This blog post demonstrates how to securely deploy infrastructure to Google Cloud Platform (GCP) using reusable GitHub Actions workflows and Terraform. We’ll showcase a demo pipeline leveraging pre-built templates for plan generation and infrastructure application, highlighting key security considerations and reusability benefits.
Target Audience: This post is geared towards developers, DevOps engineers, and security professionals interested in automating infrastructure deployments on GCP with security best practices and code re-use.
Project Goals: Our demo aims to:
- Automate secure infrastructure deployments using Terraform and GitHub Actions.
- Utilize reusable workflows for plan generation and deployment.
- Implement security measures like TFSec scanning and secrets management.
- Demonstrate pipeline reusability for deploying across different environments.
Benefits:
- Streamlined Deployments: Automate infrastructure changes with efficient plan generation and application.
- Improved Security: Leverage TFSec scanning for code quality checks and secrets management for secure credential storage.
- Enhanced Reusability: Reduce code duplication and maintenance with reusable workflows adaptable to various environments.
- Increased Efficiency: Focus on infrastructure logic while GitHub Actions handles the deployment orchestration.
Let’s dive into the code:
Reusable Workflows:
- terraform-plan.yml: This template automates Terraform plan generation with optional TFSec scanning. It accepts inputs like Terraform path, version, variables file, and GCP backend configuration.
- terraform-apply.yml: This template applies a pre-generated Terraform plan. It downloads the plan artifact from GitHub Actions and executes `terraform apply`.
Add the GCP service account key to the repository secrets in GitHub Actions:
Settings -> Secrets and variables -> Secrets -> click "New repository secret" -> enter the name the pipeline will use for the secret (we use TF_SA) and paste the content of the service account JSON file as the value.
Main Pipeline (pipeline.yml):
```yaml
name: 'Infra_build'
on:
  push:
    branches:
      - main
  pull_request:
permissions:
  contents: read
jobs:
  Dev_Plan:
    uses: littleworks-inc/gcp_terraform_demo/.github/workflows/terraform-plan.yml@main
    with:
      path: .
      tf_version: latest
      gcp_backend_bucket: gcp-gitlab-ci-demo-01
      gcp_backend_bucket_prefix: terraform
      tf_vars_file: dev.tfvars
      enable_TFSEC: true
      # environment: dev
    secrets:
      GOOGLE_CREDENTIALS: ${{ secrets.TF_SA }}
  Dev_Deploy:
    needs: Dev_Plan
    uses: littleworks-inc/gcp_terraform_demo/.github/workflows/terraform-apply.yml@main
    with:
      path: .
      tf_version: latest
      gcp_backend_bucket: gcp-gitlab-ci-demo-01
      gcp_backend_bucket_prefix: terraform
      tf_vars_file: dev.tfvars
      # environment: dev
    secrets:
      GOOGLE_CREDENTIALS: ${{ secrets.TF_SA }}
```
Explanation of Variables:
- `path`: Path to your Terraform configuration directory.
- `tf_version`: Terraform version (optional, defaults to latest).
- `gcp_backend_bucket`: GCP Storage bucket for Terraform state files.
- `gcp_backend_bucket_prefix`: Folder within the bucket for state files.
- `tf_vars_file`: Terraform variables file defining configuration values.
- `enable_TFSEC`: Enable TFSec scanning for code quality checks (optional).
- `GOOGLE_CREDENTIALS`: GCP service account secret stored in GitHub Actions.
Redeploying Across Environments:
This pipeline's beauty lies in its reusability. By changing specific inputs, you can adapt it to deploy to different environments:
- Environment-specific variables: Create separate `tf_vars` files for each environment (e.g., `dev.tfvars`, `prod.tfvars`). Reference the appropriate file based on the environment you're deploying to.
- Secret management: Store environment-specific credentials for GCP accounts using different secrets in GitHub Actions. Reference the relevant secret based on the environment.
- Conditional deploy jobs: Consider using environment variables or labels to trigger specific deploy jobs for different environments.
Remember:
- Securely store GCP credentials using secrets management in GitHub Actions.
- Regularly scan your Terraform code for security vulnerabilities using TFSec.
- Adapt the pipeline and variables to fit your specific infrastructure and environment needs.
Additional Resources:
By leveraging reusable workflows and best practices, you can achieve secure and efficient infrastructure deployments on GCP using GitHub Actions and Terraform.
This is just a starting point. Feel free to customize and expand upon this demo to suit your project’s requirements. And remember, security should always be a top priority!