Tuesday, January 30, 2024

GCP Authentication with Terraform Notes - ADCs


Terraform: 1.7.1-dev 

Google Cloud SDK 461.0.0.0

OS: openSUSE Leap 15.5 in Azure


Today I'm going to work through Terraform authentication methods.


If you have been practicing with the official Terraform documentation,



at some point you will probably wonder: when I use Terraform with GCP, do I always have to create a Service Account key? Or is there another way?


Quoting the official Terraform documentation here:


The Service Account key approach was already tried in the official Terraform tutorial.


Today's lab covers the Application Default Credentials (ADC) approach.


First I created an openSUSE Leap 15.5 VM on Azure.


Log in to openSUSE Leap 15.5.


Check the current state:


> ls  ~/.config/gcloud/


active_config  config_sentinel  configurations  default_configs.db  gce  logs


At this point terraform and the Google Cloud SDK have just been installed.


Initialize:

> gcloud init


Welcome! This command will take you through the configuration of gcloud.


Your current configuration has been set to: [default]


You can skip diagnostics next time by using the following flag:

  gcloud init --skip-diagnostics


Network diagnostic detects and fixes local network connection issues.

Checking network connection...done.                                                                                     

Reachability Check passed.

Network diagnostic passed (1/1 checks passed).


You must log in to continue. Would you like to log in (Y/n)? Y

Go to the following link in your browser:


    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=31555942549.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fsdk.cloud.google.com%2Fauthcode.html&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=oxpO5ubmYhf7xOYF0yyADDXPA4pWkW&prompt=consent&access_type=offline&code_challenge=lQ7DbRpJUX1eFFBejQlR8qbiRoywmEgfJsgl4qx6Nbk&code_challenge_method=S256


Enter authorization code: 4/0AfJohXlD7SgI9MOd7zfJLph0sKwGcU1p5_i5rwby9G32SjPE8yoBiUItUwe5V2OLda2gxw


  • Open the link and enter the authorization code
  • Select the default project
  • Decide whether to set a default region


After initialization, look at the directory again:


> ls  ~/.config/gcloud/


access_tokens.db  config_sentinel  credentials.db      gce                 logs

active_config     configurations   default_configs.db  legacy_credentials


Do not run gcloud auth application-default login yet.


Run Terraform directly and see what happens.


Following the official documentation:


Create the lab directory:

> mkdir  learn-terraform-gcp


Change into the working directory:

> cd  learn-terraform-gcp


Create main.tf:


terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.51.0"
    }
  }
}

provider "google" {
#  credentials = file("<NAME>.json")

  project = "sakana-3"
  region  = "us-central1"
  zone    = "us-central1-c"
}

resource "google_compute_network" "vpc_network" {
  name = "terraform-network"
}


  • Here I deliberately commented out credentials first


Initialize:

> terraform  init


> terraform  plan


Planning failed. Terraform encountered an error while generating this plan.


│ Error: Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block.  No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'.  Original error: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

│ 

│   with provider["registry.terraform.io/hashicorp/google"],

│   on main.tf line 10, in provider "google":

│   10: provider "google" {


  • The error occurs because no credentials could be found


Create local authentication credentials:


> gcloud  auth  application-default  login


Go to the following link in your browser:


    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=764186021852-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fsdk.cloud.google.com%2Fapplicationdefaultauthcode.html&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login&state=NdqQVFWU6dxpcH7eO5XqyqgGJalzr6&prompt=consent&access_type=offline&code_challenge=XrLVHJTkJCx00pDeoOEHSBLy9W0W-gWoZmc69lIEXSY&code_challenge_method=S256


Enter authorization code: 4/0AgJohXnEmaeA3UmFir2QTz_Dgi6zFJtvsWQqsu-t39J9jtI8Wli1CqxbEWrTFtJfYeEUug


Credentials saved to file: [/home/sakana/.config/gcloud/application_default_credentials.json]


These credentials will be used by any library that requests Application Default Credentials (ADC).


Quota project "sakana-3" was added to ADC which can be used by Google client libraries for billing and quota. Note that some services may still bill the project owning the resource.


  • Enter the authorization code, same as before
  • Credentials are written to ~/.config/gcloud/application_default_credentials.json


Check the directory again:


> ls ~/.config/gcloud/


access_tokens.db  application_default_credentials.json  configurations  default_configs.db  legacy_credentials

active_config     config_sentinel                       credentials.db  gce                 logs


Try again:


> terraform  plan


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the

following symbols:

  + create


Terraform will perform the following actions:


  # google_compute_network.vpc_network will be created

  + resource "google_compute_network" "vpc_network" {

      + auto_create_subnetworks         = true

      + delete_default_routes_on_create = false

      + gateway_ipv4                    = (known after apply)

      + id                              = (known after apply)

      + internal_ipv6_range             = (known after apply)

      + mtu                             = (known after apply)

      + name                            = "terraform-network"

      + project                         = (known after apply)

      + routing_mode                    = (known after apply)

      + self_link                       = (known after apply)

    }


Plan: 1 to add, 0 to change, 0 to destroy.


────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if

you run "terraform apply" now.


You can also run apply to test it for real:

> terraform  apply


Created successfully; you can also check it in the console.



Exercise finished, delete the resources:

> terraform  destroy


One thing worth noticing from this experiment: my main.tf did not use credentials = file("<NAME>.json").

In other words, when you use ADCs, that setting is not required.
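A small check script, added here and not part of the original post, that reports which ADC source the google provider would pick up on a host (GOOGLE_APPLICATION_CREDENTIALS first, then the file that gcloud auth application-default login writes) and flags an ADC file readable by other users. The JSON content in the demo is constructed with fake values; the metadata-server step of the ADC lookup is assumed and not probed.

```shell
# Added example (not from the original post): report which Application
# Default Credentials (ADC) source the google provider would load on this
# host, and check the hygiene of the file `gcloud auth application-default
# login` writes. Lookup order assumed: GOOGLE_APPLICATION_CREDENTIALS, then
# the well-known gcloud file; the GCE metadata step is not probed (offline).

# Print which ADC source applies. Argument: home directory (default $HOME).
adc_source() {
  home="${1:-$HOME}"
  well_known="$home/.config/gcloud/application_default_credentials.json"
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    if [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
      echo "env:$GOOGLE_APPLICATION_CREDENTIALS"
    else
      echo "env-unreadable:$GOOGLE_APPLICATION_CREDENTIALS"
    fi
  elif [ -r "$well_known" ]; then
    echo "gcloud:$well_known"
  else
    echo "none"   # provider would try the metadata server, then fail as in the post
  fi
}

# Credential kind inside an ADC JSON file: "authorized_user" for the file that
# `gcloud auth application-default login` writes, "service_account" for a key.
adc_type() {
  grep -o '"type": *"[^"]*"' "$1" | sed 's/.*: *"\([^"]*\)"/\1/'
}

# Return 0 only when the file is readable by its owner alone; it holds a
# long-lived refresh token, so group/other read access is a finding.
adc_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo on a constructed ADC file (fake values) in a temporary home directory.
adc_demo() {
  tmp=$(mktemp -d)
  f="$tmp/.config/gcloud/application_default_credentials.json"
  mkdir -p "$(dirname "$f")"
  printf '{"client_id":"fake","client_secret":"fake","refresh_token":"fake","type":"authorized_user"}\n' > "$f"
  chmod 600 "$f"
  echo "source=$(adc_source "$tmp") type=$(adc_type "$f") perms_ok=$(adc_perms_ok "$f" && echo yes || echo no)"
  rm -rf "$tmp"
}
```

Run adc_demo to see the report for the constructed file, or call adc_source with no argument to inspect the real login shell of a Terraform runner.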


Another step forward with Terraform and GCP.


~ enjoy it

