Isn’t this just Terraform’s kubernetes/helm providers?

No — and it isn’t trying to be. Terraform owns the layer below: VPCs, node groups, IAM, the cluster itself. khook starts where that ends, and is built to be driven by Terraform (run it on every terraform apply), not to replace it. What khook replaces is the anti-pattern of pushing the bootstrap through Terraform’s in-cluster providers — which fights the tool on day zero.

Where the providers fight you

Where Terraform is still the right tool

The flip side, honestly: when in-cluster objects must be wired into the cloud graph — an IRSA role annotated onto a ServiceAccount, DNS records, a stable, review-gated set of namespaces and quotas — Terraform’s providers, with plan/review and managed deletion, are the better tool. Keep those there. khook is for the sequenced, wait-heavy, run-once-converge-always window between “cluster exists” and “GitOps has the wheel.”

“But you’ll have state too”

khook’s run record does store state in an in-cluster Secret — same place as Terraform’s kubernetes backend, same trick as Helm’s release records. The difference is what’s in it: a journal (per-step input hash and outcome) so a failed bootstrap resumes at step 7 instead of redoing 12, and an edited spec re-runs only the steps whose inputs changed. It is not an ownership ledger of your cluster’s objects. Delete it and nothing breaks — the next run just re-converges.

The division of labor

Layer Owner
VPC, node groups, IAM, the cluster itself Terraform / eksctl / CAPI
Day-zero bootstrap: CNI, CRDs, secrets tooling, GitOps controller, readiness gates khook
In-cluster objects wired into the cloud graph (IRSA, DNS, review-gated quotas) Terraform providers
Long-term reconciliation, drift correction, app delivery ArgoCD / Flux