Hi @zerunhu, it's for security, multi-tenancy and scalability purposes. Each runner is designed to have its own Service Account, which is able to link to a certain set of cloud policies - via IRSA on AWS for example. With this you can apply the concept of least privilege at the pod level. Decoupling the runners from the controller also allows us to scale to a high level of concurrency. For example, TF-Controller supports running at least 1,500 concurrent Terraform modules at the same time.
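The per-runner Service Account arrangement described in the reply above, sketched as manifests. This is an added example, not taken from the discussion or from the TF-Controller repository. The namespaces, Service Account names, IAM role names, source names and the account ID are constructed placeholders, and the Kubernetes RBAC the runner accounts need inside the cluster is not shown.

```yaml
# Constructed example: two tenants, each with its own runner identity.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tf-runner-network          # hypothetical name
  namespace: team-network          # hypothetical tenant namespace
  annotations:
    # IRSA: pods running as this Service Account can assume only this role.
    # The role's trust policy must name system:serviceaccount:team-network:tf-runner-network.
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/tf-network-vpc-only
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tf-runner-data             # hypothetical name
  namespace: team-data             # hypothetical tenant namespace
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/tf-data-s3-only
---
apiVersion: infra.contrib.fluxcd.io/v1alpha2
kind: Terraform
metadata:
  name: vpc
  namespace: team-network
spec:
  interval: 10m
  approvePlan: auto
  path: ./vpc
  sourceRef:
    kind: GitRepository
    name: network-modules          # hypothetical source
  # The runner pod for this object runs as tf-runner-network, so a
  # `terraform apply` here gets the VPC-only role and nothing else.
  serviceAccountName: tf-runner-network
---
apiVersion: infra.contrib.fluxcd.io/v1alpha2
kind: Terraform
metadata:
  name: buckets
  namespace: team-data
spec:
  interval: 10m
  approvePlan: auto
  path: ./buckets
  sourceRef:
    kind: GitRepository
    name: data-modules             # hypothetical source
  # Separate runner pod, separate identity: no access to the network role.
  serviceAccountName: tf-runner-data
```

If every apply ran inside the controller process, both modules would share whatever cloud role the controller's own Service Account carried, which would have to be the union of both tenants' permissions.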
Why does a new `terraform apply` require the launch of a new runner pod instead of being executed directly in the controller?