
The always-encrypted Kubernetes now comes with a Terraform provider

Adrian Stobbe


Constellation 2.14 introduces full Terraform support through a new provider plugin. This allows you to manage the lifecycle of Constellation clusters with Terraform, enabling seamless integration with GitOps pipelines and existing infrastructure setups. You no longer need to install the Constellation CLI; instead, you can declare the entire Constellation cluster setup through Terraform. Read the docs for more information and examples.


Why devs love GitOps


GitOps is about using Git, a widely used version control system, as the single source of truth for declarative infrastructure and applications. This approach resonates strongly with developers for several reasons. For example, it makes collaboration easier by allowing developers to review, comment, and approve changes in a transparent manner. Additionally, GitOps embraces automated testing and deployment of infrastructure changes, leading to more stable and reliable systems by eliminating manual errors. Lastly, the versioned deployments allow for better disaster recovery by letting teams quickly revert to a known good state.


Terraform module vs. Terraform provider


Constellation release 2.13 introduced a Terraform module, which used the CLI in the background so that a user would only interact with Terraform. However, this approach had several shortcomings. Most significantly, the CLI created files as a side effect in the background. With the provider, the Terraform state is the single source of truth for the cluster, and it should be kept secure. The provider removes the dependency on the CLI and follows Terraform best practices.


By separating the OS image lookup and the attestation lookup into separate data sources, the provider offers more customizability and transparency.


This lets the user see the image reference and the attestation measurements during terraform plan, and it makes it possible to use custom images and custom attestation.
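The two data sources described above, as an added illustration that is not code from the original post or from the Constellation project: the image lookup and the attestation lookup are wired so that both the image reference and the expected measurements appear in terraform plan before any cluster exists. The data-source and attribute names follow the provider's schema as I understand it and the provider source, cloud, variant and version values are constructed assumptions.

```hcl
terraform {
  required_providers {
    constellation = {
      # Assumed registry address of the Constellation provider.
      source = "edgelesssys/constellation"
    }
  }
}

# Constructed example values: Azure with SEV-SNP, pinned to the 2.14 release line.
locals {
  csp                 = "azure"
  attestation_variant = "azure-sev-snp"
  image_version       = "v2.14.0"
}

# Data source 1: resolve the OS image reference for this CSP, variant and version.
# Swapping this for a custom image is a matter of replacing this lookup.
data "constellation_image" "os" {
  csp                 = local.csp
  attestation_variant = local.attestation_variant
  version             = local.image_version
}

# Data source 2: fetch the expected measurements for exactly that image.
# Keeping it separate from the image lookup means the attestation config
# can be reviewed, pinned or replaced independently of the image.
data "constellation_attestation" "expected" {
  csp                 = local.csp
  attestation_variant = local.attestation_variant
  image               = data.constellation_image.os.image
}

# Exposing both as outputs makes them visible in `terraform plan` and in a
# GitOps pull request, so a reviewer can check what the cluster will trust.
output "image_reference" {
  value = data.constellation_image.os.image.reference
}

output "expected_measurements" {
  value = data.constellation_attestation.expected.attestation.measurements
}
```

The cluster resource that consumes these two values is omitted here; since the Terraform state then becomes the single source of truth for the cluster, store it in an access-controlled backend rather than in the Git repository.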


When should I use the provider?


For most users, the CLI will remain the go-to way to get started with Constellation, and certain features, such as cluster recovery, still require the CLI. The provider isn't intended to replace the CLI; rather, it complements it to cater to the needs of more sophisticated and customized setups.


Self-managed infrastructure was also supported before, but the provider improves the UX for Terraform users and allows for true GitOps.


Summary


In short, the Terraform provider, introduced in Constellation 2.14, is for users who need to customize the infrastructure or want to manage the cluster through GitOps, and it empowers them to do so seamlessly.

Do you have feedback or questions regarding the Constellation Terraform provider? Engage with us via GitHub!



