tofu-controller

Live runner environment to interactively run terraform commands.

Open elisiano opened this issue 2 years ago • 1 comment

Howdy! We are using a finicky terraform provider that bails whenever the remote resources have been deleted outside of terraform.

Ideally this should be fixed in the provider to just recreate the resources, but this got me thinking that it might be useful to have a live pod where we can exec inside and run terraform commands (specifically terraform state ... ones).

The use cases I have in mind are mainly:

  • remove terraform resources from the state
  • move terraform resources around (for refactoring)

Currently the process is a bit awkward:

  • pause the reconciliation of the terraform object
  • get the state (as documented)
  • run terraform commands
  • upload the changed state (as documented)
  • resume the reconciliation

I have tried to set spec.alwaysCleanupRunnerPod: false and exec in the runner but I can't find the manifests and it does not have the secrets mounted (maybe I'm missing something?).

elisiano • Aug 17 '22 19:08

Thank you @elisiano

Currently the process is a bit awkward:

  • pause the reconciliation of the terraform object
  • get the state (as documented)
  • run terraform commands
  • upload the changed state (as documented)
  • resume the reconciliation

Yes, we would also encapsulate these steps into a command to help the debugging process.

I have tried to set spec.alwaysCleanupRunnerPod: false and exec in the runner but I can't find the manifests and it does not have the secrets mounted (maybe I'm missing something?).

We are locked down by Kubernetes' security for some reasons, yes. Me too; I exec'd into the pod and didn't find any manifests.

But for the Secrets, we're trying to be as secure as possible by design. There are no secrets mounted into the pod. We obtain them via the API, so there are no secrets for you to see there.

chanwit • Aug 18 '22 12:08

Besides the tf.state, the tfctl command could also help extract the current variables configured on the cluster and referenced in the Terraform CR into a terraform.tfvars.json local file.

I've used the following (ugly!) command as a workaround to extract the variables from the Terraform CR (without yet dealing with the varsFrom):

k get terraform terraform -o yaml | yq '.spec.vars| map({ (.name): .value})' | grep TF_VAR | sed 's/TF_VAR_//' | yq -o json | jq 'add' > terraform.tfvars.json

Then I can run terraform init && terraform plan.

gberche-orange • Jan 25 '23 11:01
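A worked version of that extraction, added here as an example (not code from the issue or from the project): it reads the CR as JSON (kubectl -o json) so structured values survive instead of being cut up by grep, merges varsFrom entries from pre-fetched ConfigMap/Secret data, and creates the output file owner-only because it may contain Secret values. The CR shape used, the sources mapping, and the rule that inline spec.vars win over varsFrom on a name clash are assumptions made for this example, not verified controller behaviour.

```python
import json
import os

# Constructed sample CR, trimmed to spec.vars/varsFrom; names and values are made up.
SAMPLE_CR = json.loads("""{"kind": "Terraform", "metadata": {"name": "demo"}, "spec": {
  "vars": [{"name": "TF_VAR_region", "value": "eu-west-1"},
           {"name": "TF_VAR_tags", "value": {"team": "platform", "env": "dev"}},
           {"name": "replicas", "value": 3}],
  "varsFrom": [{"kind": "Secret", "name": "db-creds", "varsKeys": ["db_password"]},
               {"kind": "ConfigMap", "name": "net", "optional": true}]}}""")
# Constructed stand-ins for the referenced objects' data (Secret values already
# base64-decoded), keyed by (kind, name); in practice fetch them with kubectl.
SAMPLE_SOURCES = {
    ("Secret", "db-creds"): {"db_password": "s3cr3t", "db_user": "admin"},
    ("ConfigMap", "net"): {"cidr": "10.0.0.0/16"},
}

def strip_prefix(name):
    """Drop the TF_VAR_ prefix some teams put on spec.vars names."""
    return name[len("TF_VAR_"):] if name.startswith("TF_VAR_") else name

def extract_tfvars(cr, sources):
    """Merge spec.varsFrom and spec.vars; non-string values are kept as JSON.
    Assumption (not checked against the controller): inline vars win on clashes."""
    spec, tfvars = cr.get("spec", {}), {}
    for ref in spec.get("varsFrom", []):
        data = sources.get((ref["kind"], ref["name"]))
        if data is None:
            if ref.get("optional"):
                continue
            raise KeyError(f"referenced {ref['kind']}/{ref['name']} not found")
        for key in ref.get("varsKeys") or list(data):  # no varsKeys: take all keys
            tfvars[strip_prefix(key)] = data[key]
    for var in spec.get("vars", []):
        tfvars[strip_prefix(var["name"])] = var["value"]
    return tfvars

def write_tfvars_json(tfvars, path="terraform.tfvars.json"):
    """Create the file owner-only (0600): it may contain Secret-sourced values."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(tfvars, fh, indent=2, sort_keys=True)
    return path

if __name__ == "__main__":
    print(write_tfvars_json(extract_tfvars(SAMPLE_CR, SAMPLE_SOURCES)))
```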

@elisiano - This functionality is now being provided by the break-glass mode - please can you try that out, and let us know if it meets your requirements?

madAndroid • Nov 06 '23 10:11

Closing in light of the previous comment -- the ask has been addressed.

lasomethingsomething • Nov 06 '23 14:11