From Terraform Modules to Platform Services: Simplify Infrastructure Management with the Kratix CLI

If you've worked with Terraform for any amount of time, you've probably experienced handing Terraform modules directly to application developers. Although this enables teams to get started quickly, it can lead to a world of pain. For example, does the following quote from an internal developer platform team engineer at a large bank resonate with you?

"I handed my developers a reusable Terraform module for Postgres. A week later, three teams forked it, none of them had backups enabled, and I’m on the hook when something goes wrong..."

If so, read on!

The Dangers of Providing Terraform Modules to Developers

At first glance, providing developers with Terraform modules appears straightforward; modules encapsulate best practices, making it easy for users to provision infrastructure. However, problems quickly surface:

• Teams independently manage Terraform configurations, leading to sprawl and making it challenging to track compliance or govern infrastructure consistently.

• Those same independent configurations allow misconfigurations to creep in, resulting in critical applications being provisioned without essential features like backups or high availability.

• Applying critical security patches or updates becomes a manual, error-prone process involving multiple teams and repositories.

These challenges rapidly diminish the initial benefits of using Terraform modules. Often, teams find themselves pressured to rewrite or drastically refactor their Terraform codebase, a costly, disruptive, and risky process. 

But what if there was a way to achieve the platform engineering outcomes you need without restarting from scratch?

Why Terraform Needs a Platform Layer

Terraform modules are powerful, but they impose a heavy operational burden on developers. Teams must deeply understand Terraform, handle state management complexities, and maintain secure and up-to-date configurations.

Moving to a standardised, self-service way to offer services and provisions infrastructure via a platform can deliver the outcomes you want without requiring your team to burn everything down and start again. 

This is precisely what Kratix, an open-source framework for building internal developer platforms, provides: a way to incrementally introduce platform engineering APIs and best practices on top of existing Terraform modules without disruption.

Bootstrapping Terraform Modules into Kratix Promises

Kratix provides a concept of a Promise. A Promise is the definition of a service that you want to make available on your platform. With Kratix, converting an existing Terraform module into a managed, self-service capability becomes effortless. For instance, an example Terraform module for provisioning an AWS S3 bucket can quickly be transformed into a managed service with a simple “kratix init” CLI command:

This command has generated a Promise for us. This Promise effectively provides an API for the Terraform module, exposing the same set of input values as the module itself.

We can now install the Promise and make the offering available on the platform:

In this example, I am running Syntasso Kratix Enterprise (SKE) with built-in support for a Backstage portal, so by default, all my Promises are also going to be added to the Backstage instance I have configured:

Providing Developers a Seamless Self-Service Experience

With Kratix Promises, developers no longer interact directly with Terraform or manage the resulting infrastructure. Instead, they utilise familiar interfaces like Kubernetes APIs or developer portals such as Backstage to provision and manage infrastructure, services, and other platform components. This self-service model greatly reduces complexity and keeps developers focused on building applications. 

As I am using SKE, I can go straight into Backstage and browse the Promises installed, and instantly get started filling out a form to request an AWS S3 Bucket.

After I submit the request in Backstage, Kratix triggers the Workflows defined in the Promise, which will generate the required Terraform code to reconcile the modules with the user’s inputs. 

In this example, I am using a GitHub repo with GitHub Actions configured to reconcile the requests:

Custom Workflows: Approvals and Governance

Some service configurations require additional oversight. For instance, you may wish to add manual approvals for AWS S3 buckets provisioned with specific sensitive settings. Kratix makes it straightforward to insert additional logic into your workflows.

In this example, let’s add a manual approval step for when users want to create publicly accessible S3 buckets. This code detects when the bucket Promise configuration property public is set to true, and creates a Jira issue for manual approval. Kratix will wait for this ticket to be closed before proceeding with provisioning the S3 bucket:

This approval step will run every time a user makes a request. Let’s make a new request with `public` set to `true`, and you can see that the workflow will wait for  approval before outputting the Terraform to GitHub:

Fleet Management: Updates Without Disruption

Imagine your business decides that descriptive cost-tracking FinOps tags must be used by default on all buckets. Without Kratix, rolling out such a policy would require significant manual effort and coordination with every team that manages its own buckets. With Kratix, updating your Promise to enforce tags is simple and automatic:

• Update the Promise definition to configure the tags by default.

• Kratix automatically applies this change across all existing and future bucket instances.

  
  

Developers see no disruption or extra workload; the platform seamlessly manages the update.

Since I want the tags to be unique to each request, let’s add a container to the workflow that mutates the Terraform file to have the required tags:

After we apply this updated Promise, Kratix will roll out the change to the fleet by reconciling the workflows again with the new definition:

This results in each individual request getting updated with the required tags:

Conclusion: Empower Your Platform with Terraform and Kratix

Terraform modules alone aren't sufficient for sustainable infrastructure management. By leveraging Kratix Promises, you achieve a consistent, secure, and efficient self-service infrastructure. Additionally, when combined with Syntasso Kratix Enterprise, you gain powerful integrations with developer portals, simplifying the delivery and ongoing management of your platform as a seamless, intuitive service.

Developers gain streamlined tools without complexity, and your organisation benefits from scalable, maintainable infrastructure management.

Ready to transform Terraform modules into robust platform capabilities? Try Kratix today with our guided quickstart. Using Terraform Enterprise (TFE) or HashiCorp Cloud Platform (HCP), we’ve got you covered with complete Terraform integrations and support with Syntasso Kratix Enterprise.