Terraform with GCP

Skill for Terraform with GCP — auto-generated from documentation

infrastructure
by skynet v1.0.0
terraform-gcp, infrastructure, auto-generated

Compatible Agents

claude-code, codex, gemini

Instruction

---
name: Terraform with GCP
description: Use when you need to provision, manage, or destroy Google Cloud Platform infrastructure using Infrastructure as Code. Essential for GCP resource automation, environment consistency, and scalable cloud deployments.
metadata:
  author: skynet
  version: 1.0.0
  category: infrastructure
---

# Terraform with GCP

## Setup and Authentication

### Install and Configure

```bash
# Install Terraform (apt-key is deprecated; the key is scoped to this repository via signed-by)
curl -fsSL https://apt.releases.hashicorp.com/gpg | \
  sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
  sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update && sudo apt-get install terraform

# Install gcloud CLI
curl https://sdk.cloud.google.com | bash
exec -l "$SHELL"
gcloud init

# Authenticate for Terraform
gcloud auth application-default login
```

### Provider Configuration

```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0"
    }
  }
  required_version = ">= 1.0"
}

provider "google" {
  project = var.project_id
  region  = var.region
  zone    = var.zone
}
```

## Core Workflow Commands

### Project Initialization

```bash
# Initialize new project
terraform init

# Initialize with backend configuration
terraform init -backend-config="bucket=my-tf-state-bucket"

# Upgrade providers
terraform init -upgrade
```

### Planning and Deployment

```bash
# Create execution plan
terraform plan -var-file="terraform.tfvars"

# Apply with auto-approve (skips the interactive review of the plan)
terraform apply -auto-approve

# Apply specific target
terraform apply -target=google_compute_instance.web_server

# Destroy infrastructure
terraform destroy -var-file="terraform.tfvars"
```

## Common GCP Resources

### Compute Engine Instance

```hcl
resource "google_compute_instance" "web_server" {
  name         = "web-server"
  machine_type = "e2-medium"
  zone         = var.zone

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
      size  = 20
      type  = "pd-standard"
    }
  }

  network_interface {
    network = "default"

    access_config {
      # Ephemeral public IP
    }
  }

  metadata_startup_script = file("startup-script.sh")

  tags = ["web-server", "http-server"]
}
```

### VPC Network and Firewall

```hcl
resource "google_compute_network" "vpc_network" {
  name                    = "my-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  name          = "my-subnet"
  ip_cidr_range = "10.0.0.0/24"
  region        = var.region
  network       = google_compute_network.vpc_network.id
}

resource "google_compute_firewall" "allow_http" {
  name    = "allow-http"
  network = google_compute_network.vpc_network.name

  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }

  # Ingress from any address, limited to instances tagged "http-server"
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["http-server"]
}
```

### Cloud Storage Bucket

```hcl
resource "google_storage_bucket" "static_site" {
  name     = "${var.project_id}-static-site"
  location = "US"

  # force_destroy lets `terraform destroy` delete the bucket even when it still holds objects
  force_destroy = true

  uniform_bucket_level_access = true

  website {
    main_page_suffix = "index.html"
    not_found_page   = "404.html"
  }

  # Any origin may use these methods cross-origin; narrow origin and method to what the site needs
  cors {
    origin          = ["*"]
    method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
    response_header = ["*"]
    max_age_seconds = 3600
  }
}
```

## State Management

### Remote State with Cloud Storage

```hcl
terraform {
  backend "gcs" {
    bucket = "my-terraform-state-bucket"
    prefix = "terraform/state"
  }
}
```

### State Commands

```bash
# Show current state
terraform show

# List resources in state
terraform state list

# Import existing resource
terraform import google_compute_instance.example projects/my-project/zones/us-central1-a/instances/my-instance

# Remove resource from state
terraform state rm google_compute_instance.example

# Move resource in state
terraform state mv google_compute_instance.old google_compute_instance.new
```

## Decision Tree: Resource Selection

```
Infrastructure Need?
├── Compute Workload?
│   ├── Containers → GKE (google_container_cluster)
│   ├── Serverless → Cloud Run (google_cloud_run_service)
│   └── VMs → Compute Engine (google_compute_instance)
├── Storage Need?
│   ├── Object Storage → Cloud Storage (google_storage_bucket)
│   ├── Database → Cloud SQL (google_sql_database_instance)
│   └── File System → Filestore (google_filestore_instance)
└── Networking?
    ├── Load Balancing → Load Balancer (google_compute_global_forwarding_rule)
    ├── VPN → VPN Gateway (google_compute_vpn_gateway)
    └── Custom Network → VPC (google_compute_network)
```

## Advanced Patterns

### Variable Configuration

```hcl
# variables.tf
variable "project_id" {
  description = "GCP Project ID"
  type        = string
}

variable "region" {
  description = "GCP Region"
  type        = string
  default     = "us-central1"
}

# Referenced as var.zone by the provider and instance blocks above
variable "zone" {
  description = "GCP Zone"
  type        = string
  default     = "us-central1-a"
}

variable "instance_config" {
  description = "Instance configuration"
  type = object({
    machine_type = string
    disk_size    = number
    image        = string
  })
  default = {
    machine_type = "e2-medium"
    disk_size    = 20
    image        = "debian-cloud/debian-11"
  }
}
```

### Data Sources

```hcl
data "google_compute_zones" "available" {
  region = var.region
}

data "google_compute_image" "debian" {
  family  = "debian-11"
  project = "debian-cloud"
}

resource "google_compute_instance" "example" {
  name         = "example"
  machine_type = "e2-medium"
  zone         = data.google_compute_zones.available.names[0]

  boot_disk {
    initialize_params {
      image = data.google_compute_image.debian.self_link
    }
  }

  # network_interface is a required block; without access_config the VM gets no external IP
  network_interface {
    network = "default"
  }
}
```

## Troubleshooting

### Common Errors and Solutions

**Error: `quota exceeded`**

```bash
# Check quota usage
gcloud compute project-info describe --project=PROJECT_ID

# Request quota increase through console or:
gcloud alpha compute quotas list --filter="region:(us-central1)"
```

**Error: `insufficient permissions`**

```bash
# Check current permissions
gcloud auth list
gcloud config get-value account

# Re-authenticate
gcloud auth application-default login

# Set correct project
gcloud config set project PROJECT_ID
```

**Error: `resource already exists`**

```bash
# Import existing resource
terraform import RESOURCE_TYPE.RESOURCE_NAME RESOURCE_ID

# Example:
terraform import google_compute_instance.web projects/my-project/zones/us-central1-a/instances/web
```

### Debug Commands

```bash
# Enable verbose logging
export TF_LOG=DEBUG
terraform plan

# Validate configuration
terraform validate

# Format configuration
terraform fmt -recursive

# Check for security issues
terraform plan | grep -i "force_destroy\|public"
```

### State Recovery

```bash
# Backup current state (pulls from the configured backend; state can hold secrets
# in plain text, so keep the copy out of version control)
terraform state pull > terraform.tfstate.manual-backup

# Refresh state from real infrastructure (replaces the deprecated `terraform refresh`)
terraform apply -refresh-only

# Force unlock state (if locked)
terraform force-unlock LOCK_ID
```
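
The `terraform plan | grep -i "force_destroy\|public"` check under Debug Commands matches words in the human-readable plan, so it does not catch the firewall's `0.0.0.0/0` source range or the wildcard CORS origin defined earlier in this skill. The following is an added example, not part of the original skill or of Terraform: it audits the JSON plan instead. The `audit_plan` function and its rule names are hypothetical, and the sample plan is constructed.

```python
import json

# Constructed sample: trimmed `terraform show -json` output for resources
# defined in this skill (nested blocks appear as lists of objects).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "google_compute_firewall.allow_http", "type": "google_compute_firewall",
     "change": {"actions": ["create"], "after": {
         "source_ranges": ["0.0.0.0/0"], "target_tags": ["http-server"],
         "allow": [{"protocol": "tcp", "ports": ["80", "443"]}]}}},
    {"address": "google_storage_bucket.static_site", "type": "google_storage_bucket",
     "change": {"actions": ["create"], "after": {
         "force_destroy": True, "uniform_bucket_level_access": True,
         "cors": [{"origin": ["*"], "method": ["GET", "HEAD", "PUT", "POST", "DELETE"]}]}}},
    {"address": "google_compute_instance.web_server", "type": "google_compute_instance",
     "change": {"actions": ["create"], "after": {
         "network_interface": [{"network": "default", "access_config": [{}]}]}}},
    {"address": "google_compute_instance.example", "type": "google_compute_instance",
     "change": {"actions": ["delete"], "after": None}},
]})

WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH", "*"}


def audit_plan(plan_json):
    """Return sorted (address, rule) findings for resources the plan creates or updates."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after") or {}  # `after` is null for deletes
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        addr, rtype = rc["address"], rc["type"]
        if rtype == "google_compute_firewall":
            ingress = (after.get("direction") or "INGRESS") == "INGRESS"
            world = {"0.0.0.0/0", "::/0"} & set(after.get("source_ranges") or [])
            if ingress and world and after.get("allow"):
                findings.append((addr, "ingress-from-any-address"))
        elif rtype == "google_storage_bucket":
            if after.get("force_destroy"):
                findings.append((addr, "force-destroy-enabled"))
            for cors in after.get("cors") or []:
                if "*" in (cors.get("origin") or []) and WRITE_METHODS & set(cors.get("method") or []):
                    findings.append((addr, "cors-any-origin-with-write-methods"))
        elif rtype == "google_compute_instance":
            for nic in after.get("network_interface") or []:
                if nic.get("access_config"):
                    findings.append((addr, "external-ip-attached"))
    return sorted(findings)
```

On a real configuration, produce the input with `terraform plan -out=tfplan` followed by `terraform show -json tfplan`, and review each finding against what the resource is meant to expose.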

Install

curl -s https://skills.skynet.ceo/api/skills/terraform-gcp/skill.md