HashiCorp Terraform is a powerful open-source infrastructure automation tool that enables you to provision and manage infrastructure as code. Google has been collaborating with HashiCorp since 2013 to enable customers who use Terraform and other HashiCorp tools to make optimal use of Google Cloud Platform (GCP) services and features. This codelab teaches you how to use Terraform to create a VM running a webserver on GCE with a public IP address.

What you'll learn

Self-paced environment setup

If you don't already have a Google Account (Gmail or Google Apps), you must create one. Sign in to the Google Cloud Platform console (console.cloud.google.com) and create a new project:

Remember the project ID, a unique name across all Google Cloud projects (the name above has already been taken and will not work for you, sorry!). It will be referred to later in this codelab as PROJECT_ID.

Next, you'll need to enable billing in the Cloud Console in order to use Google Cloud resources.

Running through this codelab shouldn't cost you more than a few dollars, but it could be more if you decide to use more resources or if you leave them running (see the "Clean up" section at the end of this document).

New users of Google Cloud Platform are eligible for a $300 free trial.

Start Cloud Shell

While Google Cloud can be operated remotely from your laptop, in this codelab you will be using Google Cloud Shell, a command line environment running in the Cloud.

From the GCP Console click the Cloud Shell icon on the top right toolbar:

It should only take a few moments to provision and connect to the environment. When it is finished, you should see something like this:

This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on Google Cloud, greatly enhancing network performance and authentication. All of your work in this lab can be done with simply a browser.

Before using Terraform, you must first install it locally. This will enable you to use the terraform CLI.

You could browse to the Terraform website, but this section will teach you how to download, verify, and install Terraform securely. Even though Terraform is downloaded over a TLS connection, it may still be possible for a skilled attacker to compromise the underlying storage system or network transport. For that reason, in addition to serving the binaries over TLS, HashiCorp also signs the checksums of each release with their private key. Thus, to verify the integrity of a download, we must:

  1. Import and trust HashiCorp's GPG public key
  2. Download the Terraform binary
  3. Download the Terraform checksums
  4. Download the Terraform checksum signature
  5. Verify the signature of the checksum against HashiCorp's GPG key
  6. Verify the checksums of the binary against the file

This way, even if an attacker were able to compromise the network transport and underlying storage component, they wouldn't be able to sign the checksums with HashiCorp's GPG key. If this operation is successful, we have an extremely high degree of confidence that the software is untainted.
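
The six steps above, written out by hand as an added example (not part of the original codelab and not HashiCorp's own tooling). It assumes the linux_amd64 build and the file naming used on releases.hashicorp.com, that HashiCorp's public key has already been imported, and that its fingerprint is supplied by the caller; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: manual form of steps 1-6. Function names are hypothetical.
# Assumptions: linux_amd64 build, release file naming as on
# releases.hashicorp.com, HashiCorp's public key already imported (step 1),
# and its fingerprint (40 uppercase hex digits) obtained out of band.

# Steps 2-4: download the archive, the checksum list and its signature.
fetch_release() (  # usage: fetch_release VERSION DEST_DIR
  base="https://releases.hashicorp.com/terraform/$1"
  for f in "terraform_${1}_linux_amd64.zip" \
           "terraform_${1}_SHA256SUMS" "terraform_${1}_SHA256SUMS.sig"; do
    curl -sSf --proto '=https' -o "$2/$f" "$base/$f" || exit 1
  done
)

# Step 5: the signature must verify AND come from the pinned key.
# A bare `gpg --verify` would accept any key present in the keyring.
verify_sums_signature() (  # usage: verify_sums_signature SUMS SIG FINGERPRINT
  case "$3" in ''|*[!0-9A-F]*) exit 1 ;; esac   # reject malformed pins
  status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || exit 1
  # The VALIDSIG status line ends with the primary key fingerprint.
  printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG .* $3\$"
)

# Step 6: check the archive against its own entry in the checksum list.
verify_file_checksum() (  # usage: verify_file_checksum SUMS FILE
  line="$(awk -v n="$(basename "$2")" '$2 == n' "$1")"
  [ -n "$line" ] || exit 1   # archive not listed: fail closed
  cd "$(dirname "$2")" || exit 1
  printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1
)

# Order matters: the checksum list is trusted only after step 5 passes.
verify_release() (  # usage: verify_release DIR VERSION FINGERPRINT
  sums="$1/terraform_${2}_SHA256SUMS"
  verify_sums_signature "$sums" "$sums.sig" "$3" &&
    verify_file_checksum "$sums" "$1/terraform_${2}_linux_amd64.zip"
)

# Typical use (needs network; FPR is a placeholder for the real fingerprint,
# hashicorp.asc a placeholder for the key file):
#   gpg --import hashicorp.asc
#   fetch_release 0.11.10 . && verify_release . 0.11.10 "$FPR" &&
#     unzip terraform_0.11.10_linux_amd64.zip -d "$HOME/bin"
```

Each function body runs in a subshell, so the `cd` and the variables do not leak into the calling shell.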

Since that process can be tedious, we will leverage a Docker container to do it for us. This shifts trust to the container image, which performs the verification on our behalf. Execute the following command to install Terraform locally. We install Terraform into $HOME/bin because that directory persists between restarts on Cloud Shell.

$ docker run -v $HOME/bin:/software sethvargo/hashicorp-installer terraform 0.11.10
$ sudo chown -R $(whoami):$(whoami) $HOME/bin/

Add the bin directory to our PATH:

$ export PATH=$HOME/bin:$PATH

Finally, optionally, explore the Terraform CLI help. Do not execute any non-help commands.

$ terraform -h

Enable the Google Compute Engine API. This only needs to be done once per project to make the API accessible.

$ gcloud services enable compute.googleapis.com

Add a Terraform config file that creates a compute instance with a unique name and an external IP. On startup, this compute instance will install Apache and overwrite the Apache web server's default web page. Because we need the instance to be reachable from any IP, we also add a firewall rule that allows HTTP traffic from anywhere to instances that have the http-server tag.

Download the Terraform configuration from GitHub:

$ curl -sSfO https://raw.githubusercontent.com/sethvargo/terraform-gcp-examples/master/public-instance-webserver/main.tf

There are a few things to note in the specification:

Terraform Configuration File

resource "google_compute_instance" "default" {
  name         = "vm-${random_id.instance_id.hex}"
  machine_type = "f1-micro"
  zone         = "us-west1-a"

  # ...
}

We can now run Terraform. First, initialize Terraform to download the latest version of the Google and Random providers.

$ terraform init

Run a plan step to validate the configuration syntax and show a preview of what will be created.

$ terraform plan

The plan output shows Terraform is going to create a google_compute_firewall_rule, a google_compute_instance, and a random_id resource.

Now run terraform apply to apply those changes:

$ terraform apply

You will see output like this:

Plan: 3 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value:

Enter "yes" to the prompt. After the apply has finished, you should see an output similar to the following.

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Outputs:

ip = <some value here...>

Copy and paste the value for the instance's IP into your web browser to see your server's welcome page! (Note: it can take a few minutes for the instance to boot and be provisioned).

When you no longer need the infrastructure you created, destroy it using the destroy command.

$ terraform destroy

Just like before, Terraform will prompt you for confirmation:

Plan: 0 to add, 0 to change, 3 to destroy.
Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.
  Enter a value:

Type "yes" and Terraform will destroy the infrastructure.

You learned how to run HashiCorp Terraform on Google Cloud to create a VM running a webserver.

Clean up

If you are done exploring, please consider deleting your project.

Learn More

License

This work is licensed under a Creative Commons Attribution 2.0 Generic License.