To configure Terraform in your Google Distributed Cloud (GDC) air-gapped environment, you must download it and configure it to handle Kubernetes resources.
This document is for all audience groups that need to set up Terraform to manage their air-gapped hardware and software workflows. For more information, see Audiences for GDC air-gapped documentation.
Before you begin
- Download Terraform to your workstation following the documentation provided by HashiCorp: https://developer.hashicorp.com/terraform/install.
- Verify that you have an existing GDC storage bucket. If you don't have a storage bucket, create one. For more information, see Create storage buckets.
- Install the gdcloud CLI. For more information, see Use the gdcloud CLI.
- Generate the kubeconfig file for the API server or cluster that's hosting the resources you want to manage with Terraform. For more information, see Get a kubeconfig file.
Set up Terraform
To set up Terraform in your GDC environment, complete the following:
- Within your Terraform module, or collection of Terraform files on your workstation, create the `main.tf` file and add the following configuration:

  ```hcl
  terraform {
    backend "s3" {
      bucket                      = "BUCKET_FQN"
      key                         = "TF_STATE_PATH"
      endpoint                    = "BUCKET_ENDPOINT"
      skip_credentials_validation = true
      force_path_style            = true
      access_key                  = "ACCESS_KEY"
      secret_key                  = "SECRET_KEY"
    }
  }
  ```

  Replace the following:

  - BUCKET_FQN: the fully qualified name from the Bucket custom resource.
  - TF_STATE_PATH: the path of the Terraform state file to store in the storage bucket.
  - BUCKET_ENDPOINT: the endpoint from the Bucket custom resource.
  - ACCESS_KEY: the access key acquired from the secret containing your access credentials. For more information about acquiring the access key, see Obtain bucket access credentials.
  - SECRET_KEY: the secret key acquired from the secret containing your access credentials. For more information about acquiring the secret key, see Obtain bucket access credentials.
- Initialize your Terraform state file in the storage bucket you specified in the previous step:

  ```shell
  terraform init
  ```

  Terraform might ask for an AWS region as a required input, but the value is not used since you're using GDC object storage. Input any AWS region to satisfy the requirement.
- Deploy the `crd-viewer` cluster role resource and bind it to your user account:

  ```shell
  kubectl apply --kubeconfig KUBECONFIG -f - <<EOF
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: crd-viewer
  rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: crd-viewer-binding
  subjects:
  - kind: User
    name: USER_EMAIL
  roleRef:
    kind: ClusterRole
    name: crd-viewer
    apiGroup: rbac.authorization.k8s.io
  EOF
  ```

  Replace the following:

  - KUBECONFIG: the kubeconfig file of the API server or cluster that hosts the resources you're managing with Terraform.
  - USER_EMAIL: the email of the user to bind the role to.

  Deploy the `crd-viewer` role to each API server or cluster you want to use Terraform for.
- In the `main.tf` file, insert the following `required_providers` block:

  ```hcl
  terraform {
    required_providers {
      kubernetes = {
        source  = "hashicorp/kubernetes"
        version = ">=2.24.0"
      }
    }
  }
  ```

  This configuration installs the Kubernetes provider to provision and manage Kubernetes resources in your GDC environment.
- Initialize your Terraform working directory to install the provider:

  ```shell
  terraform init
  ```
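The following complete `main.tf` is an added example, not code from the GDC documentation. It combines the backend and `required_providers` fragments from the steps above, keeps the bucket access and secret keys out of the file so they are not committed with the module, points the Kubernetes provider at the kubeconfig generated earlier, and manages one resource. The `kubeconfig` variable, the `region` value and the namespace name are assumptions.

```hcl
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">=2.24.0"
    }
  }

  # State is stored in the GDC bucket. access_key and secret_key are deliberately
  # omitted here; supply them as a partial backend configuration at init time:
  #   terraform init \
  #     -backend-config="access_key=ACCESS_KEY" \
  #     -backend-config="secret_key=SECRET_KEY"
  # (or via the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables).
  backend "s3" {
    bucket                      = "BUCKET_FQN"      # from the Bucket custom resource
    key                         = "TF_STATE_PATH"   # path of the state file in the bucket
    endpoint                    = "BUCKET_ENDPOINT" # from the Bucket custom resource
    region                      = "us-east-1"       # assumed; required by the backend, unused by GDC
    skip_credentials_validation = true
    force_path_style            = true
  }
}

# Assumed variable: path to the kubeconfig of the API server or cluster that hosts
# the resources, passed as -var kubeconfig=KUBECONFIG on plan/apply.
variable "kubeconfig" {
  description = "Path to the kubeconfig file for the target API server or cluster"
  type        = string
}

provider "kubernetes" {
  config_path = var.kubeconfig
}

# Assumed sample resource: a namespace managed by Terraform, created by the user
# account bound to the crd-viewer role in the previous steps.
resource "kubernetes_namespace" "managed" {
  metadata {
    name = "terraform-managed"
  }
}
```

The bucket credentials and the kubeconfig path are never written to `main.tf`, only into the local `.terraform` directory and the command line at init and apply time.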

