Credentials
Resource Definitions using the OpenTofu Container Runner Driver
The OpenTofu Container Runner Driver provides an easy way to execute OpenTofu code.
This driver handles the runner outputs so that they comply with the interface expected by the Orchestrator.
The example in this section shows:
- How to build the `config` Resource Definition needed by the Resource Definition based on the OpenTofu Container Runner Driver. This `config` Definition provides the data needed to create a Kubernetes Job in the desired cluster.
- How to make the Kubernetes Job able to pull an image from a private registry.
- How to inject the cloud account credentials into the IaC code running in the container via the `credentials_config` object.
- How to fetch the OpenTofu scripts from a private repository, via non-secret and secret fields.
- How to inject the OpenTofu scripts as an inline file of the Resource Definition, via `files`.
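Pulling the runner image from a private registry depends on a `kubernetes.io/dockerconfigjson` Secret that exists in the namespace where the runner Job is created and whose name matches an entry under `spec.imagePullSecrets` in `runner.pod_template`. The following Python is an added example, not code from this page or from Humanitec: it builds that Secret manifest in the same shape `kubectl create secret docker-registry` produces and checks the two conditions under which the Job can use it. The registry, namespace, username and password values are constructed placeholders.

```python
import base64
import json
from typing import Any


def docker_config_json(registry: str, username: str, password: str) -> str:
    """Build the JSON body the kubelet reads from a kubernetes.io/dockerconfigjson Secret."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps(
        {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    )


def image_pull_secret(
    name: str, namespace: str, registry: str, username: str, password: str
) -> dict[str, Any]:
    """Return the Secret manifest as a dict, in the shape
    `kubectl create secret docker-registry <name> --docker-server=... --docker-username=...
    --docker-password=...` would create."""
    body = docker_config_json(registry, username, password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(body.encode()).decode()},
    }


def registries_in_secret(manifest: dict[str, Any]) -> dict[str, str]:
    """Decode a pull secret and return {registry: username}, keeping the password out of logs."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    auths = json.loads(raw)["auths"]
    return {registry: entry["username"] for registry, entry in auths.items()}


def pull_secret_is_usable(
    manifest: dict[str, Any], pod_template: dict[str, Any], job_namespace: str
) -> list[str]:
    """Return the reasons the runner Job could NOT use this secret (empty list means usable):
    it must be of the dockerconfigjson type, live in the Job's namespace, and be named
    under spec.imagePullSecrets of the pod template."""
    problems: list[str] = []
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append(f"secret type is {manifest.get('type')!r}, not kubernetes.io/dockerconfigjson")
    if manifest["metadata"].get("namespace") != job_namespace:
        problems.append(
            f"secret is in namespace {manifest['metadata'].get('namespace')!r} but the Job runs in {job_namespace!r}"
        )
    listed = [s.get("name") for s in pod_template.get("spec", {}).get("imagePullSecrets", [])]
    if manifest["metadata"]["name"] not in listed:
        problems.append(f"{manifest['metadata']['name']!r} is not listed in spec.imagePullSecrets {listed}")
    return problems


# Parsed form of the pod_template string used in the s3.yaml definition (constructed here).
RUNNER_POD_TEMPLATE: dict[str, Any] = {"spec": {"imagePullSecrets": [{"name": "ghcr-private-registry"}]}}

if __name__ == "__main__":
    # Placeholder credentials; a real token would come from a secret store, never from source.
    secret = image_pull_secret("ghcr-private-registry", "runner-ns", "ghcr.io", "octocat", "placeholder-token")
    print(registries_in_secret(secret))
    print(pull_secret_is_usable(secret, RUNNER_POD_TEMPLATE, "runner-ns") or "usable by the runner Job")
```

The name-and-namespace check is the one worth automating: a Secret created in the wrong namespace, or under a name that differs from `imagePullSecrets[].name`, fails only at Job start with an `ErrImagePull`, which is the point at which the provisioning run is already blocked.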
The example is made up of these files:
- `k8s-cluster-opentofu-container-runner-config.yaml`: provides a connection to a GKE cluster.
- `agent.yaml`: provides the configuration to access a private cluster via the Humanitec Agent. It is needed by the `config` Resource.
- `s3.yaml`: in addition to referencing the `config` Resource Definition, it defines how to fetch the Terraform scripts from a private GitHub repository to provision an S3 bucket. It also provides, via `files`, an AWS S3 bucket as the place where the resource state is stored.
Resource Definitions
`agent.yaml` (view on GitHub):

```yaml
# This Resource Definition specifies the Humanitec Agent to use for the Runner.
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: agent-opentofu-container-runner
entity:
  driver_type: humanitec/agent
  name: agent-opentofu-container-runner
  type: agent
  driver_inputs:
    values:
      id: my-agent
  criteria:
    # Change to match the name of the development type you want this to apply to
    - env_type: development
```
`k8s-cluster-opentofu-container-runner-config.yaml` (view on GitHub):

```yaml
# This Resource Definition specifies a `config` Resource to be provisioned through Terraform code read from a private Git repository accessed via an SSH key.
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: config-opentofu-container-runner
entity:
  name: Config For OpenTofu Container Runner Driver
  type: config
  driver_type: humanitec/template
  driver_inputs:
    values:
      templates:
        outputs:
          cluster:
            account: myOrg/myAccount
            cluster:
              name: my-eks-cluster
              region: eu-north-1
            cluster_type: eks
            loadbalancer: 10.10.10.10
            skip_permission_checks: false
        secrets: |
          agent_url: {{ .driver.secrets.agent_url }}
    secrets:
      agent_url: ${resources.agent.outputs.url}
  criteria:
    # Change to match the name of the development type you want this to apply to
    - env_type: development
      res_id: opentofu-container-runner
```
`s3.yaml` (view on GitHub):

```yaml
# This Resource Definition specifies an `s3` Resource to be provisioned through OpenTofu code read from a private Git repository accessed via a password or token.
# The backend is defined via an inline file
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: s3-opentofu-container-runner
entity:
  name: S3 Bucket
  type: s3
  driver_type: humanitec/opentofu-container-runner
  # The Cloud Account referenced here provides the variables used in the credentials_config property
  driver_account: my-aws-account
  driver_inputs:
    values:
      runner:
        # Specify imagePullSecrets for pulling the runner image on the target cluster
        pod_template: |
          spec:
            imagePullSecrets:
              - name: ghcr-private-registry
      # Pull OpenTofu code from this Git repository
      source:
        ref: refs/heads/main
        url: https://my-domain.com/my-org/my-repo.git
        username: my-git-handler
        path: path/to/s3
      # Define variables for the OpenTofu code
      variables:
        bucket: ${context.app.id}-${context.env.id}
        region: eu-west-3
      credentials_config:
        # These variables are provided by the Cloud Account referenced in the driver_account property
        environment:
          AWS_ACCESS_KEY_ID: AccessKeyId
          AWS_SECRET_ACCESS_KEY: SecretAccessKey
      use_default_backend: false
      files:
        # Define the TF backend dynamically using the Resource GuResId
        backend.tf: |
          terraform {
            backend "s3" {
              bucket = "my-s3-to-store-tf-state"
              key    = "${context.res.guresid}/state/terraform.tfstate"
              region = "eu-west-3"
            }
          }
    secret_refs:
      # Obtain the password for authenticating to the Git repository from a secret store
      source:
        password:
          store: my-store
          ref: path/to/git/password
  criteria:
    - env_type: development
```
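As an added example (not part of this page or of Humanitec's tooling), the following Python lints a parsed Resource Definition before it is applied, checking the properties the `s3.yaml` definition above relies on: secret material such as the Git password must sit under `secret_refs` rather than `values`, every `secret_refs` leaf must be a `store`/`ref` pair, and with `use_default_backend: false` a backend block must be present in `files` with a per-resource state key (`${context.res.guresid}`). The definition is hand-transcribed from `s3.yaml` into a dict; a real CI step would load the file with a YAML parser. `SECRET_KEY_NAMES` and the helper names are this example's own assumptions.

```python
import copy
from typing import Any

# Hand-transcribed parsed form of the s3.yaml definition shown above (constructed for this example).
S3_DEFINITION: dict[str, Any] = {
    "apiVersion": "entity.humanitec.io/v1b1",
    "kind": "Definition",
    "metadata": {"id": "s3-opentofu-container-runner"},
    "entity": {
        "name": "S3 Bucket",
        "type": "s3",
        "driver_type": "humanitec/opentofu-container-runner",
        "driver_account": "my-aws-account",
        "driver_inputs": {
            "values": {
                "runner": {"pod_template": "spec:\n  imagePullSecrets:\n    - name: ghcr-private-registry\n"},
                "source": {
                    "ref": "refs/heads/main",
                    "url": "https://my-domain.com/my-org/my-repo.git",
                    "username": "my-git-handler",
                    "path": "path/to/s3",
                },
                "variables": {"bucket": "${context.app.id}-${context.env.id}", "region": "eu-west-3"},
                "credentials_config": {
                    "environment": {"AWS_ACCESS_KEY_ID": "AccessKeyId", "AWS_SECRET_ACCESS_KEY": "SecretAccessKey"}
                },
                "use_default_backend": False,
                "files": {
                    "backend.tf": (
                        'terraform {\n  backend "s3" {\n    bucket = "my-s3-to-store-tf-state"\n'
                        '    key    = "${context.res.guresid}/state/terraform.tfstate"\n'
                        '    region = "eu-west-3"\n  }\n}\n'
                    )
                },
            },
            "secret_refs": {"source": {"password": {"store": "my-store", "ref": "path/to/git/password"}}},
        },
        "criteria": [{"env_type": "development"}],
    },
}

# Key names that must never appear in the plain `values` tree (assumed list for this example).
SECRET_KEY_NAMES = {"password", "token", "private_key", "ssh_key", "secret"}


def find_inline_secrets(node: Any, path: str = "driver_inputs.values") -> list[str]:
    """Walk the non-secret `values` tree and report secret-looking keys with their dotted path."""
    findings: list[str] = []
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if str(key).lower() in SECRET_KEY_NAMES:
                findings.append(f"{child_path}: secret material in plain values; move it under secret_refs")
            findings.extend(find_inline_secrets(child, child_path))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings.extend(find_inline_secrets(child, f"{path}[{i}]"))
    return findings


def check_backend(values: dict[str, Any]) -> list[str]:
    """With use_default_backend false, a backend block must be supplied and keyed per resource."""
    if values.get("use_default_backend", True):
        return []
    files = values.get("files", {})
    backend_files = [name for name, body in files.items() if 'backend "' in body]
    if not backend_files:
        return ["use_default_backend is false but no file under `files` declares a backend block"]
    return [
        f"files.{name}: backend key lacks ${{context.res.guresid}}, so two resources would share one state file"
        for name in backend_files
        if "${context.res.guresid}" not in files[name]
    ]


def check_secret_refs(node: Any, path: str = "driver_inputs.secret_refs") -> list[str]:
    """Every leaf of secret_refs should be a store/ref pair that points at the secret store."""
    findings: list[str] = []
    if isinstance(node, dict):
        if node and all(not isinstance(v, (dict, list)) for v in node.values()):
            if not {"store", "ref"} <= set(node):
                findings.append(f"{path}: expected a store/ref pair, got keys {sorted(node)}")
        else:
            for key, child in node.items():
                findings.extend(check_secret_refs(child, f"{path}.{key}"))
    return findings


def lint_definition(definition: dict[str, Any]) -> list[str]:
    """Run all checks over one Resource Definition; an empty list means no findings."""
    driver_inputs = definition["entity"].get("driver_inputs", {})
    values = driver_inputs.get("values", {})
    return find_inline_secrets(values) + check_backend(values) + check_secret_refs(driver_inputs.get("secret_refs", {}))


def with_inline_password(definition: dict[str, Any]) -> dict[str, Any]:
    """Constructed negative case: the Git password placed in plain values instead of secret_refs."""
    broken = copy.deepcopy(definition)
    broken["entity"]["driver_inputs"]["values"]["source"]["password"] = "placeholder-not-a-real-password"
    return broken


def with_shared_state_key(definition: dict[str, Any]) -> dict[str, Any]:
    """Constructed negative case: a backend key that does not vary per resource."""
    broken = copy.deepcopy(definition)
    files = broken["entity"]["driver_inputs"]["values"]["files"]
    files["backend.tf"] = files["backend.tf"].replace("${context.res.guresid}/", "")
    return broken


if __name__ == "__main__":
    for label, d in (("s3.yaml", S3_DEFINITION), ("inline password", with_inline_password(S3_DEFINITION))):
        print(label, "->", lint_definition(d) or "clean")
```

Running the lint over the transcribed `s3.yaml` returns no findings, because the Git password is referenced only through `secret_refs` and the state key is derived from the resource's GuResId. The two constructed negative cases show what the checks catch: a password that drifts into `values` would be rendered into the Job's inputs in clear, and a state key shared between resources lets one resource's `tofu apply` operate on another's state.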