Automating GCP projects creation with Terraform

Felipe Martinez
Nov 17, 2019

If you have experience working with AWS and you stumble across GCP, bear in mind that it follows a really different approach to project structure.

Usually, an AWS enterprise customer will have a root account and separate accounts for each environment, i.e. Dev, Staging, pre-prod, prod.

With GCP, those concepts are a bit different. First, you need to create an Organization based on your domain. You can find more information about how to do it here.

Within the organization, you will be able to create folders and Projects. Folders will help you to isolate requirements for different departments and teams in the parent organization. You can similarly use folders to separate production resources from development resources.

At the bottom of the hierarchy, you will find projects. Projects contain the computing, storage, and networking resources that constitute your apps.

It is a good practice to use IaC when possible. Also, treating your configuration as code allows you to version and manage the lifecycle of your configuration alongside your software artifacts.

Another good practice is to automate the creation and management of your resources, so you will get benefits such as consistency, reproducibility, and testability. As your requirements evolve, automation also simplifies the refactoring of your projects.

We will use Terraform in our examples, as it is one of the most widely used tools on the market and really easy to work with.

Let’s get it started

To achieve this goal with Terraform, we will need a Seed Project and a Seed Service Account with the necessary roles, and we will need to enable the necessary APIs in the Seed Project.

Let's create our main project through the CLI. To keep the code functional, I will not set the organization ID.

First, let’s create the project.

export SEED_PROJECT_ID="seed-project"
gcloud projects create "${SEED_PROJECT_ID}" --set-as-default
gcloud beta billing projects link "${SEED_PROJECT_ID}" --billing-account <billing_account_id>

Next, create the service account and grant the permissions needed:

gcloud iam service-accounts create terraform --display-name "Terraform admin account"
gcloud iam service-accounts keys create ~/.config/gcloud/terraform.json --iam-account terraform@${SEED_PROJECT_ID}.iam.gserviceaccount.com
gcloud projects add-iam-policy-binding ${SEED_PROJECT_ID} --member serviceAccount:terraform@${SEED_PROJECT_ID}.iam.gserviceaccount.com --role roles/viewer
gcloud projects add-iam-policy-binding ${SEED_PROJECT_ID} --member serviceAccount:terraform@${SEED_PROJECT_ID}.iam.gserviceaccount.com --role roles/storage.admin
gcloud projects add-iam-policy-binding ${SEED_PROJECT_ID} --member serviceAccount:terraform@${SEED_PROJECT_ID}.iam.gserviceaccount.com --role roles/editor

As you can see above, the credentials Terraform will use are stored in the file ~/.config/gcloud/terraform.json

You will also need to enable some APIs in order to use Terraform:

gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudbilling.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable compute.googleapis.com

Now, you should be good to go.
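
The seed service account set up above receives roles/viewer, roles/storage.admin and roles/editor, and roles/editor is a basic role that already includes everything roles/viewer grants. The shell check below is an added example, not part of the original post: it reads a project's IAM bindings as role,member lines and flags service accounts that hold basic roles. The function name audit_sa_roles and the sample bindings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Input: one "role,member" pair per line, expected to come from
#   gcloud projects get-iam-policy "${SEED_PROJECT_ID}" \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"

# Constructed sample: the three grants made for the Terraform service
# account in this post, plus one human owner that must not be flagged.
SAMPLE_BINDINGS='roles/viewer,serviceAccount:terraform@seed-project.iam.gserviceaccount.com
roles/storage.admin,serviceAccount:terraform@seed-project.iam.gserviceaccount.com
roles/editor,serviceAccount:terraform@seed-project.iam.gserviceaccount.com
roles/owner,user:admin@example.com'

# audit_sa_roles: reads role,member lines on stdin.
# Prints "BASIC <role> <member>" for every service account bound to a
# basic role (owner/editor/viewer) and "REDUNDANT roles/viewer <member>"
# when that account also holds editor or owner.
# Returns 0 if nothing was flagged, 1 otherwise.
audit_sa_roles() {
  findings=$(awk -F, '
    $2 ~ /^serviceAccount:/ {
      if ($1 == "roles/owner" || $1 == "roles/editor" || $1 == "roles/viewer")
        print "BASIC " $1 " " $2
      if ($1 == "roles/owner" || $1 == "roles/editor") broad[$2] = 1
      if ($1 == "roles/viewer") viewer[$2] = 1
    }
    END {
      for (m in viewer) if (m in broad) print "REDUNDANT roles/viewer " m
    }')
  [ -z "$findings" ] && return 0
  # Sort so the report is stable regardless of awk array ordering.
  printf '%s\n' "$findings" | LC_ALL=C sort
  return 1
}

# Demo on the constructed sample; "|| true" keeps the script's exit status
# clean because findings are expected here.
printf '%s\n' "$SAMPLE_BINDINGS" | audit_sa_roles || true
```

Run against the real seed project, a non-zero return is the signal to replace roles/editor with the specific predefined roles Terraform needs.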

Terraform Files

provider.tf

provider "google" {
  version = "~> 2.18.1"
}

main.tf

resource "google_project" "my_project" {
  name       = "My Project"
  project_id = "your-project-id"
  org_id     = "1234567"
}

Be aware that the project ID needs to be unique in GCP!

To finalize, we just need to run the commands:

terraform init
terraform plan
terraform apply # if you agree with the plan above :)

That’s all folks.

Let me know what you think!
