Creating a Terraform configuration

When curating Service Catalog solutions for your organization, you can create a Terraform configuration, or config, which your users deploy using Terraform. After you create the configuration, you can share it with users by assigning it to catalogs.

In this guide, you use Cloud Build to run Terraform commands in the latest version of the Terraform Docker image, and you use Cloud Storage to store and manage Terraform resources such as modules and state files.

For resources and guidance on using Terraform, see Using Terraform with Google Cloud.

Before you begin

  • You must have the following Identity and Access Management (IAM) roles:

    • Catalog Admin OR Catalog Manager for the Google Cloud organization associated with the Google Cloud project which has Service Catalog enabled. If you don't have this role, contact your Organization Administrator to request access.
    • Storage Admin for the Google Cloud project where you want to create your solution. If your Terraform config is in a different project, you must also have the Storage Admin role for the project that contains your Terraform config.
    • Cloud Build Editor for the Google Cloud project where you want to create the solution.

    If you plan to use your own service account, you must also have the Service Account User role for the Google Cloud project that contains the service account that you plan to use.

    If you don't have these roles, contact your Organization Administrator to request access.

  • If you plan to use your own service account, your service account must have the following IAM roles:

    • Storage Admin for the Google Cloud project where you want to create your solution. If your Terraform config is in a different project, your service account must also have the role Storage Object Viewer for the project containing the Terraform config.
    • Logs Writer for the Google Cloud project where you want to create your solution.

    If you don't have these roles, contact your Organization Administrator to request access.

  • Set up Cloud Build in the project where you're creating the config:

    1. Enable the Cloud Build API.
      Enabling the API automatically creates a Cloud Build service account that you use in the following step.
    2. Go to the Cloud Build page.
    3. In the left panel, select Settings.
    4. Use the service account provided under the section Service account email.
    5. If you aren't using your own service account, grant the following IAM roles to the service account. For steps to grant roles, see Configuring access for Cloud Build Service Account.

Uploading your configuration files to Cloud Storage

You use Cloud Storage to manage your Terraform configuration files for Service Catalog.

Creating a Cloud Storage bucket

To set up Cloud Storage, create a bucket in the same project where you enabled Service Catalog for your organization:

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.
  2. Click Create bucket.
  3. On the Create a bucket page, enter your bucket information. To go to the next step, click Continue.
    • For Name your bucket, enter a name that meets the bucket naming requirements.
    • For Choose where to store your data, do the following:
      • Select a Location type option.
      • Select a Location option.
    • For Choose a default storage class for your data, select a storage class.
    • For Choose how to control access to objects, select an Access control option.
    • For Advanced settings (optional), specify an encryption method, a retention policy, or bucket labels.
  4. Click Create.

Enabling Object Versioning

You must use Object Versioning for your bucket to protect your Terraform configuration from being deleted or overwritten. To enable Object Versioning, see Cloud Storage's documentation on Using Object Versioning.

Granting access to your bucket

When users in your organization deploy the configuration, their Cloud Build service account must have read access to your bucket. If your bucket is stored in the same Google Cloud project where users deploy the configuration, then the service account already has this access.

If your users are deploying the configuration in a different Google Cloud project, grant access to the bucket using one of the following methods:

  • Grant the Storage Object Viewer (roles/storage.objectViewer) role to your users' Cloud Build service accounts, or to a Google Cloud resource where your users deploy Terraform configurations, such as a project, folder, or organization.

  • Use an Access Control List (ACL) to manage access to the bucket.

For details on managing access to buckets, see Cloud Storage's Overview of access control.

Creating and uploading a Terraform module

After setting up your Cloud Storage bucket, you must create and upload a Terraform module, which is a container of all of your configuration files. Service Catalog uses the module to automatically generate a JSON schema file to define the variables of your configuration.

When you call modules outside of the current directory, use the remote path instead of a relative path. For example, instead of source = "../../", use source = "GoogleCloudPlatform/cloud-run/google".

For modules of common Google Cloud use cases, see Terraform blueprints and modules for Google Cloud.

The following code sample illustrates a Terraform configuration file, main.tf:

variable "machine_type" {
  type    = string
  default = "n1-standard-1"
}

variable "zone" {
  type    = string
  default = "us-central1-a"
}

variable "deployment_identifier" {
  description = "The unique name for your instance"
  type        = string
}

resource "google_compute_instance" "default" {
  name         = "vm-${var.deployment_identifier}"
  machine_type = var.machine_type
  zone         = var.zone

  boot_disk {
    device_name = "boot"
    auto_delete = true
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
    access_config {
      // Ephemeral IP
    }
  }
}

After creating your module, compress the file(s) into a zip file. Make sure the module is stored at the root of the zip file.

To ensure proper storage of the module when you zip your Terraform files, run the following command:

zip solution.zip file1.tf file2.tf file3.tf

Then, upload the zip file to your bucket. For steps to upload the zip file, see Cloud Storage's documentation on Uploading objects.
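The bucket setup described under Creating a Cloud Storage bucket, Enabling Object Versioning and Granting access to your bucket, together with the packaging and upload steps above, expressed as a single Terraform configuration. This is an added example and not code from the Service Catalog documentation: the project ID, bucket name, the consuming project's Cloud Build service account and the `solution` directory that holds the module's `.tf` files are placeholder inputs you supply, and it uses IAM with uniform bucket-level access rather than the ACL option the page also mentions.

```hcl
# Added example (not from the Service Catalog documentation). Provisions the
# bucket that holds the Terraform module zip, grants a consuming project's
# Cloud Build service account read-only access, then packages and uploads the
# module. All variable values are placeholders you must replace.

terraform {
  required_providers {
    google  = { source = "hashicorp/google" }
    archive = { source = "hashicorp/archive" }
  }
}

variable "catalog_project_id" {
  description = "Project where Service Catalog is enabled (placeholder)"
  type        = string
}

variable "bucket_name" {
  description = "Globally unique bucket name (placeholder)"
  type        = string
}

variable "consumer_cloudbuild_sa" {
  description = "Cloud Build service account of a project that deploys the solution, e.g. PROJECT_NUMBER@cloudbuild.gserviceaccount.com (placeholder)"
  type        = string
}

provider "google" {
  project = var.catalog_project_id
}

resource "google_storage_bucket" "tf_configs" {
  name     = var.bucket_name
  location = "US"

  # Object Versioning, as the page requires, so a deleted or overwritten
  # module zip can still be recovered from a noncurrent version.
  versioning {
    enabled = true
  }

  # Uniform bucket-level access makes IAM the only access model (no
  # per-object ACLs to audit), and public access prevention stops the module
  # from ever being readable anonymously.
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  # Refuse to delete the bucket on terraform destroy; the solution link in
  # Service Catalog points at it.
  lifecycle {
    prevent_destroy = true
  }
}

# Storage Object Viewer is sufficient for a consumer's Cloud Build run to
# fetch the zip, so nothing broader is granted on the bucket.
resource "google_storage_bucket_iam_member" "consumer_reader" {
  bucket = google_storage_bucket.tf_configs.name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${var.consumer_cloudbuild_sa}"
}

# Zip the module directory so its *.tf files sit at the root of the archive,
# the same layout the page's "zip solution.zip file1.tf ..." command produces.
data "archive_file" "solution" {
  type        = "zip"
  source_dir  = "${path.module}/solution" # placeholder: directory holding main.tf etc.
  output_path = "${path.module}/solution.zip"
}

resource "google_storage_bucket_object" "solution_zip" {
  bucket = google_storage_bucket.tf_configs.name
  name   = "solution.zip"
  source = data.archive_file.solution.output_path

  # Recording the archive hash as object metadata lets a reviewer confirm that
  # the uploaded zip matches the module source that was reviewed.
  metadata = {
    source_sha256_b64 = data.archive_file.solution.output_base64sha256
  }
}

output "solution_link" {
  description = "Value to enter in the Link to Terraform config field"
  value       = "gs://${google_storage_bucket.tf_configs.name}/${google_storage_bucket_object.solution_zip.name}"
}
```

Run `terraform init` and `terraform apply` in the directory containing this file, then enter the `solution_link` output in the Link to Terraform config field. Because the bucket is versioned, every re-upload of `solution.zip` keeps the previous object version, and `prevent_destroy` means a `terraform destroy` stops rather than deleting the bucket; remove that lifecycle block deliberately if deletion is intended.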

Creating the configuration in Service Catalog

After setting up a Cloud Storage bucket with your Terraform module, you create a Service Catalog solution that includes the bucket.

To create the Terraform configuration as a Service Catalog solution:

  1. Go to the Service Catalog Admin Solutions page in the Google Cloud console.

  2. To choose the Google Cloud project, click Select.

  3. Click Create solution. In the drop-down list, select Create Terraform config.

  4. Enter a name, description, and tagline for your Terraform configuration. The tagline is a short description of a solution that users see as they browse Service Catalog.

  5. In the Link to Terraform config field, provide the link to the Cloud Storage bucket that contains your zip file for the Terraform module, such as gs://my-terraform-bucket/my-zip-file.zip.

  6. Optionally, upload an icon for the solution. The recommended dimensions for an icon are 80 by 80 pixels.

  7. Optionally, enter a support link and contact information for the creator.

  8. Optionally, add a link to the documentation for the solution.

  9. Select the Terraform version you want to use to deploy the solution.

  10. Optionally, you can provide your own service account by clicking the checkbox next to Select or enter your own service account. If your service account is located in the same Google Cloud project where you're creating your solution, select Select a service account from the current project, and select your service account from the drop-down menu. If your service account is located in a different Google Cloud project from your solution, select Enter a service account email from any project, and enter the email of your service account.

  11. Click CREATE.

The solution is created and appears on the Service Catalog Admin Solutions page.

The following screenshot illustrates creating a Terraform configuration:

[Screenshot: Create a Terraform configuration]

Next steps