Terraform Components allow you to deploy Terraform from a public or connected repo, to provision infrastructure resources in customer installs.
In order for Terraform modules to properly work with Nuon, they must specify an s3 {} backend for state. Read more below for more details.

Configuring a Terraform component

To configure a Terraform component, specify a repo, the required configuration values, and the version of Terraform to run it with.
nuon.<your-app>.toml
[[components]]
name              = "infra"
type              = "terraform_module"
terraform_version = "1.11.3"
[components.connected_repo]
directory = "components/infra"
repo      = "<your-org>/<your-repo>"
branch    = "main"
You can configure Terraform Components to use either a public repo (using a public_repo block) or a private GitHub repo (using a connected_repo block). Read more about VCS configuration here.

Configuring Terraform Vars

You can configure terraform variables for a component using component variables. These variables can access inputs, other Components, the sandbox, and details on the install itself.
nuon.<your-app>.toml
[[components]]
name              = "lambda_function"
type              = "terraform_module"
terraform_version = "1.11.3"
[components.connected_repo]
directory = "components/lambda-function"
repo      = "<your-org>/<your-repo>"
branch    = "main"
[components.env_vars]
AWS_REGION = "{{.nuon.install.sandbox.outputs.account.region}}"
[components.vars]
database_instance = "{{.nuon.install.inputs.database_instance}}"

Configuring Env Vars

State Management

All Terraform state is managed using an S3 backend, within the Nuon platform. In order for Terraform modules to be compatible with Nuon, and not lose state, they must set the backend to the s3 backend. 
terraform {
  required_version = ">= 1.11.3"

  backend "s3" {}

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

Execution and Permissions

The runner is responsible for executing Terraform, which means that Terraform is executed from within the Kubernetes cluster in K8S sandboxes, and from within ECS Fargate for aws-ecs sandboxes. In both cases, this is inside of the install network. Since Terraform is executed from within the install sandbox, Terraform resources can access both resources within the network (such as internal APIs,) and, in K8S sandboxes, the local Kubernetes cluster. The runner uses a dedicated IAM role defined in the sandbox when executing Terraform.