首先

这篇文章是 terraform Advent Calendar 2019 的第10天。
由于我试着使用 Terraform Cloud 来管理现有的 GCP 资源，所以想要介绍一下配置方法。

创建环境 (Zuò

.tf ファイルを GitHub で管理する
既存の GCP のリソースを .tf ファイルに自動変換する
branch を切って commit & push すると自動で terraform plan する
master branch に merge すると自動で terraform apply する
ローカル環境でも terraform plan が叩ける

负责管理的人

提前准备好的东西

• Terraform Cloud のアカウントと organization の登録

• Terraform Cloud を terraform の remote として利用するための設定

例: ~/.terraformrc に token を設定するなど

gcloud コマンドの設定

terraformer のインストール

在GCP上创建服务帐户

在GitHub上创建一个存储库。

完成后，将其克隆到本地。

在Terraform Cloud上创建工作区。

在Terraform Cloud上注册GCP的认证信息。

启用Terraform Cloud的自动应用功能

将设置更改为在GitHub上推送时自动执行terraform plan和terraform apply。

使用 terraformer 将现有的 GCP 资源导入

使用 terraformer 导入 GCP 资源。
为了使用 terraformer，需要配置 terraform provider，因此编写 google provider 的设置。

variable "GOOGLE_APPLICATION_CREDENTIALS_JSON" {
  type    = string
  default = ""
}

provider "google" {
  version     = "v3.1.0"
  project     = "bgpat-188622"
  credentials = var.GOOGLE_APPLICATION_CREDENTIALS_JSON
}

var.GOOGLE_APPLICATION_CREDENTIALS_JSON 存储了在 Terraform Cloud 上配置的 GCP 的认证信息。
由于默认值为空字符串，因此在本地运行时将使用 gcloud 命令的认证信息。

在放置文件后，运行terraform init并将google插件放置在缓存中。

$ terraform init

Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "google" (hashicorp/google) 3.1.0...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

使用 Terraformer import 将 GCP 资源转换为 .tf 文件。

$ terraformer import google --projects=bgpat-188622 --resources=dns
2019/12/10 07:55:53 google importing project bgpat-188622 region global
2019/12/10 07:55:54 google importing... dns
2019/12/10 07:55:59 Refreshing state... google_dns_record_set.tfer--bgpat-002D-dev_bgpat-002E-dev-002E--002D-NS
︙
2019/12/10 07:56:01 google Connecting.... 
2019/12/10 07:56:01 google save dns
2019/12/10 07:56:01 google save tfstate for dns

确认已经正确地导入了吗？

$ tree generated/
generated/
└── google
    └── bgpat-188622
        └── dns
            └── global
                ├── dns_managed_zone.tf
                ├── dns_record_set.tf
                ├── outputs.tf
                ├── provider.tf
                └── terraform.tfstate

4 directories, 5 files

由于Terraformer生成的文件不支持v0.12的语法，因此需要使用terraform 0.12upgrade进行转换。

$ terraform 0.12upgrade generated/google/bgpat-188622/dns/global/

This command will rewrite the configuration files in the given directory so
that they use the new syntax features from Terraform v0.12, and will identify
any constructs that may need to be adjusted for correct operation with
Terraform v0.12.

We recommend using this command in a clean version control work tree, so that
you can easily see the proposed changes as a diff against the latest commit.
If you have uncommited changes already present, we recommend aborting this
command and dealing with them before running this command again.

Would you like to upgrade the module in generated/google/bgpat-188622/dns/global?
  Only 'yes' will be accepted to confirm.

  Enter a value: yes

-----------------------------------------------------------------------------

Upgrade complete!

The configuration files were upgraded successfully. Use your version control
system to review the proposed changes, make any necessary adjustments, and
then commit.

从生成的目录中提取所需信息。

$ cp generated/google/bgpat-188622/dns/global/{dns_managed_zone.tf,dns_record_set.tf} ./

将 tfsate 同步到 Terraform Cloud

如果继续保持这样的状态，由于现有资源不存在于 tfstate 中，执行 apply 操作时将出错并尝试创建新资源。为了避免这种情况，将由 terraformer 生成的 tfstate 上传到 Terraform Cloud 中。

写 terraform 远程配置文件。
根据环境调整 organization 和 workspace.name。

terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "bgpat"

    workspaces {
      name = "bgpatdev-terraform"
    }
  }
}

再次执行 terraform init 命令，然后使用 terraform state push 将 tfstate 上传到 Terraform Cloud。

$ terraform init

Initializing the backend...

Successfully configured the backend "remote"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
$ terraform state push generated/google/bgpat-188622/dns/global/terraform.tfstate 
Releasing state lock. This may take a few moments...

确认动作

为了确认操作，我们将生成的文件进行 git commit 和 git push。

$ git checkout -b import
Switched to a new branch 'import'
$ git add dns_managed_zone.tf dns_record_set.tf provider.tf remote.tf
$ git commit -m 'Import by terraformer'
[import b0ffec7] Import by terraformer
 4 files changed, 109 insertions(+)
 create mode 100755 dns_managed_zone.tf
 create mode 100755 dns_record_set.tf
 create mode 100644 provider.tf
 create mode 100644 remote.tf
$ git push -u origin HEAD
Enumerating objects: 7, done.
Counting objects: 100% (7/7), done.
Delta compression using up to 8 threads
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.37 KiB | 1.37 MiB/s, done.
Total 6 (delta 0), reused 0 (delta 0)
remote: 
remote: Create a pull request for 'import' on GitHub by visiting:
remote:      https://github.com/bgpat/bgpat.dev-terraform/pull/new/import
remote: 
To https://github.com/bgpat/bgpat.dev-terraform
 * [new branch]      HEAD -> import
Branch 'import' set up to track remote branch 'import' from 'origin'.