GCP Authentication with Terraform - notes on ADC
Terraform: 1.7.1-dev
Google Cloud SDK 461.0.0.0
OS: openSUSE Leap 15.5 in Azure
Today I am going to work through how Terraform authenticates to GCP.
If you followed the official Terraform tutorial,
in the "Set up GCP" section you most likely authenticated with a Service Account Key, pointing the provider's credentials argument at the key file, NAME.json.
That raises a question: when I use Terraform with GCP, do I always have to create a Service Account Key, or is there another way?
Quoting the official Terraform documentation:
On your own workstation you can use Application Default Credentials, ADC (https://cloud.google.com/sdk/gcloud/reference/auth/application-default)
Inside Google Cloud you can use a Service Account
The Service Account approach was already covered in the official Terraform tutorial,
so today's lab is the Application Default Credentials (ADC) approach.
First I created an openSUSE Leap 15.5 VM on Azure.
On GCP itself you could simply use Cloud Shell, and obtaining credentials through the gcloud SDK there is straightforward, so I deliberately built the VM on a different platform to test the workstation case.
Install Terraform - see my earlier post https://sakananote2.blogspot.com/2023/12/terraform-in-opensuse-leap-155.html
Log in to openSUSE Leap 15.5
Check the current state
> ls ~/.config/gcloud/
active_config config_sentinel configurations default_configs.db gce logs
At this point terraform and the Google Cloud SDK have just been installed, and there are no credentials yet.
Initialize gcloud
> gcloud init
Welcome! This command will take you through the configuration of gcloud.
Your current configuration has been set to: [default]
You can skip diagnostics next time by using the following flag:
gcloud init --skip-diagnostics
Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.
Reachability Check passed.
Network diagnostic passed (1/1 checks passed).
You must log in to continue. Would you like to log in (Y/n)? Y
Go to the following link in your browser:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=31555942549.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fsdk.cloud.google.com%2Fauthcode.html&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=oxpO5ubmYhf7xOYF0yyADDXPA4pWkW&prompt=consent&access_type=offline&code_challenge=lQ7DbRpJUX1eFFBejQlR8qbiRoywmEgfJsgl4qx6Nbk&code_challenge_method=S256
Enter authorization code: <authorization code pasted from the browser>
Open the link in a browser, sign in, and paste the authorization code back into the terminal.
Select the default project.
Decide whether to set a default region and zone.
After initialization, look at the directory again:
> ls ~/.config/gcloud/
access_tokens.db config_sentinel credentials.db gce logs
active_config configurations default_configs.db legacy_credentials
Before running gcloud auth application-default login,
let's run Terraform directly and see what happens.
Following the official tutorial,
create a working directory
> mkdir learn-terraform-gcp
change into it
> cd learn-terraform-gcp
and create main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.51.0"
    }
  }
}

provider "google" {
  # credentials = file("<NAME>.json")
  project = "sakana-3"
  region  = "us-central1"
  zone    = "us-central1-c"
}

resource "google_compute_network" "vpc_network" {
  name = "terraform-network"
}
I deliberately left credentials commented out here.
Initialize and plan
> terraform init
> terraform plan
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block. No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'. Original error: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
│
│ with provider["registry.terraform.io/hashicorp/google"],
│ on main.tf line 10, in provider "google":
│ 10: provider "google" {
Terraform fails because it cannot find any credentials. Note what the error actually says: the provider looked for Application Default Credentials, not for the login that gcloud init created. gcloud init (and gcloud auth login) only authenticate the gcloud CLI itself, storing that login in credentials.db, and Google client libraries, the Terraform google provider included, never read that store.
Create local ADC credentials
> gcloud auth application-default login
Go to the following link in your browser:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=764186021852-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fsdk.cloud.google.com%2Fapplicationdefaultauthcode.html&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login&state=NdqQVFWU6dxpcH7eO5XqyqgGJalzr6&prompt=consent&access_type=offline&code_challenge=XrLVHJTkJCx00pDeoOEHSBLy9W0W-gWoZmc69lIEXSY&code_challenge_method=S256
Enter authorization code: <authorization code pasted from the browser>
Credentials saved to file: [/home/sakana/.config/gcloud/application_default_credentials.json]
These credentials will be used by any library that requests Application Default Credentials (ADC).
Quota project "sakana-3" was added to ADC which can be used by Google client libraries for billing and quota. Note that some services may still bill the project owning the resource.
Complete the browser flow with the authorization code as before.
The credentials are written to ~/.config/gcloud/application_default_credentials.json
This file holds an OAuth refresh token for your own Google account (type "authorized_user"), so anyone who can read it can act as you until it is revoked. gcloud creates it with mode 0600; keep it that way, keep it out of repositories and VM images, and when the lab is over run gcloud auth application-default revoke. The "quota project" line means that API calls made through these credentials are counted against sakana-3 for quota purposes.
A quick check that ADC now works, independent of Terraform (it prints a short-lived access token if ADC is set up correctly):
> gcloud auth application-default print-access-token
Look at the directory again
> ls ~/.config/gcloud/
access_tokens.db application_default_credentials.json configurations default_configs.db legacy_credentials
active_config config_sentinel credentials.db gce logs
Try again
> terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
+ create
Terraform will perform the following actions:
# google_compute_network.vpc_network will be created
+ resource "google_compute_network" "vpc_network" {
+ auto_create_subnetworks = true
+ delete_default_routes_on_create = false
+ gateway_ipv4 = (known after apply)
+ id = (known after apply)
+ internal_ipv6_range = (known after apply)
+ mtu = (known after apply)
+ name = "terraform-network"
+ project = (known after apply)
+ routing_mode = (known after apply)
+ self_link = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if
you run "terraform apply" now.
You can also apply for real
> terraform apply
It creates successfully, and you can see the network in the console.
When the exercise is over, clean up
> terraform destroy
The thing to notice in this experiment: my main.tf never sets credentials = file("<NAME>.json").
With ADC that argument is simply not needed; the provider finds the credentials on its own. The trade-off is that these are your personal user credentials rather than a dedicated Service Account, which is fine for a workstation but not something to copy into a shared or automated environment, where the documentation's other option, a Service Account on Google Cloud, is the better fit.
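To make the three states above concrete (fresh install, after gcloud init, after gcloud auth application-default login), here is an added example; it is not code from the original post, nor from Google or HashiCorp. It reports which credential source the Terraform google provider would pick up before you run terraform plan, and sanity-checks the ADC file. The lookup order is taken from the provider and ADC documentation: the provider's own env vars GOOGLE_CREDENTIALS / GOOGLE_CLOUD_KEYFILE_JSON / GCLOUD_KEYFILE_JSON / GOOGLE_OAUTH_ACCESS_TOKEN (the equivalents of the credentials and access_token arguments), then GOOGLE_APPLICATION_CREDENTIALS, then the gcloud ADC file. The JSON written by demo() is a constructed stand-in for application_default_credentials.json with placeholder values, and the function names adc_source and adc_describe are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for the
# credential lookup that produced the "could not find default credentials"
# error above. Lookup order follows the provider and ADC docs; the JSON in
# demo() is constructed, not real credentials.

# Print the credential source that would be used, in precedence order.
# $1 = gcloud config dir (defaults to the directory gcloud itself uses).
# Exit status: 0 = a usable source exists, 1 = nothing (terraform plan will
# fail exactly as in the post), 2 = a pointer is set but the file is unreadable.
adc_source() {
  cfg_dir="${1:-${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}}"
  # Provider-specific env vars carry key JSON, a key path or a token and win over ADC.
  for v in GOOGLE_CREDENTIALS GOOGLE_CLOUD_KEYFILE_JSON GCLOUD_KEYFILE_JSON GOOGLE_OAUTH_ACCESS_TOKEN; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then
      echo "provider-env:$v"
      return 0
    fi
  done
  # ADC step 1: an explicit pointer to a credentials file.
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    if [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
      echo "adc-env:$GOOGLE_APPLICATION_CREDENTIALS"
      return 0
    fi
    echo "adc-env-unreadable:$GOOGLE_APPLICATION_CREDENTIALS"
    return 2
  fi
  # ADC step 2: the file written by `gcloud auth application-default login`.
  if [ -r "$cfg_dir/application_default_credentials.json" ]; then
    echo "adc-file:$cfg_dir/application_default_credentials.json"
    return 0
  fi
  # credentials.db holds gcloud's *own* login (gcloud init / gcloud auth login).
  # Client libraries never read it, so Terraform still has nothing here.
  if [ -e "$cfg_dir/credentials.db" ]; then
    echo "none:gcloud-login-only"
  else
    echo "none"
  fi
  return 1
}

# Describe an ADC JSON file: its "type" (authorized_user = a user refresh
# token, service_account = a private key) and whether other accounts on the
# host could read it. Output: "<type> private" or "<type> group-or-world-readable".
adc_describe() {
  f="$1"
  [ -r "$f" ] || { echo "missing"; return 1; }
  t=$(sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1)
  [ -n "$t" ] || t="unknown"
  if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
    perm="group-or-world-readable"
  else
    perm="private"
  fi
  echo "$t $perm"
}

# Walk through the three states from the post in a throwaway config dir.
demo() {
  d=$(mktemp -d)
  cfg="$d/gcloud"
  mkdir -p "$cfg"
  echo "fresh install:      $(adc_source "$cfg")"
  : > "$cfg/credentials.db"   # state after gcloud init: CLI login only
  echo "after gcloud init:  $(adc_source "$cfg")"
  # Constructed stand-in for what gcloud auth application-default login writes.
  cat > "$cfg/application_default_credentials.json" <<'EOF'
{
  "client_id": "example.apps.googleusercontent.com",
  "client_secret": "constructed-placeholder",
  "quota_project_id": "sakana-3",
  "refresh_token": "constructed-placeholder",
  "type": "authorized_user"
}
EOF
  chmod 600 "$cfg/application_default_credentials.json"
  echo "after ADC login:    $(adc_source "$cfg")"
  echo "ADC file:           $(adc_describe "$cfg/application_default_credentials.json")"
  rm -rf "$d"
}

demo
```

Run it on the real machine with adc_source and no argument to see what terraform plan is about to use; "none:gcloud-login-only" is exactly the state that produced the error above, and a "group-or-world-readable" verdict from adc_describe means the refresh token is exposed to other users on the host.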
One more step forward with Terraform and GCP.
~ enjoy it
Reference
https://sakananote2.blogspot.com/2023/12/terraform-in-opensuse-leap-155.html
https://sakananote2.blogspot.com/2023/09/opensuse-leap-155.html
https://developer.hashicorp.com/terraform/tutorials/gcp-get-started
https://developer.hashicorp.com/terraform/tutorials/gcp-get-started/google-cloud-platform-build