As we’ve used Terraform workspaces to manage multiple environments, the preceding code selects the existing Terraform workspace whose name matches the current branch, or creates one if it does not exist. The branch name is obtained with ${GITHUB_REF##*/}, which strips everything up to the last slash from a ref such as refs/heads/dev. Workspaces are important here because we want to use the same configuration with different variable values for different environments. The Terraform workspaces correspond to environments, and environments correspond to Git branches. So, as we have the dev and prod environments, we have the corresponding Terraform workspaces and Git branches.
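The following POSIX shell script is an added example (not the book’s workflow code) that mirrors this branch-to-workspace mapping: it derives the name exactly as ${GITHUB_REF##*/} does, accepts only the dev and prod workspaces named above, and by default prints the terraform command instead of running it. The names workspace_from_ref, is_allowed_workspace, select_or_create_workspace, ALLOWED_WORKSPACES and DRY_RUN are assumptions of this example. It also shows why the bare suffix needs a guard: a feature/x branch, or the refs/pull/N/merge ref GitHub uses for pull request events, would otherwise silently create a workspace called x or merge.

```shell
#!/bin/sh
# Added example, not from the book. Workspaces = environments = branches.
ALLOWED_WORKSPACES="dev prod"

# Strip everything up to the last '/', exactly what ${GITHUB_REF##*/} does.
workspace_from_ref() {
  ref=$1
  echo "${ref##*/}"
}

# Return 0 if the name is one of the allowed workspaces, 1 otherwise.
is_allowed_workspace() {
  for w in $ALLOWED_WORKSPACES; do
    [ "$1" = "$w" ] && return 0
  done
  return 1
}

# Select the workspace for a ref, creating it only if it is an allowed one.
# With DRY_RUN=1 (the default) the terraform command line is printed, not run.
select_or_create_workspace() {
  ws=$(workspace_from_ref "$1")
  if ! is_allowed_workspace "$ws"; then
    echo "refusing to use workspace '$ws' derived from ref '$1'" >&2
    return 1
  fi
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "terraform workspace select $ws || terraform workspace new $ws"
  else
    terraform workspace select "$ws" || terraform workspace new "$ws"
  fi
}
```

In a workflow step you would call select_or_create_workspace "$GITHUB_REF" with DRY_RUN=0; any ref that does not map to dev or prod fails the step instead of provisioning a stray environment.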
From the Terraform and workflow configuration, we can deduce that we will need the following:
• A service account that Terraform uses to authenticate to the GCP APIs and that is authorized to create resources, plus a JSON key file for it that we need to add as a GitHub secret
• The project ID that we’ll configure as a GitHub secret
• A GCS bucket that we’ll use as a backend for Terraform
So, let’s go ahead and create a service account within GCP so that Terraform can use it to authenticate and authorize with the Google APIs. Use the following commands to create the service account, provide relevant Identity and Access Management (IAM) permissions, and download the credentials file:
$ PROJECT_ID=
$ gcloud iam service-accounts create terraform \
--description="Service Account for terraform" \
--display-name="Terraform"
$ gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:terraform@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/editor"
$ gcloud iam service-accounts keys create key-file \
--iam-account=terraform@$PROJECT_ID.iam.gserviceaccount.com
You will see a file called key-file within your working directory. Now, navigate to https://github.com//mdo-environments/settings/secrets/actions/new and create a secret named GCP_CREDENTIALS. For the value, print the contents of the key-file file (for example, with cat), copy them, and paste them into the value field of the GitHub secret.
Next, create another secret, PROJECT_ID, and specify your GCP project ID in the value field.
The next thing we need to do is create a GCS bucket for Terraform to use as a remote backend. To do this, run the following command:
$ gsutil mb gs://tf-state-mdo-terraform-${PROJECT_ID}
Additionally, we need to enable the GCP APIs that Terraform will use to create the resources. To do this, run the following command:
$ gcloud services enable iam.googleapis.com container.googleapis.com
So, now that all the prerequisites have been met, we can push our code to the repository. Run the following commands to do this:
$ git add --all
$ git commit -m 'Initial commit'
$ git push --set-upstream origin dev
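The preceding steps can be bundled into one script. The following is an added example, not the book’s code, that runs the same gcloud and gsutil commands with two guards a practitioner would want: it refuses to run when PROJECT_ID is empty (otherwise the service account e-mail would be malformed), and it adds key-file to .gitignore and verifies with git check-ignore that the key would not be swept up by the git add --all step above. It keeps the book’s roles/editor binding and bucket name, and additionally turns on object versioning for the state bucket. The function names, the RUN_BOOTSTRAP switch and the chmod on the key file are assumptions of this example; gcloud, gsutil and git are assumed to be on PATH when RUN_BOOTSTRAP=1.

```shell
#!/bin/sh
# Added example, not from the book: bootstrap the GCP prerequisites with guards.
set -eu

# Abort early instead of creating "terraform@.iam.gserviceaccount.com".
require_project_id() {
  [ -n "${PROJECT_ID:-}" ] || { echo "PROJECT_ID is not set" >&2; return 1; }
}

# The GCS backend bucket name used in the text, derived from the project ID.
state_bucket_name() {
  echo "tf-state-mdo-terraform-$1"
}

# Append a pattern to a .gitignore file unless it is already there (idempotent).
ensure_ignored() {
  pattern=$1
  file=${2:-.gitignore}
  touch "$file"
  grep -qxF "$pattern" "$file" || printf '%s\n' "$pattern" >> "$file"
}

# Exit 0 only if git would ignore the path, i.e. `git add --all` skips it.
key_is_ignored() {
  git check-ignore -q "$1"
}

bootstrap() {
  require_project_id
  key=key-file
  bucket="gs://$(state_bucket_name "$PROJECT_ID")"
  ensure_ignored "$key"
  gcloud services enable iam.googleapis.com container.googleapis.com
  gcloud iam service-accounts create terraform \
    --description="Service Account for terraform" \
    --display-name="Terraform"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:terraform@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/editor"
  gcloud iam service-accounts keys create "$key" \
    --iam-account="terraform@$PROJECT_ID.iam.gserviceaccount.com"
  chmod 600 "$key"                      # key is readable by the owner only
  gsutil mb "$bucket"
  gsutil versioning set on "$bucket"    # keep prior state versions recoverable
  key_is_ignored "$key" || {
    echo "refusing to continue: $key is not ignored and would be committed" >&2
    return 1
  }
}

# Only perform the real bootstrap when explicitly asked for.
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then bootstrap; fi
```

Run it from the root of the environment repository as PROJECT_ID=<your project id> RUN_BOOTSTRAP=1 sh bootstrap.sh; the GitHub secrets still have to be created by hand as described above.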
As soon as we push the code, we’ll see that the GitHub Actions workflow has been triggered. Soon, the workflow will apply the configuration and create the Kubernetes cluster. This should appear as follows:
Figure 12.8 – GitOps with GitHub Actions and Terraform
To verify whether the cluster has been created successfully, run the following command:
$ gcloud container clusters list
NAME: mdo-cluster-dev
LOCATION: us-central1-a
MASTER_VERSION: 1.27.3-gke.100
MASTER_IP: x.x.x.x
MACHINE_TYPE: e2-medium
NODE_VERSION: 1.27.3-gke.100
NUM_NODES: 3
STATUS: RUNNING
As you can see, the mdo-cluster-dev cluster is running successfully in the environment. If we make any changes to the Terraform configuration, the changes will automatically be applied. We’ve successfully created our environment using an environment repository. That is push model GitOps in action. Now, we need to run our application in the environment; to manage and deploy the application, we will need a dedicated CD tool. As stated previously, we will use Argo CD for this, so let’s look at it.