
Infrastructure as Code (IaC) with Terraform


Mastering Terraform on Google Cloud: Modular design, state management, Cloud Foundation Toolkit, and automated provisioning pipelines for architects.


Introduction to IaC on Google Cloud

For a Professional Cloud Architect, Infrastructure as Code (IaC) is the foundation of a reliable, scalable, and auditable cloud environment. It moves infrastructure management from "manual clicks" to "declarative code," enabling version control, peer reviews, and automated testing.

While Google Cloud offers Deployment Manager, the industry standard and Google's primary recommendation is Terraform.

Infrastructure as Code (IaC): the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. On GCP, this is primarily achieved using HashiCorp Terraform. Reference: https://cloud.google.com/docs/terraform


Plain-Language Explanation: Infrastructure as Code

IaC is like the difference between cooking a meal from memory and using a world-class recipe.

Analogy 1 — The Master Recipe (The Code)

Manual configuration is like cooking by "feeling"—it might taste good once, but you'll never make it exactly the same way again. IaC is a Master Recipe. It lists every ingredient (VMs, Networks, Databases) and exactly how to combine them. If you need to "cook" the same environment for 10 different departments, you just follow the same recipe 10 times.

Analogy 2 — The Architectural Blueprint (The Plan)

Think of IaC as a Digital Blueprint for a skyscraper. Instead of building a wall and then realizing it's in the wrong place, you see the entire design on your screen first. You can run "simulations" (Terraform Plan) to see what will happen before you ever move a single brick. If the blueprint is approved by the safety inspectors (Peer Review), the building is constructed automatically.

Analogy 3 — The Time Machine (Version Control)

Because your infrastructure is code, you can use Version Control (Git). It's like having a Time Machine. If you deploy a change that breaks the network, you don't have to scramble to remember what you clicked. You just "undo" the last commit and travel back in time to the last known healthy state of your data center.


Core Terraform Concepts for Architects

1. Declarative vs. Imperative

  • Declarative (Terraform): You tell the system the "End State" (e.g., "I want 5 VMs"). The system figures out how to get there.
  • Imperative (gcloud scripts): You tell the system the "Steps" (e.g., "Create VM 1, then Create VM 2..."). This is harder to maintain and prone to errors.

2. State Management

The State File is the "Source of Truth" for Terraform. It maps your code to the real resources in GCP.

  • Remote State: Store state in a Cloud Storage (GCS) bucket. This allows teams to collaborate and provides state locking (to prevent two people from changing the same thing at once).
  • State Locking: Essential for preventing corruption during concurrent runs.
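As an added example (not from the page), a bootstrap root module that creates the state bucket with versioning, then the backend block that this and every other root module use to keep state in it; the project id and bucket name are placeholders.

```hcl
# Added example, not from the page. Placeholders: var.project_id and the bucket name.
variable "project_id" { type = string }

# Bootstrap root module: creates the state bucket. Run it once with local state, then
# move that state into the bucket with `terraform init -migrate-state`.
resource "google_storage_bucket" "tf_state" {
  name     = "example-org-tf-state"   # placeholder; bucket names are globally unique
  project  = var.project_id
  location = "US"

  # Keep prior state versions so a bad apply can be rolled back to a known-good state
  versioning {
    enabled = true
  }

  # Access is governed by bucket IAM only: no legacy object ACLs, never public.
  # State can contain secrets (passwords or keys the config reads), so grant
  # roles/storage.objectAdmin on this bucket only to the pipeline identity and state admins.
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  # A wrong plan must not be able to delete the state bucket itself
  lifecycle {
    prevent_destroy = true
  }
}

# After bootstrap, this and every other root module keep state in that bucket. The gcs
# backend holds an exclusive lock (a .tflock object next to the state) for the duration
# of a plan or apply, so two concurrent runs cannot both write state. Backend settings
# cannot reference variables, hence the literal bucket name.
terraform {
  backend "gcs" {
    bucket = "example-org-tf-state"   # placeholder, same bucket as above
    prefix = "env/prod/network"       # one prefix per root module keeps each state small
  }
}
```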

3. Modules

Modules are the "Lego Bricks" of your infrastructure.

  • Reusability: Create a standard "VPC Module" that includes subnets, firewalls, and logging, and reuse it across every project.
  • Consistency: Ensures that every team follows the same organizational standards.

The Cloud Foundation Toolkit (CFT)

The Cloud Foundation Toolkit is a set of Google-maintained Terraform modules that reflect best practices for security, networking, and governance.

  • Architect Tip: Don't reinvent the wheel. Use CFT modules for core components like Project Folders, VPCs, and IAM to ensure you're following Google's "Golden Path."
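An added example (not from the page or the Cloud Foundation Toolkit itself) for both the Modules and the CFT sections: the CFT network module is called once per project with for_each, so the same network baseline lands in every project and adding a project is a one-line change. The project ids and CIDR are placeholders, and the module version constraint is an assumption.

```hcl
# Added example, not from the page. Placeholders: project ids and CIDR. Assumes the CFT
# network module inputs project_id, network_name, routing_mode and subnets.
variable "spoke_projects" {
  description = "Projects that must all carry the same network baseline"
  type        = set(string)
  default     = ["app-team-a-prod", "app-team-b-prod"]   # placeholders
}

# One module instance per project. Adding a project to the set above is the whole
# change; the version pin means every project gets the same reviewed module code.
module "vpc" {
  for_each = var.spoke_projects
  source   = "terraform-google-modules/network/google"
  version  = "~> 9.0"   # assumption: pin to a reviewed major version

  project_id   = each.key
  network_name = "${each.key}-vpc"
  routing_mode = "GLOBAL"

  subnets = [
    {
      subnet_name           = "${each.key}-subnet-01"
      subnet_ip             = "10.10.10.0/24"   # placeholder; use non-overlapping ranges if VPCs will peer
      subnet_region         = "us-central1"
      subnet_private_access = "true"   # Private Google Access: reach Google APIs without external IPs
      subnet_flow_logs      = "true"   # VPC Flow Logs for detection and incident investigation
    }
  ]
}

# Outputs keyed by project, for downstream modules (firewall, GKE, and so on)
output "vpc_self_links" {
  value = { for p, m in module.vpc : p => m.network_self_link }
}
```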

Automated Provisioning Pipelines

Infrastructure should be deployed via CI/CD Pipelines (e.g., Cloud Build, GitHub Actions).

  • Plan Phase: Run terraform plan and post the output to a Pull Request for review.
  • Apply Phase: Once the PR is merged, the pipeline runs terraform apply to make the changes in production.
  • Security Scanning: Integrate tools like Terraform Validator or Checkov into the pipeline to catch security misconfigurations before they are deployed.

Config Connector and GitOps

Config Connector is a Kubernetes add-on that allows you to manage GCP resources using Kubernetes manifests.

  • GitOps: The "Desired State" is stored in Git. A controller (like Config Connector or Anthos Config Management) continuously monitors Git and ensures the GCP environment matches the code.
  • Self-healing: If someone manually deletes a VM in the console, Config Connector will notice the discrepancy and automatically recreate it.

Security Best Practices for IaC

  • Least Privilege: The service account used by the CI/CD pipeline should only have the permissions necessary to manage the specific resources in its scope.
  • Secret Management: Never hardcode secrets in .tf files. Use Secret Manager or environment variables.
  • Immutable Infrastructure: Instead of patching existing VMs, use IaC to destroy the old ones and provision new ones with the updated configuration.
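An added example (not from the page) covering both the Automated Provisioning Pipelines section and the Least Privilege point above: the plan-phase Cloud Build trigger defined in Terraform, running under a dedicated service account that holds only the roles this root module needs. The project id, GitHub owner/repo and state bucket name are placeholders; the terraform image tag and trigger layout are assumptions.

```hcl
# Added example, not from the page. Placeholders: project id, GitHub owner/repo, state
# bucket name. The terraform image tag and the trigger layout are assumptions.
variable "project_id" { type = string }

# Dedicated pipeline identity instead of the broad default Cloud Build service account
resource "google_service_account" "tf_pipeline" {
  account_id   = "tf-pipeline"
  display_name = "Terraform CI/CD pipeline"
}

# Grants scoped to what this root module manages (networking) plus build logging;
# never roles/owner or roles/editor
resource "google_project_iam_member" "pipeline_roles" {
  for_each = toset(["roles/compute.networkAdmin", "roles/logging.logWriter"])
  project  = var.project_id
  role     = each.key
  member   = "serviceAccount:${google_service_account.tf_pipeline.email}"
}

# Read/write the state objects only; the gcs backend lock is an object in this bucket
resource "google_storage_bucket_iam_member" "pipeline_state" {
  bucket = "example-org-tf-state"   # placeholder
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.tf_pipeline.email}"
}

# Plan phase: runs on every pull request and only plans. A separate trigger with
# push { branch = "^main$" } and "apply -input=false -auto-approve" is the apply phase.
resource "google_cloudbuild_trigger" "plan" {
  name            = "terraform-plan"
  service_account = google_service_account.tf_pipeline.id
  github {
    owner = "example-org"   # placeholder
    name  = "infra"         # placeholder
    pull_request { branch = "^main$" }
  }
  build {
    step {
      name = "hashicorp/terraform:1.6"   # pinned image, never :latest
      args = ["init", "-input=false"]
    }
    step {
      name = "hashicorp/terraform:1.6"
      args = ["plan", "-input=false", "-lock-timeout=5m"]
    }
    options { logging = "CLOUD_LOGGING_ONLY" }   # required when a custom service account is used
  }
}
```

A security scanning step (Terraform Validator or Checkov over the plan) sits between the plan step and posting the output to the PR.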

FAQ — Infrastructure as Code Provisioning

Q1. Why choose Terraform over Deployment Manager?

Terraform is cloud-agnostic (can manage multiple clouds), has a much larger community/ecosystem, and is currently Google's primary recommendation for large-scale infrastructure.

Q2. What happens if I lose my Terraform state file?

Losing the state file is a "disaster" scenario. Terraform will no longer know which resources it manages. You would have to manually "import" every resource back into a new state file, which is extremely time-consuming. Always use GCS for remote state with versioning enabled.

Q3. Can I use Terraform to manage non-GCP resources?

Yes. Terraform can manage SaaS products (like Datadog, Cloudflare, or PagerDuty) alongside your GCP infrastructure, allowing you to define your entire stack in code.

Q4. What is "Drift" in IaC?

Drift occurs when someone makes manual changes to resources in the GCP Console. This makes the real-world infrastructure different from the code. Regular terraform plan runs detect drift, and applying the plan brings the resources back in line with the code.

Q5. Is it better to have one giant Terraform file or many small ones?

Many small ones. Use a modular structure. Large state files become slow to process and increase the "blast radius" if something goes wrong.


Final Architect Tip

For the PCA exam, focus on State Management and Collaboration. Understand that Remote State in GCS with Locking is the only way for a team to safely use Terraform. Also, be familiar with the Cloud Foundation Toolkit as the preferred way to start a new landing zone. If a question asks about "maintaining consistency across 100 projects," the answer is Terraform Modules.
