Outgrowing Terraform — and Migrating to Crossplane
June 16, 2021
Read time: 3 mins
Terraform is a widely deployed and popular technology that is used to enable an Infrastructure-as-Code (IaC) approach. While Terraform can be extremely useful, it does have some limitations that Crossplane can help organizations to overcome.
In the session Outgrowing Terraform at the Crossplane Community Day Europe event, Dalorion Johnson, software engineer at Guidewire, and Nic Cope, principal software architect at Upbound, detailed the challenges of scaling operations with Terraform and the opportunities presented by the Crossplane control plane approach. Guidewire Software develops a Platform-as-a-Service (PaaS) for the Property and Casualty Insurance industry.
Johnson explained that prior to entering the PaaS market, Guidewire was largely engaged with providing an on-premises solution development process. She noted that the process used to develop complex software installations at Guidewire's customers' offices was not cost effective and did not scale very well. As such, Guidewire decided to make a shift to the cloud, using Terraform as a core component to help build its platform.
A core element of Terraform is the HashiCorp Configuration Language (HCL), a declarative language used for defining desired infrastructure state.
"We are now managing 73,000 lines of HCL so we're starting to feel the limitations of Terraform," Johnson said. "We've really been using the heck out of it."
Limitations of Terraform – Drift
One of the key challenges that Guidewire has faced with Terraform as it has scaled out usage is the issue of drift. That is, over time the actual state of a deployment varies or 'drifts' from the desired state as defined by HCL.
Johnson explained that Terraform defines Guidewire's resources with a set of files. Those files are not constantly updated with what is actually running in production. In practice, that means drift can occur over time without being noticed, let alone reconciled, until a new Terraform change is introduced and pushed out to the infrastructure.
Cope noted that like Terraform, Crossplane uses declarative configuration to define the desired state of infrastructure.
"The big difference that Crossplane has is that it is an always-on control plane," Cope said. "Whereas the open source version of Terraform, at least, is a command line tool that is invoked on demand."
Cope added that part of the problem is that Terraform doesn't go and check the real world unless you ask it whether something has changed, and that can lead to surprises.
Limitations of Terraform – Access Control
Another key limitation that Guidewire has faced with Terraform is how access control is handled. Johnson detailed a complex layering of identity and access management (IAM) rules that her team needs to have to control infrastructure and tenant deployments.
"We rely heavily on AWS to configure resources within our cluster," Johnson said. "Terraform has no concept of access control."
That limitation means that Johnson's team needs to be much more hands-on to enable deployments than it would be under the self-service model she would much rather have. As such, instead of working on new features to expand the platform, Johnson and her team have to maintain a lot of special configurations just to enable access control.
Crossplane's approach to access control is very different, according to Cope.
"The nice thing is that in Crossplane, access control is framed around your business's concepts, not necessarily cloud concepts," Cope said.
Cope explained that with Crossplane, an administrator grants the control plane access to act on the administrator's behalf on any cloud or API that is called. The administrator then uses the integrated Role Based Access Control (RBAC) to restrict what people can ask Crossplane to do on their behalf.
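As an added illustration of the access model Cope describes (not configuration from the talk or from the Crossplane project): a Kubernetes RBAC Role and RoleBinding that let a team request a database through a Crossplane claim while never touching the cloud credentials the control plane holds. The claim kind, API group, namespace, group name and Secret names are assumptions.

```yaml
# Added example, not from the Crossplane project or the talk. Assumes the
# platform team has already defined a composite resource claim kind
# "PostgreSQLInstance" in API group "database.example.org", and that the
# cloud credentials live in a ProviderConfig that references a Secret in
# the crossplane-system namespace (all names are hypothetical).
#
# Developers in group "team-a-devs" may request databases by creating
# claims in their own namespace. They get no access to the ProviderConfig
# or to the Secret holding the cloud credentials, so the control plane,
# not the developer, is what actually holds cloud access.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: database-claim-requester
  namespace: team-a
rules:
  - apiGroups: ["database.example.org"]
    resources: ["postgresqlinstances"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Developers may read only the connection-details Secret that the claim
  # writes into their namespace, named "postgresql-conn" here (hypothetical).
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["postgresql-conn"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-database-requesters
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: database-claim-requester
  apiGroup: rbac.authorization.k8s.io
```

The boundary can be checked from the cluster with `kubectl auth can-i create postgresqlinstances.database.example.org -n team-a --as=dev --as-group=team-a-devs` (expected: yes) and `kubectl auth can-i get providerconfigs.aws.crossplane.io --as=dev --as-group=team-a-devs` (expected: no).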
Limitations of Terraform – Cognitive Overhead
Initially, Terraform was useful to Guidewire, helping it scale quickly as it moved to a PaaS model.
Johnson noted that as the platform has grown, its usage of Terraform has become more complex and sophisticated. For Johnson, Terraform has now become just another thing that her organization has to maintain, a challenge she referred to as cognitive overhead.
Cope emphasized that with Crossplane the cognitive overhead can be reduced significantly. Since Crossplane builds on Kubernetes, it uses many of the same tools and processes, making users more efficient without the need to learn and maintain entirely new tools.
Guidewire is now taking its first steps in migrating to Crossplane, helping to optimize its PaaS and make it easier to develop and maintain.
"We are experiencing the freshness of this bleeding edge technology and the Crossplane community has been very responsive and very helpful," Johnson said.