Using DM Convert to transition to Kubernetes Resource Model (KRM) or Terraform

Deployment Manager Convert (DM Convert) is a tool you can use to convert your Deployment Manager configurations and templates to other declarative configuration formats that Google supports. Google currently supports Kubernetes Resource Model (KRM) and Terraform.

Why convert to KRM or Terraform?

KRM and Terraform are popular options for managing Google Cloud services and infrastructure. They offer actively-updated ecosystems, with support for modern features such as Secrets management and continuous reconciliation (for KRM).

In 2020, Google launched Config Connector to help customers use Kubernetes to manage Google Cloud resource types. Google also works with HashiCorp to develop the Terraform provider for Google Cloud.

Kubernetes Resource Model (KRM)

KRM is a paradigm for building APIs and resource definitions for declarative configuration management. It represents Google Cloud resources as Custom Resource Definitions (CRDs). For example, you can define an instance of a Cloud Spanner database in KRM as:

kind: SpannerInstance
  name: spanner-instance-sample
  config: regional-us-west1
  displayName: Spanner Instance Sample
  numNodes: 2

KRM's features include continuous reconciliation using Operators, easy-to-read declarative configuration files, and integrations with other Kubernetes tools. For example, when you use the Config Connector add-on for Kubernetes, you can apply changes to your configuration files by running the following command:

kubectl apply -f


Terraform is an open-source tool for provisioning infrastructure. You can use Terraform to write declarative configurations to manage your Google Cloud services and resources.

Supported types and type providers

DM Convert converts Deployment Manager configuration YAML files and Jinja or Python template files to KRM or Terraform configuration files.

To check the current status of DM Convert's support for type providers and resource types, you can use the --list-supported-types flag.

Understanding how DM Convert translates concepts across formats

The following table shows how DM Convert translates concepts from Deployment Manager into KRM and Terraform:

Deployment Manager concept KRM/Config Connector conversion Terraform conversion
References Resource references, if the KRM schema defines the field as a reference. If the KRM schema doesn't define the field as a reference, the Deployment Manager reference is replaced with its resolved value. Terraform references look and behave similarly to Deployment Manager references.
Explicit dependencies (depends_on) No support for explicit dependency ordering. Resources actuate in an eventually-consistent manner. depends_on
Identity and Access Management (IAM) Bindings (authoritative accessControl blocks) IAMPolicy <resource_type>_iam_policy types (for example, google_pubsub_topic_iam_policy)
IAM Bindings (nonauthoritative iamMemberBinding types) IAMPolicyMember <resource_type>_iam_member (for example, google_project_iam_member)
Composite types Composite types are deprecated. DM Convert doesn't convert them. Composite types are deprecated. DM Convert doesn't convert them.
Actions, custom type providers, and outputs Not supported. Actions that have declarative equivalents in Terraform are converted. For more details, refer to Support for Actions.

Support for Actions in DM Convert (for Terraform)

Actions is a Preview feature for Deployment Manager that extends the set of available API methods. Actions is unsupported, and DM Convert doesn't convert Actions that don't have declarative equivalents in Terraform, such as:

  • Patch, delete, and list APIs

  • APIs defined in custom type providers

  • Custom APIs, such as sqladmin-v1beta4:sql.instances.restart

DM Convert does support conversion to Terraform equivalents for Actions in the following cases:

  • It replaces Action calls to APIs that insert a resource with equivalent Terraform resources. For example, action: gcp-types/storage-v1:storage.buckets.insert converts to google_storage_bucket.

  • It converts Action calls to APIs that get a resource to Terraform data types whenever possible. For example, actions: gcp-types/compute-v1:compute.subnetworks.get converts to google_compute_subnetwork.

  • It converts setIamPolicy commands to either *_iam_policy (authoritative) or *_iam_member (non-authoritative) resources, depending on whether or not they're used with getIamPolicy.

For information on migrating usage of Actions to declarative alternatives within Deployment Manager, visit Replacing usage of Actions.

Data collection in DM Convert

What we collect, by default

By default, the DM Convert tool sends anonymous usage data to Google to help us maintain and improve the tool. When the DM Convert tool executes, data about the requested operation, the success of the operation, and the timing of the conversion is collected. This data is anonymous, and excludes any personally identifiable information, sensitive data, or customer content.

The usage data might contain:

  • Conversion command input parameters: We record the parameter values of your conversion command when running the tool, including the output format (KRM or Terraform) and boolean representations of whether other flags are specified (we don't collect the specific values of those flags).

  • Conversion result: We record the results of the conversion, including the conversion status (SUCCESS or FAILURE) as well as the error code and error message, if an issue occurs.

  • Conversion time: We record the start and end times of the conversion.

How we use this data

Google collects and processes the usage data to:

  • Understand how the tool is used, including which features and settings are most popular.

  • Diagnose unsuccessful usage of the tool, and provide guidance to users seeking technical assistance.

  • Improve the tool by resolving issues and potentially increasing feature coverage.

Opting out of data collection

Google collects usage data by default when you execute a conversion, but this data collection can be disabled.

To disable the data collection for a specific conversion, you can specify the flag --opt_out_data_collection=true in your conversion command. To continue to opt out of this data collection going forward, you must specify the flag every time that you run a conversion.

To enable the data collection for a specific conversion, you can specify the flag --opt_out_data_collection=false in your conversion command, or omit the flag from your command.