Use Terraform

To configure Terraform in your Google Distributed Cloud (GDC) air-gapped environment, you must download it and configure it to handle Kubernetes resources.

This document is for all audience groups that need to set up Terraform to manage their air-gapped hardware and software workflows. For more information, see Audiences for GDC air-gapped documentation.

Before you begin

Set up Terraform

To set up Terraform in your GDC environment, complete the following:

  1. Within your Terraform module (the collection of Terraform files on your workstation), create the main.tf file and add the following backend configuration, which stores the Terraform state in a GDC object storage bucket through the S3-compatible API:

    terraform {
      backend "s3" {
        bucket = "BUCKET_FQN"
        key = "TF_STATE_PATH"
        endpoint = "BUCKET_ENDPOINT"
        skip_credentials_validation = true
        force_path_style = true
        access_key = "ACCESS_KEY"
        secret_key = "SECRET_KEY"
      }
    }
    

    Replace the following:

    • BUCKET_FQN: the fully qualified name from the Bucket custom resource.

    • TF_STATE_PATH: the path of the Terraform state file to store in the storage bucket.

    • BUCKET_ENDPOINT: the endpoint from the Bucket custom resource.

    • ACCESS_KEY: the access key acquired from the secret containing your access credentials. For more information about acquiring the access key, see Obtain bucket access credentials.

    • SECRET_KEY: the secret key acquired from the secret containing your access credentials. For more information about acquiring the secret key, see Obtain bucket access credentials.

    Keys written into main.tf are stored in plain text, are committed along with the module if it is under version control, and are copied by Terraform into .terraform/terraform.tfstate together with every other backend argument. If you want the credentials to stay out of both files, omit access_key and secret_key from the block and export them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the shell that runs Terraform; the S3 backend reads them from the environment. Passing them with terraform init -backend-config also keeps them out of main.tf, but values given that way are still persisted to .terraform/terraform.tfstate. On Terraform 1.6 and later, force_path_style and endpoint are deprecated in favor of use_path_style and an endpoints block with an s3 argument; the older names still work but produce a warning during init.

  2. Initialize your Terraform state file in the storage bucket you specified in the previous step:

    terraform init
    

    Terraform might prompt for an AWS region as a required input. The value is not used, because the endpoint points at GDC object storage rather than AWS, so any valid region name such as us-east-1 satisfies the prompt. To avoid the prompt in non-interactive runs, set the region argument in the backend block to the same placeholder.

  3. Deploy the crd-viewer cluster role and bind it to your user account. The role grants read-only access (get, list, watch) to CustomResourceDefinitions, which the Kubernetes provider reads to discover the custom resource types in the cluster; it grants nothing else, so the bound user must separately hold RBAC permissions on every resource type that Terraform creates or modifies:

    kubectl apply --kubeconfig KUBECONFIG -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: crd-viewer
    rules:
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "watch"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: crd-viewer-binding
    subjects:
    - kind: User
      name: USER_EMAIL
    roleRef:
      kind: ClusterRole
      name: crd-viewer
      apiGroup: rbac.authorization.k8s.io
    EOF
    

    Replace the following:

    • KUBECONFIG: the kubeconfig file of the API server or cluster that hosts the resources you're managing with Terraform.

    • USER_EMAIL: the email of the user to bind the role to. This is the identity Terraform authenticates as through the kubeconfig, not necessarily the identity that runs kubectl apply here.

    Repeat this step on each API server or cluster that you intend to manage with Terraform; a ClusterRoleBinding applies only to the cluster it is created in.

  4. In the main.tf file, add the following required_providers block. You can place it inside the terraform block from step 1 or as a second terraform block; Terraform merges multiple terraform blocks in a configuration:

    terraform {
      required_providers {
        kubernetes = {
          source = "hashicorp/kubernetes"
          version = ">=2.24.0"
        }
      }
    }
    

    This configuration declares that the module requires the Kubernetes provider, which is used to provision and manage Kubernetes resources in your GDC environment. The provider itself is downloaded by terraform init in the next step. By default Terraform fetches providers from registry.terraform.io, which is not reachable from an air-gapped environment, so point the CLI at a local copy first: either create a filesystem mirror of the provider with terraform providers mirror on a connected machine and reference it from a provider_installation block in your CLI configuration file, or populate the plugin cache directory out of band. The version constraint ">=2.24.0" accepts any newer release; pin it more tightly if you need reproducible installs across workstations.

  5. Initialize your Terraform working directory again to install the provider. The backend is already configured, so this run only resolves and installs providers:

    terraform init
    
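The following script ties steps 1, 2, 4 and 5 together in a form that keeps the bucket credentials out of main.tf. It is an added example, not code from the GDC documentation or from Terraform. It assumes the operator has already obtained the bucket access key and secret key as described in Obtain bucket access credentials and exported them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (the environment variables the S3 backend reads natively), and that the bucket name, state path, endpoint and kubeconfig path are passed in by the caller. The non-secret backend settings go into a separate backend.hcl handed to terraform init -backend-config, the backend block in main.tf stays empty, and a pre-init check refuses to continue if any .tf or .hcl file in the directory carries an inline access_key or secret_key. The provider block uses the Kubernetes provider's config_path argument; the placeholder region and the skip_* arguments are standard S3 backend arguments, chosen here because GDC object storage is not AWS.

```shell
#!/usr/bin/env bash
# Added example (not part of the GDC documentation): initialize a Terraform
# module against a GDC object storage backend without writing the bucket
# credentials into main.tf. Credentials are expected in AWS_ACCESS_KEY_ID and
# AWS_SECRET_ACCESS_KEY, which the S3 backend reads from the environment.
set -euo pipefail

# Write backend.hcl containing only non-secret backend settings.
# Arguments: directory, bucket FQN, state path, bucket endpoint.
write_backend_config() {
  local dir="$1" bucket="$2" state_path="$3" endpoint="$4"
  cat > "$dir/backend.hcl" <<EOF
bucket                      = "$bucket"
key                         = "$state_path"
endpoint                    = "$endpoint"
region                      = "us-east-1"  # placeholder; not used by GDC
skip_credentials_validation = true
skip_region_validation      = true
skip_metadata_api_check     = true
force_path_style            = true        # use_path_style on Terraform >= 1.6
EOF
}

# Write main.tf with an empty backend block (filled in at init time), the
# provider requirement, and a provider configuration pointing at the
# kubeconfig of the cluster where the crd-viewer role was deployed.
# Arguments: directory, kubeconfig path.
write_main_tf() {
  local dir="$1" kubeconfig="$2"
  cat > "$dir/main.tf" <<EOF
terraform {
  backend "s3" {}

  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.24.0"
    }
  }
}

provider "kubernetes" {
  config_path = "$kubeconfig"
}
EOF
}

# Return 1 (and print the offending lines) if any .tf or .hcl file in the
# directory assigns access_key or secret_key inline. Suitable as a pre-commit
# hook as well as a pre-init gate.
check_no_inline_credentials() {
  local dir="$1" hits
  hits=$(find "$dir" \( -name '*.tf' -o -name '*.hcl' \) \
           -exec grep -En '^[[:space:]]*(access_key|secret_key)[[:space:]]*=' {} + || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" >&2
    echo "refusing to continue: object storage credentials found inline in $dir" >&2
    return 1
  fi
  return 0
}

# Run terraform init with the partial backend configuration. Fails early if
# the credentials are not in the environment or were written into a file.
run_init() {
  local dir="$1"
  : "${AWS_ACCESS_KEY_ID:?export the access key from the bucket credentials secret}"
  : "${AWS_SECRET_ACCESS_KEY:?export the secret key from the bucket credentials secret}"
  check_no_inline_credentials "$dir"
  terraform -chdir="$dir" init -input=false -backend-config=backend.hcl
}

# Usage: BUCKET_FQN=... TF_STATE_PATH=... BUCKET_ENDPOINT=... KUBECONFIG=... \
#        AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=... ./tf-gdc-init.sh setup DIR
if [ "${1:-}" = "setup" ]; then
  module_dir="${2:-.}"
  write_backend_config "$module_dir" "$BUCKET_FQN" "$TF_STATE_PATH" "$BUCKET_ENDPOINT"
  write_main_tf "$module_dir" "$KUBECONFIG"
  run_init "$module_dir"
fi
```

Because backend.hcl carries no secrets, it can be committed alongside main.tf; the only copies of the keys live in the shell environment of the person or pipeline running terraform init. Running the script a second time after step 4 is unnecessary, since main.tf already contains the required_providers block and the single init resolves both the backend and the provider.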

What's next