Skip to main content
Version: 0.35.0

Overview

Terraform Controller (TF-Controller) is a reliable tool for managing your infrastructure and application resources using the GitOps approach, all at your own pace. An open source project created by Weaveworks, the makers of Flux, TF-Controller follows patterns established by Flux and integrates with Weave GitOps.

TF-Controller makes the following GitOps models available to suit your specific needs:

  • Drift Detection: Use GitOps for drift detection so that you can decide which actions to take when drift occurs.
  • GitOps Automation: Fully automate the GitOps process, including provisioning and enforcement, for all of your Terraform resources.
  • Hybrid GitOps Automation: GitOps-ify certain parts of your existing infrastructure resources, such as a nodegroup or security group in an existing EKS cluster.
  • State Enforcement: Use GitOps to enforce an existing tfstate without making any other changes.

To get started with TF-controller, simply follow the provided getting started guide. You can also find extensive documentation here—it covers API references, CLI references, and how-to's for common situations.

With Weave GitOps Enterprise, you can manage Terraform objects the same way you can with Kustomization and HelmReleases:

WGE Enterprise dashboard showing Terraform view

Features

  • Multi-Tenancy: TF-controller supports multi-tenancy by running Terraform plan and apply inside Runner Pods. When specifying .metadata.namespace and .spec.serviceAccountName, the Runner Pod uses the specified ServiceAccount and runs inside the specified Namespace. These settings enable the soft multi-tenancy model, usable within the Flux multi-tenancy setup.
  • GitOps Automation for Terraform: Setting .spec.approvePlan=auto allows a Terraform object to be reconciled and act as the representation of your Terraform resources. TF-controller uses the spec of the Terraform object to plan and apply its associated Terraform resources. It then stores the TFSTATE of the applied resources as a Secret inside the Kubernetes cluster. After .spec.interval passes, TF-Controller checks for drift between your live system and your Terraform resources and, if affirmative, automatically generates and applies a plan to correct it.
  • Drift detection: Enabled by default, and part of the GitOps automation feature, the controller detects and fixes infrastructure drift based on the Terraform resources and their TFSTATE. You can use the field .spec.disableDriftDetection to disable this behaviour. Drift detection-only mode, without plan or apply steps, allows you to perform read-only drift detection.
  • Plan and Manual Approve: Separate the plan from the apply step, just like in the Terraform workflow you are familiar with—but in a GitOps way. When a plan is generated, the controller shows you a message asking if you want to apply it. Optionally create and push the change to a new branch for your team members to review and approve too.
  • YAML-based Terraform: The Terraform object in v0.13.0+ allows you to better configure your Terraform resources via YAMLs, but without introducing any extra CRDs to your cluster.
  • First-class Terraform Cloud Support: Use spec.cloud to configure Terraform objects to use Terraform Cloud as the backend for storing the state.

Dependencies

TF-controller has its own versioning system that is separate from the versioning system used by Weave GitOps. This means that you can install and use TF-controller independently of Weave GitOps—it will not be affected by the version of Weave GitOps that you are using.

Here is the dependency matrix:

VersionTerraformSource ControllerFlux v2
v0.14.0v1.3.9v0.35.1v0.40.x
v0.13.1v1.3.1v0.31.0v0.38.x