Terraform Controller (TF-Controller) is a reliable tool for managing your infrastructure and application resources using the GitOps approach, all at your own pace. An open source project created by Weaveworks, the makers of Flux, TF-Controller follows patterns established by Flux and integrates with Weave GitOps.
TF-Controller makes the following GitOps models available to suit your specific needs:
- Drift Detection: Use GitOps for drift detection so that you can decide which actions to take when drift occurs.
- GitOps Automation: Fully automate the GitOps process, including provisioning and enforcement, for all of your Terraform resources.
- Hybrid GitOps Automation: GitOps-ify certain parts of your existing infrastructure resources, such as a nodegroup or security group in an existing EKS cluster.
- State Enforcement: Use GitOps to enforce an existing
tfstatewithout making any other changes.
To get started with TF-controller, simply follow the provided getting started guide. You can also find extensive documentation here—it covers API references, CLI references, and how-to's for common situations.
With Weave GitOps Enterprise, you can manage
Terraform objects the same way you can with
- Multi-Tenancy: TF-controller supports multi-tenancy by running Terraform
applyinside Runner Pods. When specifying
.spec.serviceAccountName, the Runner Pod uses the specified ServiceAccount and runs inside the specified Namespace. These settings enable the soft multi-tenancy model, usable within the Flux multi-tenancy setup.
- GitOps Automation for Terraform: Setting
Terraformobject to be reconciled and act as the representation of your Terraform resources. TF-controller uses the spec of the
applyits associated Terraform resources. It then stores the
TFSTATEof the applied resources as a
Secretinside the Kubernetes cluster. After
.spec.intervalpasses, TF-Controller checks for drift between your live system and your Terraform resources and, if affirmative, automatically generates and applies a plan to correct it.
- Drift detection: Enabled by default, and part of the GitOps automation feature, the controller detects and fixes infrastructure drift based on the Terraform resources and their
TFSTATE. You can use the field
.spec.disableDriftDetectionto disable this behaviour. Drift detection-only mode, without
applysteps, allows you to perform read-only drift detection.
- Plan and Manual Approve: Separate the
applystep, just like in the Terraform workflow you are familiar with—but in a GitOps way. When a plan is generated, the controller shows you a message asking if you want to apply it. Optionally create and push the change to a new branch for your team members to review and approve too.
- YAML-based Terraform: The
Terraformobject in v0.13.0+ allows you to better configure your Terraform resources via YAMLs, but without introducing any extra CRDs to your cluster.
- First-class Terraform Cloud Support: Use
Terraformobjects to use Terraform Cloud as the backend for storing the state.
TF-controller has its own versioning system that is separate from the versioning system used by Weave GitOps. This means that you can install and use TF-controller independently of Weave GitOps—it will not be affected by the version of Weave GitOps that you are using.
Here is the dependency matrix:
|Version||Terraform||Source Controller||Flux v2|