example, in the Installation guide, we set the path that is synced by Flux to ./clusters/management.
Commit and push these changes. Once a template is available in the cluster, it can be used to create a resource, which will be shown in the next step.
Template file: ./clusters/management/tf-template.yaml
Verify that your template is in the cluster:
kubectl get gitopstemplates.clustertemplates.weave.works -A
NAME AGE
sample-wge-tf-controller-template 14m
If the template does not appear immediately, reconcile the changes with Flux:
flux reconcile kustomization flux-system
► annotating Kustomization flux-system in flux-system namespace
✔ Kustomization annotated
◎ waiting for Kustomization reconciliation
✔ applied revision main/e6f5f0c3925bcfecdb50bceb12af9a87677d2213
2. Use the template to create a resource
A resource can be created from a template by specifying the template's name and supplying values to it, as well as your Weave GitOps Enterprise username, password, and HTTP API endpoint.
gitops add terraform --from-template sample-wge-tf-controller-template \
--set="RESOURCE_NAME"="name" \
--username=<username> --password=<password> \
--endpoint https://localhost:8000 \
--url https://github.com/myawesomeorg/myawesomerepo
Created pull request: https://github.com/myawesomeorg/myawesomerepo/pull/5
This will create a PR in your Git repository with a TF-Controller manifest. Once the PR is merged, TF-Controller will supply the values to the Terraform manifest, apply the Terraform manifest to create the resource, and reconcile any changes that you make to the Terraform manifest!
This template can be used to create multiple resources out of the same Terraform manifest by supplying different values to the template. Any changes to the Terraform manifest will be reconciled automatically to all resources.
3. List available templates
Get a specific template that can be used to create a Terraform resource:
gitops get template terraform sample-wge-tf-controller-template --endpoint https://localhost:8000 --username=<username> --password=<password>
NAME PROVIDER DESCRIPTION ERROR
sample-wge-tf-controller-template This is a sample WGE template that will be translated into a tf-controller specific template.
List all the templates available on the cluster:
gitops get template terraform --endpoint https://localhost:8000 --username=<username> --password=<password>
NAME PROVIDER DESCRIPTION ERROR
sample-aurora-tf-template This is a sample Aurora RDS template.
sample-wge-tf-controller-template This is a sample WGE template that will be translated into a tf-controller specific template.
4. List the parameters of a template
List all the parameters that can be defined on a specific template:
gitops get template terraform tf-controller-aurora --list-parameters --endpoint https://localhost:8000 --username=<username> --password=<password>
NAME REQUIRED DESCRIPTION OPTIONS
RESOURCE_NAME false Resource Name
Use Case: Create an Aurora RDS with WGE
For a more advanced example, here is a template to create an Aurora RDS cluster using WGE with Flux and the TF-Controller.
Prerequisites
- Everything from the previous section
- Get (or create) an AWS Access Key ID and Secret Access Key. Check the AWS docs for details on how to do this.
- Create an AWS IAM Role for the Terraform AWS Provider. Its policy should include iam:CreateRole. More info here.
1. Configure a way to manage secrets
Configure a way to safely store Secrets. One method is to use the Mozilla SOPS CLI, but there are other ways, such as Sealed Secrets or HashiCorp Vault.
Follow the steps in the Flux docs except for the "Configure in-cluster secrets decryption" step! This step looks slightly different for WGE. Instead of re-creating the controllers, you can configure the kustomize-controller as instructed below.
In your Git repository source, add the following to your kustomize-controller configuration. Keep the two-space indentation: the heredoc appends to the end of gotk-sync.yaml, so the decryption block must land under the spec of the flux-system Kustomization that closes that file:
cat <<EOF >> ./clusters/<cluster-name>/flux-system/gotk-sync.yaml
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
EOF
2. Encrypt and store your credentials in your Git repository
Create a Secret to store sensitive values such as the following:
- DB username
- DB password
- AWS Access Key ID
- AWS Secret Access Key
- AWS Role ARN
If following the Flux guide, this step corresponds to "Encrypting secrets using OpenPGP". You can stop following the Flux guide at this step.
For example, here is what you would do if using the SOPS method:
kubectl -n flux-system create secret generic tf-controller-auth \
--from-literal=master_username=admin \
--from-literal=master_password=change-me \
--from-literal=aws_access_key=AKIAIOSFODNN7EXAMPLE \
--from-literal=aws_secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" \
--from-literal=aws_role_arn="arn:aws:iam::012345678910:role/wge-tf-controller-example" \
--dry-run=client \
-o yaml > tf-controller-auth.yaml
Then, encrypt the secret:
sops --encrypt --in-place tf-controller-auth.yaml
Commit and push your changes. You can now store encrypted secrets in your Git repository.
4. Add the manifests to your cluster
Add the following Terraform manifest to the root of your Git repository.
Terraform manifest (collapsed in the original page)
Add the following template to a path in your Git repository that is synced by Flux. In the quickstart guide, we set this path to ./clusters/management.
Template file: ./clusters/management/rds-template.yaml
Commit and push your changes.
You can change the location where you keep your Terraform manifests in your Git source (which the TF-Controller will reconcile) by configuring spec.resourcetemplates.spec.path.
5. Use the template to create the RDS
gitops add terraform --from-template rds-template \
--username=<username> --password=<password> \
--endpoint https://localhost:8000 \
--url https://github.com/myawesomeorg/myawesomerepo \
--set "RESOURCE_NAME"="tf-controller-aurora","CLUSTER_IDENTIFIER"="super-awesome-aurora","DATABASE_NAME"="db1","BACKUP_RETENTION_PERIOD"=5,"REGION"="us-west-2"
Created pull request: https://github.com/myawesomeorg/myawesomerepo/pull/6
Merge the PR in your Git repository to add the TF-Controller manifest. TF-Controller will supply the values to the Terraform manifest, apply the Terraform manifest to create the resource, and reconcile any changes that you make to the Terraform manifest.
Any changes to your Terraform manifest will be automatically reconciled by the TF-Controller with Flux.
You can re-use this template to create multiple Terraform resources, each with a different set of values!
Make sure to delete the newly created RDS resources to not incur additional costs.