Reverse engineering a Terraform solution


I'm going to skip the part where I talk about what Terraform is, the benefits, the money you'll save, how much better your hair will look, and get straight to the part where I tell you how I solved my problem.

 

Scenario: I have a project where I'm working with a provider I've never used before: Google (or GCP). I need to deploy an HTTPS L7 Load Balancer with Terraform but I don't know this cloud very well.

 

I have plenty of Terraform experience with Azure and am quite comfortable with the platform, but the GCP cloud is new to me and how these resources link together is difficult to understand at first glance.


Solution: Looking at the Load Balancer instance, there's all these different resources I see in the provider: forwarding rules, URL maps, HTTP proxies, HTTPS proxies, Backends… I have no idea how this stuff is supposed to work together! I downloaded the modules Google published (here) but am still having difficulty implementing them in my environment. The plan would work fine, but applying it errored out.

 

So I had an idea: what if I deployed a load balancer in the GCP console then reverse engineered it to get a fix on what I need!

 

Using the GCP Console, I deployed all the basics I would need: a VM and a global external application load balancer. The Load Balancer included the SSL certificate, the Health Check, the Backend, and a Path Rule just to get fancy. The GCP Load Balancer needs an Instance Group as a backend, so I added my VM to an unmanaged instance group as well. Then I was able to work.

 

My network looks like this:

[Image: network diagram]

Looking into the GCP public module I downloaded, I took inventory of the modules I'd need. Some of the modules used the google-beta provider and since this is a client environment, I removed it and stuck with the proven google provider. I'm sticking with IPv4 so I'll skip all the IPv6 shenanigans.

  • google_compute_global_forwarding_rule
  • google_compute_target_https_proxy
  • google_compute_url_map
  • google_compute_backend_service
  • google_compute_health_check


Some things included in the public module, like the SSL cert and the Firewall rules, I am managing externally and don't want to include here.

I want to import these resources into state and use terraform plan to figure out the drift (and the basic configuration I need). Terraform has the functionality to import existing resources into the state file, but I had to figure out the 'address' of those resources. In GCP, this is known as the 'self_link'. I used the gcloud API to get these values with a list call to get the resources and a describe to show their self_link. Some of these names I configured and some I did not.

These are the commands I ran:

  • gcloud compute forwarding-rules list -> gcloud compute forwarding-rules describe fe-lb-reverse-tf-demo

https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/forwardingRules/fe-lb-reverse-tf-demo

  • gcloud compute target-https-proxies list -> gcloud compute target-https-proxies describe lb-reverse-tf-demo-target-proxy

https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/targetHttpsProxies/lb-reverse-tf-demo-target-proxy

  • gcloud compute url-maps list -> gcloud compute url-maps describe lb-reverse-tf-demo

https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/urlMaps/lb-reverse-tf-demo

  • gcloud compute backend-services list -> gcloud compute backend-services describe be-reverse-tf-demo

https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/backendServices/be-reverse-tf-demo

  • gcloud compute health-checks list -> gcloud compute health-checks describe hc-lb-reverse-tf-demo

https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/healthChecks/hc-lb-reverse-tf-demo

 

The target proxy resource also gave me the self_link to the SSL certificate!

https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/sslCertificates/ssl-reverse-tf-demo

 

This is everything I needed from the GCP side to run my import and rebuild my load balancer.

 

Now it's time to build out our tfvars file. I filled in the values I saw were required from the variables.tf, and where I needed to reference another resource I was able to use the self_links I pulled above. With a little massaging and figuring out what values I needed to match my existing state, I was able to get a successful plan! The plan gave me the terraform module addresses for my import targets.

  • google_compute_global_forwarding_rule.https[0]
  • google_compute_target_https_proxy.default[0]
  • google_compute_url_map.default[0]
  • google_compute_backend_service.default["be-reverse-tf-demo"]
  • google_compute_health_check.default["be-reverse-tf-demo"]

 

Now I'm finally able to run those imports!

 

terraform import 'google_compute_global_forwarding_rule.https[0]' 'https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/forwardingRules/fe-lb-reverse-tf-demo'

terraform import 'google_compute_target_https_proxy.default[0]' 'https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/targetHttpsProxies/lb-reverse-tf-demo-target-proxy'

terraform import 'google_compute_url_map.default[0]' 'https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/urlMaps/lb-reverse-tf-demo'

terraform import 'google_compute_backend_service.default["be-reverse-tf-demo"]' 'https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/backendServices/be-reverse-tf-demo'

terraform import 'google_compute_health_check.default["be-reverse-tf-demo"]' 'https://www.googleapis.com/compute/v1/projects/reverse-tf-demo/global/healthChecks/hc-lb-reverse-tf-demo'

 

Now I have imported my load balancer into my terraform state file! Not only that, but I have the terraform configuration I need to manage my load balancer using the public Google Terraform Module and I can deploy any other load balancers I need.
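The describe and import steps above can be collected into one script that also checks each self_link before it goes into state. This is an added example, not part of the original article or the Google module. The function names, the RESOURCES table layout and the RUN switch are assumptions made here; the project, resource names and Terraform addresses are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example: resolve each self_link, verify it, then print the import.
# PROJECT and the resource names are the ones shown in the article.
PROJECT="reverse-tf-demo"
API="https://www.googleapis.com/compute/v1"

# terraform address | gcloud command group | API collection | resource name
RESOURCES='google_compute_global_forwarding_rule.https[0]|forwarding-rules|forwardingRules|fe-lb-reverse-tf-demo
google_compute_target_https_proxy.default[0]|target-https-proxies|targetHttpsProxies|lb-reverse-tf-demo-target-proxy
google_compute_url_map.default[0]|url-maps|urlMaps|lb-reverse-tf-demo
google_compute_backend_service.default["be-reverse-tf-demo"]|backend-services|backendServices|be-reverse-tf-demo
google_compute_health_check.default["be-reverse-tf-demo"]|health-checks|healthChecks|hc-lb-reverse-tf-demo'

# Succeeds only if the link is exactly the global resource we expect in
# PROJECT, so a same-named resource from another project never lands in state.
self_link_ok() {  # usage: self_link_ok COLLECTION NAME LINK
  [ "$3" = "$API/projects/$PROJECT/global/$1/$2" ]
}

# Prints the import command, single-quoting the address so the shell
# passes [0] and ["key"] through untouched.
import_cmd() {    # usage: import_cmd ADDRESS LINK
  printf "terraform import '%s' '%s'\n" "$1" "$2"
}

# Looks up every self_link with gcloud and prints one import per resource.
# Returns non-zero on the first lookup or check that fails.
plan_imports() {
  while IFS='|' read -r addr group coll name; do
    # </dev/null keeps gcloud from consuming the table on stdin.
    link=$(gcloud compute "$group" describe "$name" --global \
             --project "$PROJECT" --format='value(selfLink)' </dev/null) || return 1
    self_link_ok "$coll" "$name" "$link" || {
      echo "unexpected self_link for $addr: $link" >&2; return 1; }
    import_cmd "$addr" "$link"
  done <<EOF
$RESOURCES
EOF
}

# Only contacts GCP when asked: RUN=1 prints the commands for review.
if [ "${RUN:-0}" = 1 ]; then plan_imports; fi
```

Run it with RUN=1 from the directory that holds the Terraform configuration, read the printed commands, then execute them.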


Hope you had fun on this journey with me.


More articles by Andrej Rosic
