{"id":20263595,"url":"https://github.com/springerpe/terraform-controller-modules","last_synced_at":"2026-02-06T18:32:19.950Z","repository":{"id":80987535,"uuid":"499047670","full_name":"SpringerPE/terraform-controller-modules","owner":"SpringerPE","description":"PoC","archived":false,"fork":false,"pushed_at":"2022-06-09T14:34:36.000Z","size":8,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-19T11:35:04.054Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SpringerPE.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-02T08:08:42.000Z","updated_at":"2022-06-09T14:37:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"f3af8b31-8be5-4bec-82a3-5393441cf3b7","html_url":"https://github.com/SpringerPE/terraform-controller-modules","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SpringerPE/terraform-controller-modules","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpringerPE%2Fterraform-controller-modules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpringerPE%2Fterraform-controller-modules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpringerPE%2Fterraform-controller-modules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpringerPE%2Fterraform-controller-modules/manifest
s","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SpringerPE","download_url":"https://codeload.github.com/SpringerPE/terraform-controller-modules/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpringerPE%2Fterraform-controller-modules/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29172616,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T16:33:35.550Z","status":"ssl_error","status_checked_at":"2026-02-06T16:33:30.716Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T11:35:40.116Z","updated_at":"2026-02-06T18:32:19.923Z","avatar_url":"https://github.com/SpringerPE.png","language":"HCL","readme":"# terraform-controller-modules\n\nExperiment using a terraform module stored in a git repo.\n\nTested with GKE K8S version: v1.23.5-gke.1501\nTerraform controller image versions: oamdev/terraform-controller:0.7.0 / oamdev/docker-terraform:1.1.2\nKubevela version: v1.4.1\n\n\n## Pros and Cons\n\nPros:\n\n* Easy to use, just regular terraform modules. Modules are not specific to the controller.\n* Terraform modules can be stored in a git repo or defined as inline HCL.\n* Terraform init, apply and output are shown in the output (and logs).\n* Inputs become properties in the app manifest. 
\n* Possible to pass environment vars to terraform.\n* The controller loops continuously to apply the state.\n* Output can be stored as a secret in K8S and used by the next service to retrieve credentials.\n* Possible to define an SA for the terraform provider per namespace: each team can use the same terraform module but with a different account.\n* Operators can use the terraform controller directly to define the resources in K8S, with no need to use apps.\n* The same git repository can store different modules, each in its own path. The repository can include examples, docs, ...\n\nCons:\n\n* `vela show \u003ccomponent\u003e` does not show the input parameters, only the output. When the app manifest is defined, users need to know which properties are available/predefined.\n* Output is logged, so secrets or sensitive data can be leaked (this can be avoided with `sensitive = true`).\n* Updating the git repo with the modules does not trigger the changes; the app needs to be redeployed.\n* When the app is redeployed, changes can be caused by app changes or by terraform changes in the git repo (done by the operator).\n* TF state backups need to be improved; currently only possible with a hack.\n* Private repositories are currently not supported; an issue is open (should not be difficult to implement).\n* Fixing a broken app (because of errors in terraform modules) needs to be done with workflow commands or by killing the pod.\n\n\n## K8S/Kubevela setup\n\n1. Secret:\n```\necho \"gcpCredentialsJSON: '${GOOGLE_CREDENTIALS}'\" \u003e gcp-credentials.conf\necho \"gcpProject: ${GOOGLE_PROJECT}\" \u003e\u003e gcp-credentials.conf\nkubectl create secret generic gcp-account-creds-project-test -n katee-engineering-enablement --from-file=credentials=gcp-credentials.conf\nrm -f gcp-credentials.conf\n```\n\n2. Define provider settings pointing to the secret: `kubectl -n katee-engineering-enablement apply -f provider.yaml`\n\n3. 
Create Kubevela component to deploy apps `kubectl -n katee-engineering-enablement apply -f cloudrun.yaml`\n\n4. Check if component is there: `vela components --label vendor=sn`\n\n5. Show component: `vela show test-cloudrun-ee`:\n```\n### Properties\n+----------------------------+-------------------------------------------------------------------+-----------------------------------------------------------+----------+---------+\n|            NAME            |                            DESCRIPTION                            |                           TYPE                            | REQUIRED | DEFAULT |\n+----------------------------+-------------------------------------------------------------------+-----------------------------------------------------------+----------+---------+\n| writeConnectionSecretToRef | The secret which the cloud resource connection will be written to | [writeConnectionSecretToRef](#writeConnectionSecretToRef) | false    |         |\n+----------------------------+-------------------------------------------------------------------+-----------------------------------------------------------+----------+---------+\n\n\n#### writeConnectionSecretToRef\n+-----------+-----------------------------------------------------------------------------+--------+----------+---------+\n|   NAME    |                                 DESCRIPTION                                 |  TYPE  | REQUIRED | DEFAULT |\n+-----------+-----------------------------------------------------------------------------+--------+----------+---------+\n| name      | The secret name which the cloud resource connection will be written to      | string | true     |         |\n| namespace | The secret namespace which the cloud resource connection will be written to | string | false    |         |\n+-----------+-----------------------------------------------------------------------------+--------+----------+---------+\n```\n\n\n### Notes\n\n* The service account (SA) used by the 
provider can be created in a \"main\"/\"host\" project and bound in the destination `$GOOGLE_PROJECT` (where the Terraform resources will be created) with the needed roles/permissions. For this example the account was bound as owner of the `$GOOGLE_PROJECT`. The JSON key can be loaded into an environment variable like `GOOGLE_CREDENTIALS=$(cat account-key.json)`. Google APIs may need to be enabled in order to manage GCP resources in `$GOOGLE_PROJECT`.\n\n\n* The `ComponentDefinition` definition key `spec.schematic.terraform` can point to a specific provider reference:\n```\n      providerRef:\n        name: gcp-project-test\n        namespace: katee-engineering-enablement\n```\n\n* Different labels can also be defined in metadata (in the example `vendor`); these labels can be used to filter components with the CLI.\n\n\n* The provider reference can be used by different `ComponentDefinition` components through its metadata `name` and `namespace` keys. The spec includes the GCP project used by the terraform provider and the service account (as a secret, see creation process above):\n\n```\napiVersion: terraform.core.oam.dev/v1beta1\nkind: Provider\nmetadata:\n  namespace: katee-engineering-enablement\n  name: gcp-project-test\n  labels:\n    \"config.oam.dev/catalog\": \"sn\"\n    \"config.oam.dev/type\": \"terraform-provider\"\n    \"config.oam.dev/provider\": \"terraform-gcp\"\nspec:\n  provider: gcp\n  region: europe-west4\n  credentials:\n    source: Secret\n    secretRef:\n      namespace: katee-engineering-enablement\n      name: gcp-account-creds-project-test\n      key: credentials\n```\n\n* K8S operators can use the terraform controller directly, by creating a `Configuration` definition pointing to the git repository/path and pointing to the proper provider reference (multiple providers are possible):\n```\napiVersion: terraform.core.oam.dev/v1beta1\nkind: Configuration\nmetadata:\n  name: cloudrun\nspec:\n  remote: 
https://github.com/jriguera/terraform-controller-modules.git\n  path: cloudrun\n  variable:\n     project: \"project-id\"\n     service_name: \"jose-test\"\n     image_name: \"gcr.io/cloudrun/hello\"\n  providerRef:\n    name: gcp-project-test\n    namespace: katee-engineering-enablement\n  writeConnectionSecretToRef:\n    name: cloudrun-direct\n    namespace: katee-engineering-enablement\n```\n\n\n## Deploy app\n\n\nCreate a manifest `app.yml` (change `project-id`):\n```\napiVersion: core.oam.dev/v1beta1\nkind: Application\nmetadata:\n  name: my-cloud-run-test\nspec:\n  components:\n    - name: cloud-run-app\n      type: test-cloudrun-ee\n      properties:\n        project: \"project-id\"\n        service_name: \"jose-test\"\n        image_name: \"gcr.io/cloudrun/hello\"\n        env:\n           HELLO: \"hola\"\n           BYE: \"adios\"\n        writeConnectionSecretToRef:\n          name: cloudrun-url\n```\n\n1. Deploy Application: `vela up -f app.yml`\n\n2. Check the app and its status: `vela ls` and `vela status my-cloud-run-test`:\n```\nAbout:\n\n  Name:      \tmy-cloud-run-test             \n  Namespace: \tkatee-engineering-enablement  \n  Created at:\t2022-06-03 10:33:03 +0200 CEST\n  Status:    \trunning                       \n\nWorkflow:\n\n  mode: DAG\n  finished: true\n  Suspend: true\n  Terminated: false\n  Steps\n  - id:hn4wmei93j\n    name:cloud-run-app\n    type:apply-component\n    phase:succeeded \n    message:\n\nServices:\n\n  - Name: cloud-run-app  \n    Cluster: local  Namespace: katee-engineering-enablement\n    Type: test-cloudrun-ee\n    Healthy Cloud resources are deployed and ready to use\n    No trait applied\n```\n\n3. 
Check outputs (secrets): `kubectl describe secret  cloudrun-url -n katee-engineering-enablement`:\n```\nName:         cloudrun-url\nNamespace:    katee-engineering-enablement\nLabels:       terraform.core.oam.dev/created-by=terraform-controller\n              terraform.core.oam.dev/owned-by=cloud-run-app\n              terraform.core.oam.dev/owned-namespace=katee-engineering-enablement\nAnnotations:  \u003cnone\u003e\n\nType:  Opaque\n\nData\n====\nsa_name:         63 bytes\nsa_private_key:  3132 bytes\nservice_url:     41 bytes\n```\n\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspringerpe%2Fterraform-controller-modules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspringerpe%2Fterraform-controller-modules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspringerpe%2Fterraform-controller-modules/lists"}