GCP Provider 使用指南 #
Provider 配置 #
基本配置 #
hcl
terraform {
  required_providers {
    google = {
      # Official HashiCorp provider; "~> 4.0" accepts any 4.x release and
      # refuses 5.0, so upgrades across a major version are deliberate.
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
  }
}
# Default provider. No `credentials` argument is given, so the provider
# authenticates via the environment variables or Application Default
# Credentials shown in the "认证方式" section.
provider "google" {
  zone    = "us-central1-a"
  region  = "us-central1"
  project = "my-project-id"
}
认证方式 #
hcl
# Key-file authentication. file() resolves the path relative to the module
# directory, so service-account.json sits next to the .tf files: add it to
# .gitignore so the key is never committed with the configuration, and rotate
# the key if it ever was.
provider "google" {
  credentials = file("service-account.json")
  project     = "my-project-id"
  region      = "us-central1"
}
使用环境变量:
bash
# The JSON literal is a placeholder for the full service-account key.
# Exporting the key inline records it in shell history and exposes it to every
# child process; GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json is the
# file-path alternative if that is a concern.
GOOGLE_CREDENTIALS='{"type":"service_account",...}'
GOOGLE_PROJECT="my-project-id"
GOOGLE_REGION="us-central1"
export GOOGLE_CREDENTIALS GOOGLE_PROJECT GOOGLE_REGION
使用 gcloud CLI:
bash
# Obtains user Application Default Credentials and stores them in the local
# gcloud configuration directory; they are used when no `credentials` argument
# or GOOGLE_CREDENTIALS variable is set. Suited to workstations, not CI.
gcloud auth application-default login
多项目配置 #
hcl
# Aliased provider for the production project; selected per resource with
# `provider = google.prod`.
provider "google" {
  alias   = "prod"
  region  = "us-central1"
  project = "prod-project-id"
}
# Aliased provider for the development project; selected per resource with
# `provider = google.dev`.
provider "google" {
  alias   = "dev"
  region  = "us-central1"
  project = "dev-project-id"
}
# Instance created through the "prod" alias, i.e. in prod-project-id rather
# than the default provider's project.
resource "google_compute_instance" "prod" {
  provider = google.prod

  zone         = "us-central1-a"
  machine_type = "e2-micro"
  name         = "prod-instance"
}
常用资源 #
VPC 网络 #
hcl
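resource "google_compute_network" "main" {
  name = "main-vpc"

  # Custom-mode VPC: subnets are declared explicitly (see the subnetwork
  # resource) instead of one auto-created subnet per region.
  auto_create_subnetworks = false

  # NOTE: google_compute_network has no `labels` argument, so the `labels`
  # block in the original is rejected as an unsupported argument at validate
  # time. Put environment labels on the instances/subnetworks instead.
}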
# Primary subnet plus two secondary ranges; the range names are referenced by
# the GKE cluster's ip_allocation_policy (pods / services).
resource "google_compute_subnetwork" "main" {
  network       = google_compute_network.main.id
  name          = "main-subnet"
  region        = "us-central1"
  ip_cidr_range = "10.0.0.0/24"

  # Alias IP range for GKE pods.
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.1.0.0/16"
  }

  # Alias IP range for GKE services (ClusterIPs).
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.2.0.0/16"
  }

  # Options worth considering for hardening: private_ip_google_access for
  # nodes without public IPs, and log_config for VPC flow logs.
}
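# Source ranges allowed to reach tcp/22. The original rule used 0.0.0.0/0,
# which exposes SSH on every instance in the VPC to the whole internet. The
# default here is Google's IAP TCP-forwarding range, so SSH is reached through
# `gcloud compute ssh --tunnel-through-iap` instead of a public address.
variable "ssh_source_ranges" {
  description = "CIDR ranges permitted to open SSH connections (default: IAP TCP forwarding range)."
  type        = list(string)
  default     = ["35.235.240.0/20"]
}

resource "google_compute_firewall" "ssh" {
  name    = "allow-ssh"
  network = google_compute_network.main.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # No target_tags, so the rule still applies to all instances in the network
  # (as before); narrow it with target_tags when only some need SSH.
  source_ranges = var.ssh_source_ranges

  # Firewall logging so accepted/denied SSH connections are visible in
  # Cloud Logging for detection and audit.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}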
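resource "google_compute_firewall" "http" {
  name    = "allow-http"
  network = google_compute_network.main.name

  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }

  # Public web traffic is expected on 80/443, so the open source range stays.
  source_ranges = ["0.0.0.0/0"]

  # FIX: without target_tags the rule applied to every instance in the VPC,
  # including databases/bastions. Restrict it to instances carrying the
  # "http-server" network tag (the web instance below sets that tag).
  target_tags = ["http-server"]
}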
计算实例 #
hcl
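resource "google_compute_instance" "web" {
  name         = "web-server"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  # Network tags; firewall rules can select this instance via target_tags.
  tags = ["web", "http-server"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
      size  = 20 # GB
    }
  }

  # Shielded VM (supported by debian-cloud images): secure boot, vTPM and
  # integrity monitoring surface boot-level tampering in Cloud Logging.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  network_interface {
    subnetwork = google_compute_subnetwork.main.id

    # An empty access_config assigns an ephemeral public IPv4 address. Remove
    # the block for an internal-only instance reached via IAP.
    access_config {
    }
  }

  metadata = {
    # FIX: Terraform's file() does not expand "~", so the original
    # file("~/.ssh/id_rsa.pub") fails at plan time; pathexpand() resolves the
    # home directory first. Alternatively set enable-oslogin = "TRUE" and
    # manage SSH access through IAM instead of metadata keys.
    ssh-keys = "user:${file(pathexpand("~/.ssh/id_rsa.pub"))}"
  }

  labels = {
    environment = "production"
  }

  # No service_account block: the instance runs as the project's default
  # Compute Engine service account. Attach a dedicated least-privilege account
  # for production workloads.
}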
Cloud Storage #
hcl
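resource "google_storage_bucket" "main" {
  name     = "my-unique-bucket-name" # bucket names are globally unique
  location = "US"

  # FIX: force_destroy = true lets `terraform destroy` delete every object
  # (and every retained version) of a production bucket without prompting.
  # Keep it false so a non-empty bucket blocks destruction.
  force_destroy = false

  # IAM-only access control; legacy per-object ACLs are disabled.
  uniform_bucket_level_access = true

  # Object versioning keeps prior versions for recovery from overwrite/delete.
  versioning {
    enabled = true
  }

  # Customer-managed encryption key. google_kms_crypto_key.bucket must be
  # declared elsewhere, and the Cloud Storage service agent needs
  # roles/cloudkms.cryptoKeyEncrypterDecrypter on that key before objects can
  # be written.
  encryption {
    default_kms_key_name = google_kms_crypto_key.bucket.id
  }

  labels = {
    environment = "production"
  }

  # public_access_prevention = "enforced" would block any allUsers /
  # allAuthenticatedUsers grant on this bucket; set it unless the bucket is
  # intentionally public.
}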
# Grants read access on every object in the bucket to the whole internet
# (allUsers = unauthenticated). Only appropriate for a bucket that serves
# public content; replace the member with a specific principal otherwise.
resource "google_storage_bucket_iam_member" "public" {
  member = "allUsers"
  role   = "roles/storage.objectViewer"
  bucket = google_storage_bucket.main.name
}
Cloud SQL #
hcl
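# Networks allowed to reach the instance's public IP. The original configuration
# authorized 0.0.0.0/0, which exposes the MySQL port to the entire internet;
# the default is now empty, so connections go through the Cloud SQL Auth Proxy
# or a private IP unless ranges are added explicitly.
variable "db_authorized_networks" {
  description = "CIDR ranges allowed to connect to the Cloud SQL public IP."
  type = list(object({
    name = string
    cidr = string
  }))
  default = []
}

resource "google_sql_database_instance" "main" {
  name             = "main-instance"
  database_version = "MYSQL_8_0"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"

    backup_configuration {
      enabled = true
      # Binary logging is required for point-in-time recovery on MySQL.
      binary_log_enabled = true
    }

    ip_configuration {
      ipv4_enabled = true
      # Reject unencrypted client connections.
      require_ssl = true

      dynamic "authorized_networks" {
        for_each = var.db_authorized_networks
        content {
          name  = authorized_networks.value.name
          value = authorized_networks.value.cidr
        }
      }
    }
  }

  # FIX: deletion_protection = false allowed `terraform destroy` to drop the
  # instance and its data; set it false temporarily only when removal is intended.
  deletion_protection = true
}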
# Logical database inside the instance above.
resource "google_sql_database" "main" {
  instance = google_sql_database_instance.main.name
  name     = "main-db"
}
# Database user. The password is taken from a variable rather than a literal;
# declare that variable with `sensitive = true` so it is redacted from plan
# output (it is still stored in plaintext in the state file, which must
# therefore be protected).
resource "google_sql_user" "main" {
  instance = google_sql_database_instance.main.name
  password = var.db_password
  name     = "admin"
}
GKE 集群 #
hcl
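resource "google_container_cluster" "main" {
  name     = "main-cluster"
  location = "us-central1" # region → regional (multi-zone) control plane

  # The default node pool is created and immediately removed so that node
  # configuration lives entirely in google_container_node_pool resources.
  remove_default_node_pool = true
  initial_node_count       = 1

  network    = google_compute_network.main.name
  subnetwork = google_compute_subnetwork.main.name

  # VPC-native cluster using the subnet's secondary ranges.
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  # Workload Identity lets pods authenticate as Google service accounts
  # instead of using the node's credentials; without it every pod inherits
  # the node service account. data.google_project.main is declared in the
  # 数据源 section.
  workload_identity_config {
    workload_pool = "${data.google_project.main.project_id}.svc.id.goog"
  }

  # Release channel keeps the control plane on a supported, patched version.
  release_channel {
    channel = "REGULAR"
  }

  # Further hardening to consider: private_cluster_config (no public node
  # IPs) and master_authorized_networks_config (restrict API-server access).
}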
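# Dedicated node service account. The original pool ran on the project's
# default Compute Engine service account with the cloud-platform scope, which
# in many projects carries the Editor role; a dedicated account with only the
# node role keeps a compromised node from reaching the rest of the project.
resource "google_service_account" "gke_nodes" {
  account_id   = "gke-main-nodes"
  display_name = "GKE main-cluster node service account"
}

# Minimum role for nodes to write logs/metrics and pull images.
resource "google_project_iam_member" "gke_nodes" {
  project = google_container_cluster.main.project
  role    = "roles/container.nodeServiceAccount"
  member  = "serviceAccount:${google_service_account.gke_nodes.email}"
}

resource "google_container_node_pool" "main" {
  name       = "main-node-pool"
  location   = "us-central1"
  cluster    = google_container_cluster.main.name
  node_count = 3 # per zone for a regional cluster

  node_config {
    preemptible  = false
    machine_type = "e2-medium"

    labels = {
      environment = "production"
    }

    # Access is bounded by the service account's IAM roles, not by the OAuth
    # scope, so the broad scope is acceptable together with a narrow account.
    service_account = google_service_account.gke_nodes.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]

    # Serve pod credentials via the GKE metadata server (Workload Identity)
    # and hide the node's own service-account token from pods.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }

    # Shielded nodes: secure boot and integrity monitoring.
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
  }
}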
Cloud Functions #
hcl
# Uploads the local function archive into the bucket; `source` is the local
# file path, `name` the object key. Repackage the zip to trigger a redeploy.
resource "google_storage_bucket_object" "source" {
  bucket = google_storage_bucket.main.name
  source = "function-source.zip"
  name   = "function-source.zip"
}
# 1st-gen HTTP-triggered Cloud Function deployed from the archive above.
resource "google_cloudfunctions_function" "main" {
  name        = "main-function"
  description = "My function"

  runtime             = "python310"
  entry_point         = "handler" # Python function name inside the archive
  available_memory_mb = 128

  source_archive_bucket = google_storage_bucket.main.name
  source_archive_object = google_storage_bucket_object.source.name

  # HTTP trigger; who may call it is decided by the IAM binding, not here.
  trigger_http = true

  labels = {
    environment = "production"
  }

  # No service_account_email: the function runs as the project's default
  # App Engine service account.
}
# allUsers = unauthenticated invocation from anywhere; the function then has
# to do its own request validation and rate limiting. For an internal
# endpoint grant roles/cloudfunctions.invoker to a specific principal instead.
resource "google_cloudfunctions_function_iam_member" "invoker" {
  cloud_function = google_cloudfunctions_function.main.name
  region         = google_cloudfunctions_function.main.region
  project        = google_cloudfunctions_function.main.project

  member = "allUsers"
  role   = "roles/cloudfunctions.invoker"
}
数据源 #
查询项目 #
hcl
# Reads project metadata (number, name, ...) for the given project ID.
data "google_project" "main" {
  project_id = "my-project-id"
}
查询镜像 #
hcl
# Resolves the newest image of the debian-11 family from the public
# debian-cloud project, so instances always boot the latest patched image.
data "google_compute_image" "debian" {
  project = "debian-cloud"
  family  = "debian-11"
}
查询 GKE 集群 #
hcl
# Looks up an existing cluster (not managed here) to obtain its endpoint and
# CA certificate for the kubernetes provider.
data "google_container_cluster" "main" {
  location = "us-central1"
  name     = "existing-cluster"
}
# Kubernetes provider authenticated with the current Google identity's
# short-lived OAuth token; the cluster CA from the data source pins the
# API-server certificate. Requires data.google_client_config.current.
provider "kubernetes" {
  token = data.google_client_config.current.access_token
  host  = "https://${data.google_container_cluster.main.endpoint}"

  cluster_ca_certificate = base64decode(
    data.google_container_cluster.main.master_auth[0].cluster_ca_certificate
  )
}
# Exposes the google provider's current credentials (access_token, project,
# region) so other providers can reuse them.
data "google_client_config" "current" {
}
最佳实践 #
1. 使用模块 #
hcl
# VPC built from the community network module instead of raw resources.
# Pin the module version (as done here) so upstream changes are reviewed.
module "vpc" {
  source  = "terraform-google-modules/network/google"
  version = "~> 7.0"

  project_id   = var.project_id
  network_name = "main-vpc"
  routing_mode = "GLOBAL"

  subnets = [
    {
      subnet_region = "us-central1"
      subnet_name   = "subnet-01"
      subnet_ip     = "10.10.10.0/24"
    }
  ]
}
2. 标签管理 #
hcl
# Label set shared by all resources so cost and ownership reports line up.
locals {
  common_labels = {
    managed_by  = "terraform"
    project     = var.project_name
    environment = var.environment
  }
}
# Illustrates applying local.common_labels. Note the address
# google_compute_instance.web is also used by the example in the 计算实例
# section; the two cannot live in the same root module.
resource "google_compute_instance" "web" {
  labels = local.common_labels

  zone         = "us-central1-a"
  machine_type = "e2-micro"
  name         = "web-server"
}
3. 启用 API #
hcl
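resource "google_project_service" "compute" {
  service = "compute.googleapis.com"

  # FIX: by default destroying this resource disables the API project-wide,
  # which breaks every VM/VPC not managed by this configuration.
  disable_on_destroy = false
}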
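resource "google_project_service" "container" {
  service = "container.googleapis.com"

  # FIX: by default destroying this resource disables the API project-wide,
  # taking down GKE clusters not managed by this configuration.
  disable_on_destroy = false
}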
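resource "google_project_service" "sqladmin" {
  service = "sqladmin.googleapis.com"

  # FIX: by default destroying this resource disables the API project-wide,
  # affecting Cloud SQL instances not managed by this configuration.
  disable_on_destroy = false
}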
下一步 #
掌握了 GCP Provider 后，接下来学习 Kubernetes Provider，了解如何管理 Kubernetes 资源！
最后更新:2026-03-29