{"id":26361137,"url":"https://github.com/polyseam/cndi-cdktf","last_synced_at":"2026-02-09T18:05:15.217Z","repository":{"id":243787382,"uuid":"813409664","full_name":"polyseam/cndi-cdktf","owner":"polyseam","description":"Experimental Terraform Integration for CNDI","archived":false,"fork":false,"pushed_at":"2025-04-10T05:37:10.000Z","size":70,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-10T06:35:43.126Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/polyseam.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-11T03:14:33.000Z","updated_at":"2025-04-10T05:37:14.000Z","dependencies_parsed_at":"2025-04-10T06:27:36.019Z","dependency_job_id":"3594c851-4257-410c-b2c4-2a7a3ff4c0f1","html_url":"https://github.com/polyseam/cndi-cdktf","commit_stats":null,"previous_names":["polyseam/cndi-cdktf"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/polyseam/cndi-cdktf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polyseam%2Fcndi-cdktf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polyseam%2Fcndi-cdktf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polyseam%2Fcndi-cdktf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polyseam%2Fcndi-cdktf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/po
lyseam","download_url":"https://codeload.github.com/polyseam/cndi-cdktf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/polyseam%2Fcndi-cdktf/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269189670,"owners_count":24375565,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-07T02:00:09.698Z","response_time":73,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-16T17:20:03.349Z","updated_at":"2026-02-09T18:05:10.173Z","avatar_url":"https://github.com/polyseam.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# [@cndi/cdktf](https://jsr.io/@cndi/cdktf)\n\n## goals\n\n- enable use of Terraform Modules in CNDI\n- reduce the size of the CNDI CLI in bytes\n- reduce the complexity of the CNDI CLI in lines of code\n- reduce the distance between the CNDI toolchain and the rest of the cdktf\n  ecosystem\n\n## why now?\n\nAs we were going to build support for CNDI's keyless authentication, we found\nthe\n[aws/eks CNDI deployment target](https://github.com/polyseam/cndi/blob/main/src/outputs/terraform/aws/AWSEKSStack.ts)\nincluded a ton of boilerplate especially related to authorization, which is\nquite sensitive.\n\nIf we can meaningfully reduce the footprint of our implementation, we can reduce\nthe surface area of the code which needs to be carefully and 
securely\nmaintained.\n\n## background\n\n[polyseam/cndi](https://github.com/polyseam/cndi) creates cloud infrastructure\nusing Terraform to create clusters, and GitOps Manifests to create the rest.\n\nThe [cndi](https://github.com/polyseam/cndi) CLI does this by importing every\nrequired Typescript API for each\n[Terraform Provider](https://registry.terraform.io/browse/providers) we support.\n\nThere's a map of our provider and module dependencies here in\n[./cdktf.json](./cdktf.json).\n\nThe `cndi` CLI is built with [Deno](https://github.com/denoland/deno) and\nsupposedly the package ecosystem is such that unused code cannot be tree-shaken,\nbecause static analysis cannot determine whether there are side-effects from\nimports.\n[I'd love to be wrong about this](https://github.com/polyseam/cndi/issues/929).\n\nOne side effect of this is that the CLI is quite large, and the user has to\ndownload the entire CLI to use it.\n\nThe intended [cdktf](https://developer.hashicorp.com/terraform/cdktf) pattern is\nactually to pull down only the packages you need using their `cdktf get`\ncommand.\n\nCNDI includes every\n[Terraform Provider](https://registry.terraform.io/browse/providers) we support,\nwhere each cloud's Provider\n[eg. aws](https://registry.terraform.io/providers/hashicorp/aws/latest) includes\nthe entire cloud's API.\n\nTerraform also provides an interface called a\n[Terraform Module](https://developer.hashicorp.com/terraform/language/modules)\n(not to be confused with a npm package). A module is a collection of resources\nthat can be used to create a specific piece of infrastructure. For example, the\n[aws-eks module](https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest)\ncan be used to create an AWS EKS.\n\n## limitations of the current state of cndi\n\n1. 
The CLI is large, especially relative to its _potential_ size (we've seen it\n   smaller with comparable functionality by writing out Terraform objects with\n   no CDKTF API, see\n   [v1.16.0](https://github.com/polyseam/cndi/tree/v1.16.0/src/outputs/terraform/aws-eks))\n2. The `cndi ow` command is slow because it must load all the APIs into memory\n3. [Terraform Modules](https://developer.hashicorp.com/terraform/cdktf/concepts/modules)\n   have been avoided, locking us out of their often simpler and better supported\n   APIs\n4. CNDI's extensibility is done through\n   [Terraform Passthru](https://github.com/polyseam/cndi/blob/main/docs/terraform-passthru.md)\n   which effectively takes the `cndi/terraform/cdk.tf.json` we generate for you,\n   then deep merges into it the object found in your config:\n   `cndi_config.yaml[infrastructure][terraform]`. This means that CNDI\n   core developers have access to elegant typescript APIs, but CNDI users deal\n   with a workaround when the core functionality is insufficient.\n\n## solving for the limitations\n\n### @cndi/cdktf\n\nWe know that there are some CDKTF modules we would like to use, like the\n[aws-eks module](https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest).\nWe know that to get that module with IntelliSense we need to call `cdktf get`\nwith some terraform package metadata present specifying the versions to\ndownload.\n\nWhat if we maintain a repository and build system which generates the CDKTF\npackages we rely on and publishes them to a registry?\n\nThis is the goal of `@cndi/cdktf`. It has a JSON configuration file which\nspecifies the modules we want to build, and the versions we want to build them\nat. 
It will then build the modules and publish them to a registry.\n\nImporting these modules is then just a matter of importing them after they have\nbeen built into the CNDI CLI.\n\nThis solution _does not_ change the architecture by pulling the packages from\nlocal disk at runtime.\n\nCNDI still pulls in all the required terraform modules at build time, but it\ndoes so using vendored versions of the modules which are built and published by\n`@cndi/cdktf` using the `cdktf` toolkit.\n\nIt is not yet clear if this vendoring and publishing process can also do\ntree-shaking and code-splitting, but it seems plausible.\n\nThis solution doesn't expose a better API as a successor to Terraform Passthru.\nThe user still doesn't have access to the rich expressivity of the CDKTF API.\nMaybe we tackle this in CNDI v3. Maybe that typescript-centric API is also\nsynergistic with Typescript FaaS?\n\n```jsonc\n{\n  // tags for modules used to set SHAs\n  \"terraformModules\": [\n    {\n      \"name\": \"aws-vpc\",\n      \"source\": \"terraform-aws-modules/vpc/aws\",\n      \"version\": \"5.17.0\"\n    },\n    {\n      \"name\": \"aws-eks\",\n      \"source\": \"terraform-aws-modules/eks/aws\",\n      \"version\": \"20.31.6\"\n    },\n    {\n      \"name\": \"aws-iam-assumable-role-with-oidc\",\n      \"source\": \"terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc\",\n      \"version\": \"5.52.2\"\n    },\n    {\n      \"name\": \"aws-eks-managed-node-group\",\n      \"source\": \"terraform-aws-modules/eks/aws//modules/eks-managed-node-group\",\n      \"version\": \"20.31.6\"\n    }\n  ]\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpolyseam%2Fcndi-cdktf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpolyseam%2Fcndi-cdktf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpolyseam%2Fcndi-cdktf/lists"}