Managing Kubernetes Deployments with Terraform and kubectl apply

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

This article outlines different methods to execute kubectl commands within your Terraform code for managing Kubernetes resources. We will explore four primary approaches: using the dedicated terraform-provider-kubectl, directly executing commands with the local_exec provisioner, leveraging pre-built external modules, and best practices for handling sensitive data like Kubernetes API tokens. Each approach comes with its own advantages and considerations, which we will discuss in detail. Additionally, we will cover important factors such as ensuring idempotency in your commands, implementing robust error handling, and adhering to security best practices when working with sensitive credentials.

To execute kubectl commands within your Terraform code for managing Kubernetes resources, you have several options:

1. Leveraging the terraform-provider-kubectl:

• Installation: Begin by incorporating the kubectl provider into your Terraform setup. You can achieve this by adding the following to your providers.tf file:

  terraform {
    required_providers {
      kubectl = {
        source  = "gavinbunney/kubectl"
        version = "~> 1.14"
      }
    }
  }

• Authentication: Ensure your kubectl context is properly configured to connect to your Kubernetes cluster. The provider will inherit credentials from your existing kubectl configuration.

• Applying Resources: Utilize the kubectl_manifest resource to deploy your Kubernetes manifests. For instance:

  resource "kubectl_manifest" "example" {
    depends_on = [
      kubernetes_namespace.example
    ]
    yaml_body = <<YAML
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-deployment
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:1.14.2
    YAML
  }

2. Using the local_exec Provisioner:

• Direct Execution: Execute kubectl commands directly within your Terraform code using the local_exec provisioner. However, exercise caution as this approach might expose sensitive credentials.

  resource "null_resource" "kubectl_apply" {
    provisioner "local-exec" {
      command = "kubectl apply -f deployment.yaml"
    }
  }

• Security Considerations: Avoid hardcoding sensitive information directly in your Terraform files. Instead, leverage environment variables or secure secret management solutions.

3. Employing External Modules:

• Pre-built Modules: Explore community-contributed Terraform modules designed for interacting with Kubernetes. These modules often provide a higher level of abstraction and can simplify common tasks.

  module "kubectl_command" {
    source  = "magnolia-sre/kubectl-cmd/kubernetes"
    version = "~> 1.0"
  
    commands = [
      "kubectl get pods -n kube-system",
    ]
  }

4. Handling Sensitive Data:

• Environment Variables: Store sensitive data, such as Kubernetes API tokens, in environment variables and reference them securely within your Terraform code.

• Secret Management: Utilize dedicated secret management tools like HashiCorp Vault to store and retrieve sensitive credentials securely.

Important Considerations:

• Idempotency: Ensure your kubectl commands are idempotent, meaning they can be executed multiple times without causing unintended side effects.

• Error Handling: Implement error handling mechanisms to gracefully manage potential failures during kubectl command execution.

• Security Best Practices: Prioritize security by avoiding the hardcoding of sensitive information and adopting secure credential management practices.

This document provides examples of how to execute kubectl commands within Terraform code. It demonstrates four methods: using the dedicated terraform-provider-kubectl, leveraging the local_exec provisioner for direct command execution, incorporating external modules for pre-built kubectl interactions, and handling sensitive data like kubeconfig paths securely using environment variables and Terraform's sensitive variable feature. The document emphasizes the importance of adapting these examples to specific use cases, prioritizing security, and ensuring idempotency and error handling in kubectl commands.

1. Using the terraform-provider-kubectl:

# providers.tf
terraform {
  required_providers {
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = "~> 1.14"
    }
  }
}

# main.tf
resource "kubernetes_namespace" "example" {
  metadata {
    name = "my-namespace"
  }
}

resource "kubectl_manifest" "nginx_deployment" {
  depends_on = [
    kubernetes_namespace.example
  ]

  yaml_body = <<YAML
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: my-namespace
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
YAML
}

2. Using the local_exec Provisioner:

# main.tf
resource "null_resource" "kubectl_apply" {
  provisioner "local-exec" {
    command = "kubectl apply -f deployment.yaml"
  }
}

3. Employing External Modules:

# main.tf
module "kubectl_command" {
  source  = "magnolia-sre/kubectl-cmd/kubernetes"
  version = "~> 1.0"

  commands = [
    "kubectl get pods -n kube-system",
  ]
}

4. Handling Sensitive Data (Example with Environment Variables):

# Set KUBECONFIG environment variable before running Terraform
# export KUBECONFIG=path/to/your/kubeconfig

# main.tf
resource "null_resource" "kubectl_apply" {
  provisioner "local-exec" {
    command = "kubectl apply -f deployment.yaml --kubeconfig=${var.kubeconfig}"
  }
}

variable "kubeconfig" {
  type = string
  default = env("KUBECONFIG")
  sensitive = true
}

Remember:

• Adapt these examples to your specific needs and context.
• Prioritize security by avoiding hardcoded sensitive information and using appropriate secret management techniques.
• Ensure your kubectl commands are idempotent and implement error handling mechanisms for robustness.

• When to use each method:
  • terraform-provider-kubectl: Best for managing Kubernetes manifests directly within Terraform, especially when you need to manage dependencies between Kubernetes resources and other Terraform resources.
  • local-exec provisioner: Useful for simple kubectl commands or when you need to interact with the cluster outside the scope of resource management (e.g., running a script after deployment). Use with caution due to potential security risks.
  • External modules: Ideal for common Kubernetes tasks or complex deployments, as they provide higher-level abstractions and reduce boilerplate code.
• Beyond the basics:
  • Explore the full potential of the terraform-provider-kubectl by leveraging its data sources for fetching information from your cluster.
  • Consider using tools like kustomize or helm in conjunction with Terraform for templating and managing complex Kubernetes applications.
• Terraform best practices still apply:
  • Use modules to organize your code and promote reusability.
  • Implement input validation to ensure the reliability of your Terraform code.
  • Leverage Terraform's state management capabilities to track changes and ensure consistency.
• Keep learning:
  • The Kubernetes and Terraform ecosystems are constantly evolving. Stay up-to-date with the latest features, best practices, and security considerations.

By carefully considering these notes and the information presented in the article, you can effectively manage your Kubernetes resources with Terraform while maintaining a secure and efficient workflow.

This article outlines four methods for managing Kubernetes resources using kubectl commands within Terraform:

Key Considerations:

• Idempotency: Ensure commands can be run multiple times without unintended consequences.
• Error Handling: Implement mechanisms to gracefully manage potential command execution failures.
• Security Best Practices: Avoid hardcoding sensitive information and adopt secure credential management practices.

In conclusion, integrating kubectl commands into your Terraform workflows is essential for managing Kubernetes resources effectively. This article explored four primary methods: using the specialized terraform-provider-kubectl, direct execution via the local-exec provisioner, leveraging pre-built external modules, and emphasizing secure handling of sensitive data like Kubernetes API tokens. Each approach has its own merits and considerations, allowing you to choose the most suitable one for your specific needs. Remember to prioritize idempotency in your commands, implement robust error handling, and adhere to security best practices by avoiding hardcoded credentials and adopting secure secret management techniques. By carefully considering these factors and the information presented, you can confidently manage your Kubernetes resources with Terraform, ensuring a secure and efficient infrastructure management process.

• magnolia-sre/kubectl-cmd/kubernetes | Terraform Registry | Mar 16, 2023 ... Multiline scripts (using heredoc format) are considered a single command. You can mix single or multiline commands. Use the destroy commands ( ...
• A more secure way to call kubectl from Terraform | by Ian Tivey ... | Calling kubectl from Terraform without leaking your credentials…
• How can terraform execute a kubectl command when my cluster ... | Posted by u/Cloud--Man - 2 votes and 6 comments
• Running kubectl with a local_file resource? - Terraform - HashiCorp ... | Hi, Im provisioning a cluster with terraform and want single out the etcd nodes IP’s after the cluster is done to trigger a ansible playbook and manipulate the udev write-cache. As of know im come so far as having this " kubectl get nodes --selector=node-role.kubernetes.io/etcd -o jsonpath=’{$.items[*].status.addresses[?(@.type==“InternalIP”)].address}’ --kubeconfig=kube_config_openstack" Which singles out the etcd_node ips. But next step is a bit unclear for me. How do i get that informati...
• kubectl command similar to "terraform plan" : r/kubernetes | Posted by u/Outrageous-Score-645 - 19 votes and 19 comments
• Create a datasource for URL documents · Issue #26 · gavinbunney ... | It would be useful to have a datasource that could pull documents from the internet. So instead of having 1,000 lines of YAML embedded in the .tf, just provide the URL to the YAML and voila!
• What is the equivalence of "kubectl apply -k" in terraform to manage ... | Posted by u/dayeye2006 - 1 vote and 2 comments
• Install ISTIO 1.3.x with Terraform - Environments - Discuss Istio | Good morning or good day to you. I am working to introduce Terraform in the company for automatically managing the cloud environment. The challenge is on the one side, that we are living in the IBM managed cloud and we want to use the VPC and managed K8S cluster there. Well, this runs fine now and as expected, but, I would like to install some packages via HELM into it like the package of ISTIO. I thought about using HELM to prevent a call to kubectl from Terraform as shell command to depl...
• failed to fetch resource from kubernetes: the server could ... | The issue I'm running into an error with karpenter yaml templates and I'm unsure on what the cause is. I've used the kubectl_manifest in the past and it worked fine on consecutive applies, but for ...