Terraform and OpenTofu Container Runner

What are the Terraform and OpenTofu Container Runner Drivers?

The Terraform and the OpenTofu Container Runner Drivers provide an easy, standardized and re-usable way to execute Terraform or OpenTofu code in your cluster by running a container image containing the Terraform or OpenTofu executable. You may bring your own image or use the default.

The current default images run these executable versions:

  • Terraform: 1.5.7
  • OpenTofu: 1.9.0

The Terraform and OpenTofu Container Runner Drivers are identical in structure and therefore covered on this common page.

This Driver is a virtual driver that wraps the Container Driver . Any Resources provisioned with it will therefore display the Container Driver as the Driver type being used.

This Driver supports only AKS, EKS, and GKE clusters as a target cluster for the execution of the Kubernetes Job created by the Container Driver .

Why use the Terraform or OpenTofu Container Runner Driver?

Using the Terraform or OpenTofu Container Runner Driver should ensure:

  • Reusability: You may want to use a dedicated Kubernetes cluster to execute your container, e.g. to run your Terraform or OpenTofu code. By separating out the runner configuration, it can be injected into any number Resource Definitions that should use that specific cluster to provision Resources via these Drivers.
  • Separation of concerns: As the configuration details are all in the config Resource Definition as shown in the example below, the Resource Definition based on the Terraform or OpenTofu Container Runner is completely oriented to provide the container specification and the Resource configuration.
  • Integrate: It provides an easy way to execute your Terraform or OpenTofu code via Humanitec in your infrastructure.

Compared to the Terraform Driver or Terraform Runner Driver , the Terraform and OpenTofu Container Runner Drivers:

  • Allow you to have more control of what is running in your cluster. You may choose to override the default image, but you are responsible for ensuring that the image includes the appropriate Terraform or OpenTofu executable and that your use complies with the respective vendor’s licensing terms.
  • Has a better defined architecture and execution model compared to the other Terraform drivers. As described here for the underlying Container Driver:
    • Executes a Kubernetes Job composed by different sidecar containers , each of them with a specific purpose, along with the main one.
    • Has to adhere to a specific interface to interact with the Platform Orchestrator.

How it works

The Terraform and OpenTofu Container Runner Drivers wrap the Container Driver and:

Matching different cluster configuration

By attaching the proper Matching Criteria to the config Resource Definition, a different Container Runner configuration can be matched e.g. per Environment Type so that the Kubernetes Job Container is executed in the proper cluster.

Using Terraform and OpenTofu backends

By default, the Drivers inject the configuration of a Kubernetes Terraform backend or Kubernetes OpenTofu backend that:

  • Creates Kubernetes secrets in the Runner namespace
  • Uses the Resource’s Globally Unique Id as secret_suffix via the context.res.guresid placeholder, to prevent any overlapping among resources

If you want to specify a different backend:

  • Set the boolean input value use_default_backend to false
  • Configure a different backend in your Terraform or OpenTofu code
  • Configure the proper Kubernetes cluster permissions as shown below

See our Terraform backends example for ways to handle backends.

Kubernetes cluster setup

Using the Terraform Container Runner Driver requires some additional setup on the target Kubernetes cluster so that the Platform Orchestrator may manage Kubernetes Jobs using the Driver. Refer to the “Container runner” instructions for the cluster type you are using:

In addition, a service account must be created in the target namespace for the Job execution itself, and it must be configured to have the permissions needed by the K8s Job to complete its execution.

Use these settings if your Terraform or OpenTofu code is using a backend other than the default Kubernetes backend :

Kubernetes Service Account 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: humanitec-runner
  namespace: humanitec-runner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: humanitec-runner
  name: humanitec-runner
rules:
- apiGroups: [""]
  resources: ["secrets", "configmaps"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: humanitec-runner
  namespace: humanitec-runner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: humanitec-runner
subjects:
- kind: ServiceAccount
  name: humanitec-runner
  namespace: humanitec-runner

Use these settings if your Terraform or OpenTofu code is using the default Kubernetes backend :

Kubernetes Service Account 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: humanitec-runner
  namespace: humanitec-runner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: humanitec-runner
  name: humanitec-runner
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get", "delete", "list", "update", "deletecollection"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "list", "update", "watch"]    
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: humanitec-runner
  namespace: humanitec-runner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: humanitec-runner
subjects:
- kind: ServiceAccount
  name: humanitec-runner
  namespace: humanitec-runner

Properties

Property Description
Resource type Any
Account type Any

Inputs

Values

Name Type Description
runner object An object describing how to configure the Kubernetes Job which will run the supplied Terraform or OpenTofu image in the target cluster.
credentials_config object [Optional] An object describing how credentials should be made available to the runner container.
variables object [Optional] A Map of variable names that are used as inputs to the Terraform or OpenTofu definition and their values. Some limitations apply.
files object [Optional] A Map of file paths to their content to create, according to their path, in the directory where the tooling executes (if the path is relative) or at a specific mount point (if the path is absolute). You can’t define a file whose path is run.sh, as a file is injected at the same path to handle container outputs by the Driver.
source object [Optional] A Git repository to use to fetch content such as IaC scripts.
skip_permission_checks boolean [Optional] If set to true, the Driver and the Job skip the checks to ensure that the K8s cluster client and service account have the permissions to complete successfully. Defaults to false.
manifests_output string [Optional] The name of a property in the OUTPUTS_FILE or in the SECRET_OUTPUTS_FILE that contains a list of Manifest Location objects in JSON format. If the property is present in both files, the contents will be appended. These will then be returned as the manifests property in the Driver outputs. See Generating manifests for more details.
use_default_backend boolean [Optional] Defaults to true. Set to false in case of a backend that is not the default one should be used to store the Resource state.

Script variables

To supply OpenTofu or Terraform variables, the field variables described in values can be used, unless you want to inject a Resource Selector .

Due to some encoding limitations, OpenTofu or Terraform variables that take their value from a Resource Selector can not be placed in the variables inputs field. Instead, you can use the files section to create a variable definitions file ( Terraform , OpenTofu ) and place those variables here like this:

# Sample Resource Definition snippet showing a variable definitions file for using a Resource Selector
entity:
  driver_inputs:
    values:
      # Defining regular variables
      variables:
        app_id: ${context.app.id}
        env_id: ${context.env.id}
      # Defining a variable definitions file using a Resource Selector
      files:
        "input_vars.auto.tfvars.json": |
          {
            "principals": ${resources['gcs.default<workload>k8s-service-account'].outputs.principal}
          }

Placeholders are resolved by the Platform Orchestrator before the Driver is called. This means that the content of the Placeholder will already be resolved in the Driver inputs that the Driver receives. This includes any placeholders in comments.

For Drivers that allow pulling code from an external source such as a Git repository, Placeholders will not be resolved in that external code.

Runner object

The runner object provides all the information to properly build the Kubernetes Job that will execute the Terraform or OpenTofu code. It is a reduced version of the Job object in the Container Driver, as some of its properties are injected by the Terraform or OpenTofu Container Runner Driver.

Property Type Description
image string [Optional] The Terraform image the target container should run. Defaults to hashicorp/terraform:1.5.7 for Terraform and ghcr.io/humanitec/opentofu-container-runner:1.9.0 for OpenTofu.
service_account string [Optional] The Service Account the Kubernetes Job should run with. Defaults to humanitec-runner.
pod_template string [Optional] The same as Pod Template in Container Driver.
namespace string [Optional] The Namespace where the Runner should run. Defaults to humanitec-runner.
variables object [Optional] A Map of environment variables to their non-secret content the Kubernetes Job will run with.

credentials_config object

The credentials_config object describes how the provider credentials should be made available to the runner container.

Property Type Description
environment object Map whose keys are the environment values expected by the runner and value can be flattened credential keys (with . as delimiter) or credentials file path.
If the value is * it means that the whole credentials will be available at the specified environment variable. If the value at the specified key is an object, the environment variable assumes the stringified value of it.
Example: AWS_ACCESS_KEY_ID: aws.accessKeyId
file string File path for the file that will be built from credentials. The file path can’t be absolute or use dots.
Example: credentials.json
variables object Map whose keys are variables expected by the runner and values can be flattened credential keys (with . as delimiter) or credentials file path.
If the value is * it means that the whole credentials will be available at the specified variable.
If the key contains ., it is considered as a sub-field of a variable of type objects (e.g. “SECRET.ID: aws_access_key_id” generates a variable SECRET of type object which a field ID whose value is fetched by creds at path aws_access_key_id).
If the value at the specified key is an object, the variable is supplied to the scripts as an object, otherwise as a string.
Example: access_key: aws.accessKeyId

Source object

The source object defines how the Driver uses IaC scripts that are stored in Git. The supplied repository must be accessible to the Container K8s Job and credentials must be supplied if necessary.

Property Type Description
ref string [Optional] Full branch name or tag, or commit SHA, for example, /refs/heads/main.
url object Repository URL, for example, github.com:my-org/project.git for SSH or https://github.com/my-org/project.git for HTTPS.
username object [Optional] Username to authenticate. The default is git.
path string [Optional] Relative path to the IaC scripts, e.g. path/to/scripts. If specified, the contents at this path will be moved to the top level working directory shared among the main and the sidecar containers

According to the value specified in the ref property, the git-init init container fetches the content in the repository at a specific reference:

  • If ref is a git reference (e.g. refs/heads/my-branch, refs/tags/my-tag), that branch or tag is checked out.
  • If ref is a valid commit SHA, that commit is checked out.
  • If ref is empty, the HEAD of the repository is checked out (generally main or master).

This means that if ref is not a commit SHA, we can’t ensure that the scripts used to provision a resource match exactly the ones used to delete the same resource as a branch (or a tag) might have been updated compared to when the resource provisioning happened.

Secrets

Name Type Description
runner object [Optional] Object which describes the sensitive data to configure the Kubernetes Job which will run in the supplied Terraform or OpenTofu image in the target cluster.
cluster object [Optional] An object providing credentials and other sensitive information about how the Driver should connect to the target cluster.
files object [Optional] A Map of file paths to their sensitive content to create, according to their path, in the directory where the runner executes (if the path is relative) or at a specific mount point (if the path is absolute).
source object [Optional] Credentials to access the Git repository.

Runner object

The runner object defines the environment variables with a sensitive value the container runner runs with.

Property Type Description
variables object [Optional] A map of environment variables to their secret content the target container will run with.

Source object

Credentials to be used to access the Git repository. The choice of credentials depends on the url format.

Property Type Description
password string [Optional] Password or Personal Account Token - for HTTPS.
ssh_key string [Optional] SSH Private key - for connections over SSH.

Examples

In addition to the Container Driver examples page, we provide an example that consists of:

  • A config Resource Definition. It matches a res_id of terraform-container-runner and produces a cluster object as its output.
  • An s3 Resource Definition using the terraform-container-runner Driver that performs provisioning of an S3 bucket via the execution of Terraform code stored in a private GitHub repository. The Terraform code will be executed in the cluster specified by the config Resource Definition. Note that no reference to the config Resource is required.

Config Resource Definition

  1. Create a file defining the config Resource Definition you want to create to define the cluster where the Container Runner should run:
cat << "EOF" > config-terraform-runner.yaml
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: config-terraform-container-runner
entity:
  name: Config For Container Driver Runner
  type: config
  driver_type: humanitec/template
  driver_inputs:
    values:
      templates:
        outputs:
          cluster:
            account: myOrg/myAccount
            cluster:
              name: my-eks-cluster
              region: eu-north-1
              cluster_type: eks
              loadbalancer: 10.10.10.10
          skip_permission_checks: false
        secrets: |
          agent_url: {{ .driver.secrets.agent_url }}
    secrets:
      agent_url: ${resources.agent.outputs.url}
  criteria:
  - env_type: development
    res_id: terraform-container-runner
EOF
  1. Use the humctl create command to create the Resource Definition in the Organization defined by your configured context:
humctl create -f config-terraform-container-runner.yaml
rm config-terraform-container-runner.yaml

  1. Set the following environment variables:
Variable Example Description
HUMANITEC_TOKEN my-token The authentication token for accessing the Humanitec API
HUMANITEC_ORG my-org-id The unique identifier for the Humanitec Organization
  1. Execute this command:
curl https://api.humanitec.io/orgs/${HUMANITEC_ORG}/resources/defs \
  -X POST \
  -H "Authorization: Bearer ${HUMANITEC_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '
{
  "id": "config-terraform-runner",
  "name": "Config For Container Runner Driver",
  "type": "config",
  "criteria": [
    {
      "env_type": "development",
      "res_id": "terraform-container-runner"
    }
  ],
  "driver_type": "humanitec/template",
  "driver_inputs": {
    "values": {
      "templates": {
        "outputs": "skip_permission_checks: false\ncluster:\n  account: myOrg/myAccount\n  cluster:\n    loadbalancer: 10.10.10.10\n    name: my-eks-cluster\n    region: eu-north-1\n\n    cluster_type: eks\n",
        "secrets": {
          "agent_url": "{{ .driver.secrets.agent_url }}"
        }
      }
    },
    "secrets": {
      "agent_url": "${resources.agent.outputs.url}"
    }
  }
}'

Use this Resource Definition for the Humanitec Terraform Provider :

resource "humanitec_resource_definition" "config-terraform-container-runner" {
  driver_type = "humanitec/template"
  id             = "config-terraform-container-runner"
  name           = "Config For Terraform Container Runner Driver"
  type           = "config"
  driver_inputs  = {
    values_string  = jsonencode({
      "templates" = {
        "outputs" = {
          "cluster" = {
            "account" = "myOrg/myAccount"
            "cluster" = {
              "cluster_type" = "eks"
              "loadbalancer" = "10.10.10.10"
              "name"         = "my-eks-cluster"
              "region"       = "eu-north-1"
            }
          }
          "skip_permission_checks" = false
        }
        "secrets" = "agent_url: {{ .driver.secrets.agent_url }}\n"
      }
    })
    secrets_string = jsonencode({
      "agent_url" = "$${resources.agent.outputs.url}"
    })
  }
}

resource "humanitec_resource_definition_criteria" "config-terraform-container-runner_criteria_0" {
  resource_definition_id = resource.humanitec_resource_definition.config-terraform-container-runner.id 
  env_type = "development"
  res_id = "terraform-container-runner"
}

Terraform Container Runner Resource Definition

  1. Create a file defining the terraform-container-runner Resource Definition you want to create to define the Terraform code to execute in the Kubernetes Job created by the Container Driver:
cat << "EOF" > s3-tf.yaml
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: my-s3-bucket
entity:
  name: S3 Bucket
  type: s3
  driver_type: humanitec/terraform-container-runner
  driver_account: my-aws-account
  driver_inputs:
    values:
      source:
        ref: refs/heads/main
        url: https://my-domain.com/my-org/my-repo.git
        username: my-git-handler
        path: path/to/s3
      variables:
        bucket: ${context.app.id}-${context.env.id}
        region: eu-west-3
      credentials_config:
        environment:
          AWS_ACCESS_KEY_ID: AccessKeyId
          AWS_SECRET_ACCESS_KEY: SecretAccessKey
    secret_refs:
      source:
        password:
          store: my-store
          ref: path/to/git/password
  criteria:
  - env_type: development
EOF
  1. Use the humctl create command to create the Resource Definition in the Organization defined by your configured context:
humctl create -f s3-tf.yaml
rm s3-tf.yaml

  1. Set the following environment variables:
Variable Example Description
HUMANITEC_TOKEN my-token The authentication token for accessing the Humanitec API
HUMANITEC_ORG my-org-id The unique identifier for the Humanitec Organization
  1. Execute this command:
curl https://api.humanitec.io/orgs/${HUMANITEC_ORG}/resources/defs \
  -X POST \
  -H "Authorization: Bearer ${HUMANITEC_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '
{
  "id": "my-s3-bucket",
  "name": "S3 Bucket",
  "type": "s3",
  "criteria": [
    {
      "env_type": "development"
    }
  ],
  "driver_type": "humanitec/container-runner",
  "driver_account": "my-aws-account",
  "driver_inputs": {
    "values": {
      "source": {
        "ref": "refs/heads/main",
        "url": "https://my-domain.com/my-org/my-repo.git",
        "username": "my-git-handler",
        "path: path/to/s3"
      },
      "variables": {
        "bucket": "${context.app.id}-${context.env.id}",
        "region": "eu-west-3"
      }
    },
    "secret_refs": {
      "source":{
        "password": {
          "store": "my-store",
          "ref": "path/to/git/password"
        },
        ...
      }
    }
  }
}'

Use this Resource Definition for the Humanitec Terraform Provider :

resource "humanitec_resource_definition" "my-s3-bucket" {
  driver_type = "humanitec/terraform-container-runner"
  id             = "my-s3-bucket"
  name           = "S3 Bucket"
  type           = "s3"
  driver_account = "my-aws-account"
  driver_inputs  = {
    values_string  = jsonencode({
      "source" = {
        "ref" = "refs/heads/main"
        "url" = "https://my-domain.com/my-org/my-repo.git"
        "username" = "my-git-handler"
        "path" = "path/to/s3"
      }
      "variables" = {
        "bucket" = "$${context.app.id}-$${context.env.id}"
        "region" = "eu-west-3"
      }
      "credentials_config" = {
        "environment" = {
          "AWS_ACCESS_KEY_ID" = "AccessKeyId"
          "AWS_SECRET_ACCESS_KEY" = "SecretAccessKey"
        }
      }
    })
    secret_refs    = jsonencode({
      "source" = {
        "password" = {
          "store" = "my-store"
          "ref" = "path/to/git/password"
        }
      }
    })
  }
}

resource "humanitec_resource_definition_criteria" "my-s3-bucket_criteria_0" {
  resource_definition_id = resource.humanitec_resource_definition.my-s3-bucket.id 
  env_type = "development"
}

Terraform Runner