Skip to content

quick and dirty Terraform service account setup for Individual account types

License

Notifications You must be signed in to change notification settings

todd-dsm/gcp-tf-admin-indi

Repository files navigation

gcp-tf-admin-indi

This is based on a great piece, Managing GCP Projects with Terraform, by the community. Unfortunately it's:

  • matured and not all the steps work as expected.
  • definitely made for Business accounts.

As a result, had a weird time auth'ing Terraform to build stuff; thought I would save others the first few steps.

Before you begin

There are 2 types of accounts in the GCP world:

  • Individual
  • Business (organizational hierarchy)

This walk-through assumes you already have a GCP account for an Individual with billing already setup.

This walk-through assumes a POSIX-like workstation; either macOS or Linux.

It assumes the first (admin) user is configured, authenticated and authorized to perform the first few steps.

You can assume that I'm just starting out and, therefore, this is a very narrow view of the world and, in all likelihood, there is a better way to solve.

Leftovers

When this is over you should have a few things, a:

  • quick test for Terraform credentials and access
  • build pattern which, I'm not proud of but, illustrates a flow.
  • templated setup for quick building

Pregame

  • You must have a GCP account
  • You must have a payment type input (debit/credit card)
  • That project must be configured in the shell with gcloud
  • You must be authenticated with gcloud

NOTE: think about the names you assign to projects; they shouldn't be too revealing.

Installs

To get going, we need a few things:

Homebrew after all, we're not savages.

brew cask install --force google-cloud-sdk

brew install terraform

gsutil for managing Google Storage from the CLI

The configurations are coming soon to the wiki; not there yet.

Do the Work

NOTES:

  • this should be done in 1 shell. ;-)
  • if you see anything weird, check the issues in this repo, even the closed ones.

git clone [email protected]:todd-dsm/gcp-tf-admin-indi.git && cd gcp-tf-admin-indi/

Source-in your env vars by passing an argument to the script. The argument is your deployment environment; E.G.: stage, prod, etc

source setup/env-vars.sh stage

This file will discover your Project ID, Billing ID and other relevant details. Check the output. If the Project is not configured in the terminal and Billing is not setup in the WebUI do that now and re-run the step above or subsequent steps will exit.

Run the script

setup/create-tf-admin.sh 2>&1 | tee /tmp/create-tf-admin.out

set -x is turned on; you'll be able to see all the gory details on-screen and in the log.

Now your admin user [email protected] account is associated with a service account and you can run Terraform with it.

cat ~/.config/gcloud/tf-{TF_VAR_currentProject}.json to see the service account details.

There seems to be a bug in gcloud and it will not recognize the GOOGLE_APPLICATION_CREDENTIALS value from the export at the end of the script. Just drop it in your ~/.bashrc file: (example)

grep GOOGLE ~/.bashrc
export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.config/gcloud/tf-myProjectID.json"

and source it in: source ~/.bashrc. for some reason that's the only way it will work.

Terraform

For reasons you'll come to find on your own, the Terraform bits have been abstracted away to a Makefile. To run it:

Initialize

$ make tf-init 
terraform init -get=true

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "google" (1.19.1)...
- Downloading plugin for provider "random" (2.0.0)...
...
* provider.google: version = "~> 1.19"
* provider.random: version = "~> 2.0"
...
Terraform has been successfully initialized!

Plan

$ make plan
...
terraform plan -no-color \
	-out=/tmp/kubes-stage-la.plan 2>&1 | tee /tmp/tf-stage-la-plan.out
Acquiring state lock. This may take a few moments...
Refreshing Terraform state in-memory prior to plan...
...
------------------------------------------------------------------------

This plan was saved to: /tmp/kubes-stage-la.plan

To perform exactly these actions, run the following command to apply:
    terraform apply "/tmp/kubes-stage-la.plan"

Apply

$ make apply
...
terraform apply --auto-approve -no-color \                                 
    -input=false /tmp/kubes-stage-la.plan 2>&1 | tee /tmp/tf-stage-la-plan.out

This will apply the plan, create a log of the proceedings and store state in the bucket; it takes about 20 seconds. To see the backup:

$ gsutil ls -r gs://${TF_VAR_currentProject}
gs://${TF_VAR_currentProject}/terraform/:

gs://${TF_VAR_currentProject}/terraform/state/:
gs://${TF_VAR_currentProject}/terraform/state/default.tfstate  <-- your state!

Destroy the Terraformed configuration

This will destroy remote resources from GCP, sync the state again and remove local stuff; it takes about 15 seconds.

terraform destroy --force -auto-approve 2>&1 | \
	tee /tmp/tf-stage-la-destroy.out

Destroy complete!
rm -f "/tmp/kubes-stage-la.plan"
rm -rf .terraform

Afterwards

You're left with a project-specific Terraform service account that you can use to build stuff. That service account is empowered to do most everything it needs to. If not, it's generally a matter of enabling more APIs.

Effectively, you're ready to start terraforming.

Challenge

Set a DNS A Record for the host. Output the A Record, then use it to login.

About

quick and dirty Terraform service account setup for Individual account types

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published