Need clarification on using Terraform to manage Google Cloud projects

0
votes

I read this article on using Terraform with GCP:

https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform

I almost have it working, but I ran into some issues and wanted some clarification.

I made a terraform admin project, and made a service account in that project with the roles/viewer and roles/storage.admin roles. I then made a bucket in the admin project and use that as the terraform backend storage.

terraform {                                                                                                                                                                                                        
  backend "gcs" {                                                                                                                                                                                                  
    bucket      = "test-terraform-admin-1"                                                                                                                                                                         
    prefix      = "terraform/state"                                                                                                                                                                                
    credentials = "service-account.json"                                                                                                                                                                           
  }                                                                                                                                                                                                                
}

I then use that service account to create another project and provision resources in that project:

provider "google" {                                                                                                                                                                                                
  alias       = "company_a"                                                                                                                                                                                    
  credentials = "./service-account.json"                                                                                                                                                                           
  region      = "us-east4"                                                                                                                                                                                         
  zone        = "us-east4-c"                                                                                                                                                                                       
  version = "~> 2.12"                                                                                                                                                                                              
}

resource "google_project" "project" {                                                                                                                                                                              
  name            = var.project_name                                                                                                                                                                               
  project_id      = "${random_id.id.hex}"                                                                                                                                                                          
  billing_account = "${var.billing_account}"                                                                                                                                                                       
  org_id          = "${var.org_id}"                                                                                                                                                                                
}

I thought that it would be sufficient to enable services for the project created with terraform like this:

resource "google_project_service" "container_service" {                                                                                                                                                            
  project = "${google_project.project.project_id}"                                                                                                                                                                 
  service = "container.googleapis.com"                                                                                                                                                                             
}

However, I got an error when terraform tried to create my gke cluster:

resource "google_container_cluster" "primary" {                                                                                                                                                                    
  project = "${google_project.project.project_id}"                                                                                                                                                                 
  name    = "main-gke-cluster"                                                                                                                                                                                     

  node_pool {                                                                                                                                                                                                      
    ....
  }                                                                                                                                                                                                             
  network = "${google_compute_network.vpc_network.self_link}"                                                                                                                                                      
}

It said that the container service was not enabled yet for my project, and it referenced the terraform admin project ID (not the project created with the google_project resource!). It seems that I have to enable the services on the terraform admin project in order for the service account to access those services on any projects created by the service account.

In fact, I can get it working without ever enabling the container, servicenetworking, etc. services on the create project as long as they are enabled on the terraform admin project.

Is there some parent/child relationship between the projects where services in one project are inherited by projects created from a service account in the parent project? This seems to be the case, but I cannot find any documentation about this anywhere.

Thanks for listening!

1
google-cloud-platformterraform-provider-gcp

1 Answers

0
votes

In my company, we created a folder and a service account in this folder. Then, we created a project for terraform and each terraform job use the folder level service account for creating projects and resources into this folder.

As the role and permission are inherited from folder to lower level (folders or projects) we don't have issue to create resources.

I don't if it helps your specific issue, but for us, it solved a lot and simplify the service account management.