This is a tutorial for using terraform with google cloud.
1. Overview
Terraform was created on May 21st, 2014 by Mitchell Hashimoto. Hashimoto was Hashicorp’s founder. Terraform is used for building code and handling infrastructure security. Terraform is a popular DevOps tool in the software world.
2. Terraform with Google Cloud
2.1 Prerequisites
Terraform is necessary on the operating system in which you want to execute the code.
2.2 Download
You can download Terraform from this website.
2.3 Setup
2.3.1 Terraform Setup
You can set up the Terraform by using the command below on macOS:
Terraform Setup
brew tap hashicorp/tap brew install hashicorp/tap/terraform
You can run this command to check if it is working:
Terraform Execution
terraform -v
The output of the above command executed is shown below:
Terraform Execution Output
apples-MacBook-Air:~ bhagvan.kommadi$ terraform -v Terraform v1.1.5 on darwin_amd64 apples-MacBook-Air:~ bhagvan.kommadi$
The terraform execution command has other options which are shown below:
Terraform Execution Options
$ terraform Usage: terraform [-version] [-help] [args] ... help content omitted
2.4 Start a New Terraform Project
You can create a Terraform Project using resource definitions. Resource definitions are the files with the suffix .tf. You can use Terraform’s language for configuring the resources like EC2 instance, an Azure MariaDB, or a DNS entry. You can create a sample Terraform project with the commands shown below:
Terraform Project Creation Commands
$ cd $HOME
$ mkdir sample-terraform
$ cd sample-terraform
$ cat > main.tf <<EOF
provider "local" {
version = "~> 1.4"
}
resource "local_file" "sample" {
content = "sample, Terraform"
filename = "sample.txt"
}
EOF
The above main.tf file has resource and provider definitions. Local provider version 1.4 or other compatible version is used. sample of type local_file has the resource definition. You can run the terraform project by using the command below:
Terraform Project Execution
terraform init
The output of the above command when executed is shown below:
Terraform Project Execution Output
apples-MacBook-Air:sample-terraform bhagvan.kommadi$ terraform init Initializing the backend... Initializing provider plugins... - Finding hashicorp/local versions matching "~> 1.4"... - Installing hashicorp/local v1.4.0... - Installed hashicorp/local v1.4.0 (signed by HashiCorp) Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future. ╷ │ Warning: Version constraints inside provider configuration blocks are deprecated │ │ on main.tf line 2, in provider "local": │ 2: version = "~> 1.4" │ │ Terraform 0.13 and earlier allowed provider version constraints inside the │ provider configuration block, but that is now deprecated and will be removed │ in a future version of Terraform. To silence this warning, move the provider │ version constraint into the required_providers block. ╵ Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.
Above, terraform reads the project files and downloads the required providers from public registries. The next step is to execute the plan command as shown below:
Terraform Project Execution – Plan
terraform plan
The output of the above command when executed is shown below:
Terraform Project Execution – Plan Output
apples-MacBook-Air:sample-terraform bhagvan.kommadi$ terraform plan
Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# local_file.sample will be created
+ resource "local_file" "sample" {
+ content = "sample, Terraform"
+ directory_permission = "0777"
+ file_permission = "0777"
+ filename = "sample.txt"
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Warning: Version constraints inside provider configuration blocks are deprecated
│
│ on main.tf line 2, in provider "local":
│ 2: version = "~> 1.4"
│
│ Terraform 0.13 and earlier allowed provider version constraints inside the
│ provider configuration block, but that is now deprecated and will be removed
│ in a future version of Terraform. To silence this warning, move the provider
│ version constraint into the required_providers block.
╵
───────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
apples-MacBook-Air:sample-terraform bhagvan.kommadi$
The above terraform plan command helps in verifying the actions for resource creation. Terraform assumes that default values will be used where ever you have not shared them in the resource definition. You can now execute the apply command for resource creation.
Terraform Project Execution – Apply
terraform apply
The output of the above command when executed is shown below:
Terraform Project Execution – Apply Output
apples-MacBook-Air:sample-terraform bhagvan.kommadi$ terraform apply
Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# local_file.sample will be created
+ resource "local_file" "sample" {
+ content = "sample, Terraform"
+ directory_permission = "0777"
+ file_permission = "0777"
+ filename = "sample.txt"
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Warning: Version constraints inside provider configuration blocks are deprecated
│
│ on main.tf line 2, in provider "local":
│ 2: version = "~> 1.4"
│
│ Terraform 0.13 and earlier allowed provider version constraints inside the
│ provider configuration block, but that is now deprecated and will be removed
│ in a future version of Terraform. To silence this warning, move the provider
│ version constraint into the required_providers block.
╵
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
local_file.sample: Creating...
local_file.sample: Creation complete after 0s [id=37d2f5fd67a0734d5d8d1626a47ae46f5b4dee17]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
apples-MacBook-Air:sample-terraform bhagvan.kommadi$
In the above command, the execution plan is generated. You can see the sample.txt. It will have the expected content Sample, Terraform.
Terraform Project Execution – Sample.txt
sample, Terraform
You can run the apply-auto-approve command next.
Terraform Project Execution – Apply Auto Approve
terraform apply -auto-approve
The output of the above command when executed is shown below:
Terraform Project Execution – Apply Auto Approve Output
apples-MacBook-Air:sample-terraform bhagvan.kommadi$ terraform apply -auto-approve local_file.sample: Refreshing state... [id=37d2f5fd67a0734d5d8d1626a47ae46f5b4dee17] No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. ╷ │ Warning: Version constraints inside provider configuration blocks are deprecated │ │ on main.tf line 2, in provider "local": │ 2: version = "~> 1.4" │ │ Terraform 0.13 and earlier allowed provider version constraints inside the │ provider configuration block, but that is now deprecated and will be removed │ in a future version of Terraform. To silence this warning, move the provider │ version constraint into the required_providers block. ╵ Apply complete! Resources: 0 added, 0 changed, 0 destroyed
You can have modules in Terraform which can have resources defined across different projects.
2.5 GCP Setup
You need to create a Google Cloud project using the console. The project ID can be terraform. You can enable the google compute engine from the console by clicking the enable button. Create a service account for the project and enable access to Google cloud project account. Download the key as JSON without granting users access. You need to have the service account key as secret credentials. Please do not check this into source control system. Please ensure that the service account has the following roles assigned first :
- Compute Engine Service Agent
- Kubernetes Engine Service Agent
- Security Admin
- Service Account Admin
- Service Account User
Create a new role mservice_admin from IAM & admin -> Roles. Assign the permission compute.networks.create to the mservice_admin role. Go to IAM and assign this role to the service account. If you encounter errors for permissions, use this role to add permissions from IAM& admin-> Roles.
- compute.networks.create
- compute.networks.delete
- compute.networks.get
2.6 Terraform Configuration
Let us create the terraform configuration by creating a separate directory terraform-gcp. In the directory terraform-gcp, copy the json file downloaded from the google cloud project. Now you can create the main.tf as shown below.
Terraform Project Execution on GCP – main.tf
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "3.5.0"
}
}
}
provider "google" {
credentials = file("terraform-344017-057709fcba5d.json")
project = "terraform"
region = "us-central1"
zone = "us-central1-c"
}
resource "google_compute_network" "vpc" {
name = "terraform-network"
auto_create_subnetworks = false
}
Please ensure that you have google service account json name and google cloud project mentioned as credentials and project name respectively. You can initialize the configuration by using the command terraform init and you can see the output of the command below.
Terraform Project Execution on GCP – initialize command
apples-MacBook-Air:terraform-gcp bhagvan.kommadi$ terraform init Initializing the backend... Initializing provider plugins... - Finding hashicorp/google versions matching "3.5.0"... - Installing hashicorp/google v3.5.0... - Installed hashicorp/google v3.5.0 (signed by HashiCorp) Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future. Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.
You can format the configuration using terraform fmt and validate the configuration using terraform validate. The output of the validate command is shown below
Terraform Project Execution on GCP – terraform validate output
apples-MacBook-Air:terraform-gcp bhagvan.kommadi$ terraform validate Success! The configuration is valid.
You can apply the configuration using the command terraform apply. Errors might come related to permissions here. Please add them to the mservice_admin role. The output will be as below:
Terraform Project Execution on GCP – terraform apply output
apples-MacBook-Air:terraform-gcp bhagvan.kommadi$ terraform apply
Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# google_compute_network.vpc_network will be created
+ resource "google_compute_network" "vpc" {
+ auto_create_subnetworks = false
+ delete_default_routes_on_create = false
+ gateway_ipv4 = (known after apply)
+ id = (known after apply)
+ ipv4_range = (known after apply)
+ name = "terraform-network"
+ project = (known after apply)
+ routing_mode = (known after apply)
+ self_link = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
google_compute_network.vpc: Destroying... [id=projects/terraform-344017/global/networks/terraform-network]
google_compute_network.vpc: Still destroying... [id=projects/terraform-344017/global/networks/terraform-network, 10s elapsed]
google_compute_network.vpc: Still destroying... [id=projects/terraform-344017/global/networks/terraform-network, 20s elapsed]
google_compute_network.vpc: Destruction complete after 28s
google_compute_network.vpc: Creating...
google_compute_network.vpc: Still creating... [10s elapsed]
google_compute_network.vpc: Creation complete after 17s [id=projects/terraform-344017/global/networks/terraform-network]
Apply complete! Resources: 1 added, 0 changed, 1 destroyed.
Please go to the GCP console and search for resource terraform-network. It is created.
3. Download the Source Code
You can download the full source code of this example here: Using Terraform with Google Cloud
