GCP Archives - For all your terraform needs
https://terraformarchitect.com/category/gcp/
Automation cannot be an afterthought (TM)

Terraform for IAM resource creation
https://terraformarchitect.com/gcp/terraform-for-iam-resource-creation/
Mon, 21 Aug 2023 14:06:43 +0000

Overview

Is Terraform a suitable tool for creating and managing cloud IAM resources? The short answer is no, especially if you are going to be dealing with a large number of such creation requests.

Time taken to apply terraform for IAM

Terraform has to check whether the IAM resource already exists, across all buckets that store state. This could take hours. Can you afford to wait hours for a simple identity creation or a role assignment?

State drift – Console based roles and assignments

Certain IAM actions performed via the console will cause state drift. The next run of your IAM script will not pick these up and will essentially wipe them out.

Of course, if you have IAM creation etc. locked out for console users, you will not face this particular issue.

Summary

For smaller scoped IAM requests – say you have a dozen or so requests to deal with – terraform for IAM may be a workable solution.

Error – ‘registry.terraform.io/hashicorp/local: there is no package for registry.terraform.io/hashicorp/local cached in .terraform/providers’
https://terraformarchitect.com/gcp/terraform-apply-fails/
Wed, 19 Oct 2022 13:11:20 +0000

terraform init, terraform init -upgrade or terraform apply fails with this error message:

The installed provider plugins are not consistent with the packages selected in the dependency lock file:
│ – registry.terraform.io/hashicorp/azurerm: the cached package for registry.terraform.io/hashicorp/azurerm x.y.x. (in .terraform\providers) does not match any of the checksums recorded in the dependency lock file
│ – registry.terraform.io/hashicorp/random: there is no package for registry.terraform.io/hashicorp/random 3.4.3 cached in .terraform\providers

Resolution

Step 1 – Look for the lock file (.terraform.lock.hcl) in your current module. Delete it.

Step 2 – Re-run terraform init -upgrade
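
Deleting the lock file also discards the provider checksums it pinned, so it is worth keeping a copy and comparing it with the file that terraform init -upgrade regenerates. The script below is an added example, not part of the original post; the function names lock_pins and lock_changes and the .bak file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare provider pins before and after regenerating
# the Terraform dependency lock file.
#
# Typical use around the two steps above:
#   cp .terraform.lock.hcl .terraform.lock.hcl.bak
#   rm .terraform.lock.hcl && terraform init -upgrade
#   sh lockdiff.sh .terraform.lock.hcl.bak .terraform.lock.hcl

# lock_pins FILE
# Print one "provider version hash" line per hash recorded in FILE,
# sorted so that two files can be compared line by line.
lock_pins() {
  awk '
    /^provider "/           { split($0, p, "\""); prov = p[2] }
    /^[ \t]*version[ \t]*=/ { split($0, v, "\""); ver = v[2] }
    /^[ \t]*"(h1|zh):/      { split($0, h, "\""); print prov, ver, h[2] }
  ' "$1" | sort
}

# lock_changes OLD NEW
# Print every pin that exists in only one of the two files
# ("<" = only in OLD, ">" = only in NEW).
# Returns 0 when the pins are identical, 1 when anything changed.
lock_changes() {
  old=$(mktemp)
  new=$(mktemp)
  lock_pins "$1" > "$old"
  lock_pins "$2" > "$new"
  if diff "$old" "$new" | grep '^[<>]'; then
    changed=1
  else
    changed=0
  fi
  rm -f "$old" "$new"
  return "$changed"
}

# When called with two lock files, report the differences.
if [ "$#" -eq 2 ]; then
  lock_changes "$1" "$2"
fi
```

Any ">" line is a provider version or checksum that Terraform will now trust; review it before committing the new lock file.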

What if there is no Terraform Support for certain GCP Features?
https://terraformarchitect.com/gcp/what-if-there-is-no-terraform-support-for-certain-gcp-features/
Sun, 03 Jul 2022 21:56:18 +0000

Sometimes a particular GCP feature lacks Terraform support (e.g. using asset manager to retrieve all resources, or uploading a file to a Kubernetes pod).

terraform-google-gcloud

This module allows you to use gcloud, gsutil, or any gcloud component in Terraform.

This module does not create any resources on GCP itself; rather, it exposes the GCP SDK to you for usage in null resources and external data resources.

What about accomplishing the same thing on Azure?

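provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "TFRDemo"
  location = "" # left empty in the original post; set an Azure region here

  # Runs the Azure CLI on the machine executing Terraform after the resource is created
  provisioner "local-exec" {
    command = "az account show --output table"
  }
}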

More on Remote State and State Files
https://terraformarchitect.com/gcp/more-on-remote-state-and-state-files/
Sun, 03 Jul 2022 21:55:46 +0000

State file locking is something Terraform does by default. But what if the actual backend does not support locking (e.g. S3 by itself doesn’t – S3 with DynamoDB does)?

If locking of the state file is not natively supported, you must ensure that you do a terraform state pull each time before resuming your work. (Also see Managing Terraform State.)

Summary

Check HashiCorp’s documentation to determine whether a backend supports locking or not. E.g. S3 doesn’t support locking by default, but with a little effort, you can make S3 remote state capable of locking.

Terraform SaaS versus Terraform Enterprise (TFE)
https://terraformarchitect.com/gcp/terraform-saas-versus-terraform-enterprise-tfe/
Wed, 19 Jan 2022 05:20:09 +0000

This is a work in progress….
How does Terraform Cloud SaaS work?
Through IP Range API and Remote Access
Licensing
TFE licensing is per workspace (state files)

License for SaaS is per user

How many Pipelines?
https://terraformarchitect.com/cicd-pipelines/how-many-pipelines/
Mon, 12 Jul 2021 02:17:01 +0000

Also read How many Non Prod Environments should you have?

The TWO most commonly implemented ones would be the managed infrastructure services pipeline (or just infra pipeline) and the app pipeline.

A Foundational Pipeline would include setting up the original organization and folder structure in GCP.

[Figure: application and infrastructure pipelines GCP]

Deep Monitoring – Vulnerability Management on GCP VMs
https://terraformarchitect.com/gcp/deep-monitoring-vulnerability-management-on-gcp-vms/
Fri, 11 Jun 2021 20:12:33 +0000

First, let us distinguish between Image Protection and Instance Protection.

Instance Protection – Protection of a running instance

   GCP Shielded VMs – Vulnerability Management built in

Image Protection – Protection of images before they become instances (golden images)

Qualys SaaS Portal

  •    Dashboard displaying violations
  •    No Remediation Possible

Prisma SaaS

  •   Remediation of certain violations Possible

Rapid 7

Prisma SaaS versus Qualys

Work in progress
