Terraform for Google Cloud Essential Guide E-Book

Terraform for Google Cloud Essential Guide

Learn how to provision infrastructure in Google Cloud securely and efficiently

Bernd Nordhausen

BIRMINGHAM—MUMBAI

Terraform for Google Cloud Essential Guide

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Rahul Nair

Publishing Product Manager: Niranjan Naikwadi

Content Development Editor: Sujata Tripathi

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Project Coordinator: Sean Lobo

Proofreader: Safis Editing

Indexer: Tejal Daruwale Soni

Production Designer: Aparna Bhagat

Senior Marketing Coordinator: Nimisha Dua

Marketing Coordinator: Gaurav Christian

First published: January 2023

Production reference: 1161222

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80461-962-9

www.packt.com

Contributors

About the author

Bernd Nordhausen is an independent cloud consultant and Google Cloud trainer. He is a seasoned cloud architect with over 25 years of experience working with industry leaders such as Intel and Accenture. He holds over a dozen cloud certifications from all three major cloud service providers.

Bernd was previously the technical lead for the Google Cloud practice at Accenture Southeast Asia. In that role, he developed and implemented several large-scale deployments on Google Cloud using Terraform.

In a different century, Bernd received his B.Sc. in mathematics from the University of Alabama, and his M.Sc. and Ph.D. in computer science from the University of California, Irvine. When his head is not in the cloud, Bernd is an aspiring woodworker and trail runner. He also has a website where he talks more about his work, expertise, services and life at https://www.nordhausenconsulting.com/

I’d like to thank Packt for reaching out and encouraging me to write this book, and then for the great people they brought in to help. I particularly want to thank Radek Simko for his excellent feedback. His input made this book what it is.

About the reviewer

Radek Simko is a senior software engineer at HashiCorp. He has been involved in various parts of the Terraform ecosystem for the last 5 years. He has contributed to maintaining the AWS provider, created the official Kubernetes provider, and bootstrapped the initial decoupled version of the plugin SDK. Since early 2020, he has been focusing on improving support for Terraform in editors via a dedicated language server. Prior to HashiCorp, he worked at Time Inc. for over 3 years, where he pioneered Terraform and proposed a number of bug fixes and features externally as an open-source contributor. Radek was born and raised in the Czech Republic, but he calls the UK his second home and enjoys traveling in his free time.

Table of Contents

Preface

Part 1: Getting Started: Learning the Fundamentals

1

Getting Started with Terraform on Google Cloud

Technical requirements

The rise of DevOps

Infrastructure as Code

Terraform

Running Terraform in Google Cloud Shell

Terraform language

Terraform workflow

Running Terraform in your local environment

Authentication using a service account

Authentication using a service account and environment variable

Service account impersonation

Parameterizing Terraform

Comparing authentication methods

Summary

2

Exploring Terraform

Technical requirements

Understanding the Terraform state

Interacting with the Terraform state

Understanding destructive changes

Avoiding configuration drift

Additional state commands

Using the backend state

Understanding Terraform meta-arguments

The provider meta-argument

The count meta-argument

The for_each meta-argument

The depends_on meta-argument

The lifecycle meta-argument

Using the self_link attribute

Summary

3

Writing Efficient Terraform Code

Technical requirements

Terraform types and values

Using Terraform expressions

Dynamic blocks

Conditional expressions

Terraform functions

Referencing existing data using data sources

Using output values

Tips to develop Terraform code efficiently

Summary

4

Writing Reusable Code Using Modules

Technical requirements

Building modules

Writing flexible modules

Sharing modules using Google Cloud Storage and Git repositories

Using public module repositories

Summary

5

Managing Environments

Technical requirements

Google resource hierarchy

Using workspaces to manage environments

Using a directory structure to manage environments

Using remote states

Using template files

Managing Terraform at scale

Summary

Part 2: Completing the Picture: Provisioning Infrastructure on Google Cloud

6

Deploying a Traditional Three-Tier Architecture

Technical requirements

Overview

Laying the foundation

Provisioning the database

Provisioning a MIG and global load balancer

Summary

7

Deploying a Cloud-Native Architecture Using Cloud Run

Technical requirements

Overview

Provisioning Redis and connecting it via a VPC connector

Using Terraform to configure a flexible load balancer for Cloud Run

Using Terraform to provision Cloud Run services

To Terraform or not to Terraform

Summary

8

Deploying GKE Using Public Modules

Technical requirements

Overview

Developing a variable strategy

Provisioning a network using the public module

Provisioning a GKE cluster using the public module

Using workspaces to deploy to development and production environments

Summary

Part 3: Wrapping It Up: Integrating Terraform with Google Cloud

9

Developing Terraform Code Efficiently

Technical requirements

VS Code Terraform Extension

Syntax highlighting and validation

Intelligent auto-completion

Code navigation

tflint

Checkov

Terragrunt

Summary

10

Google Cloud Integration

Technical requirements

Using Terraform with Cloud Build

Building a service catalog with Terraform solutions

Importing and exporting Terraform resources

Google Cloud export

Summary

Closing thoughts

Index

Other Books You May Enjoy

Part 1: Getting Started: Learning the Fundamentals

The first part covers the fundamentals of Terraform for Google Cloud. We start with an overview of Infrastructure as Code and Terraform, then show four methods to authenticate Terraform with Google Cloud. We introduce the Terraform workflow and go in-depth into the Terraform state file, which is essential to understand how Terraform operates. Chapter 3 introduces some of the unique concepts of the Terraform language that help to write Terraform code. Chapter 4 introduces Terraform modules so you can reuse and share Terraform code and utilize public Terraform modules. There are two main methods of managing multiple environments such as development, testing, and production in Terraform. Chapter 5 details both of them and discusses the pros and cons of each approach.

Throughout Part 1, we use simple but realistic code examples to focus on the language concepts. After reading Part 1, you will have a thorough understanding of the Terraform language and its inner workings, so you can build complex deployments in Google Cloud using Terraform.

This part of the book comprises the following chapters:

1

Getting Started with Terraform on Google Cloud

Let us start with a brief introduction to DevOps and the central role of Infrastructure as Code (IaC) in this emerging software development practice. Then, we will discuss why Terraform has emerged as the de facto IaC tool and why knowing Terraform is essential for any aspiring cloud engineer and cloud architect. After that, you will learn how to use Terraform to provision resources in Google Cloud.

Thus, by the end of the chapter, you will better understand why you should use Terraform to provision cloud infrastructure. You’ll also have learned how to authenticate Terraform and provision your first Google Cloud resources using Terraform.

In this chapter, we are going to cover the following main topics:

Technical requirements

This chapter and the remainder of this book require you to have a Google Cloud account. You can use an existing Google Cloud project, but we recommend creating a new clean project for you to follow along. You should also have the Google Cloud command-line interface (CLI) installed on your local PC and be familiar with basic gcloud commands. Please see https://cloud.google.com/sdk/docs/install for detailed instructions on how to download the CLI.

Of course, we are using Terraform. Terraform is available on all common operating systems and is easy to install. You can download the version for your operating system at https://www.terraform.io/downloads. HashiCorp is constantly improving the tool by providing updates and upgrades. For the writing of this book, we are using v1.3.3. The code should work with any version greater than v.1.3.0. However, we suggest you download this particular version if you run into any issues.

The source code for this chapter and all other chapters is available at https://github.com/PacktPublishing/Terraform-for-Google-Cloud-Essential-Guide.

We recommend that you download the code, enabling you to follow along. We organized the code into analogous chapters and sections and indicated the appropriate subdirectories.

The rise of DevOps

The rise of cloud computing since mid-2000 has been spectacular. Hardly a month goes by without the three hyperscalers (Amazon Web Services (AWS), Azure, and Google Cloud) announcing the opening of a new data center region. Cloud computing—in particular, public cloud—offers an incredible array of technologies at a nearly infinite scale. This has led to a new way of deploying and operating IT. DevOps combines two areas that were traditionally distinct phases in software development—development and operations. DevOps aims to deliver software at a much faster pace than the traditional Waterfall model was able to. By combining historically distinct phases and teams, DevOps methodology can deliver software much more rapidly and with higher quality than traditional software methodology.

One key aspect of DevOps is automation. Combining several separate tools into a pipeline, we can deliver software from development to production with minimal human intervention. This concept of continuous integration and continuous delivery, usually referred to as CI/CD, integrates managing source code, provisioning the IT infrastructure, compiling (if necessary), packaging, testing, and deploying into a pipeline. A CI/CD pipeline requires automation at every step to execute efficiently.

Infrastructure as Code

Automating the provisioning of the IT infrastructure is a key component of a CI/CD pipeline and is known as IaC. In traditional on-prem computing, servers and networking infrastructure provision was a long-drawn and manual process. It started with ordering IT hardware, the physical setup of the hardware, and configuration, such as installing the operating system and configuring the network infrastructure. This process would often take weeks or months. Virtualization somewhat helped the process, but the provisioning of the infrastructure would generally still fall onto a separate team before developers could start deploying the fruit of their labor into a test environment, much less a production one.

The rise of cloud computing shortened this process from months to days and even hours. Infrastructure can now be provisioned through a graphical user interface (GUI) known as the web console. Initially, this was a straightforward process as the number of services and configuration options were manageable. However, as more services became available and the configuration options increased exponentially, provisioning networks, servers, databases, and other managed services became tedious and error-prone.

A key objective in DevOps is to have essentially identical environments. That is, the development, test, and production environments should be the same except for some minor configuration changes; for example, the database in development and production should be identical except for the number of CPUs and the size of memory.

However, configuring complex environments using the web console is tedious and error prone. Using what is sometimes derided as ClickOps, the provisioning of even a medium-complex environment requires hundreds, if not thousands, of user interactions or clicks.

Using a CLI can help with configuring multiple environments. One can develop scripts that combine multiple CLI commands into a single executable. However, managing and making changes is next to impossible using a CLI.

Enter IaC. IaC is the provisioning of infrastructure using code rather than a web console or a CLI. For example, you can write code to achieve the same step instead of using the web console and going through several manual steps to provision a server. For example, the main.tf file featured in this chapter shows the configuration of a server with the Debian operating system. The server, called cloudshell, is an e2-micro instance placed in the us-central1-a region.

Once you have the code, you can reuse it repeatedly. That is, you can deploy many servers with minimal or no change. Since, it is regular code, you can use version control and source code revision systems to manage your code. This facilitates effective teamwork.

Furthermore, IaC can be integrated into a CI/CD pipeline, including testing and validation. That is, you can validate and test the provisioning of servers before they are deployed. Thus, you can provision complex infrastructure involving hundreds of servers, complex networking, and multiple services within minutes rather than days or weeks. Ultimately, this makes the software development release process faster and more secure, which is precisely the objective of DevOps.

A CI/CD pipeline includes many steps besides IaC. One of the steps is configuration management, which includes configuring servers such as installing updates, libraries, and code. Ansible, Puppet, and Chef are common configuration management tools. Some overlap exists between configuration management tools and IaC tools. Configuration management tools can provision some infrastructure, while IaC tools perform some configuration tasks. However, infrastructure provisioning and configuration management should generally be considered two separate steps better served by different tools.

Terraform

Terraform has become the most popular IaC tool in recent years. While each cloud platform has its proprietary IaC tool (AWS has CloudFormation, Azure has Azure Resource Manager, and Google Cloud has Deployment Manager), Terraform is unique in that it is platform agnostic. You can use Terraform to provision infrastructure in any cloud provider and for many other platforms such as vSphere and Google Workspace.