What's Terraform?
Terraform is a tool created by HashiCorp which allows us to describe our infrastructure in easily readable code. This code can also be stored in our source code management system to allow us to track changes to our infrastructure over time.
Terraform works by talking to the API endpoints Google provides for the platform to set up our desired infrastructure.
Where do I start?
First we'll need to configure a "provider" so we can talk to the platform.
You'll need to put the following in your terraform file:
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~>3.57"
    }
  }
}

provider "google" {
  project = "my_Project"
}
In the terraform block above the first thing we're doing is setting up our required providers, where to get the google provider from and the version of that provider.
When we specify the source as hashicorp/google, terraform knows to get the provider from the terraform registry.
While setting the version options isn't required, it does help us to track any changes and mitigate possible breaking changes when applying our infrastructure.
Above we're setting the version of the provider to 3.57; however, we are also allowing for any minor bug fixes by using the ~> prefix in the version field.
More info on version constraints in terraform can be found here
In our provider configuration we're also setting our default project to my_Project.
Setting the default project here will prevent us from having to set it for each google resource we define.
How will Google know who I am?
As with any good cloud provider, Google won't just let anyone through the door. So we'll have to let Google know who we are first before we can do anything else.
When we're using terraform there are a couple of ways to do this:
Application Default Credentials (ADC)
With the Google Cloud SDK installed on your system, you can run the following commands on your computer to log in to google cloud and set your default application credentials:
First you'll need to log in: gcloud auth login
If you're on Windows, Mac or Linux (FreeDesktop.org compatible) it will open your default web browser and prompt you to log in to google cloud.
Once complete, you'll need to run gcloud auth application-default login to trigger a similar process and set your default application credentials.
If a web browser cannot be opened automatically you will be presented with a URL you can copy and paste into your browser.
If you have multiple browser windows logged in to different accounts it may be a good idea to add the --no-launch-browser command line option to prevent gcloud from trying to open the URL for you. You can then copy and paste this into the browser session you'd like to use for your login.
Credentials file
A credentials file contains a private key we can use to talk to Google's APIs and is linked with a service account that has been allocated a specific set of permissions.
More information about creating and downloading the service account key can be found here
We can reference our credentials file by adding the following line to our google provider configuration:
provider "google" {
  credentials = "/path/to/keyfile.json"
  project     = "my_Project"
}
Alternatively we can also reference our credentials file by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable, for example:
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/keyfile.json"
Where you need to make use of a service account key, using the environment variable would be a better option, so we can avoid having to change the path to the key file for each person or system that uses it.
It's recommended that a user account is used outside of any automated pipeline operations, as user accounts are linked to people: they can be deactivated when a user leaves a project, and they let you consult the logs to see who created a resource.
Now you're set up you can start making use of the platform's resources and benefits!
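The two ways of referencing a key file described above can be checked before running terraform. The script below is an added example, not code from the original post: it lists any .tf lines that set a credentials argument, and checks that the file named by GOOGLE_APPLICATION_CREDENTIALS is a service account key only its owner can read. The function names and the 600/400 mode policy are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for a service account key used with Terraform.
# Function names and the 600/400 mode policy are assumptions, not from the post.

# Print every *.tf line under $1 that sets a "credentials" argument
# (file:line:text). Returns 0 when at least one is found. Review each hit:
# a key path committed with the code is what the environment variable avoids.
find_hardcoded_credentials() {
  grep -rnE --include='*.tf' '^[[:space:]]*credentials[[:space:]]*=' "$1"
}

# Validate the file named by GOOGLE_APPLICATION_CREDENTIALS.
# Return codes: 0 ok, 1 unset, 2 unreadable, 3 not a service account key,
# 4 mode other than 600 or 400.
check_key_file() {
  key="${GOOGLE_APPLICATION_CREDENTIALS:-}"
  [ -n "$key" ] || { echo "GOOGLE_APPLICATION_CREDENTIALS is not set"; return 1; }
  [ -r "$key" ] || { echo "cannot read key file: $key"; return 2; }
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key" ||
    { echo "$key is not a service account key"; return 3; }
  # GNU stat first, BSD/macOS stat as fallback.
  key_mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$key_mode" in
    600|400) return 0 ;;
    *) echo "$key has mode $key_mode, expected 600 or 400"; return 4 ;;
  esac
}

# Run both checks when called with a Terraform directory, e.g. ./preflight.sh .
if [ "$#" -gt 0 ]; then
  status=0
  if find_hardcoded_credentials "$1"; then
    echo "credentials set in the files above; prefer the environment variable"
    status=1
  fi
  check_key_file || status=1
  exit "$status"
fi
```

The credentials pattern matches any resource argument with that name, so treat its output as a list to review rather than a verdict.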
🎉