We're setting up a Kubernetes infrastructure and using tools like Karpenter, Traefik, and Velero, managed via Terraform. Currently, these tools are installed through a Helm resource where we also set up roles and policies with Terraform. However, we want to transition to using ArgoCD to automatically detect changes and release new versions. The challenge lies in the ArgoCD application manifests that require dynamic references to Terraform outputs like roles and policies. What are the best methods to integrate Terraform resources into ArgoCD files for smooth deployment?
5 Answers
I think one of the biggest gaps with ArgoCD is its support for sources outside the Git repo. Flux has this covered with its variable substitution, using ConfigMaps to manage additional values. I’ve worked around this with a custom config management plugin or through an app-of-apps method where the top-level Application created by Terraform manages all of the necessary outputs. It’s not a trivial setup but can align with your goals if done correctly.
One approach is to write your Terraform parameters into a Parameter Store and then use ExternalSecretsOperator in Kubernetes to pull those values as secrets into your applications. It’s not ideal for Argo because the secrets won't be directly accessible, but it’s a solid workaround.
You could set up a job to make Terraform output its generated values and commit them directly to the Git repository that ArgoCD monitors. That way, ArgoCD can always be in sync with the latest Terraform outputs!
Have you thought about using Flux? It allows you to do the dynamic substitution easily with config maps and secrets through the `substitutefrom` parameter in the Flux kustomization resource. This might be worth looking into!
If you're a fan of Crossplane, you might want to check out the Terraform provider it offers. This allows you to mix it with your existing configurations, keeping everything managed by ArgoCD. Just be cautious about controlling who can set configurations since automatic syncing can complicate things. It’s an interesting path, though definitely not the simplest one!
I wish ArgoCD had that feature too! They seem to stick to their principles, but it makes certain integrations harder.