Nirmata Terraform Controller

A policy enforcement layer for Terraform that uses Kyverno to ensure every change meets organizational standards.

Overview

The Nirmata Terraform Controller (NTC) enables policy enforcement for Terraform Cloud (TFC) workloads by validating Terraform plans against Kyverno policies. NTC runs inside a Kubernetes cluster, synchronizes Kyverno policies from Git, and exposes endpoints that can be invoked by Terraform Cloud Agents during plan execution.

This document provides installation-focused guidance for setting up NTC in a Kubernetes environment. It excludes integration and implementation workflows, which are covered in a separate document.

Prerequisites

  • Kubernetes: v1.23 or later
  • Helm: v3.8 or later
  • Network connectivity: Terraform Cloud Agent must be able to send requests to the NTC /scan or /runtask endpoint.
  • Kyverno policies: Stored in Git and accessible to NTC for policy synchronization.

Installation

Add the Nirmata Helm repository

helm repo add nirmata https://nirmata.github.io/terraform-cloud-run-task
helm repo update

Install with a generated API key for standalone mode (TFC agent hooks)

helm install ntc nirmata/nirmata-terraform-controller --set secrets.apiKey="$(openssl rand -base64 32)" --namespace ntc --create-namespace

Or install with an existing secret already present in the cluster

helm install ntc nirmata/nirmata-terraform-controller --set secrets.existingSecret="my-ntc-secret" --namespace ntc --create-namespace

Note that values passed with --set are stored in the Helm release record inside the cluster, and a key typed literally on the command line also ends up in your shell history. Pointing the chart at an existing Secret keeps the API key out of both places.

From OCI Registry

helm install ntc oci://ghcr.io/nirmata/charts/nirmata-terraform-controller --set secrets.apiKey="your-api-key" --namespace ntc --create-namespace

Endpoints

NTC exposes the following API endpoints:

Endpoint      Method  Description
/healthcheck  GET     Health check endpoint
/scan         POST    Direct plan scanning (API key auth)
/runtask      POST    TFC run task webhook endpoint (HMAC auth)
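The HMAC auth on /runtask refers to the signature scheme Terraform Cloud uses for run task requests: TFC sends a hex-encoded HMAC-SHA512 of the raw request body in the X-TFC-Task-Signature header, keyed with the HMAC key configured on the run task, and the receiver recomputes it before trusting the payload. The script below is an added example, not NTC's own code, showing that computation and check with openssl; how NTC itself implements the check is not described on this page, and the key and request body are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of NTC): sign and verify a Terraform Cloud run task
# request body the way the X-TFC-Task-Signature header is produced. TFC sends
# hex(HMAC-SHA512(key, raw_body)); the receiver must recompute it over the
# exact bytes it received and reject mismatches before parsing the JSON.

# Print the hex HMAC-SHA512 of $1 (raw body) under key $2.
# The sed strips openssl's "(stdin)= " / "SHA2-512(stdin)= " prefix.
tfc_sign() {
  printf '%s' "$1" | openssl dgst -sha512 -hmac "$2" | sed 's/^.*= //'
}

# Return 0 when header value $3 matches the HMAC of body $1 under key $2.
# Shell string comparison is not constant-time; a real server should use a
# constant-time compare (hmac.compare_digest, crypto/hmac.Equal, etc.).
tfc_verify() {
  expected=$(tfc_sign "$1" "$2")
  if [ "$expected" = "$3" ]; then
    return 0
  fi
  return 1
}

# Constructed sample: a minimal run task callback body and a throwaway key.
SAMPLE_KEY='constructed-hmac-key-do-not-reuse'
SAMPLE_BODY='{"payload_version":1,"stage":"post_plan","run_id":"run-example","access_token":"redacted"}'

# Demo: what TFC would send, then the receiver's accept/reject decision.
sig=$(tfc_sign "$SAMPLE_BODY" "$SAMPLE_KEY")
echo "X-TFC-Task-Signature: $sig"
tfc_verify "$SAMPLE_BODY" "$SAMPLE_KEY" "$sig" && echo "genuine body: accepted"
tfc_verify "${SAMPLE_BODY}x" "$SAMPLE_KEY" "$sig" || echo "tampered body: rejected"
tfc_verify "$SAMPLE_BODY" "wrong-key" "$sig" || echo "wrong key: rejected"
```

The verification must run over the raw bytes of the request body, not a re-serialized JSON object, since any whitespace or key-order change alters the digest. The same property is what protects the endpoint: without the HMAC key, a caller that can reach /runtask cannot produce a valid signature for a forged run task payload.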

Verifying the Installation

# Check pods are running
kubectl get pods -n ntc -l app.kubernetes.io/name=nirmata-terraform-controller

# View logs
kubectl logs -f deployment/ntc-nirmata-terraform-controller -n ntc

# Test health endpoint (replace <NTC-Endpoint> with the address at which you exposed the service)
curl http://<NTC-Endpoint>/healthcheck

Uninstalling

helm uninstall ntc --namespace ntc
kubectl delete namespace ntc