Creating a Terraform configuration

When curating Private Catalog solutions for your organization, you can create a Terraform configuration, or config, which your users deploy using Terraform. After you create the configuration, you can share it with users by assigning it to catalogs.

In this guide, you use Cloud Build to run Terraform commands in the latest version of the Terraform Docker image, and you use Cloud Storage to store and manage Terraform resources such as modules and state files.

For resources and guidance on using Terraform, see Using Terraform with Google Cloud.

Before you begin

  • You must have the following Identity and Access Management (IAM) roles:

    • Catalog Admin (roles/cloudprivatecatalogproducer.admin) OR Catalog Manager (roles/cloudprivatecatalogproducer.manager) for the Google Cloud project where Private Catalog is enabled.
    • Storage Admin (roles/storage.admin) for the project where Private Catalog is enabled.
    • Cloud Build Editor (roles/cloudbuild.builds.editor) for the project where you want to create the solution.

      If you don't have these roles, contact your Organization Administrator to request access.

  • Set up Cloud Build in the project where you're creating the config:

    1. Enable the Cloud Build API.


      Enabling the API automatically creates a Cloud Build service account that you use in the following step.

    2. Grant the following IAM roles to the service account:

      For steps on granting roles, see Configuring access for Cloud Build Service Account.

Uploading your configuration files to Cloud Storage

You use Cloud Storage to manage your Terraform configuration files for Private Catalog.

Creating a Cloud Storage bucket

To set up Cloud Storage, create a bucket in the same project where you enabled Private Catalog for your organization:

  1. In the Cloud Console, go to the Cloud Storage Browser page.


  2. Click Create bucket.
  3. On the Create a bucket page, enter your bucket information. To go to the next step, click Continue.
    • For Name your bucket, enter a name that meets the bucket naming requirements.
    • For Choose where to store your data, do the following:
      • Select a Location type option.
      • Select a Location option.
    • For Choose a default storage class for your data, select a storage class.
    • For Choose how to control access to objects, select an Access control option.
    • For Advanced settings (optional), specify an encryption method, a retention policy, or bucket labels.
  4. Click Create.

Enabling Object Versioning

You must use Object Versioning for your bucket to protect your Terraform configuration from being deleted or overwritten. To enable Object Versioning, see Cloud Storage's documentation on Using Object Versioning.

Granting access to your bucket

When users in your organization deploy the configuration, their Cloud Build service account must have read access to your bucket. If your bucket is stored in the same Cloud project where users deploy the configuration, then the service account already has this access.

If your users are deploying the configuration in a different Cloud project, grant access to the bucket using one of the following methods:

  • Grant the Storage Object Viewer (roles/storage.objectViewer) role to your users' Cloud Build service accounts, or to a Google Cloud resource where your users deploy Terraform configurations, such as a project, folder, or organization.

  • Use an Access Control List (ACL) to manage access to the bucket.

For details on managing access to buckets, see Cloud Storage's Overview of access control.

Creating and uploading a Terraform module

After setting up your Cloud Storage bucket, you must create and upload a Terraform module, which is a container of all of your configuration files. Private Catalog uses the module to automatically generate a JSON schema file to define the variables of your configuration.

For modules of common Google Cloud use cases, see the Cloud Foundation Toolkit.

The following code sample illustrates a Terraform configuration file, main.tf:

# Instance size and zone have defaults, so users can accept them as-is.
variable "machine_type" {
  type    = string
  default = "n1-standard-1"
}

variable "zone" {
  type    = string
  default = "us-central1-a"
}

# No default, so this variable is required: Private Catalog exposes it as a
# mandatory input in the generated schema.
variable "deployment_identifier" {
  description = "The unique name for your instance"
  type        = string
}

resource "google_compute_instance" "default" {
  name         = "vm-${var.deployment_identifier}"
  machine_type = var.machine_type
  zone         = var.zone

  boot_disk {
    device_name = "boot"
    auto_delete = true
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"
    access_config {
      // Ephemeral IP
    }
  }
}

After creating your module, compress the file(s) into a zip file. Make sure the module files are stored at the root of the zip file (do not use subdirectories).

Then, upload the zip file to your bucket. For steps to upload the zip file, see Cloud Storage's documentation on Uploading objects.
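As an added example that is not part of this documentation, the following Python script packages a module directory so that every file lands at the zip root, and checks a zip for that layout before you upload it. The module directory, file names and the hand-built nested zip are constructed sample input; the script runs offline with the standard library only.

```python
# Added example, not from the Private Catalog docs: package a Terraform module
# so every file sits at the zip root, and validate a zip before uploading it.
import io
import tempfile
import zipfile
from pathlib import Path


def package_module(module_dir: Path) -> bytes:
    """Zip the regular files directly inside module_dir, with no leading directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(module_dir.iterdir()):
            if path.is_file():
                # arcname is the bare file name, so the entry lands at the zip root
                zf.write(path, arcname=path.name)
    return buf.getvalue()


def check_module_zip(data: bytes) -> list[str]:
    """Return the problems found; an empty list means the layout is acceptable."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if not any(n.endswith(".tf") and "/" not in n for n in names):
        problems.append("no .tf file at the zip root")
    for n in names:
        if n.endswith("/") or "/" in n or "\\" in n:
            # subdirectories (and traversal names such as ../x) are both rejected here
            problems.append(f"entry not at zip root: {n}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a correctly packaged module dir and a nested zip."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "main.tf").write_text('variable "zone" { type = string }\n')
        (root / "notes").mkdir()  # nested tree; deliberately not packaged
        good = package_module(root)
    bad = io.BytesIO()
    with zipfile.ZipFile(bad, "w") as zf:
        zf.writestr("my-module/main.tf", 'variable "zone" { type = string }\n')
    return check_module_zip(good), check_module_zip(bad.getvalue())


if __name__ == "__main__":
    ok, nested = demo()
    print("packaged module:", ok or "ok", "| nested zip:", nested)
```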

Creating the configuration in Private Catalog

After setting up a Cloud Storage bucket with your Terraform module, you create a Private Catalog solution that includes the bucket.

To create the Terraform configuration as a Private Catalog solution:

  1. Go to the Private Catalog Admin Solutions page in the Cloud Console.

  2. Click Select to choose the Google Cloud project.

  3. Click CREATE SOLUTION. In the drop-down list, select Create Terraform config.

  4. Enter a name, description, and tagline for your Terraform configuration. The tagline is a short description of a solution that users see as they browse Private Catalog.

  5. In the Link to Terraform config field, provide the link to the Cloud Storage bucket that contains your zip file for the Terraform module, such as gs://my-terraform-bucket/my-zip-file.zip.

  6. Optionally, upload an icon for the solution. The recommended dimensions for an icon are 80 by 80 pixels.

  7. Optionally, enter a support link and contact information for the creator.

  8. Optionally, add a link to the documentation for the solution.

  9. Click CREATE.

The solution is created and appears on the Private Catalog Admin Solutions page.

[Screenshot: Create a Terraform configuration]

Next steps