You've deployed resources in Google Cloud, and now need to manage your infrastructure as code (IaC) with Terraform. Google provides a tool that you can use to generate Terraform code for resources in a project, folder, or organization.
Before you begin
Prepare Cloud Shell.
Launch Cloud Shell, and set the default Google Cloud project where you want to generate Terraform code for the deployed resources.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in a Terraform configuration file.
In Cloud Shell, install the command-line interface (CLI) for Config Connector.
gcloud components install config-connector
Config Connector lets you use Google Cloud's Terraform bulk-export tool.
If you see
ERROR: (gcloud.components.install) You cannot perform this action because the Google Cloud CLI component manager is disabled for this installation, run the following command instead:sudo apt-get install google-cloud-sdk-config-connector
Enable the Cloud Asset API.
gcloud services enable cloudasset.googleapis.com
Limitations
Some resource types aren't supported for export to Terraform format
even though they are supported by the Terraform Google provider. For a
list of resource types that are supported for export to Terraform format, run
the gcloud beta resource-config list-resource-types command.
Export the entire project configuration to Terraform HCL code
The gcloud beta resource-config bulk-export --resource-format=terraform command exports
resources currently configured in the project, folder, or
organization and prints them to the screen in HCL code format.
gcloud beta resource-config bulk-export \ --project=PROJECT_ID \ --resource-format=terraform
Write the output to a directory structure
If you haven't done so already, create the directory where you want to output the project's configuration:
mkdir OUTPUT_DIRECTORY
Export the project's entire configuration to the directory:
gcloud beta resource-config bulk-export \ --path=OUTPUT_DIRECTORY \ --project=PROJECT_ID \ --resource-format=terraform
The
--pathflag specifies the location to output the HCL code.
After running the command, the HCL code for each resource is output to a
separate .tf file in the following directory structure:
OUTPUT_DIRECTORY/projects/PROJECT_ID/RESOURCE_TYPE
Write the output to a single file
If you don't want to print the output to the screen or create separate .tf
files, you can write all of the output to a single file, as shown in this
example:
gcloud beta resource-config bulk-export --resource-format=terraform >> gcp_resources.tf
Filter the output
Filter the output of the bulk export command by specifying resource types.
List the supported resource types to filter on
For a list of resource types that are supported for export to Terraform format,
run the gcloud beta resource-config list-resource-types command:
gcloud beta resource-config list-resource-types
Optionally, write the output to a file:
gcloud beta resource-config list-resource-types >> strings.txt
In the output, the resource type for Compute Engine VMs is listed as:
KRM KIND: ComputeInstance
You can ignore the KRM KIND: prefix.
Export a single resource type
Use a string, such as ComputeInstance, to export specific resource types for
your project in HCL code format:
gcloud beta resource-config bulk-export \ --resource-types=RESOURCE_TYPE \ --project=PROJECT_ID \ --resource-format=terraform
The --resource-types flag specifies the resource type to output.
Export multiple resource types
Export VM instances and firewall rules in HCL code format:
gcloud beta resource-config bulk-export \ --resource-types=ComputeFirewall,ComputeInstance \ --project=PROJECT_ID \ --resource-format=terraform
Use a file to specify the resource types to export
Create a directory called
tf-output.cd && mkdir tf-output && cd tf-output
Create a file called
types.txt, and add a list of resource types. For example:ComputeBackendBucket ComputeBackendService ComputeForwardingRule
Run the
gcloud beta resource-config bulk-exportcommand with the--resource-types-fileflag:gcloud beta resource-config bulk-export \ --resource-types-file=types.txt \ --path=tf-output \ --project=PROJECT_ID \ --resource-format=terraform
If the project doesn't contain any of a particular resource type, the command succeeds but nothing is output for that resource type.
Troubleshooting
If you see the following error:
"Permission denied during export. Please ensure the Cloud Asset Inventory API is enabled."
Make sure that you have followed the instructions in the Before you begin section.