Terraform Essentials: Service Account - gem-terraform-sa-create


Activate Cloud Shell
Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.
Click Activate Cloud Shell at the top of the Google Cloud console.
When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. The output contains a line that declares the PROJECT_ID for this session:
Your Cloud Platform project in this session is set to YOUR_PROJECT_ID
gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.
- (Optional) You can list the active account name with this command:
gcloud auth list
Click Authorize.
Your output should now look like this:
Output:
ACTIVE: *
ACCOUNT: student-01-xxxxxxxxxxxx@qwiklabs.net
To set the active account, run:
$ gcloud config set account `ACCOUNT`
- (Optional) You can list the project ID with this command:
gcloud config list project
Output:
[core]
project = <project_ID>
Example output:
[core]
project = qwiklabs-gcp-44776a13dea667a6
Note: For full documentation of gcloud in Google Cloud, refer to the gcloud CLI overview guide.
Overview
This lab demonstrates how to create a Google Cloud service account using HashiCorp Terraform. You will define the necessary resources in a Terraform configuration file, initialize Terraform, and then apply the configuration to create the service account. This lab assumes you have a basic understanding of Google Cloud and Terraform.
Task 1. Configure Google Cloud Project
Before you begin, configure your Google Cloud project. This includes setting the project ID, region, and zone. Also, enable the IAM API.
1. Set your project ID to qwiklabs-gcp-02-2382fe5fa47a:
gcloud config set project qwiklabs-gcp-02-2382fe5fa47a
Note: This command sets your active project.
2. Set your default region to us-central1:
gcloud config set compute/region us-central1
Note: This command sets your active compute region.
3. Set your default zone to us-central1-c:
gcloud config set compute/zone us-central1-c
Note: This command sets your active compute zone.
4. Enable the IAM API:
gcloud services enable iam.googleapis.com
Note: This command enables the IAM API.
Task 2. Create a Cloud Storage Bucket for Terraform State
Terraform uses a state file to track the resources it manages. For collaboration and persistence, it's best to store this state file in a remote backend like Google Cloud Storage (GCS). Because state can contain sensitive attribute values, access to the bucket should be limited to the identities that run Terraform, and versioning lets you recover from a corrupted or accidentally overwritten state.
1. Create a Cloud Storage bucket. Ensure the bucket name is globally unique and prefixed with your project ID, qwiklabs-gcp-02-2382fe5fa47a:
gcloud storage buckets create gs://qwiklabs-gcp-02-2382fe5fa47a-tf-state --project=qwiklabs-gcp-02-2382fe5fa47a --location=us-central1 --uniform-bucket-level-access
Note: This command creates a Cloud Storage bucket in the specified region to store the Terraform state file.
2. Enable versioning on the GCS bucket:
gsutil versioning set on gs://qwiklabs-gcp-02-2382fe5fa47a-tf-state
Note: This enables versioning on the bucket.
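As an added example that is not part of the lab, the same state bucket can be declared in Terraform with the settings a state store should have: versioning, uniform bucket-level access, enforced public access prevention, and a lifecycle rule that prunes old object versions. A bucket cannot hold its own state before it exists, so this would be applied once from a separate directory with Terraform's default local backend. The version-retention limit of 10, the bucket name derived from the lab's project ID, and the variable defaults are assumptions chosen for this example.

```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
  }
  # No backend block: this bootstrap configuration keeps local state.
}

# Assumed defaults, matching the lab's project and region.
variable "project_id" {
  type    = string
  default = "qwiklabs-gcp-02-2382fe5fa47a"
}

variable "region" {
  type    = string
  default = "us-central1"
}

provider "google" {
  project = var.project_id
  region  = var.region
}

resource "google_storage_bucket" "tf_state" {
  name     = "${var.project_id}-tf-state" # same name as the lab's gcloud command
  location = var.region

  # Only IAM policies apply; per-object ACLs cannot widen access.
  uniform_bucket_level_access = true

  # Refuse any binding that would make state readable by allUsers/allAuthenticatedUsers.
  public_access_prevention = "enforced"

  # Keep previous versions so a bad apply or accidental overwrite can be rolled back.
  versioning {
    enabled = true
  }

  # Assumption: keeping the 10 most recent archived versions is enough history.
  lifecycle_rule {
    action {
      type = "Delete"
    }
    condition {
      num_newer_versions = 10
      with_state         = "ARCHIVED"
    }
  }

  # Do not let `terraform destroy` delete a non-empty state bucket.
  force_destroy = false
}

output "state_bucket" {
  value = google_storage_bucket.tf_state.name
}
```

After this bootstrap apply, the lab's main.tf can point its `backend "gcs"` block at the bucket named in the `state_bucket` output exactly as the lab does.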
Task 3. Create a Terraform Configuration File
Now, define the Terraform configuration to create the resource.
1. Create a new directory for your Terraform configuration files.
mkdir terraform-service-account && cd $_
Note: This creates a new directory and changes the current directory to it.
2. Create a file named main.tf with the following content:
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
  }
  backend "gcs" {
    bucket = "qwiklabs-gcp-02-2382fe5fa47a-tf-state"
    prefix = "terraform/state"
  }
}

provider "google" {
  project = var.project_id
  region  = var.region
}

resource "google_service_account" "default" {
  account_id   = "terraform-sa"
  display_name = "Terraform Service Account"
}
Note: This configuration defines a Google Cloud service account named terraform-sa.
3. Create a variables.tf file:
variable "project_id" {
  type        = string
  description = "The GCP project ID"
  default     = "qwiklabs-gcp-02-2382fe5fa47a"
}

variable "region" {
  type        = string
  description = "The GCP region"
  default     = "us-central1"
}
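The lab's main.tf creates a service account that holds no permissions, which is the right starting point; what a practitioner adds next is a narrow role binding and a way to use the account without minting a long-lived JSON key. The following is an added example, not the lab's own code: a drop-in replacement for main.tf that reuses the lab's variables.tf, binds a read-only Cloud Storage role at project level, and lets one named user impersonate the account through short-lived tokens. The choice of roles/storage.objectViewer, the `operator` variable and its example address are assumptions for this example.

```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
  }
  backend "gcs" {
    bucket = "qwiklabs-gcp-02-2382fe5fa47a-tf-state"
    prefix = "terraform/state"
  }
}

provider "google" {
  project = var.project_id
  region  = var.region
}

# Same service account as the lab's main.tf.
resource "google_service_account" "default" {
  account_id   = "terraform-sa"
  display_name = "Terraform Service Account"
}

# Assumption: the account only needs to read objects in Cloud Storage.
# A predefined, read-only role is bound instead of roles/editor or
# roles/owner, so a leaked credential for this account can do little.
resource "google_project_iam_member" "sa_storage_viewer" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.default.email}"
}

# Assumption: var.operator is the human who will act as this account.
# Granting Token Creator on the service account lets them impersonate
# it with short-lived tokens, so no downloadable key is ever created.
resource "google_service_account_iam_member" "operator_impersonate" {
  service_account_id = google_service_account.default.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "user:${var.operator}"
}

# Hypothetical variable; project_id and region come from the lab's variables.tf.
variable "operator" {
  type        = string
  description = "User allowed to impersonate the service account"
  default     = "operator@example.com"
}

output "service_account_email" {
  value = google_service_account.default.email
}
```

With this in place, the operator can run gcloud with `--impersonate-service-account=<the service_account_email output>` instead of handling a key file, and both bindings are visible in `terraform plan` output, which makes permission changes reviewable alongside the rest of the configuration.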
Task 4. Initialize and Apply Terraform Configuration
Now, initialize Terraform, apply the configuration, and verify that the service account is created.
1. Initialize Terraform.
terraform init
Note: This command initializes Terraform in the current directory.
2. Apply the Terraform configuration.
terraform apply -auto-approve
Note: This command applies the configuration and creates the resource. The -auto-approve flag automatically approves the changes.
3. Verify that the service account has been created in the Google Cloud Console or using the gcloud CLI.
gcloud iam service-accounts list --project=qwiklabs-gcp-02-2382fe5fa47a
Note: This command lists the service accounts in your project.
Task 5. Clean Up Resources
To avoid incurring unwanted charges, destroy the resources created in this lab.
Destroy the Terraform-managed infrastructure.
terraform destroy -auto-approve
Note: This command destroys the resources created by Terraform. The -auto-approve flag automatically approves the destruction.
Solution of Lab
curl -LO raw.githubusercontent.com/ePlus-DEV/storage/refs/heads/main/labs/gem-terraform-sa-create/lab.sh
sudo chmod +x lab.sh
./lab.sh
Script alternative
curl -LO raw.githubusercontent.com/quiccklabs/Labs_solutions/refs/heads/master/Terraform%20Essentials%20Service%20Account/quicklab.sh
sudo chmod +x quicklab.sh
./quicklab.sh
Written by David Nguyen, a passionate full-stack developer from @ePlus.DEV