Create a Service Account for Terraform in GCP (Google Cloud Platform)

Before we start deploying our Terraform code for GCP (Google Cloud Platform), we will need to create and configure a Service Account in the Google Console.

In this example, we will create a master Service Account with permissions at Organization-level and Project-level.

  • Organization-level permissions are required to create resources at the Organization level, for example, Folders and Projects.
  • Project-level permissions are required to create resources at the project level, for example, Google Storage Accounts or VM instances.

Note: for demo purposes, we will create a Service Account with lots of permissions. Feel free to add or remove permissions to adapt it to your environment.

1. So, What is a Service Account?

A Service Account is a special kind of account used by an application (Terraform in this case) to make authorized API calls.

A Service Account is identified by its email address, which is unique to the account.

Two important differences between Service Accounts and User Accounts:

  • Service Accounts don’t have passwords, and cannot log in via browsers.
  • Service Accounts are associated with private/public RSA key-pairs that are used for authentication to Google.

2. Requirements:

We will need a Project in which to create our Service Account. If we already have a Project, jump to point 5.

We will also need an Organization resource as a prerequisite for using Folders or other resources at the Organization level. If we don’t need Organization-level resources, we can skip point 3.

3. Creating an Organization (optional)

We open our console; just below the hamburger icon at the top left, we will see our organization name. If we already have an organization, jump to the next step.

Google Cloud Organization

If we don’t have an organization, we will see "No organization" there instead, and we will need to create one.

Google Cloud No Organization

To create a new organization, we need to go to the IAM & Admin menu https://console.cloud.google.com/iam-admin and select the Identity & Organization option:

Then we have two options: use Cloud Identity or G Suite. The description of both services is in the image below. If our company already uses other Google products, the second is probably the better option.

4. Creating a Project (optional)

In this step, we will create a project to store our Service Account.

We click on the Organization name, located next to Google Cloud Platform.

Then we click on the NEW PROJECT button, give the project a name, and click the CREATE button.

5. Creating a Service Account

We select our root project, open the IAM & Admin menu, choose the Service Accounts option, and finally click the + Create Service Account button.

Google Cloud Service Accounts

We enter a name and description for the Service Account and click the CREATE button.

Create GCP Service Account

In this step, we grant the Service Account access to the project. We add the following Roles and click the CONTINUE button.

  • Organization Administrator
  • Storage Admin → Full access to Google Cloud Storage
  • Compute Admin → Full control of Compute Engine resources (Virtual Machines)
  • Kubernetes Engine Admin → Full management of Kubernetes Clusters

Note: feel free to add or remove roles as needed.

In the last step, we grant users access to the Service Account.

We click on the + CREATE KEY button to generate our authentication key file. This key in JSON format will be used by Terraform to authenticate to GCP.

We download the JSON file and store it in a secure folder or vault.

We click on the Done button to finish creating the Service Account, and here is our new Service Account:

Finally, we copy the email address; we will need it in the next step.

6. Giving Organization Permissions to the Service Account (optional)

In this step, we give our Service Account the permissions required at the Organization level.

We click on the Identity & Organization option, under the IAM & Admin menu, select our Organization, and click on the SELECT button.

Next, we click on the SET PERMISSIONS button, located under Set Permissions, to grant permissions to our Service Account.

We click on the + Add button.

We paste the email address, add the member to the following roles, and click the SAVE button.

  • Folder Admin
  • Billing Account Administrator
  • Service Usage Admin
  • Project Creator
  • Logging Admin

7. Enabling Required APIs

In this step, we will enable several APIs required to run our Terraform scripts.

Note: again, you may need to enable other APIs or keep some of these APIs disabled.

7.1. Enabling the Cloud Resource Manager API

We select our root project, type cloud resource in the search box and select Cloud Resource Manager API,

and we click on the ENABLE button to enable the API.

7.2. Enabling the Cloud Billing API

We select our root project, type cloud billing in the search box and select Cloud Billing API,

and we click on the ENABLE button to enable the API.

7.3. Enabling the Identity and Access Management (IAM) API

We select our root project, type Identity and Access Management in the search box and select Identity and Access Management (IAM) API,

and we click on the ENABLE button to enable the API.

8. Configuring the Terraform Provider File

In this step, we configure the Terraform and GCP providers. Providers create, manage, and update infrastructure resources through API calls.

Note: for clarity, we will create two files: provider-variables.tf and provider-main.tf. You are free to incorporate the code into main.tf and variables.tf, or to combine everything in a single file.

We create the provider-variables.tf file and add the following code to the file:

# GCP authentication file
variable "gcp_auth_file" {
  type        = string
  description = "GCP authentication file"
}

# define GCP region
variable "gcp_region" {
  type        = string
  description = "GCP region"
}

# define GCP project name
variable "gcp_project" {
  type        = string
  description = "GCP project name"
}

Then we create the provider-main.tf file and add the following code:

terraform {
  required_version = ">= 0.12"
}

provider "google" {
  project     = var.gcp_project
  credentials = file(var.gcp_auth_file)
  region      = var.gcp_region
}

Finally, we set the values of the provider variables in the terraform.tfvars file:

# GCP Settings
gcp_project = "kopicloud-root"
gcp_region = "europe-west4"
gcp_auth_file = "../auth/artful-wind-277808-8fa36bbabd8c.json"
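To see the Organization-level roles from step 6 and the APIs from step 7 actually exercised, here is an added example (not part of the original post) that uses the provider files above to create a Folder, a Project under it, and enable the same three APIs in that new Project. The variables gcp_org_id and gcp_billing_account, their placeholder default values, and the resource names are assumptions for this example; the comments map each resource to the role that permits it.

```hcl
# Added example: assumes provider-main.tf and provider-variables.tf from
# this post sit in the same directory. The organization and billing account
# IDs below are placeholders, not real values.

variable "gcp_org_id" {
  type        = string
  description = "Numeric Organization ID (placeholder, replace with yours)"
  default     = "000000000000"
}

variable "gcp_billing_account" {
  type        = string
  description = "Billing account ID (placeholder, replace with yours)"
  default     = "000000-000000-000000"
}

# Requires the Folder Admin role granted at the Organization level (step 6).
resource "google_folder" "terraform" {
  display_name = "terraform-managed"
  parent       = "organizations/${var.gcp_org_id}"
}

# Requires Project Creator (to create the project under the folder) and
# Billing Account Administrator (to attach the billing account).
resource "google_project" "workload" {
  name            = "kopicloud-workload"
  project_id      = "kopicloud-workload-001" # must be globally unique
  folder_id       = google_folder.terraform.name
  billing_account = var.gcp_billing_account
}

# Requires Service Usage Admin. Enables in the new project the same three
# APIs that step 7 enabled by hand in the root project, so Terraform can
# manage IAM, billing and resource hierarchy there as well.
resource "google_project_service" "apis" {
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "cloudbilling.googleapis.com",
    "iam.googleapis.com",
  ])

  project            = google_project.workload.project_id
  service            = each.key
  disable_on_destroy = false
}
```

Running terraform plan with the Service Account key from step 5 shows which of these resources it is allowed to create; a permission error on a specific resource points directly at the missing role from the list in step 6.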

And that’s all folks. If you liked this story, please show your support by 👏 for this story. Thank you for reading!
