Enable the Terraform Integration Stage in Armory Continuous Deployment
Overview of enabling Terraform Integration
Enabling the Terraform Integration stage consists of these steps:
Compatibility
Spinnaker Version | Terraform Integration Service Version | Terraform Integration Plugin Version |
---|---|---|
1.30.x | 2.30 | 0.0.2 |
1.29.x | 2.28 | 0.0.1 |
1.28.x | 2.28 | 0.0.1 |
Before you begin
- You have read the Terraform Integration Overview.
- You are running Armory Continuous Deployment.
- You manage your instance using the Armory Operator.
Terraform Integration is a built-in feature of Armory CD.
If you are running open source Spinnaker, see the Terraform Integration Overview for installation paths based on whether you are using Halyard or the Spinnaker Operator.
Terraform Integration requirements
- Basic auth credentials for the Git repository where you store your Terraform scripts. The Terraform Integration plugin needs access to credentials to download directories that house your Terraform templates.
  - You can configure your Git repo with any of the following:
    - A Personal Access Token (potentially associated with a service account).
    - SSH protocol in the form of an SSH key or an SSH key file.
    - Basic auth in the form of a user and password, or a user-password file.
- A source for Terraform Input Variable files (`tfvar`) or a backend config. You must have a separate artifact provider that can pull your `tfvar` file(s). The Terraform Integration plugin supports the following artifact providers for `tfvar` files and backend configs:
  - GitHub
  - BitBucket
  - HTTP artifact
- A dedicated external Redis instance
  - Armory requires configuring a dedicated external Redis instance for production usage of the Terraform Integration plugin. This is to ensure that you do not encounter scaling or stability issues in production.
Configure Armory CD
Configure Redis
Terraform Integration uses Redis to store Terraform logs and plans.
You can only configure the Terraform Integration feature to use a password with the default Redis user.
Configure Redis settings in your Armory CD configuration and then apply your changes.
You need to modify `spinnaker-kustomize-patches/armory/features/patch-terraformer.yml`. Add Redis configuration in the `profiles` section.

```yaml
profiles:
  redis:
    baseUrl: "<your-redis-url>"
    password: "<your-redis-password>"
```

```yaml
spec:
  spinnakerConfig:
    profiles:
      terraformer:
        redis:
          baseUrl: "<your-redis-url>"
          password: "<your-redis-password>"
```
Configure your artifact account
The Terraform Integration uses the following artifact accounts:
- Git Repo - To fetch the repo housing your main Terraform files.
- GitHub, BitBucket or HTTP - Optional. To fetch single files such as var-files or backend config files.
Spinnaker uses the Git Repo Artifact Provider to download the repo containing your main Terraform templates. For more configuration options, see Configure a Git Repo Artifact Account.
You need to modify `spinnaker-kustomize-patches/armory/features/patch-terraformer.yml`. Configure artifacts in the `spec.spinnakerConfig.config.artifacts` section.

```yaml
spec:
  spinnakerConfig:
    config:
      armory:
        terraform:
          enabled: true
      artifacts:
        gitrepo:
          enabled: true
          accounts:
          - name: gitrepo
            username: <username>
            token: <git-token>
            # password:
            # tokenFile:
            # usernamePasswordFile:
            # sshPrivateKeyFilePath:
            # sshPrivateKeyPassphrase:
            # sshKnownHostsFilePath:
            # sshTrustUnknownHosts:
```

```yaml
spec:
  spinnakerConfig:
    profiles:
      clouddriver:
        artifacts:
          gitRepo:
            enabled: true
            accounts:
            - name: gitrepo
              token: <your-personal-access-token>
```
Configure additional repos
You need to modify `spinnaker-kustomize-patches/armory/features/patch-terraformer.yml`. Configure additional artifacts in the `spec.spinnakerConfig.config.artifacts` section.
This step is optional.
These optional steps describe how to configure GitHub as an artifact provider for the Terraform Integration.
Spinnaker uses the GitHub Artifact Provider to download any referenced `tfvar` files.
Configure your GitHub artifact:

```yaml
spec:
  spinnakerConfig:
    config:
      artifacts:
        github:
          accounts:
          - name: <github-for-terraform>
            token: <your-github-personal-access-token>
          enabled: true
```

- `name`: the name for this account; replace `<github-for-terraform>` with a unique identifier for the artifact account.
- `token`: GitHub personal access token; this field supports “encrypted” field references.
Spinnaker uses the BitBucket Artifact Provider to download any referenced `tfvar` files, so it must be configured with the BitBucket token to pull these files.

```yaml
spec:
  spinnakerConfig:
    config:
      artifacts:
        bitbucket:
          enabled: true
          accounts:
          - name: <bitbucket-for-terraform>
            username: <your-bitbucket-username>
            password: <your-bitbucket-password>
```

- `name`: the name for this account; replace `<bitbucket-for-terraform>` with a unique identifier for the artifact account.
- `username`: Your Bitbucket username.
- `password`: Your Bitbucket password; this field supports “encrypted” field references.
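Because the `token` and `password` fields above accept “encrypted” field references, a pre-commit check can flag artifact accounts that still carry a literal credential. The following is an added example, not part of Armory's tooling; it assumes references begin with the `encrypted:` prefix, and the sample manifest, account names, and the `spin-secrets` reference string are constructed for illustration.

```python
import re

# Credential keys from this page's artifact account settings.
# Assumption: secret references start with Spinnaker's "encrypted:" prefix.
SECRET_KEYS = {"token", "password", "sshPrivateKeyPassphrase"}
REF_PREFIX = "encrypted:"
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z]+):\s*(.*)$")


def find_plaintext_secrets(manifest_text):
    """Return (line_number, key) for every credential stored as a literal."""
    findings = []
    for number, line in enumerate(manifest_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out option, no value in effect
        match = KEY_VALUE.match(line)
        if not match or match.group(1) not in SECRET_KEYS:
            continue
        value = match.group(2).split(" #", 1)[0].strip().strip("\"'")
        if not value or (value.startswith("<") and value.endswith(">")):
            continue  # empty key or unfilled template placeholder
        if not value.startswith(REF_PREFIX):
            findings.append((number, match.group(1)))
    return findings


# Constructed sample manifest; names, secret reference and values are made up.
SAMPLE = """\
spec:
  spinnakerConfig:
    config:
      artifacts:
        gitrepo:
          accounts:
          - name: gitrepo
            token: <git-token>
            # password:
        github:
          accounts:
          - name: github-for-terraform
            token: encrypted:k8s!n:spin-secrets!k:github-token
        bitbucket:
          accounts:
          - name: bitbucket-for-terraform
            password: "constructed-plaintext-pw"  # inline literal
"""

if __name__ == "__main__":
    for number, key in find_plaintext_secrets(SAMPLE):
        print(f"line {number}: '{key}' is a plaintext literal")
```

The scan is line-based, so it works on a patch file before Kustomize renders it and reports the line to fix.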
Enable Terraform Integration
You need to modify your Kustomization recipe to include `patch-terraformer.yml`.

```yaml
patchesStrategicMerge:
  - armory/features/patch-terraformer.yml
```

Add `enabled: true` to your `terraform` section.

```yaml
spec:
  spinnakerConfig:
    config:
      armory:
        terraform:
          enabled: true
```
Apply the update
After you finish your Terraform Integration configuration, apply your changes. Confirm that the Terraform Integration service (Terraformer) is deployed with your Armory CD deployment:
```bash
kubectl get pods -n <your-spinnaker-namespace>
```

In the command output, look for a line similar to the following:

```
spin-terraformer-d4334g795-sv4vz    2/2    Running    0    0d
```
Last modified August 17, 2023: (525a0c04)