Cache terraform providers to reduce transient errors

[chanwit]

[ekristen]

@chanwit have you thought about solutions to this yet? This is definitely a tricky aspect. One thought I had was to develop a second "source" controller who's job it is to run terraform init for each version of the source code reference and then reference it like kustomize controller does when sourcing an artifact from the source controller.

[chanwit]

I would tackle this problem using a simple image-based approach. We had a plan to have tfctl image build command, for example, for users to opt-in:

• Their custom version of Terraform binary
• Their pre-loaded set of providers

One of the goals is also the enablement of TF-controller in airgap environments.

[ekristen]

What about a terraform source controller that can take the source artifact from the source controller, run terraform using tfexec (so the version is selected automatically) and grabs all the providers and then creates a tar.gz like the source controller, from there the tf-controller uses it?

[ekristen]

@chanwit thinking about this more, I wonder if by using tfexec and including the latest patched terraform binary in the docker image 1.0.9, 1.1.9, 1.2.4 and then making use of the terraform network mirror with an nginx config, we could pass through cache the files to disk.

There's a terraform installation network mirror setting that can be dropped into the .tf code that can signal that a mirror should be used, if it's air-gapped this could be pre-populated static website, if this is online, it could be a pass through nginx cache and so then all the providers would just get cached locally on the cluster.

[ekristen]

The only catch is that terraform forces an https endpoint for network mirrors at the moment. Would be nice if http was supported then it could just use a proxy in the cluster.