Setting up a new GCP account with a minimal IAM setup that can be used with TF (IaC)
Today, I will attempt to:
- Open a new GCP cloud account
- Set up their recommended IAM structure
- Create the necessary IAM resources to be used by Terraform/OpenTofu
- Test it out
DISCLAIMER: This is ONE solution of many different approaches. As of today, what you will see here is commonly found in forums. Keep in mind it might evolve.
You will need the following:
- A valid credit card (No charges will be made, unless you start deploying stuff)
- A physical address (For the billing)
- An email (This email has to be registered previously as a Google Account)
- gcloud cli
- One of the following:
- Terraform (>v1.10.0) installed
- OpenTofu (>v1.10.0) installed
I created an alias that I will be using throughout the series (learn more about my opinion about terraform vs opentofu)
# If you use Terraform
alias tf="terraform"
# If you use OpenTofu
alias tf="tofu"
Setting up the account:
- Go to https://cloud.google.com/
- Click on Start free
- Follow the instructions
You should be logged in and ready to use the GCP console.
We will not go over the Organisation setup as that is more targeted to production-ready enterprise workloads.
Feel free to use the default project or create a new one. If you choose to create a new one, go to the project selector at the top and then click Create project. Name it whatever you like.
In any case, save the project id, we’ll use it later.
Configure the IAM
We will proceed to create a [Service Account](https://docs.cloud.google.com/iam/docs/service-account-overview) for TF.
We will use Basic > Owner (which is generally not recommended). Basic roles provide broad access to Google Cloud resources, and thus they can be quite insecure. Learn more about GCP roles
However, since I will be using this account with the broadest level of access to experiment… it doesn’t really matter !
- Login using the root/owner account
- Go to IAM & Admin
- Go to Service Accounts and click Create Service Account
- Add a descriptive but short name, then optionally add a description. I will use tf and infrastructure as code service account respectively
- Click Create and continue
- In permissions, click Select role and choose Basic > Owner
- Finally, click Done to skip the last step (Principals with access)
- Once created, click on your new service account
- Go to Keys > Add key > Create new key and leave JSON selected. I like to name the file {{name}} + - + sa, i.e. tf-sa.json
- Download it to a safe location on your computer. I’ll use ~/.gcp/ (first do mkdir ~/.gcp)
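The same service-account setup done with the gcloud CLI instead of the console, as an added example that is not part of the original post. It assumes gcloud is installed and logged in as the project owner, that PROJECT_ID holds the project id saved earlier, and it keeps the post’s names (service account tf, key file tf-sa.json under ~/.gcp/); the project-id format check and the tightened file permissions are additions of this example.

```shell
#!/bin/sh
# Added example: the console steps above, as gcloud CLI commands.
# Assumes: gcloud is installed and you are logged in as the project owner.
set -eu

PROJECT_ID="${PROJECT_ID:-<PROJECT_ID>}"      # placeholder: export your real id
SA_NAME="${SA_NAME:-tf}"                      # service account name from the post
KEY_DIR="${KEY_DIR:-${HOME:-.}/.gcp}"         # ~/.gcp as in the post
ROLE="${ROLE:-roles/owner}"                   # Basic > Owner, as the post uses

# GCP project ids are 6-30 chars of lowercase letters, digits and hyphens,
# start with a letter and do not end with a hyphen.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Key file naming convention from the post: {{name}}-sa.json
key_path() { printf '%s/%s-sa.json' "$KEY_DIR" "$1"; }

# Email GCP assigns to a service account: NAME@PROJECT.iam.gserviceaccount.com
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

create_tf_sa() {
  valid_project_id "$PROJECT_ID" || { echo "invalid project id: $PROJECT_ID" >&2; return 1; }
  email="$(sa_email "$SA_NAME" "$PROJECT_ID")"
  key="$(key_path "$SA_NAME")"

  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
    --display-name "infrastructure as code service account"

  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$email" --role "$ROLE"

  # The JSON key is a long-lived credential carrying Owner on the project:
  # keep the directory and the file readable by your user only.
  mkdir -p "$KEY_DIR"
  chmod 700 "$KEY_DIR"
  gcloud iam service-accounts keys create "$key" --iam-account "$email"
  chmod 600 "$key"
  echo "export GOOGLE_APPLICATION_CREDENTIALS=$key"
}

# Only touch GCP when run as: sh create-tf-sa.sh create
if [ "${1:-}" = "create" ]; then create_tf_sa; fi
```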
Testing it out
We now have the GCP key associated with our TF service account, which will allow us to start provisioning Infrastructure as Code. There are multiple ways to authenticate TF to GCP. The one I will be using is to [export the env var](https://docs.cloud.google.com/docs/terraform/authentication#auth_using_sa_keys_onprem) GOOGLE_APPLICATION_CREDENTIALS in my ~/.zshrc (note: you might be using Bash or Fish, so this will differ for you).
# export the env var on session start
echo "export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/tf-sa.json" >> ~/.zshrc
# reload
source ~/.zshrc
Let’s test this with TF
You’ll find all the code below.
# main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "6.8.0"
    }
  }
}

provider "google" {
  project = "<PROJECT_ID>"
  region  = "europe-west2"
  zone    = "europe-west2-a"
}

# data.tf
data "google_billing_account" "main" {
  display_name = "Main Billing Account"
  open         = true
}

# outputs.tf
output "billing_account_id" {
  value = data.google_billing_account.main.id
}
This is essentially a “ping” or a “hello world” to verify that TF can talk to GCP.
Then do the following
tf init
tf apply
You should be able to see TF communicating with GCP and creating a plan that you will be prompted to apply
Hit yes and then you should see an output like this
billing_account_id = XXXXX
Great, don’t forget to clean up!
tf destroy
