Deploy infrastructure using Infrastructure Manager

This page describes how to use Infrastructure Manager to provision a set of Google Cloud resources that are defined in a Terraform configuration.

To preview a deployment without provisioning resources, see Preview a deployment.

You can deploy to multiple projects and multiple locations. The service account needs permissions for the resources and projects where the resources are deployed. See Access control with IAM for the list of permissions.

This page assumes you are familiar with Terraform. For details, see Terraform and Infrastructure Manager.

Before you begin

  1. Enable Infra Manager.
  2. Ensure that you have the IAM permissions needed to create deployments: roles/config.admin.
  3. Ensure you have a service account with the needed permissions. For details, see Configure the service account.
  4. Identify the Terraform configuration to deploy. Ensure that this Terraform configuration complies with the constraints. Specifically, ensure that the configuration does not contain sensitive data.
  5. If you want to preview the deployment before configuring resources, then see Preview a deployment.
  6. Confirm your organization's quota for products associated with your intended infrastructure. You may face deployment errors if your intended infrastructure exceeds your organization's quota for the products your deployment uses. See quotas and limits for more information.

Grant permissions specific to the configuration

To deploy Google Cloud resources that are specified in the Terraform configuration, the service account that you use to call Infra Manager needs the required permissions that are specific to the resources you are deploying.

These permissions are in addition to the permissions needed to use the Infra Manager service.

For details about granting permissions for the Google Cloud resources and ensuring you have access to the needed projects, see Configure the service account.

Deploy a Terraform configuration stored in a Cloud Storage bucket

This section describes deploying a Terraform configuration that is stored in a Cloud Storage bucket. A storage bucket allows you to control access to the configuration.

You can also deploy a Terraform configuration that is stored in a Git repository, or stored on your local machine.

  1. Ensure the Terraform configuration is in a Cloud Storage bucket. See Upload a configuration to a storage bucket for more details.

  2. If the storage bucket is in a different project from the project where you are running Infra Manager, then you need to ensure that Infra Manager's service account has read permission for the bucket. See Configure the service account for more details.

    If the storage bucket is in the same project as Infra Manager, read permission to the bucket is already enabled.

  3. Deploy the Terraform configuration:

    gcloud infra-manager deployments apply projects/PROJECT_ID/locations/LOCATION/deployments/DEPLOYMENT_ID \
        --service-account projects/SERVICE_ACCOUNT_PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT \
        --gcs-source gs://BUCKET_NAME/OBJECT_NAME \
        --quota-validation=QUOTA_VALIDATION \
        --input-values=INPUT_1_NAME=VALUE,INPUT_2_NAME=VALUE \
        --tf-version-constraint=TERRAFORM_VERSION \
        --annotation="ANNOTATION_KEY=ANNOTATION_VALUE"
    

    Replace:

    • PROJECT_ID: the project ID where Infrastructure Manager runs.
    • LOCATION: the location where Infra Manager runs. See Infrastructure Manager locations for the list of valid locations.
    • DEPLOYMENT_ID: the deployment identifier that you specify. See Deployment name for details about constraints on the deployment identifier.
    • SERVICE_ACCOUNT: the name of the service account you use to call Infra Manager.
    • SERVICE_ACCOUNT_PROJECT_ID is the project ID of the service account. It's common for this to be the same project where Infrastructure Manager runs.
    • BUCKET_NAME: the name of the storage bucket where the configuration is stored.
    • OBJECT_NAME: the object name of the configuration file. This object can be a directory or a zip file, but not a Terraform file. If you are using object versioning, you can also specify the object's generation number. For more details, see Use versioned objects.

      If the storage bucket is the root path of the Terraform configuration, then OBJECT_NAME is optional.

    • Optional: QUOTA_VALIDATION: the value that determines whether quota validation for resources in your Terraform configuration files is enabled or enforced when you create a deployment. Possible values include:

      • ENABLED: Enable computing quota validation for resources in Terraform configuration files. Provides visibility on resources with insufficient quotas.
      • ENFORCED: Enforce quota validation so that your deployment will fail if there isn't sufficient quota available for the infrastructure defined in your Terraform configuration file

      If quota-validation is not defined, quota validation on Terraform configuration files will be disabled. This is the default value. Quota validation applies on limited Google Cloud resources. For more information, see Quotas and limits

    • INPUT_1_NAME=VALUE and INPUT_2_NAME=VALUE: any input values in the Terraform configuration, including ones that are not defined by default. For example, you could specify the project where you deploy the resources as project_id=my-project.

      If all input values are defined by default in the configuration, then this flag is optional.

    • Optional: TERRAFORM_VERSION: the version of Terraform for Infra Manager to use to create the deployment. See supported Terraform version for the list of supported versions. If you remove this optional flag, the latest supported version of Terraform is used.

    • Optional: ANNOTATION_KEY and ANNOTATION_VALUE represent a key-value pair of free-form text that can be attached to your Infra Manager deployments. For more information about the use and constraints of annotations and labels, see Annotations and labels.

Deploy a Terraform configuration stored in a Git repository

This section describes how to work with a Terraform configuration that is stored in a Git repository. You can also deploy a Terraform configuration that is stored in a storage bucket, or stored on your local machine.

  1. Ensure that you have installed Git.
  2. If your Terraform configuration is stored in a private Git repository, you need to connect your Git host and repository to Cloud Build.

  3. Deploy the Terraform configuration:

    gcloud infra-manager deployments apply projects/PROJECT_ID/locations/LOCATION/deployments/DEPLOYMENT_ID \
        --service-account projects/SERVICE_ACCOUNT_PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT \
        --git-source-repo="GIT_REPO" \
        --git-source-directory="DIRECTORY" \
        --git-source-ref="REF" \
        --quota-validation=QUOTA_VALIDATION \
        --input-values=INPUT_1_NAME=VALUE,INPUT_2_NAME=VALUE \
        --tf-version-constraint=TERRAFORM_VERSION \
        --annotation="ANNOTATION_KEY=ANNOTATION_VALUE"
    

    Replace:

    • PROJECT_ID: the project ID where Infrastructure Manager runs.
    • LOCATION: the location where Infra Manager runs. See Infrastructure Manager locations for the list of locations.
    • DEPLOYMENT_ID: the deployment identifier that you specify. See Deployment name for details about constraints on the deployment identifier.
    • SERVICE_ACCOUNT: the name of the service account you use to call Infra Manager.
    • SERVICE_ACCOUNT_PROJECT_ID is the project ID of the service account. It's common for this to be the same project where Infrastructure Manager runs.
    • GIT_REPO: the Git repository.
    • DIRECTORY: the directory that has the Terraform configuration.
    • REF: the Git reference of the configuration. The reference is optional. If you do not specify the reference, the Git repository's default configured branch is used.
    • Optional: QUOTA_VALIDATION: the value that determines whether quota validation for resources in your Terraform configuration files is enabled or enforced when you create a deployment. Possible values include:

      • ENABLED: Enable computing quota validation for resources in Terraform configuration files. Provides visibility on resources with insufficient quotas.
      • ENFORCED: Enforce quota validation so that your deployment will fail if there isn't sufficient quota available for the infrastructure defined in your Terraform configuration files.

      If quota-validation is not defined, quota validation on Terraform configuration files will be disabled. This is the default value. Quota validation applies on limited Google Cloud resources. For more information, see Quotas and limits

    • INPUT_1_NAME=VALUE and INPUT_2_NAME=VALUE: any input values in the Terraform configuration, including ones that are not defined by default. For example, you could specify the project where you deploy the resources as project_id=my-project.

      If all input values are defined by default in the configuration, then this flag is optional.

    • Optional: TERRAFORM_VERSION: the version of Terraform for Infra Manager to use to create the deployment. See supported Terraform version for the list of supported versions. If you remove this optional flag, the latest supported version of Terraform is used.

    • Optional: ANNOTATION_KEY and ANNOTATION_VALUE represent a key-value pair of free-form text that can be attached to your Infra Manager deployments. For more information about the use and constraints of annotations and labels, see Annotations and labels.

Deploy a Terraform configuration stored on your local machine

This section describes how to work with a Terraform configuration that is stored on your local machine. You can also deploy a Terraform configuration that is stored in a storage bucket, or stored in a Git repository.

  1. If you use Cloud Shell, then you need to upload the configuration to Cloud Shell. For details, see Manage files with Cloud Shell.

  2. Deploy the Terraform configuration:

    gcloud infra-manager deployments apply projects/PROJECT_ID/locations/LOCATION/deployments/DEPLOYMENT_ID \
        --service-account projects/SERVICE_ACCOUNT_PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT \
        --local-source="LOCAL_DIRECTORY" \
        --quota-validation=QUOTA_VALIDATION \
        --input-values=INPUT_1_NAME=VALUE,INPUT_2_NAME=VALUE \
        --tf-version-constraint=TERRAFORM_VERSION \
        --annotation="ANNOTATION_KEY=ANNOTATION_VALUE"
    

    Replace:

    • PROJECT_ID: the project ID where Infrastructure Manager runs.
    • LOCATION: the location where Infra Manager runs. See Infrastructure Manager locations for the list of locations.
    • DEPLOYMENT_ID: the deployment identifier that you specify. See Deployment name for details about constraints on the deployment identifier.
    • SERVICE_ACCOUNT: the name of the service account you use to call Infra Manager.
    • LOCAL_DIRECTORY: the local directory storing the Terraform configuration. If you are using Cloud Shell, this is the directory in Cloud Shell where the configuration is stored.
    • SERVICE_ACCOUNT_PROJECT_ID is the project ID of the service account. It's common for this to be the same project where Infrastructure Manager runs.
    • Optional: QUOTA_VALIDATION: the value that determines whether quota validation for resources in your Terraform configuration files is enabled or enforced when you create a deployment. Possible values include:

      • ENABLED: Enable computing quota validation for resources in Terraform configuration files. Provides visibility on resources with insufficient quotas.
      • ENFORCED: Enforce quota validation so that your deployment will fail if there isn't sufficient quota available for the infrastructure defined in your Terraform configuration file

      If quota-validation is not defined, quota validation on Terraform configuration files will be disabled. This is the default value. Quota validation applies on limited Google Cloud resources. For more information, see Quotas and limits

    • INPUT_1_NAME=VALUE and INPUT_2_NAME=VALUE: any input values in the Terraform configuration, including ones that are not defined by default. For example, you could specify the project where you deploy the resources as project_id=my-project.

      If all input values are defined by default in the configuration, then this flag is optional.

    • Optional: TERRAFORM_VERSION: the version of Terraform for Infra Manager to use to create the deployment. See supported Terraform version for the list of supported versions. If you remove this optional flag, the latest supported version of Terraform is used.

    • Optional: ANNOTATION_KEY and ANNOTATION_VALUE represent a key-value pair of free-form text that can be attached to your Infra Manager deployments. For more information about the use and constraints of annotations and labels, see Annotations and labels.

What's next