
Terraforming GCP Part 1: Creating an Admin Project
Level: Intermediate-Advanced
GCP (Google Cloud Platform) organizes all your GCP resources into projects. Projects form the basis for creating, enabling, and using all Cloud Platform resources. A common pattern would be to create a project for production and a project for staging.
When managing your infrastructure through automation, such as GCloud SDK, Ansible, or Terraform, you would normally create cloud resources using a service account from an existing project. Alternatively, you may want to keep resources that are needed for managing a project separate from the actual projects you create. You can do this by creating an Administration Project.
Below is how you can use the Admin project pattern with Terraform.
Prerequisite
Before we begin, you need to have a Google account that is associated with an organization, the root node in the GCP resource hierarchy, and administrative rights to this organization. The common Gmail account does NOT have this access. You can create an organization through G-Suite, which costs money, or for free with a Cloud Identity.
Before creating either one of these, you need to own a domain name. During the process of creating a Cloud Identity, Google can verify domain ownership through a variety of online domain registrars, such as GoDaddy.
Creating Admin Project for Terraform
Assuming you have a domain set up with G-Suite or Cloud Identity so that you can use an organization, you can begin by creating an Admin project and linking it to a billing account.
Permissions and Credentials
Now that we have a linked project, we have a few chores below:
- Create service account and download service account credentials
- Grant permissions to manage projects and GCS bucket (which will be used later to store Terraform state)
- Grant permissions to service account (requires organization) associated with Admin project
Store State in Bucket
For small teams, the Terraform state can be encrypted with git-crypt or another tool, and then saved into the git repository in encrypted format.
Alternatively, you can store the state in a GCS bucket.
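As an added example (not code from this article or from the tutorial it references), the chores under Permissions and Credentials and the state bucket could be scripted with gcloud and gsutil as follows. The project ID, organization ID, billing account, key path, and the specific roles chosen are assumptions; the script does nothing unless called with `plan` (print the commands) or `apply` (execute them).

```shell
#!/bin/sh
# Added example: bootstrap a Terraform Admin project, its service account and state bucket.
# All IDs are placeholders; the roles are an assumed mapping of the chores listed above.
set -eu

TF_ADMIN="${TF_ADMIN:-example-terraform-admin}"            # placeholder project ID
ORG_ID="${ORG_ID:-000000000000}"                           # placeholder organization ID
BILLING_ACCOUNT="${BILLING_ACCOUNT:-000000-000000-000000}" # placeholder billing account
TF_CREDS="${TF_CREDS:-${HOME:-.}/.config/gcloud/${TF_ADMIN}.json}"
SA="terraform@${TF_ADMIN}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"                                    # 1 = print commands only

run() {  # print the command in dry-run mode, execute it otherwise
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_admin_project() {
  # Admin project under the organization, linked to billing
  run gcloud projects create "$TF_ADMIN" --organization "$ORG_ID"
  run gcloud billing projects link "$TF_ADMIN" --billing-account "$BILLING_ACCOUNT"

  # Chore 1: service account and its key file
  run gcloud iam service-accounts create terraform --project "$TF_ADMIN" \
    --display-name "Terraform admin account"
  # The key is a long-lived credential: create it readable by the owner only
  ( umask 077; run gcloud iam service-accounts keys create "$TF_CREDS" --iam-account "$SA" )

  # Chore 2: roles on the Admin project (view the project, manage the state bucket)
  for role in roles/viewer roles/storage.admin; do
    run gcloud projects add-iam-policy-binding "$TF_ADMIN" \
      --member "serviceAccount:$SA" --role "$role"
  done

  # Chore 3: organization-level roles (create projects, attach billing to them)
  for role in roles/resourcemanager.projectCreator roles/billing.user; do
    run gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member "serviceAccount:$SA" --role "$role"
  done

  # State bucket, versioned so an overwritten or corrupted state can be recovered
  run gsutil mb -p "$TF_ADMIN" "gs://$TF_ADMIN"
  run gsutil versioning set on "gs://$TF_ADMIN"
}

# "plan" prints the commands, "apply" executes them; no argument does nothing
case "${1:-}" in apply) DRY_RUN=0; setup_admin_project ;; plan) setup_admin_project ;; esac
```

Keep the downloaded key file out of the git repository, and review the printed plan before running with `apply`, since the organization-level bindings apply to every project under the organization.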
Wrapping Up
In this article I focused on the prerequisite concept material and initial setup of GCP credentials using an Admin project pattern. I will follow up with initializing your Terraform environment using these credentials, and then creating some resources using Terraform.
Reference
This story is directly based on the tutorial Managing GCP Project with Terraform by Dan Isla on June 18, 2017.