This tutorial demonstrates how to import Google Cloud resources into an Infrastructure Manager deployment. You can only import resources that were provisioned using Terraform.
If you have a Terraform configuration and have not yet deployed it on Google Cloud, then see deploy infrastructure using Infrastructure Manager.
This tutorial begins with deploying a Virtual Private Cloud (VPC) onto Google Cloud using the Terraform CLI. Then, this tutorial demonstrates how to import these deployed resources into Infrastructure Manager so that the resources can be managed as an Infrastructure Manager deployment.
You can use the example in this tutorial to understand how to import other Google Cloud resources into Infra Manager. To import the deployment into Infra Manager, the Terraform configuration used to provision the resources needs to comply with the constraints, and the resources need to have been provisioned using a supported Terraform version.
Costs
This tutorial uses the following billable components of Google Cloud:
Before you begin
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
    gcloud init
- Create or select a Google Cloud project.
  Roles required to select or create a project:
  - Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
  - Create a Google Cloud project:
      gcloud projects create PROJECT_ID
    Replace PROJECT_ID with a name for the Google Cloud project you are creating.
  - Select the Google Cloud project that you created:
      gcloud config set project PROJECT_ID
    Replace PROJECT_ID with your Google Cloud project name.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Infrastructure Manager API:
  Roles required to enable APIs: To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
    gcloud services enable config.googleapis.com
- Set up authentication:
  - Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator). Learn how to grant roles.
  - Create the service account:
      gcloud iam service-accounts create SERVICE_ACCOUNT_NAME
    Replace SERVICE_ACCOUNT_NAME with a name for the service account.
  - Grant the roles/config.agent IAM role to the service account:
      gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" --role=roles/config.agent
    Replace the following:
    - SERVICE_ACCOUNT_NAME: the name of the service account
    - PROJECT_ID: the project ID where you created the service account
- Install a supported version of Terraform.
Deploy resources to Google Cloud
The Google Cloud resource that you deploy in this tutorial is a VPC. This section shows you how to deploy the resource to use as an example for importing deployed resources into Infra Manager.
This tutorial uses the us-central1 region. If you want to use another region, then you can use any of the locations where Infra Manager runs. See Infrastructure Manager locations for the list of valid locations.
Grant permissions for resources in the configuration
You have granted permissions needed to run Infra Manager, but you also need to grant permissions that are specific to the resources described in the configuration you are deploying.
Grant permissions to be able to create the VPC network, which is the resource defined in the Terraform configuration:
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/compute.networkAdmin
Replace the following:
- SERVICE_ACCOUNT_NAME: the name of the service account.
- PROJECT_ID: your project ID.
Deploy resources using the Terraform CLI
- Create a VPC network using the following Terraform configuration. To do so, run the following commands:
mkdir vpc_to_import
cd vpc_to_import
cat <<EOF > main.tf
variable "project_id" {
  type = string
}
resource "google_compute_network" "vpc_network" {
  name = "my-custom-mode-network"
  project = var.project_id
}
EOF
- Deploy the configuration with the Terraform CLI by running the following commands:
terraform init
echo "************** TERRAFORM APPLY ******************"
terraform apply -var="project_id=PROJECT_ID" -auto-approve
cd ..
When the VPC is provisioned, you see output that begins with the text Creation complete.
The VPC that is defined in the Terraform configuration is now deployed on Google Cloud. Terraform creates a state file, and this file is on the file system next to the main.tf file.
Create a placeholder deployment in Infrastructure Manager
To import resources into Infra Manager, you need an existing deployment in Infra Manager.
This tutorial uses a storage bucket to store the Terraform configuration. If you are using this tutorial to understand how to import other deployments into Infra Manager, then you can store the Terraform configuration in a storage bucket, public Git repository, or on your local machine.
- Add an empty Terraform configuration to the storage bucket:
gcloud storage buckets create gs://import-deployment-configuration --project=PROJECT_ID
mkdir placeholder_deployment
cd placeholder_deployment
cat <<EOF > main.tf
EOF
gcloud storage cp main.tf gs://import-deployment-configuration
cd ..
- Create a deployment using Infra Manager.
gcloud infra-manager deployments apply projects/PROJECT_ID/locations/us-central1/deployments/import-deployment \
    --gcs-source gs://import-deployment-configuration \
    --input-values project_id=PROJECT_ID \
    --service-account projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT
When the deployment is done, you see:
Creating the deployment...done
You now have an Infra Manager deployment. Next, you need to add the state file and Terraform configuration to this deployment so that this deployment manages the VPC.
Import the state file and Terraform configuration
To manage the deployed resource (the VPC) using Infra Manager, you need to add the state file and the Terraform configuration to Infra Manager.
Lock the deployment
Lock the Infra Manager deployment so you can make changes to its state.
LOCK_ID=$(gcloud infra-manager deployments lock projects/PROJECT_ID/locations/us-central1/deployments/import-deployment --format="get(lockId)")
Import the Terraform state file into Infra Manager
Import the state file for your deployed resources. This state file was created by Terraform when you deployed the VPC using the Terraform CLI.
Upload the Terraform state file to the Infra Manager deployment.
SIGNED_STATE_UPLOAD_URL=$(gcloud infra-manager deployments import-statefile projects/PROJECT_ID/locations/us-central1/deployments/import-deployment --lock-id ${LOCK_ID} --format="get(signedUri)")
cd vpc_to_import
curl -s -X PUT --upload-file terraform.tfstate "$SIGNED_STATE_UPLOAD_URL"
Upload the Terraform configuration to the Cloud Storage bucket
Now that you have uploaded the Terraform state file, you also need to upload the Terraform configuration that you used to create the VPC network. Infra Manager needs the Terraform state file so that when an Infra Manager preview is run, it doesn't find any changes to the resources.
Upload the Terraform configuration to Cloud Storage using the following command:
gcloud storage cp main.tf gs://import-deployment-configuration
Unlock the deployment
If you are using this tutorial to understand how to import any resources into Infra Manager, ensure that the state file and the Terraform configuration don't differ. If they do differ, ensure that the state file describes the resources that you want deployed. When you unlock the deployment, if there are differences between the state file and the Terraform configuration, Infra Manager creates or deletes resources to match the state file.
You need to unlock the deployment to be able to manage the resources using Infra Manager. In this tutorial, the state file and Terraform configuration describe the same configuration, and so Infra Manager doesn't create or delete any resources.
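The comparison described above can be run locally before you release the lock. The following is an added example, not code from the original tutorial or from Infra Manager: it compares the resource addresses recorded in a version 4 terraform.tfstate with the resource blocks in main.tf. The function names and sample inputs are constructed for illustration, and it assumes a root-module configuration.

```python
"""Added example (not from the original page): compare resource addresses in a
Terraform state file with the resource blocks in the root configuration."""
import json
import re

# Matches root-module blocks of the form: resource "TYPE" "NAME" {
# Assumption: text inside /* ... */ block comments is not filtered out.
RESOURCE_BLOCK = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.MULTILINE)

def state_addresses(state_text):
    """Return the managed resource addresses recorded in a version 4 state file."""
    state = json.loads(state_text)
    if state.get("version") != 4:
        raise ValueError("unsupported state format version: %r" % state.get("version"))
    addresses = set()
    for res in state.get("resources", []):
        if res.get("mode") != "managed":  # data sources are not deployed resources
            continue
        # Resources created inside modules keep their module prefix so they stay visible.
        prefix = res["module"] + "." if "module" in res else ""
        addresses.add(prefix + res["type"] + "." + res["name"])
    return addresses

def config_addresses(hcl_text):
    """Return the addresses of resource blocks declared in root-module HCL text."""
    return {"%s.%s" % match for match in RESOURCE_BLOCK.findall(hcl_text)}

def compare(state_text, hcl_text):
    """Return (only_in_state, only_in_config) as sorted lists of addresses."""
    in_state, in_config = state_addresses(state_text), config_addresses(hcl_text)
    return sorted(in_state - in_config), sorted(in_config - in_state)

# Constructed sample inputs modelled on this tutorial's VPC; not real tool output.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "managed", "type": "google_compute_network", "name": "vpc_network"}]})
SAMPLE_CONFIG = '''variable "project_id" { type = string }
resource "google_compute_network" "vpc_network" {
  name    = "my-custom-mode-network"
  project = var.project_id
}
'''
EMPTY_CONFIG = ""  # the placeholder main.tf that is still in the bucket if the upload was skipped

if __name__ == "__main__":
    for label, cfg in (("tutorial config", SAMPLE_CONFIG), ("empty placeholder", EMPTY_CONFIG)):
        print(label, compare(SAMPLE_STATE, cfg))
```

Pass the contents of vpc_to_import/terraform.tfstate and of the main.tf you uploaded to the bucket; both returned lists should be empty before you unlock. For an attribute-level comparison, terraform plan -detailed-exitcode in the same directory exits with code 2 when changes are pending.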
Release the lock from the deployment by running the following command:
gcloud infra-manager deployments unlock projects/PROJECT_ID/locations/us-central1/deployments/import-deployment \
--project PROJECT_ID \
--location us-central1 \
--lock-id ${LOCK_ID}
Now that the state file and Terraform configuration are added to your Infra Manager deployment, you have finished importing the deployed resources. The deployed VPC is now managed by Infra Manager.
Preview resource changes
Run a preview on the deployment to confirm that the Terraform state and the resources deployed on Google Cloud are in sync.
- Create a preview using the following command:
gcloud infra-manager previews create projects/PROJECT_ID/locations/us-central1/previews/IMPORT_DEPLOYMENT_PREVIEW_NAME \
    --gcs-source gs://import-deployment-configuration \
    --deployment projects/PROJECT_ID/locations/us-central1/deployments/import-deployment \
    --service-account projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --location us-central1
- Get preview details to make sure it has finished successfully.
gcloud infra-manager previews describe projects/PROJECT_ID/locations/us-central1/previews/IMPORT_DEPLOYMENT_PREVIEW_NAME
- Export the preview to review changes.
SIGNED_BIN_PLAN_URL=$(gcloud infra-manager previews export projects/PROJECT_ID/locations/us-central1/previews/IMPORT_DEPLOYMENT_PREVIEW_NAME --format "get(result.binarySignedUri)")
curl -X GET --output tfplan.out "$SIGNED_BIN_PLAN_URL"
- Ensure the configuration is present locally and initialized with the following command:
terraform init
- Run terraform show to review changes between the Infrastructure Manager deployment state and the configuration.
terraform show tfplan.out
If the VPC resource on Google Cloud and the state file are in sync, then terraform show confirms that Infrastructure Manager does not see any changes between the deployment state and the configuration. You see an output similar to the following:
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
You have now imported the deployed resources so that they are managed by Infra Manager. For example, you can now use Infra Manager to update the deployment.
You can also update the deployment to validate that the deployment was successfully imported into Infra Manager.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the project
Delete a Google Cloud project:
gcloud projects delete PROJECT_ID
Delete individual resources
Delete the VPC and the metadata about the deployment:
gcloud infra-manager deployments delete projects/PROJECT_ID/locations/us-central1/deployments/import-deployment