Forem: Abraham Naiborhu The latest articles on Forem by Abraham Naiborhu (@abrahamparn). https://forem.com/abrahamparn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2683454%2F646ff8d2-3b9f-4e5f-a7b3-425aecb33cdd.jpeg Forem: Abraham Naiborhu https://forem.com/abrahamparn en Terraform Drift Detection and Recovery on Google Cloud: Plan, Import, State, and GitHub Actions Abraham Naiborhu Tue, 26 May 2026 09:06:50 +0000 https://forem.com/abrahamparn/terraform-drift-detection-and-recovery-on-google-cloud-plan-import-state-and-github-actions-3a83 https://forem.com/abrahamparn/terraform-drift-detection-and-recovery-on-google-cloud-plan-import-state-and-github-actions-3a83 <p>Hi! so this is my fourth terraform artefact. I'd like to say that creating infrastructure with Terraform is one thing, but using Terraform when reality changes outside the code is another thing.</p> <p>For the fourth artifact in my Terraform x Google Cloud portfolio, I wanted to explore a more operational topic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform drift detection, import, and state recovery. </code></pre> </div> <p>In this project, i will not be building a large infrastructure platform. This project is about understanding what happens when:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>someone changes infrastructure manually Terraform state no longer matches real infrastructure an existing resource needs to be imported a resource is accidentally removed from state drift needs to be detected automatically </code></pre> </div> <p>The artifact repository:</p> <p><a href="https://github.com/abrahamparn/terraform-gcp-drift-import-recovery" rel="noopener noreferrer">terraform-gcp-drift-import-recovery</a></p> <p>The main goal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Understand Terraform failure modes, not only Terraform provisioning. </code></pre> </div> <h2> Why I Built This Artifact </h2> <p>My previous Terraform artifacts focused on building and delivering infrastructure.</p> <p>The portfolio journey looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Artifact 1 — Terraform GCP Foundation Artifact 2 — Production-Lite GCP Web Platform Artifact 3 — Terraform CI/CD with GitHub Actions and WIF Artifact 4 — Drift Detection, Import, and State Recovery </code></pre> </div> <p>The first three artifacts answered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Can I create infrastructure? Can I structure it properly? Can I expose it securely? Can I automate Terraform plan and apply? </code></pre> </div> <p>This fourth artifact answers a different question:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What happens when Terraform is no longer the only actor changing infrastructure? </code></pre> </div> <p>That question matters because real cloud environments are rarely perfect.</p> <p>Someone may change a firewall rule manually.</p> <p>Someone may create a resource directly from the console.</p> <p>Someone may remove a resource from Terraform state by mistake.</p> <p>Someone may perform an emergency change and forget to update the code.</p> <p>This artifact is about detecting, understanding, and recovering from those situations.</p> <h2> What This Project Demonstrates </h2> <p>This project demonstrates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform remote state baseline GCP infrastructure creation manual drift simulation terraform plan drift detection terraform plan -detailed-exitcode terraform plan -refresh-only terraform state list terraform state show terraform state pull terraform state rm terraform import importing manually created GCP resources recovering after state removal scheduled drift detection with GitHub Actions GitHub issue creation when drift is detected Workload Identity Federation no service account JSON key </code></pre> </div> <p>The lab intentionally uses simple Google Cloud resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC subnet firewall rule service account </code></pre> </div> <p>That is deliberate.</p> <p>The objective is not infrastructure complexity.</p> <p>The objective is Terraform behavior.</p> <h2> Why I Created a Separate Repository </h2> <p>I created this as a separate repository instead of adding it into my production-lite web platform repo.</p> <p>Reason:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>This lab intentionally creates abnormal infrastructure situations. </code></pre> </div> <p>It includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>manual changes outside Terraform state removal resource import drift simulation drift detection recovery scenarios </code></pre> </div> <p>Those activities should not be mixed into a main application platform repository.</p> <p>This project is a controlled failure-mode lab.</p> <h2> Repository Structure </h2> <p>The repository is structured like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-drift-import-recovery/ ├── README.md ├── .gitignore ├── versions.tf ├── providers.tf ├── backend.tf.example ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars.example ├── locals.tf ├── environments/ │ └── dev.tfvars ├── imports/ │ ├── imported-network.tf.example │ └── imported-firewall.tf.example ├── docs/ │ ├── architecture.md │ ├── drift-detection-lab.md │ ├── import-lab.md │ ├── state-recovery-lab.md │ ├── scheduled-drift-detection.md │ ├── operations-runbook.md │ ├── verification.md │ ├── design-decisions.md │ └── release-process.md ├── scripts/ │ ├── simulate-drift.sh │ ├── create-manual-import-resources.sh │ ├── cleanup-manual-import-resources.sh │ └── bootstrap-wif-github.sh └── .github/ ├── workflows/ │ ├── terraform-plan.yml │ └── drift-detection.yml └── ISSUE_TEMPLATE/ └── drift_report.md </code></pre> </div> <p>The structure separates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>baseline Terraform code manual drift scripts import examples state recovery documentation scheduled drift detection workflow GitHub issue template </code></pre> </div> <h2> Baseline Infrastructure </h2> <p>The baseline infrastructure is intentionally small.</p> <p>It creates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>custom VPC subnet firewall rule service account </code></pre> </div> <p>The firewall rule is the main drift target.</p> <p>Why?</p> <p>Because firewall rules are easy to modify manually and easy for Terraform to detect.</p> <p>For example, Terraform may define:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>allowed port: tcp:80 </code></pre> </div> <p>Then someone manually changes it to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>allowed ports: tcp:80,tcp:8080 </code></pre> </div> <p>That difference is drift.</p> <h2> Remote State Design </h2> <p>This project uses a GCS backend for Terraform state.</p> <p>I added two GitHub repository variables for the state configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TF_STATE_BUCKET = terraform-gcp-production-lite-tfstate TF_STATE_PREFIX = terraform-gcp-drift-import-recovery/dev </code></pre> </div> <p>Instead of committing a real <code>backend.tf</code>, the GitHub Actions workflow writes the backend config dynamically.</p> <p>The workflow step looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Write Terraform backend config</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TF_STATE_BUCKET</span><span class="pi">:</span> <span class="s">${{ vars.TF_STATE_BUCKET }}</span> <span class="na">TF_STATE_PREFIX</span><span class="pi">:</span> <span class="s">${{ vars.TF_STATE_PREFIX }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">set -euo pipefail</span> <span class="s">if [[ -z "${TF_STATE_BUCKET}" ]]; then</span> <span class="s">echo "TF_STATE_BUCKET repository variable is required." &gt;&amp;2</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="s">if [[ -z "${TF_STATE_PREFIX}" ]]; then</span> <span class="s">echo "TF_STATE_PREFIX repository variable is required." &gt;&amp;2</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="s">cat &gt; backend.tf &lt;&lt;EOF</span> <span class="s">terraform {</span> <span class="s">backend "gcs" {</span> <span class="s">bucket = "${TF_STATE_BUCKET}"</span> <span class="s">prefix = "${TF_STATE_PREFIX}"</span> <span class="s">}</span> <span class="s">}</span> <span class="s">EOF</span> </code></pre> </div> <p>This keeps the backend configuration flexible across environments.</p> <p>It also avoids hardcoding my state bucket and prefix directly in the workflow logic.</p> <h2> Lab 1 — Simulating Drift </h2> <p>The first lab simulates drift manually.</p> <p>After deploying the baseline infrastructure, I modify the firewall rule outside Terraform.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">FIREWALL_RULE_NAME</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> firewall_rule_name<span class="si">)</span><span class="s2">"</span> gcloud compute firewall-rules update <span class="s2">"</span><span class="k">${</span><span class="nv">FIREWALL_RULE_NAME</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--allow</span><span class="o">=</span>tcp:80,tcp:8080 </code></pre> </div> <p>At this point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform code says: tcp:80 Google Cloud says: tcp:80,tcp:8080 </code></pre> </div> <p>That is drift.</p> <p>Terraform code, Terraform state, and real infrastructure are no longer aligned.</p> <h2> Lab 2 — Detecting Drift with Terraform Plan </h2> <p>After simulating drift, I run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars </code></pre> </div> <p>Terraform detects that the real firewall rule no longer matches the desired configuration.</p> <p>The plan proposes to restore the firewall rule back to the Terraform-defined state.</p> <p>That is the simplest drift detection mechanism:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Run terraform plan. If Terraform proposes unexpected changes, investigate. </code></pre> </div> <h2> Lab 3 — Using <code>-detailed-exitcode</code> </h2> <p>For automation, I used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="se">\</span> <span class="nt">-input</span><span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">-no-color</span> <span class="se">\</span> <span class="nt">-detailed-exitcode</span> <span class="se">\</span> <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars <span class="se">\</span> <span class="nt">-out</span><span class="o">=</span>tfplan </code></pre> </div> <p>The important behavior:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>exit code 0 = no changes exit code 1 = error exit code 2 = changes detected </code></pre> </div> <p>This is useful because a CI/CD workflow can use the exit code to determine whether drift exists.</p> <p>In this artifact:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0 means no drift 2 means drift detected 1 means Terraform error </code></pre> </div> <h2> Lab 4 — Refresh-Only Planning </h2> <p>I also documented refresh-only planning:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="se">\</span> <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars <span class="se">\</span> <span class="nt">-refresh-only</span> </code></pre> </div> <p>This is useful when I want to inspect how real infrastructure differs from Terraform state.</p> <p>Normal plan answers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What would Terraform change to make infrastructure match the code? </code></pre> </div> <p>Refresh-only plan answers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What has changed in real infrastructure compared to Terraform state? </code></pre> </div> <p>Both are useful, but they answer different operational questions.</p> <h2> Lab 5 — Recovering from Drift </h2> <p>If the manual change was not approved, the recovery is simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars </code></pre> </div> <p>Terraform restores the resource to the desired configuration.</p> <p>In this case, it removes the manually added port <code>8080</code>.</p> <p>Then I can confirm that the environment is clean:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="se">\</span> <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars <span class="se">\</span> <span class="nt">-detailed-exitcode</span> </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>exit code 0 </code></pre> </div> <p>That means Terraform sees no pending changes.</p> <h2> Lab 6 — Importing Existing Infrastructure </h2> <p>The next scenario is different.</p> <p>Instead of changing an existing Terraform-managed resource, I create a resource manually outside Terraform.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks create manual-import-network <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--subnet-mode</span><span class="o">=</span>custom </code></pre> </div> <p>This VPC exists in Google Cloud, but Terraform does not know about it.</p> <p>To bring it under Terraform management, I need two things:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform resource configuration terraform import </code></pre> </div> <p>Example Terraform configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"imported_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"manual-import-network"</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">routing_mode</span> <span class="p">=</span> <span class="s2">"REGIONAL"</span> <span class="p">}</span> </code></pre> </div> <p>Then import:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform import <span class="se">\</span> <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars <span class="se">\</span> google_compute_network.imported_network <span class="se">\</span> <span class="s2">"projects/</span><span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span><span class="s2">/global/networks/manual-import-network"</span> </code></pre> </div> <p>After import:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state list terraform state show google_compute_network.imported_network terraform plan <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars </code></pre> </div> <p>The objective is to reach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No changes. </code></pre> </div> <p>That means the Terraform configuration and imported real resource are aligned.</p> <h2> Lab 7 — State Inspection </h2> <p>Terraform state is the mapping between Terraform resource addresses and real infrastructure objects.</p> <p>Useful commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state list </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state show google_compute_firewall.allow_http_internal </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state pull <span class="o">&gt;</span> state-backups/before-recovery.json </code></pre> </div> <p>I included state inspection because drift and import are hard to understand without understanding state.</p> <p>Terraform state answers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Which real resource is this Terraform resource address connected to? </code></pre> </div> <h2> Lab 8 — State Recovery After Accidental State Removal </h2> <p>This lab simulates a state mistake.</p> <p>First, I back up state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> state-backups terraform state pull <span class="o">&gt;</span> state-backups/before-state-rm.json </code></pre> </div> <p>Then I remove a resource from state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state <span class="nb">rm </span>google_compute_firewall.allow_http_internal </code></pre> </div> <p>Important:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>This does not delete the real firewall rule. It only removes the mapping from Terraform state. </code></pre> </div> <p>Now Terraform no longer knows that the real firewall rule belongs to the configuration.</p> <p>If I run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars </code></pre> </div> <p>Terraform may try to create the firewall rule again.</p> <p>But the resource already exists in Google Cloud.</p> <p>The correct recovery is to import it back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform import <span class="se">\</span> <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars <span class="se">\</span> google_compute_firewall.allow_http_internal <span class="se">\</span> <span class="s2">"projects/</span><span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span><span class="s2">/global/firewalls/</span><span class="k">${</span><span class="nv">FIREWALL_RULE_NAME</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <p>Then verify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state list terraform plan <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars </code></pre> </div> <p>The target result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No changes. </code></pre> </div> <h2> Lab 9 — Scheduled Drift Detection with GitHub Actions </h2> <p>The final part of this artifact is scheduled drift detection.</p> <p>The workflow runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>workflow_dispatch schedule: every day at 23:00 UTC </code></pre> </div> <p>The workflow performs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>checkout repository set up Terraform authenticate to Google Cloud using WIF write backend.tf from repository variables terraform init terraform validate terraform plan -detailed-exitcode upload drift plan artifact create GitHub issue if drift is detected </code></pre> </div> <p>The key step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="se">\</span> <span class="nt">-input</span><span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">-no-color</span> <span class="se">\</span> <span class="nt">-detailed-exitcode</span> <span class="se">\</span> <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars <span class="se">\</span> <span class="nt">-out</span><span class="o">=</span>tfplan <span class="o">&gt;</span> drift-plan.txt </code></pre> </div> <p>Then the workflow evaluates the exit code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="k">${</span><span class="nv">EXIT_CODE</span><span class="k">}</span><span class="s2">"</span> <span class="nt">-eq</span> 0 <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"No drift detected."</span> <span class="nb">exit </span>0 <span class="k">elif</span> <span class="o">[[</span> <span class="s2">"</span><span class="k">${</span><span class="nv">EXIT_CODE</span><span class="k">}</span><span class="s2">"</span> <span class="nt">-eq</span> 2 <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Drift detected."</span> <span class="nb">exit </span>0 <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Terraform plan failed."</span> <span class="nb">exit </span>1 <span class="k">fi</span> </code></pre> </div> <p>This is intentional.</p> <p>If drift is detected, the workflow does not fail as a broken pipeline.</p> <p>It creates a GitHub issue.</p> <p>Why?</p> <p>Because drift is not always a technical failure.</p> <p>Sometimes drift is an intentional emergency change that needs to be reconciled.</p> <p>The workflow should create visibility, not immediately destroy or revert something.</p> <h2> GitHub Issue Creation When Drift Is Detected </h2> <p>When Terraform returns exit code <code>2</code>, the workflow creates a GitHub issue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh issue create <span class="se">\</span> <span class="nt">--title</span> <span class="s2">"</span><span class="k">${</span><span class="nv">ISSUE_TITLE</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--body-file</span> drift-issue-body.md <span class="se">\</span> <span class="nt">--label</span> <span class="s2">"drift,terraform,incident"</span> </code></pre> </div> <p>The issue tells the operator to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>download the drift plan artifact review whether the drift was intentional or accidental revert accidental drift with Terraform apply update Terraform code if the change was intentional close the issue only after plan returns exit code 0 </code></pre> </div> <p>This turns drift detection into an operational workflow.</p> <p>Not just a command.</p> <h2> Authentication with Workload Identity Federation </h2> <p>Like my previous Terraform CI/CD artifact, this project does not use a service account JSON key.</p> <p>GitHub Actions authenticates to Google Cloud using Workload Identity Federation.</p> <p>The flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Actions OIDC token -&gt; Google Workload Identity Provider -&gt; Terraform drift CI/CD service account -&gt; Google Cloud APIs </code></pre> </div> <p>This keeps the workflow keyless.</p> <p>No long-lived Google Cloud service account key is stored in GitHub.</p> <h2> Why I Do Not Auto-Apply Drift Fixes </h2> <p>It may be tempting to do this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>detect drift automatically run terraform apply </code></pre> </div> <p>I intentionally did not do that.</p> <p>Reason:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Not all drift is accidental. </code></pre> </div> <p>Some drift may come from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>emergency production fix approved console change another migration process temporary incident workaround </code></pre> </div> <p>The right first response is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>detect notify review decide then reconcile </code></pre> </div> <p>Automatic remediation can be dangerous if the workflow does not understand why the drift happened.</p> <p>So this artifact creates a GitHub issue instead.</p> <h2> What This Artifact Taught Me </h2> <p>The biggest lesson:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform is not only a provisioning tool. Terraform is also a control system. </code></pre> </div> <h2> What I Would Do Differently in Production </h2> <p>For a production environment, I would improve this further with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>least-privilege custom IAM role Slack or email notification deduplication of drift issues severity classification separate environments policy-as-code checks cost impact review state backup automation manual approval before remediation </code></pre> </div> <p>But for this artifact, the core objective is complete:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>simulate drift detect drift understand state recover state import resources automate drift visibility </code></pre> </div> terraform googlecloud devops sre Terraform CI/CD with Google Cloud: Plan on Pull Request and Apply with Approval Abraham Naiborhu Sun, 24 May 2026 10:59:40 +0000 https://forem.com/abrahamparn/terraform-cicd-with-google-cloud-plan-on-pull-request-and-apply-with-approval-3h3m https://forem.com/abrahamparn/terraform-cicd-with-google-cloud-plan-on-pull-request-and-apply-with-approval-3h3m <p>Simple Terraform codes on laptop is alright for learning. But, at some point, things gotten more complex and infrastructure changes need a more controlled workflow.</p> <p>For my second Terraform x Google Cloud portfolio artifact, I had already built a production like web platform with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC app and DB subnets Cloud NAT private backend VMs regional Managed Instance Group HTTP/HTTPS Load Balancer Cloud Armor security policy remote Terraform state modular Terraform structure </code></pre> </div> <p>In this version, I added the next operational layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform CI/CD </code></pre> </div> <p>The goal was simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pull Request -&gt; Terraform Plan Manual Approval -&gt; Terraform Apply No service account JSON key </code></pre> </div> <p>This became:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>v2.0 — Terraform CI/CD with GitHub Actions and Workload Identity Federation </code></pre> </div> <p>Checkout my github! <a href="https://github.com/abrahamparn/terraform-gcp-production-lite-web-platform" rel="noopener noreferrer">terraform-gcp-production-lite-web-platform</a></p> <h2> Why I Built This </h2> <p>Before this version, the workflow was still done locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>local terminal -&gt; terraform fmt -&gt; terraform validate -&gt; terraform plan -&gt; terraform apply </code></pre> </div> <p>That works for my learning, But i understand that in a team setting this way of doing things locally is not sustainable.</p> <p>Thus, making me questions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Can the change be reviewed before apply? Can the Terraform plan run automatically on pull request? Can apply require approval? Can GitHub Actions authenticate to Google Cloud without a static key? Can the workflow use remote state safely? </code></pre> </div> <p>v2.0 was built to answer those questions.</p> <h2> What v2.0 Adds </h2> <p>This release adds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Actions Terraform plan on pull request Terraform apply through manual workflow GitHub environment approval before apply Workload Identity Federation Google service account impersonation No service account JSON key Remote state access from CI/CD GitHub CLI-based release workflow </code></pre> </div> <p>The important part is not just automation.</p> <p>The important part is change control.</p> <h2> Final CI/CD Flow </h2> <p>The new workflow looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pull Request -&gt; terraform fmt -check -&gt; terraform init -&gt; terraform validate -&gt; terraform plan -&gt; upload plan artifact -&gt; comment plan summary on PR Manual Apply -&gt; workflow_dispatch -&gt; confirm input: APPLY -&gt; GitHub environment approval -&gt; terraform plan -out=tfplan -&gt; terraform apply tfplan </code></pre> </div> <p>This separates review from execution.</p> <p>The PR workflow answers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What will Terraform change? </code></pre> </div> <p>The apply workflow answers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Are we approved to apply this change? </code></pre> </div> <h2> Authentication Design </h2> <p>The most important security decision in this version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No service account JSON key. </code></pre> </div> <p>Instead of storing a long-lived Google Cloud key in GitHub Secrets, the workflow uses Workload Identity Federation.</p> <p>The authentication flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Actions OIDC token -&gt; Google Workload Identity Provider -&gt; Terraform CI/CD service account impersonation -&gt; Google Cloud APIs </code></pre> </div> <p>The GitHub repository is restricted through the Workload Identity Provider attribute condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>assertion.repository == "abrahamparn/terraform-gcp-production-lite-web-platform" </code></pre> </div> <p>That means the provider is only intended to trust this specific repository.</p> <h2> Why Workload Identity Federation Matters </h2> <p>A service account JSON key is a long-lived credential.</p> <p>If it leaks, the impact can be serious.</p> <p>Workload Identity Federation avoids that by allowing GitHub Actions to exchange its OIDC identity for short-lived Google Cloud access.</p> <p>For this project, GitHub Actions impersonates a dedicated service account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-cicd@PROJECT_ID.iam.gserviceaccount.com </code></pre> </div> <p>This gives the CI/CD pipeline a clear operational identity.</p> <h2> Workflow 1 — Terraform Plan on Pull Request </h2> <p>The first workflow runs on pull requests to <code>main</code>.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/workflows/terraform-plan.yml </code></pre> </div> <p>The workflow performs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>checkout repository set up Terraform authenticate to Google Cloud using WIF set up gcloud terraform fmt -check -recursive terraform init terraform validate terraform plan generate plain-text plan upload plan artifact comment plan summary on PR </code></pre> </div> <p>In the screenshot, the Terraform Plan workflow successfully completed all steps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Checkout repository Set up Terraform Authenticate to Google Cloud Set up gcloud Terraform format check Terraform init Terraform validate Terraform plan Generate plain-text plan Upload Terraform plan artifact Comment plan summary on PR </code></pre> </div> <p>This is the main review workflow.</p> <p>It allows infrastructure changes to be reviewed before they are applied.</p> <h2> Workflow 2 — Terraform Apply with Manual Approval </h2> <p>The second workflow is manually triggered.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/workflows/terraform-apply.yml </code></pre> </div> <p>The workflow uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>workflow_dispatch confirm_apply input GitHub environment: terraform-apply manual approval terraform plan before apply terraform apply using saved plan file </code></pre> </div> <p>The apply workflow has two jobs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform Plan Before Apply Terraform Apply </code></pre> </div> <p>In the screenshot, the apply workflow succeeded after environment approval.</p> <p>The deployment protection section shows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Environment: terraform-apply Approval: approved Comment: go on </code></pre> </div> <p>That approval gate is the main safety control before applying infrastructure changes.</p> <h2> Why I Still Run Plan Before Apply </h2> <p>One question I had while building this was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Should the apply workflow reuse the PR plan artifact? </code></pre> </div> <p>For this version, I decided not to.</p> <p>Instead, the apply workflow creates a fresh plan immediately before apply.</p> <p>Why?</p> <p>Because PR plan artifacts can become stale.</p> <p>Between PR review and manual apply:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>state may change main branch may change plan artifact may expire another workflow may run </code></pre> </div> <p>So the safer v2.0 pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PR plan = review signal Apply workflow plan = final execution plan </code></pre> </div> <p>Then the apply step uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply tfplan </code></pre> </div> <p>This keeps apply tied to the plan generated inside the apply workflow.</p> <h2> GitHub Environment Approval </h2> <p>The apply workflow uses this environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-apply </code></pre> </div> <p>This allows GitHub deployment protection rules to act as the approval gate.</p> <p>The result is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No automatic apply from pull request. No apply just because code was pushed. Apply only happens after manual workflow trigger and approval. </code></pre> </div> <h2> Repository Variables </h2> <p>I used GitHub repository variables for non-secret configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GCP_PROJECT_ID GCP_PROJECT_NUMBER GCP_REGION GCP_WORKLOAD_IDENTITY_PROVIDER GCP_SERVICE_ACCOUNT TF_WORKING_DIR TF_VERSION </code></pre> </div> <p>These values are not service account keys.</p> <p>No Google Cloud JSON key is stored in GitHub.</p> <h2> Environment tfvars Strategy </h2> <p>One practical issue with Terraform CI/CD is variable management.</p> <p>My project uses a lot of variables such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>subnets firewall_rules service_accounts Cloud Armor rules managed SSL certificate domains </code></pre> </div> <p>Passing all of that through <code>TF_VAR_*</code> environment variables would become messy.</p> <p>So for this portfolio project, I used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>environments/dev.tfvars </code></pre> </div> <p>This file contains non-sensitive environment configuration.</p> <p>The workflow runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars </code></pre> </div> <p>and:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="nt">-var-file</span><span class="o">=</span>environments/dev.tfvars <span class="nt">-out</span><span class="o">=</span>tfplan </code></pre> </div> <p>Important rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Only non-sensitive values should be committed. </code></pre> </div> <p>Secrets should not be placed in <code>dev.tfvars</code>.</p> <h2> GitHub CLI Operations </h2> <p>I also tried to minimize GitHub UI usage.</p> <p>For example, releases can be created using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh release create v2.0.0 <span class="se">\</span> <span class="nt">--title</span> <span class="s2">"v2.0.0 — Terraform CI/CD with GitHub Actions and WIF"</span> <span class="se">\</span> <span class="nt">--notes</span> <span class="s2">"This release adds Terraform plan on pull request, manual approval before apply, and no key Google Cloud authentication through WIF."</span> </code></pre> </div> <p>The pull request can also be created using CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh <span class="nb">pr </span>create <span class="se">\</span> <span class="nt">--base</span> main <span class="se">\</span> <span class="nt">--head</span> feature/v2.0-terraform-cicd-wif <span class="se">\</span> <span class="nt">--title</span> <span class="s2">"add Terraform CI/CD with GitHub Actions and WIF"</span> <span class="se">\</span> <span class="nt">--body</span> <span class="s2">"This PR introduces Terraform CI/CD with GitHub Actions, plan on pull request, manual approval before apply, and Workload Identity Federation with no SA JSON key."</span> </code></pre> </div> <p>And the manual apply workflow can be triggered with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh workflow run <span class="s2">"Terraform Apply"</span> <span class="se">\</span> <span class="nt">-f</span> <span class="nv">confirm_apply</span><span class="o">=</span>APPLY <span class="se">\</span> <span class="nt">-f</span> <span class="nv">git_ref</span><span class="o">=</span>main </code></pre> </div> <p>The only part where UI is still useful is the environment approval step, because that is the point of having a manual deployment gate.</p> <h2> Evidence From the Workflow Runs </h2> <p>For this version, I captured two main screenshots.</p> <h3> Terraform Plan Workflow </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9xxmhdvm42ahs3wai1hl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9xxmhdvm42ahs3wai1hl.png" alt=" " width="799" height="453"></a></p> <p>The Terraform Plan workflow succeeded on pull request.</p> <p>It completed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>authentication to Google Cloud terraform fmt check terraform init terraform validate terraform plan plan artifact upload PR plan comment </code></pre> </div> <p>This proves the review workflow works.</p> <h3> Terraform Apply Workflow </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5al81t6zvzsgzfhw1on.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5al81t6zvzsgzfhw1on.png" alt=" " width="800" height="453"></a></p> <p>The Terraform Apply workflow also succeeded.</p> <p>It was manually triggered from <code>main</code>, required environment approval, then executed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform Plan Before Apply Terraform Apply </code></pre> </div> <p>The deployment protection section shows that the <code>terraform-apply</code> environment was approved before apply continued.</p> <p>This proves the execution workflow works.</p> <h2> One Warning I Noticed </h2> <p>The workflow showed a warning related to Node.js 20 actions being deprecated.</p> <p>This did not break the workflow.</p> <p>The run still succeeded.</p> <h2> What This Version Does Not Solve Yet </h2> <p>v2.0 is intentionally focused.</p> <p>It does not yet include:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>policy-as-code cost estimation drift detection automation custom least-privilege Terraform IAM role multi-environment promotion automatic rollback scheduled plan </code></pre> </div> <p>Those are future improvements.</p> <p>For this version, the objective was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>reviewable plan manual approved apply keyless authentication </code></pre> </div> <h2> Final Architecture After v2.0 </h2> <p>The infrastructure platform now has two layers:</p> <h3> Runtime platform </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTPS Load Balancer Cloud Armor Backend Service Regional MIG Private backend VMs Cloud NAT </code></pre> </div> <h3> Delivery platform </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Pull Request Terraform Plan workflow GitHub Environment Approval Terraform Apply workflow Workload Identity Federation No service account JSON key </code></pre> </div> <p>That is the main improvement.</p> <p>The project moved from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>I can provision infrastructure. </code></pre> </div> <p>to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>I can manage infrastructure changes through a controlled delivery workflow. </code></pre> </div> <h2> Version Timeline </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>v1.0 — Production-Lite HTTP Platform v1.1 — HTTPS and Custom Domain v1.2 — Security Hardening with Cloud Armor v2.0 — Terraform CI/CD with GitHub Actions and WIF </code></pre> </div> <p>Next, I may continue with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>v2.1 — Drift Detection and Recovery </code></pre> </div> <p>Because after CI/CD, the next important Terraform question is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What happens when someone changes infrastructure outside Terraform? </code></pre> </div> googlecloud terraform devops cloud Terraforming a Production-Lite GCP Web Platform: MIG, Cloud NAT, Load Balancer, and Private Backends Abraham Naiborhu Wed, 20 May 2026 06:18:00 +0000 https://forem.com/abrahamparn/terraforming-a-production-lite-gcp-web-platform-mig-cloud-nat-load-balancer-and-private-backends-1bfg https://forem.com/abrahamparn/terraforming-a-production-lite-gcp-web-platform-mig-cloud-nat-load-balancer-and-private-backends-1bfg <p>Hi! After building my first Terraform artifact, The GCP Foundation Lite, I wanted to move one layer higher.</p> <p>I wanted to answer a more complex question:</p> <blockquote> <p>Can I provision infrastructure for an actual web platform?</p> </blockquote> <p>Thus, I created this project titled "Production-Lite GCP Web Platform" using Terraform.</p> <p>This project provisions:</p> <ul> <li>custom VPC network</li> <li>app subnet</li> <li>reserved database subnet</li> <li>map-based firewall rules</li> <li>Cloud NAT</li> <li>custom service account</li> <li>regional Managed Instance Group</li> <li>instance template</li> <li>startup script</li> <li>HTTP health check</li> <li>backend service</li> <li>external HTTP load balancer</li> <li>remote Terraform state</li> <li>reusable Terraform modules</li> </ul> <p>The goal was not to create a full enterprise platform, but to create a small but production-shaped infra pattern that can run an application.</p> <p>But, before i go even further, do check my github repository at <a href="https://github.com/abrahamparn/terraform-gcp-production-lite-web-platform" rel="noopener noreferrer">terraform-gcp-production-lite-web-platform</a></p> <h2> Why I Built This </h2> <p>In my first artifact, I focused on the foundation layer.</p> <p>That project included: </p> <ul> <li>remote Terraform state</li> <li>versioned GCS state bucket</li> <li>custom VPC</li> <li>role-based subnets</li> <li>firewall rules</li> <li>service accounts</li> <li>IAM bindings</li> <li>reusable modules</li> </ul> <p>That was useful because it helped me understand how to create the base layer of a Google Cloud environment.</p> <p>But a foundation alone does not run an application.</p> <p>So for this second artifact, I wanted to build something closer to a real web platform.</p> <p>The objective was to move from this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform creates the foundation. </code></pre> </div> <p>To this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform provisions infrastructure that can serve application traffic. </code></pre> </div> <h2> What This Project Builds </h2> <p>This project creates:</p> <ul> <li>custom VPC network</li> <li>application subnet</li> <li>reserved database subnet</li> <li>firewall rules</li> <li>Cloud Router</li> <li>Cloud NAT</li> <li>custom application service account</li> <li>instance template</li> <li>regional Managed Instance Group</li> <li>HTTP health check</li> <li>backend service</li> <li>external HTTP load balancer</li> <li>global forwarding rule</li> <li>startup script</li> <li>simple web application endpoint</li> <li>remote state in GCS</li> </ul> <p>The application VMs are private.</p> <p>They do not have external IP addresses.</p> <p>Users access the application through the external HTTP load balancer.</p> <p>Outbound internet access from the private VMs is handled through Cloud NAT.</p> <h2> High-Level Architecture </h2> <p>The high-level architecture is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User ↓ External HTTP Load Balancer ↓ Backend Service ↓ Regional Managed Instance Group ↓ Private Application VM ↓ Application Endpoint </code></pre> </div> <p>For outbound access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Private Application VM ↓ Cloud NAT ↓ Internet </code></pre> </div> <p>The important point is this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Inbound traffic enters through the load balancer. Outbound traffic leaves through Cloud NAT. The backend VM does not need a public IP address. </code></pre> </div> <h2> Architecture Diagram </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User / Browser | v External HTTP Load Balancer | v Target HTTP Proxy | v URL Map | v Backend Service | v Regional Managed Instance Group | v Private App VM(s) | v Application running from startup script Private App VM(s) | v Cloud NAT | v Outbound Internet </code></pre> </div> <h2> What Production-Lite Means </h2> <p>For this project, production-lite means the infrastructure follows production-style patterns without trying to become a full enterprise platform.</p> <p>This project includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>private backend instances load balancer entry point health checks Managed Instance Group Cloud NAT service account separation firewall rules remote state Terraform modules </code></pre> </div> <p>But this version does not include:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTPS custom domain Cloud Armor Cloud SQL Secret Manager CI/CD multi-region deployment blue-green deployment Kubernetes </code></pre> </div> <p>Those features are important, but I intentionally deferred them.</p> <p>The goal of v1.0 is to keep the scope focused:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Can I provision a production-shaped HTTP web platform with private backends? </code></pre> </div> <h2> Why Private Backend Instances Matter </h2> <p>One of the most important design choices in this project is that the backend VMs do not have external IP addresses.</p> <p>In the instance template, the network interface does not include an <code>access_config</code> block.</p> <p>Conceptually, the pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="c1"># No access_config block.</span> <span class="c1"># This intentionally creates VMs without external IP addresses.</span> <span class="p">}</span> </code></pre> </div> <p>This means the VM is not directly exposed to the internet.</p> <p>Instead, application traffic must go through the load balancer.</p> <p>That is a better pattern than exposing a VM directly with a public IP address.</p> <p>A direct public VM might be fine for a quick test, but for an application platform, I want a cleaner entry point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet -&gt; Load Balancer -&gt; Backend Service -&gt; Private VM </code></pre> </div> <h2> Why Cloud NAT Is Needed </h2> <p>Because the backend VMs are private, they do not have direct outbound internet access through an external IP.</p> <p>However, the VM still needs outbound access for operational tasks such as:</p> <ul> <li>running <code>apt-get update</code> </li> <li>installing packages</li> <li>downloading dependencies</li> <li>calling external services</li> <li>bootstrapping the application during startup</li> </ul> <p>This is where Cloud NAT is useful.</p> <p>Cloud NAT allows private resources to initiate outbound internet connections without assigning public IP addresses to those resources.</p> <p>In this project, Cloud NAT is created using:</p> <ul> <li>Cloud Router</li> <li>Cloud NAT gateway</li> <li>selected subnet configuration</li> </ul> <p>The important improvement from my earlier lab is that I do not need to NAT every subnet.</p> <p>For this artifact, the app subnet receives NAT.</p> <p>The reserved database subnet does not receive NAT by default.</p> <p>This is the intended posture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app subnet -&gt; Cloud NAT enabled db subnet -&gt; Cloud NAT not enabled by default </code></pre> </div> <p>That separation is small, but architecturally meaningful.</p> <h2> Why I Used a Managed Instance Group </h2> <p>A standalone VM is simpler.</p> <p>But a standalone VM does not really show platform thinking.</p> <p>For this artifact, I used a <strong>regional Managed Instance Group</strong>.</p> <p>The MIG uses:</p> <ul> <li>instance template</li> <li>target size</li> <li>named port</li> <li>autohealing policy</li> <li>health check</li> </ul> <p>The difference is important.</p> <p>A standalone VM says:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>I created a server. </code></pre> </div> <p>A Managed Instance Group says:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>I defined how application instances should be created, managed, replaced, and checked. </code></pre> </div> <p>That is a stronger infrastructure pattern.</p> <h2> Why I Used an External HTTP Load Balancer </h2> <p>The external HTTP load balancer acts as the public entry point.</p> <p>The load balancer connects to the backend service, and the backend service connects to the Managed Instance Group.</p> <p>The request flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User -&gt; Global forwarding rule -&gt; Target HTTP proxy -&gt; URL map -&gt; Backend service -&gt; Managed Instance Group -&gt; Application VM </code></pre> </div> <p>This is more realistic than opening port 80 directly on a public VM.</p> <p>It also allows me to test important infrastructure concepts:</p> <ul> <li>backend services</li> <li>health checks</li> <li>named ports</li> <li>firewall rules for health check probes</li> <li>load-balanced application access</li> </ul> <h2> Why Health Checks Matter </h2> <p>The load balancer needs to know whether the backend instances are healthy.</p> <p>For that, I use an HTTP health check.</p> <p>The application exposes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET / GET /healthz GET /metadata </code></pre> </div> <p>The <code>/healthz</code> endpoint is used by the health check.</p> <p>This is better than using <code>/</code> as the health check path because <code>/</code> is usually a user-facing route, while <code>/healthz</code> is explicitly meant for machine health checking.</p> <p>The expected response is simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ok </code></pre> </div> <p>A simple health endpoint is enough for this version.</p> <p>The goal is not to build a complex application.</p> <p>The goal is to prove that the infrastructure can route traffic to a healthy backend.</p> <h2> Application Endpoints </h2> <p>The sample application exposes three endpoints.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Endpoint</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>/</code></td> <td>Root endpoint</td> </tr> <tr> <td><code>/healthz</code></td> <td>Health check endpoint</td> </tr> <tr> <td><code>/metadata</code></td> <td>Instance information endpoint</td> </tr> </tbody> </table></div> <p>The root endpoint returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hi from Terraform GCP Production-Lite Platform </code></pre> </div> <p>The health endpoint returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ok </code></pre> </div> <p>The metadata endpoint returns information such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"terraform-gcp-production-lite-web-platform"</span><span class="p">,</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hostname"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev-web-mig-xxxx"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The application is intentionally small.</p> <p>Terraform and infrastructure design are the focus.</p> <h2> Repository Structure </h2> <p>The repository structure is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-production-lite-web-platform/ ├── README.md ├── .gitignore ├── versions.tf ├── providers.tf ├── backend.tf.example ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars.example ├── locals.tf ├── docs/ │ ├── architecture.md │ ├── deployment-runbook.md │ ├── operations-runbook.md │ ├── verification.md │ ├── design-decisions.md │ └── version-roadmap.md ├── scripts/ │ └── startup.sh └── modules/ ├── network/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf ├── iam/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf ├── nat/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf ├── compute/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf └── load-balancer/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p>There are five main modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network iam nat compute load-balancer </code></pre> </div> <p>Each module has a specific responsibility.</p> <h2> Module Responsibilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Module</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td><code>network</code></td> <td>VPC, subnets, firewall rules</td> </tr> <tr> <td><code>iam</code></td> <td>Service accounts and IAM role bindings</td> </tr> <tr> <td><code>nat</code></td> <td>Cloud Router and Cloud NAT</td> </tr> <tr> <td><code>compute</code></td> <td>Instance template and Managed Instance Group</td> </tr> <tr> <td><code>load-balancer</code></td> <td>HTTP load balancer resources</td> </tr> </tbody> </table></div> <p>The root module connects them together.</p> <p>The root module should answer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What components make up this platform? How are those components connected? </code></pre> </div> <p>The child modules should answer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>How is each infrastructure area implemented? </code></pre> </div> <p>This separation makes the repository easier to read.</p> <h2> Root Module Composition </h2> <p>The root <code>main.tf</code> composes the platform.</p> <p>At a high level, the order is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network iam nat health check compute load balancer IAP IAM bindings </code></pre> </div> <p>This order makes sense because:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Compute needs network and IAM. NAT needs network. The load balancer needs the instance group. IAP access needs IAM and firewall rules. </code></pre> </div> <p>The root module should not contain all low-level resources.</p> <p>It should orchestrate modules.</p> <h2> Network Module </h2> <p>The network module creates:</p> <ul> <li>VPC</li> <li>subnets</li> <li>firewall rules</li> </ul> <p>The VPC is created as a custom mode VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">final_network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">routing_mode</span> <span class="p">=</span> <span class="s2">"REGIONAL"</span> <span class="p">}</span> </code></pre> </div> <p>I use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">auto_create_subnetworks</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p>because I want explicit control over subnet ranges.</p> <p>This is cleaner than relying on automatically created subnets.</p> <h2> Map-Based Subnets </h2> <p>Instead of hardcoding each subnet as a separate resource, I define subnets as a map.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.1.0/24"</span> <span class="nx">private_google_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.2.0/24"</span> <span class="nx">private_google_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"database-reserved"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The network module then creates subnets using <code>for_each</code>.</p> <p>Conceptually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}-subnet"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">coalesce</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">region</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_range</span> <span class="nx">private_ip_google_access</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">private_google_access</span> <span class="p">}</span> </code></pre> </div> <p>This is more flexible than writing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"db"</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>If I want to add another subnet later, I can add another map entry.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">cache</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.3.0/24"</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"cache"</span> <span class="p">}</span> </code></pre> </div> <p>The module does not need to change.</p> <h2> Map-Based Firewall Rules </h2> <p>The network module also creates firewall rules from a map.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-lb-health-check</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow Google Cloud load balancer health checks and proxy traffic."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.191.0.0/16"</span><span class="p">,</span> <span class="s2">"130.211.0.0/22"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"80"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-iap-ssh</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH to private backend instances through IAP."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.235.240.0/20"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"22"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The module creates firewall rules using <code>for_each</code> and dynamic <code>allow</code> blocks.</p> <p>Conceptually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"ingress_rules"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"INGRESS"</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">target_tags</span> <span class="nx">dynamic</span> <span class="s2">"allow"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">allow</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ports</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>I prefer this pattern because traffic policy becomes data-driven.</p> <p>The module does not need to know every possible firewall rule.</p> <p>It only needs to know how to create firewall rules from structured input.</p> <h2> Firewall Rules Used </h2> <p>For this version, I use three main firewall rules:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Rule</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>allow-lb-health-check</code></td> <td>Allows Google load balancer and health check traffic to backend VMs</td> </tr> <tr> <td><code>allow-iap-ssh</code></td> <td>Allows SSH through IAP TCP forwarding</td> </tr> <tr> <td><code>allow-internal</code></td> <td>Allows internal traffic inside the platform CIDR</td> </tr> </tbody> </table></div> <p>The important security decision is that I do not open SSH to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0.0.0.0/0 </code></pre> </div> <p>Instead, SSH access is designed around IAP.</p> <h2> IAM Module </h2> <p>The IAM module creates service accounts.</p> <p>For this artifact, the main service account is the application VM service account.</p> <p>Example input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">service_accounts</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"dev-prod-lite-app-sa"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Production Lite App Service Account"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Service account used by private application VM instances."</span> <span class="nx">project_roles</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"roles/logging.logWriter"</span><span class="p">,</span> <span class="s2">"roles/monitoring.metricWriter"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The service account is attached to the application instances.</p> <p>This is cleaner than using the default Compute Engine service account.</p> <p>It also makes the identity of the workload explicit.</p> <h2> NAT Module </h2> <p>The NAT module creates:</p> <ul> <li>Cloud Router</li> <li>Cloud NAT</li> </ul> <p>In my earlier lab, Cloud NAT was applied to all subnets.</p> <p>For this artifact, I wanted a more intentional design.</p> <p>So NAT is applied only to selected subnet keys.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">nat_subnet_keys</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"app"</span><span class="p">]</span> </code></pre> </div> <p>That means:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app subnet gets outbound internet through Cloud NAT db subnet does not get NAT by default </code></pre> </div> <p>This is a small design improvement, but it shows better network intent.</p> <p>The app tier needs outbound access for package installation and application operations.</p> <p>The reserved database tier should be more restricted.</p> <h2> Compute Module </h2> <p>The compute module creates:</p> <ul> <li>instance template</li> <li>regional Managed Instance Group</li> <li>named port</li> <li>autohealing policy</li> </ul> <p>The instance template defines:</p> <ul> <li>machine type</li> <li>boot disk</li> <li>network interface</li> <li>startup script</li> <li>service account</li> <li>network tags</li> </ul> <p>The important part is the network interface.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="c1"># No access_config block.</span> <span class="p">}</span> </code></pre> </div> <p>This keeps the VM private.</p> <p>The MIG then uses the instance template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_region_instance_group_manager"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">base_instance_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}"</span> <span class="nx">target_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">target_size</span> <span class="nx">version</span> <span class="p">{</span> <span class="nx">instance_template</span> <span class="p">=</span> <span class="nx">google_compute_instance_template</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="nx">named_port</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">port</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="p">}</span> <span class="nx">auto_healing_policies</span> <span class="p">{</span> <span class="nx">health_check</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">health_check_self_link</span> <span class="nx">initial_delay_sec</span> <span class="p">=</span> <span class="mi">120</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The named port is important because the backend service uses it to send traffic to the correct backend port.</p> <h2> Load Balancer Module </h2> <p>The load balancer module creates:</p> <ul> <li>global IP address</li> <li>backend service</li> <li>URL map</li> <li>target HTTP proxy</li> <li>global forwarding rule</li> </ul> <p>The backend service connects the load balancer to the MIG.</p> <p>Conceptually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_backend_service"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.lb_name}-backend"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">port_name</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">load_balancing_scheme</span> <span class="p">=</span> <span class="s2">"EXTERNAL_MANAGED"</span> <span class="nx">timeout_sec</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">health_checks</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">health_check_self_link</span> <span class="p">]</span> <span class="nx">backend</span> <span class="p">{</span> <span class="nx">group</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">backend_instance_group</span> <span class="nx">balancing_mode</span> <span class="p">=</span> <span class="s2">"UTILIZATION"</span> <span class="nx">capacity_scaler</span> <span class="p">=</span> <span class="mf">1.0</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The load balancer then exposes the service through a global forwarding rule.</p> <p>For v1.0, I use HTTP on port 80.</p> <p>HTTPS will come later in v1.1.</p> <h2> Startup Script </h2> <p>The startup script bootstraps the application when the VM starts.</p> <p>The script installs dependencies, creates the application files, and starts the service.</p> <p>A simplified version of the application behavior is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET / -&gt; returns a simple message GET /healthz -&gt; returns ok GET /metadata -&gt; returns hostname and version information </code></pre> </div> <p>The important operational improvement is that the application should run as a systemd service.</p> <p>That is better than running a background process with <code>&amp;</code>.</p> <p>With systemd, I can check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl status prod-lite-app </code></pre> </div> <p>And view logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>journalctl <span class="nt">-u</span> prod-lite-app <span class="nt">--no-pager</span> <span class="nt">-n</span> 50 </code></pre> </div> <h2> Remote State </h2> <p>Like the first artifact, this project uses a GCS backend for Terraform state.</p> <p>Example backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"YOUR_TERRAFORM_STATE_BUCKET"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-production-lite-web-platform/v1"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The state path becomes something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://YOUR_TERRAFORM_STATE_BUCKET/terraform-gcp-production-lite-web-platform/v1/default.tfstate </code></pre> </div> <p>Using remote state is important because this project is no longer a tiny one-file local experiment.</p> <p>It has multiple modules and multiple cloud resources.</p> <p>Remote state gives the project a more realistic workflow.</p> <h2> Git Safety </h2> <p>I do not commit real <code>.tfvars</code> files.</p> <p>The repository includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars.example </code></pre> </div> <p>But ignores:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>The <code>.gitignore</code> includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.terraform/ *.tfstate *.tfstate.* *.tfvars *.tfplan crash.log .DS_Store </code></pre> </div> <p>This avoids committing local values, real project IDs, or state files.</p> <h2> Running the Project </h2> <p>The execution flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Configure backend 2. Configure terraform.tfvars 3. Run terraform fmt 4. Run terraform init 5. Run terraform validate 6. Run terraform plan 7. Run terraform apply 8. Verify the load balancer and backend health </code></pre> </div> <h3> Configure Backend </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>backend.tf.example backend.tf </code></pre> </div> <p>Then edit the bucket name.</p> <h3> Configure Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>terraform.tfvars.example terraform.tfvars </code></pre> </div> <p>Then edit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project_id</span> <span class="err">=</span> <span class="s2">"your-gcp-project-id"</span> <span class="nx">admin_principal</span> <span class="err">=</span> <span class="s2">"user:your-email@example.com"</span> </code></pre> </div> <h3> Run Terraform </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> terraform init terraform validate terraform plan terraform apply </code></pre> </div> <h2> Expected Output </h2> <p>After deployment, Terraform should output values such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network_name subnets firewall_rules cloud_nat_name cloud_router_name health_check_name mig_name mig_instance_group load_balancer_ip load_balancer_url curl_test_command curl_health_check_command platform_summary </code></pre> </div> <p>The most important output is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>load_balancer_url </code></pre> </div> <p>That URL is used to test the application.</p> <h2> Verification </h2> <p>After deployment, I can test the root endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> http://LOAD_BALANCER_IP </code></pre> </div> <p>Expected response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hi from Terraform GCP Production-Lite Platform </code></pre> </div> <p>Test the health endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> http://LOAD_BALANCER_IP/healthz </code></pre> </div> <p>Expected response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ok </code></pre> </div> <p>Test the metadata endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> http://LOAD_BALANCER_IP/metadata </code></pre> </div> <p>Expected response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"terraform-gcp-production-lite-web-platform"</span><span class="p">,</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hostname"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev-web-mig-xxxx"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Verifying the Infrastructure </h2> <p>Verify the VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks list </code></pre> </div> <p>Verify the subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks subnets list </code></pre> </div> <p>Verify firewall rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute firewall-rules list </code></pre> </div> <p>Verify Cloud NAT:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute routers nats list <span class="se">\</span> <span class="nt">--router</span><span class="o">=</span>dev-nat-router <span class="se">\</span> <span class="nt">--region</span><span class="o">=</span>asia-southeast2 </code></pre> </div> <p>Verify the Managed Instance Group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instance-groups managed list </code></pre> </div> <p>Verify backend health:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute backend-services get-health BACKEND_SERVICE_NAME <span class="nt">--global</span> </code></pre> </div> <p>Verify the application VM does not have an external IP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances list </code></pre> </div> <p>This is one of the most important checks.</p> <p>The application should be reachable through the load balancer, not directly through a public VM IP.</p> <h2> Accessing the Private VM Through IAP </h2> <p>Since the VM has no external IP, direct SSH is not available.</p> <p>Instead, I use IAP TCP forwarding.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute ssh INSTANCE_NAME <span class="se">\</span> <span class="nt">--zone</span><span class="o">=</span>asia-southeast2-a <span class="se">\</span> <span class="nt">--tunnel-through-iap</span> </code></pre> </div> <p>This requires:</p> <ul> <li>IAM permission for IAP tunnel access</li> <li>OS Login role</li> <li>firewall rule allowing IAP source range</li> <li>correct target tag on the VM</li> </ul> <p>The firewall source range for IAP TCP forwarding is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>This is better than opening SSH to the public internet.</p> <h2> Troubleshooting Notes </h2> <h3> Load Balancer Returns 502 </h3> <p>Possible causes:</p> <ul> <li>application failed to start</li> <li>health check path is wrong</li> <li>firewall rule does not allow health check probes</li> <li>target tag mismatch</li> <li>named port mismatch</li> <li>backend service points to the wrong instance group</li> </ul> <p>Useful commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute backend-services get-health BACKEND_SERVICE_NAME <span class="nt">--global</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl status prod-lite-app </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>journalctl <span class="nt">-u</span> prod-lite-app <span class="nt">--no-pager</span> <span class="nt">-n</span> 100 </code></pre> </div> <h3> VM Cannot Install Packages </h3> <p>Possible cause:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cloud NAT is not configured correctly. </code></pre> </div> <p>Useful check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://example.com </code></pre> </div> <p>Run that from inside the VM.</p> <h3> IAP SSH Fails </h3> <p>Possible causes:</p> <ul> <li>missing IAP role</li> <li>missing OS Login role</li> <li>missing service account user role</li> <li>missing IAP firewall rule</li> <li>wrong VM network tag</li> </ul> <p>Check firewall rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute firewall-rules list <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name~iap"</span> </code></pre> </div> <h2> Important Design Decisions </h2> <h3> 1. Use private backend VMs </h3> <p>The backend application instances do not have external IP addresses.</p> <p>This reduces direct exposure and forces traffic through the load balancer.</p> <h3> 2. Use Cloud NAT </h3> <p>The private VMs still need outbound access.</p> <p>Cloud NAT allows that without assigning public IPs to the VMs.</p> <h3> 3. Use map-based subnet definitions </h3> <p>Subnets are defined through a map so the network module stays reusable.</p> <p>Adding another subnet should not require another resource block.</p> <h3> 4. Use map-based firewall rules </h3> <p>Firewall rules are also defined through a map.</p> <p>This keeps ingress policy data-driven and easier to extend.</p> <h3> 5. Use a Managed Instance Group </h3> <p>The application tier is managed as a group based on an instance template.</p> <p>This is more production-shaped than a standalone VM.</p> <h3> 6. Use HTTP only in v1.0 </h3> <p>HTTPS is intentionally deferred to v1.1.</p> <p>The v1.0 goal is to prove:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>private backends Cloud NAT MIG health checks HTTP load balancing firewall rules remote state </code></pre> </div> <h3> 7. Reserve a DB subnet without provisioning a database </h3> <p>The DB subnet demonstrates tiered network design.</p> <p>A database is not provisioned in v1.0 because this artifact focuses on the web platform infrastructure.</p> <h2> What I Learned </h2> <p>This artifact helped me understand that application infrastructure is not only about creating a VM.</p> <p>A proper platform needs several parts to work together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>networking identity firewall rules NAT compute lifecycle health checks load balancing state management documentation </code></pre> </div> <p>The most interesting part for me was seeing how small configuration details affect the whole platform.</p> <p>For example:</p> <ul> <li>if the firewall source range is wrong, the load balancer cannot reach the backend</li> <li>if the health check path is wrong, the backend becomes unhealthy</li> <li>if Cloud NAT is missing, private VMs may fail during startup</li> <li>if the MIG named port does not match the backend service, traffic may not route correctly</li> <li>if SSH is opened to <code>0.0.0.0/0</code>, the design becomes weaker</li> </ul> <p>This project made me appreciate that infrastructure is a system.</p> <p>Each component has to be designed with the others in mind.</p> <h2> What I Intentionally Did Not Add </h2> <p>I intentionally did not add HTTPS in this version.</p> <p>I also did not add:</p> <ul> <li>Cloud Armor</li> <li>Cloud SQL</li> <li>Secret Manager</li> <li>CI/CD</li> <li>custom domain</li> <li>blue-green deployment</li> <li>autoscaling policy</li> <li>multi-region deployment</li> </ul> <p>Those are useful, but I want this artifact to stay focused.</p> <p>The purpose of v1.0 is to build the core web platform first.</p> <h2> Next Step </h2> <p>The next version will be:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>v1.1 — HTTPS and Custom Domain </code></pre> </div> <p>That version should add:</p> <ul> <li>Google-managed SSL certificate</li> <li>custom domain</li> <li>HTTPS target proxy</li> <li>global forwarding rule on port 443</li> <li>optional HTTP-to-HTTPS redirect</li> </ul> <p>After that, I want to continue with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>v1.2 — Security Hardening v2.0 — Terraform CI/CD with GitHub Actions and Workload Identity Federation v2.1 — Drift, Import, and State Recovery v3.0 — Database and Secrets </code></pre> </div> <h2> References </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform GCS backend: https://developer.hashicorp.com/terraform/language/backend/gcs Google Cloud — Store Terraform state in Cloud Storage: https://cloud.google.com/docs/terraform/resource-management/store-state Google Cloud — External Application Load Balancer overview: https://cloud.google.com/load-balancing/docs/https Google Cloud — Terraform examples for external Application Load Balancers: https://cloud.google.com/load-balancing/docs/https/ext-http-lb-tf-module-examples Google Cloud — Cloud NAT overview: https://cloud.google.com/nat/docs/overview Google Cloud — IAP TCP forwarding: https://cloud.google.com/iap/docs/using-tcp-forwarding </code></pre> </div> devops googlecloud infrastructure terraform Building a GCP Terraform Foundation: VPC, IAM, and Remote State Abraham Naiborhu Fri, 15 May 2026 13:58:12 +0000 https://forem.com/abrahamparn/building-a-gcp-terraform-foundation-vpc-iam-and-remote-state-54jp https://forem.com/abrahamparn/building-a-gcp-terraform-foundation-vpc-iam-and-remote-state-54jp <p>After going through several Terraform learning labs, I wanted to create my first Terraform artifact.</p> <p>The goal was not to build a full production landing zone, but to build a clean GCP Terraform Foundation Lite project.</p> <p>This project is meant to prove that I can bootstrap the basic foundation layer of a Google Cloud environment using Terraform.</p> <p>It includes:</p> <ul> <li>remote Terraform state</li> <li>versioned GCS state bucket</li> <li>custom VPC network</li> <li>role-based public and private subnets</li> <li>firewall rules</li> <li>service accounts</li> <li>IAM bindings</li> <li>reusable modules</li> <li>basic naming convention</li> <li>GitHub-safe variable patterns</li> </ul> <h2> Why I Built This </h2> <p>In my earlier Terraform labs, I learned individual concepts:</p> <ul> <li>installing Terraform</li> <li>creating a VPC</li> <li>using variables</li> <li>using outputs</li> <li>storing remote state in GCS</li> <li>creating modules</li> <li>creating service accounts</li> <li>using Terraform with GitHub Actions</li> </ul> <p>But those were learning labs. For this project, I wanted to convert those lessons into a cleaner artifact.</p> <p>The objective was to create something that looks closer to a real Terraform repository. It's still simple, but structured enough to show a proper foundation pattern.</p> <h2> What This Project Builds </h2> <p>This project creates:</p> <ul> <li>Google Cloud Storage bucket for Terraform state</li> <li>object versioning for state recovery</li> <li>custom VPC network</li> <li>public-facing subnet</li> <li>private workload subnet</li> <li>IAP SSH firewall rule</li> <li>internal traffic firewall rule</li> <li>application service account</li> <li>CI/CD service account</li> <li>optional IAM bindings</li> </ul> <p>The project is intentionally called Foundation Lite because it is not a full enterprise landing zone. It is a smaller version focused on the fundamentals.</p> <h2> Why Remote State Matters </h2> <p>By default, Terraform can store state locally in a file called:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfstate </code></pre> </div> <p>That is acceptable for early learning. However, from the labs I learn that local state is risky when the project becomes more serious.</p> <p>If state only exists on my machine, then several problems appear:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What if the file is deleted? What if another person needs to work on the infrastructure? What if two people run Terraform at the same time? What if I need to recover a previous state version? </code></pre> </div> <p>For this project, I used Google Cloud Storage as the remote backend that stores Terraform state. Furthermore, I also enabled Object Versioning on the bucket because it gives me a recovery path if the state object is accidentally overwritten or deleted.</p> <p>Reference:</p> <p><a href="https://developer.hashicorp.com/terraform/language/backend/gcs" rel="noopener noreferrer">https://developer.hashicorp.com/terraform/language/backend/gcs</a></p> <p><a href="https://cloud.google.com/storage/docs/samples/storage-bucket-tf-with-versioning" rel="noopener noreferrer">https://cloud.google.com/storage/docs/samples/storage-bucket-tf-with-versioning</a></p> <h2> Why Bootstrap Is Separate </h2> <p>One important thing I learned is that the GCS bucket for Terraform state must exist before Terraform can use it as a backend.</p> <p>That creates a bootstrapping problem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform needs a backend bucket. But Terraform cannot use the backend bucket before it exists. </code></pre> </div> <p>So I separated the project into two stages:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Stage</th> <th>Folder</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Stage 1</td> <td><code>bootstrap/state-bucket</code></td> <td>Creates the GCS state bucket</td> </tr> <tr> <td>Stage 2</td> <td><code>foundation</code></td> <td>Uses the GCS bucket as backend and creates the foundation resources</td> </tr> </tbody> </table></div> <p>This separation makes the workflow clearer.</p> <p>First, I bootstrap the state bucket.</p> <p>Then I use that bucket to manage the foundation.</p> <h2> Repository Structure </h2> <p>The repository structure is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-foundation-lite/ ├── README.md ├── .gitignore ├── docs/ │ └── architecture.md ├── bootstrap/ │ └── state-bucket/ │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ └── terraform.tfvars.example ├── foundation/ │ ├── backend.tf │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ └── terraform.tfvars.example └── modules/ ├── network/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf └── iam/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p>There are two main folders:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>bootstrap/ foundation/ </code></pre> </div> <p>And two reusable modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/network modules/iam </code></pre> </div> <h2> Architecture </h2> <p>The high-level architecture is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Bootstrap Terraform ↓ GCS State Bucket with Object Versioning ↓ Foundation Remote Backend ↓ Foundation Root Module ↓ Network Module + IAM Module </code></pre> </div> <p>The network module creates the VPC, subnets, and firewall rules.</p> <p>The IAM module creates service accounts and optional IAM role bindings.</p> <h2> Important Note About Public and Private Subnets in GCP </h2> <p>In Google Cloud, subnets are not inherently public or private in the same way as AWS.</p> <p>A subnet becomes public-facing or private based on how workloads inside it are configured.</p> <p>For example:</p> <ul> <li>whether instances have external IPs</li> <li>whether traffic enters through a load balancer</li> <li>whether Cloud NAT exists</li> <li>what firewall rules allow</li> <li>how routing and exposure are designed</li> </ul> <p>So in this project, I use <code>public</code> and <code>private</code> as role-based names.</p> <p>They describe the intended function of each subnet.</p> <p>They are not native GCP subnet types.</p> <h2> Stage 1: Bootstrap State Bucket </h2> <p>The first Terraform stage creates the GCS state bucket.</p> <p>Folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>bootstrap/state-bucket </code></pre> </div> <p>The bucket resource looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"terraform_state"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">state_bucket_name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">uniform_bucket_level_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_access_prevention</span> <span class="p">=</span> <span class="s2">"enforced"</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">versioning</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">purpose</span> <span class="p">=</span> <span class="s2">"terraform-state"</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"bootstrap"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>There are several important settings here.</p> <h3> Uniform Bucket-Level Access </h3> <p>This keeps access management simpler by using IAM at the bucket level.</p> <h3> Public Access Prevention </h3> <p>This prevents the state bucket from accidentally becoming public.</p> <p>Terraform state can contain sensitive infrastructure information, so the state bucket should never be publicly accessible.</p> <h3> Object Versioning </h3> <p>Object Versioning gives a recovery path if the Terraform state object is accidentally deleted or overwritten.</p> <p>This is important because Terraform state is critical to Terraform-managed infrastructure.</p> <h2> Stage 2: Foundation Backend </h2> <p>After the bucket exists, the foundation stage can use it as a backend.</p> <p>Folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>foundation </code></pre> </div> <p>Example backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"your-gcp-project-id-tfstate"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"foundation"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This stores the foundation state at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://your-gcp-project-id-tfstate/foundation/default.tfstate </code></pre> </div> <h2> Network Module </h2> <p>The network module creates:</p> <ul> <li>custom VPC</li> <li>subnets</li> <li>firewall rules</li> </ul> <p>The module receives subnet definitions using a map.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">public</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.10.1.0/24"</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"public-facing"</span> <span class="p">}</span> <span class="nx">private</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.10.2.0/24"</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"private-workload"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The VPC is created as a custom mode VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">final_network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p>I use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">auto_create_subnetworks</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p>because I want explicit control over the subnet ranges.</p> <p>This is cleaner than relying on automatically created subnets.</p> <h2> Firewall Rules </h2> <p>The network module also creates firewall rules from a map.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-iap-ssh</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH through IAP only."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.235.240.0/20"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"22"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-internal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow internal traffic inside the foundation CIDR range."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.10.0.0/16"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The IAP SSH rule is intentionally scoped to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>This is the source range used by IAP TCP forwarding.</p> <p>I used this instead of opening SSH from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0.0.0.0/0 </code></pre> </div> <p>That is a better security habit.</p> <h2> IAM Module </h2> <p>The IAM module creates service accounts.</p> <p>Example input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">service_accounts</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Application Workload Service Account"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Service account intended for application workloads."</span> <span class="nx">roles</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="nx">cicd</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"CI/CD Terraform Service Account"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Service account intended for Terraform automation."</span> <span class="nx">roles</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The module creates service accounts using <code>for_each</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"service_accounts"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_accounts</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.name_prefix}-${each.key}"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">display_name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="p">}</span> </code></pre> </div> <p>This keeps identity creation separate from network creation.</p> <p>That separation makes the repository easier to understand.</p> <h2> Naming Convention </h2> <p>The project uses a simple naming pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>environment-nameprefix-resource </code></pre> </div> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-foundation-vpc dev-foundation-public-subnet dev-foundation-private-subnet dev-foundation-app dev-foundation-cicd </code></pre> </div> <p>The goal is not to create the perfect naming standard.</p> <p>The goal is to avoid random resource names.</p> <p>Even a simple naming convention makes infrastructure easier to inspect later.</p> <h2> Git Safety </h2> <p>I do not commit real <code>.tfvars</code> files.</p> <p>The repository includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars.example </code></pre> </div> <p>but ignores:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>The <code>.gitignore</code> includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.terraform/ *.tfstate *.tfstate.* *.tfvars *.tfvars.json !*.tfvars.example *.tfplan .DS_Store </code></pre> </div> <p>This keeps local values and state files out of GitHub.</p> <p>That is important because Terraform state and tfvars files can contain project-specific or sensitive information.</p> <h2> Running the Project </h2> <p>The execution order is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Run bootstrap 2. Create the state bucket 3. Update foundation/backend.tf with the bucket name 4. Run foundation 5. Verify resources in GCP </code></pre> </div> <h3> Bootstrap </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>bootstrap/state-bucket <span class="nb">cp </span>terraform.tfvars.example terraform.tfvars terraform init terraform <span class="nb">fmt </span>terraform validate terraform plan terraform apply </code></pre> </div> <h3> Foundation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ../../foundation <span class="nb">cp </span>terraform.tfvars.example terraform.tfvars terraform init terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> terraform validate terraform plan terraform apply </code></pre> </div> <h2> Expected Output </h2> <p>The foundation output should show a summary similar to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>foundation_summary = { environment = "dev" network_name = "dev-foundation-vpc" subnet_count = 2 firewall_count = 2 service_accounts = ["app", "cicd"] } </code></pre> </div> <p>This confirms that Terraform created:</p> <ul> <li>one VPC</li> <li>two subnets</li> <li>two firewall rules</li> <li>two service accounts</li> </ul> <h2> Verification </h2> <p>I can verify the VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-foundation-vpc"</span> </code></pre> </div> <p>Verify subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks subnets list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"network:dev-foundation-vpc"</span> </code></pre> </div> <p>Verify firewall rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute firewall-rules list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"network:dev-foundation-vpc"</span> </code></pre> </div> <p>Verify service accounts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud iam service-accounts list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"email~dev-foundation"</span> </code></pre> </div> <p>Verify remote state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://your-gcp-project-id-tfstate/foundation/ </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://your-gcp-project-id-tfstate/foundation/default.tfstate </code></pre> </div> <h2> Next Step </h2> <p>This artifact only creates the foundation layer.</p> <p>The next artifact will build on top of this idea by provisioning a production-lite GCP web platform.</p> <p>That project will include:</p> <ul> <li>Cloud NAT</li> <li>Managed Instance Group</li> <li>instance template</li> <li>health check</li> <li>HTTP load balancer</li> <li>private backend instances</li> </ul> <p>The foundation answers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Can I bootstrap a clean Terraform-managed GCP environment? </code></pre> </div> <p>The next artifact answers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Can I provision infrastructure for an actual application platform? </code></pre> </div> devops google infrastructure terraform CI/CD for Terraform on GCP: Plan on Pull Request, Apply with Approval, No Static Keys Abraham Naiborhu Wed, 13 May 2026 15:04:16 +0000 https://forem.com/abrahamparn/cicd-for-terraform-on-gcp-plan-on-pull-request-apply-with-approval-no-static-keys-3kpm https://forem.com/abrahamparn/cicd-for-terraform-on-gcp-plan-on-pull-request-apply-with-approval-no-static-keys-3kpm <p>Hi guys, so, this will be my last lab.</p> <p>In the previous labs, I used Terraform from my local machine.<br> The workflow was simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>local terminal -&gt; terraform plan -&gt; terraform apply </code></pre> </div> <p>That worked for learning, but it is not how I want to manage infrastructure changes in a more professional setup.</p> <p>For this lab, I wanted to move Terraform execution into GitHub Actions.</p> <p>The target workflow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pull Request -&gt; terraform fmt -&gt; terraform validate -&gt; terraform plan Manual Approval -&gt; terraform apply </code></pre> </div> <p>The main goal is not only automation.</p> <p>The main goal is infrastructure change control.</p> <p>In this lab, I built a Terraform CI/CD workflow using:</p> <ul> <li>GitHub Actions</li> <li>Google Cloud Workload Identity Federation</li> <li>Terraform remote state in Google Cloud Storage</li> <li><code>terraform fmt -check</code></li> <li><code>terraform validate</code></li> <li><code>terraform plan</code></li> <li>manual <code>terraform apply</code> </li> <li>no downloaded service account JSON key</li> </ul> <p>The key idea is:</p> <blockquote> <p>Terraform should not only create infrastructure. Terraform changes should also be reviewed before they are applied.</p> </blockquote> <h2> Why This Lab Matters </h2> <p>Infrastructure as Code without review is dangerous.</p> <p>Why only application code that needs review? why not Terraform? Thus, A better workflow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>write Terraform code open pull request run terraform fmt and validate run terraform plan review the change apply only after approval </code></pre> </div> <p>This makes Terraform closer to a professional engineering workflow.</p> <h2> Why Workload Identity Federation? </h2> <p>One important decision in this lab was to avoid using a service account JSON key.</p> <p>Instead, I used Workload Identity Federation.</p> <p>The authentication flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Actions OIDC token ↓ Google Workload Identity Provider ↓ Google service account impersonation ↓ Terraform can access Google Cloud </code></pre> </div> <p>This means I do not need to download a long-lived service account key and store it in GitHub Secrets.</p> <p>For this lab, GitHub Actions impersonates a Google Cloud service account through Workload Identity Federation.</p> <p>Reference:</p> <p><a href="https://github.com/google-github-actions/auth" rel="noopener noreferrer">https://github.com/google-github-actions/auth</a></p> <p><a href="https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions" rel="noopener noreferrer">https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions</a></p> <h2> What This Lab Creates </h2> <p>The infrastructure itself is intentionally simple.</p> <p>This lab creates:</p> <ul> <li>one custom VPC network</li> <li>one subnet</li> <li>remote Terraform state in Google Cloud Storage</li> </ul> <p>Why simple?</p> <p>Because the focus of this lab is not infrastructure complexity.</p> <p>The focus is the Terraform delivery workflow.</p> <p>I wanted the CI/CD workflow to be easy to debug before applying it to a bigger project such as my production-lite GCP web platform.</p> <h2> Folder Structure </h2> <p>The folder structure is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab/ ├── .github/ │ └── workflows/ │ ├── lab-09-terraform-plan.yml │ └── lab-09-terraform-apply.yml └── 09-terraform-cicd-github-actions/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars.example └── README.md </code></pre> </div> <p>The Terraform code lives inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>09-terraform-cicd-github-actions/ </code></pre> </div> <p>The GitHub Actions workflows live inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/workflows/ </code></pre> </div> <h2> Terraform Backend </h2> <p>The backend uses Google Cloud Storage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/09-terraform-cicd-github-actions"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This keeps the state for this lab separate from the previous labs.</p> <p>The expected state path is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/09-terraform-cicd-github-actions/default.tfstate </code></pre> </div> <h2> Terraform Configuration </h2> <p>The Terraform configuration creates a small VPC and subnet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.subnet_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> <span class="err">}</span> </code></pre> </div> <p>The expected resources are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>google_compute_network.vpc_network google_compute_subnetwork.subnet </code></pre> </div> <h2> Variables </h2> <p>The root variables are defined in <code>variables.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">project</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"The project variable must not be empty."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Google Cloud region for regional resources."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name used for resource naming."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"cicd-network"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"cicd-subnet"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR range for the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.90.1.0/24"</span> <span class="p">}</span> </code></pre> </div> <p>The <code>project</code> variable does not have a default value.</p> <p>That is intentional.</p> <p>I do not want to hardcode the Google Cloud project ID inside the Terraform configuration.</p> <p>In GitHub Actions, I pass the value using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">-var</span><span class="o">=</span><span class="s2">"project=</span><span class="k">${</span><span class="p">{ vars.GCP_PROJECT_ID </span><span class="k">}</span><span class="s2">}"</span> </code></pre> </div> <h2> GitHub Repository Variables </h2> <p>In GitHub, I added repository variables under:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Settings -&gt; Secrets and variables -&gt; Actions -&gt; Variables </code></pre> </div> <p>The variables are:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Name</th> <th>Example Value</th> </tr> </thead> <tbody> <tr> <td><code>GCP_PROJECT_ID</code></td> <td><code>terraform-gcp-learning-lab</code></td> </tr> <tr> <td><code>GCP_REGION</code></td> <td><code>asia-southeast2</code></td> </tr> <tr> <td><code>GCP_WORKLOAD_IDENTITY_PROVIDER</code></td> <td><code>projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/providers/github-provider</code></td> </tr> <tr> <td><code>GCP_SERVICE_ACCOUNT</code></td> <td><code>terraform-cicd@PROJECT_ID.iam.gserviceaccount.com</code></td> </tr> <tr> <td><code>TF_WORKING_DIR</code></td> <td><code>09-terraform-cicd-github-actions</code></td> </tr> <tr> <td><code>TF_VERSION</code></td> <td><code>1.15.1</code></td> </tr> </tbody> </table></div> <p>These are repository variables, not service account keys.</p> <p>There is no downloaded JSON key.</p> <h2> Plan Workflow </h2> <p>The plan workflow runs on pull request.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/workflows/lab-09-terraform-plan.yml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Lab 09 - Terraform Plan</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">09-terraform-cicd-github-actions/**"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">.github/workflows/lab-09-terraform-plan.yml"</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">read</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TF_IN_AUTOMATION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">TF_INPUT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform-plan</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform fmt, validate, and plan</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">${{ vars.TF_WORKING_DIR }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Authenticate to Google Cloud using WIF</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">google-github-actions/auth@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">project_id</span><span class="pi">:</span> <span class="s">${{ vars.GCP_PROJECT_ID }}</span> <span class="na">workload_identity_provider</span><span class="pi">:</span> <span class="s">${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}</span> <span class="na">service_account</span><span class="pi">:</span> <span class="s">${{ vars.GCP_SERVICE_ACCOUNT }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ vars.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform fmt check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform fmt -check -recursive</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform init</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform init -input=false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform validate</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform plan</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform plan \</span> <span class="s">-input=false \</span> <span class="s">-no-color \</span> <span class="s">-var="project=${{ vars.GCP_PROJECT_ID }}" \</span> <span class="s">-var="region=${{ vars.GCP_REGION }}"</span> </code></pre> </div> <p>The important part is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> </code></pre> </div> <p>The <code>id-token: write</code> permission is required for GitHub Actions to request an OIDC token for Workload Identity Federation.</p> <h2> Apply Workflow </h2> <p>The apply workflow is manually triggered.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/workflows/lab-09-terraform-apply.yml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Lab 09 - Terraform Apply</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TF_IN_AUTOMATION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">TF_INPUT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform-apply</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform plan and apply</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">terraform-apply</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">${{ vars.TF_WORKING_DIR }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Authenticate to Google Cloud using WIF</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">google-github-actions/auth@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">project_id</span><span class="pi">:</span> <span class="s">${{ vars.GCP_PROJECT_ID }}</span> <span class="na">workload_identity_provider</span><span class="pi">:</span> <span class="s">${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}</span> <span class="na">service_account</span><span class="pi">:</span> <span class="s">${{ vars.GCP_SERVICE_ACCOUNT }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ vars.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform fmt check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform fmt -check -recursive</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform init</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform init -input=false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform validate</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform plan output file</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform plan \</span> <span class="s">-input=false \</span> <span class="s">-no-color \</span> <span class="s">-out=tfplan \</span> <span class="s">-var="project=${{ vars.GCP_PROJECT_ID }}" \</span> <span class="s">-var="region=${{ vars.GCP_REGION }}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform apply approved plan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform apply -input=false -auto-approve tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform output</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform output</span> </code></pre> </div> <p>The apply workflow uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="s">terraform-apply</span> </code></pre> </div> <p>In GitHub, I configured this environment with required approval.</p> <p>So the apply step is not fully automatic.</p> <p>It still requires manual approval.</p> <h2> The Error I Encountered </h2> <p>My first plan workflow failed.</p> <p>The error was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Invalid value for variable on variables.tf line 1: variable "project" { var.project is "" The project variable must not be empty. </code></pre> </div> <p>The important part is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>var.project is "" </code></pre> </div> <p>This means Terraform did receive the variable, but the value was empty.</p> <p>The workflow line was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">-var</span><span class="o">=</span><span class="s2">"project=</span><span class="k">${</span><span class="p">{ vars.GCP_PROJECT_ID </span><span class="k">}</span><span class="s2">}"</span> </code></pre> </div> <p>So the likely issue was that <code>vars.GCP_PROJECT_ID</code> was empty or not configured correctly in GitHub Actions.</p> <p>The authentication step still worked, but Terraform failed during the plan stage because the <code>project</code> variable was empty.</p> <p>That was a useful lesson.</p> <p>Authentication and Terraform input variables are related, but they are not the same thing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WIF authentication lets GitHub Actions access Google Cloud. Terraform variables tell Terraform what values to use. </code></pre> </div> <p>In this case, WIF was working, but my Terraform variable was not being passed correctly.</p> <h2> The Fix </h2> <p>The fix was to check the GitHub repository variables.</p> <p>In GitHub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Repository -&gt; Settings -&gt; Secrets and variables -&gt; Actions -&gt; Variables </code></pre> </div> <p>I made sure this variable existed exactly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GCP_PROJECT_ID </code></pre> </div> <p>with value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab </code></pre> </div> <p>The variable name must match exactly.</p> <p>This:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GCP_PROJECT_ID </code></pre> </div> <p>is not the same as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PROJECT_ID </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GCP_PROJECT </code></pre> </div> <p>After fixing the variable, the workflow was able to pass:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">-var</span><span class="o">=</span><span class="s2">"project=</span><span class="k">${</span><span class="p">{ vars.GCP_PROJECT_ID </span><span class="k">}</span><span class="s2">}"</span> </code></pre> </div> <p>correctly into Terraform.</p> <h2> Optional Debugging Step </h2> <p>A safe debugging step is to print whether the variable exists without printing sensitive values.</p> <p>For this lab, <code>GCP_PROJECT_ID</code> is not a secret, so printing it is acceptable.</p> <p>I can add this temporarily:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Debug repository variables</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "TF_WORKING_DIR=${{ vars.TF_WORKING_DIR }}"</span> <span class="s">echo "GCP_REGION=${{ vars.GCP_REGION }}"</span> <span class="s">echo "GCP_PROJECT_ID length=$(echo -n '${{ vars.GCP_PROJECT_ID }}' | wc -c)"</span> </code></pre> </div> <p>If the length is <code>0</code>, the variable is missing or not available to the workflow.</p> <p>I would remove this debug step after the workflow is stable.</p> <h2> The Successful Result </h2> <p>After fixing the variable, the workflow worked.</p> <p>The plan workflow successfully ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform fmt -check terraform init terraform validate terraform plan </code></pre> </div> <p>Then the manual apply workflow successfully deployed the infrastructure.</p> <p>The apply workflow created:</p> <ul> <li>VPC network</li> <li>subnet</li> </ul> <p>The important thing is not that the infrastructure was complex.</p> <p>The important thing is that Terraform was executed through GitHub Actions using Workload Identity Federation without a service account key.</p> <h2> Verifying the Infrastructure </h2> <p>After apply, I can verify the VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks list <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-cicd-network"</span> </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-cicd-network </code></pre> </div> <p>Then verify the subnet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks subnets list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-cicd-subnet"</span> </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-cicd-subnet </code></pre> </div> <p>I can also verify the remote state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/09-terraform-cicd-github-actions/ </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/09-terraform-cicd-github-actions/default.tfstate </code></pre> </div> <h2> What I Learned </h2> <p>This lab taught me that Terraform CI/CD is not only about running Terraform commands in GitHub Actions.</p> <p>There are several separate concerns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Actions workflow Google Cloud authentication Workload Identity Federation Terraform remote state Terraform variable injection manual approval before apply </code></pre> </div> <p>The error I encountered was useful because it showed that successful Google Cloud authentication does not guarantee Terraform has received the right input values.</p> <p>WIF solved the authentication problem.</p> <p>GitHub repository variables solved the Terraform input problem.</p> <p>The key lesson was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Authentication answers: who is running Terraform? Variables answer: what values should Terraform use? </code></pre> </div> <p>Those are different concerns.</p> <h2> Next Step </h2> <p>This lab is not the final artifact yet.</p> <p>This is the learning lab for my future Terraform CI/CD artifact.</p> <p>The next step is to take this same pattern and apply it to my larger Terraform project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Production-Lite GCP Web Platform </code></pre> </div> <p>That project will combine:</p> <ul> <li>Terraform modules</li> <li>remote state</li> <li>VPC and subnets</li> <li>Cloud NAT</li> <li>Managed Instance Group</li> <li>HTTP load balancer</li> <li>GitHub Actions CI/CD</li> <li>Workload Identity Federation</li> </ul> <p>At that point, the infrastructure will not only be reproducible.</p> <p>It will also be reviewable and safely deployable through CI/CD.</p> <h2> References </h2> <ul> <li><a href="https://docs.github.com/actions/learn-github-actions/variables" rel="noopener noreferrer">GitHub Actions variables</a></li> <li><a href="https://github.com/google-github-actions/auth" rel="noopener noreferrer">Google GitHub Actions authentication</a></li> <li><a href="https://cloud.google.com/iam/docs/workload-identity-federation" rel="noopener noreferrer">Google Cloud Workload Identity Federation</a></li> <li><a href="https://developer.hashicorp.com/terraform/language/values/variables" rel="noopener noreferrer">Terraform input variables</a></li> </ul> cicd github googlecloud terraform Managed Instance Group, Cloud NAT, Service Account, and HTTP Load Balancer Abraham Naiborhu Mon, 11 May 2026 09:40:55 +0000 https://forem.com/abrahamparn/managed-instance-group-cloud-nat-service-account-and-http-load-balancer-3fp7 https://forem.com/abrahamparn/managed-instance-group-cloud-nat-service-account-and-http-load-balancer-3fp7 <p>In the previous lab, I created a private VM with no external IP and accessed it through IAP.</p> <p>That lab worked for private access, but it also exposed an important issue.</p> <p>The VM could be private, but without outbound internet access, the startup script could fail when trying to install packages.</p> <p>In my case, Nginx installation failed because the VM had no external IP and no Cloud NAT.</p> <p>That taught me an important distinction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAP = controlled inbound administrative access Cloud NAT = outbound internet access for private resources </code></pre> </div> <p>So in this lab, I wanted to build a more complete serving pattern.</p> <p>Instead of using a single VM, I moved to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>instance template -&gt; Managed Instance Group -&gt; health check -&gt; backend service -&gt; HTTP load balancer </code></pre> </div> <p>I also added Cloud NAT so the private backend instances can install Nginx during startup without needing external IP addresses.</p> <h2> What This Lab Builds </h2> <p>This lab provisions:</p> <ul> <li>custom VPC network</li> <li>app subnet</li> <li>db subnet</li> <li>Cloud Router</li> <li>Cloud NAT</li> <li>custom service account for MIG instances</li> <li>IAM bindings</li> <li>firewall rule for Google Cloud load balancer and health check traffic</li> <li>internal firewall rule</li> <li>HTTP health check</li> <li>instance template</li> <li>regional managed instance group</li> <li>backend service</li> <li>URL map</li> <li>target HTTP proxy</li> <li>global forwarding rule</li> <li>external HTTP load balancer IP</li> </ul> <p>The high-level architecture is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client ↓ Global forwarding rule ↓ Target HTTP proxy ↓ URL map ↓ Backend service ↓ Regional Managed Instance Group ↓ Private backend VMs ↓ outbound only Cloud NAT </code></pre> </div> <h2> Why This Lab Matters </h2> <p>The previous private VM lab was about controlled administrative access.</p> <p>This lab is about serving traffic properly.</p> <p>A single VM is not enough for a production-like serving pattern.</p> <p>A better pattern is to place backend instances inside a Managed Instance Group and expose them through a load balancer.</p> <p>The backend instances remain private.</p> <p>The public entry point is the load balancer.</p> <p>Cloud NAT gives the backend instances outbound internet access for startup tasks such as package installation.</p> <h2> Folder Structure </h2> <p>The folder structure for this lab is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>08-mig-nat-http-lb/ ├── backend.tf ├── main.tf ├── outputs.tf ├── startup.sh ├── terraform.tfvars ├── variables.tf ├── modules/ │ ├── gcp-cloud-nat/ │ ├── gcp-http-lb/ │ ├── gcp-mig/ │ ├── gcp-network/ │ └── gcp-service-account/ </code></pre> </div> <p>This lab uses five modules:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Module</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td><code>gcp-network</code></td> <td>Creates VPC, subnets, and firewall rules</td> </tr> <tr> <td><code>gcp-cloud-nat</code></td> <td>Creates Cloud Router and Cloud NAT</td> </tr> <tr> <td><code>gcp-service-account</code></td> <td>Creates a custom service account</td> </tr> <tr> <td><code>gcp-mig</code></td> <td>Creates instance template and managed instance group</td> </tr> <tr> <td><code>gcp-http-lb</code></td> <td>Creates the HTTP load balancer resources</td> </tr> </tbody> </table></div> <h2> Remote State </h2> <p>This lab still uses Google Cloud Storage as the Terraform backend.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/08-mig-http-load-balancer"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Each lab uses a different prefix so the state files do not collide.</p> <h2> Root Module </h2> <p>The root module wires all child modules together.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">firewall_rules</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"cloud_nat"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-cloud-nat"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_self_link</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_self_link</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"service_account"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-service-account"</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_service_account_id}"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_service_account_display_name}"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"mig"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-mig"</span> <span class="nx">service_account_email</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">service_account</span><span class="p">.</span><span class="nx">email</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">mig_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_zone</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_machine_type</span> <span class="nx">subnetwork_self_link</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">mig_subnet_key</span><span class="p">].</span><span class="nx">self_link</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_tags</span> <span class="nx">startup_script_path</span> <span class="p">=</span> <span class="s2">"${path.module}/startup.sh"</span> <span class="nx">target_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">mig_instance_count</span> <span class="nx">app_port</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="nx">health_check_self_link</span> <span class="p">=</span> <span class="nx">google_compute_health_check</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">self_link</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">cloud_nat</span><span class="p">]</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"http_lb"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-http-lb"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">lb_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">lb_name</span> <span class="nx">backend_instance_group</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">mig</span><span class="p">.</span><span class="nx">mig_instance_group</span> <span class="nx">health_check_self_link</span> <span class="p">=</span> <span class="nx">google_compute_health_check</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">self_link</span> <span class="nx">app_port</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="p">}</span> </code></pre> </div> <p>The important dependency flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module -&gt; Cloud NAT module network module -&gt; MIG module service account module -&gt; MIG module MIG module -&gt; HTTP load balancer module </code></pre> </div> <p>The most important lines are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">network_self_link</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">network_self_link</span> <span class="nx">subnetwork_self_link</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">mig_subnet_key</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> <span class="nx">service_account_email</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">service_account</span><span class="err">.</span><span class="nx">email</span> <span class="nx">backend_instance_group</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">mig</span><span class="err">.</span><span class="nx">mig_instance_group</span> </code></pre> </div> <p>These lines connect the modules together.</p> <h2> Cloud NAT Module </h2> <p>The Cloud NAT module creates a Cloud Router and Cloud NAT gateway.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_router"</span> <span class="s2">"router"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.router_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_self_link</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_router_nat"</span> <span class="s2">"nat"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.nat_name}"</span> <span class="nx">router</span> <span class="p">=</span> <span class="nx">google_compute_router</span><span class="p">.</span><span class="nx">router</span><span class="p">.</span><span class="nx">name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">nat_ip_allocate_option</span> <span class="p">=</span> <span class="s2">"AUTO_ONLY"</span> <span class="nx">source_subnetwork_ip_ranges_to_nat</span> <span class="p">=</span> <span class="s2">"ALL_SUBNETWORKS_ALL_IP_RANGES"</span> <span class="nx">log_config</span> <span class="p">{</span> <span class="nx">enable</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">filter</span> <span class="p">=</span> <span class="s2">"ERRORS_ONLY"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This solves the issue from the previous lab.</p> <p>The backend instances can remain private while still having outbound internet access.</p> <h2> Service Account Module </h2> <p>This lab also creates a custom service account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">account_id</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">display_name</span> <span class="p">}</span> </code></pre> </div> <p>The MIG instances use this service account instead of relying on the default Compute Engine service account.</p> <p>The root module passes the service account email into the MIG module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">service_account_email</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">service_account</span><span class="err">.</span><span class="nx">email</span> </code></pre> </div> <h2> MIG Module </h2> <p>The MIG module creates an instance template and a regional managed instance group.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_instance_template"</span> <span class="s2">"template"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}-template-"</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="nx">disk</span> <span class="p">{</span> <span class="nx">source_image</span> <span class="p">=</span> <span class="s2">"debian-cloud/debian-12"</span> <span class="nx">auto_delete</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">boot</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">disk_size_gb</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">disk_type</span> <span class="p">=</span> <span class="s2">"pd-balanced"</span> <span class="p">}</span> <span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="p">}</span> <span class="nx">metadata_startup_script</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">startup_script_path</span><span class="p">)</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">service_account</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_account_email</span> <span class="nx">scopes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"https://www.googleapis.com/auth/cloud-platform"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>There is no external IP configuration in the network interface.</p> <p>That means the backend instances remain private.</p> <p>The regional managed instance group uses the template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_region_instance_group_manager"</span> <span class="s2">"mig"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">base_instance_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.mig_name}"</span> <span class="nx">target_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">target_size</span> <span class="nx">version</span> <span class="p">{</span> <span class="nx">instance_template</span> <span class="p">=</span> <span class="nx">google_compute_instance_template</span><span class="p">.</span><span class="nx">template</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="nx">named_port</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">port</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="p">}</span> <span class="nx">distribution_policy_zones</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">zone</span><span class="p">]</span> <span class="nx">auto_healing_policies</span> <span class="p">{</span> <span class="nx">health_check</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">health_check_self_link</span> <span class="nx">initial_delay_sec</span> <span class="p">=</span> <span class="mi">120</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The named port is important because the backend service uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>port_name = "http" </code></pre> </div> <p>So the MIG and backend service need to agree on the named port.</p> <h2> HTTP Load Balancer Module </h2> <p>The HTTP load balancer module creates:</p> <ul> <li>global IP address</li> <li>backend service</li> <li>URL map</li> <li>target HTTP proxy</li> <li>global forwarding rule </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_global_address"</span> <span class="s2">"lb_ip"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.lb_name}-ip"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_backend_service"</span> <span class="s2">"backend"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.lb_name}-backend"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">port_name</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">load_balancing_scheme</span> <span class="p">=</span> <span class="s2">"EXTERNAL_MANAGED"</span> <span class="nx">timeout_sec</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">health_checks</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">health_check_self_link</span> <span class="p">]</span> <span class="nx">backend</span> <span class="p">{</span> <span class="nx">group</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">backend_instance_group</span> <span class="nx">balancing_mode</span> <span class="p">=</span> <span class="s2">"UTILIZATION"</span> <span class="nx">capacity_scaler</span> <span class="p">=</span> <span class="mf">1.0</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The backend service points to the instance group output from the MIG module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">backend_instance_group</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">mig</span><span class="err">.</span><span class="nx">mig_instance_group</span> </code></pre> </div> <p>That is the connection between the load balancer and the backend instances.</p> <h2> Firewall Rules </h2> <p>The firewall rules are still created by the network module.</p> <p>The load balancer and health check rule allows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">source_ranges</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"35.191.0.0/16"</span><span class="p">,</span> <span class="s2">"130.211.0.0/22"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> </code></pre> </div> <p>The MIG instances also use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">mig_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> </code></pre> </div> <p>This means the firewall rule applies to the backend instances.</p> <p>The rule allows traffic on port 80:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">allow</span> <span class="err">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"80"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> </code></pre> </div> <h2> Startup Script </h2> <p>The startup script installs Nginx and creates a simple HTML page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail apt-get update <span class="nt">-y</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> nginx <span class="nv">HOSTNAME</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span><span class="s2">"</span> <span class="nv">LOCAL_IP</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">hostname</span> <span class="nt">-I</span> | <span class="nb">awk</span> <span class="s1">'{print $1}'</span><span class="si">)</span><span class="s2">"</span> <span class="nb">cat</span> <span class="o">&gt;</span> /var/www/html/index.html <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &lt;!doctype html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;Terraform MIG Load Balancer Lab&lt;/title&gt; &lt;/head&gt; &lt;body&gt; &lt;h1&gt;Hello from Terraform Lab 008&lt;/h1&gt; &lt;p&gt;This page is served from a private VM inside a Managed Instance Group.&lt;/p&gt; &lt;p&gt;Hostname: </span><span class="k">${</span><span class="nv">HOSTNAME</span><span class="k">}</span><span class="sh">&lt;/p&gt; &lt;p&gt;Internal IP: </span><span class="k">${</span><span class="nv">LOCAL_IP</span><span class="k">}</span><span class="sh">&lt;/p&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="no">EOF </span>systemctl <span class="nb">enable </span>nginx systemctl restart nginx </code></pre> </div> <p>In the previous private VM lab, this script failed because the VM had no external IP and no Cloud NAT.</p> <p>In this lab, Cloud NAT should allow the backend instances to reach the internet and install Nginx successfully.</p> <h2> Variables </h2> <p>For local values, I used <code>terraform.tfvars</code>.</p> <p>Public article version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"your-gcp-project-id"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">admin_principal</span> <span class="err">=</span> <span class="s2">"user:your-email@example.com"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"mig-lb-network"</span> <span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.1.0/24"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.80.2.0/24"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-lb-health-check</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow Google Cloud load balancer health checks and proxy traffic."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.191.0.0/16"</span><span class="p">,</span> <span class="s2">"130.211.0.0/22"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"80"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-internal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow internal traffic between lab subnets."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.80.0.0/16"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">mig_name</span> <span class="err">=</span> <span class="s2">"web-mig"</span> <span class="nx">mig_instance_count</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">mig_machine_type</span> <span class="err">=</span> <span class="s2">"e2-micro"</span> <span class="nx">mig_zone</span> <span class="err">=</span> <span class="s2">"asia-southeast2-a"</span> <span class="nx">mig_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> <span class="nx">mig_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"web-backend"</span><span class="p">]</span> <span class="nx">mig_service_account_id</span> <span class="err">=</span> <span class="s2">"web-mig-sa"</span> <span class="nx">mig_service_account_display_name</span> <span class="err">=</span> <span class="s2">"Web MIG Service Account"</span> <span class="nx">lb_name</span> <span class="err">=</span> <span class="s2">"web-lb"</span> <span class="nx">app_port</span> <span class="err">=</span> <span class="mi">80</span> </code></pre> </div> <p>I do not commit the real <code>terraform.tfvars</code> file to GitHub.</p> <p>For GitHub, I use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars.example </code></pre> </div> <h2> Initialize, Format, and Validate </h2> <p>After preparing the files, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>Then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> </code></pre> </div> <p>Then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>The validation result was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Terraform Plan </h2> <p>The plan should show resources across multiple modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network module.cloud_nat module.service_account module.mig module.http_lb </code></pre> </div> <p>The important thing here is not just the number of resources.</p> <p>The important thing is the dependency chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC and subnets are created first. Cloud NAT is attached to the network. Instance template uses the app subnet and service account. MIG creates backend instances. Backend service uses the MIG instance group. Load balancer exposes the backend service. </code></pre> </div> <h2> Terraform Apply </h2> <p>After reviewing the plan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Then type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>The apply process may take several minutes because the MIG needs time to create backend instances and the load balancer needs time to detect healthy backends.</p> <h2> Outputs </h2> <p>Useful outputs from this lab include:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output load_balancer_ip terraform output load_balancer_url terraform output curl_test_command terraform output lab_summary </code></pre> </div> <p>The most important output is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>load_balancer_url </code></pre> </div> <p>This is the public HTTP endpoint for the lab.</p> <h2> Testing the Load Balancer </h2> <p>To test the load balancer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> <span class="si">$(</span>terraform output <span class="nt">-raw</span> load_balancer_url<span class="si">)</span> </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP/1.1 200 OK </code></pre> </div> <p>The response body should contain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hello from Terraform Lab 008 </code></pre> </div> <p>To test whether traffic may reach different backend instances:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..5<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="si">$(</span>terraform output <span class="nt">-raw</span> load_balancer_url<span class="si">)</span> | <span class="nb">grep </span>Hostname <span class="k">done</span> </code></pre> </div> <p>If both backend instances are healthy and receiving traffic, the hostname may change across requests.</p> <h2> Verifying Backend Health </h2> <p>I can check backend health using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute backend-services get-health dev-web-lb-backend <span class="se">\</span> <span class="nt">--global</span> </code></pre> </div> <p>Expected health state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HEALTHY </code></pre> </div> <p>If the backend is unhealthy, possible causes include:</p> <ul> <li>startup script still running</li> <li>Nginx failed to install</li> <li>health check firewall rule is wrong</li> <li>named port mismatch</li> <li>backend instances are not listening on port 80</li> </ul> <h2> Verifying Private Backend Instances </h2> <p>The backend instances should not have external IP addresses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name~dev-web-mig"</span> </code></pre> </div> <p>The external IP column should be empty.</p> <p>This confirms that the backend instances are private.</p> <p>The load balancer is public, but the backend instances are not directly exposed.</p> <h2> Verifying Cloud NAT </h2> <p>To verify Cloud NAT:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute routers nats list <span class="se">\</span> <span class="nt">--router</span><span class="o">=</span>dev-nat-router <span class="se">\</span> <span class="nt">--region</span><span class="o">=</span>asia-southeast2 </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-nat-gateway </code></pre> </div> <p>This confirms that Cloud NAT exists for the VPC.</p> <h2> Verifying Remote State </h2> <p>The remote state should be stored in Google Cloud Storage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/08-mig-http-load-balancer/ </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/08-mig-http-load-balancer/default.tfstate </code></pre> </div> <h2> What I Learned </h2> <p>This lab connected several important Terraform and Google Cloud concepts.</p> <p>The previous labs taught me:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>how to create resources how to use variables how to use outputs how to use remote state how to create modules how to create a private VM </code></pre> </div> <p>This lab combined those concepts into a more realistic serving architecture.</p> <p>The most important lesson is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>A private backend can still serve public traffic through a load balancer. </code></pre> </div> <p>The backend instances do not need external IP addresses.</p> <p>The public entry point is the load balancer.</p> <p>The backend instances can still install packages during startup because Cloud NAT provides outbound internet access.</p> <p>Another important lesson is how Terraform modules compose infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module creates network outputs Cloud NAT module uses network output service account module creates workload identity MIG module uses subnet and service account outputs load balancer module uses MIG output </code></pre> </div> <h2> Next Step </h2> <p>This lab uses an HTTP load balancer.</p> <p>The next improvement would be to move from HTTP to HTTPS.</p> <p>That would introduce:</p> <ul> <li>managed SSL certificate</li> <li>domain mapping</li> <li>HTTPS proxy</li> <li>forwarding rule on port 443</li> <li>possibly Cloud DNS</li> </ul> <p>That would make the infrastructure closer to a real public-facing production setup.</p> googlecloud infrastructure networking tutorial Private VM Access with IAP, OS Login, and Service Account Abraham Naiborhu Sun, 10 May 2026 08:06:49 +0000 https://forem.com/abrahamparn/private-vm-access-with-iap-os-login-and-service-account-4m5c https://forem.com/abrahamparn/private-vm-access-with-iap-os-login-and-service-account-4m5c <p>In the previous Terraform lab, I created a private Compute Engine VM using module composition.</p> <p>The VM was created from a reusable <code>gcp-vm</code> module, while the network was created from a reusable <code>gcp-network</code> module.</p> <p>That lab helped me understand this pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module output -&gt; root module -&gt; VM module input </code></pre> </div> <p>For this lab, I wanted to improve the access pattern.</p> <p>Previously, the VM already had:</p> <ul> <li>no external IP</li> <li>an IAP SSH firewall rule</li> <li>the <code>iap-ssh</code> network tag</li> </ul> <p>However, that was only half of the private access story.</p> <p>In this lab, I wanted to make the private VM access pattern more complete by adding:</p> <ul> <li>custom VM service account</li> <li>OS Login</li> <li>IAP TCP forwarding access</li> <li>IAM bindings</li> <li>startup script verification</li> <li>SSH access through IAP</li> </ul> <p>The goal was to move from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VM exists </code></pre> </div> <p>to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VM exists, has no external IP, and can be accessed in a controlled way through IAP. </code></pre> </div> <h2> What This Lab Builds </h2> <p>This lab provisions:</p> <ul> <li>custom VPC network</li> <li>app subnet</li> <li>db subnet</li> <li>firewall rule for IAP SSH</li> <li>internal firewall rule</li> <li>custom VM service account</li> <li>IAM binding for IAP TCP forwarding</li> <li>IAM binding for OS Login</li> <li>IAM binding for service account usage</li> <li>private Compute Engine VM</li> <li>startup script for Nginx installation</li> <li>remote Terraform state in Google Cloud Storage</li> </ul> <p>The important thing is that the VM has <strong>no external IP address</strong>.</p> <h2> Architecture </h2> <p>The structure is now composed of three child modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>07-private-vm-access-iap/ ├── modules/ │ ├── gcp-network/ │ ├── gcp-service-account/ │ └── gcp-vm/ </code></pre> </div> <p>The root module wires them together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Root module │ ├── module.network │ ├── VPC │ ├── app subnet │ ├── db subnet │ ├── IAP SSH firewall rule │ └── internal firewall rule │ ├── module.vm_service_account │ └── custom VM service account │ ├── IAM bindings │ ├── IAP tunnel access │ ├── OS Login admin access │ └── service account user access │ └── module.vm └── private VM </code></pre> </div> <p>The main Terraform pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module output -&gt; root module -&gt; VM module input service account module output -&gt; root module -&gt; VM module input IAM bindings -&gt; controlled private VM access </code></pre> </div> <h2> Why IAP? </h2> <p>Normally, if a VM has an external IP, I can SSH into it from the internet if the firewall allows it.</p> <p>But exposing SSH publicly is not a good habit.</p> <p>For this lab, I wanted the VM to stay private.</p> <p>So instead of giving the VM an external IP, I used Identity-Aware Proxy TCP forwarding.</p> <p>The firewall rule allows SSH only from Google’s IAP TCP forwarding source range:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>The VM also has this network tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>So the firewall rule applies only to instances with that tag.</p> <h2> Why OS Login? </h2> <p>I also enabled OS Login.</p> <p>Instead of managing SSH keys manually in project or instance metadata, OS Login allows VM login access to be controlled through IAM.</p> <p>For this lab, the selected admin principal receives:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>roles/compute.osAdminLogin </code></pre> </div> <p>This allows the principal to log in through OS Login with admin-level access.</p> <h2> Why a Custom Service Account? </h2> <p>I also created a dedicated service account for the VM.</p> <p>The service account is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-iap-private-vm-sa@terraform-gcp-learning-lab.iam.gserviceaccount.com </code></pre> </div> <p>This is better than blindly using the default Compute Engine service account.</p> <p>In real environments, each workload should have an identity that matches what it needs to do.</p> <p>For this lab, the service account exists mainly to practice a cleaner VM identity pattern.</p> <h2> Backend Configuration </h2> <p>This lab still uses remote state in Google Cloud Storage.</p> <p>Example <code>backend.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/07-private-vm-access-iap"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This means the state for this lab is isolated from the previous labs.</p> <h2> Root Module </h2> <p>The root module calls three child modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">firewall_rules</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vm_service_account"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-service-account"</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.vm_service_account_id}"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment} ${var.vm_service_account_display_name}"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-vm"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">vm_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_zone</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_tags</span> <span class="nx">subnetwork_self_link</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">].</span><span class="nx">self_link</span> <span class="nx">service_account_email</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vm_service_account</span><span class="p">.</span><span class="nx">email</span> <span class="nx">startup_script_path</span> <span class="p">=</span> <span class="s2">"${path.module}/startup.sh"</span> <span class="nx">enable_oslogin</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_oslogin</span> <span class="p">}</span> </code></pre> </div> <p>The important lines are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnetwork_self_link</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> <span class="nx">service_account_email</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">vm_service_account</span><span class="err">.</span><span class="nx">email</span> </code></pre> </div> <p>This means the VM module does not create its own network or service account.</p> <p>Instead, it consumes outputs from other modules.</p> <h2> IAM Bindings </h2> <p>This lab also creates IAM bindings.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"iap_tunnel_user"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/iap.tunnelResourceAccessor"</span> <span class="nx">member</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">admin_principal</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"os_admin_login"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/compute.osAdminLogin"</span> <span class="nx">member</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">admin_principal</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_service_account_iam_member"</span> <span class="s2">"vm_service_account_user"</span> <span class="p">{</span> <span class="nx">service_account_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vm_service_account</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/iam.serviceAccountUser"</span> <span class="nx">member</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">admin_principal</span> <span class="p">}</span> </code></pre> </div> <p>These roles support the access pattern:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Role</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>roles/iap.tunnelResourceAccessor</code></td> <td>Allows IAP TCP forwarding</td> </tr> <tr> <td><code>roles/compute.osAdminLogin</code></td> <td>Allows OS Login with admin privileges</td> </tr> <tr> <td><code>roles/iam.serviceAccountUser</code></td> <td>Allows the principal to use the VM service account</td> </tr> </tbody> </table></div> <h2> Network Module </h2> <p>The network module creates:</p> <ul> <li>VPC</li> <li>subnets</li> <li>firewall rules</li> </ul> <p>The firewall rule for IAP SSH allows traffic from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>and targets instances tagged with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>My Terraform output showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"allow-iap-ssh" = { "name" = "dev-allow-iap-ssh" "source_ranges" = toset([ "35.235.240.0/20", ]) "target_tags" = toset([ "iap-ssh", ]) } </code></pre> </div> <h2> VM Module </h2> <p>The VM module creates the private Compute Engine instance.</p> <p>The VM resource uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="p">}</span> </code></pre> </div> <p>There is no <code>access_config</code> block.</p> <p>That means the VM does not receive an external IP address.</p> <p>The VM also uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">metadata</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">enable-oslogin</span> <span class="p">=</span> <span class="nx">tostring</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">enable_oslogin</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>and attaches the custom service account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">service_account</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_account_email</span> <span class="nx">scopes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"https://www.googleapis.com/auth/cloud-platform"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Terraform Apply Result </h2> <p>After running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>the lab completed successfully.</p> <p>The output showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_name = "dev-iap-private-vm" vm_internal_ip = "10.60.1.2" vm_machine_type = "e2-micro" vm_service_account_email = "dev-iap-private-vm-sa@terraform-gcp-learning-lab.iam.gserviceaccount.com" vm_zone = "asia-southeast2-a" </code></pre> </div> <p>The lab summary showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab_summary = { "environment" = "dev" "firewall_count" = 2 "iap_ssh_enabled_pattern" = true "network_name" = "dev-iap-private-network" "os_login_enabled" = true "project" = "terraform-gcp-learning-lab" "region" = "asia-southeast2" "subnet_count" = 2 "vm_external_ip" = "none" "vm_internal_ip" = "10.60.1.2" "vm_name" = "dev-iap-private-vm" "vm_service_account_email" = "dev-iap-private-vm-sa@terraform-gcp-learning-lab.iam.gserviceaccount.com" "vm_subnet_key" = "app" "vm_zone" = "asia-southeast2-a" } </code></pre> </div> <p>This confirmed that the VM was created privately with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_external_ip = "none" </code></pre> </div> <h2> Verifying That the VM Has No External IP </h2> <p>I verified the VM using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances describe dev-iap-private-vm <span class="se">\</span> <span class="nt">--zone</span><span class="o">=</span>asia-southeast2-a <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span><span class="s2">"table(name,networkInterfaces[0].networkIP,networkInterfaces[0].accessConfigs)"</span> </code></pre> </div> <p>The result was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME NETWORK_IP ACCESS_CONFIGS dev-iap-private-vm 10.60.1.2 </code></pre> </div> <p>The <code>ACCESS_CONFIGS</code> field is empty.</p> <p>That confirms that the VM has no external IP address.</p> <h2> SSH Command Through IAP </h2> <p>Terraform also generated the IAP SSH command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcloud compute ssh dev-iap-private-vm --zone=asia-southeast2-a --tunnel-through-iap </code></pre> </div> <p>This command is important because the VM is private.</p> <p>Without an external IP, I cannot SSH directly from the public internet.</p> <p>The intended access path is through IAP TCP forwarding.</p> <h2> The One Thing That Failed: Startup Script Internet Access </h2> <p>Almost everything worked.</p> <p>But one thing failed.</p> <p>The startup script tried to install Nginx:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt-get update <span class="nt">-y</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> nginx </code></pre> </div> <p>The VM failed to fetch the Nginx package from Debian repositories.</p> <p>The error was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Failed to fetch https://deb.debian.org/debian-security/pool/updates/main/n/nginx/nginx_1.22.1-9%2bdeb12u4_amd64.deb Cannot initiate the connection to deb.debian.org:443 Network is unreachable </code></pre> </div> <p>This happened because the VM has no external IP address and I did not configure Cloud NAT.</p> <p>So the VM was private, but it also had no outbound internet path to reach Debian package repositories.</p> <p>This is an important distinction.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAP solves private administrative access into the VM. Cloud NAT solves outbound internet access from the VM. </code></pre> </div> <p>In this lab, I configured IAP access, but I did not configure Cloud NAT yet.</p> <p>That means SSH through IAP can work, but installing packages from the internet during startup may fail.</p> <p>This is not a Terraform failure.</p> <p>This is a network design gap.</p> <h2> What Worked </h2> <p>The successful parts were:</p> <ul> <li>custom VPC created</li> <li>app and db subnets created</li> <li>VM created in the app subnet</li> <li>VM has no external IP</li> <li>custom service account attached to the VM</li> <li>OS Login enabled</li> <li>IAP SSH firewall rule created</li> <li>IAP SSH command generated</li> <li>Terraform outputs confirmed the infrastructure</li> <li>remote state continued to work</li> </ul> <p>The key output was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_external_ip = "none" vm_internal_ip = "10.60.1.2" iap_ssh_enabled_pattern = true os_login_enabled = true </code></pre> </div> <p>That means the core private access pattern was successfully provisioned.</p> <h2> What Did Not Work </h2> <p>The startup script verification did not fully work because the VM could not install Nginx.</p> <p>The command that would normally verify Nginx was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-I</span> http://localhost </code></pre> </div> <p>But since Nginx installation failed, this verification could not succeed yet.</p> <p>The root cause was not the startup script itself.</p> <p>The root cause was that the private VM had no outbound internet path.</p> <h2> How I Would Fix This Next </h2> <p>There are several ways to fix this.</p> <p>The most appropriate next lab is to add:</p> <ul> <li>Cloud Router</li> <li>Cloud NAT</li> <li>private VM outbound internet access</li> <li>startup script retry</li> <li>Nginx installation verification</li> </ul> <p>That would allow the VM to stay private while still being able to reach package repositories on the internet.</p> <p>The improved design would be:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Private VM ↓ outbound internet Cloud NAT ↓ Internet package repositories </code></pre> </div> <p>The VM would still have no external IP.</p> <p>But it could access the internet for outbound traffic through Cloud NAT.</p> <h2> What I Learned </h2> <p>This lab clarified an important distinction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Private inbound access and private outbound access are different problems. </code></pre> </div> <p>IAP helps solve inbound administrative access.</p> <p>It lets me access a private VM without giving it an external IP.</p> <p>But IAP does not automatically give the VM outbound internet access.</p> <p>For outbound internet access from a VM with no external IP, I need something like Cloud NAT.</p> <p>This is an important infrastructure lesson.</p> <p>At first, I thought:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>The VM has IAP, so it should be fine. </code></pre> </div> <p>But that was incomplete.</p> <p>The better understanding is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAP = controlled inbound access to private VM Cloud NAT = outbound internet access from private VM </code></pre> </div> <p>This failure actually made the lab better because it revealed a real production design consideration.</p> terraform googlecloud devops infrastructure Creating a VM from Network Module Outputs Abraham Naiborhu Sat, 09 May 2026 15:49:20 +0000 https://forem.com/abrahamparn/creating-a-vm-from-network-module-outputs-41ko https://forem.com/abrahamparn/creating-a-vm-from-network-module-outputs-41ko <p>In the previous lab, I created a reusable Terraform module for Google Cloud networking.</p> <p>That module created:</p> <ul> <li>a custom VPC network</li> <li>multiple subnets</li> <li>firewall rules</li> <li>outputs for network, subnet, and firewall information</li> </ul> <p>That was already an improvement from writing every resource directly in the root configuration.</p> <p>However, the network module was still isolated. It created network resources, but nothing else was consuming those outputs yet.</p> <p>So in this lab, I wanted to take the next logical step:</p> <blockquote> <p>Create a Compute Engine VM that uses the subnet output from the network module.</p> </blockquote> <p>At first, I considered creating the VM directly in the root module. But then I changed the format and added a second module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-vm </code></pre> </div> <p>So now the lab has two child modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network modules/gcp-vm </code></pre> </div> <p>The purpose of this lab is to understand module composition.</p> <p>The main idea is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>The network module creates the network. The network module exposes subnet outputs. The root module passes the selected subnet output into the VM module. The VM module creates a VM inside that subnet. </code></pre> </div> <h2> What This Lab Builds </h2> <p>This lab creates:</p> <ul> <li>one custom VPC network</li> <li>two subnets</li> <li>two firewall rules</li> <li>one Compute Engine VM</li> <li>a startup script that installs Nginx</li> <li>remote state in Google Cloud Storage</li> <li>outputs from both the network module and VM module</li> </ul> <p>The final result from Terraform was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Apply complete! Resources: 6 added, 0 changed, 0 destroyed. </code></pre> </div> <p>The six resources were:</p> <ol> <li>VPC network</li> <li>app subnet</li> <li>db subnet</li> <li>IAP SSH firewall rule</li> <li>internal firewall rule</li> <li>Compute Engine VM</li> </ol> <h2> Folder Structure </h2> <p>The final folder structure is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>06-gcp-vm-and-network-module/ ├── backend.tf ├── main.tf ├── modules │ ├── gcp-network │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ └── gcp-vm │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── outputs.tf ├── README.md ├── startup.sh ├── terraform.tfvars ├── terraform.tfvars.example └── variables.tf </code></pre> </div> <p>There are now two child modules:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Module</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td><code>gcp-network</code></td> <td>Creates VPC, subnets, and firewall rules</td> </tr> <tr> <td><code>gcp-vm</code></td> <td>Creates the Compute Engine VM</td> </tr> </tbody> </table></div> <p>The root module is responsible for wiring them together.</p> <h2> The Main Concept: Module Composition </h2> <p>In the previous lab, the network module created subnets and exposed them through outputs.</p> <p>The output looked conceptually like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet_key</span><span class="p">,</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnets</span> <span class="err">:</span> <span class="nx">subnet_key</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">region</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="nx">self_link</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Because of this output, the root module can access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="s2">"app"</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>In this lab, that value is passed into the VM module.</p> <p>The important pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>network module output -&gt; root module -&gt; VM module input </code></pre> </div> <p>This was the main learning point.</p> <h2> Remote State </h2> <p>This lab still uses Google Cloud Storage as the Terraform backend.</p> <p>Example <code>backend.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/06-gcp-vm-and-network-module"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The state path is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/06-gcp-vm-and-network-module/default.tfstate </code></pre> </div> <p>Each lab has a different backend prefix so that the state files do not collide.</p> <h2> Root <code>main.tf</code> </h2> <p>The root <code>main.tf</code> configures the provider and calls both modules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">firewall_rules</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-vm"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">vm_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_zone</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_tags</span> <span class="nx">subnetwork_self_link</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">].</span><span class="nx">self_link</span> <span class="nx">startup_script_path</span> <span class="p">=</span> <span class="s2">"${path.module}/startup.sh"</span> <span class="p">}</span> </code></pre> </div> <p>The most important line is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnetwork_self_link</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>This line means:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Get the selected subnet from the network module output and pass it into the VM module. </code></pre> </div> <p>If:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vm_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> </code></pre> </div> <p>then Terraform resolves:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="s2">"app"</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>That is the subnet used by the VM.</p> <h2> Why This is Better Than Hardcoding the Subnet </h2> <p>Without module outputs, I could hardcode the subnet like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnetwork</span> <span class="err">=</span> <span class="s2">"dev-app-subnet"</span> </code></pre> </div> <p>But that is weaker.</p> <p>The VM module should not guess or hardcode the subnet.</p> <p>Instead, the network module creates the subnet, exposes the subnet self-link, and the root module passes that value into the VM module.</p> <p>This makes the dependency clear.</p> <p>The VM depends on the subnet created by the network module.</p> <h2> VM Module </h2> <p>The VM module is responsible for creating the Compute Engine instance.</p> <p>Inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-vm/main.tf </code></pre> </div> <p>the VM resource is defined like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_instance"</span> <span class="s2">"app_vm"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.vm_name}"</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="nx">boot_disk</span> <span class="p">{</span> <span class="nx">initialize_params</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"debian-cloud/debian-12"</span> <span class="nx">size</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"pd-balanced"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnetwork_self_link</span> <span class="p">}</span> <span class="nx">metadata_startup_script</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">startup_script_path</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The VM does not receive an external IP address because there is no <code>access_config</code> block inside the <code>network_interface</code>.</p> <p>That means the VM is private.</p> <p>This is intentional.</p> <p>For this lab, I wanted the VM to use an internal IP only.</p> <h2> Startup Script </h2> <p>The VM uses a startup script to install Nginx.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>startup.sh </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail apt-get update <span class="nt">-y</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> nginx <span class="nb">cat</span> <span class="o">&gt;</span> /var/www/html/index.html <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &lt;!doctype html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;Terraform Module Output VM&lt;/title&gt; &lt;/head&gt; &lt;body&gt; &lt;h1&gt;Hello from Terraform&lt;/h1&gt; &lt;p&gt;This VM was created using a subnet output from the network module.&lt;/p&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="no">EOF </span>systemctl <span class="nb">enable </span>nginx systemctl restart nginx </code></pre> </div> <p>The startup script is passed into the VM module using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">startup_script_path</span> <span class="err">=</span> <span class="s2">"${path.module}/startup.sh"</span> </code></pre> </div> <p>Then the VM module reads it using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">metadata_startup_script</span> <span class="err">=</span> <span class="nx">file</span><span class="err">(</span><span class="nx">var</span><span class="err">.</span><span class="nx">startup_script_path</span><span class="err">)</span> </code></pre> </div> <h2> Firewall Rules </h2> <p>The network module creates two firewall rules.</p> <h3> IAP SSH Rule </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-allow-iap-ssh </code></pre> </div> <p>This allows SSH from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>with the target tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>The VM also has the tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>That means the IAP SSH firewall rule applies to this VM.</p> <h3> Internal Rule </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-allow-internal </code></pre> </div> <p>This allows internal traffic from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10.50.0.0/16 </code></pre> </div> <p>This is used for internal communication between the lab subnets.</p> <h2> Variables </h2> <p>The local values are stored in <code>terraform.tfvars</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"terraform-gcp-learning-lab"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"network-module"</span> <span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.50.1.0/24"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.50.2.0/24"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-iap-ssh</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH through IAP only."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.235.240.0/20"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"22"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-internal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow internal traffic between lab subnets."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.50.0.0/16"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">vm_name</span> <span class="err">=</span> <span class="s2">"module-output-vm"</span> <span class="nx">vm_machine_type</span> <span class="err">=</span> <span class="s2">"e2-micro"</span> <span class="nx">vm_zone</span> <span class="err">=</span> <span class="s2">"asia-southeast2-a"</span> <span class="nx">vm_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> <span class="nx">vm_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> </code></pre> </div> <p>The important VM value is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vm_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> </code></pre> </div> <p>This tells Terraform to place the VM in the app subnet.</p> <h2> Initialize Terraform </h2> <p>After preparing the files, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>Because this lab uses two child modules, Terraform initializes both modules.</p> <p>Expected output includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Initializing modules... - network in modules/gcp-network - vm in modules/gcp-vm </code></pre> </div> <h2> Format and Validate </h2> <p>Because this lab has nested module folders, I used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> </code></pre> </div> <p>Then I validated the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Terraform Plan </h2> <p>Next, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform planned to create six resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 6 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>The planned resources included:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network.google_compute_firewall.ingress_rules["allow-iap-ssh"] module.network.google_compute_firewall.ingress_rules["allow-internal"] module.network.google_compute_network.vpc_network module.network.google_compute_subnetwork.subnets["app"] module.network.google_compute_subnetwork.subnets["db"] module.vm.google_compute_instance.app_vm </code></pre> </div> <p>This plan output is important because it shows the module boundaries.</p> <p>Network resources are created under:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network </code></pre> </div> <p>The VM is created under:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.vm </code></pre> </div> <h2> Apply </h2> <p>After reviewing the plan, I applied the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Then I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Terraform completed successfully:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Apply complete! Resources: 6 added, 0 changed, 0 destroyed. </code></pre> </div> <h2> Terraform Outputs </h2> <p>After apply, I checked:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>The output showed the network, subnet, firewall, and VM information.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab_summary = { "environment" = "dev" "firewall_count" = 2 "network_name" = "dev-network-module" "project" = "terraform-gcp-learning-lab" "region" = "asia-southeast2" "subnet_count" = 2 "vm_external_ip" = "none" "vm_internal_ip" = "10.50.1.2" "vm_name" = "dev-module-output-vm" "vm_subnet_key" = "app" "vm_subnet_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" "vm_zone" = "asia-southeast2-a" } </code></pre> </div> <p>This confirms several important things:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Output</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><code>vm_name</code></td> <td>VM was created as <code>dev-module-output-vm</code> </td> </tr> <tr> <td><code>vm_internal_ip</code></td> <td>VM received internal IP <code>10.50.1.2</code> </td> </tr> <tr> <td><code>vm_external_ip</code></td> <td>VM has no external IP</td> </tr> <tr> <td><code>vm_subnet_key</code></td> <td>VM selected the <code>app</code> subnet</td> </tr> <tr> <td><code>vm_subnet_link</code></td> <td>VM consumed the app subnet self-link from the network module</td> </tr> </tbody> </table></div> <p>The VM output also showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_selected_subnet_key = "app" vm_selected_subnet_self_link = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" </code></pre> </div> <p>This proves that the VM was attached to the subnet created by the network module.</p> <h2> Subnet Outputs </h2> <p>The subnet outputs showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>subnets = { "app" = { "cidr_range" = "10.50.1.0/24" "id" = "projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" "name" = "dev-app-subnet" "region" = "asia-southeast2" "self_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" } "db" = { "cidr_range" = "10.50.2.0/24" "id" = "projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-db-subnet" "name" = "dev-db-subnet" "region" = "asia-southeast2" "self_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-db-subnet" } } </code></pre> </div> <p>This confirms that the network module created both the app and db subnets.</p> <h2> Firewall Outputs </h2> <p>The firewall outputs showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>firewall_rules = { "allow-iap-ssh" = { "id" = "projects/terraform-gcp-learning-lab/global/firewalls/dev-allow-iap-ssh" "name" = "dev-allow-iap-ssh" "source_ranges" = toset([ "35.235.240.0/20", ]) "target_tags" = toset([ "iap-ssh", ]) } "allow-internal" = { "id" = "projects/terraform-gcp-learning-lab/global/firewalls/dev-allow-internal" "name" = "dev-allow-internal" "source_ranges" = toset([ "10.50.0.0/16", ]) "target_tags" = toset(null) /* of string */ } } </code></pre> </div> <p>The IAP SSH rule targets instances with the tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iap-ssh </code></pre> </div> <p>The VM also uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vm_tags</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> </code></pre> </div> <p>So the firewall rule is connected to the VM through network tags.</p> <h2> Verify the VM </h2> <p>I can verify the VM using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances list <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-module-output-vm"</span> </code></pre> </div> <p>I can also inspect the VM network interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute instances describe dev-module-output-vm <span class="se">\</span> <span class="nt">--zone</span><span class="o">=</span>asia-southeast2-a <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span><span class="s2">"value(networkInterfaces[0].subnetwork,networkInterfaces[0].networkIP,networkInterfaces[0].accessConfigs)"</span> </code></pre> </div> <p>The expected result is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>subnetwork: dev-app-subnet internal IP: 10.50.1.2 external IP/accessConfigs: empty </code></pre> </div> <p>This means the VM is private and does not have an external IP.</p> <h2> Verify Remote State </h2> <p>Because this lab uses the GCS backend, the state is stored remotely.</p> <p>I can verify it with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/06-gcp-vm-and-network-module/ </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/06-gcp-vm-and-network-module/default.tfstate </code></pre> </div> <h2> Destroy </h2> <p>Because this is still a learning lab, I destroyed the resources after testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Then I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Terraform destroyed the resources managed by this lab.</p> <h2> What I Learned </h2> <p>This lab helped me understand Terraform module composition more clearly.</p> <p>In the previous lab, I had one child module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcp-network </code></pre> </div> <p>In this lab, I added another child module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcp-vm </code></pre> </div> <p>The most important lesson was not just creating a VM.</p> <p>The important lesson was passing an output from one module into another module.</p> <p>The flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcp-network creates subnets gcp-network outputs subnet self-links root module selects the app subnet root module passes the subnet self-link into gcp-vm gcp-vm creates a VM in that subnet </code></pre> </div> <p>The key Terraform expression is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vm_subnet_key</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>Breaking it down:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network </code></pre> </div> <p>means the network child module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.subnets </code></pre> </div> <p>means the subnet output from that module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[var.vm_subnet_key] </code></pre> </div> <p>means select one subnet from the subnet map.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.self_link </code></pre> </div> <p>means use the selected subnet self-link.</p> <p>So if:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vm_subnet_key</span> <span class="err">=</span> <span class="s2">"app"</span> </code></pre> </div> <p>Terraform uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">subnets</span><span class="p">[</span><span class="s2">"app"</span><span class="p">]</span><span class="err">.</span><span class="nx">self_link</span> </code></pre> </div> <p>This is then passed into the VM module.</p> <p>That is the main pattern I wanted to learn:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module output -&gt; root module -&gt; another module input </code></pre> </div> <h2> Next Step </h2> <p>The next logical step is to improve the VM access pattern.</p> <p>Right now, the VM has no external IP and has an IAP SSH firewall rule.</p> <p>The next lab could focus on testing private VM access through IAP, or improving the module further by adding:</p> <ul> <li>service account for the VM</li> <li>IAM binding for IAP SSH</li> <li>OS Login configuration</li> <li>startup script verification</li> <li>HTTP health check or internal-only web service testing</li> </ul> terraform googlecloud devops infrastructure Building a Reusable VPC, Subnets, and Firewall Rules Module Abraham Naiborhu Sat, 09 May 2026 07:16:13 +0000 https://forem.com/abrahamparn/building-a-reusable-vpc-subnets-and-firewall-rules-module-10p8 https://forem.com/abrahamparn/building-a-reusable-vpc-subnets-and-firewall-rules-module-10p8 <p>In the previous Terraform labs, I created Google Cloud resources directly from the root configuration.</p> <p>That worked, but the structure was still quite simple.</p> <p>Every resource was defined directly inside the main Terraform configuration. For a small lab, that is fine. But as the infrastructure grows, putting everything in one root configuration can become harder to maintain.</p> <p>So in this lab, I started learning Terraform modules.</p> <p>The goal is to turn the previous VPC and subnet configuration into a reusable local module.</p> <p>But instead of only creating one VPC and one subnet, I made the lab slightly more practical by creating:</p> <ul> <li>one custom VPC network</li> <li>two subnets</li> <li>two firewall rules</li> <li>reusable module inputs</li> <li>module outputs</li> <li>remote state using Google Cloud Storage</li> </ul> <h2> What is a Terraform Module? </h2> <p>A Terraform module is a collection of Terraform configuration files that are managed together.</p> <p>In simple terms, a module is like a reusable infrastructure component.</p> <p>For this lab, I created a local module called:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network </code></pre> </div> <p>This module is responsible for creating the GCP network resources.</p> <p>The root configuration calls that module and passes values into it.</p> <h2> Root Module vs Child Module </h2> <p>The folder where I run Terraform commands is the root module.</p> <p>In this lab, the root module is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>05-gcp-network-module/ </code></pre> </div> <p>The reusable child module is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>05-gcp-network-module/modules/gcp-network/ </code></pre> </div> <p>The root module is the entry point.</p> <p>The child module is the reusable implementation.</p> <p>The mental model is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Root module = caller Child module = reusable implementation Child module variables = function parameters Child module outputs = return values </code></pre> </div> <p>Since I have written JavaScript before, this feels similar to calling a function.</p> <p>The root module passes values into the child module, and the child module creates the infrastructure based on those values.</p> <h2> Final Folder Structure </h2> <p>The folder structure for this lab is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>05-gcp-network-module/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars ├── terraform.tfvars.example └── modules/ └── gcp-network/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p>For GitHub, I only commit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>05-gcp-network-module/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars.example └── modules/ └── gcp-network/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p>I do not commit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars .terraform/ terraform.tfstate </code></pre> </div> <h2> Backend Configuration </h2> <p>This lab still uses remote state with Google Cloud Storage.</p> <p>In <code>backend.tf</code>, I configured the GCS backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/05-gcp-network-module"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The bucket is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state </code></pre> </div> <p>The state path is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab/05-gcp-network-module/default.tfstate </code></pre> </div> <p>Each lab should have its own state prefix.</p> <p>This avoids accidentally mixing state from different labs.</p> <h2> Root <code>main.tf</code> </h2> <p>The root <code>main.tf</code> configures the provider and calls the child module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">firewall_rules</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> </code></pre> </div> <p>The most important part is this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="p">}</span> </code></pre> </div> <p>This tells Terraform to use the local module inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network </code></pre> </div> <p>The root module passes values such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="nx">region</span> <span class="nx">network_name</span> <span class="nx">subnets</span> <span class="nx">firewall_rules</span> </code></pre> </div> <p>into the child module.</p> <h2> Root <code>variables.tf</code> </h2> <p>In the root <code>variables.tf</code>, I declared the values that the lab accepts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">project</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"The project variable must not be empty."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Default Google Cloud region for regional resources."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"asia-southeast2"</span><span class="p">,</span> <span class="s2">"asia-southeast1"</span><span class="p">,</span> <span class="s2">"us-central1"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Region must be one of: asia-southeast2, asia-southeast1, or us-central1."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name used for resource naming."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">,</span> <span class="s2">"prod"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Environment must be one of: dev, staging, or prod."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"network-module"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z]([-a-z0-9]*[a-z0-9])?$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Network name must use lowercase letters, numbers, and hyphens. It must start with a letter and end with a letter or number."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Map of subnets to create inside the VPC."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">alltrue</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">subnet_key</span><span class="p">,</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="err">:</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z]([-a-z0-9]*[a-z0-9])?$"</span><span class="p">,</span> <span class="nx">subnet_key</span><span class="p">))</span> <span class="err">&amp;&amp;</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">cidr_range</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="p">])</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Each subnet key must be a valid lowercase name, and each cidr_range must be a valid CIDR block."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"firewall_rules"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Map of ingress firewall rules to create."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">),</span> <span class="p">[])</span> <span class="nx">allow</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">))</span> <span class="p">}))</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">alltrue</span><span class="p">(</span><span class="nx">flatten</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">rule_name</span><span class="p">,</span> <span class="nx">rule</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="err">:</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">source_range</span> <span class="nx">in</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="err">:</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">source_range</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="p">]</span> <span class="p">]))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Every firewall source range must be a valid CIDR block."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This is more advanced than the previous labs because I am no longer passing only simple strings.</p> <p>For <code>subnets</code>, I used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">map</span><span class="err">(</span><span class="nx">object</span><span class="err">(</span><span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span><span class="err">))</span> </code></pre> </div> <p>For <code>firewall_rules</code>, I used a more complex object structure because each firewall rule can contain:</p> <ul> <li>description</li> <li>source ranges</li> <li>target tags</li> <li>allowed protocols and ports</li> </ul> <h2> Child Module <code>variables.tf</code> </h2> <p>Inside the child module, I also declared the variables that the module expects.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network/variables.tf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name used for resource naming."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Default Google Cloud region for regional resources."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Map of subnets to create inside the VPC."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"firewall_rules"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Map of ingress firewall rules to create."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">),</span> <span class="p">[])</span> <span class="nx">allow</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">))</span> <span class="p">}))</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <p>At first, having variables in both the root module and child module felt repetitive.</p> <p>But the purpose is different.</p> <p>The root variables receive values from the outside, usually from <code>terraform.tfvars</code>.</p> <p>The child module variables define the input contract of the reusable module.</p> <p>The flow is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars ↓ root variables.tf ↓ root main.tf module block ↓ child module variables.tf ↓ child module main.tf resources </code></pre> </div> <h2> Child Module <code>main.tf</code> </h2> <p>Inside the child module, I defined the actual GCP resources.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network/main.tf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">final_network_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">final_network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}-subnet"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">coalesce</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">region</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_range</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"ingress_rules"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"INGRESS"</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">target_tags</span> <span class="nx">dynamic</span> <span class="s2">"allow"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">allow</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ports</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>There are several important concepts here.</p> <h2> Using <code>locals</code> </h2> <p>I used a local value to build the final network name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">final_network_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> <span class="p">}</span> </code></pre> </div> <p>This means if:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"network-module"</span> </code></pre> </div> <p>then the final network name becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-network-module </code></pre> </div> <h2> Creating Multiple Subnets with <code>for_each</code> </h2> <p>Instead of creating subnet resources one by one, I used <code>for_each</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}-subnet"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">coalesce</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">region</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>This lets Terraform create multiple subnet resources from a map.</p> <p>For example, in my <code>terraform.tfvars</code>, I defined:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.40.1.0/24"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.40.2.0/24"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Terraform then creates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-app-subnet dev-db-subnet </code></pre> </div> <p>This is better than duplicating two separate <code>google_compute_subnetwork</code> blocks.</p> <h2> Creating Firewall Rules with <code>for_each</code> </h2> <p>I also used <code>for_each</code> for firewall rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"ingress_rules"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"INGRESS"</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">target_tags</span> <span class="nx">dynamic</span> <span class="s2">"allow"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">allow</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ports</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This allows me to define firewall rules from a map instead of hardcoding each rule directly in the module.</p> <h2> Using a Dynamic Block </h2> <p>The firewall rule uses a dynamic block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">dynamic</span> <span class="s2">"allow"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">allow</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">ports</span> <span class="p">=</span> <span class="nx">allow</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ports</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>I used this because a firewall rule can allow multiple protocols.</p> <p>For example, the internal rule allows:</p> <ul> <li>TCP</li> <li>UDP</li> <li>ICMP</li> </ul> <p>Instead of hardcoding multiple <code>allow</code> blocks, the dynamic block generates them from the input value.</p> <h2> Child Module Outputs </h2> <p>The child module also exposes outputs.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/gcp-network/outputs.tf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"network_self_link"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The self-link of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Subnets created by this module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet_key</span><span class="p">,</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnets</span> <span class="err">:</span> <span class="nx">subnet_key</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">region</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="nx">self_link</span> <span class="p">=</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"firewall_rules"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Firewall rules created by this module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">rule_key</span><span class="p">,</span> <span class="nx">rule</span> <span class="nx">in</span> <span class="nx">google_compute_firewall</span><span class="p">.</span><span class="nx">ingress_rules</span> <span class="err">:</span> <span class="nx">rule_key</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">name</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">id</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">source_ranges</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">target_tags</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>These outputs allow the root module to consume and display the values created inside the child module.</p> <h2> Root Outputs </h2> <p>The root module then exposes selected module outputs.</p> <p>File:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>outputs.tf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The VPC network name created by the network module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The VPC network ID created by the network module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Subnets created by the network module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"firewall_rules"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Firewall rules created by the network module."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">firewall_rules</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"lab_summary"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Summary of this module-based network lab."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">subnet_count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnets</span><span class="p">)</span> <span class="nx">firewall_count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">firewall_rules</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The root output references the child module output like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">network</span><span class="err">.</span><span class="nx">network_name</span> </code></pre> </div> <p>This means:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Get the network_name output from the network module. </code></pre> </div> <h2> <code>terraform.tfvars</code> </h2> <p>For local values, I used <code>terraform.tfvars</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"terraform-gcp-learning-lab"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"network-module"</span> <span class="nx">subnets</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.40.1.0/24"</span> <span class="p">}</span> <span class="nx">db</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_range</span> <span class="p">=</span> <span class="s2">"10.40.2.0/24"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">firewall_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">allow-iap-ssh</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH through IAP only."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"35.235.240.0/20"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"iap-ssh"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"22"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">allow-internal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow internal traffic between lab subnets."</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.40.0.0/16"</span><span class="p">]</span> <span class="nx">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This creates:</p> <ul> <li>one VPC</li> <li>two subnets</li> <li>two firewall rules</li> </ul> <p>The IAP SSH source range is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>35.235.240.0/20 </code></pre> </div> <p>This is used for Identity-Aware Proxy TCP forwarding.</p> <p>I used this instead of opening SSH to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0.0.0.0/0 </code></pre> </div> <p>because opening SSH to the whole internet is not a good habit.</p> <h2> Initialize Terraform </h2> <p>After preparing the files, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>Because this lab uses a module, Terraform also initialized the module.</p> <p>The expected output includes something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Initializing modules... - network in modules/gcp-network </code></pre> </div> <p>This is different from the previous labs.</p> <p>Previously, Terraform initialized only the backend and provider.</p> <p>Now, Terraform also recognizes the local child module.</p> <h2> Format and Validate </h2> <p>Because this lab has Terraform files inside the module folder, I used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> </code></pre> </div> <p>Then I validated the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Plan </h2> <p>Next, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>The expected plan was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 5 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>Terraform planned to create:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network.google_compute_network.vpc_network module.network.google_compute_subnetwork.subnets["app"] module.network.google_compute_subnetwork.subnets["db"] module.network.google_compute_firewall.ingress_rules["allow-iap-ssh"] module.network.google_compute_firewall.ingress_rules["allow-internal"] </code></pre> </div> <p>This is an important difference.</p> <p>Previously, resource addresses looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>google_compute_network.vpc_network </code></pre> </div> <p>Now, because the resource is created inside a module, the address starts with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network </code></pre> </div> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.network.google_compute_network.vpc_network </code></pre> </div> <p>This means the resource is managed inside the <code>network</code> module.</p> <h2> Apply </h2> <p>After reviewing the plan, I applied the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Then I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Terraform created the resources successfully.</p> <h2> Terraform Output </h2> <p>After the apply completed, I checked the outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>The result was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>firewall_rules = { "allow-iap-ssh" = { "id" = "projects/terraform-gcp-learning-lab/global/firewalls/dev-allow-iap-ssh" "name" = "dev-allow-iap-ssh" "source_ranges" = toset([ "35.235.240.0/20", ]) "target_tags" = toset([ "iap-ssh", ]) } "allow-internal" = { "id" = "projects/terraform-gcp-learning-lab/global/firewalls/dev-allow-internal" "name" = "dev-allow-internal" "source_ranges" = toset([ "10.40.0.0/16", ]) "target_tags" = toset(null) /* of string */ } } lab_summary = { "environment" = "dev" "firewall_count" = 2 "network_name" = "dev-network-module" "project" = "terraform-gcp-learning-lab" "region" = "asia-southeast2" "subnet_count" = 2 } network_id = "projects/terraform-gcp-learning-lab/global/networks/dev-network-module" network_name = "dev-network-module" subnets = { "app" = { "cidr_range" = "10.40.1.0/24" "id" = "projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" "name" = "dev-app-subnet" "region" = "asia-southeast2" "self_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-app-subnet" } "db" = { "cidr_range" = "10.40.2.0/24" "id" = "projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-db-subnet" "name" = "dev-db-subnet" "region" = "asia-southeast2" "self_link" = "https://www.googleapis.com/compute/v1/projects/terraform-gcp-learning-lab/regions/asia-southeast2/subnetworks/dev-db-subnet" } } </code></pre> </div> <p>The output confirms that Terraform created:</p> <ul> <li>one VPC network</li> <li>two subnets</li> <li>two firewall rules</li> </ul> <p>The <code>lab_summary</code> output is especially useful because it gives a quick summary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>firewall_count = 2 subnet_count = 2 network_name = "dev-network-module" </code></pre> </div> <h2> Verify the VPC in Google Cloud </h2> <p>I also verified the VPC using the Google Cloud CLI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks list <span class="nt">--filter</span><span class="o">=</span><span class="s2">"name=dev-network-module"</span> </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME SUBNET_MODE BGP_ROUTING_MODE IPV4_RANGE GATEWAY_IPV4 INTERNAL_IPV6_RANGE dev-network-module CUSTOM REGIONAL </code></pre> </div> <p>This confirms that the VPC network was created in custom subnet mode.</p> <h2> Verify the Subnets </h2> <p>Then I checked the subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute networks subnets list <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"network:dev-network-module"</span> </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME REGION NETWORK RANGE STACK_TYPE IPV6_ACCESS_TYPE INTERNAL_IPV6_PREFIX EXTERNAL_IPV6_PREFIX UTILIZATION_DETAILS dev-app-subnet asia-southeast2 dev-network-module 10.40.1.0/24 IPV4_ONLY dev-db-subnet asia-southeast2 dev-network-module 10.40.2.0/24 IPV4_ONLY </code></pre> </div> <p>This confirms that both subnets were created:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Subnet</th> <th>CIDR Range</th> </tr> </thead> <tbody> <tr> <td><code>dev-app-subnet</code></td> <td><code>10.40.1.0/24</code></td> </tr> <tr> <td><code>dev-db-subnet</code></td> <td><code>10.40.2.0/24</code></td> </tr> </tbody> </table></div> <h2> Verify Remote State </h2> <p>Because this lab uses the GCS backend, I verified the remote state file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/05-gcp-network-module/ </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/05-gcp-network-module/default.tfstate </code></pre> </div> <p>This confirms that the Terraform state is stored in Google Cloud Storage.</p> <h2> Destroy </h2> <p>Because this is still a learning lab, I destroyed the resources after testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Then I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Terraform destroyed the resources managed by this lab.</p> <p>The GCS state bucket was not destroyed because it was created outside this Terraform configuration.</p> <h2> What I Learned </h2> <p>This lab helped me understand Terraform modules much better.</p> <p>Previously, I created infrastructure directly in the root configuration.</p> <p>Now, I separated the configuration into two layers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Root module = decides what to deploy Child module = defines how to deploy it </code></pre> </div> <p>The root module calls the child module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/gcp-network"</span> <span class="p">}</span> </code></pre> </div> <p>The child module creates the actual resources:</p> <ul> <li>VPC</li> <li>subnets</li> <li>firewall rules</li> </ul> terraform googlecloud devops infrastructure Terraform tfvars and Safer Variable Values Abraham Naiborhu Sat, 09 May 2026 07:07:52 +0000 https://forem.com/abrahamparn/terraform-tfvars-and-safer-variable-values-4eon https://forem.com/abrahamparn/terraform-tfvars-and-safer-variable-values-4eon <p>In the previous lab, I configured Terraform remote state using Google Cloud Storage. I like that, but there was still one part of the workflow that i think can be automated.</p> <p>Every time I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Terraform asked me to manually enter the Google Cloud project ID. I don't like that. So in this lab, I will improve the configuration by introducing:</p> <ul> <li><code>terraform.tfvars</code></li> <li><code>terraform.tfvars.example</code></li> <li>safer GitHub patterns</li> <li>variable validation</li> <li>cleaner environment-based naming</li> </ul> <p>The goal is not only to make Terraform stop asking for the project ID manually.</p> <p>The goal is to make the configuration cleaner, safer, and closer to how Terraform is usually managed in a real project.</p> <p>Reference: <a href="https://developer.hashicorp.com/terraform/language/values/variables" rel="noopener noreferrer">terraform website</a></p> <h2> Goals </h2> <p>The goals for this lab are simple:</p> <ol> <li>Use <code>terraform.tfvars</code> to provide local variable values.</li> <li>Stop typing the project ID manually during <code>terraform plan</code> and <code>terraform apply</code>.</li> <li>Use <code>terraform.tfvars.example</code> as a safe template for GitHub.</li> <li>Keep the real <code>terraform.tfvars</code> file out of version control.</li> <li>Add validation rules to prevent bad variable values.</li> <li>Continue using Google Cloud Storage as the remote backend.</li> </ol> <h2> Previous Problem </h2> <p>In the previous configuration, I declared the <code>project</code> variable like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>Because this variable does not have a default value, Terraform asked me to enter it manually.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform would ask:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>var.project The Google Cloud project ID where resources will be created. Enter a value: </code></pre> </div> <p>Then I had to type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab </code></pre> </div> <p>The same thing happened when running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>This works, but it is repetitive.</p> <p>A better way is to provide variable values using a <code>terraform.tfvars</code> file.</p> <h2> What is <code>terraform.tfvars</code>? </h2> <p><code>terraform.tfvars</code> is a variable definition file.</p> <p>Instead of manually typing variable values in the terminal, I can store those values in a file.</p> <p>Terraform automatically loads a file named:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>when running commands like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan terraform apply terraform destroy </code></pre> </div> <p>This means I can define the values once and reuse them across Terraform commands.</p> <h2> Final Folder Structure </h2> <p>For this lab, my folder structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>04-tfvars-safe-variable-values/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars ├── terraform.tfvars.example └── README.md </code></pre> </div> <p>However, for GitHub, I should only commit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>04-tfvars-safe-variable-values/ ├── backend.tf ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.tfvars.example └── README.md </code></pre> </div> <p>I should not commit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>because real <code>.tfvars</code> files can contain environment-specific values or sensitive values.</p> <h2> Step 1: Configure the GCS Backend </h2> <p>Because the previous lab already created a GCS bucket for Terraform state, I reused the same bucket.</p> <p>My state bucket is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state </code></pre> </div> <p>In <code>backend.tf</code>, I added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/04-tfvars-safe-variable-values"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The important part here is the <code>prefix</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">prefix</span> <span class="err">=</span> <span class="s2">"terraform-gcp-learning-lab/04-tfvars-safe-variable-values"</span> </code></pre> </div> <p>This gives the lab its own remote state path.</p> <p>I do not want this lab to share the same state file as the previous remote state lab. Each lab should have its own isolated state path to avoid state collision.</p> <h2> Step 2: Create <code>variables.tf</code> </h2> <p>Next, I created <code>variables.tf</code>.</p> <p>This time, I did not only declare basic variables. I also added:</p> <ul> <li>descriptions</li> <li>types</li> <li>default values</li> <li>validation rules </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">project</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">0</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"The project variable must not be empty."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud region where regional resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"asia-southeast2"</span><span class="p">,</span> <span class="s2">"asia-southeast1"</span><span class="p">,</span> <span class="s2">"us-central1"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Region must be one of: asia-southeast2, asia-southeast1, or us-central1."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name used for resource naming."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">,</span> <span class="s2">"prod"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Environment must be one of: dev, staging, or prod."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"tfvars-network"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z]([-a-z0-9]*[a-z0-9])?$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Network name must use lowercase letters, numbers, and hyphens. It must start with a letter and end with a letter or number."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base name of the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"tfvars-subnet"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z]([-a-z0-9]*[a-z0-9])?$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_name</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Subnet name must use lowercase letters, numbers, and hyphens. It must start with a letter and end with a letter or number."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range for the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.30.0.0/24"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Subnet CIDR range must be a valid CIDR block, for example 10.30.0.0/24."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This makes the variables more self-documenting.</p> <p>For example, this is better:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud region where regional resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="p">}</span> </code></pre> </div> <p>than only writing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{}</span> </code></pre> </div> <p>The validation rules are also useful because they help catch bad values before Terraform creates or changes infrastructure.</p> <h2> Step 3: Create <code>main.tf</code> </h2> <p>Next, I created <code>main.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.subnet_name}"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>This configuration creates:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>google_compute_network.vpc_network</code></td> <td>A custom VPC network</td> </tr> <tr> <td><code>google_compute_subnetwork.subnet</code></td> <td>A subnet inside the VPC</td> </tr> </tbody> </table></div> <p>The naming is now controlled by variables.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">name</span> <span class="err">=</span> <span class="s2">"${var.environment}-${var.network_name}"</span> </code></pre> </div> <p>If:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"tfvars-network"</span> </code></pre> </div> <p>then the final VPC name becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev-tfvars-network </code></pre> </div> <p>This is better than hardcoding one static name for every environment.</p> <h2> Step 4: Create <code>outputs.tf</code> </h2> <p>I also created an <code>outputs.tf</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The environment used for this lab."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The final VPC network name."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The VPC network ID."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The final subnet name."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The subnet CIDR range."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"lab_summary"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Summary of the Terraform tfvars lab."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnet</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>lab_summary</code> output is useful because it shows the key values from the lab in one structured output.</p> <h2> Step 5: Create <code>terraform.tfvars</code> </h2> <p>Now I created the real local values file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>terraform.tfvars </code></pre> </div> <p>Inside <code>terraform.tfvars</code>, I added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"terraform-gcp-learning-lab"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"tfvars-network"</span> <span class="nx">subnet_name</span> <span class="err">=</span> <span class="s2">"tfvars-subnet"</span> <span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"10.30.0.0/24"</span> </code></pre> </div> <p>This is the file that Terraform will automatically read.</p> <p>Because of this file, Terraform no longer needs to ask me to enter the <code>project</code> value manually.</p> <h2> Step 6: Create <code>terraform.tfvars.example</code> </h2> <p>The real <code>terraform.tfvars</code> file should not be committed to GitHub.</p> <p>However, I still want other people to understand what values are needed to recreate the lab.</p> <p>So I created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>terraform.tfvars.example </code></pre> </div> <p>Inside <code>terraform.tfvars.example</code>, I added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">project</span> <span class="err">=</span> <span class="s2">"your-gcp-project-id"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"asia-southeast2"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_name</span> <span class="err">=</span> <span class="s2">"tfvars-network"</span> <span class="nx">subnet_name</span> <span class="err">=</span> <span class="s2">"tfvars-subnet"</span> <span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"10.30.0.0/24"</span> </code></pre> </div> <p>This file is safe to commit because it does not contain my actual project-specific values.</p> <p>The pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Commit terraform.tfvars.example. Do not commit terraform.tfvars. </code></pre> </div> <h2> Step 7: Update <code>.gitignore</code> </h2> <p>At the root of my GitHub repository, I updated <code>.gitignore</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Terraform local files .terraform/ *.tfstate *.tfstate.* # Terraform variable files that may contain sensitive or environment-specific values *.tfvars *.tfvars.json # Keep example variable files !*.tfvars.example # Crash logs crash.log crash.*.log # macOS .DS_Store </code></pre> </div> <p>This makes Git ignore real <code>.tfvars</code> files but still allow <code>.tfvars.example</code> files.</p> <p>This is important because <code>.tfvars</code> files may contain values that should not be exposed publicly.</p> <h2> Step 8: Initialize Terraform </h2> <p>After preparing the files, I initialized Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Successfully configured the backend "gcs"! </code></pre> </div> <p>This means Terraform is using the GCS backend for remote state.</p> <h2> Step 9: Format and Validate </h2> <p>Then I formatted the files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> </code></pre> </div> <p>After that, I validated the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Step 10: Run <code>terraform plan</code> </h2> <p>Now I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>This time, Terraform did not ask me to manually enter the project value.</p> <p>That is because Terraform automatically loaded the value from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfvars </code></pre> </div> <p>Expected plan summary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 2 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>Terraform planned to create:</p> <ul> <li>one custom VPC network</li> <li>one subnet</li> </ul> <p>This is the first improvement of the lab.</p> <p>The workflow is now cleaner because the repeated variable values are stored in a local <code>.tfvars</code> file.</p> <h2> Step 11: Test Variable Validation </h2> <p>Before applying the configuration, I tested the validation rules.</p> <p>First, I intentionally changed the environment value in <code>terraform.tfvars</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"development"</span> </code></pre> </div> <p>Then I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform returned a validation error because the accepted values are only:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev staging prod </code></pre> </div> <p>The expected error is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Environment must be one of: dev, staging, or prod. </code></pre> </div> <p>After testing, I changed it back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> </code></pre> </div> <p>Then I tested the subnet CIDR validation.</p> <p>I changed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"10.30.0.0/24"</span> </code></pre> </div> <p>to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"not-a-cidr"</span> </code></pre> </div> <p>Then I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform returned an error because the value was not a valid CIDR block.</p> <p>The expected error is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Subnet CIDR range must be a valid CIDR block, for example 10.30.0.0/24. </code></pre> </div> <p>After testing, I changed it back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnet_cidr_range</span> <span class="err">=</span> <span class="s2">"10.30.0.0/24"</span> </code></pre> </div> <p>This is the second improvement of the lab.</p> <p>Terraform does not only accept values from <code>terraform.tfvars</code>. It can also validate whether the values are acceptable before creating infrastructure.</p> <h2> Step 12: Apply the Configuration </h2> <p>After confirming that the validation works, I applied the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Terraform showed the execution plan and asked for confirmation.</p> <p>I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Apply complete! Resources: 2 added, 0 changed, 0 destroyed. </code></pre> </div> <p>Terraform also displayed the outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Outputs: environment = "dev" subnet_cidr_range = "10.30.0.0/24" subnet_name = "dev-tfvars-subnet" vpc_network_name = "dev-tfvars-network" lab_summary = { "cidr" = "10.30.0.0/24" "environment" = "dev" "network" = "dev-tfvars-network" "project" = "terraform-gcp-learning-lab" "region" = "asia-southeast2" "subnet" = "dev-tfvars-subnet" } </code></pre> </div> <p>The exact output may look slightly different depending on the project and Terraform output order.</p> <h2> Step 13: Verify Remote State </h2> <p>Because this lab uses the GCS backend, I verified that the remote state was created in the correct path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/04-tfvars-safe-variable-values/ </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/04-tfvars-safe-variable-values/default.tfstate </code></pre> </div> <p>This confirms that the lab still uses remote state, but now with cleaner variable handling.</p> <h2> Step 14: Query Outputs </h2> <p>I can query all outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>I can also query the summary output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output lab_summary </code></pre> </div> <p>Or get the output in JSON format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output <span class="nt">-json</span> </code></pre> </div> <p>The JSON output can be useful when Terraform output needs to be consumed by another tool or script.</p> <h2> Step 15: Destroy the Infrastructure </h2> <p>Because this is only a learning lab, I destroyed the resources after testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Terraform showed the destroy plan and asked for confirmation.</p> <p>I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Destroy complete! Resources: 2 destroyed. </code></pre> </div> <p>The GCS bucket is not destroyed because it was not created by this Terraform configuration.</p> <h2> What I Learned </h2> <p>The main lesson from this lab is that Terraform variable management is not only about convenience.</p> <p>At first, I only wanted to avoid typing the project ID repeatedly.</p> <p>But after adding <code>terraform.tfvars</code>, <code>terraform.tfvars.example</code>, <code>.gitignore</code>, and validation rules, I realized that variable management also affects:</p> <ul> <li>safety</li> <li>repeatability</li> <li>collaboration</li> <li>repository hygiene</li> <li>infrastructure naming consistency</li> </ul> <h2> Next Step </h2> <p>This lab improved the variable workflow.</p> <p>The next logical step is to make the Terraform configuration reusable by introducing modules.</p> <p>So far, every lab defines resources directly in the root configuration.</p> <p>In the next lab, I want to learn how to turn the VPC and subnet configuration into a reusable Terraform module.</p> terraform googlecloud devops infrastructureascode Storing Terraform State in Google Cloud Storage Abraham Naiborhu Thu, 07 May 2026 08:19:10 +0000 https://forem.com/abrahamparn/storing-terraform-state-in-google-cloud-storage-14de https://forem.com/abrahamparn/storing-terraform-state-in-google-cloud-storage-14de <p>Again with another journey of mine!<br> In my previous Terraform labs, I created Google Cloud resources using Terraform with local state. By default, Terraform stores state locally in a file called:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform.tfstate </code></pre> </div> <p>Previously, we are doing this locally, and now i want to try it in GCS (google cloud storage) to store my remote state. </p> <p>In this article, I will move from local Terraform state to remote state using Google Cloud Storage. Thus, my goal is to use the remote state using Google Cloud Storage.</p> <h2> What This Lab Creates </h2> <p>We will create:</p> <ul> <li>a Google Cloud Storage bucket for Terraform state</li> <li>a Terraform GCS backend configuration</li> <li>a custom VPC network</li> <li>a custom subnet</li> <li>a remote Terraform state file stored in GCS</li> </ul> <p>My state bucket name is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state </code></pre> </div> <p>The state path in the bucket is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/03-remote-state-gcs/default.tfstate </code></pre> </div> <h2> Why Remote State Matters </h2> <p>Terraform state is important because it tracks the relationship between Terraform configuration and real infrastructure.</p> <p>For example, when Terraform creates a VPC, it stores information about that VPC in the state file.</p> <p>So, when i run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Terraform compares:</p> <ol> <li>my current Terraform configuration</li> <li>the current state</li> <li>the real infrastructure in Google Cloud</li> </ol> <p>Then Terraform decides what needs to be created, changed, or destroyed.</p> <p>This is why state management is important.</p> <p>If I only store state locally, it becomes harder to collaborate, recover, or operate Terraform safely.</p> <p>Using Google Cloud Storage as the backend helps move the state file away from my local laptop and into a remote location.</p> <h2> Step 1: Set Environment Variables </h2> <p>First, I set the environment variables for my project, state bucket, and region.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">PROJECT_ID</span><span class="o">=</span>terraform-gcp-learning-lab <span class="nb">export </span><span class="nv">STATE_BUCKET</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span><span class="s2">-terraform-state"</span> <span class="nb">export </span><span class="nv">REGION</span><span class="o">=</span><span class="s2">"asia-southeast2"</span> </code></pre> </div> <p>In my case:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PROJECT_ID = terraform-gcp-learning-lab STATE_BUCKET = terraform-gcp-learning-lab-terraform-state REGION = asia-southeast2 </code></pre> </div> <p>I used <code>asia-southeast2</code> because this is the Jakarta region and currently I am in Jakarta.</p> <h2> Step 2: Create the GCS Bucket </h2> <p>Next, I created the Google Cloud Storage bucket that will store the Terraform state.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage buckets create gs://<span class="k">${</span><span class="nv">STATE_BUCKET</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span><span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--location</span><span class="o">=</span><span class="k">${</span><span class="nv">REGION</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--uniform-bucket-level-access</span> </code></pre> </div> <p>This creates a GCS bucket with uniform bucket-level access enabled.</p> <p>Uniform bucket-level access means access control is managed at the bucket level using IAM, instead of mixing IAM and object-level ACLs.</p> <h2> Step 3: Enable Bucket Versioning </h2> <p>After creating the bucket, I enabled versioning.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage buckets update gs://<span class="k">${</span><span class="nv">STATE_BUCKET</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--versioning</span> </code></pre> </div> <p>This is useful because Terraform state is important. So if you change it or remove it, you can go back to the previous version anytime you want.</p> <p>If the state file is accidentally overwritten, bucket versioning can help provide a recovery path.</p> <h2> Step 3: Enable Bucket Versioning </h2> <p>After creating the bucket, I enabled versioning.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage buckets update gs://<span class="k">${</span><span class="nv">STATE_BUCKET</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--versioning</span> </code></pre> </div> <p>This is useful because Terraform state is important.</p> <p>If the state file is accidentally overwritten, bucket versioning can help provide a recovery path.</p> <p>I created a new folder for this lab:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>03-remote-state-gcs <span class="nb">cd </span>03-remote-state-gcs </code></pre> </div> <p>Then I created the Terraform files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>backend.tf main.tf variables.tf outputs.tf </code></pre> </div> <p>The folder structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>03-remote-state-gcs/ ├── backend.tf ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <h2> Step 5: Configure the GCS Backend </h2> <p>The backend configuration tells Terraform where to store state.</p> <p>In <code>backend.tf</code>, I added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab-terraform-state"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"terraform-gcp-learning-lab/03-remote-state-gcs"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>bucket</code> is the GCS bucket name.</p> <p>The <code>prefix</code> is the path inside the bucket where Terraform will store the state file.</p> <p>In this lab, Terraform will store the state at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/03-remote-state-gcs/default.tfstate </code></pre> </div> <p>One important note:</p> <p>Backend configuration cannot use normal Terraform variables like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">bucket</span> <span class="err">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">bucket_name</span> </code></pre> </div> <p>That is because Terraform needs to configure the backend before it evaluates variables.</p> <p>So for this beginner lab, I hardcoded the bucket name directly inside <code>backend.tf</code>.</p> <h2> Step 6: Create <code>variables.tf</code> </h2> <p>Next, I created the input variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud region where regional resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"asia-southeast2"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"remote-state-network"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"remote-state-subnet"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range for the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.20.0.0/24"</span> <span class="p">}</span> </code></pre> </div> <p>The <code>project</code> variable does not have a default value.</p> <p>This means Terraform will ask me to provide the project ID when running commands such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <h2> Step 7: Create <code>main.tf</code> </h2> <p>This is my <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>This configuration creates two resources:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>google_compute_network.vpc_network</code></td> <td>Custom VPC network</td> </tr> <tr> <td><code>google_compute_subnetwork.subnet</code></td> <td>Subnet inside the VPC</td> </tr> </tbody> </table></div> <p>I set:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">auto_create_subnetworks</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p>because I want to create a custom mode VPC.</p> <p>That means the subnet is created explicitly by Terraform instead of being automatically created by Google Cloud.</p> <h2> Step 8: Create <code>outputs.tf</code> </h2> <p>I also created a simple <code>outputs.tf</code> file to display useful information after the resources are created.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"vpc_network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the VPC network."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the subnet."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range of the subnet."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>These outputs make it easier to see selected infrastructure information after running <code>terraform apply</code>.</p> <h2> Step 9: Initialize Terraform </h2> <p>Before applying the configuration, I initialized Terraform.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>This command initializes the working directory, downloads the provider, and configures the GCS backend.</p> <p>The important part is this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Successfully configured the backend "gcs"! </code></pre> </div> <p>This means Terraform is now configured to store state in Google Cloud Storage.</p> <h2> Step 10: Format and Validate </h2> <p>After initialization, I formatted the Terraform files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> </code></pre> </div> <p>Then I validated the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Success! The configuration is valid. </code></pre> </div> <h2> Step 11: Run Terraform Plan </h2> <p>Next, I reviewed the execution plan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p>Because the <code>project</code> variable does not have a default value, Terraform asked me to enter it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>var.project The Google Cloud project ID where resources will be created. Enter a value: </code></pre> </div> <p>I entered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab </code></pre> </div> <p>Terraform then generated a plan.</p> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 2 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>Terraform planned to create:</p> <ul> <li>one VPC network</li> <li>one subnet</li> </ul> <h2> Step 12: Apply the Configuration </h2> <p>After reviewing the plan, I applied the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Terraform asked for the project value again.</p> <p>I entered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab </code></pre> </div> <p>Then Terraform asked for confirmation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: </code></pre> </div> <p>I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>After the apply finished, Terraform created the VPC and subnet.</p> <h2> Step 13: Verify the State File in GCS </h2> <p>After applying the configuration, I checked the bucket.</p> <p>The state file was created under this path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/03-remote-state-gcs/default.tfstate </code></pre> </div> <p>This confirms that Terraform state is now stored in Google Cloud Storage.</p> <p>To check it using the CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud storage <span class="nb">ls </span>gs://<span class="k">${</span><span class="nv">STATE_BUCKET</span><span class="k">}</span>/terraform-gcp-learning-lab/03-remote-state-gcs/ </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gs://terraform-gcp-learning-lab-terraform-state/terraform-gcp-learning-lab/03-remote-state-gcs/default.tfstate </code></pre> </div> <p>This is the key result of the lab.</p> <p>The infrastructure is still managed by Terraform, but the state is no longer stored only as a local <code>terraform.tfstate</code> file.</p> <h2> Step 14: Query the Outputs </h2> <p>I can still query outputs normally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>Even though the state is remote, Terraform commands still work from my local terminal.</p> <p>The difference is that Terraform reads and writes state from the GCS backend.</p> <h2> Step 15: Destroy the Infrastructure </h2> <p>Because this is only a learning lab, I destroyed the resources after testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Terraform asked for the project value again.</p> <p>Then it showed the destroy plan.</p> <p>I typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>yes </code></pre> </div> <p>This destroyed the VPC and subnet managed by Terraform.</p> <p>Important note:</p> <p>This does not delete the GCS bucket because the bucket was created manually using <code>gcloud</code>, not by this Terraform configuration.</p> <h2> What I Learned </h2> <p>In this lab, I learned that Terraform state is one of the most important parts of Terraform.</p> <p>Previously, my Terraform state was stored locally.</p> <p>After this lab, my Terraform state is stored remotely in Google Cloud Storage.</p> <h2> Next Step </h2> <p>This lab still asks me to enter the <code>project</code> variable manually.</p> <p>In the next article, I want to improve the workflow by using:</p> <ul> <li><code>terraform.tfvars</code></li> <li>cleaner variable values</li> <li>safer GitHub patterns using <code>terraform.tfvars.example</code> </li> </ul> <p>That should make the Terraform workflow more practical and less repetitive.</p> terraform googlecloud devops infrastructureascode Terraform Outputs on GCP: Querying Useful Data from a VPC, Subnet, and VM Abraham Naiborhu Tue, 05 May 2026 16:08:17 +0000 https://forem.com/abrahamparn/terraform-outputs-on-gcp-querying-useful-data-from-a-vpc-subnet-and-vm-3nek https://forem.com/abrahamparn/terraform-outputs-on-gcp-querying-useful-data-from-a-vpc-subnet-and-vm-3nek <p>Hi, we are back again. Previously, I created a simple Google Cloud VPC and then improved the configuration by introducing variables.</p> <p>This time, I want to continue with another Terraform concept: <strong>outputs</strong>. But, we will not be using the previous code, because adding outputs for one vpc is too simple. So, I made the lab slightly more practical.</p> <p>In this lab, I will create:</p> <ul> <li>a custom VPC network</li> <li>a subnet with a defined CIDR range</li> <li>a small Compute Engine VM</li> <li>Terraform outputs to query useful information after provisioning</li> </ul> <p>The goal is to understand how Terraform outputs can expose important infrastructure data after resources are created.</p> <p>Reference: <a href="https://developer.hashicorp.com/terraform/tutorials/gcp-get-started/google-cloud-platform-outputs" rel="noopener noreferrer">Hasicorp website about gcp tutorial</a></p> <h2> Why Outputs Matter </h2> <p>When Terraform creates infrastructure, it stores a lot of resource data in the state file. However, as users, we usually do not need to read everything.</p> <p>Most of the time, we only care about specific values, such as:</p> <ul> <li>the VM internal IP address</li> <li>the VPC name</li> <li>the subnet CIDR range</li> <li>the VM self-link</li> <li>a structured summary of the created resources</li> </ul> <p>This is where outputs are useful.</p> <p>Outputs allow us to expose selected resource information after <code>terraform apply</code>.</p> <p>They can also be queried later using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <h2> What This Lab Builds </h2> <p>This lab creates three Google Cloud resources:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>google_compute_network.vpc_network</code></td> <td>Custom VPC network</td> </tr> <tr> <td><code>google_compute_subnetwork.subnet</code></td> <td>Regional subnet inside the VPC</td> </tr> <tr> <td><code>google_compute_instance.vm_instance</code></td> <td>Small Compute Engine VM inside the subnet</td> </tr> </tbody> </table></div> <p>The VM will be created without an external public IP address.</p> <p>This happens because the <code>network_interface</code> block does not include an <code>access_config</code> block.</p> <p>For this lab, that is fine because the goal is not to SSH into the VM or expose an application. The goal is to learn how Terraform outputs work.</p> <h2> Create a new lab folder </h2> <p>Because this is a new lab, I created a new folder.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>learn-terraform-gcp-lab-output <span class="nb">cd </span>learn-terraform-gcp-lab-output </code></pre> </div> <p><br> Then create three files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>main.tf variables.tf outputs.tf </code></pre> </div> <p>The folder should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>learn-terraform-gcp-lab-output/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <h2> Create <code>variables.tf</code> </h2> <p>First, open <code>variables.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano variables.tf </code></pre> </div> <p>Then add the following variable declarations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud project ID where resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud region where regional resources will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"zone"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Google Cloud zone where the VM instance will be created."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1-c"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"terraform-output-network"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"terraform-output-subnet"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range for the subnet."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.10.0.0/24"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the Compute Engine VM instance."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"terraform-output-vm"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"machine_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The machine type for the Compute Engine VM instance."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"e2-micro"</span> <span class="p">}</span> </code></pre> </div> <p>This file only declares the input variables Terraform can accept.</p> <p>The important distinction is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>variables.tf declares input variables. main.tf uses those variables. outputs.tf exposes selected resource data after apply. </code></pre> </div> <h2> Create <code>main.tf</code> </h2> <p>Next, open <code>main.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano main.tf </code></pre> </div> <p>Then add the following Terraform configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_instance"</span> <span class="s2">"vm_instance"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">boot_disk</span> <span class="p">{</span> <span class="nx">initialize_params</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"debian-cloud/debian-12"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Understanding <code>main.tf</code> </h3> <h4> Google Provider </h4> <p>The provider block tells Terraform which Google Cloud project, region, and zone to use.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="p">}</span> </code></pre> </div> <p>The values come from the variables declared in <code>variables.tf</code>.</p> <h4> Custom VPC Network </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"vpc_network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_name</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p>This creates a custom VPC network.</p> <p>The important part is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">auto_create_subnetworks</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p>This means Google Cloud will not automatically create subnets for us.</p> <p>Instead, we will define our own subnet manually.</p> <h4> Subnet </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr_range</span> <span class="p">}</span> </code></pre> </div> <p>This creates a subnet inside the VPC.</p> <p>The subnet uses this CIDR range:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10.10.0.0/24 </code></pre> </div> <p>This value comes from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">var</span><span class="err">.</span><span class="nx">subnet_cidr_range</span> </code></pre> </div> <h4> Compute Engine VM </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_compute_instance"</span> <span class="s2">"vm_instance"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">boot_disk</span> <span class="p">{</span> <span class="nx">initialize_params</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"debian-cloud/debian-12"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This creates a small Compute Engine VM using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>e2-micro </code></pre> </div> <p>The VM is attached to the subnet using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnetwork</span> <span class="err">=</span> <span class="nx">google_compute_subnetwork</span><span class="err">.</span><span class="nx">subnet</span><span class="err">.</span><span class="nx">id</span> </code></pre> </div> <p>Because there is no <code>access_config</code> block, this VM does not get an external public IP address.</p> <p>It only receives an internal IP address from the subnet.</p> <h2> Create <code>outputs.tf</code> </h2> <p>Now we create the output definitions.</p> <p>Open <code>outputs.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano outputs.tf </code></pre> </div> <p>Then add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"vpc_network_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VPC network created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_network_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the VPC network created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the subnet created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_cidr_range"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The CIDR range of the subnet created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_instance_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the VM instance created by Terraform."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_instance_zone"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The zone where the VM instance was created."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">zone</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_internal_ip"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The internal IP address of the VM instance."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">network_interface</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">network_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_self_link"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The self-link of the VM instance."</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"lab_summary"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"A structured summary of the resources created in this lab."</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">vpc_network</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnet_name</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnet_cidr</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="nx">vm_name</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">name</span> <span class="nx">vm_internal_ip</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">vm_instance</span><span class="p">.</span><span class="nx">network_interface</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">network_ip</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This is the main focus of the lab.</p> <p>Instead of only creating resources, we are selecting which resource attributes should be easy to view after provisioning.</p> <h2> Format the Terraform Files </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform <span class="nb">fmt</span> </code></pre> </div> <p>This formats the Terraform configuration files.</p> <p>Initialize Terraform</p> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p>This initializes the working directory and downloads the Google provider.</p> <h2> Validate the Configuration </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform validate </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Success! The configuration is valid. </code></pre> </div> <h2> Apply the Configuration </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Because the <code>project</code> variable does not have a default value, Terraform will ask for it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>var.project The Google Cloud project ID where resources will be created. Enter a value: </code></pre> </div> <p>Enter your Google Cloud project ID.</p> <p>Terraform will show the execution plan.</p> <p>In my case, Terraform planned to create three resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 3 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>The resources were:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>google_compute_network.vpc_network google_compute_subnetwork.subnet google_compute_instance.vm_instance </code></pre> </div> <p>Terraform also showed that some output values were only known after apply:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_internal_ip = (known after apply) vm_self_link = (known after apply) </code></pre> </div> <p>That makes sense because the VM internal IP and self-link do not exist until Google Cloud creates the VM.</p> <p>After reviewing the plan, type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">yes</span> </code></pre> </div> <h2> Apply Result </h2> <p>After Terraform finished provisioning, my output looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Apply complete! Resources: 3 added, 0 changed, 0 destroyed. Outputs: lab_summary = { "project" = "terraform-gcp-learning-lab" "region" = "us-central1" "subnet_cidr" = "10.10.0.0/24" "subnet_name" = "terraform-output-subnet" "vm_internal_ip" = "10.10.0.2" "vm_name" = "terraform-output-vm" "vpc_name" = "terraform-output-network" "zone" = "us-central1-c" } subnet_cidr_range = "10.10.0.0/24" subnet_name = "terraform-output-subnet" vm_instance_name = "terraform-output-vm" vm_instance_zone = "us-central1-c" vm_internal_ip = "10.10.0.2" vpc_network_id = "projects/terraform-gcp-learning-lab/global/networks/terraform-output-network" vpc_network_name = "terraform-output-network" </code></pre> </div> <p>At this point, Terraform had created:</p> <ul> <li>one VPC network</li> <li>one subnet</li> <li>one VM instance</li> </ul> <p>It also exposed selected infrastructure data through outputs.</p> <h2> Query the Outputs </h2> <p>After apply, we can query all outputs using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output </code></pre> </div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab_summary = { "project" = "terraform-gcp-learning-lab" "region" = "us-central1" "subnet_cidr" = "10.10.0.0/24" "subnet_name" = "terraform-output-subnet" "vm_internal_ip" = "10.10.0.2" "vm_name" = "terraform-output-vm" "vpc_name" = "terraform-output-network" "zone" = "us-central1-c" } subnet_cidr_range = "10.10.0.0/24" subnet_name = "terraform-output-subnet" vm_instance_name = "terraform-output-vm" vm_instance_zone = "us-central1-c" vm_internal_ip = "10.10.0.2" vpc_network_id = "projects/terraform-gcp-learning-lab/global/networks/terraform-output-network" vpc_network_name = "terraform-output-network" </code></pre> </div> <p>We can also query one specific output.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output vm_internal_ip </code></pre> </div> <p>The result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"10.10.0.2" </code></pre> </div> <p>This is useful because I do not need to inspect the full Terraform state just to find the VM internal IP address.</p> <h2> Query a Structured Output </h2> <p>I also created a structured output called <code>lab_summary</code>.</p> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output lab_summary </code></pre> </div> <p>Example result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "project" = "terraform-gcp-learning-lab" "region" = "us-central1" "subnet_cidr" = "10.10.0.0/24" "subnet_name" = "terraform-output-subnet" "vm_internal_ip" = "10.10.0.2" "vm_name" = "terraform-output-vm" "vpc_name" = "terraform-output-network" "zone" = "us-central1-c" } </code></pre> </div> <p>This is more readable than scanning the full state file.</p> <h2> Output as JSON </h2> <p>Terraform can also return outputs in JSON format.</p> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output <span class="nt">-json</span> </code></pre> </div> <p>This returns structured JSON data.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"vm_internal_ip"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sensitive"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.10.0.2"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"vpc_network_name"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sensitive"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"terraform-output-network"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>We can also save the output into a JSON file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output <span class="nt">-json</span> <span class="o">&gt;</span> terraform-outputs.json </code></pre> </div> <p>This can be useful when another script, pipeline, or tool needs to consume Terraform output data.</p> <h2> Inspect Terraform State </h2> <p>Outputs are useful, but they do not replace state.</p> <p>Terraform still stores resource information in the state file.</p> <p>To list resources tracked by Terraform, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state list </code></pre> </div> <p>My result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>google_compute_instance.vm_instance google_compute_network.vpc_network google_compute_subnetwork.subnet </code></pre> </div> <p>Then I tried to inspect the Compute Engine instance with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state show google_compute_instance </code></pre> </div> <p>Terraform returned an error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error parsing instance address: google_compute_instance This command requires that the address references one specific instance. To view the available instances, use "terraform state list". Please modify the address to reference a specific instance. </code></pre> </div> <p>This happened because <code>google_compute_instance</code> is only the resource type.</p> <p>Terraform needs the full resource address.</p> <p>The correct command is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform state show google_compute_instance.vm_instance </code></pre> </div> <p>This command showed detailed information about the VM, including:</p> <ul> <li>machine type</li> <li>zone</li> <li>internal IP</li> <li>boot disk</li> <li>subnet</li> <li>scheduling configuration</li> <li>shielded instance configuration</li> </ul> <p>This was a useful mistake because it clarified the difference between:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource type </code></pre> </div> <p>and:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource address </code></pre> </div> <h2> Destroy the Infrastructure </h2> <p>Because this lab creates a VM, I destroyed the resources after testing.</p> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p>Terraform will ask for the project value again if it was not provided through another method.</p> <p>Then it will show a destroy plan.</p> <p>In my case, the destroy plan showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 0 to add, 0 to change, 3 to destroy. </code></pre> </div> <p>It also showed that outputs would be removed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Changes to Outputs: - lab_summary = {...} -&gt; null - vm_internal_ip = "10.10.0.2" -&gt; null - vpc_network_name = "terraform-output-network" -&gt; null </code></pre> </div> <p>After reviewing the destroy plan, type:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">yes</span> </code></pre> </div> <p>Important: wait until Terraform shows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Destroy complete! Resources: 3 destroyed. </code></pre> </div> <p>After that, you can also verify from the Google Cloud Console that the VM, subnet, and VPC have been removed.</p> <p>What I Learned</p> <p>From this lab, I learned that Terraform outputs are not just decoration at the end of <code>terraform apply</code>.</p> <p>Outputs are a clean way to expose the specific infrastructure values that matter.</p> <p>Instead of manually searching through the state file or Google Cloud Console, I can query useful values directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output terraform output vm_internal_ip terraform output lab_summary terraform output <span class="nt">-json</span> </code></pre> </div> <p>The most important idea for me is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform creates infrastructure, state tracks infrastructure, and outputs expose selected infrastructure data. </code></pre> </div> <p>I also learned that outputs can be simple values or structured objects.</p> <p>For example, <code>vm_internal_ip</code> is a simple string output, while <code>lab_summary</code> is a structured output that groups multiple values together.</p> <p>This makes outputs useful not only for humans, but also for automation.</p> <h2> Next Step </h2> <p>This lab still asks me to manually enter the <code>project</code> variable during <code>terraform apply</code> and <code>terraform destroy</code>.</p> <p>In the next lab, I want to improve that by using:</p> <ul> <li><code>terraform.tfvars</code></li> <li><code>terraform.tfvars.example</code></li> <li>safer variable value management</li> <li>avoiding repeated manual input</li> </ul> <p>That should make the Terraform workflow cleaner and more practical.</p> terraform gcp devops