Install Terraform Integration in Spinnaker (Spinnaker Operator)

Learn how to install Armory’s Terraform Integration Plugin in a Spinnaker instance managed by the Spinnaker Operator. Terraform Integration enables your app developers to provision infrastructure using Terraform as part of their delivery pipelines.

Overview of installing Terraform Integration

In this guide, you use the Kustomize files in the spinnaker-kustomize-patches repo to install the plugin. You do need to update the contents of some files.

  1. Configure Spinnaker
  2. Get the Terraform Integration installation files
  3. Configure the service
  4. Configure the plugin
  5. Deploy Terraform Integration


Spinnaker Version Terraform Integration Service Version Terraform Integration Plugin Version
1.30.x 2.30 0.0.2
1.29.x 2.28 0.0.1
1.28.x 2.28 0.0.1

Before you begin

You have read the Terraform Integration Overview.

Spinnaker requirements

Terraform Integration requirements

  • Basic auth credentials for the Git repository where your store your Terraform scripts. The Terraform Integration plugin needs access to credentials to download directories that house your Terraform templates.
    • You can configure your Git repo with any of the following:
      • A Personal Access Token (potentially associated with a service account).
      • SSH protocol in the form of an SSH key or an SSH key file
      • Basic auth in the form of a user and password, or a user-password file
  • A source for Terraform Input Variable files (tfvar) or a backend config. You must have a separate artifact provider that can pull your tfvar file(s). The Terraform Integration plugin supports the following artifact providers for tfvar files and backend configs:
    • GitHub
    • BitBucket
    • HTTP artifact
  • A dedicated external Redis instance
    • Armory requires configuring a dedicated external Redis instance for production usage of the Terraform Integration plugin. This is to ensure that you do not encounter scaling or stability issues in production.

Configure Spinnaker

Configure Redis

Terraform Integration uses Redis to store Terraform logs and plans.

You can only configure the Terraform Integration feature to use a password with the default Redis user.

Configure Redis settings in your configuration and then apply.

          baseUrl: "redis://spin-redis:6379"
          password: "password"

Configure your artifact account

The Terraform Integration uses the following artifact accounts:

  • Git Repo - To fetch the repo housing your main Terraform files.
  • GitHub, BitBucket or HTTP - Optional. To fetch single files such as var-files or backend config files.

Configure the Git Repo artifact

Spinnaker uses the Git Repo Artifact Provider to download the repo containing your main Terraform templates.

Edit your configuration to add the following:

            enabled: true
            - name: gitrepo
              token: <your-personal-access-token> #  personal access token

For more configuration options, see Configure a Git Repo Artifact Account.

Configure additional repos

This step is optional.

These optional steps describe how to configure GitHub as an artifact provider for the Terraform Integration.

Spinnaker uses the Github Artifact Provider to download any referenced tfvar files.

Configure your GitHub artifact:

          - name: <github-for-terraform> 
            token: <your-github-personal-access-token>
          enabled: true
  • name: the name for this account; replace github-for-terraform with a unique identifier for the artifact account.
  • token: GitHub personal access token; this field supports “encrypted” field references.

Spinnaker uses the BitBucket Artifact Provider to download any referenced tfvar files, so it must be configured with the BitBucket token to pull these files.

          enabled: true
          - name: <bitbucket-for-terraform>
            username: <your-bitbucket-username>
            password: <your-bitbucket-password>
  • name: the name for this account; replace <bitbucket-for-terraform> with a unique identifier for the artifact account.
  • username: Your Bitbucket username.
  • password: Your Bitbucket password; this field supports “encrypted” field references.

Get the Terraform Integration installation files

You can find the Terraform Integration service and plugin files in the spinnaker-kustomize-patches repo’s plugins/oss/terraformer directory.

  • kustomization.yml: Kustomize build file
  • deployment.yml: spin-terraformer Deployment manifest
  • service.yml: spin-terraformer Service manifest
  • terraformer-plugin-config.yml: plugin installation
  • terraformer.yml: config file
  • terraformer-local.yml: config file for Named Profiles
  • spinnaker.yml: Spinnaker service mapping
  • versions directory: contains version-specific values that Kustomize inserts into the manifest during generation

The spinnaker-kustomize-patches/recipes directory contains the example kustomization-oss-terraformer.yml recipe. You can use that recipe or copy the entries to your recipe. This guide uses the kustomization-oss-terraformer.yml recipe for examples.

Configure the service

Make sure the service version is compatible with your Spinnaker version.

You specify the version in the patchesStrategicMerge section of plugins/oss/terraformer/kustomization.yml. You can find supported versions in the plugins/oss/terraformer/versions directory. For example, if you are running Spinnaker 1.27.x, replace ./versions/v-1.28.yml with ./versions/v-1.27.yml.

  - ./pac-plugin-config.yml
  - ./versions/v-1.28.yml

Configure the plugin

In terraformer-plugin-config.yml, make sure the version number is compatible with your Spinnaker instance.

                enabled: true
                version: &pluginversion 0.0.1

For example, if you want to use plugin version 0.0.2, your version value would be &pluginversion 0.0.2.

Deploy Terraform Integration

This step deploys the Terraformer service and installs the plugin. If you want to see the generated manifest before you deploy, execute kubectl kustomize.

Apply the updates to your Kustomization file.

kubectl apply -k <kustomization-directory-path>

What’s next

Last modified August 17, 2023: (525a0c04)