Setting Up Terraform Cloud with GCP

Jacob Luna
5 min read · Mar 8, 2021

This demo is a basic walkthrough for setting up Terraform Cloud for GCP. This demo is geared to those who have a basic understanding of GCP and Terraform already.

When writing this, HashiCorp’s only documentation for setting up Terraform Cloud was in AWS lingo; I am hoping they will be adding a GCP equivalent demo soon. I spent about two days trying to figure out how to get GCP and Terraform Cloud to work properly. My hope is this helps some of my fellow GCP cloud users.

Why Terraform Cloud vs CLI?

  • Remote state management
  • Easy VCS integrations
  • Auditability and governance
  • Collaboration

Here is the link for an in-depth overview of Terraform Cloud benefits.

First, create a Terraform Cloud account. You can do so by visiting here.
(Don’t forget to confirm your email address!)

Once your email address is confirmed and you are signed into Terraform Cloud, you will be prompted to choose between two options. For this demo you need to select “Start from scratch”.

You will be prompted to create an organization and will need to enter an organization name; it can be anything you’d like. You will also need to enter an email, and I recommend the email used to create the Terraform Cloud account.

After creating an organization, the next step should be “Choose your workflow”. Leave this page up and open a new tab for the GCP console.

Once in the GCP console, open up Cloud Shell in the project you’re looking to integrate Terraform Cloud with. Then create a service account.

# Create the service account that Terraform Cloud will run as
gcloud iam service-accounts create {service_account_name} \
--description "service account for Terraform Cloud" \
--display-name "Terraform Cloud"

When the service account is created, a role will need to be bound to it. In an enterprise situation I would recommend creating a custom role for your service account. In this demo I am deploying a GCE instance, so I am assigning the predefined compute.instanceAdmin.v1 role.

# Bind the role to the service account at the project level
gcloud projects add-iam-policy-binding terraformclouddemo \
--member "serviceAccount:{service_account_email}" \
--role "{role}"

Next, you will need to generate a JSON key. This will be used for Terraform Cloud to execute runs. Once the JSON key is created, it will download to your local computer. I recommend renaming it for better visibility.

Be sure to create a JSON key

I renamed my key: tfdemo.json

Important: you need to format the JSON key into a single line for it to work as an environment variable in Terraform Cloud. Open your JSON key with vim.

vi tfdemo.json
press :
type %s;\n; ;g
press : again
type wq

The service account key will transform from multi-line to a single line.

Now to shift focus back to Terraform Cloud:

In Terraform Cloud UI, select “Version control workflow” and select your VCS provider. For this demo I will be using GitHub.

Follow the prompts to connect Terraform Cloud and GitHub.

Select the repository you wish to integrate with (I created “terraformdemo” prior to this).

When the workspace is created you will be prompted to “configure variables”. Proceed with configuring the variables; you will need to configure “environment variables”.

Select “Add variable”, and add the service account key here.

It is very important you name the key (inside Terraform Cloud) GOOGLE_CREDENTIALS, or else you will get an error. For the value, copy/paste your formatted JSON key, then select the “sensitive” box to ensure the value is not in plain text after saving.
P.S. I’ve noticed after copy/pasting the key it adds a blank line at the end in the Terraform Cloud value UI, and you will get an error if you do not backspace it out.
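The single-line formatting step and the trailing blank line noted above can also be handled by a script instead of vim. This is an added example, not part of the original post: the function name, the field check and the sample key are assumptions made for illustration, and the sample key is constructed, not a real credential.

```python
import json
import sys

# Fields a downloaded GCP service account key file carries (checked before pasting).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample input; the trailing blank lines mimic a copy/paste artifact.
SAMPLE_KEY = """{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED\\n-----END PRIVATE KEY-----\\n",
  "client_email": "terraform@example-project.iam.gserviceaccount.com"
}

"""


def compact_service_account_key(text: str) -> str:
    """Validate a key file and return it as one line with no trailing newline."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(key, dict):
        raise ValueError("key file must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError(f"unexpected key type: {key['type']!r}")
    # json.dumps never emits raw newlines: the line breaks inside private_key
    # stay as the two-character escape \n, so the PEM block survives intact.
    return json.dumps(key, separators=(",", ":"))


if __name__ == "__main__":
    # With a path argument, compact that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_KEY
    sys.stdout.write(compact_service_account_key(raw))  # no newline appended
```

Run it as `python3 compact_key.py tfdemo.json` (the script filename is hypothetical) and paste the output as the GOOGLE_CREDENTIALS value.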

Now that the Terraform Cloud workspace is created and connected to your VCS provider, you are ready to queue a plan (assuming you have Terraform files in your repository). Queuing a plan will trigger Terraform Cloud to scan the root directory of the repository. If you configured your environment variable correctly, there will be a “needs confirmation” in your run tab. Click “run” and Terraform Cloud will run the terraform plan. You need to verify the plan prior to running terraform apply, similar to the CLI.

If everything looks good with the plan, select “confirm and apply” to proceed with the run. A green checkmark means the resource was deployed. If there is an error, Terraform Cloud will show you in detail why the error is occurring.

Verify in the GCP console that the resource was deployed. In my demo I deployed a simple GCE instance.

Success!

Congratulations, you set up and deployed resources with Terraform Cloud!

Part 2 coming soon, where we build off this and add GitHub Actions for a full CI/CD pipeline

Bio: Jake has been in IT for 4 years and is currently an IT Engineer for Aunt Bertha. He currently holds a CompTIA S+, Google ACE certification, Google PCA certification and is pursuing the Terraform Associates certification.
