Script to configure encrypted GCS backend and GCP project-specific .tfvars for Terraform
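#!/usr/bin/env bash
# Bootstrap a Terraform GCS backend for one GCP project:
#   1. create a versioned state bucket if it is missing
#   2. enable the APIs the later steps depend on
#   3. create a Secret Manager secret holding the state encryption key if it is missing
#   4. run `terraform init` against that bucket with the customer-supplied key
#   5. link the project-specific tfvars file as terraform.tfvars
#
# Usage: terraform-init.sh PROJECT_ID [BACKEND_BUCKET] [ENCRYPTION_SECRET]
#   BACKEND_BUCKET    defaults to "<PROJECT_ID>-terraform"
#   ENCRYPTION_SECRET defaults to "tf-state"
set -euo pipefail

# Fail early with a usage line instead of set -u's "unbound variable" message.
GCP_PROJECT="${1:?usage: ${0##*/} PROJECT_ID [BACKEND_BUCKET] [ENCRYPTION_SECRET]}"
BACKEND_BUCKET="${2:-${GCP_PROJECT}-terraform}"

# Create the versioned state bucket only when it does not already exist.
# Checking existence first (rather than `if gsutil mb`) means a failed `mb` --
# missing permissions, or a name already taken by another project -- aborts the
# script under set -e instead of being silently treated as "already exists".
if ! gsutil ls -b "gs://${BACKEND_BUCKET}" >/dev/null 2>&1; then
  gsutil mb -p "${GCP_PROJECT}" "gs://${BACKEND_BUCKET}"
  # Object versioning keeps prior state revisions for recovery.
  gsutil versioning set on "gs://${BACKEND_BUCKET}"
fi

# Enable the APIs the rest of the script relies on; idempotent on re-runs.
gcloud services enable --project "${GCP_PROJECT}" \
  cloudresourcemanager.googleapis.com \
  secretmanager.googleapis.com

# Name of the Secret Manager secret that stores the Terraform state encryption key.
ENCRYPTION_SECRET="${3:-tf-state}"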
# Thin wrapper around `gcloud secrets`, pinned to GCP_PROJECT.
# Globals:   GCP_PROJECT (read)
# Arguments: the `gcloud secrets` subcommand and its flags, forwarded verbatim
# Returns:   gcloud's exit status
secret() {
  local -a gcloud_args=(--project "${GCP_PROJECT}" secrets)
  gcloud "${gcloud_args[@]}" "$@"
}
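# Create the encryption secret and its first version only when the secret is
# missing. An explicit `describe` check means a failed `create` (permissions,
# quota) aborts under set -e instead of being mistaken for "already exists".
if ! secret describe "${ENCRYPTION_SECRET}" >/dev/null 2>&1; then
  secret create "${ENCRYPTION_SECRET}" --replication-policy automatic
  # 32 random bytes, base64-encoded -- the customer-supplied key format GCS expects.
  python3 -c 'import base64, os; print(base64.b64encode(os.urandom(32)).decode("utf-8"))' \
    | secret versions add "${ENCRYPTION_SECRET}" --data-file -
fi

# Read the key back (works both right after creation and on re-runs).
# set -e aborts the script if the secret or its latest version cannot be accessed.
ENCRYPTION_KEY=$(secret versions access latest --secret "${ENCRYPTION_SECRET}")

# Hand the key to terraform through a private temp file (mktemp creates it 0600)
# rather than on the command line, so it does not show up in process listings
# or `set -x` traces. The value is base64, so it needs no escaping inside the
# HCL string. The file is removed on every exit path.
backend_cfg=$(mktemp)
trap 'rm -f -- "${backend_cfg}"' EXIT
printf 'encryption_key = "%s"\n' "${ENCRYPTION_KEY}" > "${backend_cfg}"

# Configure the GCS backend. terraform treats a -backend-config argument without
# "=" as a path to a key/value file, which is how the key is passed here.
terraform init \
  -backend-config "bucket=${BACKEND_BUCKET}" \
  -backend-config "${backend_cfg}"

# terraform init persists the backend configuration (including the values given
# via -backend-config, i.e. the key) in this file; keep it owner-readable only.
chmod 600 .terraform/terraform.tfstate

# Link the project-specific Terraform variable overrides; terraform plan/apply
# pick up terraform.tfvars automatically. Warn when the target is missing so a
# dangling link is noticed here rather than at the next terraform run.
tfvars="env/${GCP_PROJECT}.tfvars"
if [[ ! -f "${tfvars}" ]]; then
  printf 'warning: %s not found; terraform.tfvars will be a dangling link\n' "${tfvars}" >&2
fi
ln -sf "${tfvars}" "terraform.tfvars"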
Use simply as
./terraform-init.sh "${PROJECT_ID}"
(it doesn't have to be the same as your gcloud config project). This also works in automation (e.g. Cloud Build).
After that, you can use other Terraform commands as usual, e.g. simply
terraform plan
or terraform apply.