

The always-encrypted Kubernetes now comes with a Terraform provider

Adrian Stobbe

Constellation 2.14 introduces full Terraform support through a new provider plugin. This allows you to manage the lifecycle of Constellation clusters with Terraform, enabling seamless integration with GitOps pipelines and existing infrastructure setups. You no longer need to install the Constellation CLI; instead, you can declare the entire Constellation cluster setup through Terraform. Read the docs for more information and examples.

Why devs love GitOps

GitOps is about using Git, a widely used version control system, as the single source of truth for declarative infrastructure and applications. This approach resonates strongly with developers for several reasons. For example, it makes collaboration easier by allowing developers to review, comment, and approve changes in a transparent manner. Additionally, GitOps embraces automated testing and deployment of infrastructure changes, leading to more stable and reliable systems by eliminating manual errors. Lastly, the versioned deployments allow for better disaster recovery by letting teams quickly revert to a known good state.

Terraform module vs. Terraform provider

Constellation release 2.13 introduced a Terraform module, which used the CLI in the background so that a user would only interact with Terraform. However, this approach had several shortcomings. Most significantly, the CLI created files as a side effect in the background. With the provider, the Terraform state is the single source of truth for the cluster, and it should be kept secure. The provider removes the dependency on the CLI and follows Terraform best practices.

By splitting the OS image lookup and the attestation configuration into separate data sources, the provider offers more customizability and transparency.

This lets the user see the image reference and attestation measurements during terraform plan, and makes it possible to use custom images and custom attestation.
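A configuration in the shape described above, added here as an example rather than code from the post or from Constellation's own documentation. The provider's data source, resource and attribute names (constellation_image, constellation_attestation, constellation_cluster and their fields), the infrastructure module outputs, and the version and region values are assumptions to check against the provider docs:

```hcl
# Added example (assumed names, not the project's own code). Because image lookup
# and attestation are separate data sources, terraform plan shows the resolved
# image reference and the expected measurements before anything is created.

# Resolves the CSP-specific reference of the release image.
data "constellation_image" "current" {
  version             = "v2.14.0"     # assumed; pin the release you actually run
  attestation_variant = "aws-sev-snp" # assumed variant name
  csp                 = "aws"
  region              = "eu-west-1"   # assumed
}

# Fetches the measurements for that image. A custom image setup would replace
# this data source with an attestation value defined locally.
data "constellation_attestation" "current" {
  csp                 = "aws"
  attestation_variant = "aws-sev-snp"
  image               = data.constellation_image.current.image
}

# These secrets end up in the Terraform state: keep the state encrypted and
# access-controlled, as the text above notes.
resource "random_bytes" "master_secret" { length = 32 }
resource "random_bytes" "master_secret_salt" { length = 32 }
resource "random_bytes" "measurement_salt" { length = 32 }

# Cluster resource wired to the two data sources. module.aws_infrastructure is an
# assumed module that provisions the cloud resources and exposes these outputs.
resource "constellation_cluster" "main" {
  csp                     = "aws"
  name                    = "constell"
  uid                     = module.aws_infrastructure.uid
  image                   = data.constellation_image.current.image
  attestation             = data.constellation_attestation.current.attestation
  init_secret             = module.aws_infrastructure.init_secret
  master_secret           = random_bytes.master_secret.hex
  master_secret_salt      = random_bytes.master_secret_salt.hex
  measurement_salt        = random_bytes.measurement_salt.hex
  out_of_cluster_endpoint = module.aws_infrastructure.out_of_cluster_endpoint
  in_cluster_endpoint     = module.aws_infrastructure.in_cluster_endpoint
  network_config = {
    ip_cidr_node    = module.aws_infrastructure.ip_cidr_node
    ip_cidr_service = "10.96.0.0/12"
  }
}
```

Running terraform plan against this shows the image reference and the measurements the cluster will be verified against, so a reviewer can check them in the pull request before apply.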

When should I use the provider?

For most users, the CLI will remain the go-to way to get started with Constellation, and certain features, such as cluster recovery, still require the CLI. It's important to note that the provider isn't intended to replace the CLI; rather, it complements it to cater to the needs of more sophisticated and customized setups.

Self-managed infrastructure was also supported before, but the provider improves the UX for Terraform users and allows for true GitOps.

In short, the Terraform provider, introduced in Constellation 2.14, is for users who need to customize the infrastructure or want to manage the cluster through GitOps, and it empowers them to do so seamlessly.

Do you have feedback or questions regarding the Constellation Terraform provider? Engage with us via GitHub!
