Infrastructure Management
This use case demonstrates how to manage infrastructure as code using OpenTofu (or Terraform) within Argo Workflows, orchestrated through Pipekit.
Overview
Pipekit can orchestrate infrastructure-as-code workflows that validate, plan, and apply infrastructure changes. This approach provides automated testing, drift detection, and controlled deployment of infrastructure changes through your CI/CD pipeline.
Key Workflows
Infrastructure management workflows typically include:
Security scanning with tools like Checkov to identify misconfigurations
Linting with tflint to enforce best practices
Plan generation showing proposed infrastructure changes
Drift detection identifying when live infrastructure diverges from code
Automated PR comments providing visibility into proposed changes
Example: Pull Request Validation
When a pull request modifies infrastructure code, automated workflows can validate the changes before merge.
The workflow performs several validation steps:
Clone the infrastructure repository
Run security scans to detect misconfigurations
Run linting to ensure code quality
Generate Terraform/OpenTofu plans showing what will change
Post plan summaries as PR comments for review
Workflow Structure
The PR validation workflow consists of multiple tasks organized as a DAG (directed acyclic graph):
Security Scanning
The workflow uses Checkov to scan infrastructure code for security and compliance issues:
Terraform Planning
The workflow generates a plan showing what infrastructure changes would occur:
The plan output is captured and posted as a comment on the pull request, providing reviewers with clear visibility into the proposed changes.
Example: Nightly Drift Detection
Infrastructure drift occurs when the actual state of your infrastructure diverges from what is defined in your code. A scheduled CronWorkflow can detect this drift by running tofu plan regularly and alerting when changes are detected.
CronWorkflow Structure
The nightly drift detection workflow runs on a schedule and checks for infrastructure changes:
Drift Detection Logic
The workflow runs tofu plan with the -detailed-exitcode flag, which returns exit code 2 when changes are detected:
When drift is detected, the workflow sends a notification to alert the team.
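The script below is an added example of the drift-detection step body, not the page's own workflow YAML. It runs tofu plan with -detailed-exitcode (exit 0 means no changes, 1 an error, 2 changes detected), records the result as files that can be exposed as Argo output parameters, and fails the step on a plan error so a broken run is never mistaken for "no drift". The OUT_DIR path, the RUN_DRIFT_CHECK guard and the status/plan.txt file names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the Pipekit docs): body of an Argo script template
# for nightly drift detection with `tofu plan -detailed-exitcode`.

OUT_DIR="${OUT_DIR:-/tmp/drift}"   # assumed location of output-parameter files

# Map the -detailed-exitcode value to a label a downstream task can branch on.
# 0 = no changes, 2 = changes (drift), anything else = plan error.
classify_plan_exit() {
  case "$1" in
    0) echo "no-drift" ;;
    2) echo "drift" ;;
    *) echo "error" ;;
  esac
}

# Run the plan command given as arguments, capture its exit code without
# aborting the script, and write the plan text plus a status file that the
# workflow can reference as output parameters (e.g. for a `when:` condition
# on the notification task). Prints the status and returns non-zero on error.
run_drift_check() {
  mkdir -p "$OUT_DIR"
  "$@" >"$OUT_DIR/plan.txt" 2>&1 && code=0 || code=$?
  status=$(classify_plan_exit "$code")
  printf '%s' "$status" >"$OUT_DIR/status"
  echo "plan exit code $code -> $status" >&2
  echo "$status"
  # A plan error (exit 1) must fail the step, not pass as a clean run.
  [ "$status" != "error" ]
}

# Inside the workflow pod, set RUN_DRIFT_CHECK=1 to run the real plan.
if [ -n "${RUN_DRIFT_CHECK:-}" ]; then
  run_drift_check tofu plan -input=false -no-color -detailed-exitcode
fi
```

The notification task then runs only when the status output parameter equals "drift"; the captured plan.txt can be attached to the alert so the team sees what diverged.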
Managing Workflows with Pipekit
Pipekit provides a control plane for managing these infrastructure workflows. Pipekit offers a hosted SaaS control plane as the default option — the easiest and fastest way to get started. For organizations with specific compliance or infrastructure requirements, you can self-host Pipekit in your own environment.
Viewing Workflow Runs
View all workflow runs in the Pipekit UI through Pipes. Each Pipe Run provides:
Run Graph (DAG) showing task dependencies
Pod Logs for debugging
Workflow YAML for inspection
Using the CLI
The Pipekit CLI allows you to interact with infrastructure workflows from your terminal. Use it to list runs, view logs, and manage workflow execution.
Best Practices
Use Mutual Exclusion
Infrastructure operations should not run concurrently on the same resources. Use Argo's synchronization.mutexes to ensure only one workflow modifies infrastructure at a time:
Secure Credentials Management
Store sensitive credentials in Kubernetes Secrets and inject them into workflow pods as environment variables:
For enhanced security, consider using external secrets management solutions like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault with appropriate Kubernetes integrations.
Separate Plan from Apply
Never automatically run terraform apply or tofu apply in automated workflows. Always generate plans for review, then apply changes manually or with explicit human approval.
Consider creating a Workflow Template for the apply step. This allows authorized users to manually submit the template to apply infrastructure changes without needing to configure their local environment with the correct credentials and tooling. The template can include all necessary credentials, container images, and configuration, ensuring consistent and secure infrastructure deployments.
For example, create a template that takes the plan output as input and applies it:
Users can then submit this template from Pipekit when they're ready to apply reviewed changes.
Monitor for Drift
Run drift detection workflows on a regular schedule (e.g., nightly) to catch unexpected infrastructure changes early. Alert your team when drift is detected so they can investigate and remediate.
Use Node Selectors
For resource-intensive operations like security scanning, specify node selectors to ensure workflows run on appropriate hardware: