liewwy19/terraform-gcp-template

terraform-gcp-template

Terraform template for GCP

Workflow features

  • Authenticating to GCP via Workload Identity Federation
  • Run terraform apply
    • Automatically on the main branch
    • Manually on any branch
  • Run terraform plan, terraform fmt and tflint
  • Post the terraform plan report as a pull request comment and to Job Summaries
  • Slack notification

Requirements

  • GitHub Actions
  • Terraform v1.0+

Usage of this template

1. Install tools

2. Create a repository using this template

3. Setup Cloud SDK

gcloud auth application-default login
gcloud config set project ${GCP_PROJECT_ID}

4. Prepare for Deployment Manager

First, enable the Cloud Deployment Manager V2 API.

Then grant roles/iam.securityAdmin to ${GCP_PROJECT_NUMBER}@cloudservices.gserviceaccount.com, the service account Deployment Manager runs as:

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} --member=serviceAccount:${GCP_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

5. Run Deployment Manager

Download deployment-manager/setup-terraform.jinja and deployment-manager/setup-terraform.jinja.schema.

Run Deployment Manager:

gcloud deployment-manager deployments create setup-terraform --template /path/to/setup-terraform.jinja --properties backendBucketName:${BACKEND_BUCKET_NAME},backendBucketLocation:${BACKEND_BUCKET_LOCATION}

Properties

6. Register secrets to GitHub repository

7. Edit files for local apply

Edit the following:

  • terraform.backend.bucket
    • Same as BACKEND_BUCKET_NAME

Upgrade to the latest version if necessary:

  • terraform.required_providers.google.version
  • terraform.required_providers.google-beta.version
  • terraform.required_version

8. Run Terraform from local

tfenv install

terraform init

# Run the following if you upgraded providers (commit the updated lock file)
terraform init -upgrade
git add .terraform.lock.hcl
git commit -m "terraform init -upgrade"

terraform plan
terraform apply

9. Edit file for GitHub Actions

Edit the following:

10. Check if GitHub Actions build is executed

Run git push and check that the workflow runs in your repository.

Troubleshooting

ERROR: Identity and Access Management (IAM) API has not been used in project

The API is enabled by Deployment Manager, but the activation takes some time to take effect, so the first deployment can fail with the following error.

Waiting for create [operation-1661583070797-5e73374b31d17-d7e061b5-aef21baf]...failed.
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1661583070797-5e73374b31d17-d7e061b5-aef21baf]: errors:
- code: RESOURCE_ERROR
  location: /deployments/setup-terraform/resources/terraform
  message: '{"ResourceType":"iam.v1.serviceAccount","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"usageLimits","message":"Identity
    and Access Management (IAM) API has not been used in project 111111111111 before
    or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=111111111111

Wait a few minutes, then run gcloud deployment-manager deployments update (NOT create) with the same arguments you used for create.
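The following POSIX shell script is an added example, not code from the liewwy19/terraform-gcp-template repository. It runs steps 4 and 5 and automates the advice in this troubleshooting section: if `deployments create` fails only because the IAM API is not active yet, it waits and re-runs the same arguments with `deployments update`, otherwise it stops and shows the real error. It assumes the template is checked out at deployment-manager/setup-terraform.jinja, uses the service name deploymentmanager.googleapis.com for the API enabled in step 4, and adds an optional function to revoke roles/iam.securityAdmin again once Deployment Manager no longer needs to manage IAM, since that role lets its service account change IAM policy anywhere in the project. The deployment name, retry count, delay and the sample error text are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of liewwy19/terraform-gcp-template): runs the
# Deployment Manager setup from steps 4 and 5 and applies the Troubleshooting
# advice automatically. Usage:
#   GCP_PROJECT_ID=... GCP_PROJECT_NUMBER=... BACKEND_BUCKET_NAME=... \
#   BACKEND_BUCKET_LOCATION=... sh setup-terraform.sh run
set -eu

# Assumed names and tunables; adjust to your checkout.
DEPLOYMENT_NAME="${DEPLOYMENT_NAME:-setup-terraform}"
TEMPLATE_PATH="${TEMPLATE_PATH:-deployment-manager/setup-terraform.jinja}"
DM_SERVICE_ACCOUNT="${GCP_PROJECT_NUMBER:-}@cloudservices.gserviceaccount.com"
MAX_RETRIES="${MAX_RETRIES:-5}"
RETRY_DELAY="${RETRY_DELAY:-60}"

# Constructed sample of the failure output (abbreviated from the README's
# Troubleshooting section), used to check the detector below offline.
SAMPLE_IAM_ERROR='ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-EXAMPLE]: errors:
- code: RESOURCE_ERROR
  location: /deployments/setup-terraform/resources/terraform
  message: "Identity
    and Access Management (IAM) API has not been used in project 111111111111 before
    or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/iam.googleapis.com/overview"'

# Step 4: enable the Deployment Manager V2 API and grant the role the README requires.
# roles/iam.securityAdmin lets this service account edit IAM policies project-wide,
# so keep the binding only as long as Deployment Manager has to manage IAM resources.
prepare_deployment_manager() {
  gcloud services enable deploymentmanager.googleapis.com --project "$GCP_PROJECT_ID"
  gcloud projects add-iam-policy-binding "$GCP_PROJECT_ID" \
    --member="serviceAccount:${DM_SERVICE_ACCOUNT}" --role=roles/iam.securityAdmin
}

# Optional cleanup once the deployment is final: revoke the broad role again.
revoke_deployment_manager_role() {
  gcloud projects remove-iam-policy-binding "$GCP_PROJECT_ID" \
    --member="serviceAccount:${DM_SERVICE_ACCOUNT}" --role=roles/iam.securityAdmin
}

# Step 5: create or update the deployment; $1 is "create" or "update".
# stderr is merged so the caller can inspect the error text.
dm_deploy() {
  gcloud deployment-manager deployments "$1" "$DEPLOYMENT_NAME" \
    --project "$GCP_PROJECT_ID" \
    --template "$TEMPLATE_PATH" \
    --properties "backendBucketName:${BACKEND_BUCKET_NAME},backendBucketLocation:${BACKEND_BUCKET_LOCATION}" 2>&1
}

# Returns 0 when captured gcloud output is the "API has not been used in
# project ... or it is disabled" failure. gcloud wraps the message across
# lines, so newlines are folded to spaces before matching.
is_api_not_enabled_error() {
  printf '%s' "$1" | tr '\n' ' ' \
    | grep -q 'API has not been used in project .* or it is disabled'
}

# create once; on the API-not-active error, wait and retry with update.
deploy_with_retry() {
  if out=$(dm_deploy create); then printf '%s\n' "$out"; return 0; fi
  is_api_not_enabled_error "$out" || { printf '%s\n' "$out" >&2; return 1; }
  i=0
  while [ "$i" -lt "$MAX_RETRIES" ]; do
    i=$((i + 1))
    echo "IAM API not active yet; retrying with 'deployments update' in ${RETRY_DELAY}s (attempt $i/$MAX_RETRIES)" >&2
    sleep "$RETRY_DELAY"
    if out=$(dm_deploy update); then printf '%s\n' "$out"; return 0; fi
    is_api_not_enabled_error "$out" || { printf '%s\n' "$out" >&2; return 1; }
  done
  echo "gave up after $MAX_RETRIES retries" >&2
  return 1
}

main() {
  : "${GCP_PROJECT_ID:?set GCP_PROJECT_ID}" "${GCP_PROJECT_NUMBER:?set GCP_PROJECT_NUMBER}"
  : "${BACKEND_BUCKET_NAME:?set BACKEND_BUCKET_NAME}" "${BACKEND_BUCKET_LOCATION:?set BACKEND_BUCKET_LOCATION}"
  prepare_deployment_manager
  deploy_with_retry
}

# Run only when invoked with "run", so sourcing the file for its functions
# touches nothing in the project.
if [ "${1:-}" = "run" ]; then main; fi
```

The detector only matches the specific "not used in project ... or it is disabled" message, so any other failure (wrong bucket name, missing permission) surfaces immediately instead of being retried. Call `revoke_deployment_manager_role` by hand once you are done changing the deployment, and re-grant the role before the next `deployments update` that touches IAM.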

Maintenance for Terraform repository

Upgrade Terraform core

  1. Check latest version
  2. Edit TERRAFORM_VERSION in .github/workflows/terraform.yml
  3. Edit .terraform-version
  4. Run tfenv install
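
Steps 2 and 3 pin the same Terraform version in two places, and the GitHub Actions build and the local tfenv install drift apart when only one of them is edited. The following check is an added example, not part of the template: it reads TERRAFORM_VERSION from .github/workflows/terraform.yml and the version from .terraform-version and fails when they differ. It assumes the workflow pins the version as a plain env entry such as `TERRAFORM_VERSION: "1.6.2"` (not an expression); the version numbers in the demo fixture are constructed.

```shell
#!/bin/sh
# Added example (not part of liewwy19/terraform-gcp-template): verify that the
# Terraform core version pinned for GitHub Actions matches the one tfenv uses.
# Usage: sh check-terraform-pins.sh demo   (or source it and call
#        check_terraform_pins .github/workflows/terraform.yml .terraform-version)
set -eu

# Print the TERRAFORM_VERSION value from a workflow file (first match only).
# Assumes a literal value, optionally quoted, e.g. TERRAFORM_VERSION: "1.6.2".
workflow_terraform_version() {
  sed -n 's/^[[:space:]]*TERRAFORM_VERSION:[[:space:]]*["'"'"']\{0,1\}\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Print the version pinned in a .terraform-version file, ignoring whitespace.
tfenv_pinned_version() {
  head -n 1 "$1" | tr -d ' \t\r\n'
}

# Exit 0 when both pins agree, 1 on mismatch, 2 when either cannot be read.
check_terraform_pins() {
  [ -f "$1" ] && [ -f "$2" ] || { echo "missing $1 or $2" >&2; return 2; }
  wf_version=$(workflow_terraform_version "$1")
  tf_version=$(tfenv_pinned_version "$2")
  if [ -z "$wf_version" ] || [ -z "$tf_version" ]; then
    echo "could not read TERRAFORM_VERSION from $1 or a version from $2" >&2
    return 2
  fi
  if [ "$wf_version" != "$tf_version" ]; then
    echo "mismatch: workflow pins $wf_version, .terraform-version pins $tf_version" >&2
    return 1
  fi
  echo "ok: both pin Terraform $wf_version"
}

# Build a throwaway checkout with constructed pins ($1 = workflow, $2 = tfenv)
# and print its path, so the check can be exercised offline.
demo_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows"
  printf 'env:\n  TERRAFORM_VERSION: "%s"\n' "$1" > "$dir/.github/workflows/terraform.yml"
  printf '%s\n' "$2" > "$dir/.terraform-version"
  printf '%s\n' "$dir"
}

if [ "${1:-}" = "demo" ]; then
  d=$(demo_fixture 1.6.2 1.6.2)
  check_terraform_pins "$d/.github/workflows/terraform.yml" "$d/.terraform-version"
  d=$(demo_fixture 1.6.2 1.5.7)
  check_terraform_pins "$d/.github/workflows/terraform.yml" "$d/.terraform-version" || echo "exit status $?"
fi
```

Running the check as a pre-commit hook or as an early step in the workflow turns a silent drift between CI and local runs into a failing build.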

Upgrade Terraform providers (automatically)

  1. Edit .github/dependabot.yml
  2. Wait for Dependabot to create pull requests

Upgrade Terraform providers (manually)

  1. Check latest versions
  2. Edit terraform.required_providers.google.version and terraform.required_providers.google-beta.version in versions.tf
  3. Run terraform init -upgrade

Other solution
