terraform-gcp-template

Terraform template for Google Cloud (GCP)

Primary language: HCL. License: MIT.

Workflow features

  • Authenticates to GCP via Workload Identity Federation
  • Runs terraform apply
    • Runs automatically on the main branch
    • Can be run manually on any branch
  • Runs terraform plan, terraform fmt and tflint
  • Posts the terraform plan report as a pull request comment and to Job Summaries
  • Slack notification

Requirements

  • GitHub Actions
  • Terraform v1.0+

Usage of this template

1. Install tools

2. Create a repository using this template

3. Set up Cloud SDK

gcloud auth login
# or
gcloud auth application-default login

gcloud config set project ${GCP_PROJECT_ID}

4. Prepare for Deployment Manager

First, enable the Cloud Deployment Manager V2 API.

Then add roles/iam.securityAdmin to [GCP_PROJECT_NUMBER]@cloudservices.gserviceaccount.com (the Google APIs service agent that Deployment Manager runs as). The role is needed because the template creates a service account and IAM bindings; it is a broad grant, so review it once setup is complete.

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} --member=serviceAccount:${GCP_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

5. Run Deployment Manager

Download deployment-manager/setup-terraform.jinja and deployment-manager/setup-terraform.jinja.schema

Then run Deployment Manager:

gcloud deployment-manager deployments create setup-terraform --template /path/to/setup-terraform.jinja --properties backendBucketName:${BACKEND_BUCKET_NAME},backendBucketLocation:${BACKEND_BUCKET_LOCATION}

Properties

6. Register secrets in the GitHub repository

7. Edit files for local apply

Edit the following:

  • terraform.backend.bucket
    • Same as BACKEND_BUCKET_NAME

Upgrade to the latest versions if necessary:

  • terraform.required_providers.google.version
  • terraform.required_providers.google-beta.version
  • terraform.required_version

8. Run Terraform from local

tfenv install

terraform init

# Run the following if you upgraded providers
terraform init -upgrade
git add .terraform.lock.hcl
git commit -m "terraform init -upgrade"

terraform plan
terraform apply

9. Edit file for GitHub Actions

Edit the following:

10. Check that the GitHub Actions workflow runs

Run git push and check your repository.

Troubleshooting

ERROR: Identity and Access Management (IAM) API has not been used in project

The IAM API is enabled by Deployment Manager, but it takes time to actually become active, which results in the following error.

Waiting for create [operation-1661583070797-5e73374b31d17-d7e061b5-aef21baf]...failed.
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1661583070797-5e73374b31d17-d7e061b5-aef21baf]: errors:
- code: RESOURCE_ERROR
  location: /deployments/setup-terraform/resources/terraform
  message: '{"ResourceType":"iam.v1.serviceAccount","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"usageLimits","message":"Identity
    and Access Management (IAM) API has not been used in project 111111111111 before
    or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=111111111111

After a few minutes, run gcloud deployment-manager deployments update (NOT create) with the same arguments you used for create.
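As an added example (not code from this template repository), the wrapper below automates steps 4-5 together with the Troubleshooting workaround: it runs deployments create, and if that fails only because the IAM API is not active yet, it waits and re-runs the same arguments as deployments update. GCLOUD_BIN, DM_RETRY_DELAY, DM_TEMPLATE and the function names are assumptions introduced here so the script can be exercised with a stub command.

```shell
#!/usr/bin/env bash
# Added wrapper for steps 4-5 and the Troubleshooting workaround above; it is not
# part of the template repository. GCLOUD_BIN, DM_RETRY_DELAY and DM_TEMPLATE are
# names introduced here (assumptions) so the script can be exercised with a stub.
set -eu

GCLOUD_BIN="${GCLOUD_BIN:-gcloud}"
DM_RETRY_DELAY="${DM_RETRY_DELAY:-180}"   # seconds: the README's "a few minutes"
DM_TEMPLATE="${DM_TEMPLATE:-deployment-manager/setup-terraform.jinja}"

# Build the --properties value from the two required variables; refuse to run
# with either unset rather than creating a bucket with an empty name/location.
dm_properties() {
  name="${BACKEND_BUCKET_NAME:-}"; location="${BACKEND_BUCKET_LOCATION:-}"
  if [ -z "$name" ] || [ -z "$location" ]; then
    echo "BACKEND_BUCKET_NAME and BACKEND_BUCKET_LOCATION must be set" >&2
    return 1
  fi
  printf 'backendBucketName:%s,backendBucketLocation:%s' "$name" "$location"
}

# Match the transient failure from the Troubleshooting section. gcloud wraps the
# message across lines, so match a fragment that stays on one line.
is_iam_api_not_ready() {
  printf '%s\n' "$1" | grep -q '(IAM) API has not been used'
}

# Run `deployments create`; if it fails only because the IAM API is not active
# yet, wait and re-run the same arguments as `deployments update`. Any other
# failure (for example a real permission error) is reported unchanged.
dm_deploy() {
  props="$(dm_properties)" || return 1
  for verb in create update; do
    if out="$("$GCLOUD_BIN" deployment-manager deployments "$verb" setup-terraform \
        --template "$DM_TEMPLATE" --properties "$props" 2>&1)"; then
      printf '%s\n' "$out"
      return 0
    fi
    if [ "$verb" = create ] && is_iam_api_not_ready "$out"; then
      echo "IAM API not active yet; retrying as 'update' in ${DM_RETRY_DELAY}s" >&2
      sleep "$DM_RETRY_DELAY"
      continue
    fi
    printf '%s\n' "$out" >&2
    return 1
  done
}
```

Export BACKEND_BUCKET_NAME and BACKEND_BUCKET_LOCATION, then call dm_deploy; a failure that is not the transient IAM error is printed and returned as a non-zero exit status.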

Maintenance for Terraform repository

Upgrade Terraform core

  1. Check latest version
  2. Edit .terraform-version
  3. Run tfenv install

Upgrade Terraform providers (automatically)

  1. Edit .github/dependabot.yml
  2. Wait for Dependabot to create pull requests

Upgrade Terraform providers (manually)

  1. Check latest versions
  2. Edit terraform.required_providers.google.version and terraform.required_providers.google-beta.version in versions.tf
  3. Run terraform init -upgrade

Other solution