DEV Community: Abraham Naiborhu The latest articles on DEV Community by Abraham Naiborhu (@abrahamparn). https://dev.to/abrahamparn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2683454%2F646ff8d2-3b9f-4e5f-a7b3-425aecb33cdd.jpeg DEV Community: Abraham Naiborhu https://dev.to/abrahamparn en Terraforming a Production-Lite GCP Web Platform: MIG, Cloud NAT, Load Balancer, and Private Backends Abraham Naiborhu Wed, 20 May 2026 06:18:00 +0000 https://dev.to/abrahamparn/terraforming-a-production-lite-gcp-web-platform-mig-cloud-nat-load-balancer-and-private-backends-1bfg https://dev.to/abrahamparn/terraforming-a-production-lite-gcp-web-platform-mig-cloud-nat-load-balancer-and-private-backends-1bfg <p>Hi! After building my first Terraform artifact, The GCP Foundation Lite, I wanted to move one layer higher.</p> <p>I wanted to answer a more complex question:</p> <blockquote> <p>Can I provision infrastructure for an actual web platform?</p> </blockquote> <p>Thus, I created this project titled "Production-Lite GCP Web Platform" using Terraform.</p> <p>This project provisions:</p> <ul> <li>custom VPC network</li> <li>app subnet</li> <li>reserved database subnet</li> <li>map-based firewall rules</li> <li>Cloud NAT</li> <li>custom service account</li> <li>regional Managed Instance Group</li> <li>instance template</li> <li>startup script</li> <li>HTTP health check</li> <li>backend service</li> <li>external HTTP load balancer</li> <li>remote Terraform state</li> <li>reusable Terraform modules</li> </ul> <p>The goal was not to create a full enterprise platform, but to create a small but production-shaped infra pattern that can run an application.</p> <p>But, before i go even further, do check my github repository at <a href="https://github.com/abrahamparn/terraform-gcp-production-lite-web-platform" rel="noopener noreferrer">terraform-gcp-production-lite-web-platform</a></p> <h2> Why I Built This </h2> <p>In my first artifact, I focused on the foundation layer.</p> <p>That project included: </p> <ul> <li>remote Terraform state</li> <li>versioned GCS state bucket</li> <li>custom VPC</li> <li>role-based subnets</li> <li>firewall rules</li> <li>service accounts</li> <li>IAM bindings</li> <li>reusable modules</li> </ul> <p>That was useful because it helped me understand how to create the base layer of a Google Cloud environment.</p> <p>But a foundation alone does not run an application.</p> <p>So for this second artifact, I wanted to build something closer to a real web platform.</p> <p>The objective was to move from this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform creates the foundation. </code></pre> </div> <p>To this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform provisions infrastructure that can serve application traffic. </code></pre> </div> <h2> What This Project Builds </h2> <p>This project creates:</p> <ul> <li>custom VPC network</li> <li>application subnet</li> <li>reserved database subnet</li> <li>firewall rules</li> <li>Cloud Router</li> <li>Cloud NAT</li> <li>custom application service account</li> <li>instance template</li> <li>regional Managed Instance Group</li> <li>HTTP health check</li> <li>backend service</li> <li>external HTTP load balancer</li> <li>global forwarding rule</li> <li>startup script</li> <li>simple web application endpoint</li> <li>remote state in GCS</li> </ul> <p>The application VMs are private.</p> <p>They do not have external IP addresses.</p> <p>Users access the application through the external HTTP load balancer.</p> <p>Outbound internet access from the private VMs is handled through Cloud NAT.</p> <h2> High-Level Architecture </h2> <p>The high-level architecture is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User ↓ External HTTP Load Balancer ↓ Backend Service ↓ Regional Managed Instance Group ↓ Private Application VM ↓ Application Endpoint </code></pre> </div> <p>For outbound access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Private Application VM ↓ Cloud NAT ↓ Internet </code></pre> </div> <p>The important point is this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Inbound traffic enters through the load balancer. Outbound traffic leaves through Cloud NAT. The backend VM does not need a public IP address. </code></pre> </div> <h2> Architecture Diagram </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User / Browser | v External HTTP Load Balancer | v Target HTTP Proxy | v URL Map | v Backend Service | v Regional Managed Instance Group | v Private App VM(s) | v Application running from startup script Private App VM(s) | v Cloud NAT | v Outbound Internet </code></pre> </div> <h2> What Production-Lite Means </h2> <p>For this project, production-lite means the infrastructure follows production-style patterns without trying to become a full enterprise platform.</p> <p>This project includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>private backend instances load balancer entry point health checks Managed Instance Group Cloud NAT service account separation firewall rules remote state Terraform modules </code></pre> </div> <p>But this version does not include:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTPS custom domain Cloud Armor Cloud SQL Secret Manager CI/CD multi-region deployment blue-green deployment Kubernetes </code></pre> </div> <p>Those features are important, but I intentionally deferred them.</p> <p>The goal of v1.0 is to keep the scope focused:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Can I provision a production-shaped HTTP web platform with private backends? </code></pre> </div> <h2> Why Private Backend Instances Matter </h2> <p>One of the most important design choices in this project is that the backend VMs do not have external IP addresses.</p> <p>In the instance template, the network interface does not include an <code>access_config</code> block.</p> <p>Conceptually, the pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="c1"># No access_config block.</span> <span class="c1"># This intentionally creates VMs without external IP addresses.</span> <span class="p">}</span> </code></pre> </div> <p>This means the VM is not directly exposed to the internet.</p> <p>Instead, application traffic must go through the load balancer.</p> <p>That is a better pattern than exposing a VM directly with a public IP address.</p> <p>A direct public VM might be fine for a quick test, but for an application platform, I want a cleaner entry point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet -&gt; Load Balancer -&gt; Backend Service -&gt; Private VM </code></pre> </div> <h2> Why Cloud NAT Is Needed </h2> <p>Because the backend VMs are private, they do not have direct outbound internet access through an external IP.</p> <p>However, the VM still needs outbound access for operational tasks such as:</p> <ul> <li>running <code>apt-get update</code> </li> <li>installing packages</li> <li>downloading dependencies</li> <li>calling external services</li> <li>bootstrapping the application during startup</li> </ul> <p>This is where Cloud NAT is useful.</p> <p>Cloud NAT allows private resources to initiate outbound internet connections without assigning public IP addresses to those resources.</p> <p>In this project, Cloud NAT is created using:</p> <ul> <li>Cloud Router</li> <li>Cloud NAT gateway</li> <li>selected subnet configuration</li> </ul> <p>The important improvement from my earlier lab is that I do not need to NAT every subnet.</p> <p>For this artifact, the app subnet receives NAT.</p> <p>The reserved database subnet does not receive NAT by default.</p> <p>This is the intended posture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app subnet -&gt; Cloud NAT enabled db subnet -&gt; Cloud NAT not enabled by default </code></pre> </div> <p>That separation is small, but architecturally meaningful.</p> <h2> Why I Used a Managed Instance Group </h2> <p>A standalone VM is simpler.</p> <p>But a standalone VM does not really show platform thinking.</p> <p>For this artifact, I used a <strong>regional Managed Instance Group</strong>.</p> <p>The MIG uses:</p> <ul> <li>instance template</li> <li>target size</li> <li>named port</li> <li>autohealing policy</li> <li>health check</li> </ul> <p>The difference is important.</p> <p>A standalone VM says:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>I created a server. </code></pre> </div> <p>A Managed Instance Group says:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>I defined how application instances should be created, managed, replaced, and checked. </code></pre> </div> <p>That is a stronger infrastructure pattern.</p> <h2> Why I Used an External HTTP Load Balancer </h2> <p>The external HTTP load balancer acts as the public entry point.</p> <p>The load balancer connects to the backend service, and the backend service connects to the Managed Instance Group.</p> <p>The request flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User -&gt; Global forwarding rule -&gt; Target HTTP proxy -&gt; URL map -&gt; Backend service -&gt; Managed Instance Group -&gt; Application VM </code></pre> </div> <p>This is more realistic than opening port 80 directly on a public VM.</p> <p>It also allows me to test important infrastructure concepts:</p> <ul> <li>backend services</li> <li>health checks</li> <li>named ports</li> <li>firewall rules for health check probes</li> <li>load-balanced application access</li> </ul> <h2> Why Health Checks Matter </h2> <p>The load balancer needs to know whether the backend instances are healthy.</p> <p>For that, I use an HTTP health check.</p> <p>The application exposes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET / GET /healthz GET /metadata </code></pre> </div> <p>The <code>/healthz</code> endpoint is used by the health check.</p> <p>This is better than using <code>/</code> as the health check path because <code>/</code> is usually a user-facing route, while <code>/healthz</code> is explicitly meant for machine health checking.</p> <p>The expected response is simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ok </code></pre> </div> <p>A simple health endpoint is enough for this version.</p> <p>The goal is not to build a complex application.</p> <p>The goal is to prove that the infrastructure can route traffic to a healthy backend.</p> <h2> Application Endpoints </h2> <p>The sample application exposes three endpoints.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Endpoint</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>/</code></td> <td>Root endpoint</td> </tr> <tr> <td><code>/healthz</code></td> <td>Health check endpoint</td> </tr> <tr> <td><code>/metadata</code></td> <td>Instance information endpoint</td> </tr> </tbody> </table></div> <p>The root endpoint returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hi from Terraform GCP Production-Lite Platform </code></pre> </div> <p>The health endpoint returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ok </code></pre> </div> <p>The metadata endpoint returns information such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"terraform-gcp-production-lite-web-platform"</span><span class="p">,</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hostname"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev-web-mig-xxxx"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The application is intentionally small.</p> <p>Terraform and infrastructure design are the focus.</p> <h2> Repository Structure </h2> <p>The repository structure is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-production-lite-web-platform/ ├── README.md ├── .gitignore ├── versions.tf ├── providers.tf ├── backend.tf.example ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars.example ├── locals.tf ├── docs/ │ ├── architecture.md │ ├── deployment-runbook.md │ ├── operations-runbook.md │ ├── verification.md │ ├── design-decisions.md │ └── version-roadmap.md ├── scripts/ │ └── startup.sh └── modules/ ├── network/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf ├── iam/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf ├── nat/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf ├── compute/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf └── load-balancer/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p>There are five main modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network iam nat compute load-balancer </code></pre> </div> <p>Each module has a specific responsibility.</p> <h2> Module Responsibilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Module</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td><code>network</code></td> <td>VPC, subnets, firewall rules</td> </tr> <tr> <td><code>iam</code></td> <td>Service accounts and IAM role bindings</td> </tr> <tr> <td><code>nat</code></td> <td>Cloud Router and Cloud NAT</td> </tr> <tr> <td><code>compute</code></td> <td>Instance template and Managed Instance Group</td> </tr> <tr> <td><code>load-balancer</code></td> <td>HTTP load balancer resources</td> </tr> </tbody> </table></div> <p>The root module connects them together.</p> <p>The root module should answer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What components make up this platform? How are those components connected? </code></pre> </div> <p>The child modules should answer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>How is each infrastructure area implemented? </code></pre> </div> <p>This separation makes the repository easier to read.</p> <h2> Root Module Composition </h2> <p>The root <code>main.tf</code> composes the platform.</p> <p>At a high level, the order is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network iam nat health check compute load balancer IAP IAM bindings </code></pre> </div> <p>This order makes sense because:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Compute needs network and IAM. NAT needs network. The load balancer needs the instance group. IAP access needs IAM and firewall rules. </code></pre> </div> <p>The root module should not contain all low-level resources.</p> <p>It should orchestrate modules.</p> <h2> Network Module </h2> <p>The network module creates:</p> <ul> <li>VPC</li> <li>subnets</li> <li>firewall rules</li> </ul> <p>The VPC is created as a custom mode VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">final_network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">routing_mode</span> <span class="p">=</span> <span class="s2">"REGIONAL"</span> <span class="p">}</span> </code></pre> </div> <p>I use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">auto_create_subnetworks</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p>because I want explicit control over subnet ranges.</p> <p>This is cleaner than relying on automatically created subnets.</p> <h2> Map-Based Subnets </h2> <p>Instead of hardcoding each subnet as a separate resource, I define subnets as a map.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.1.0/24"</span> <span class="nx">private_google_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.2.0/24"</span> <span class="nx">private_google_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"database-reserved"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The network module then creates subnets using <code>for_each</code>.</p> <p>Conceptually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}-subnet"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">coalesce</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">region</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_range</span> <span class="nx">private_ip_google_access</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">private_google_access</span> <span class="p">}</span> </code></pre> </div> <p>This is more flexible than writing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"db"</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>If I want to add another subnet later, I can add another map entry.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">cache</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.3.0/24"</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"cache"</span> <span class="p">}</span> </code></pre> </div> <p>The module does not need to change.</p> <h2> Map-Based Firewall Rules </h2> <p>The network module also creates firewall rules from a map.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-lb-health-check</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow Google Cloud load balancer health checks and proxy traffic."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.191.0.0/16"</span><span class="p">,</span> <span class="s2">"130.211.0.0/22"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"80"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-iap-ssh</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH to private backend instances through IAP."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.235.240.0/20"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"22"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The module creates firewall rules using <code>for_each</code> and dynamic <code>allow</code> blocks.</p> <p>Conceptually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"ingress_rules"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"INGRESS"</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">target_tags</span> <span class="nx">dynamic</span> <span class="s2">"allow"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">allow</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ports</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>I prefer this pattern because traffic policy becomes data-driven.</p> <p>The module does not need to know every possible firewall rule.</p> <p>It only needs to know how to create firewall rules from structured input.</p> <h2> Firewall Rules Used </h2> <p>For this version, I use three main firewall rules:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Rule</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>allow-lb-health-check</code></td> <td>Allows Google load balancer and health check traffic to backend VMs</td> </tr> <tr> <td><code>allow-iap-ssh</code></td> <td>Allows SSH through IAP TCP forwarding</td> </tr> <tr> <td><code>allow-internal</code></td> <td>Allows internal traffic inside the platform CIDR</td> </tr> </tbody> </table></div> <p>The important security decision is that I do not open SSH to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0.0.0.0/0 </code></pre> </div> <p>Instead, SSH access is designed around IAP.</p> <h2> IAM Module </h2> <p>The IAM module creates service accounts.</p> <p>For this artifact, the main service account is the application VM service account.</p> <p>Example input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">service_accounts</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"dev-prod-lite-app-sa"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Production Lite App Service Account"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Service account used by private application VM instances."</span> <span class="nx">project_roles</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"roles/logging.logWriter"</span><span class="p">,</span> <span class="s2">"roles/monitoring.metricWriter"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The service account is attached to the application instances.</p> <p>This is cleaner than using the default Compute Engine service account.</p> <p>It also makes the identity of the workload explicit.</p> <h2> NAT Module </h2> <p>The NAT module creates:</p> <ul> <li>Cloud Router</li> <li>Cloud NAT</li> </ul> <p>In my earlier lab, Cloud NAT was applied to all subnets.</p> <p>For this artifact, I wanted a more intentional design.</p> <p>So NAT is applied only to selected subnet keys.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">nat_subnet_keys</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"app"</span><span class="p">]</span> </code></pre> </div> <p>That means:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app subnet gets outbound internet through Cloud NAT db subnet does not get NAT by default </code></pre> </div> <p>This is a small design improvement, but it shows better network intent.</p> <p>The app tier needs outbound access for package installation and application operations.</p> <p>The reserved database tier should be more restricted.</p> <h2> Compute Module </h2> <p>The compute module creates:</p> <ul> <li>instance template</li> <li>regional Managed Instance Group</li> <li>named port</li> <li>autohealing policy</li> </ul> <p>The instance template defines:</p> <ul> <li>machine type</li> <li>boot disk</li> <li>network interface</li> <li>startup script</li> <li>service account</li> <li>network tags</li> </ul> <p>The important part is the network interface.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="c1"># No access_config block.</span> <span class="p">}</span> </code></pre> </div> <p>This keeps the VM private.</p> <p>The MIG then uses the instance template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_region_instance_group_manager"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">base_instance_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}"</span> <span class="nx">target_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">target_size</span> <span class="nx">version</span> <span class="p">{</span> <span class="nx">instance_template</span> <span class="p">=</span> <span class="nx">google_compute_instance_template</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="nx">named_port</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">port</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="p">}</span> <span class="nx">auto_healing_policies</span> <span class="p">{</span> <span class="nx">health_check</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">health_check_self_link</span> <span class="nx">initial_delay_sec</span> <span class="p">=</span> <span class="mi">120</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The named port is important because the backend service uses it to send traffic to the correct backend port.</p> <h2> Load Balancer Module </h2> <p>The load balancer module creates:</p> <ul> <li>global IP address</li> <li>backend service</li> <li>URL map</li> <li>target HTTP proxy</li> <li>global forwarding rule</li> </ul> <p>The backend service connects the load balancer to the MIG.</p> <p>Conceptually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_backend_service"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.lb_name}-backend"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">port_name</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">load_balancing_scheme</span> <span class="p">=</span> <span class="s2">"EXTERNAL_MANAGED"</span> <span class="nx">timeout_sec</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">health_checks</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">health_check_self_link</span> <span class="p">]</span> <span class="nx">backend</span> <span class="p">{</span> <span class="nx">group</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">backend_instance_group</span> <span class="nx">balancing_mode</span> <span class="p">=</span> <span class="s2">"UTILIZATION"</span> <span class="nx">capacity_scaler</span> <span class="p">=</span> <span class="mf">1.0</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The load balancer then exposes the service through a global forwarding rule.</p> <p>For v1.0, I use HTTP on port 80.</p> <p>HTTPS will come later in v1.1.</p> <h2> Startup Script </h2> <p>The startup script bootstraps the application when the VM starts.</p> <p>The script installs dependencies, creates the application files, and starts the service.</p> <p>A simplified version of the application behavior is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET / -&gt; returns a simple message GET /healthz -&gt; returns ok GET /metadata -&gt; returns hostname and version information </code></pre> </div> <p>The important operational improvement is that the application should run as a systemd service.</p> <p>That is better than running a background process with <code>&amp;</code>.</p> <p>With systemd, I can check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl status prod-lite-app </code></pre> </div> <p>And view logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>journalctl <span class="nt">-u</span> prod-lite-app <span class="nt">--no-pager</span> <span class="nt">-n</span> 50 </code></pre> </div> <h2> Remote State </h2> <p>Like the first artifact, this project uses a GCS backend for Terraform state.</p> <p>Example backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"YOUR_TERRAFORM_STATE_BUCKET"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-production-lite-web-platform/v1"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The state path becomes something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://YOUR_TERRAFORM_STATE_BUCKET/terraform-gcp-production-lite-web-platform/v1/default.tfstate </code></pre> </div> <p>Using remote state is important because this project is no longer a tiny one-file local experiment.</p> <p>It has multiple modules and multiple cloud resources.</p> <p>Remote state gives the project a more realistic workflow.</p> <h2> Git Safety </h2> <p>I do not commit real <code>.tfvars</code> files.</p> <p>The repository includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars.example </code></pre> </div> <p>But ignores:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>The <code>.gitignore</code> includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.terraform/ *.tfstate *.tfstate.* *.tfvars *.tfplan crash.log .DS_Store </code></pre> </div> <p>This avoids committing local values, real project IDs, or state files.</p> <h2> Running the Project </h2> <p>The execution flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Configure backend 2. Configure terraform.tfvars 3. Run terraform fmt 4. Run terraform init 5. Run terraform validate 6. Run terraform plan 7. Run terraform apply 8. Verify the load balancer and backend health </code></pre> </div> <h3> Configure Backend </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>backend.tf.example backend.tf </code></pre> </div> <p>Then edit the bucket name.</p> <h3> Configure Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>terraform.tfvars.example terraform.tfvars </code></pre> </div> <p>Then edit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project_id</span> <span class="err">=</span> <span class="s2">"your-gcp-project-id"</span> <span class="nx">admin_principal</span> <span class="err">=</span> <span class="s2">"user:your-email@example.com"</span> </code></pre> </div> <h3> Run Terraform </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> terraform init terraform validate terraform plan terraform apply </code></pre> </div> <h2> Expected Output </h2> <p>After deployment, Terraform should output values such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network_name subnets firewall_rules cloud_nat_name cloud_router_name health_check_name mig_name mig_instance_group load_balancer_ip load_balancer_url curl_test_command curl_health_check_command platform_summary </code></pre> </div> <p>The most important output is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>load_balancer_url </code></pre> </div> <p>That URL is used to test the application.</p> <h2> Verification </h2> <p>After deployment, I can test the root endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> http://LOAD_BALANCER_IP </code></pre> </div> <p>Expected response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hi from Terraform GCP Production-Lite Platform </code></pre> </div> <p>Test the health endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> http://LOAD_BALANCER_IP/healthz </code></pre> </div> <p>Expected response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ok </code></pre> </div> <p>Test the metadata endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> http://LOAD_BALANCER_IP/metadata </code></pre> </div> <p>Expected response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"terraform-gcp-production-lite-web-platform"</span><span class="p">,</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hostname"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev-web-mig-xxxx"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Verifying the Infrastructure </h2> <p>Verify the VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks list </code></pre> </div> <p>Verify the subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks subnets list </code></pre> </div> <p>Verify firewall rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute firewall-rules list </code></pre> </div> <p>Verify Cloud NAT:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute routers nats list <span class="se">\</span> <span class="nt">--router</span><span class="o">=</span>dev-nat-router <span class="se">\</span> <span class="nt">--region</span><span class="o">=</span>asia-southeast2 </code></pre> </div> <p>Verify the Managed Instance Group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instance-groups managed list </code></pre> </div> <p>Verify backend health:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute backend-services get-health BACKEND_SERVICE_NAME <span class="nt">--global</span> </code></pre> </div> <p>Verify the application VM does not have an external IP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances list </code></pre> </div> <p>This is one of the most important checks.</p> <p>The application should be reachable through the load balancer, not directly through a public VM IP.</p> <h2> Accessing the Private VM Through IAP </h2> <p>Since the VM has no external IP, direct SSH is not available.</p> <p>Instead, I use IAP TCP forwarding.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute ssh INSTANCE_NAME <span class="se">\</span> <span class="nt">--zone</span><span class="o">=</span>asia-southeast2-a <span class="se">\</span> <span class="nt">--tunnel-through-iap</span> </code></pre> </div> <p>This requires:</p> <ul> <li>IAM permission for IAP tunnel access</li> <li>OS Login role</li> <li>firewall rule allowing IAP source range</li> <li>correct target tag on the VM</li> </ul> <p>The firewall source range for IAP TCP forwarding is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>This is better than opening SSH to the public internet.</p> <h2> Troubleshooting Notes </h2> <h3> Load Balancer Returns 502 </h3> <p>Possible causes:</p> <ul> <li>application failed to start</li> <li>health check path is wrong</li> <li>firewall rule does not allow health check probes</li> <li>target tag mismatch</li> <li>named port mismatch</li> <li>backend service points to the wrong instance group</li> </ul> <p>Useful commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute backend-services get-health BACKEND_SERVICE_NAME <span class="nt">--global</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl status prod-lite-app </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>journalctl <span class="nt">-u</span> prod-lite-app <span class="nt">--no-pager</span> <span class="nt">-n</span> 100 </code></pre> </div> <h3> VM Cannot Install Packages </h3> <p>Possible cause:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cloud NAT is not configured correctly. </code></pre> </div> <p>Useful check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://example.com </code></pre> </div> <p>Run that from inside the VM.</p> <h3> IAP SSH Fails </h3> <p>Possible causes:</p> <ul> <li>missing IAP role</li> <li>missing OS Login role</li> <li>missing service account user role</li> <li>missing IAP firewall rule</li> <li>wrong VM network tag</li> </ul> <p>Check firewall rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute firewall-rules list <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name~iap"</span> </code></pre> </div> <h2> Important Design Decisions </h2> <h3> 1. Use private backend VMs </h3> <p>The backend application instances do not have external IP addresses.</p> <p>This reduces direct exposure and forces traffic through the load balancer.</p> <h3> 2. Use Cloud NAT </h3> <p>The private VMs still need outbound access.</p> <p>Cloud NAT allows that without assigning public IPs to the VMs.</p> <h3> 3. Use map-based subnet definitions </h3> <p>Subnets are defined through a map so the network module stays reusable.</p> <p>Adding another subnet should not require another resource block.</p> <h3> 4. Use map-based firewall rules </h3> <p>Firewall rules are also defined through a map.</p> <p>This keeps ingress policy data-driven and easier to extend.</p> <h3> 5. Use a Managed Instance Group </h3> <p>The application tier is managed as a group based on an instance template.</p> <p>This is more production-shaped than a standalone VM.</p> <h3> 6. Use HTTP only in v1.0 </h3> <p>HTTPS is intentionally deferred to v1.1.</p> <p>The v1.0 goal is to prove:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>private backends Cloud NAT MIG health checks HTTP load balancing firewall rules remote state </code></pre> </div> <h3> 7. Reserve a DB subnet without provisioning a database </h3> <p>The DB subnet demonstrates tiered network design.</p> <p>A database is not provisioned in v1.0 because this artifact focuses on the web platform infrastructure.</p> <h2> What I Learned </h2> <p>This artifact helped me understand that application infrastructure is not only about creating a VM.</p> <p>A proper platform needs several parts to work together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>networking identity firewall rules NAT compute lifecycle health checks load balancing state management documentation </code></pre> </div> <p>The most interesting part for me was seeing how small configuration details affect the whole platform.</p> <p>For example:</p> <ul> <li>if the firewall source range is wrong, the load balancer cannot reach the backend</li> <li>if the health check path is wrong, the backend becomes unhealthy</li> <li>if Cloud NAT is missing, private VMs may fail during startup</li> <li>if the MIG named port does not match the backend service, traffic may not route correctly</li> <li>if SSH is opened to <code>0.0.0.0/0</code>, the design becomes weaker</li> </ul> <p>This project made me appreciate that infrastructure is a system.</p> <p>Each component has to be designed with the others in mind.</p> <h2> What I Intentionally Did Not Add </h2> <p>I intentionally did not add HTTPS in this version.</p> <p>I also did not add:</p> <ul> <li>Cloud Armor</li> <li>Cloud SQL</li> <li>Secret Manager</li> <li>CI/CD</li> <li>custom domain</li> <li>blue-green deployment</li> <li>autoscaling policy</li> <li>multi-region deployment</li> </ul> <p>Those are useful, but I want this artifact to stay focused.</p> <p>The purpose of v1.0 is to build the core web platform first.</p> <h2> Next Step </h2> <p>The next version will be:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>v1.1 — HTTPS and Custom Domain </code></pre> </div> <p>That version should add:</p> <ul> <li>Google-managed SSL certificate</li> <li>custom domain</li> <li>HTTPS target proxy</li> <li>global forwarding rule on port 443</li> <li>optional HTTP-to-HTTPS redirect</li> </ul> <p>After that, I want to continue with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>v1.2 — Security Hardening v2.0 — Terraform CI/CD with GitHub Actions and Workload Identity Federation v2.1 — Drift, Import, and State Recovery v3.0 — Database and Secrets </code></pre> </div> <h2> References </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform GCS backend: https://developer.hashicorp.com/terraform/language/backend/gcs Google Cloud — Store Terraform state in Cloud Storage: https://cloud.google.com/docs/terraform/resource-management/store-state Google Cloud — External Application Load Balancer overview: https://cloud.google.com/load-balancing/docs/https Google Cloud — Terraform examples for external Application Load Balancers: https://cloud.google.com/load-balancing/docs/https/ext-http-lb-tf-module-examples Google Cloud — Cloud NAT overview: https://cloud.google.com/nat/docs/overview Google Cloud — IAP TCP forwarding: https://cloud.google.com/iap/docs/using-tcp-forwarding </code></pre> </div> devops googlecloud infrastructure terraform Building a GCP Terraform Foundation: VPC, IAM, and Remote State Abraham Naiborhu Fri, 15 May 2026 13:58:12 +0000 https://dev.to/abrahamparn/building-a-gcp-terraform-foundation-vpc-iam-and-remote-state-54jp https://dev.to/abrahamparn/building-a-gcp-terraform-foundation-vpc-iam-and-remote-state-54jp <p>After going through several Terraform learning labs, I wanted to create my first Terraform artifact.</p> <p>The goal was not to build a full production landing zone, but to build a clean GCP Terraform Foundation Lite project.</p> <p>This project is meant to prove that I can bootstrap the basic foundation layer of a Google Cloud environment using Terraform.</p> <p>It includes:</p> <ul> <li>remote Terraform state</li> <li>versioned GCS state bucket</li> <li>custom VPC network</li> <li>role-based public and private subnets</li> <li>firewall rules</li> <li>service accounts</li> <li>IAM bindings</li> <li>reusable modules</li> <li>basic naming convention</li> <li>GitHub-safe variable patterns</li> </ul> <h2> Why I Built This </h2> <p>In my earlier Terraform labs, I learned individual concepts:</p> <ul> <li>installing Terraform</li> <li>creating a VPC</li> <li>using variables</li> <li>using outputs</li> <li>storing remote state in GCS</li> <li>creating modules</li> <li>creating service accounts</li> <li>using Terraform with GitHub Actions</li> </ul> <p>But those were learning labs. For this project, I wanted to convert those lessons into a cleaner artifact.</p> <p>The objective was to create something that looks closer to a real Terraform repository. It's still simple, but structured enough to show a proper foundation pattern.</p> <h2> What This Project Builds </h2> <p>This project creates:</p> <ul> <li>Google Cloud Storage bucket for Terraform state</li> <li>object versioning for state recovery</li> <li>custom VPC network</li> <li>public-facing subnet</li> <li>private workload subnet</li> <li>IAP SSH firewall rule</li> <li>internal traffic firewall rule</li> <li>application service account</li> <li>CI/CD service account</li> <li>optional IAM bindings</li> </ul> <p>The project is intentionally called Foundation Lite because it is not a full enterprise landing zone. It is a smaller version focused on the fundamentals.</p> <h2> Why Remote State Matters </h2> <p>By default, Terraform can store state locally in a file called:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfstate </code></pre> </div> <p>That is acceptable for early learning. However, from the labs I learn that local state is risky when the project becomes more serious.</p> <p>If state only exists on my machine, then several problems appear:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What if the file is deleted? What if another person needs to work on the infrastructure? What if two people run Terraform at the same time? What if I need to recover a previous state version? </code></pre> </div> <p>For this project, I used Google Cloud Storage as the remote backend that stores Terraform state. Furthermore, I also enabled Object Versioning on the bucket because it gives me a recovery path if the state object is accidentally overwritten or deleted.</p> <p>Reference:</p> <p><a href="https://developer.hashicorp.com/terraform/language/backend/gcs" rel="noopener noreferrer">https://developer.hashicorp.com/terraform/language/backend/gcs</a></p> <p><a href="https://cloud.google.com/storage/docs/samples/storage-bucket-tf-with-versioning" rel="noopener noreferrer">https://cloud.google.com/storage/docs/samples/storage-bucket-tf-with-versioning</a></p> <h2> Why Bootstrap Is Separate </h2> <p>One important thing I learned is that the GCS bucket for Terraform state must exist before Terraform can use it as a backend.</p> <p>That creates a bootstrapping problem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform needs a backend bucket. But Terraform cannot use the backend bucket before it exists. </code></pre> </div> <p>So I separated the project into two stages:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Stage</th> <th>Folder</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Stage 1</td> <td><code>bootstrap/state-bucket</code></td> <td>Creates the GCS state bucket</td> </tr> <tr> <td>Stage 2</td> <td><code>foundation</code></td> <td>Uses the GCS bucket as backend and creates the foundation resources</td> </tr> </tbody> </table></div> <p>This separation makes the workflow clearer.</p> <p>First, I bootstrap the state bucket.</p> <p>Then I use that bucket to manage the foundation.</p> <h2> Repository Structure </h2> <p>The repository structure is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-foundation-lite/ ├── README.md ├── .gitignore ├── docs/ │ └── architecture.md ├── bootstrap/ │ └── state-bucket/ │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ └── terraform.tfvars.example ├── foundation/ │ ├── backend.tf │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ └── terraform.tfvars.example └── modules/ ├── network/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf └── iam/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p>There are two main folders:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>bootstrap/ foundation/ </code></pre> </div> <p>And two reusable modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/network modules/iam </code></pre> </div> <h2> Architecture </h2> <p>The high-level architecture is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Bootstrap Terraform ↓ GCS State Bucket with Object Versioning ↓ Foundation Remote Backend ↓ Foundation Root Module ↓ Network Module + IAM Module </code></pre> </div> <p>The network module creates the VPC, subnets, and firewall rules.</p> <p>The IAM module creates service accounts and optional IAM role bindings.</p> <h2> Important Note About Public and Private Subnets in GCP </h2> <p>In Google Cloud, subnets are not inherently public or private in the same way as AWS.</p> <p>A subnet becomes public-facing or private based on how workloads inside it are configured.</p> <p>For example:</p> <ul> <li>whether instances have external IPs</li> <li>whether traffic enters through a load balancer</li> <li>whether Cloud NAT exists</li> <li>what firewall rules allow</li> <li>how routing and exposure are designed</li> </ul> <p>So in this project, I use <code>public</code> and <code>private</code> as role-based names.</p> <p>They describe the intended function of each subnet.</p> <p>They are not native GCP subnet types.</p> <h2> Stage 1: Bootstrap State Bucket </h2> <p>The first Terraform stage creates the GCS state bucket.</p> <p>Folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>bootstrap/state-bucket </code></pre> </div> <p>The bucket resource looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"terraform_state"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">state_bucket_name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">uniform_bucket_level_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_access_prevention</span> <span class="p">=</span> <span class="s2">"enforced"</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">versioning</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">purpose</span> <span class="p">=</span> <span class="s2">"terraform-state"</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"bootstrap"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>There are several important settings here.</p> <h3> Uniform Bucket-Level Access </h3> <p>This keeps access management simpler by using IAM at the bucket level.</p> <h3> Public Access Prevention </h3> <p>This prevents the state bucket from accidentally becoming public.</p> <p>Terraform state can contain sensitive infrastructure information, so the state bucket should never be publicly accessible.</p> <h3> Object Versioning </h3> <p>Object Versioning gives a recovery path if the Terraform state object is accidentally deleted or overwritten.</p> <p>This is important because Terraform state is critical to Terraform-managed infrastructure.</p> <h2> Stage 2: Foundation Backend </h2> <p>After the bucket exists, the foundation stage can use it as a backend.</p> <p>Folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>foundation </code></pre> </div> <p>Example backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"your-gcp-project-id-tfstate"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"foundation"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This stores the foundation state at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://your-gcp-project-id-tfstate/foundation/default.tfstate </code></pre> </div> <h2> Network Module </h2> <p>The network module creates:</p> <ul> <li>custom VPC</li> <li>subnets</li> <li>firewall rules</li> </ul> <p>The module receives subnet definitions using a map.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">public</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.10.1.0/24"</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"public-facing"</span> <span class="p">}</span> <span class="nx">private</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.10.2.0/24"</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"private-workload"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The VPC is created as a custom mode VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">final_network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p>I use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">auto_create_subnetworks</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p>because I want explicit control over the subnet ranges.</p> <p>This is cleaner than relying on automatically created subnets.</p> <h2> Firewall Rules </h2> <p>The network module also creates firewall rules from a map.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-iap-ssh</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH through IAP only."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.235.240.0/20"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"22"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-internal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow internal traffic inside the foundation CIDR range."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.10.0.0/16"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The IAP SSH rule is intentionally scoped to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>This is the source range used by IAP TCP forwarding.</p> <p>I used this instead of opening SSH from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0.0.0.0/0 </code></pre> </div> <p>That is a better security habit.</p> <h2> IAM Module </h2> <p>The IAM module creates service accounts.</p> <p>Example input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">service_accounts</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Application Workload Service Account"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Service account intended for application workloads."</span> <span class="nx">roles</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="nx">cicd</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"CI/CD Terraform Service Account"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Service account intended for Terraform automation."</span> <span class="nx">roles</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The module creates service accounts using <code>for_each</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"service_accounts"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_accounts</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.name_prefix}-${each.key}"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">display_name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="p">}</span> </code></pre> </div> <p>This keeps identity creation separate from network creation.</p> <p>That separation makes the repository easier to understand.</p> <h2> Naming Convention </h2> <p>The project uses a simple naming pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>environment-nameprefix-resource </code></pre> </div> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-foundation-vpc dev-foundation-public-subnet dev-foundation-private-subnet dev-foundation-app dev-foundation-cicd </code></pre> </div> <p>The goal is not to create the perfect naming standard.</p> <p>The goal is to avoid random resource names.</p> <p>Even a simple naming convention makes infrastructure easier to inspect later.</p> <h2> Git Safety </h2> <p>I do not commit real <code>.tfvars</code> files.</p> <p>The repository includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars.example </code></pre> </div> <p>but ignores:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>The <code>.gitignore</code> includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.terraform/ *.tfstate *.tfstate.* *.tfvars *.tfvars.json !*.tfvars.example *.tfplan .DS_Store </code></pre> </div> <p>This keeps local values and state files out of GitHub.</p> <p>That is important because Terraform state and tfvars files can contain project-specific or sensitive information.</p> <h2> Running the Project </h2> <p>The execution order is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Run bootstrap 2. Create the state bucket 3. Update foundation/backend.tf with the bucket name 4. Run foundation 5. Verify resources in GCP </code></pre> </div> <h3> Bootstrap </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>bootstrap/state-bucket <span class="nb">cp </span>terraform.tfvars.example terraform.tfvars terraform init terraform <span class="nb">fmt </span>terraform validate terraform plan terraform apply </code></pre> </div> <h3> Foundation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ../../foundation <span class="nb">cp </span>terraform.tfvars.example terraform.tfvars terraform init terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> terraform validate terraform plan terraform apply </code></pre> </div> <h2> Expected Output </h2> <p>The foundation output should show a summary similar to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>foundation_summary = { environment = "dev" network_name = "dev-foundation-vpc" subnet_count = 2 firewall_count = 2 service_accounts = ["app", "cicd"] } </code></pre> </div> <p>This confirms that Terraform created:</p> <ul> <li>one VPC</li> <li>two subnets</li> <li>two firewall rules</li> <li>two service accounts</li> </ul> <h2> Verification </h2> <p>I can verify the VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-foundation-vpc"</span> </code></pre> </div> <p>Verify subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks subnets list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"network:dev-foundation-vpc"</span> </code></pre> </div> <p>Verify firewall rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute firewall-rules list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"network:dev-foundation-vpc"</span> </code></pre> </div> <p>Verify service accounts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud iam service-accounts list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"email~dev-foundation"</span> </code></pre> </div> <p>Verify remote state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://your-gcp-project-id-tfstate/foundation/ </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://your-gcp-project-id-tfstate/foundation/default.tfstate </code></pre> </div> <h2> Next Step </h2> <p>This artifact only creates the foundation layer.</p> <p>The next artifact will build on top of this idea by provisioning a production-lite GCP web platform.</p> <p>That project will include:</p> <ul> <li>Cloud NAT</li> <li>Managed Instance Group</li> <li>instance template</li> <li>health check</li> <li>HTTP load balancer</li> <li>private backend instances</li> </ul> <p>The foundation answers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Can I bootstrap a clean Terraform-managed GCP environment? </code></pre> </div> <p>The next artifact answers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Can I provision infrastructure for an actual application platform? </code></pre> </div> devops google infrastructure terraform CI/CD for Terraform on GCP: Plan on Pull Request, Apply with Approval, No Static Keys Abraham Naiborhu Wed, 13 May 2026 15:04:16 +0000 https://dev.to/abrahamparn/cicd-for-terraform-on-gcp-plan-on-pull-request-apply-with-approval-no-static-keys-3kpm https://dev.to/abrahamparn/cicd-for-terraform-on-gcp-plan-on-pull-request-apply-with-approval-no-static-keys-3kpm <p>Hi guys, so, this will be my last lab.</p> <p>In the previous labs, I used Terraform from my local machine.<br> The workflow was simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>local terminal -&gt; terraform plan -&gt; terraform apply </code></pre> </div> <p>That worked for learning, but it is not how I want to manage infrastructure changes in a more professional setup.</p> <p>For this lab, I wanted to move Terraform execution into GitHub Actions.</p> <p>The target workflow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pull Request -&gt; terraform fmt -&gt; terraform validate -&gt; terraform plan Manual Approval -&gt; terraform apply </code></pre> </div> <p>The main goal is not only automation.</p> <p>The main goal is infrastructure change control.</p> <p>In this lab, I built a Terraform CI/CD workflow using:</p> <ul> <li>GitHub Actions</li> <li>Google Cloud Workload Identity Federation</li> <li>Terraform remote state in Google Cloud Storage</li> <li><code>terraform fmt -check</code></li> <li><code>terraform validate</code></li> <li><code>terraform plan</code></li> <li>manual <code>terraform apply</code> </li> <li>no downloaded service account JSON key</li> </ul> <p>The key idea is:</p> <blockquote> <p>Terraform should not only create infrastructure. Terraform changes should also be reviewed before they are applied.</p> </blockquote> <h2> Why This Lab Matters </h2> <p>Infrastructure as Code without review is dangerous.</p> <p>Why only application code that needs review? why not Terraform? Thus, A better workflow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>write Terraform code open pull request run terraform fmt and validate run terraform plan review the change apply only after approval </code></pre> </div> <p>This makes Terraform closer to a professional engineering workflow.</p> <h2> Why Workload Identity Federation? </h2> <p>One important decision in this lab was to avoid using a service account JSON key.</p> <p>Instead, I used Workload Identity Federation.</p> <p>The authentication flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Actions OIDC token ↓ Google Workload Identity Provider ↓ Google service account impersonation ↓ Terraform can access Google Cloud </code></pre> </div> <p>This means I do not need to download a long-lived service account key and store it in GitHub Secrets.</p> <p>For this lab, GitHub Actions impersonates a Google Cloud service account through Workload Identity Federation.</p> <p>Reference:</p> <p><a href="https://github.com/google-github-actions/auth" rel="noopener noreferrer">https://github.com/google-github-actions/auth</a></p> <p><a href="https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions" rel="noopener noreferrer">https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions</a></p> <h2> What This Lab Creates </h2> <p>The infrastructure itself is intentionally simple.</p> <p>This lab creates:</p> <ul> <li>one custom VPC network</li> <li>one subnet</li> <li>remote Terraform state in Google Cloud Storage</li> </ul> <p>Why simple?</p> <p>Because the focus of this lab is not infrastructure complexity.</p> <p>The focus is the Terraform delivery workflow.</p> <p>I wanted the CI/CD workflow to be easy to debug before applying it to a bigger project such as my production-lite GCP web platform.</p> <h2> Folder Structure </h2> <p>The folder structure is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab/ ├── .github/ │ └── workflows/ │ ├── lab-09-terraform-plan.yml │ └── lab-09-terraform-apply.yml └── 09-terraform-cicd-github-actions/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars.example └── README.md </code></pre> </div> <p>The Terraform code lives inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>09-terraform-cicd-github-actions/ </code></pre> </div> <p>The GitHub Actions workflows live inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/workflows/ </code></pre> </div> <h2> Terraform Backend </h2> <p>The backend uses Google Cloud Storage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/09-terraform-cicd-github-actions"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This keeps the state for this lab separate from the previous labs.</p> <p>The expected state path is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/09-terraform-cicd-github-actions/default.tfstate </code></pre> </div> <h2> Terraform Configuration </h2> <p>The Terraform configuration creates a small VPC and subnet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.subnet_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> <span class="err">}</span> </code></pre> </div> <p>The expected resources are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>google_compute_network.vpc_network google_compute_subnetwork.subnet </code></pre> </div> <h2> Variables </h2> <p>The root variables are defined in <code>variables.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">project</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"The project variable must not be empty."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Google Cloud region for regional resources."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name used for resource naming."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"cicd-network"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"cicd-subnet"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR range for the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.90.1.0/24"</span> <span class="p">}</span> </code></pre> </div> <p>The <code>project</code> variable does not have a default value.</p> <p>That is intentional.</p> <p>I do not want to hardcode the Google Cloud project ID inside the Terraform configuration.</p> <p>In GitHub Actions, I pass the value using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">-var</span><span class="o">=</span><span class="s2">"project=</span><span class="k">${</span><span class="p">{ vars.GCP_PROJECT_ID </span><span class="k">}</span><span class="s2">}"</span> </code></pre> </div> <h2> GitHub Repository Variables </h2> <p>In GitHub, I added repository variables under:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Settings -&gt; Secrets and variables -&gt; Actions -&gt; Variables </code></pre> </div> <p>The variables are:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Name</th> <th>Example Value</th> </tr> </thead> <tbody> <tr> <td><code>GCP_PROJECT_ID</code></td> <td><code>terraform-gcp-learning-lab</code></td> </tr> <tr> <td><code>GCP_REGION</code></td> <td><code>asia-southeast2</code></td> </tr> <tr> <td><code>GCP_WORKLOAD_IDENTITY_PROVIDER</code></td> <td><code>projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/providers/github-provider</code></td> </tr> <tr> <td><code>GCP_SERVICE_ACCOUNT</code></td> <td><code>terraform-cicd@PROJECT_ID.iam.gserviceaccount.com</code></td> </tr> <tr> <td><code>TF_WORKING_DIR</code></td> <td><code>09-terraform-cicd-github-actions</code></td> </tr> <tr> <td><code>TF_VERSION</code></td> <td><code>1.15.1</code></td> </tr> </tbody> </table></div> <p>These are repository variables, not service account keys.</p> <p>There is no downloaded JSON key.</p> <h2> Plan Workflow </h2> <p>The plan workflow runs on pull request.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/workflows/lab-09-terraform-plan.yml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Lab 09 - Terraform Plan</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">09-terraform-cicd-github-actions/**"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">.github/workflows/lab-09-terraform-plan.yml"</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">read</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TF_IN_AUTOMATION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">TF_INPUT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform-plan</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform fmt, validate, and plan</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">${{ vars.TF_WORKING_DIR }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Authenticate to Google Cloud using WIF</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">google-github-actions/auth@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">project_id</span><span class="pi">:</span> <span class="s">${{ vars.GCP_PROJECT_ID }}</span> <span class="na">workload_identity_provider</span><span class="pi">:</span> <span class="s">${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}</span> <span class="na">service_account</span><span class="pi">:</span> <span class="s">${{ vars.GCP_SERVICE_ACCOUNT }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ vars.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform fmt check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform fmt -check -recursive</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform init</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform init -input=false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform validate</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform plan</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform plan \</span> <span class="s">-input=false \</span> <span class="s">-no-color \</span> <span class="s">-var="project=${{ vars.GCP_PROJECT_ID }}" \</span> <span class="s">-var="region=${{ vars.GCP_REGION }}"</span> </code></pre> </div> <p>The important part is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> </code></pre> </div> <p>The <code>id-token: write</code> permission is required for GitHub Actions to request an OIDC token for Workload Identity Federation.</p> <h2> Apply Workflow </h2> <p>The apply workflow is manually triggered.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/workflows/lab-09-terraform-apply.yml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Lab 09 - Terraform Apply</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TF_IN_AUTOMATION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">TF_INPUT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform-apply</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform plan and apply</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">terraform-apply</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">${{ vars.TF_WORKING_DIR }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Authenticate to Google Cloud using WIF</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">google-github-actions/auth@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">project_id</span><span class="pi">:</span> <span class="s">${{ vars.GCP_PROJECT_ID }}</span> <span class="na">workload_identity_provider</span><span class="pi">:</span> <span class="s">${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}</span> <span class="na">service_account</span><span class="pi">:</span> <span class="s">${{ vars.GCP_SERVICE_ACCOUNT }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ vars.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform fmt check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform fmt -check -recursive</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform init</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform init -input=false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform validate</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform plan output file</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform plan \</span> <span class="s">-input=false \</span> <span class="s">-no-color \</span> <span class="s">-out=tfplan \</span> <span class="s">-var="project=${{ vars.GCP_PROJECT_ID }}" \</span> <span class="s">-var="region=${{ vars.GCP_REGION }}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform apply approved plan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform apply -input=false -auto-approve tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform output</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform output</span> </code></pre> </div> <p>The apply workflow uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="s">terraform-apply</span> </code></pre> </div> <p>In GitHub, I configured this environment with required approval.</p> <p>So the apply step is not fully automatic.</p> <p>It still requires manual approval.</p> <h2> The Error I Encountered </h2> <p>My first plan workflow failed.</p> <p>The error was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Invalid value for variable on variables.tf line 1: variable "project" { var.project is "" The project variable must not be empty. </code></pre> </div> <p>The important part is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>var.project is "" </code></pre> </div> <p>This means Terraform did receive the variable, but the value was empty.</p> <p>The workflow line was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">-var</span><span class="o">=</span><span class="s2">"project=</span><span class="k">${</span><span class="p">{ vars.GCP_PROJECT_ID </span><span class="k">}</span><span class="s2">}"</span> </code></pre> </div> <p>So the likely issue was that <code>vars.GCP_PROJECT_ID</code> was empty or not configured correctly in GitHub Actions.</p> <p>The authentication step still worked, but Terraform failed during the plan stage because the <code>project</code> variable was empty.</p> <p>That was a useful lesson.</p> <p>Authentication and Terraform input variables are related, but they are not the same thing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WIF authentication lets GitHub Actions access Google Cloud. Terraform variables tell Terraform what values to use. </code></pre> </div> <p>In this case, WIF was working, but my Terraform variable was not being passed correctly.</p> <h2> The Fix </h2> <p>The fix was to check the GitHub repository variables.</p> <p>In GitHub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Repository -&gt; Settings -&gt; Secrets and variables -&gt; Actions -&gt; Variables </code></pre> </div> <p>I made sure this variable existed exactly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GCP_PROJECT_ID </code></pre> </div> <p>with value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab </code></pre> </div> <p>The variable name must match exactly.</p> <p>This:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GCP_PROJECT_ID </code></pre> </div> <p>is not the same as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PROJECT_ID </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GCP_PROJECT </code></pre> </div> <p>After fixing the variable, the workflow was able to pass:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">-var</span><span class="o">=</span><span class="s2">"project=</span><span class="k">${</span><span class="p">{ vars.GCP_PROJECT_ID </span><span class="k">}</span><span class="s2">}"</span> </code></pre> </div> <p>correctly into Terraform.</p> <h2> Optional Debugging Step </h2> <p>A safe debugging step is to print whether the variable exists without printing sensitive values.</p> <p>For this lab, <code>GCP_PROJECT_ID</code> is not a secret, so printing it is acceptable.</p> <p>I can add this temporarily:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Debug repository variables</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "TF_WORKING_DIR=${{ vars.TF_WORKING_DIR }}"</span> <span class="s">echo "GCP_REGION=${{ vars.GCP_REGION }}"</span> <span class="s">echo "GCP_PROJECT_ID length=$(echo -n '${{ vars.GCP_PROJECT_ID }}' | wc -c)"</span> </code></pre> </div> <p>If the length is <code>0</code>, the variable is missing or not available to the workflow.</p> <p>I would remove this debug step after the workflow is stable.</p> <h2> The Successful Result </h2> <p>After fixing the variable, the workflow worked.</p> <p>The plan workflow successfully ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform fmt -check terraform init terraform validate terraform plan </code></pre> </div> <p>Then the manual apply workflow successfully deployed the infrastructure.</p> <p>The apply workflow created:</p> <ul> <li>VPC network</li> <li>subnet</li> </ul> <p>The important thing is not that the infrastructure was complex.</p> <p>The important thing is that Terraform was executed through GitHub Actions using Workload Identity Federation without a service account key.</p> <h2> Verifying the Infrastructure </h2> <p>After apply, I can verify the VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks list <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-cicd-network"</span> </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-cicd-network </code></pre> </div> <p>Then verify the subnet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks subnets list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-cicd-subnet"</span> </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-cicd-subnet </code></pre> </div> <p>I can also verify the remote state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/09-terraform-cicd-github-actions/ </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/09-terraform-cicd-github-actions/default.tfstate </code></pre> </div> <h2> What I Learned </h2> <p>This lab taught me that Terraform CI/CD is not only about running Terraform commands in GitHub Actions.</p> <p>There are several separate concerns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Actions workflow Google Cloud authentication Workload Identity Federation Terraform remote state Terraform variable injection manual approval before apply </code></pre> </div> <p>The error I encountered was useful because it showed that successful Google Cloud authentication does not guarantee Terraform has received the right input values.</p> <p>WIF solved the authentication problem.</p> <p>GitHub repository variables solved the Terraform input problem.</p> <p>The key lesson was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Authentication answers: who is running Terraform? Variables answer: what values should Terraform use? </code></pre> </div> <p>Those are different concerns.</p> <h2> Next Step </h2> <p>This lab is not the final artifact yet.</p> <p>This is the learning lab for my future Terraform CI/CD artifact.</p> <p>The next step is to take this same pattern and apply it to my larger Terraform project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Production-Lite GCP Web Platform </code></pre> </div> <p>That project will combine:</p> <ul> <li>Terraform modules</li> <li>remote state</li> <li>VPC and subnets</li> <li>Cloud NAT</li> <li>Managed Instance Group</li> <li>HTTP load balancer</li> <li>GitHub Actions CI/CD</li> <li>Workload Identity Federation</li> </ul> <p>At that point, the infrastructure will not only be reproducible.</p> <p>It will also be reviewable and safely deployable through CI/CD.</p> <h2> References </h2> <ul> <li><a href="https://docs.github.com/actions/learn-github-actions/variables" rel="noopener noreferrer">GitHub Actions variables</a></li> <li><a href="https://github.com/google-github-actions/auth" rel="noopener noreferrer">Google GitHub Actions authentication</a></li> <li><a href="https://cloud.google.com/iam/docs/workload-identity-federation" rel="noopener noreferrer">Google Cloud Workload Identity Federation</a></li> <li><a href="https://developer.hashicorp.com/terraform/language/values/variables" rel="noopener noreferrer">Terraform input variables</a></li> </ul> cicd github googlecloud terraform Managed Instance Group, Cloud NAT, Service Account, and HTTP Load Balancer Abraham Naiborhu Mon, 11 May 2026 09:40:55 +0000 https://dev.to/abrahamparn/managed-instance-group-cloud-nat-service-account-and-http-load-balancer-3fp7 https://dev.to/abrahamparn/managed-instance-group-cloud-nat-service-account-and-http-load-balancer-3fp7 <p>In the previous lab, I created a private VM with no external IP and accessed it through IAP.</p> <p>That lab worked for private access, but it also exposed an important issue.</p> <p>The VM could be private, but without outbound internet access, the startup script could fail when trying to install packages.</p> <p>In my case, Nginx installation failed because the VM had no external IP and no Cloud NAT.</p> <p>That taught me an important distinction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAP = controlled inbound administrative access Cloud NAT = outbound internet access for private resources </code></pre> </div> <p>So in this lab, I wanted to build a more complete serving pattern.</p> <p>Instead of using a single VM, I moved to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>instance template -&gt; Managed Instance Group -&gt; health check -&gt; backend service -&gt; HTTP load balancer </code></pre> </div> <p>I also added Cloud NAT so the private backend instances can install Nginx during startup without needing external IP addresses.</p> <h2> What This Lab Builds </h2> <p>This lab provisions:</p> <ul> <li>custom VPC network</li> <li>app subnet</li> <li>db subnet</li> <li>Cloud Router</li> <li>Cloud NAT</li> <li>custom service account for MIG instances</li> <li>IAM bindings</li> <li>firewall rule for Google Cloud load balancer and health check traffic</li> <li>internal firewall rule</li> <li>HTTP health check</li> <li>instance template</li> <li>regional managed instance group</li> <li>backend service</li> <li>URL map</li> <li>target HTTP proxy</li> <li>global forwarding rule</li> <li>external HTTP load balancer IP</li> </ul> <p>The high-level architecture is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client ↓ Global forwarding rule ↓ Target HTTP proxy ↓ URL map ↓ Backend service ↓ Regional Managed Instance Group ↓ Private backend VMs ↓ outbound only Cloud NAT </code></pre> </div> <h2> Why This Lab Matters </h2> <p>The previous private VM lab was about controlled administrative access.</p> <p>This lab is about serving traffic properly.</p> <p>A single VM is not enough for a production-like serving pattern.</p> <p>A better pattern is to place backend instances inside a Managed Instance Group and expose them through a load balancer.</p> <p>The backend instances remain private.</p> <p>The public entry point is the load balancer.</p> <p>Cloud NAT gives the backend instances outbound internet access for startup tasks such as package installation.</p> <h2> Folder Structure </h2> <p>The folder structure for this lab is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>08-mig-nat-http-lb/ ├── backend.tf ├── main.tf ├── outputs.tf ├── startup.sh ├── terraform.tfvars ├── variables.tf ├── modules/ │ ├── gcp-cloud-nat/ │ ├── gcp-http-lb/ │ ├── gcp-mig/ │ ├── gcp-network/ │ └── gcp-service-account/ </code></pre> </div> <p>This lab uses five modules:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Module</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td><code>gcp-network</code></td> <td>Creates VPC, subnets, and firewall rules</td> </tr> <tr> <td><code>gcp-cloud-nat</code></td> <td>Creates Cloud Router and Cloud NAT</td> </tr> <tr> <td><code>gcp-service-account</code></td> <td>Creates a custom service account</td> </tr> <tr> <td><code>gcp-mig</code></td> <td>Creates instance template and managed instance group</td> </tr> <tr> <td><code>gcp-http-lb</code></td> <td>Creates the HTTP load balancer resources</td> </tr> </tbody> </table></div> <h2> Remote State </h2> <p>This lab still uses Google Cloud Storage as the Terraform backend.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/08-mig-http-load-balancer"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Each lab uses a different prefix so the state files do not collide.</p> <h2> Root Module </h2> <p>The root module wires all child modules together.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">firewall_rules</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"cloud_nat"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-cloud-nat"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_self_link</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_self_link</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"service_account"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-service-account"</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_service_account_id}"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_service_account_display_name}"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"mig"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-mig"</span> <span class="nx">service_account_email</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">service_account</span><span class="p">.</span><span class="nx">email</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">mig_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_zone</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_machine_type</span> <span class="nx">subnetwork_self_link</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">mig_subnet_key</span><span class="p">].</span><span class="nx">self_link</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_tags</span> <span class="nx">startup_script_path</span> <span class="p">=</span> <span class="s2">"${path.module}/startup.sh"</span> <span class="nx">target_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_instance_count</span> <span class="nx">app_port</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="nx">health_check_self_link</span> <span class="p">=</span> <span class="nx">google_compute_health_check</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">self_link</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">cloud_nat</span><span class="p">]</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"http_lb"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-http-lb"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">lb_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">lb_name</span> <span class="nx">backend_instance_group</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">mig</span><span class="p">.</span><span class="nx">mig_instance_group</span> <span class="nx">health_check_self_link</span> <span class="p">=</span> <span class="nx">google_compute_health_check</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">self_link</span> <span class="nx">app_port</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="p">}</span> </code></pre> </div> <p>The important dependency flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module -&gt; Cloud NAT module network module -&gt; MIG module service account module -&gt; MIG module MIG module -&gt; HTTP load balancer module </code></pre> </div> <p>The most important lines are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">network_self_link</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">network_self_link</span> <span class="nx">subnetwork_self_link</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">mig_subnet_key</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> <span class="nx">service_account_email</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">service_account</span><span class="err">.</span><span class="nx">email</span> <span class="nx">backend_instance_group</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">mig</span><span class="err">.</span><span class="nx">mig_instance_group</span> </code></pre> </div> <p>These lines connect the modules together.</p> <h2> Cloud NAT Module </h2> <p>The Cloud NAT module creates a Cloud Router and Cloud NAT gateway.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_router"</span> <span class="s2">"router"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.router_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_self_link</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_router_nat"</span> <span class="s2">"nat"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.nat_name}"</span> <span class="nx">router</span> <span class="p">=</span> <span class="nx">google_compute_router</span><span class="p">.</span><span class="nx">router</span><span class="p">.</span><span class="nx">name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">nat_ip_allocate_option</span> <span class="p">=</span> <span class="s2">"AUTO_ONLY"</span> <span class="nx">source_subnetwork_ip_ranges_to_nat</span> <span class="p">=</span> <span class="s2">"ALL_SUBNETWORKS_ALL_IP_RANGES"</span> <span class="nx">log_config</span> <span class="p">{</span> <span class="nx">enable</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">filter</span> <span class="p">=</span> <span class="s2">"ERRORS_ONLY"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This solves the issue from the previous lab.</p> <p>The backend instances can remain private while still having outbound internet access.</p> <h2> Service Account Module </h2> <p>This lab also creates a custom service account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">account_id</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">display_name</span> <span class="p">}</span> </code></pre> </div> <p>The MIG instances use this service account instead of relying on the default Compute Engine service account.</p> <p>The root module passes the service account email into the MIG module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">service_account_email</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">service_account</span><span class="err">.</span><span class="nx">email</span> </code></pre> </div> <h2> MIG Module </h2> <p>The MIG module creates an instance template and a regional managed instance group.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_instance_template"</span> <span class="s2">"template"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}-template-"</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="nx">disk</span> <span class="p">{</span> <span class="nx">source_image</span> <span class="p">=</span> <span class="s2">"debian-cloud/debian-12"</span> <span class="nx">auto_delete</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">boot</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">disk_size_gb</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">disk_type</span> <span class="p">=</span> <span class="s2">"pd-balanced"</span> <span class="p">}</span> <span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="p">}</span> <span class="nx">metadata_startup_script</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">startup_script_path</span><span class="p">)</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">service_account</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_account_email</span> <span class="nx">scopes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"https://www.googleapis.com/auth/cloud-platform"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>There is no external IP configuration in the network interface.</p> <p>That means the backend instances remain private.</p> <p>The regional managed instance group uses the template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_region_instance_group_manager"</span> <span class="s2">"mig"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">base_instance_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}"</span> <span class="nx">target_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">target_size</span> <span class="nx">version</span> <span class="p">{</span> <span class="nx">instance_template</span> <span class="p">=</span> <span class="nx">google_compute_instance_template</span><span class="p">.</span><span class="nx">template</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="nx">named_port</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">port</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="p">}</span> <span class="nx">distribution_policy_zones</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">zone</span><span class="p">]</span> <span class="nx">auto_healing_policies</span> <span class="p">{</span> <span class="nx">health_check</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">health_check_self_link</span> <span class="nx">initial_delay_sec</span> <span class="p">=</span> <span class="mi">120</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The named port is important because the backend service uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>port_name = "http" </code></pre> </div> <p>So the MIG and backend service need to agree on the named port.</p> <h2> HTTP Load Balancer Module </h2> <p>The HTTP load balancer module creates:</p> <ul> <li>global IP address</li> <li>backend service</li> <li>URL map</li> <li>target HTTP proxy</li> <li>global forwarding rule </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_global_address"</span> <span class="s2">"lb_ip"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.lb_name}-ip"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_backend_service"</span> <span class="s2">"backend"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.lb_name}-backend"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">port_name</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">load_balancing_scheme</span> <span class="p">=</span> <span class="s2">"EXTERNAL_MANAGED"</span> <span class="nx">timeout_sec</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">health_checks</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">health_check_self_link</span> <span class="p">]</span> <span class="nx">backend</span> <span class="p">{</span> <span class="nx">group</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">backend_instance_group</span> <span class="nx">balancing_mode</span> <span class="p">=</span> <span class="s2">"UTILIZATION"</span> <span class="nx">capacity_scaler</span> <span class="p">=</span> <span class="mf">1.0</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The backend service points to the instance group output from the MIG module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">backend_instance_group</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">mig</span><span class="err">.</span><span class="nx">mig_instance_group</span> </code></pre> </div> <p>That is the connection between the load balancer and the backend instances.</p> <h2> Firewall Rules </h2> <p>The firewall rules are still created by the network module.</p> <p>The load balancer and health check rule allows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">source_ranges</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"35.191.0.0/16"</span><span class="p">,</span> <span class="s2">"130.211.0.0/22"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> </code></pre> </div> <p>The MIG instances also use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">mig_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> </code></pre> </div> <p>This means the firewall rule applies to the backend instances.</p> <p>The rule allows traffic on port 80:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">allow</span> <span class="err">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"80"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> </code></pre> </div> <h2> Startup Script </h2> <p>The startup script installs Nginx and creates a simple HTML page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail apt-get update <span class="nt">-y</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> nginx <span class="nv">HOSTNAME</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span><span class="s2">"</span> <span class="nv">LOCAL_IP</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">hostname</span> <span class="nt">-I</span> | <span class="nb">awk</span> <span class="s1">'{print $1}'</span><span class="si">)</span><span class="s2">"</span> <span class="nb">cat</span> <span class="o">&gt;</span> /var/www/html/index.html <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &lt;!doctype html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;Terraform MIG Load Balancer Lab&lt;/title&gt; &lt;/head&gt; &lt;body&gt; &lt;h1&gt;Hello from Terraform Lab 008&lt;/h1&gt; &lt;p&gt;This page is served from a private VM inside a Managed Instance Group.&lt;/p&gt; &lt;p&gt;Hostname: </span><span class="k">${</span><span class="nv">HOSTNAME</span><span class="k">}</span><span class="sh">&lt;/p&gt; &lt;p&gt;Internal IP: </span><span class="k">${</span><span class="nv">LOCAL_IP</span><span class="k">}</span><span class="sh">&lt;/p&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="no">EOF </span>systemctl <span class="nb">enable </span>nginx systemctl restart nginx </code></pre> </div> <p>In the previous private VM lab, this script failed because the VM had no external IP and no Cloud NAT.</p> <p>In this lab, Cloud NAT should allow the backend instances to reach the internet and install Nginx successfully.</p> <h2> Variables </h2> <p>For local values, I used <code>terraform.tfvars</code>.</p> <p>Public article version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"your-gcp-project-id"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">admin_principal</span> <span class="err">=</span> <span class="s2">"user:your-email@example.com"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"mig-lb-network"</span> <span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.1.0/24"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.2.0/24"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-lb-health-check</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow Google Cloud load balancer health checks and proxy traffic."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.191.0.0/16"</span><span class="p">,</span> <span class="s2">"130.211.0.0/22"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"80"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-internal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow internal traffic between lab subnets."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.80.0.0/16"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">mig_name</span> <span class="err">=</span> <span class="s2">"web-mig"</span> <span class="nx">mig_instance_count</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">mig_machine_type</span> <span class="err">=</span> <span class="s2">"e2-micro"</span> <span class="nx">mig_zone</span> <span class="err">=</span> <span class="s2">"asia-southeast2-a"</span> <span class="nx">mig_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> <span class="nx">mig_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> <span class="nx">mig_service_account_id</span> <span class="err">=</span> <span class="s2">"web-mig-sa"</span> <span class="nx">mig_service_account_display_name</span> <span class="err">=</span> <span class="s2">"Web MIG Service Account"</span> <span class="nx">lb_name</span> <span class="err">=</span> <span class="s2">"web-lb"</span> <span class="nx">app_port</span> <span class="err">=</span> <span class="mi">80</span> </code></pre> </div> <p>I do not commit the real <code>terraform.tfvars</code> file to GitHub.</p> <p>For GitHub, I use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars.example </code></pre> </div> <h2> Initialize, Format, and Validate </h2> <p>After preparing the files, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>Then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> </code></pre> </div> <p>Then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>The validation result was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Terraform Plan </h2> <p>The plan should show resources across multiple modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network module.cloud_nat module.service_account module.mig module.http_lb </code></pre> </div> <p>The important thing here is not just the number of resources.</p> <p>The important thing is the dependency chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC and subnets are created first. Cloud NAT is attached to the network. Instance template uses the app subnet and service account. MIG creates backend instances. Backend service uses the MIG instance group. Load balancer exposes the backend service. </code></pre> </div> <h2> Terraform Apply </h2> <p>After reviewing the plan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Then type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>The apply process may take several minutes because the MIG needs time to create backend instances and the load balancer needs time to detect healthy backends.</p> <h2> Outputs </h2> <p>Useful outputs from this lab include:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output load_balancer_ip terraform output load_balancer_url terraform output curl_test_command terraform output lab_summary </code></pre> </div> <p>The most important output is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>load_balancer_url </code></pre> </div> <p>This is the public HTTP endpoint for the lab.</p> <h2> Testing the Load Balancer </h2> <p>To test the load balancer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> <span class="si">$(</span>terraform output <span class="nt">-raw</span> load_balancer_url<span class="si">)</span> </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP/1.1 200 OK </code></pre> </div> <p>The response body should contain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hello from Terraform Lab 008 </code></pre> </div> <p>To test whether traffic may reach different backend instances:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..5<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="si">$(</span>terraform output <span class="nt">-raw</span> load_balancer_url<span class="si">)</span> | <span class="nb">grep </span>Hostname <span class="k">done</span> </code></pre> </div> <p>If both backend instances are healthy and receiving traffic, the hostname may change across requests.</p> <h2> Verifying Backend Health </h2> <p>I can check backend health using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute backend-services get-health dev-web-lb-backend <span class="se">\</span> <span class="nt">--global</span> </code></pre> </div> <p>Expected health state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HEALTHY </code></pre> </div> <p>If the backend is unhealthy, possible causes include:</p> <ul> <li>startup script still running</li> <li>Nginx failed to install</li> <li>health check firewall rule is wrong</li> <li>named port mismatch</li> <li>backend instances are not listening on port 80</li> </ul> <h2> Verifying Private Backend Instances </h2> <p>The backend instances should not have external IP addresses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name~dev-web-mig"</span> </code></pre> </div> <p>The external IP column should be empty.</p> <p>This confirms that the backend instances are private.</p> <p>The load balancer is public, but the backend instances are not directly exposed.</p> <h2> Verifying Cloud NAT </h2> <p>To verify Cloud NAT:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute routers nats list <span class="se">\</span> <span class="nt">--router</span><span class="o">=</span>dev-nat-router <span class="se">\</span> <span class="nt">--region</span><span class="o">=</span>asia-southeast2 </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-nat-gateway </code></pre> </div> <p>This confirms that Cloud NAT exists for the VPC.</p> <h2> Verifying Remote State </h2> <p>The remote state should be stored in Google Cloud Storage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/08-mig-http-load-balancer/ </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/08-mig-http-load-balancer/default.tfstate </code></pre> </div> <h2> What I Learned </h2> <p>This lab connected several important Terraform and Google Cloud concepts.</p> <p>The previous labs taught me:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>how to create resources how to use variables how to use outputs how to use remote state how to create modules how to create a private VM </code></pre> </div> <p>This lab combined those concepts into a more realistic serving architecture.</p> <p>The most important lesson is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>A private backend can still serve public traffic through a load balancer. </code></pre> </div> <p>The backend instances do not need external IP addresses.</p> <p>The public entry point is the load balancer.</p> <p>The backend instances can still install packages during startup because Cloud NAT provides outbound internet access.</p> <p>Another important lesson is how Terraform modules compose infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module creates network outputs Cloud NAT module uses network output service account module creates workload identity MIG module uses subnet and service account outputs load balancer module uses MIG output </code></pre> </div> <h2> Next Step </h2> <p>This lab uses an HTTP load balancer.</p> <p>The next improvement would be to move from HTTP to HTTPS.</p> <p>That would introduce:</p> <ul> <li>managed SSL certificate</li> <li>domain mapping</li> <li>HTTPS proxy</li> <li>forwarding rule on port 443</li> <li>possibly Cloud DNS</li> </ul> <p>That would make the infrastructure closer to a real public-facing production setup.</p> googlecloud infrastructure networking tutorial Private VM Access with IAP, OS Login, and Service Account Abraham Naiborhu Sun, 10 May 2026 08:06:49 +0000 https://dev.to/abrahamparn/private-vm-access-with-iap-os-login-and-service-account-4m5c https://dev.to/abrahamparn/private-vm-access-with-iap-os-login-and-service-account-4m5c <p>In the previous Terraform lab, I created a private Compute Engine VM using module composition.</p> <p>The VM was created from a reusable <code>gcp-vm</code> module, while the network was created from a reusable <code>gcp-network</code> module.</p> <p>That lab helped me understand this pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module output -&gt; root module -&gt; VM module input </code></pre> </div> <p>For this lab, I wanted to improve the access pattern.</p> <p>Previously, the VM already had:</p> <ul> <li>no external IP</li> <li>an IAP SSH firewall rule</li> <li>the <code>iap-ssh</code> network tag</li> </ul> <p>However, that was only half of the private access story.</p> <p>In this lab, I wanted to make the private VM access pattern more complete by adding:</p> <ul> <li>custom VM service account</li> <li>OS Login</li> <li>IAP TCP forwarding access</li> <li>IAM bindings</li> <li>startup script verification</li> <li>SSH access through IAP</li> </ul> <p>The goal was to move from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VM exists </code></pre> </div> <p>to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VM exists, has no external IP, and can be accessed in a controlled way through IAP. </code></pre> </div> <h2> What This Lab Builds </h2> <p>This lab provisions:</p> <ul> <li>custom VPC network</li> <li>app subnet</li> <li>db subnet</li> <li>firewall rule for IAP SSH</li> <li>internal firewall rule</li> <li>custom VM service account</li> <li>IAM binding for IAP TCP forwarding</li> <li>IAM binding for OS Login</li> <li>IAM binding for service account usage</li> <li>private Compute Engine VM</li> <li>startup script for Nginx installation</li> <li>remote Terraform state in Google Cloud Storage</li> </ul> <p>The important thing is that the VM has <strong>no external IP address</strong>.</p> <h2> Architecture </h2> <p>The structure is now composed of three child modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>07-private-vm-access-iap/ ├── modules/ │ ├── gcp-network/ │ ├── gcp-service-account/ │ └── gcp-vm/ </code></pre> </div> <p>The root module wires them together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Root module │ ├── module.network │ ├── VPC │ ├── app subnet │ ├── db subnet │ ├── IAP SSH firewall rule │ └── internal firewall rule │ ├── module.vm_service_account │ └── custom VM service account │ ├── IAM bindings │ ├── IAP tunnel access │ ├── OS Login admin access │ └── service account user access │ └── module.vm └── private VM </code></pre> </div> <p>The main Terraform pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module output -&gt; root module -&gt; VM module input service account module output -&gt; root module -&gt; VM module input IAM bindings -&gt; controlled private VM access </code></pre> </div> <h2> Why IAP? </h2> <p>Normally, if a VM has an external IP, I can SSH into it from the internet if the firewall allows it.</p> <p>But exposing SSH publicly is not a good habit.</p> <p>For this lab, I wanted the VM to stay private.</p> <p>So instead of giving the VM an external IP, I used Identity-Aware Proxy TCP forwarding.</p> <p>The firewall rule allows SSH only from Google’s IAP TCP forwarding source range:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>The VM also has this network tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>So the firewall rule applies only to instances with that tag.</p> <h2> Why OS Login? </h2> <p>I also enabled OS Login.</p> <p>Instead of managing SSH keys manually in project or instance metadata, OS Login allows VM login access to be controlled through IAM.</p> <p>For this lab, the selected admin principal receives:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>roles/compute.osAdminLogin </code></pre> </div> <p>This allows the principal to log in through OS Login with admin-level access.</p> <h2> Why a Custom Service Account? </h2> <p>I also created a dedicated service account for the VM.</p> <p>The service account is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-iap-private-vm-sa@terraform-gcp-learning-lab.iam.gserviceaccount.com </code></pre> </div> <p>This is better than blindly using the default Compute Engine service account.</p> <p>In real environments, each workload should have an identity that matches what it needs to do.</p> <p>For this lab, the service account exists mainly to practice a cleaner VM identity pattern.</p> <h2> Backend Configuration </h2> <p>This lab still uses remote state in Google Cloud Storage.</p> <p>Example <code>backend.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/07-private-vm-access-iap"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This means the state for this lab is isolated from the previous labs.</p> <h2> Root Module </h2> <p>The root module calls three child modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">firewall_rules</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vm_service_account"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-service-account"</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.vm_service_account_id}"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment} ${var.vm_service_account_display_name}"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-vm"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">vm_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_zone</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_tags</span> <span class="nx">subnetwork_self_link</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">].</span><span class="nx">self_link</span> <span class="nx">service_account_email</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vm_service_account</span><span class="p">.</span><span class="nx">email</span> <span class="nx">startup_script_path</span> <span class="p">=</span> <span class="s2">"${path.module}/startup.sh"</span> <span class="nx">enable_oslogin</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_oslogin</span> <span class="p">}</span> </code></pre> </div> <p>The important lines are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnetwork_self_link</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> <span class="nx">service_account_email</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">vm_service_account</span><span class="err">.</span><span class="nx">email</span> </code></pre> </div> <p>This means the VM module does not create its own network or service account.</p> <p>Instead, it consumes outputs from other modules.</p> <h2> IAM Bindings </h2> <p>This lab also creates IAM bindings.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"iap_tunnel_user"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/iap.tunnelResourceAccessor"</span> <span class="nx">member</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">admin_principal</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"os_admin_login"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/compute.osAdminLogin"</span> <span class="nx">member</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">admin_principal</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_service_account_iam_member"</span> <span class="s2">"vm_service_account_user"</span> <span class="p">{</span> <span class="nx">service_account_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vm_service_account</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/iam.serviceAccountUser"</span> <span class="nx">member</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">admin_principal</span> <span class="p">}</span> </code></pre> </div> <p>These roles support the access pattern:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Role</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>roles/iap.tunnelResourceAccessor</code></td> <td>Allows IAP TCP forwarding</td> </tr> <tr> <td><code>roles/compute.osAdminLogin</code></td> <td>Allows OS Login with admin privileges</td> </tr> <tr> <td><code>roles/iam.serviceAccountUser</code></td> <td>Allows the principal to use the VM service account</td> </tr> </tbody> </table></div> <h2> Network Module </h2> <p>The network module creates:</p> <ul> <li>VPC</li> <li>subnets</li> <li>firewall rules</li> </ul> <p>The firewall rule for IAP SSH allows traffic from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>and targets instances tagged with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>My Terraform output showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"allow-iap-ssh" = { "name" = "dev-allow-iap-ssh" "source_ranges" = toset([ "35.235.240.0/20", ]) "target_tags" = toset([ "iap-ssh", ]) } </code></pre> </div> <h2> VM Module </h2> <p>The VM module creates the private Compute Engine instance.</p> <p>The VM resource uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="p">}</span> </code></pre> </div> <p>There is no <code>access_config</code> block.</p> <p>That means the VM does not receive an external IP address.</p> <p>The VM also uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">metadata</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">enable-oslogin</span> <span class="p">=</span> <span class="nx">tostring</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">enable_oslogin</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>and attaches the custom service account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">service_account</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_account_email</span> <span class="nx">scopes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"https://www.googleapis.com/auth/cloud-platform"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Terraform Apply Result </h2> <p>After running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>the lab completed successfully.</p> <p>The output showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_name = "dev-iap-private-vm" vm_internal_ip = "10.60.1.2" vm_machine_type = "e2-micro" vm_service_account_email = "dev-iap-private-vm-sa@terraform-gcp-learning-lab.iam.gserviceaccount.com" vm_zone = "asia-southeast2-a" </code></pre> </div> <p>The lab summary showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab_summary = { "environment" = "dev" "firewall_count" = 2 "iap_ssh_enabled_pattern" = true "network_name" = "dev-iap-private-network" "os_login_enabled" = true "project" = "terraform-gcp-learning-lab" "region" = "asia-southeast2" "subnet_count" = 2 "vm_external_ip" = "none" "vm_internal_ip" = "10.60.1.2" "vm_name" = "dev-iap-private-vm" "vm_service_account_email" = "dev-iap-private-vm-sa@terraform-gcp-learning-lab.iam.gserviceaccount.com" "vm_subnet_key" = "app" "vm_zone" = "asia-southeast2-a" } </code></pre> </div> <p>This confirmed that the VM was created privately with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_external_ip = "none" </code></pre> </div> <h2> Verifying That the VM Has No External IP </h2> <p>I verified the VM using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances describe dev-iap-private-vm <span class="se">\</span> <span class="nt">--zone</span><span class="o">=</span>asia-southeast2-a <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span><span class="s2">"table(name,networkInterfaces[0].networkIP,networkInterfaces[0].accessConfigs)"</span> </code></pre> </div> <p>The result was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME NETWORK_IP ACCESS_CONFIGS dev-iap-private-vm 10.60.1.2 </code></pre> </div> <p>The <code>ACCESS_CONFIGS</code> field is empty.</p> <p>That confirms that the VM has no external IP address.</p> <h2> SSH Command Through IAP </h2> <p>Terraform also generated the IAP SSH command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcloud compute ssh dev-iap-private-vm --zone=asia-southeast2-a --tunnel-through-iap </code></pre> </div> <p>This command is important because the VM is private.</p> <p>Without an external IP, I cannot SSH directly from the public internet.</p> <p>The intended access path is through IAP TCP forwarding.</p> <h2> The One Thing That Failed: Startup Script Internet Access </h2> <p>Almost everything worked.</p> <p>But one thing failed.</p> <p>The startup script tried to install Nginx:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt-get update <span class="nt">-y</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> nginx </code></pre> </div> <p>The VM failed to fetch the Nginx package from Debian repositories.</p> <p>The error was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Failed to fetch https://deb.debian.org/debian-security/pool/updates/main/n/nginx/nginx_1.22.1-9%2bdeb12u4_amd64.deb Cannot initiate the connection to deb.debian.org:443 Network is unreachable </code></pre> </div> <p>This happened because the VM has no external IP address and I did not configure Cloud NAT.</p> <p>So the VM was private, but it also had no outbound internet path to reach Debian package repositories.</p> <p>This is an important distinction.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAP solves private administrative access into the VM. Cloud NAT solves outbound internet access from the VM. </code></pre> </div> <p>In this lab, I configured IAP access, but I did not configure Cloud NAT yet.</p> <p>That means SSH through IAP can work, but installing packages from the internet during startup may fail.</p> <p>This is not a Terraform failure.</p> <p>This is a network design gap.</p> <h2> What Worked </h2> <p>The successful parts were:</p> <ul> <li>custom VPC created</li> <li>app and db subnets created</li> <li>VM created in the app subnet</li> <li>VM has no external IP</li> <li>custom service account attached to the VM</li> <li>OS Login enabled</li> <li>IAP SSH firewall rule created</li> <li>IAP SSH command generated</li> <li>Terraform outputs confirmed the infrastructure</li> <li>remote state continued to work</li> </ul> <p>The key output was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_external_ip = "none" vm_internal_ip = "10.60.1.2" iap_ssh_enabled_pattern = true os_login_enabled = true </code></pre> </div> <p>That means the core private access pattern was successfully provisioned.</p> <h2> What Did Not Work </h2> <p>The startup script verification did not fully work because the VM could not install Nginx.</p> <p>The command that would normally verify Nginx was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-I</span> http://localhost </code></pre> </div> <p>But since Nginx installation failed, this verification could not succeed yet.</p> <p>The root cause was not the startup script itself.</p> <p>The root cause was that the private VM had no outbound internet path.</p> <h2> How I Would Fix This Next </h2> <p>There are several ways to fix this.</p> <p>The most appropriate next lab is to add:</p> <ul> <li>Cloud Router</li> <li>Cloud NAT</li> <li>private VM outbound internet access</li> <li>startup script retry</li> <li>Nginx installation verification</li> </ul> <p>That would allow the VM to stay private while still being able to reach package repositories on the internet.</p> <p>The improved design would be:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Private VM ↓ outbound internet Cloud NAT ↓ Internet package repositories </code></pre> </div> <p>The VM would still have no external IP.</p> <p>But it could access the internet for outbound traffic through Cloud NAT.</p> <h2> What I Learned </h2> <p>This lab clarified an important distinction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Private inbound access and private outbound access are different problems. </code></pre> </div> <p>IAP helps solve inbound administrative access.</p> <p>It lets me access a private VM without giving it an external IP.</p> <p>But IAP does not automatically give the VM outbound internet access.</p> <p>For outbound internet access from a VM with no external IP, I need something like Cloud NAT.</p> <p>This is an important infrastructure lesson.</p> <p>At first, I thought:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>The VM has IAP, so it should be fine. </code></pre> </div> <p>But that was incomplete.</p> <p>The better understanding is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAP = controlled inbound access to private VM Cloud NAT = outbound internet access from private VM </code></pre> </div> <p>This failure actually made the lab better because it revealed a real production design consideration.</p> terraform googlecloud devops infrastructure Creating a VM from Network Module Outputs Abraham Naiborhu Sat, 09 May 2026 15:49:20 +0000 https://dev.to/abrahamparn/creating-a-vm-from-network-module-outputs-41ko https://dev.to/abrahamparn/creating-a-vm-from-network-module-outputs-41ko <p>In the previous lab, I created a reusable Terraform module for Google Cloud networking.</p> <p>That module created:</p> <ul> <li>a custom VPC network</li> <li>multiple subnets</li> <li>firewall rules</li> <li>outputs for network, subnet, and firewall information</li> </ul> <p>That was already an improvement from writing every resource directly in the root configuration.</p> <p>However, the network module was still isolated. It created network resources, but nothing else was consuming those outputs yet.</p> <p>So in this lab, I wanted to take the next logical step:</p> <blockquote> <p>Create a Compute Engine VM that uses the subnet output from the network module.</p> </blockquote> <p>At first, I considered creating the VM directly in the root module. But then I changed the format and added a second module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-vm </code></pre> </div> <p>So now the lab has two child modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network modules/gcp-vm </code></pre> </div> <p>The purpose of this lab is to understand module composition.</p> <p>The main idea is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>The network module creates the network. The network module exposes subnet outputs. The root module passes the selected subnet output into the VM module. The VM module creates a VM inside that subnet. </code></pre> </div> <h2> What This Lab Builds </h2> <p>This lab creates:</p> <ul> <li>one custom VPC network</li> <li>two subnets</li> <li>two firewall rules</li> <li>one Compute Engine VM</li> <li>a startup script that installs Nginx</li> <li>remote state in Google Cloud Storage</li> <li>outputs from both the network module and VM module</li> </ul> <p>The final result from Terraform was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Apply complete! Resources: 6 added, 0 changed, 0 destroyed. </code></pre> </div> <p>The six resources were:</p> <ol> <li>VPC network</li> <li>app subnet</li> <li>db subnet</li> <li>IAP SSH firewall rule</li> <li>internal firewall rule</li> <li>Compute Engine VM</li> </ol> <h2> Folder Structure </h2> <p>The final folder structure is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>06-gcp-vm-and-network-module/ ├── backend.tf ├── main.tf ├── modules │ ├── gcp-network │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ └── gcp-vm │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── outputs.tf ├── README.md ├── startup.sh ├── terraform.tfvars ├── terraform.tfvars.example └── variables.tf </code></pre> </div> <p>There are now two child modules:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Module</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td><code>gcp-network</code></td> <td>Creates VPC, subnets, and firewall rules</td> </tr> <tr> <td><code>gcp-vm</code></td> <td>Creates the Compute Engine VM</td> </tr> </tbody> </table></div> <p>The root module is responsible for wiring them together.</p> <h2> The Main Concept: Module Composition </h2> <p>In the previous lab, the network module created subnets and exposed them through outputs.</p> <p>The output looked conceptually like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet_key</span><span class="p">,</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnets</span> <span class="err">:</span> <span class="nx">subnet_key</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">region</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="nx">self_link</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Because of this output, the root module can access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="s2">"app"</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>In this lab, that value is passed into the VM module.</p> <p>The important pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module output -&gt; root module -&gt; VM module input </code></pre> </div> <p>This was the main learning point.</p> <h2> Remote State </h2> <p>This lab still uses Google Cloud Storage as the Terraform backend.</p> <p>Example <code>backend.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/06-gcp-vm-and-network-module"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The state path is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/06-gcp-vm-and-network-module/default.tfstate </code></pre> </div> <p>Each lab has a different backend prefix so that the state files do not collide.</p> <h2> Root <code>main.tf</code> </h2> <p>The root <code>main.tf</code> configures the provider and calls both modules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">firewall_rules</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-vm"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">vm_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_zone</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_tags</span> <span class="nx">subnetwork_self_link</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">].</span><span class="nx">self_link</span> <span class="nx">startup_script_path</span> <span class="p">=</span> <span class="s2">"${path.module}/startup.sh"</span> <span class="p">}</span> </code></pre> </div> <p>The most important line is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnetwork_self_link</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>This line means:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Get the selected subnet from the network module output and pass it into the VM module. </code></pre> </div> <p>If:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vm_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> </code></pre> </div> <p>then Terraform resolves:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="s2">"app"</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>That is the subnet used by the VM.</p> <h2> Why This is Better Than Hardcoding the Subnet </h2> <p>Without module outputs, I could hardcode the subnet like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnetwork</span> <span class="err">=</span> <span class="s2">"dev-app-subnet"</span> </code></pre> </div> <p>But that is weaker.</p> <p>The VM module should not guess or hardcode the subnet.</p> <p>Instead, the network module creates the subnet, exposes the subnet self-link, and the root module passes that value into the VM module.</p> <p>This makes the dependency clear.</p> <p>The VM depends on the subnet created by the network module.</p> <h2> VM Module </h2> <p>The VM module is responsible for creating the Compute Engine instance.</p> <p>Inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-vm/main.tf </code></pre> </div> <p>the VM resource is defined like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_instance"</span> <span class="s2">"app_vm"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.vm_name}"</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="nx">boot_disk</span> <span class="p">{</span> <span class="nx">initialize_params</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"debian-cloud/debian-12"</span> <span class="nx">size</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"pd-balanced"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="p">}</span> <span class="nx">metadata_startup_script</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">startup_script_path</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The VM does not receive an external IP address because there is no <code>access_config</code> block inside the <code>network_interface</code>.</p> <p>That means the VM is private.</p> <p>This is intentional.</p> <p>For this lab, I wanted the VM to use an internal IP only.</p> <h2> Startup Script </h2> <p>The VM uses a startup script to install Nginx.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>startup.sh </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail apt-get update <span class="nt">-y</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> nginx <span class="nb">cat</span> <span class="o">&gt;</span> /var/www/html/index.html <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &lt;!doctype html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;Terraform Module Output VM&lt;/title&gt; &lt;/head&gt; &lt;body&gt; &lt;h1&gt;Hello from Terraform&lt;/h1&gt; &lt;p&gt;This VM was created using a subnet output from the network module.&lt;/p&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="no">EOF </span>systemctl <span class="nb">enable </span>nginx systemctl restart nginx </code></pre> </div> <p>The startup script is passed into the VM module using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">startup_script_path</span> <span class="err">=</span> <span class="s2">"${path.module}/startup.sh"</span> </code></pre> </div> <p>Then the VM module reads it using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">metadata_startup_script</span> <span class="err">=</span> <span class="nx">file</span><span class="err">(</span><span class="nx">var</span><span class="err">.</span><span class="nx">startup_script_path</span><span class="err">)</span> </code></pre> </div> <h2> Firewall Rules </h2> <p>The network module creates two firewall rules.</p> <h3> IAP SSH Rule </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-allow-iap-ssh </code></pre> </div> <p>This allows SSH from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>with the target tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>The VM also has the tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>That means the IAP SSH firewall rule applies to this VM.</p> <h3> Internal Rule </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-allow-internal </code></pre> </div> <p>This allows internal traffic from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10.50.0.0/16 </code></pre> </div> <p>This is used for internal communication between the lab subnets.</p> <h2> Variables </h2> <p>The local values are stored in <code>terraform.tfvars</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"terraform-gcp-learning-lab"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"network-module"</span> <span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.50.1.0/24"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.50.2.0/24"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-iap-ssh</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH through IAP only."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.235.240.0/20"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"22"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-internal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow internal traffic between lab subnets."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.50.0.0/16"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">vm_name</span> <span class="err">=</span> <span class="s2">"module-output-vm"</span> <span class="nx">vm_machine_type</span> <span class="err">=</span> <span class="s2">"e2-micro"</span> <span class="nx">vm_zone</span> <span class="err">=</span> <span class="s2">"asia-southeast2-a"</span> <span class="nx">vm_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> <span class="nx">vm_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> </code></pre> </div> <p>The important VM value is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vm_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> </code></pre> </div> <p>This tells Terraform to place the VM in the app subnet.</p> <h2> Initialize Terraform </h2> <p>After preparing the files, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>Because this lab uses two child modules, Terraform initializes both modules.</p> <p>Expected output includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Initializing modules... - network in modules/gcp-network - vm in modules/gcp-vm </code></pre> </div> <h2> Format and Validate </h2> <p>Because this lab has nested module folders, I used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> </code></pre> </div> <p>Then I validated the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Terraform Plan </h2> <p>Next, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform planned to create six resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 6 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>The planned resources included:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network.google_compute_firewall.ingress_rules["allow-iap-ssh"] module.network.google_compute_firewall.ingress_rules["allow-internal"] module.network.google_compute_network.vpc_network module.network.google_compute_subnetwork.subnets["app"] module.network.google_compute_subnetwork.subnets["db"] module.vm.google_compute_instance.app_vm </code></pre> </div> <p>This plan output is important because it shows the module boundaries.</p> <p>Network resources are created under:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network </code></pre> </div> <p>The VM is created under:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.vm </code></pre> </div> <h2> Apply </h2> <p>After reviewing the plan, I applied the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Then I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Terraform completed successfully:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Apply complete! Resources: 6 added, 0 changed, 0 destroyed. </code></pre> </div> <h2> Terraform Outputs </h2> <p>After apply, I checked:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>The output showed the network, subnet, firewall, and VM information.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab_summary = { "environment" = "dev" "firewall_count" = 2 "network_name" = "dev-network-module" "project" = "terraform-gcp-learning-lab" "region" = "asia-southeast2" "subnet_count" = 2 "vm_external_ip" = "none" "vm_internal_ip" = "10.50.1.2" "vm_name" = "dev-module-output-vm" "vm_subnet_key" = "app" "vm_subnet_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" "vm_zone" = "asia-southeast2-a" } </code></pre> </div> <p>This confirms several important things:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Output</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><code>vm_name</code></td> <td>VM was created as <code>dev-module-output-vm</code> </td> </tr> <tr> <td><code>vm_internal_ip</code></td> <td>VM received internal IP <code>10.50.1.2</code> </td> </tr> <tr> <td><code>vm_external_ip</code></td> <td>VM has no external IP</td> </tr> <tr> <td><code>vm_subnet_key</code></td> <td>VM selected the <code>app</code> subnet</td> </tr> <tr> <td><code>vm_subnet_link</code></td> <td>VM consumed the app subnet self-link from the network module</td> </tr> </tbody> </table></div> <p>The VM output also showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_selected_subnet_key = "app" vm_selected_subnet_self_link = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" </code></pre> </div> <p>This proves that the VM was attached to the subnet created by the network module.</p> <h2> Subnet Outputs </h2> <p>The subnet outputs showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>subnets = { "app" = { "cidr_range" = "10.50.1.0/24" "id" = "projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" "name" = "dev-app-subnet" "region" = "asia-southeast2" "self_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" } "db" = { "cidr_range" = "10.50.2.0/24" "id" = "projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-db-subnet" "name" = "dev-db-subnet" "region" = "asia-southeast2" "self_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-db-subnet" } } </code></pre> </div> <p>This confirms that the network module created both the app and db subnets.</p> <h2> Firewall Outputs </h2> <p>The firewall outputs showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>firewall_rules = { "allow-iap-ssh" = { "id" = "projects/terraform-gcp-learning-lab/global/firewalls/dev-allow-iap-ssh" "name" = "dev-allow-iap-ssh" "source_ranges" = toset([ "35.235.240.0/20", ]) "target_tags" = toset([ "iap-ssh", ]) } "allow-internal" = { "id" = "projects/terraform-gcp-learning-lab/global/firewalls/dev-allow-internal" "name" = "dev-allow-internal" "source_ranges" = toset([ "10.50.0.0/16", ]) "target_tags" = toset(null) /* of string */ } } </code></pre> </div> <p>The IAP SSH rule targets instances with the tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>The VM also uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vm_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> </code></pre> </div> <p>So the firewall rule is connected to the VM through network tags.</p> <h2> Verify the VM </h2> <p>I can verify the VM using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances list <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-module-output-vm"</span> </code></pre> </div> <p>I can also inspect the VM network interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances describe dev-module-output-vm <span class="se">\</span> <span class="nt">--zone</span><span class="o">=</span>asia-southeast2-a <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span><span class="s2">"value(networkInterfaces[0].subnetwork,networkInterfaces[0].networkIP,networkInterfaces[0].accessConfigs)"</span> </code></pre> </div> <p>The expected result is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>subnetwork: dev-app-subnet internal IP: 10.50.1.2 external IP/accessConfigs: empty </code></pre> </div> <p>This means the VM is private and does not have an external IP.</p> <h2> Verify Remote State </h2> <p>Because this lab uses the GCS backend, the state is stored remotely.</p> <p>I can verify it with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/06-gcp-vm-and-network-module/ </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/06-gcp-vm-and-network-module/default.tfstate </code></pre> </div> <h2> Destroy </h2> <p>Because this is still a learning lab, I destroyed the resources after testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Then I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Terraform destroyed the resources managed by this lab.</p> <h2> What I Learned </h2> <p>This lab helped me understand Terraform module composition more clearly.</p> <p>In the previous lab, I had one child module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcp-network </code></pre> </div> <p>In this lab, I added another child module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcp-vm </code></pre> </div> <p>The most important lesson was not just creating a VM.</p> <p>The important lesson was passing an output from one module into another module.</p> <p>The flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcp-network creates subnets gcp-network outputs subnet self-links root module selects the app subnet root module passes the subnet self-link into gcp-vm gcp-vm creates a VM in that subnet </code></pre> </div> <p>The key Terraform expression is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>Breaking it down:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network </code></pre> </div> <p>means the network child module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.subnets </code></pre> </div> <p>means the subnet output from that module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[var.vm_subnet_key] </code></pre> </div> <p>means select one subnet from the subnet map.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.self_link </code></pre> </div> <p>means use the selected subnet self-link.</p> <p>So if:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vm_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> </code></pre> </div> <p>Terraform uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="s2">"app"</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>This is then passed into the VM module.</p> <p>That is the main pattern I wanted to learn:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module output -&gt; root module -&gt; another module input </code></pre> </div> <h2> Next Step </h2> <p>The next logical step is to improve the VM access pattern.</p> <p>Right now, the VM has no external IP and has an IAP SSH firewall rule.</p> <p>The next lab could focus on testing private VM access through IAP, or improving the module further by adding:</p> <ul> <li>service account for the VM</li> <li>IAM binding for IAP SSH</li> <li>OS Login configuration</li> <li>startup script verification</li> <li>HTTP health check or internal-only web service testing</li> </ul> terraform googlecloud devops infrastructure Building a Reusable VPC, Subnets, and Firewall Rules Module Abraham Naiborhu Sat, 09 May 2026 07:16:13 +0000 https://dev.to/abrahamparn/building-a-reusable-vpc-subnets-and-firewall-rules-module-10p8 https://dev.to/abrahamparn/building-a-reusable-vpc-subnets-and-firewall-rules-module-10p8 <p>In the previous Terraform labs, I created Google Cloud resources directly from the root configuration.</p> <p>That worked, but the structure was still quite simple.</p> <p>Every resource was defined directly inside the main Terraform configuration. For a small lab, that is fine. But as the infrastructure grows, putting everything in one root configuration can become harder to maintain.</p> <p>So in this lab, I started learning Terraform modules.</p> <p>The goal is to turn the previous VPC and subnet configuration into a reusable local module.</p> <p>But instead of only creating one VPC and one subnet, I made the lab slightly more practical by creating:</p> <ul> <li>one custom VPC network</li> <li>two subnets</li> <li>two firewall rules</li> <li>reusable module inputs</li> <li>module outputs</li> <li>remote state using Google Cloud Storage</li> </ul> <h2> What is a Terraform Module? </h2> <p>A Terraform module is a collection of Terraform configuration files that are managed together.</p> <p>In simple terms, a module is like a reusable infrastructure component.</p> <p>For this lab, I created a local module called:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network </code></pre> </div> <p>This module is responsible for creating the GCP network resources.</p> <p>The root configuration calls that module and passes values into it.</p> <h2> Root Module vs Child Module </h2> <p>The folder where I run Terraform commands is the root module.</p> <p>In this lab, the root module is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>05-gcp-network-module/ </code></pre> </div> <p>The reusable child module is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>05-gcp-network-module/modules/gcp-network/ </code></pre> </div> <p>The root module is the entry point.</p> <p>The child module is the reusable implementation.</p> <p>The mental model is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Root module = caller Child module = reusable implementation Child module variables = function parameters Child module outputs = return values </code></pre> </div> <p>Since I have written JavaScript before, this feels similar to calling a function.</p> <p>The root module passes values into the child module, and the child module creates the infrastructure based on those values.</p> <h2> Final Folder Structure </h2> <p>The folder structure for this lab is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>05-gcp-network-module/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars ├── terraform.tfvars.example └── modules/ └── gcp-network/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p>For GitHub, I only commit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>05-gcp-network-module/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars.example └── modules/ └── gcp-network/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p>I do not commit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars .terraform/ terraform.tfstate </code></pre> </div> <h2> Backend Configuration </h2> <p>This lab still uses remote state with Google Cloud Storage.</p> <p>In <code>backend.tf</code>, I configured the GCS backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/05-gcp-network-module"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The bucket is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state </code></pre> </div> <p>The state path is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab/05-gcp-network-module/default.tfstate </code></pre> </div> <p>Each lab should have its own state prefix.</p> <p>This avoids accidentally mixing state from different labs.</p> <h2> Root <code>main.tf</code> </h2> <p>The root <code>main.tf</code> configures the provider and calls the child module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">firewall_rules</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> </code></pre> </div> <p>The most important part is this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="p">}</span> </code></pre> </div> <p>This tells Terraform to use the local module inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network </code></pre> </div> <p>The root module passes values such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="nx">region</span> <span class="nx">network_name</span> <span class="nx">subnets</span> <span class="nx">firewall_rules</span> </code></pre> </div> <p>into the child module.</p> <h2> Root <code>variables.tf</code> </h2> <p>In the root <code>variables.tf</code>, I declared the values that the lab accepts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">project</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"The project variable must not be empty."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Default Google Cloud region for regional resources."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"asia-southeast2"</span><span class="p">,</span> <span class="s2">"asia-southeast1"</span><span class="p">,</span> <span class="s2">"us-central1"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Region must be one of: asia-southeast2, asia-southeast1, or us-central1."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name used for resource naming."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">,</span> <span class="s2">"prod"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Environment must be one of: dev, staging, or prod."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"network-module"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z]([-a-z0-9]*[a-z0-9])?$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Network name must use lowercase letters, numbers, and hyphens. It must start with a letter and end with a letter or number."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Map of subnets to create inside the VPC."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">alltrue</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">subnet_key</span><span class="p">,</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="err">:</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z]([-a-z0-9]*[a-z0-9])?$"</span><span class="p">,</span> <span class="nx">subnet_key</span><span class="p">))</span> <span class="err">&amp;&amp;</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">cidr_range</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="p">])</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Each subnet key must be a valid lowercase name, and each cidr_range must be a valid CIDR block."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"firewall_rules"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Map of ingress firewall rules to create."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">),</span> <span class="p">[])</span> <span class="nx">allow</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">))</span> <span class="p">}))</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">alltrue</span><span class="p">(</span><span class="nx">flatten</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">rule_name</span><span class="p">,</span> <span class="nx">rule</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="err">:</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">source_range</span> <span class="nx">in</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="err">:</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">source_range</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="p">]</span> <span class="p">]))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Every firewall source range must be a valid CIDR block."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This is more advanced than the previous labs because I am no longer passing only simple strings.</p> <p>For <code>subnets</code>, I used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">map</span><span class="err">(</span><span class="nx">object</span><span class="err">(</span><span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span><span class="err">))</span> </code></pre> </div> <p>For <code>firewall_rules</code>, I used a more complex object structure because each firewall rule can contain:</p> <ul> <li>description</li> <li>source ranges</li> <li>target tags</li> <li>allowed protocols and ports</li> </ul> <h2> Child Module <code>variables.tf</code> </h2> <p>Inside the child module, I also declared the variables that the module expects.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network/variables.tf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name used for resource naming."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Default Google Cloud region for regional resources."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Map of subnets to create inside the VPC."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"firewall_rules"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Map of ingress firewall rules to create."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">),</span> <span class="p">[])</span> <span class="nx">allow</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">))</span> <span class="p">}))</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <p>At first, having variables in both the root module and child module felt repetitive.</p> <p>But the purpose is different.</p> <p>The root variables receive values from the outside, usually from <code>terraform.tfvars</code>.</p> <p>The child module variables define the input contract of the reusable module.</p> <p>The flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars ↓ root variables.tf ↓ root main.tf module block ↓ child module variables.tf ↓ child module main.tf resources </code></pre> </div> <h2> Child Module <code>main.tf</code> </h2> <p>Inside the child module, I defined the actual GCP resources.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network/main.tf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">final_network_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">final_network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}-subnet"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">coalesce</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">region</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_range</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"ingress_rules"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"INGRESS"</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">target_tags</span> <span class="nx">dynamic</span> <span class="s2">"allow"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">allow</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ports</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>There are several important concepts here.</p> <h2> Using <code>locals</code> </h2> <p>I used a local value to build the final network name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">final_network_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> <span class="p">}</span> </code></pre> </div> <p>This means if:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"network-module"</span> </code></pre> </div> <p>then the final network name becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-network-module </code></pre> </div> <h2> Creating Multiple Subnets with <code>for_each</code> </h2> <p>Instead of creating subnet resources one by one, I used <code>for_each</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}-subnet"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">coalesce</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">region</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>This lets Terraform create multiple subnet resources from a map.</p> <p>For example, in my <code>terraform.tfvars</code>, I defined:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.40.1.0/24"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.40.2.0/24"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Terraform then creates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-app-subnet dev-db-subnet </code></pre> </div> <p>This is better than duplicating two separate <code>google_compute_subnetwork</code> blocks.</p> <h2> Creating Firewall Rules with <code>for_each</code> </h2> <p>I also used <code>for_each</code> for firewall rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"ingress_rules"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"INGRESS"</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">target_tags</span> <span class="nx">dynamic</span> <span class="s2">"allow"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">allow</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ports</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This allows me to define firewall rules from a map instead of hardcoding each rule directly in the module.</p> <h2> Using a Dynamic Block </h2> <p>The firewall rule uses a dynamic block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">dynamic</span> <span class="s2">"allow"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">allow</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ports</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>I used this because a firewall rule can allow multiple protocols.</p> <p>For example, the internal rule allows:</p> <ul> <li>TCP</li> <li>UDP</li> <li>ICMP</li> </ul> <p>Instead of hardcoding multiple <code>allow</code> blocks, the dynamic block generates them from the input value.</p> <h2> Child Module Outputs </h2> <p>The child module also exposes outputs.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network/outputs.tf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"network_self_link"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The self-link of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Subnets created by this module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet_key</span><span class="p">,</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnets</span> <span class="err">:</span> <span class="nx">subnet_key</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">region</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="nx">self_link</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"firewall_rules"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Firewall rules created by this module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">rule_key</span><span class="p">,</span> <span class="nx">rule</span> <span class="nx">in</span> <span class="nx">google_compute_firewall</span><span class="p">.</span><span class="nx">ingress_rules</span> <span class="err">:</span> <span class="nx">rule_key</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">name</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">id</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">target_tags</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>These outputs allow the root module to consume and display the values created inside the child module.</p> <h2> Root Outputs </h2> <p>The root module then exposes selected module outputs.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>outputs.tf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The VPC network name created by the network module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The VPC network ID created by the network module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Subnets created by the network module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"firewall_rules"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Firewall rules created by the network module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"lab_summary"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Summary of this module-based network lab."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnet_count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span><span class="p">)</span> <span class="nx">firewall_count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">firewall_rules</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The root output references the child module output like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">network_name</span> </code></pre> </div> <p>This means:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Get the network_name output from the network module. </code></pre> </div> <h2> <code>terraform.tfvars</code> </h2> <p>For local values, I used <code>terraform.tfvars</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"terraform-gcp-learning-lab"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"network-module"</span> <span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.40.1.0/24"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.40.2.0/24"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-iap-ssh</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH through IAP only."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.235.240.0/20"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"22"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-internal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow internal traffic between lab subnets."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.40.0.0/16"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This creates:</p> <ul> <li>one VPC</li> <li>two subnets</li> <li>two firewall rules</li> </ul> <p>The IAP SSH source range is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>This is used for Identity-Aware Proxy TCP forwarding.</p> <p>I used this instead of opening SSH to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0.0.0.0/0 </code></pre> </div> <p>because opening SSH to the whole internet is not a good habit.</p> <h2> Initialize Terraform </h2> <p>After preparing the files, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>Because this lab uses a module, Terraform also initialized the module.</p> <p>The expected output includes something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Initializing modules... - network in modules/gcp-network </code></pre> </div> <p>This is different from the previous labs.</p> <p>Previously, Terraform initialized only the backend and provider.</p> <p>Now, Terraform also recognizes the local child module.</p> <h2> Format and Validate </h2> <p>Because this lab has Terraform files inside the module folder, I used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> </code></pre> </div> <p>Then I validated the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Plan </h2> <p>Next, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>The expected plan was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 5 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>Terraform planned to create:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network.google_compute_network.vpc_network module.network.google_compute_subnetwork.subnets["app"] module.network.google_compute_subnetwork.subnets["db"] module.network.google_compute_firewall.ingress_rules["allow-iap-ssh"] module.network.google_compute_firewall.ingress_rules["allow-internal"] </code></pre> </div> <p>This is an important difference.</p> <p>Previously, resource addresses looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>google_compute_network.vpc_network </code></pre> </div> <p>Now, because the resource is created inside a module, the address starts with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network </code></pre> </div> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network.google_compute_network.vpc_network </code></pre> </div> <p>This means the resource is managed inside the <code>network</code> module.</p> <h2> Apply </h2> <p>After reviewing the plan, I applied the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Then I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Terraform created the resources successfully.</p> <h2> Terraform Output </h2> <p>After the apply completed, I checked the outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>The result was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>firewall_rules = { "allow-iap-ssh" = { "id" = "projects/terraform-gcp-learning-lab/global/firewalls/dev-allow-iap-ssh" "name" = "dev-allow-iap-ssh" "source_ranges" = toset([ "35.235.240.0/20", ]) "target_tags" = toset([ "iap-ssh", ]) } "allow-internal" = { "id" = "projects/terraform-gcp-learning-lab/global/firewalls/dev-allow-internal" "name" = "dev-allow-internal" "source_ranges" = toset([ "10.40.0.0/16", ]) "target_tags" = toset(null) /* of string */ } } lab_summary = { "environment" = "dev" "firewall_count" = 2 "network_name" = "dev-network-module" "project" = "terraform-gcp-learning-lab" "region" = "asia-southeast2" "subnet_count" = 2 } network_id = "projects/terraform-gcp-learning-lab/global/networks/dev-network-module" network_name = "dev-network-module" subnets = { "app" = { "cidr_range" = "10.40.1.0/24" "id" = "projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" "name" = "dev-app-subnet" "region" = "asia-southeast2" "self_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" } "db" = { "cidr_range" = "10.40.2.0/24" "id" = "projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-db-subnet" "name" = "dev-db-subnet" "region" = "asia-southeast2" "self_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-db-subnet" } } </code></pre> </div> <p>The output confirms that Terraform created:</p> <ul> <li>one VPC network</li> <li>two subnets</li> <li>two firewall rules</li> </ul> <p>The <code>lab_summary</code> output is especially useful because it gives a quick summary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>firewall_count = 2 subnet_count = 2 network_name = "dev-network-module" </code></pre> </div> <h2> Verify the VPC in Google Cloud </h2> <p>I also verified the VPC using the Google Cloud CLI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks list <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-network-module"</span> </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME SUBNET_MODE BGP_ROUTING_MODE IPV4_RANGE GATEWAY_IPV4 INTERNAL_IPV6_RANGE dev-network-module CUSTOM REGIONAL </code></pre> </div> <p>This confirms that the VPC network was created in custom subnet mode.</p> <h2> Verify the Subnets </h2> <p>Then I checked the subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks subnets list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"network:dev-network-module"</span> </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME REGION NETWORK RANGE STACK_TYPE IPV6_ACCESS_TYPE INTERNAL_IPV6_PREFIX EXTERNAL_IPV6_PREFIX UTILIZATION_DETAILS dev-app-subnet asia-southeast2 dev-network-module 10.40.1.0/24 IPV4_ONLY dev-db-subnet asia-southeast2 dev-network-module 10.40.2.0/24 IPV4_ONLY </code></pre> </div> <p>This confirms that both subnets were created:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Subnet</th> <th>CIDR Range</th> </tr> </thead> <tbody> <tr> <td><code>dev-app-subnet</code></td> <td><code>10.40.1.0/24</code></td> </tr> <tr> <td><code>dev-db-subnet</code></td> <td><code>10.40.2.0/24</code></td> </tr> </tbody> </table></div> <h2> Verify Remote State </h2> <p>Because this lab uses the GCS backend, I verified the remote state file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/05-gcp-network-module/ </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/05-gcp-network-module/default.tfstate </code></pre> </div> <p>This confirms that the Terraform state is stored in Google Cloud Storage.</p> <h2> Destroy </h2> <p>Because this is still a learning lab, I destroyed the resources after testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Then I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Terraform destroyed the resources managed by this lab.</p> <p>The GCS state bucket was not destroyed because it was created outside this Terraform configuration.</p> <h2> What I Learned </h2> <p>This lab helped me understand Terraform modules much better.</p> <p>Previously, I created infrastructure directly in the root configuration.</p> <p>Now, I separated the configuration into two layers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Root module = decides what to deploy Child module = defines how to deploy it </code></pre> </div> <p>The root module calls the child module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="p">}</span> </code></pre> </div> <p>The child module creates the actual resources:</p> <ul> <li>VPC</li> <li>subnets</li> <li>firewall rules</li> </ul> terraform googlecloud devops infrastructure Terraform tfvars and Safer Variable Values Abraham Naiborhu Sat, 09 May 2026 07:07:52 +0000 https://dev.to/abrahamparn/terraform-tfvars-and-safer-variable-values-4eon https://dev.to/abrahamparn/terraform-tfvars-and-safer-variable-values-4eon <p>In the previous lab, I configured Terraform remote state using Google Cloud Storage. I like that, but there was still one part of the workflow that i think can be automated.</p> <p>Every time I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Terraform asked me to manually enter the Google Cloud project ID. I don't like that. So in this lab, I will improve the configuration by introducing:</p> <ul> <li><code>terraform.tfvars</code></li> <li><code>terraform.tfvars.example</code></li> <li>safer GitHub patterns</li> <li>variable validation</li> <li>cleaner environment-based naming</li> </ul> <p>The goal is not only to make Terraform stop asking for the project ID manually.</p> <p>The goal is to make the configuration cleaner, safer, and closer to how Terraform is usually managed in a real project.</p> <p>Reference: <a href="https://developer.hashicorp.com/terraform/language/values/variables" rel="noopener noreferrer">terraform website</a></p> <h2> Goals </h2> <p>The goals for this lab are simple:</p> <ol> <li>Use <code>terraform.tfvars</code> to provide local variable values.</li> <li>Stop typing the project ID manually during <code>terraform plan</code> and <code>terraform apply</code>.</li> <li>Use <code>terraform.tfvars.example</code> as a safe template for GitHub.</li> <li>Keep the real <code>terraform.tfvars</code> file out of version control.</li> <li>Add validation rules to prevent bad variable values.</li> <li>Continue using Google Cloud Storage as the remote backend.</li> </ol> <h2> Previous Problem </h2> <p>In the previous configuration, I declared the <code>project</code> variable like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>Because this variable does not have a default value, Terraform asked me to enter it manually.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform would ask:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>var.project The Google Cloud project ID where resources will be created. Enter a value: </code></pre> </div> <p>Then I had to type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab </code></pre> </div> <p>The same thing happened when running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>This works, but it is repetitive.</p> <p>A better way is to provide variable values using a <code>terraform.tfvars</code> file.</p> <h2> What is <code>terraform.tfvars</code>? </h2> <p><code>terraform.tfvars</code> is a variable definition file.</p> <p>Instead of manually typing variable values in the terminal, I can store those values in a file.</p> <p>Terraform automatically loads a file named:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>when running commands like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan terraform apply terraform destroy </code></pre> </div> <p>This means I can define the values once and reuse them across Terraform commands.</p> <h2> Final Folder Structure </h2> <p>For this lab, my folder structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>04-tfvars-safe-variable-values/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars ├── terraform.tfvars.example └── README.md </code></pre> </div> <p>However, for GitHub, I should only commit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>04-tfvars-safe-variable-values/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars.example └── README.md </code></pre> </div> <p>I should not commit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>because real <code>.tfvars</code> files can contain environment-specific values or sensitive values.</p> <h2> Step 1: Configure the GCS Backend </h2> <p>Because the previous lab already created a GCS bucket for Terraform state, I reused the same bucket.</p> <p>My state bucket is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state </code></pre> </div> <p>In <code>backend.tf</code>, I added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/04-tfvars-safe-variable-values"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The important part here is the <code>prefix</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">prefix</span> <span class="err">=</span> <span class="s2">"terraform-gcp-learning-lab/04-tfvars-safe-variable-values"</span> </code></pre> </div> <p>This gives the lab its own remote state path.</p> <p>I do not want this lab to share the same state file as the previous remote state lab. Each lab should have its own isolated state path to avoid state collision.</p> <h2> Step 2: Create <code>variables.tf</code> </h2> <p>Next, I created <code>variables.tf</code>.</p> <p>This time, I did not only declare basic variables. I also added:</p> <ul> <li>descriptions</li> <li>types</li> <li>default values</li> <li>validation rules </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">project</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"The project variable must not be empty."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud region where regional resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"asia-southeast2"</span><span class="p">,</span> <span class="s2">"asia-southeast1"</span><span class="p">,</span> <span class="s2">"us-central1"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Region must be one of: asia-southeast2, asia-southeast1, or us-central1."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name used for resource naming."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">,</span> <span class="s2">"prod"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Environment must be one of: dev, staging, or prod."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"tfvars-network"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z]([-a-z0-9]*[a-z0-9])?$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Network name must use lowercase letters, numbers, and hyphens. It must start with a letter and end with a letter or number."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"tfvars-subnet"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z]([-a-z0-9]*[a-z0-9])?$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_name</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Subnet name must use lowercase letters, numbers, and hyphens. It must start with a letter and end with a letter or number."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range for the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.30.0.0/24"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Subnet CIDR range must be a valid CIDR block, for example 10.30.0.0/24."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This makes the variables more self-documenting.</p> <p>For example, this is better:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud region where regional resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="p">}</span> </code></pre> </div> <p>than only writing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{}</span> </code></pre> </div> <p>The validation rules are also useful because they help catch bad values before Terraform creates or changes infrastructure.</p> <h2> Step 3: Create <code>main.tf</code> </h2> <p>Next, I created <code>main.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.subnet_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>This configuration creates:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>google_compute_network.vpc_network</code></td> <td>A custom VPC network</td> </tr> <tr> <td><code>google_compute_subnetwork.subnet</code></td> <td>A subnet inside the VPC</td> </tr> </tbody> </table></div> <p>The naming is now controlled by variables.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">name</span> <span class="err">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> </code></pre> </div> <p>If:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"tfvars-network"</span> </code></pre> </div> <p>then the final VPC name becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-tfvars-network </code></pre> </div> <p>This is better than hardcoding one static name for every environment.</p> <h2> Step 4: Create <code>outputs.tf</code> </h2> <p>I also created an <code>outputs.tf</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The environment used for this lab."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The final VPC network name."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The VPC network ID."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The final subnet name."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The subnet CIDR range."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"lab_summary"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Summary of the Terraform tfvars lab."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnet</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>lab_summary</code> output is useful because it shows the key values from the lab in one structured output.</p> <h2> Step 5: Create <code>terraform.tfvars</code> </h2> <p>Now I created the real local values file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>terraform.tfvars </code></pre> </div> <p>Inside <code>terraform.tfvars</code>, I added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"terraform-gcp-learning-lab"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"tfvars-network"</span> <span class="nx">subnet_name</span> <span class="err">=</span> <span class="s2">"tfvars-subnet"</span> <span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"10.30.0.0/24"</span> </code></pre> </div> <p>This is the file that Terraform will automatically read.</p> <p>Because of this file, Terraform no longer needs to ask me to enter the <code>project</code> value manually.</p> <h2> Step 6: Create <code>terraform.tfvars.example</code> </h2> <p>The real <code>terraform.tfvars</code> file should not be committed to GitHub.</p> <p>However, I still want other people to understand what values are needed to recreate the lab.</p> <p>So I created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>terraform.tfvars.example </code></pre> </div> <p>Inside <code>terraform.tfvars.example</code>, I added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"your-gcp-project-id"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"tfvars-network"</span> <span class="nx">subnet_name</span> <span class="err">=</span> <span class="s2">"tfvars-subnet"</span> <span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"10.30.0.0/24"</span> </code></pre> </div> <p>This file is safe to commit because it does not contain my actual project-specific values.</p> <p>The pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Commit terraform.tfvars.example. Do not commit terraform.tfvars. </code></pre> </div> <h2> Step 7: Update <code>.gitignore</code> </h2> <p>At the root of my GitHub repository, I updated <code>.gitignore</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Terraform local files .terraform/ *.tfstate *.tfstate.* # Terraform variable files that may contain sensitive or environment-specific values *.tfvars *.tfvars.json # Keep example variable files !*.tfvars.example # Crash logs crash.log crash.*.log # macOS .DS_Store </code></pre> </div> <p>This makes Git ignore real <code>.tfvars</code> files but still allow <code>.tfvars.example</code> files.</p> <p>This is important because <code>.tfvars</code> files may contain values that should not be exposed publicly.</p> <h2> Step 8: Initialize Terraform </h2> <p>After preparing the files, I initialized Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Successfully configured the backend "gcs"! </code></pre> </div> <p>This means Terraform is using the GCS backend for remote state.</p> <h2> Step 9: Format and Validate </h2> <p>Then I formatted the files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> </code></pre> </div> <p>After that, I validated the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Step 10: Run <code>terraform plan</code> </h2> <p>Now I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>This time, Terraform did not ask me to manually enter the project value.</p> <p>That is because Terraform automatically loaded the value from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>Expected plan summary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 2 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>Terraform planned to create:</p> <ul> <li>one custom VPC network</li> <li>one subnet</li> </ul> <p>This is the first improvement of the lab.</p> <p>The workflow is now cleaner because the repeated variable values are stored in a local <code>.tfvars</code> file.</p> <h2> Step 11: Test Variable Validation </h2> <p>Before applying the configuration, I tested the validation rules.</p> <p>First, I intentionally changed the environment value in <code>terraform.tfvars</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"development"</span> </code></pre> </div> <p>Then I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform returned a validation error because the accepted values are only:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev staging prod </code></pre> </div> <p>The expected error is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Environment must be one of: dev, staging, or prod. </code></pre> </div> <p>After testing, I changed it back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> </code></pre> </div> <p>Then I tested the subnet CIDR validation.</p> <p>I changed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"10.30.0.0/24"</span> </code></pre> </div> <p>to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"not-a-cidr"</span> </code></pre> </div> <p>Then I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform returned an error because the value was not a valid CIDR block.</p> <p>The expected error is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Subnet CIDR range must be a valid CIDR block, for example 10.30.0.0/24. </code></pre> </div> <p>After testing, I changed it back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"10.30.0.0/24"</span> </code></pre> </div> <p>This is the second improvement of the lab.</p> <p>Terraform does not only accept values from <code>terraform.tfvars</code>. It can also validate whether the values are acceptable before creating infrastructure.</p> <h2> Step 12: Apply the Configuration </h2> <p>After confirming that the validation works, I applied the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Terraform showed the execution plan and asked for confirmation.</p> <p>I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Apply complete! Resources: 2 added, 0 changed, 0 destroyed. </code></pre> </div> <p>Terraform also displayed the outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Outputs: environment = "dev" subnet_cidr_range = "10.30.0.0/24" subnet_name = "dev-tfvars-subnet" vpc_network_name = "dev-tfvars-network" lab_summary = { "cidr" = "10.30.0.0/24" "environment" = "dev" "network" = "dev-tfvars-network" "project" = "terraform-gcp-learning-lab" "region" = "asia-southeast2" "subnet" = "dev-tfvars-subnet" } </code></pre> </div> <p>The exact output may look slightly different depending on the project and Terraform output order.</p> <h2> Step 13: Verify Remote State </h2> <p>Because this lab uses the GCS backend, I verified that the remote state was created in the correct path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/04-tfvars-safe-variable-values/ </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/04-tfvars-safe-variable-values/default.tfstate </code></pre> </div> <p>This confirms that the lab still uses remote state, but now with cleaner variable handling.</p> <h2> Step 14: Query Outputs </h2> <p>I can query all outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>I can also query the summary output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output lab_summary </code></pre> </div> <p>Or get the output in JSON format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output <span class="nt">-json</span> </code></pre> </div> <p>The JSON output can be useful when Terraform output needs to be consumed by another tool or script.</p> <h2> Step 15: Destroy the Infrastructure </h2> <p>Because this is only a learning lab, I destroyed the resources after testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Terraform showed the destroy plan and asked for confirmation.</p> <p>I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Destroy complete! Resources: 2 destroyed. </code></pre> </div> <p>The GCS bucket is not destroyed because it was not created by this Terraform configuration.</p> <h2> What I Learned </h2> <p>The main lesson from this lab is that Terraform variable management is not only about convenience.</p> <p>At first, I only wanted to avoid typing the project ID repeatedly.</p> <p>But after adding <code>terraform.tfvars</code>, <code>terraform.tfvars.example</code>, <code>.gitignore</code>, and validation rules, I realized that variable management also affects:</p> <ul> <li>safety</li> <li>repeatability</li> <li>collaboration</li> <li>repository hygiene</li> <li>infrastructure naming consistency</li> </ul> <h2> Next Step </h2> <p>This lab improved the variable workflow.</p> <p>The next logical step is to make the Terraform configuration reusable by introducing modules.</p> <p>So far, every lab defines resources directly in the root configuration.</p> <p>In the next lab, I want to learn how to turn the VPC and subnet configuration into a reusable Terraform module.</p> terraform googlecloud devops infrastructureascode Storing Terraform State in Google Cloud Storage Abraham Naiborhu Thu, 07 May 2026 08:19:10 +0000 https://dev.to/abrahamparn/storing-terraform-state-in-google-cloud-storage-14de https://dev.to/abrahamparn/storing-terraform-state-in-google-cloud-storage-14de <p>Again with another journey of mine!<br> In my previous Terraform labs, I created Google Cloud resources using Terraform with local state. By default, Terraform stores state locally in a file called:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfstate </code></pre> </div> <p>Previously, we are doing this locally, and now i want to try it in GCS (google cloud storage) to store my remote state. </p> <p>In this article, I will move from local Terraform state to remote state using Google Cloud Storage. Thus, my goal is to use the remote state using Google Cloud Storage.</p> <h2> What This Lab Creates </h2> <p>We will create:</p> <ul> <li>a Google Cloud Storage bucket for Terraform state</li> <li>a Terraform GCS backend configuration</li> <li>a custom VPC network</li> <li>a custom subnet</li> <li>a remote Terraform state file stored in GCS</li> </ul> <p>My state bucket name is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state </code></pre> </div> <p>The state path in the bucket is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/03-remote-state-gcs/default.tfstate </code></pre> </div> <h2> Why Remote State Matters </h2> <p>Terraform state is important because it tracks the relationship between Terraform configuration and real infrastructure.</p> <p>For example, when Terraform creates a VPC, it stores information about that VPC in the state file.</p> <p>So, when i run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform compares:</p> <ol> <li>my current Terraform configuration</li> <li>the current state</li> <li>the real infrastructure in Google Cloud</li> </ol> <p>Then Terraform decides what needs to be created, changed, or destroyed.</p> <p>This is why state management is important.</p> <p>If I only store state locally, it becomes harder to collaborate, recover, or operate Terraform safely.</p> <p>Using Google Cloud Storage as the backend helps move the state file away from my local laptop and into a remote location.</p> <h2> Step 1: Set Environment Variables </h2> <p>First, I set the environment variables for my project, state bucket, and region.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">PROJECT_ID</span><span class="o">=</span>terraform-gcp-learning-lab <span class="nb">export </span><span class="nv">STATE_BUCKET</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span><span class="s2">-terraform-state"</span> <span class="nb">export </span><span class="nv">REGION</span><span class="o">=</span><span class="s2">"asia-southeast2"</span> </code></pre> </div> <p>In my case:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PROJECT_ID = terraform-gcp-learning-lab STATE_BUCKET = terraform-gcp-learning-lab-terraform-state REGION = asia-southeast2 </code></pre> </div> <p>I used <code>asia-southeast2</code> because this is the Jakarta region and currently I am in Jakarta.</p> <h2> Step 2: Create the GCS Bucket </h2> <p>Next, I created the Google Cloud Storage bucket that will store the Terraform state.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage buckets create gs://<span class="k">${</span><span class="nv">STATE_BUCKET</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span><span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--location</span><span class="o">=</span><span class="k">${</span><span class="nv">REGION</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--uniform-bucket-level-access</span> </code></pre> </div> <p>This creates a GCS bucket with uniform bucket-level access enabled.</p> <p>Uniform bucket-level access means access control is managed at the bucket level using IAM, instead of mixing IAM and object-level ACLs.</p> <h2> Step 3: Enable Bucket Versioning </h2> <p>After creating the bucket, I enabled versioning.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage buckets update gs://<span class="k">${</span><span class="nv">STATE_BUCKET</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--versioning</span> </code></pre> </div> <p>This is useful because Terraform state is important. So if you change it or remove it, you can go back to the previous version anytime you want.</p> <p>If the state file is accidentally overwritten, bucket versioning can help provide a recovery path.</p> <h2> Step 3: Enable Bucket Versioning </h2> <p>After creating the bucket, I enabled versioning.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage buckets update gs://<span class="k">${</span><span class="nv">STATE_BUCKET</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--versioning</span> </code></pre> </div> <p>This is useful because Terraform state is important.</p> <p>If the state file is accidentally overwritten, bucket versioning can help provide a recovery path.</p> <p>I created a new folder for this lab:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>03-remote-state-gcs <span class="nb">cd </span>03-remote-state-gcs </code></pre> </div> <p>Then I created the Terraform files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>backend.tf main.tf variables.tf outputs.tf </code></pre> </div> <p>The folder structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>03-remote-state-gcs/ ├── backend.tf ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <h2> Step 5: Configure the GCS Backend </h2> <p>The backend configuration tells Terraform where to store state.</p> <p>In <code>backend.tf</code>, I added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/03-remote-state-gcs"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>bucket</code> is the GCS bucket name.</p> <p>The <code>prefix</code> is the path inside the bucket where Terraform will store the state file.</p> <p>In this lab, Terraform will store the state at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/03-remote-state-gcs/default.tfstate </code></pre> </div> <p>One important note:</p> <p>Backend configuration cannot use normal Terraform variables like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">bucket</span> <span class="err">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">bucket_name</span> </code></pre> </div> <p>That is because Terraform needs to configure the backend before it evaluates variables.</p> <p>So for this beginner lab, I hardcoded the bucket name directly inside <code>backend.tf</code>.</p> <h2> Step 6: Create <code>variables.tf</code> </h2> <p>Next, I created the input variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud region where regional resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"remote-state-network"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"remote-state-subnet"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range for the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.20.0.0/24"</span> <span class="p">}</span> </code></pre> </div> <p>The <code>project</code> variable does not have a default value.</p> <p>This means Terraform will ask me to provide the project ID when running commands such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <h2> Step 7: Create <code>main.tf</code> </h2> <p>This is my <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>This configuration creates two resources:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>google_compute_network.vpc_network</code></td> <td>Custom VPC network</td> </tr> <tr> <td><code>google_compute_subnetwork.subnet</code></td> <td>Subnet inside the VPC</td> </tr> </tbody> </table></div> <p>I set:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">auto_create_subnetworks</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p>because I want to create a custom mode VPC.</p> <p>That means the subnet is created explicitly by Terraform instead of being automatically created by Google Cloud.</p> <h2> Step 8: Create <code>outputs.tf</code> </h2> <p>I also created a simple <code>outputs.tf</code> file to display useful information after the resources are created.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"vpc_network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the subnet."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range of the subnet."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>These outputs make it easier to see selected infrastructure information after running <code>terraform apply</code>.</p> <h2> Step 9: Initialize Terraform </h2> <p>Before applying the configuration, I initialized Terraform.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>This command initializes the working directory, downloads the provider, and configures the GCS backend.</p> <p>The important part is this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Successfully configured the backend "gcs"! </code></pre> </div> <p>This means Terraform is now configured to store state in Google Cloud Storage.</p> <h2> Step 10: Format and Validate </h2> <p>After initialization, I formatted the Terraform files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> </code></pre> </div> <p>Then I validated the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Step 11: Run Terraform Plan </h2> <p>Next, I reviewed the execution plan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Because the <code>project</code> variable does not have a default value, Terraform asked me to enter it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>var.project The Google Cloud project ID where resources will be created. Enter a value: </code></pre> </div> <p>I entered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab </code></pre> </div> <p>Terraform then generated a plan.</p> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 2 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>Terraform planned to create:</p> <ul> <li>one VPC network</li> <li>one subnet</li> </ul> <h2> Step 12: Apply the Configuration </h2> <p>After reviewing the plan, I applied the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Terraform asked for the project value again.</p> <p>I entered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab </code></pre> </div> <p>Then Terraform asked for confirmation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: </code></pre> </div> <p>I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>After the apply finished, Terraform created the VPC and subnet.</p> <h2> Step 13: Verify the State File in GCS </h2> <p>After applying the configuration, I checked the bucket.</p> <p>The state file was created under this path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/03-remote-state-gcs/default.tfstate </code></pre> </div> <p>This confirms that Terraform state is now stored in Google Cloud Storage.</p> <p>To check it using the CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://<span class="k">${</span><span class="nv">STATE_BUCKET</span><span class="k">}</span>/terraform-gcp-learning-lab/03-remote-state-gcs/ </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/03-remote-state-gcs/default.tfstate </code></pre> </div> <p>This is the key result of the lab.</p> <p>The infrastructure is still managed by Terraform, but the state is no longer stored only as a local <code>terraform.tfstate</code> file.</p> <h2> Step 14: Query the Outputs </h2> <p>I can still query outputs normally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>Even though the state is remote, Terraform commands still work from my local terminal.</p> <p>The difference is that Terraform reads and writes state from the GCS backend.</p> <h2> Step 15: Destroy the Infrastructure </h2> <p>Because this is only a learning lab, I destroyed the resources after testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Terraform asked for the project value again.</p> <p>Then it showed the destroy plan.</p> <p>I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>This destroyed the VPC and subnet managed by Terraform.</p> <p>Important note:</p> <p>This does not delete the GCS bucket because the bucket was created manually using <code>gcloud</code>, not by this Terraform configuration.</p> <h2> What I Learned </h2> <p>In this lab, I learned that Terraform state is one of the most important parts of Terraform.</p> <p>Previously, my Terraform state was stored locally.</p> <p>After this lab, my Terraform state is stored remotely in Google Cloud Storage.</p> <h2> Next Step </h2> <p>This lab still asks me to enter the <code>project</code> variable manually.</p> <p>In the next article, I want to improve the workflow by using:</p> <ul> <li><code>terraform.tfvars</code></li> <li>cleaner variable values</li> <li>safer GitHub patterns using <code>terraform.tfvars.example</code> </li> </ul> <p>That should make the Terraform workflow more practical and less repetitive.</p> terraform googlecloud devops infrastructureascode Terraform Outputs on GCP: Querying Useful Data from a VPC, Subnet, and VM Abraham Naiborhu Tue, 05 May 2026 16:08:17 +0000 https://dev.to/abrahamparn/terraform-outputs-on-gcp-querying-useful-data-from-a-vpc-subnet-and-vm-3nek https://dev.to/abrahamparn/terraform-outputs-on-gcp-querying-useful-data-from-a-vpc-subnet-and-vm-3nek <p>Hi, we are back again. Previously, I created a simple Google Cloud VPC and then improved the configuration by introducing variables.</p> <p>This time, I want to continue with another Terraform concept: <strong>outputs</strong>. But, we will not be using the previous code, because adding outputs for one vpc is too simple. So, I made the lab slightly more practical.</p> <p>In this lab, I will create:</p> <ul> <li>a custom VPC network</li> <li>a subnet with a defined CIDR range</li> <li>a small Compute Engine VM</li> <li>Terraform outputs to query useful information after provisioning</li> </ul> <p>The goal is to understand how Terraform outputs can expose important infrastructure data after resources are created.</p> <p>Reference: <a href="https://developer.hashicorp.com/terraform/tutorials/gcp-get-started/google-cloud-platform-outputs" rel="noopener noreferrer">Hasicorp website about gcp tutorial</a></p> <h2> Why Outputs Matter </h2> <p>When Terraform creates infrastructure, it stores a lot of resource data in the state file. However, as users, we usually do not need to read everything.</p> <p>Most of the time, we only care about specific values, such as:</p> <ul> <li>the VM internal IP address</li> <li>the VPC name</li> <li>the subnet CIDR range</li> <li>the VM self-link</li> <li>a structured summary of the created resources</li> </ul> <p>This is where outputs are useful.</p> <p>Outputs allow us to expose selected resource information after <code>terraform apply</code>.</p> <p>They can also be queried later using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <h2> What This Lab Builds </h2> <p>This lab creates three Google Cloud resources:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>google_compute_network.vpc_network</code></td> <td>Custom VPC network</td> </tr> <tr> <td><code>google_compute_subnetwork.subnet</code></td> <td>Regional subnet inside the VPC</td> </tr> <tr> <td><code>google_compute_instance.vm_instance</code></td> <td>Small Compute Engine VM inside the subnet</td> </tr> </tbody> </table></div> <p>The VM will be created without an external public IP address.</p> <p>This happens because the <code>network_interface</code> block does not include an <code>access_config</code> block.</p> <p>For this lab, that is fine because the goal is not to SSH into the VM or expose an application. The goal is to learn how Terraform outputs work.</p> <h2> Create a new lab folder </h2> <p>Because this is a new lab, I created a new folder.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>learn-terraform-gcp-lab-output <span class="nb">cd </span>learn-terraform-gcp-lab-output </code></pre> </div> <p><br> Then create three files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>main.tf variables.tf outputs.tf </code></pre> </div> <p>The folder should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>learn-terraform-gcp-lab-output/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <h2> Create <code>variables.tf</code> </h2> <p>First, open <code>variables.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano variables.tf </code></pre> </div> <p>Then add the following variable declarations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud region where regional resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"zone"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud zone where the VM instance will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1-c"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"terraform-output-network"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"terraform-output-subnet"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range for the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.10.0.0/24"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the Compute Engine VM instance."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"terraform-output-vm"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"machine_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The machine type for the Compute Engine VM instance."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"e2-micro"</span> <span class="p">}</span> </code></pre> </div> <p>This file only declares the input variables Terraform can accept.</p> <p>The important distinction is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>variables.tf declares input variables. main.tf uses those variables. outputs.tf exposes selected resource data after apply. </code></pre> </div> <h2> Create <code>main.tf</code> </h2> <p>Next, open <code>main.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano main.tf </code></pre> </div> <p>Then add the following Terraform configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_instance"</span> <span class="s2">"vm_instance"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">boot_disk</span> <span class="p">{</span> <span class="nx">initialize_params</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"debian-cloud/debian-12"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Understanding <code>main.tf</code> </h3> <h4> Google Provider </h4> <p>The provider block tells Terraform which Google Cloud project, region, and zone to use.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="p">}</span> </code></pre> </div> <p>The values come from the variables declared in <code>variables.tf</code>.</p> <h4> Custom VPC Network </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p>This creates a custom VPC network.</p> <p>The important part is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">auto_create_subnetworks</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p>This means Google Cloud will not automatically create subnets for us.</p> <p>Instead, we will define our own subnet manually.</p> <h4> Subnet </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>This creates a subnet inside the VPC.</p> <p>The subnet uses this CIDR range:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10.10.0.0/24 </code></pre> </div> <p>This value comes from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">var</span><span class="err">.</span><span class="nx">subnet_cidr_range</span> </code></pre> </div> <h4> Compute Engine VM </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_instance"</span> <span class="s2">"vm_instance"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">boot_disk</span> <span class="p">{</span> <span class="nx">initialize_params</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"debian-cloud/debian-12"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This creates a small Compute Engine VM using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>e2-micro </code></pre> </div> <p>The VM is attached to the subnet using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnetwork</span> <span class="err">=</span> <span class="nx">google_compute_subnetwork</span><span class="err">.</span><span class="nx">subnet</span><span class="err">.</span><span class="nx">id</span> </code></pre> </div> <p>Because there is no <code>access_config</code> block, this VM does not get an external public IP address.</p> <p>It only receives an internal IP address from the subnet.</p> <h2> Create <code>outputs.tf</code> </h2> <p>Now we create the output definitions.</p> <p>Open <code>outputs.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano outputs.tf </code></pre> </div> <p>Then add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"vpc_network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the VPC network created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the subnet created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range of the subnet created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_instance_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VM instance created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_instance_zone"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The zone where the VM instance was created."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">zone</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_internal_ip"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The internal IP address of the VM instance."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">network_interface</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">network_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_self_link"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The self-link of the VM instance."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"lab_summary"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"A structured summary of the resources created in this lab."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnet_name</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnet_cidr</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="nx">vm_name</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">name</span> <span class="nx">vm_internal_ip</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">network_interface</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">network_ip</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This is the main focus of the lab.</p> <p>Instead of only creating resources, we are selecting which resource attributes should be easy to view after provisioning.</p> <h2> Format the Terraform Files </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> </code></pre> </div> <p>This formats the Terraform configuration files.</p> <p>Initialize Terraform</p> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>This initializes the working directory and downloads the Google provider.</p> <h2> Validate the Configuration </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Success! The configuration is valid. </code></pre> </div> <h2> Apply the Configuration </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Because the <code>project</code> variable does not have a default value, Terraform will ask for it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>var.project The Google Cloud project ID where resources will be created. Enter a value: </code></pre> </div> <p>Enter your Google Cloud project ID.</p> <p>Terraform will show the execution plan.</p> <p>In my case, Terraform planned to create three resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 3 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>The resources were:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>google_compute_network.vpc_network google_compute_subnetwork.subnet google_compute_instance.vm_instance </code></pre> </div> <p>Terraform also showed that some output values were only known after apply:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_internal_ip = (known after apply) vm_self_link = (known after apply) </code></pre> </div> <p>That makes sense because the VM internal IP and self-link do not exist until Google Cloud creates the VM.</p> <p>After reviewing the plan, type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">yes</span> </code></pre> </div> <h2> Apply Result </h2> <p>After Terraform finished provisioning, my output looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Apply complete! Resources: 3 added, 0 changed, 0 destroyed. Outputs: lab_summary = { "project" = "terraform-gcp-learning-lab" "region" = "us-central1" "subnet_cidr" = "10.10.0.0/24" "subnet_name" = "terraform-output-subnet" "vm_internal_ip" = "10.10.0.2" "vm_name" = "terraform-output-vm" "vpc_name" = "terraform-output-network" "zone" = "us-central1-c" } subnet_cidr_range = "10.10.0.0/24" subnet_name = "terraform-output-subnet" vm_instance_name = "terraform-output-vm" vm_instance_zone = "us-central1-c" vm_internal_ip = "10.10.0.2" vpc_network_id = "projects/terraform-gcp-learning-lab/global/networks/terraform-output-network" vpc_network_name = "terraform-output-network" </code></pre> </div> <p>At this point, Terraform had created:</p> <ul> <li>one VPC network</li> <li>one subnet</li> <li>one VM instance</li> </ul> <p>It also exposed selected infrastructure data through outputs.</p> <h2> Query the Outputs </h2> <p>After apply, we can query all outputs using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab_summary = { "project" = "terraform-gcp-learning-lab" "region" = "us-central1" "subnet_cidr" = "10.10.0.0/24" "subnet_name" = "terraform-output-subnet" "vm_internal_ip" = "10.10.0.2" "vm_name" = "terraform-output-vm" "vpc_name" = "terraform-output-network" "zone" = "us-central1-c" } subnet_cidr_range = "10.10.0.0/24" subnet_name = "terraform-output-subnet" vm_instance_name = "terraform-output-vm" vm_instance_zone = "us-central1-c" vm_internal_ip = "10.10.0.2" vpc_network_id = "projects/terraform-gcp-learning-lab/global/networks/terraform-output-network" vpc_network_name = "terraform-output-network" </code></pre> </div> <p>We can also query one specific output.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output vm_internal_ip </code></pre> </div> <p>The result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"10.10.0.2" </code></pre> </div> <p>This is useful because I do not need to inspect the full Terraform state just to find the VM internal IP address.</p> <h2> Query a Structured Output </h2> <p>I also created a structured output called <code>lab_summary</code>.</p> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output lab_summary </code></pre> </div> <p>Example result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "project" = "terraform-gcp-learning-lab" "region" = "us-central1" "subnet_cidr" = "10.10.0.0/24" "subnet_name" = "terraform-output-subnet" "vm_internal_ip" = "10.10.0.2" "vm_name" = "terraform-output-vm" "vpc_name" = "terraform-output-network" "zone" = "us-central1-c" } </code></pre> </div> <p>This is more readable than scanning the full state file.</p> <h2> Output as JSON </h2> <p>Terraform can also return outputs in JSON format.</p> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output <span class="nt">-json</span> </code></pre> </div> <p>This returns structured JSON data.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"vm_internal_ip"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sensitive"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.10.0.2"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"vpc_network_name"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sensitive"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"terraform-output-network"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>We can also save the output into a JSON file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output <span class="nt">-json</span> <span class="o">&gt;</span> terraform-outputs.json </code></pre> </div> <p>This can be useful when another script, pipeline, or tool needs to consume Terraform output data.</p> <h2> Inspect Terraform State </h2> <p>Outputs are useful, but they do not replace state.</p> <p>Terraform still stores resource information in the state file.</p> <p>To list resources tracked by Terraform, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state list </code></pre> </div> <p>My result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>google_compute_instance.vm_instance google_compute_network.vpc_network google_compute_subnetwork.subnet </code></pre> </div> <p>Then I tried to inspect the Compute Engine instance with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state show google_compute_instance </code></pre> </div> <p>Terraform returned an error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error parsing instance address: google_compute_instance This command requires that the address references one specific instance. To view the available instances, use "terraform state list". Please modify the address to reference a specific instance. </code></pre> </div> <p>This happened because <code>google_compute_instance</code> is only the resource type.</p> <p>Terraform needs the full resource address.</p> <p>The correct command is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state show google_compute_instance.vm_instance </code></pre> </div> <p>This command showed detailed information about the VM, including:</p> <ul> <li>machine type</li> <li>zone</li> <li>internal IP</li> <li>boot disk</li> <li>subnet</li> <li>scheduling configuration</li> <li>shielded instance configuration</li> </ul> <p>This was a useful mistake because it clarified the difference between:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource type </code></pre> </div> <p>and:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource address </code></pre> </div> <h2> Destroy the Infrastructure </h2> <p>Because this lab creates a VM, I destroyed the resources after testing.</p> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Terraform will ask for the project value again if it was not provided through another method.</p> <p>Then it will show a destroy plan.</p> <p>In my case, the destroy plan showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 0 to add, 0 to change, 3 to destroy. </code></pre> </div> <p>It also showed that outputs would be removed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Changes to Outputs: - lab_summary = {...} -&gt; null - vm_internal_ip = "10.10.0.2" -&gt; null - vpc_network_name = "terraform-output-network" -&gt; null </code></pre> </div> <p>After reviewing the destroy plan, type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">yes</span> </code></pre> </div> <p>Important: wait until Terraform shows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Destroy complete! Resources: 3 destroyed. </code></pre> </div> <p>After that, you can also verify from the Google Cloud Console that the VM, subnet, and VPC have been removed.</p> <p>What I Learned</p> <p>From this lab, I learned that Terraform outputs are not just decoration at the end of <code>terraform apply</code>.</p> <p>Outputs are a clean way to expose the specific infrastructure values that matter.</p> <p>Instead of manually searching through the state file or Google Cloud Console, I can query useful values directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output terraform output vm_internal_ip terraform output lab_summary terraform output <span class="nt">-json</span> </code></pre> </div> <p>The most important idea for me is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform creates infrastructure, state tracks infrastructure, and outputs expose selected infrastructure data. </code></pre> </div> <p>I also learned that outputs can be simple values or structured objects.</p> <p>For example, <code>vm_internal_ip</code> is a simple string output, while <code>lab_summary</code> is a structured output that groups multiple values together.</p> <p>This makes outputs useful not only for humans, but also for automation.</p> <h2> Next Step </h2> <p>This lab still asks me to manually enter the <code>project</code> variable during <code>terraform apply</code> and <code>terraform destroy</code>.</p> <p>In the next lab, I want to improve that by using:</p> <ul> <li><code>terraform.tfvars</code></li> <li><code>terraform.tfvars.example</code></li> <li>safer variable value management</li> <li>avoiding repeated manual input</li> </ul> <p>That should make the Terraform workflow cleaner and more practical.</p> terraform gcp devops Terraform Variables: Cleaning Up My First GCP VPC Configuration Abraham Naiborhu Mon, 04 May 2026 10:40:26 +0000 https://dev.to/abrahamparn/terraform-variables-and-outputs-cleaning-up-my-first-gcp-vpc-configuration-2eh2 https://dev.to/abrahamparn/terraform-variables-and-outputs-cleaning-up-my-first-gcp-vpc-configuration-2eh2 <p>In my previous Terraform article, I created my first Terraform-managed Google Cloud resource: a simple VPC network.</p> <p>The first version worked, but the configuration was still very basic. As someone who has written a lot of JavaScript code, one thing immediately felt uncomfortable: too many values were hardcoded directly inside <code>main.tf</code>.</p> <p>That made me wonder:</p> <blockquote> <p>There should be something similar to variables in Terraform, right?</p> </blockquote> <p>After checking Terraform’s documentation, the answer is yes.</p> <p>Terraform supports input variables, which allow configuration values to be reused and changed without directly modifying the main infrastructure logic.</p> <p>In this article, I will improve the previous Terraform configuration by introducing:</p> <ul> <li><code>variables.tf</code></li> <li>input variables</li> <li>default values</li> <li>variable usage inside <code>main.tf</code> </li> </ul> <p>Reference: <a href="https://developer.hashicorp.com/terraform/tutorials/gcp-get-started/google-cloud-platform-variables" rel="noopener noreferrer">Terraform GCP variables tutorial</a></p> <h2> Previous Configuration </h2> <p>To recap, this was the previous <code>main.tf</code> configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"&lt;PROJECT_ID&gt;"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="nx">zone</span> <span class="p">=</span> <span class="s2">"us-central1-c"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"terraform-network"</span> <span class="p">}</span> </code></pre> </div> <p>This configuration works.</p> <p>However, several values are hardcoded directly inside the provider block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"&lt;PROJECT_ID&gt;"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"us-central1"</span> <span class="nx">zone</span> <span class="err">=</span> <span class="s2">"us-central1-c"</span> </code></pre> </div> <p>For a small lab, this is acceptable.</p> <p>But as the configuration grows, hardcoded values become harder to maintain. If I want to change the project, region, or zone, I need to edit the source configuration directly.</p> <p>A cleaner approach is to declare these values as variables.</p> <h2> Creating <code>variables.tf</code> </h2> <p>First, create a new file called <code>variables.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>variables.tf </code></pre> </div> <p>Then add the following variable definitions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"zone"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1-c"</span> <span class="p">}</span> </code></pre> </div> <p>The file name <code>variables.tf</code> is a common convention.</p> <p>Technically, Terraform reads all <code>.tf</code> files in the current working directory. However, separating variables into <code>variables.tf</code> makes the configuration easier to understand and maintain.</p> <h2> Understanding the Variables </h2> <h3> <code>project</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{}</span> </code></pre> </div> <p>The <code>project</code> variable does not have a default value.</p> <p>This means Terraform will ask for the value when we run a command that needs it, such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>This is useful because the Google Cloud project ID may be different depending on the user or environment.</p> <h3> <code>region</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="p">}</span> </code></pre> </div> <p>The <code>region</code> variable has a default value.</p> <p>If I do not provide another value, Terraform will use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>us-central1 </code></pre> </div> <h3> <code>zone</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"zone"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1-c"</span> <span class="p">}</span> </code></pre> </div> <p>The <code>zone</code> variable also has a default value.</p> <p>For this simple VPC lab, the zone is not very important because a VPC network is a global resource in Google Cloud.</p> <p>However, keeping the zone in the provider configuration is useful because future resources, such as Compute Engine instances, may need it.</p> <h2> Updating <code>main.tf</code> to Use Variables </h2> <p>Now we can update <code>main.tf</code> to use the variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"terraform-network"</span> <span class="p">}</span> </code></pre> </div> <p>The important change is inside the provider block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="err">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="err">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">zone</span> </code></pre> </div> <p>Terraform uses the <code>var.&lt;variable_name&gt;</code> syntax to reference input variables.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">var</span><span class="err">.</span><span class="nx">project</span> </code></pre> </div> <p>means Terraform will use the value provided for the <code>project</code> variable.</p> <h2> Running Terraform Apply </h2> <p>After updating the configuration, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> </code></pre> </div> <p>Then validate the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>If the configuration is valid, the output should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Success! The configuration is valid. </code></pre> </div> <p>Next, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Because the <code>project</code> variable does not have a default value, Terraform will ask for it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>var.project Enter a value: </code></pre> </div> <p>Enter your Google Cloud project ID.</p> <p>Terraform will then show the execution plan and ask for confirmation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Do you want to perform these actions? Terraform will perform the actions described above. Only <span class="s1">'yes'</span> will be accepted to approve. Enter a value: </code></pre> </div> <p>Type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">yes</span> </code></pre> </div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>google_compute_network.vpc_network: Creating... google_compute_network.vpc_network: Still creating... <span class="o">[</span>00m10s elapsed] google_compute_network.vpc_network: Still creating... <span class="o">[</span>00m20s elapsed] google_compute_network.vpc_network: Still creating... <span class="o">[</span>00m30s elapsed] google_compute_network.vpc_network: Still creating... <span class="o">[</span>00m40s elapsed] google_compute_network.vpc_network: Creation <span class="nb">complete </span>after 43s <span class="o">[</span><span class="nb">id</span><span class="o">=</span>projects/terraform-gcp-learning-lab/global/networks/terraform-network] </code></pre> </div> <p>At this point, Terraform has created the VPC network using values from the input variables.</p> <h2> Destroying the Infrastructure </h2> <p>Because this is only a learning lab, I destroyed the resource after testing.</p> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Terraform will ask for the <code>project</code> variable again if it was not provided through another method.</p> <p>Then Terraform will show the destroy plan and ask for confirmation.</p> <p>Type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">yes</span> </code></pre> </div> <p>This removes the VPC network managed by this Terraform configuration.</p> <h2> What Changed? </h2> <p>Previously, the provider configuration looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"&lt;PROJECT_ID&gt;"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="nx">zone</span> <span class="p">=</span> <span class="s2">"us-central1-c"</span> <span class="p">}</span> </code></pre> </div> <p>Now it looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="p">}</span> </code></pre> </div> <p>The configuration is still simple, but it is now cleaner.</p> <p>Instead of hardcoding every value inside <code>main.tf</code>, Terraform can read those values from input variables.</p> <h2> What I Learned </h2> <p>From this lab, I learned that Terraform variables help separate configuration values from infrastructure logic.</p> <p>The key idea is simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>main.tf defines what Terraform should create. variables.tf defines what values Terraform can accept. </code></pre> </div> <p>This makes the configuration easier to reuse and modify.</p> <p>The most important distinction for me is that <code>variables.tf</code> declares variables, but it does not always provide the actual values.</p> <p>If a variable has a default value, Terraform can use it automatically.</p> <p>If a variable does not have a default value, Terraform will ask for the value during execution.</p> <h2> Next Step </h2> <p>This article only introduced basic input variables.</p> <p>In the next article, I want to continue improving this configuration by learning:</p> <ul> <li>how to provide variable values using <code>terraform.tfvars</code> </li> <li>how to avoid typing the project ID repeatedly</li> <li>how to expose useful resource information using Terraform outputs</li> </ul> <p>That should make the configuration more practical and easier to reuse.</p> beginners googlecloud terraform tutorial Provisioning My First GCP VPC with Infrastructure as Code Abraham Naiborhu Sun, 03 May 2026 10:09:18 +0000 https://dev.to/abrahamparn/my-first-terraform-managed-gcp-resource-provider-vpc-plan-apply-and-state-57lj https://dev.to/abrahamparn/my-first-terraform-managed-gcp-resource-provider-vpc-plan-apply-and-state-57lj <p>In my previous article, I documented how I installed Terraform on macOS using Homebrew and fixed a Zsh autocomplete issue.</p> <p>In this article, I am going to be using terraform to provision, update, and destroy a simple set of infrastructure using the sample configuration provided by <a href="https://developer.hashicorp.com/terraform/tutorials/gcp-get-started/google-cloud-platform-build" rel="noopener noreferrer">hashicorp</a> </p> <p>The goal is to understand the basic Terraform workflow:</p> <ol> <li>Write configuration</li> <li>Authenticate to Google Cloud</li> <li>Initialize Terraform</li> <li>Format and validate the configuration</li> <li>Review the execution plan</li> <li>Apply the configuration</li> <li>Inspect Terraform state</li> <li>Destroy the infrastructure after the lab</li> </ol> <h2> Prerequisites </h2> <ul> <li>macOS</li> <li>Visual Studio Code</li> <li>Terraform CLI v1.15.1</li> <li>Google Cloud CLI installed locally</li> <li>A Google Cloud account</li> <li>A Google Cloud project with billing enabled</li> <li>Compute Engine API enabled</li> </ul> <h3> Notes about Prerequisites </h3> <ol> <li>To install gcloud cli, go to <a href="https://cloud.google.com/sdk/docs/install" rel="noopener noreferrer">google cloud documentation</a> </li> <li>To install terraform, go to my previous <a href="https://dev.to/abrahamparn/installing-terraform-on-macos-with-homebrew-and-fixing-zsh-autocomplete-error-2gn9">documentation about installation</a> </li> </ol> <h2> Set up GCP </h2> <p>Before Terraform can create infrastructure in Google Cloud, we need to prepare the Google Cloud project.<br> For this lab, the project needs:</p> <ul> <li>A Google Cloud project</li> <li>Billing enabled</li> <li>Compute Engine API enabled</li> </ul> <h3> Create or Select a Google Cloud Project </h3> <p>In the Google Cloud Console, open the project selector at the top of the page. From there, either select an existing project or create a new one. For this lab, make sure the selected project has billing enabled because Terraform will create Google Cloud resources inside the project.</p> <h3> Enable the Compute Engine API </h3> <p>You can run the following commands either from your local terminal, if Google Cloud CLI is installed, or from Cloud Shell.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># make sure you are in the right project</span> gcloud config get-value project <span class="c"># set the project config</span> gcloud config <span class="nb">set </span>project <span class="o">[</span>YOUR_PROJECT_ID] <span class="c"># run enablement</span> gcloud services <span class="nb">enable </span>compute.googleapis.com <span class="c"># Verify enablement</span> gcloud services list <span class="nt">--enabled</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name:compute.googleapis.com"</span> </code></pre> </div> <p>The response should be like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>NAME: compute.googleapis.com TITLE: Compute Engine API </code></pre> </div> <h2> Write the Terraform Configuration </h2> <p>Next, we will write our first Terraform configuration to create a Google Cloud VPC network.</p> <p>Each Terraform configuration should be placed in its own working directory.</p> <p>now, create the directory<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>learn-terraform-gcp </code></pre> </div> <p>Move into the directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>learn-terraform-gcp </code></pre> </div> <p>Create a file called <code>main.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>main.tf </code></pre> </div> <p>The name <code>main.tf</code> is a common convention, but Terraform actually reads all <code>.tf</code> files in the current working directory. </p> <p>Open the file using Visual Studio Code or your preferred editor, then add the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"&lt;PROJECT_ID&gt;"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="nx">zone</span> <span class="p">=</span> <span class="s2">"us-central1-c"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"terraform-network"</span> <span class="p">}</span> </code></pre> </div> <p>Replace <code>&lt;PROJECT_ID&gt;</code> with your actual Google Cloud project ID.</p> <h2> Terraform Configuration Explanation </h2> <p>The <code>terraform {}</code> block contains Terraform-level settings.<br> In this example, it defines the required provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The provider source <code>hashicorp/google</code> is shorthand for<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>registry.terraform.io/hashicorp/google </code></pre> </div> <p>This tells Terraform to use the official Google provider from the Terraform Registry.</p> <h3> Required Provider </h3> <p>The <code>required_providers</code> block tells Terraform which provider plugin it needs to download.<br> In this case, Terraform needs the Google provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">google</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> </code></pre> </div> <h3> Provider Configuration </h3> <p>The <code>provider "google"</code> block configures how Terraform connects to Google Cloud.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"&lt;PROJECT_ID&gt;"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="nx">zone</span> <span class="p">=</span> <span class="s2">"us-central1-c"</span> <span class="p">}</span> </code></pre> </div> <p>In this lab, the provider is configured with:</p> <ul> <li>Google Cloud project ID</li> <li>Region</li> <li>Zone This tells Terraform where the infrastructure should be created.</li> </ul> <h3> Resource Block </h3> <p>The <code>resource</code> block defines the infrastructure component that Terraform should manage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"terraform-network"</span> <span class="p">}</span> </code></pre> </div> <p>In this case:</p> <ul> <li> <code>google_compute_network</code> is the resource type</li> <li> <code>vpc_network</code> is the local Terraform name for the resource</li> <li> <code>terraform-network</code> is the actual VPC network name that will be created in Google Cloud</li> </ul> <p>This resource creates a VPC network in the selected Google Cloud project.</p> <h2> Authenticating to Google Cloud </h2> <p>Terraform must authenticate to Google Cloud before it can create infrastructure. In the terminal, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud auth application-default login </code></pre> </div> <p>Your browser will open and prompt you to log in to your Google Cloud account. After successful authentication, your terminal will display the path where the gcloud CLI saved your credentials.</p> <p>The GCP provider automatically uses these credentials to authenticate against the Google Cloud APIs.</p> <h2> Format the Configuration </h2> <p>Before initializing or applying the configuration, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> </code></pre> </div> <h2> Initialize the Directory </h2> <p>Next, initialize the Terraform working directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>This command prepares the working directory and downloads the provider plugins defined in the configuration.</p> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Initializing provider plugins found <span class="k">in </span>the configuration... - Finding hashicorp/google versions matching <span class="s2">"6.8.0"</span>... - Installing hashicorp/google v6.8.0... - Installed hashicorp/google v6.8.0 <span class="o">(</span>signed by HashiCorp<span class="o">)</span> Initializing the backend... Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file <span class="k">in </span>your version control repository so that Terraform can guarantee to make the same selections by default when you run <span class="s2">"terraform init"</span> <span class="k">in </span>the future. Terraform has been successfully initialized! You may now begin working with Terraform. Try running <span class="s2">"terraform plan"</span> to see any changes that are required <span class="k">for </span>your infrastructure. All Terraform commands should now work. If you ever <span class="nb">set </span>or change modules or backend configuration <span class="k">for </span>Terraform, rerun this <span class="nb">command </span>to reinitialize your working directory. If you forget, other commands will detect it and remind you to <span class="k">do </span>so <span class="k">if </span>necessary. </code></pre> </div> <h2> Validate the configuration </h2> <p>After initialization, validate the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>If the configuration is valid, the output should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Success! The configuration is valid. </code></pre> </div> <p>Terraform returned an error like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>│ Error: <span class="s2">"name"</span> <span class="o">(</span><span class="s2">"terraform_network"</span><span class="o">)</span> doesn<span class="s1">'t match regexp "^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$" │ │ with google_compute_network.vpc_network, │ on main.tf line 17, in resource "google_compute_network" "vpc_network": │ 17: name = "terraform_network" </span></code></pre> </div> <p>This happened because Google Cloud network names must follow a specific naming rule.<br> In this case, using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-network </code></pre> </div> <p>is valid, while:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform_network </code></pre> </div> <p>is not valid.</p> <h2> Review the Execution Plan </h2> <p>Before creating the infrastructure, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>This command shows what Terraform intends to create, update, or destroy.</p> <p>For this lab, Terraform planned to create one resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 1 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>This is one of the most important Terraform habits.</p> <p>The plan phase is the safety checkpoint.</p> <p>Before applying any change, I should understand whether Terraform is going to:</p> <ul> <li>create a resource</li> <li>update a resource</li> <li>replace a resource</li> <li>destroy a resource</li> </ul> <p>For this first lab, the plan is simple. But in a real environment, reviewing the Terraform plan carefully is critical.</p> <h2> Create the Infrastructure </h2> <p>After reviewing the plan, apply the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Terraform will show the execution plan again and ask for confirmation.</p> <p>the output usually like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: <span class="c"># google_compute_network.vpc_network will be created</span> + resource <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="o">{</span> + auto_create_subnetworks <span class="o">=</span> <span class="nb">true</span> + delete_default_routes_on_create <span class="o">=</span> <span class="nb">false</span> + gateway_ipv4 <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + <span class="nb">id</span> <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + internal_ipv6_range <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + mtu <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + name <span class="o">=</span> <span class="s2">"terraform-network"</span> + network_firewall_policy_enforcement_order <span class="o">=</span> <span class="s2">"AFTER_CLASSIC_FIREWALL"</span> + numeric_id <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + project <span class="o">=</span> <span class="s2">"terraform-gcp-learning-lab"</span> + routing_mode <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + self_link <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> <span class="o">}</span> Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only <span class="s1">'yes'</span> will be accepted to approve. Enter a value: </code></pre> </div> <p>now you enter value of <code>yes</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Enter a value: <span class="nb">yes</span> </code></pre> </div> <h2> Inspect Terraform State </h2> <p>Terraform state stores the IDs and properties of the resources that Terraform manages.</p> <p>This allows Terraform to understand the relationship between the configuration file and the actual infrastructure in Google Cloud.</p> <p>Inspect the current state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform show </code></pre> </div> <p>the response should be like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># google_compute_network.vpc_network:</span> resource <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="o">{</span> auto_create_subnetworks <span class="o">=</span> <span class="nb">true </span>delete_default_routes_on_create <span class="o">=</span> <span class="nb">false </span>description <span class="o">=</span> null enable_ula_internal_ipv6 <span class="o">=</span> <span class="nb">false </span>gateway_ipv4 <span class="o">=</span> null <span class="nb">id</span> <span class="o">=</span> <span class="s2">"projects/terraform-gcp-learning-lab/global/networks/terraform-network"</span> internal_ipv6_range <span class="o">=</span> null mtu <span class="o">=</span> 0 name <span class="o">=</span> <span class="s2">"terraform-network"</span> network_firewall_policy_enforcement_order <span class="o">=</span> <span class="s2">"AFTER_CLASSIC_FIREWALL"</span> numeric_id <span class="o">=</span> <span class="s2">"2818444064827549422"</span> project <span class="o">=</span> <span class="s2">"terraform-gcp-learning-lab"</span> routing_mode <span class="o">=</span> <span class="s2">"REGIONAL"</span> self_link <span class="o">=</span> <span class="s2">"https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/global/networks/terraform-network"</span> </code></pre> </div> <p>This was one of the most important lessons from this lab.</p> <p>Terraform is not only a tool that creates infrastructure. Terraform also tracks the infrastructure it manages through state.</p> <p>For this beginner lab, the state is stored locally in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfstate </code></pre> </div> <h2> Check the Resource in Google Cloud Console </h2> <p>After Terraform finishes creating the VPC network, you can verify it in the Google Cloud Console.</p> <p>Go to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC network &gt; VPC networks </code></pre> </div> <p>You should see a network named:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-network </code></pre> </div> <p>At this point, the VPC exists in Google Cloud and is being managed by Terraform.</p> <h2> Destroy everything </h2> <p>Because this is only a learning lab, I do not want to leave unused resources running in my Google Cloud project.</p> <p>To destroy the infrastructure managed by this Terraform configuration, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Terraform will show a destroy plan and ask for confirmation.</p> <p>Type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">yes</span> </code></pre> </div> <p>Important note: <code>terraform destroy</code> only destroys resources managed by the current Terraform state.</p> <p>In this lab, it will destroy the VPC network created by this configuration.</p> <p>After the destroy process is complete, you can check the Google Cloud Console again to confirm that the VPC network has been removed.</p> beginners googlecloud terraform tutorial