cc2022-lab-6-terraform-v1's Introduction

cloud-computing-lab-6-terraform

Infra provisioned by Terraform in Google Cloud

Prerequisites

  • Gcloud CLI
  • Kubectl

Config Gcloud CLI

Authenticate using the commands below.

Note: the infrastructure is provisioned in the europe-west2 region. You can use your desired region by adjusting the TF_VAR_region variable in the main workflow.

gcloud init
gcloud auth application-default login

Create a GCS bucket to support remote Terraform state on GCP.

The bucket name must be globally unique. You can use a bucket name that contains the project id, e.g. terraform-state-<project_id>

gsutil mb -p <project_id> -c <storage_class> -l <region> gs://<bucket_name>

Enable remote state versioning

gsutil versioning set on gs://<bucket_name>

Google APIs and IAM Roles

  1. Create a new service account for Terraform, add a new key, and download the generated JSON file with the service account credentials.

gcloud iam service-accounts create <serviceAccountName> --project <project_id>
gcloud iam service-accounts keys create key.json --iam-account=<serviceAccount.email>

  2. Assign the required roles to the new service account.

gcloud projects add-iam-policy-binding <project_id> --member='serviceAccount:<serviceAccount.email>' --role='roles/storage.admin'   
gcloud projects add-iam-policy-binding <project_id> --member='serviceAccount:<serviceAccount.email>' --role='roles/storage.objectAdmin'   
gcloud projects add-iam-policy-binding <project_id> --member='serviceAccount:<serviceAccount.email>' --role='roles/compute.admin'

  3. Enable the Google APIs. Make sure that gcloud is configured with the right project.

gcloud config set project <project_id>
gcloud services enable compute.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable iap.googleapis.com

Provision Infra using GitOps

  1. Encode the key file's content (key.json) in Base64 and store it as a secret named GCP_TF_SA_CREDS_BASE64 on GitHub, preferably in a new GitHub environment with protection rules. See the following link for setting a new GitHub environment. If you do so, make sure that the right environment is defined in the main workflow.

name: Infra managed by terraform

on:
  push:
    branches:
      - main

jobs:
  deployment:
    runs-on: ubuntu-latest
    environment: <your_new_environment>
    steps:
      - name: provisioning
        # ...provisioning-specific steps

cat key.json | base64

or use base64encode.org online.

  2. Set the required tf_variables in the main workflow. Note that environment variables must have the TF_VAR_ prefix in order to be visible in the Terraform code.

  3. Push your changes. You can use the GitHub workflow status page to monitor the progress of the workflow.
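For the encoding step above, an added example (not part of the original project) that produces the GCP_TF_SA_CREDS_BASE64 value locally as a single unwrapped line and confirms it decodes back to the exact key file; encoding locally keeps the private key off third-party sites. The function names are assumptions; key.json is the file created earlier.

```shell
#!/bin/sh
# Added example: prepare the value for the GCP_TF_SA_CREDS_BASE64 secret locally.
# Usage (from the directory holding key.json):
#   value=$(encode_sa_key key.json) && verify_secret_value key.json "$value"

# Print the key file as one base64 line. GNU base64 wraps output at 76 columns,
# and embedded newlines are easy to lose when pasting into a secret field.
encode_sa_key() {
  key_file="$1"
  [ -r "$key_file" ] || { echo "cannot read $key_file" >&2; return 1; }
  # Refuse anything that is not a service account key (wrong or empty file).
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key_file" \
    || { echo "$key_file is not a service account key" >&2; return 1; }
  base64 < "$key_file" | tr -d '\n'
}

# Decode the value the way a workflow step would and compare it byte for byte
# with the original file. Returns 0 only on an exact match.
# (-d is the GNU/busybox decode flag; older macOS releases use -D.)
verify_secret_value() {
  key_file="$1"
  encoded="$2"
  printf '%s' "$encoded" | base64 -d 2>/dev/null | cmp -s - "$key_file"
}
```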

Provision Infra using Terraform

  1. Move the credentials (plain json file) of the service account to the root path of the project

  2. Create the variables.auto.tfvars file and set the following variables inside

credentials        = "./credentials.json"
project_id         = "project_id"
region             = "region"
name               = "workspace_name"
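Because the steps above place a plain JSON key in the project root, here is an added example (not part of the original project) that reads the credentials path from variables.auto.tfvars and checks that the file is private to its owner and cannot be committed. The function names are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the key file that variables.auto.tfvars points at.
# Usage (from the project root):
#   check_creds_file "$(creds_path_from_tfvars variables.auto.tfvars)"

# Extract the value of the `credentials = "..."` line from a tfvars file.
creds_path_from_tfvars() {
  sed -n 's/^[[:space:]]*credentials[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" \
    | head -n 1
}

# Return 0 only if the key file exists, is not readable by group or others,
# and (when inside a git work tree) is covered by an ignore rule.
check_creds_file() {
  creds="$1"
  [ -f "$creds" ] || { echo "missing: $creds" >&2; return 1; }
  # A group/other read bit lets other local users read the private key.
  if [ -n "$(find "$creds" -prune \( -perm -040 -o -perm -004 \))" ]; then
    echo "$creds is readable by group/others; run: chmod 600 $creds" >&2
    return 1
  fi
  # The key sits next to the Terraform code, so it must match an ignore rule
  # or a routine `git add .` would stage it.
  dir=$(dirname "$creds")
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git -C "$dir" check-ignore -q "$(basename "$creds")" \
      || { echo "$creds is not git-ignored" >&2; return 1; }
  fi
  return 0
}
```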

Terraform usage

# Fetch terraform resources
terraform init

# Check the execution plan
terraform plan

# Apply changes
terraform apply

# Destroy Infrastructure
terraform destroy

The --auto-approve option tells Terraform not to require interactive approval of the plan before applying it, e.g. terraform apply --auto-approve

For any questions, suggestions, or feature requests

Get in touch with me on LinkedIn:

License

Licensed under the MIT License (MIT)

Copyright © 2022 Dimitris Kargatzis

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Contributors

steliosot, dkargatzis
