@dinvlad
Last active May 10, 2020 01:29
Script to configure encrypted GCS backend and GCP project-specific .tfvars for Terraform
#!/usr/bin/env bash
set -euo pipefail

# define GCP project and GCS bucket backend for Terraform state
GCP_PROJECT="$1"
BACKEND_BUCKET="${2:-${GCP_PROJECT}-terraform}"

# create versioned bucket if it doesn't exist, skip otherwise
# (running `mb` inside the `if` keeps `set -e` from aborting when the bucket already exists)
if gsutil mb -p "${GCP_PROJECT}" "gs://${BACKEND_BUCKET}" ; then
  gsutil versioning set on "gs://${BACKEND_BUCKET}"
fi

# enable APIs
gcloud services enable --project "${GCP_PROJECT}" \
  cloudresourcemanager.googleapis.com \
  secretmanager.googleapis.com

# create secret to encrypt Terraform state if the secret doesn't exist, skip otherwise
ENCRYPTION_SECRET="${3:-tf-state}"
secret() {
  gcloud --project "${GCP_PROJECT}" secrets "$@"
}
if secret create "${ENCRYPTION_SECRET}" --replication-policy automatic ; then
  # 32 random bytes, base64-encoded: the format GCS expects for a customer-supplied encryption key
  python3 -c 'import base64, os; print(base64.b64encode(os.urandom(32)).decode("utf-8"))' \
    | secret versions add "${ENCRYPTION_SECRET}" --data-file -
fi

# access the encryption secret (works both after creation and on re-runs)
ENCRYPTION_KEY=$(secret versions access latest --secret "${ENCRYPTION_SECRET}")

# configure GCS backend
terraform init \
  -backend-config "bucket=${BACKEND_BUCKET}" \
  -backend-config "encryption_key=${ENCRYPTION_KEY}"

# protect backend config (it stores the encryption key in plaintext)
chmod 600 .terraform/terraform.tfstate

# link to the GCP-project specific Terraform variable overrides;
# these will be picked up automatically by Terraform plan from the terraform.tfvars link
ln -sf "env/${GCP_PROJECT}.tfvars" "terraform.tfvars"
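The script above leaves three things behind that are easy to get subtly wrong: the secret version must hold a base64 encoding of exactly 32 bytes for GCS to accept it as a customer-supplied encryption key, the local `.terraform/terraform.tfstate` must really be mode 600 because it holds that key in plaintext, and `terraform.tfvars` must resolve to an existing `env/<project>.tfvars`. The following checks are an added example, not part of the gist; the function names, the `tf_postinit_check` wrapper and the sample directory layout in the comments are assumptions of this example. They run offline against a working directory where the script was executed and the key that was fed to `terraform init`.

```shell
#!/usr/bin/env sh
# Added post-init checks for the encrypted GCS backend workflow (example code, not the gist's).
# Assumptions: function names are hypothetical; the 32-byte requirement is what GCS
# customer-supplied encryption keys (CSEK) expect.

# Generate a 32-byte random key, base64-encoded on a single line
# (same format the gist produces with python3/os.urandom).
tf_csek_generate() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 only if $1 is base64 that decodes to exactly 32 bytes.
# A truncated or empty secret version would otherwise only surface when
# `terraform init` fails late, or be rejected by the bucket on first write.
tf_csek_valid() {
  decoded_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${decoded_len:-0}" -eq 32 ]
}

# Return 0 only if the local backend state file exists and is mode 600.
# After `terraform init` it contains the CSEK in plaintext, which is why the
# gist runs chmod 600 on it; this verifies that step actually took effect.
# GNU stat first, BSD stat as fallback.
tf_state_private() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  [ "$mode" = "600" ]
}

# Return 0 only if terraform.tfvars in $1 is a symlink pointing at
# env/<project>.tfvars for project $2, and that target file exists
# (a dangling link would make `terraform plan` silently run without overrides).
tf_tfvars_linked() {
  dir="$1"; project="$2"
  link="$dir/terraform.tfvars"
  [ -L "$link" ] || return 1
  [ "$(readlink "$link")" = "env/${project}.tfvars" ] || return 1
  [ -f "$dir/env/${project}.tfvars" ]
}

# Run all checks against a directory where the gist's script was executed;
# prints "ok" and returns 0 when everything is in place.
tf_postinit_check() {
  dir="$1"; project="$2"; key="$3"
  tf_csek_valid "$key" \
    || { echo "encryption key is not 32 base64-encoded bytes" >&2; return 1; }
  tf_state_private "$dir/.terraform/terraform.tfstate" \
    || { echo ".terraform/terraform.tfstate is not mode 600" >&2; return 1; }
  tf_tfvars_linked "$dir" "$project" \
    || { echo "terraform.tfvars does not link to env/${project}.tfvars" >&2; return 1; }
  echo "ok"
}
```

A typical call after the script has run is `tf_postinit_check . "$PROJECT_ID" "$(gcloud --project "$PROJECT_ID" secrets versions access latest --secret tf-state)"`; note that the key is passed as an argument and never written to disk by these checks.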
dinvlad commented May 10, 2020

Use simply as ./terraform-init.sh "${PROJECT_ID}" (it doesn't have to be the same as your gcloud config project).

This also works in automation (e.g. Cloud Build).

After that, you can use other Terraform commands as usual, e.g. simply terraform plan or terraform apply.
