After AWS,Oracle Cloud, and Azure, GCP is the 4th cloud platform in our terraform tutorial series, we will describe what it takes to authenticate and provision a compute engine using their terraform provider. The instance will also have an nginx website linked to its public IP. If you want to know about the differences GCP brings in terms of networking it’s wrapped up on my blog
Note: GCP terraform provider authentication was a hell to get hold on and counter intuitive comparing to other Cloud platforms. I wasted a lot of time just trying to figure if I could avoid hardcoding project id.
Overview and Concepts
The following illustration shows the layers involved between your workstation and GCP cloud while running the terraform actions along with the instance attributes we will be provisioning.
- Files are merged in alphabetical order but resource definition order doesn't matter (subfolders are not read).
- Common configurations have 3 type of tf files and a statefile.
- 1- main.tf: terraform declaration code (configuration) . The file name can be anything you choose
2- variables.tf: Resource variables needed for the deploy
3- outputs.tf: displays the resources detail at the end of the deploy
4- terraform.tfstate: keeps track of the state of the stack(resources) after each terraform apply run
Example for a VPC >>
1- Create a shell resource declaration for the vpc in a file called vpc.tf
2- Get the id of the vpc resource from your GCP portal
3- Run the Terraform import then run Terraform show to extract the vpc full declaration from GCP to the same file (vpc.tf)
4- Now you can remove the id attribute with all non required attributes to create a vpc resource (Do that for each resource)
If you want to import all the existing resources in your account in bulk mode terraformer can help import both code and state from your GCP account automatically.
Terraform lab content: I purposely split this lab in 2 for more clarity
- VPC Deployment: To grasp the basics of a single resource deployment.
- Instance Deployment: Includes the instance provisioning configured as web sever(includes above vpc) .
I tried the lab using WSL (Ubuntu) terminal from windows but same applies to Mac.
Linux: Download, unzip and move the binary to the local bin directory
Once installed run the version command to validate your installation
To authenticate to GCP with Terraform you will need GCloud, service account credentials key file, and the projectId
- Using dedicated service accounts to authenticate with GCP is recommended practice (not user accounts or API keys)
- GCLOUD authentication configured with your GCP credentials. Refer to my Blog post for more details
Service account: Either you create a service account with “owner role” in the console or run the below cli commands
gcloud config list --format='table(account,project)'
- I’ll also assume the presence of an ssh key pair to attach to your vm instance. If not here is a command to generate a PEM based key pair.
II. Clone the repository
- Pick an area that is close to your gcp-terraform directory on your file system and issue the following command.
terraform-provider-gcp/create-vpc/To grasp how we deploy a single Vpc.
terraform-provider-gcp/launch-instance/For the final instance deploy.
III. Provider setup
INSTALL AND SETUP THE GCP PROVIDER
- Cd Into “
terraform-provider-gcp/create-vpc”where our configuration resides (i.e vpc)
”create-vpc”directory. Here, only
*.tffiles matter (click to see content)
IV. Partial Deployment
DEPLOY A SIMPLE VPC
- Once the authentication is setup and provider installed , we can run
terraform plancommand to create an execution plan (quick dry run to check the desired end-state).
- The output being too verbose I deliberately kept only relevant attributes for the VPC resource plan
- Next, we can run
”terraform deploy”to provision the resources to create our VPC (listed in the plan)
Note: We’ll now destroy the VPC as the next instance deploy contains the same VPC specs.
V. Full deployment (Instance)
- After our small intro to VPC creation, let's launch a vm and configure nginx in it in one command.
- First we need to switch to the second directory
Here's the content:
Note: As you can see we have 2 additional files and one Subfolder. compute.tf is where the compute instance and all its attributes are declared. All the other “.tf” files come from my vpc example with some additions for variables.tf and output.tf
LAUNCH THE INSTANCE
- Once in “
launch-instance”directory, you can run the plan command to validate the 9 resources required to launch our vm instance. The output has been truncated to reduce verbosity
- Now let’s launch our CENTOS7 vm using terraform apply (I left a map of different OS ids in the variables.tf you can choose from)
- Once the instance is provisioned, juts copy the public IP address(i.e 126.96.36.199) in chrome and Voila!
- You can also tear down this configuration by simply running terraform destroy from the same directory
- You can fetch any of the specified attributes in outputs.tf using terraform output command i.e:
Although terraform is a declarative language, there are still myriads of functions you can use to process strings/number/lists/mappings etc. There is an excellent all in one script with examples of most terraform functions >> here
- We have demonstrated in this tutorial how to quickly deploy a web server instance using terraform in GCP and leverage Cloud-init (Startupscript) to configure the vm during the bootstrap .
- We had to hardcode the projectId although it’s embedded in the config credentials (key file) which is makes it tedious and rigid
- Remember that all used attributes in this exercise can be modified in the
- Route table and internet gateway didn’t need to be created
- Improvement: Validate that startup script works for windows too.
Another improvement can be reached in terms of display of the security rules using formatlist .
Thank you for reading!