
Week 18 - IaC From Within K8s: Crossplane and Terraform

18.1 Conceptual Core

  • Crossplane flips IaC inside out: cloud resources are Kubernetes resources (CRDs), reconciled by Crossplane's providers (provider-aws, provider-gcp, provider-azure, provider-helm, provider-kubernetes). You manage cloud infra with kubectl apply.
  • Compositions let you bundle low-level primitives into domain-specific abstractions: define an XPostgresInstance that, when applied, creates a VPC subnet, an RDS instance, IAM bindings, and a ServiceMonitor. Platform teams ship Compositions; app teams consume them.
  • Terraform alternative: run Terraform Cloud / Atlantis externally; treat the cluster as a deploy target only. Simpler in some shops; doesn't unify the control plane.

18.2 Mechanical Detail

  • Provider = a controller image that knows how to talk to one external system. Install via Provider CRD.
  • ProviderConfig = credentials + connection details for the provider.
  • Managed Resource (MR) = the K8s representation of a cloud resource (Bucket, Database, IAMRole).
  • Composition = a YAML transform: "given this XPostgresInstance claim, produce these MRs with these field mappings."
  • Composite Resource Definition (XRD) = the schema for the abstract type; the platform-team-facing equivalent of CRD.

18.3 Lab: "Self-Service Database"

  1. Install Crossplane. Install provider-aws (or provider-gcp).
  2. Configure provider credentials.
  3. Define an XRD XDatabase with parameters: size, engine, version, region.
  4. Define a Composition that materializes an RDS instance + a Secret with credentials.
  5. As an "app team" persona, create a Database claim. Watch it become a real RDS instance. Delete; watch it be torn down.

18.4 Hardening Drill

  • Restrict Composition selectors and compositionRef so app teams cannot select unintended Compositions. Use OPA/Gatekeeper to enforce naming, region, size limits.
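An added example (not part of the course page) of the Gatekeeper guardrail described above, written against the lab's Database claim: a ConstraintTemplate plus a Constraint that reject claims outside an allow-listed set of regions, above a size limit, or pointing compositionRef at a Composition the platform team has not approved. The XRD group platform.example.org, the Composition name, the region list and the reading of size as storage in GiB are assumptions.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: xpdatabaseclaimguard
spec:
  crd:
    spec:
      names:
        kind: XPDatabaseClaimGuard
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedRegions: {type: array, items: {type: string}}
            allowedCompositions: {type: array, items: {type: string}}
            maxSizeGiB: {type: integer}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package xpdatabaseclaimguard
        # Claim fields follow the lab's XRD (assumed: spec.parameters.size is storage in GiB).
        params := input.review.object.spec.parameters
        violation[{"msg": msg}] {
          not in_list(input.parameters.allowedRegions, params.region)
          msg := sprintf("region %v is not in %v", [params.region, input.parameters.allowedRegions])
        }
        violation[{"msg": msg}] {
          params.size > input.parameters.maxSizeGiB
          msg := sprintf("size %v GiB exceeds limit %v GiB", [params.size, input.parameters.maxSizeGiB])
        }
        violation[{"msg": msg}] {
          ref := input.review.object.spec.compositionRef.name
          not in_list(input.parameters.allowedCompositions, ref)
          msg := sprintf("compositionRef %v is not an approved Composition", [ref])
        }
        in_list(list, x) { list[_] == x }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: XPDatabaseClaimGuard
metadata:
  name: database-claim-guardrails
spec:
  match:
    kinds:
      - apiGroups: ["platform.example.org"]   # assumed XRD group
        kinds: ["Database"]
  parameters:
    allowedRegions: ["eu-west-1", "eu-central-1"]
    maxSizeGiB: 100
    allowedCompositions: ["xdatabases.aws.platform.example.org"]
```

Gatekeeper only evaluates the claim at admission, so pin the Composition on the Crossplane side as well by setting enforcedCompositionRef on the XRD; otherwise a compositionSelector label match is a second path around the compositionRef check.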

18.5 Operations Slice

  • Compositions are platform contracts. Version them. Provide migration paths. Treat as you would a public API: SLAs, deprecation windows, changelogs.
