DE Zoomcamp 1.3.1 - Introduction to Terraform Concepts & GCP Pre-Requisites

00:00

hi everyone

00:01

so now we we are going to cover a

00:04

terraform and say we'll do that so

00:07

yeah let's start

00:08

hey everyone how's it going

00:10

so yeah today's session is uh the part

00:14

of the week one session where we are

00:16

we'll be covering the concepts of

00:18

terraform at an introductory level and

00:21

also how to set up your gcp

00:25

infrastructure using terraform so let's

00:27

get started

00:29

and

00:30

i'll just share my screen now

00:35

so terraform is actually an open source

00:38

tool

00:39

by hashicorp and

00:41

it lets you provision infrastructure

00:43

resources with declarative configuration

00:46

files these resources can be virtual

00:48

machines or containers or storage or

00:51

even networking resources

00:53

and apart from this terraform also uses

00:56

an iac style approach which supports

00:59

devops best practices for change

01:01

management which lets you manage

01:03

terraform configuration files and source

01:05

control to maintain an ideal provision

01:07

state for testing and production

01:09

environments

01:10

now what really is ise ise is

01:14

infrastructure as code

01:16

this allows

01:18

you to build it's a framework which

01:20

allows you to build change and manage

01:22

your infrastructure in a safe consistent

01:24

and repeatable way by defining resource

01:27

configurations that you can version

01:29

reuse and share so think of this as a

01:32

git version control but for

01:33

infrastructure

01:36

and this also allows you to manage the

01:37

infrastructure with configuration files

01:39

alone rather than through a graphical

01:42

user interface

01:43

so mainly the advantages are

01:47

it helps you manage your

01:49

infrastructure life cycle

01:51

in a very stack based deployment style

01:53

so basically you can deploy an entire

01:56

cluster of resources together

02:00

like create your entire set of resources

02:02

together and destroy it at any point in

02:04

time while all of these resources within

02:07

a cluster are connected with each other

02:09

you can also commit your configurations

02:11

to version control to safely collaborate

02:14

on your infrastructure

02:15

and the most important part is the

02:18

terraforms state

02:20

which allows you to track resource

02:22

changes throughout your deployments

02:24

so i'll explain more about that a little

02:26

later

02:27

so what we need is only two things here

02:30

one is the terraform client

02:33

which you can download from this link

02:35

based on whatever is your os type

02:38

and follow the instructions through and

02:40

i already have it installed so

02:43

i

02:44

won't exactly show you the steps but

02:46

it's just a two step two to three step

02:48

process and thread it will be

02:49

straightforward

02:51

and the other thing that you would need

02:52

is your gcp account

02:55

uh basically with your google

02:57

id you can also get a free account if

03:00

you have not

03:02

set up an account previously on that id

03:04

and the free version provides up to 300

03:07

euro credits uh this i mean euro in

03:10

terms of the region that we are

03:12

currently in which is germany uh based

03:15

on the region that you are set in you'll

03:17

be getting some free amount of credits

03:19

which would be

03:21

mostly more than enough for all of the

03:24

exercises that we'll be performing

03:26

throughout our course

03:27

uh this is also with a 90-day

03:31

life cycle

03:32

so you do not really need to worry if

03:34

you're going to like you know meet the

03:36

nd 20 so

03:38

so

03:40

as you can see here

03:42

i already have an account created and

03:45

i already have like a

03:47

first project set up for child but i can

03:51

walk you through creating the first

03:53

project and whatever things you'll be

03:55

needing in

03:57

terms of coordinating in terms of your

03:59

local client coordinating with the cloud

04:01

resources which is a service account and

04:03

im access and so on and so forth so

04:06

let's begin

04:08

so once you already have your

04:11

gcp account set up what you do is create

04:15

a project

04:16

i already have it but i will create a

04:19

new one here

04:22

and

04:23

let's call this something like

04:26

dtcde

04:28

whatever you feel like putting

04:31

um

04:32

my project id is dt dtcde

04:36

but i'm going to edit this and put this

04:39

to

04:41

something more unique which generally

04:43

happens so let me refresh this and okay

04:46

now it's set some unique project id for

04:49

myself

04:50

uh you can always customize it but

04:52

please make sure that i'm a unique

04:54

project id um across the entire gcp

04:57

environment

04:58

otherwise it won't

05:00

allow you to do that

05:02

all right so now

05:05

we create this

05:10

and we have a notification here that

05:12

it's creating a project

05:16

perfect now let's

05:19

wait so

05:20

now i'm switching to the project that we

05:23

just created

05:25

and

05:26

what we will do now is

05:28

go to

05:30

im admin

05:33

the service accounts

05:40

okay let's go ahead and create our

05:42

service account um so alexi do you know

05:45

what a sales account is

05:47

not really but

05:49

so i think the way i understood it

05:52

is that a service account is an account

05:54

that you create for a service as the

05:56

name suggests and service could be

05:58

anything

05:59

usually it's a service so it can be your

06:01

data pipeline or your

06:03

i don't know web service or something

06:04

like this but this is a specific project

06:06

that you work on

06:08

um like specific service

06:12

and everything that this service needs

06:15

will be configured here in this service

06:17

account

06:18

so like if a service needs to go to

06:20

cloud storage we will grant access to

06:22

this cloud storage in this service

06:24

account

06:25

and what it lets us

06:28

do is it will give us a

06:30

credentials some credentials and these

06:32

credentials will belong to this server

06:34

and then this server will get access to

06:37

all the things from gcp that we need

06:40

and

06:41

does it sound right

06:43

that is perfect yeah so in in a nutshell

06:46

services a service account is actually

06:48

an account for

06:50

as name suggests services so you

06:53

basically you won't need your owner's

06:56

account or the admin account for the

06:58

resources to interact with each other it

07:01

has restricted or limited permissions so

07:05

let's begin with

07:07

creating it so

07:09

let's um

07:10

call this service account dtcde

07:15

user or anything you would like to keep

07:18

it as

07:20

this does not need to be globally unique

07:22

because this in combination to the email

07:26

address of your project

07:29

will already make it globally unique so

07:31

you do not need to worry

07:33

um description can be anything you want

07:35

to put

07:36

maybe dtcd course something

07:39

so

07:41

let's go to next and let's let's use the

07:43

viewer um role for now but this is only

07:46

to begin with

07:48

all right and this step is not something

07:50

that we need for now but this is uh

07:53

useful if you're setting up production

07:55

environment and

07:57

want to

07:58

have multiple users associated to a

08:01

certain service account which share the

08:03

same level of permissions

08:05

okay and

08:08

let's click done

08:10

and

08:11

as you see here there is

08:13

there are no keys generated yet so what

08:16

we do is like

08:18

go here

08:19

to manage keys

08:22

and then

08:23

create a new key

08:25

let's keep it json so that in case you

08:28

ever want to break you know open the

08:30

file in the text editor and read and

08:32

retrieve your password you can always do

08:34

that

08:35

so

08:36

create it

08:38

and now

08:40

downloads it into your default default

08:43

download directory the other thing you

08:46

need is your sdk

08:48

which is a cli uh the google sdk which

08:51

is a cli tool in for you to interact

08:55

with your cloud services maybe list them

08:58

or maybe even authenticate your

09:01

google application credentials or the

09:02

service account key in order to interact

09:05

with the cloud from your local so so on

09:07

and so forth so in case you want to

09:10

check if your

09:12

gcloud is sdk is already installed then

09:15

you can do a gcloud hyphen v

09:18

and

09:20

you will see it here

09:22

um if you do not have it then i would

09:24

suggest

09:26

this link

09:27

and install it

09:29

from here

09:33

based on your os it will suggest which

09:36

which one you need to like you know

09:39

download and it's a very straightforward

09:40

installation process just follow it

09:42

through not for windows though so for

09:44

windows i prepared like a set of

09:46

instructions that we will include also

09:49

because i had

09:51

some problems doing that so i will

09:54

add a link to windows instructions there

09:57

i had to to try

09:59

multiple options before i finally had

10:01

one that worked

10:03

oh okay wow sorry to hear that

10:06

but yeah i guess

10:08

the google client is not um yet as

10:11

mature as the aws client or many

10:14

comparable providers but it's it's

10:17

getting there so hopefully we would have

10:19

uh like you know more stable client for

10:21

windows as well soon

10:24

cool but yeah thanks alexi for preparing

10:27

that um

10:29

so once you have the sdk installed

10:33

go to

10:34

go back to your instructions and set

10:37

your environment variable

10:40

google applications credentials

10:42

to the downloaded service key service

10:45

account key that you

10:47

have generated

10:49

now that we have our gcloud installed

10:53

we'll go look for our

10:55

service account key that we downloaded

10:58

so in because i'm using a mac os it by

11:02

default downloads into the download

11:04

directory in my home directory

11:07

and

11:08

my project is actually my project id is

11:12

global maxim

11:14

338113

11:16

so

11:17

the key should also be something related

11:21

to that let's search okay now we have it

11:24

there let me check the time stamp again

11:30

yes okay that we just generated

11:34

a few months ago so i am going to

11:43

set the google applications credentials

11:45

uh environment variable which is a

11:49

system um specific or let's say uh

11:53

google cloud specific um environment

11:56

variable for it to for for the for the

11:59

invite basically for the system or

12:01

google to understand that this is your

12:04

application key or the authentication

12:06

key and this is uh with which you have

12:10

to authenticate uh your other resources

12:13

so let me

12:17

set that

12:19

[Music]

12:21

and provide this key as the path

12:28

all right

12:29

and now

12:32

i use this command

12:35

[Music]

12:36

to to authenticate it so that it picks

12:40

up the key from this environment

12:41

variable

12:47

so

12:48

okay

12:49

so what's what what it is saying it what

12:52

it is saying is um

12:54

it was using and uh you know an earlier

12:58

uh default credentials which i had

13:00

already set up for myself uh mostly with

13:02

the owner account and now it's detected

13:05

a new set of keys

13:06

associated with a new project or a new

13:08

service account so

13:10

do i want to replace that so i will

13:13

set yes

13:15

and the next step is i have to

13:17

authenticate it so this will redirect me

13:20

to a browser link

13:21

i just choose my email

13:25

allow it

13:27

and now it says my cloud sdk is

13:30

authenticated with the

13:33

basically my local setup is

13:34

authenticated with the cloud environment

13:36

so

13:36

if you get this too congratulations your

13:39

local is now um able to interact with

13:41

the cloud deployment

13:44

i think this way of authenticating is

13:46

called o

13:47

auth way of authenticating that's not

13:50

the only one i think there is a

13:52

different one i think when i was playing

13:54

with this i came across with

13:56

across another one so i'll also have

13:58

this in the notes so you can check it

14:00

out

14:01

which doesn't involve a browser

14:04

but i think it's uh it's very similar

14:07

okay nice does it refresh the token on

14:10

your yeah i think it doesn't like let's

14:12

say when you do this on

14:14

some instance and you don't have access

14:16

to your browser you cannot actually

14:17

authenticate using all auth

14:20

then there is a different way of doing

14:22

this so i'll include this in notes

14:25

sounds like your sso and aws

14:28

which

14:29

which you refresh the token every time

14:31

in order to log in yeah

14:33

okay nice nice to know that

14:36

so

14:37

okay now we press now that you already

14:40

have your local setup ready

14:43

we proceed to the actual part

14:46

um

14:47

also just to show you this is the

14:50

download link for terraform and based on

14:53

your kind of os you can install it via

14:57

whichever package manager you're using

14:59

for example brew

15:01

or

15:02

choco or anything else

15:06

all right so

15:09

let's move on

15:14

i just want to add that

15:15

installing terraform on windows was

15:17

surprisingly smooth

15:19

so i just needed to unpack the

15:21

executable to a folder in my path

15:24

and that was it so it picked it up and

15:28

it just worked

15:29

so i was surprised

15:31

so usually on windows i need to

15:34

do a lot of googling to figure out how

15:35

to actually make things work

15:38

but this one was very smooth

15:41

nice

15:42

awesome

15:43

so

15:44

all right so what we're going to do with

15:46

this exercise now is create two

15:51

resources in the google environment one

15:53

is the cloud storage and one is uh the

15:56

bigquery warehouse

15:58

and we'll be explaining uh the concept

16:01

of like you know

16:03

those resources in the data sections but

16:06

for now uh

16:08

a cloud storage is actually a bucket in

16:12

in your gcp environment uh where you can

16:15

store the data in a manner of flat files

16:20

so if you've uh seen any local file

16:23

storage with directories and like with

16:25

csvs or jsons in it it it basically is

16:28

just like that

16:30

uh we also refer to it in our course as

16:33

a data lake uh which you will understand

16:36

as we proceed in the course but

16:39

a data lake is where we are going to

16:41

store all the raw data in a more

16:43

organized fashion uh partitioned by uh

16:47

more sensible directories and also

16:50

compressed with uh

16:53

like you know compressed with certain

16:55

file types not only with csvs and jsons

16:58

but also parquet files

17:00

and bigquery is actually

17:02

your google equivalent of data warehouse

17:05

where the data is like uh modeled into a

17:08

more structured format with fact and

17:10

dimension tables and like you know the

17:13

classical data warehouse concepts that

17:15

you may already be familiar with

17:17

all right but we will definitely explain

17:20

more about that in the upcoming lectures

17:22

but let's move on to the rest of the

17:24

setup

17:25

so now that your local is already

17:28

authenticated with the cloud environment

17:30

let's go and add more permissions for

17:34

your service account

17:35

um

17:37

this is the one that we just created

17:40

so

17:41

what we are going to do is uh we will

17:44

try to keep it simple for this tutorial

17:46

but it is not

17:47

advisable for a production environment

17:51

but we will

17:52

add

17:54

in order to create uh the google cloud

17:56

storage we'd add a storage admin

18:00

[Music]

18:03

do you know what this role actually does

18:04

i think it allows

18:06

to

18:07

create

18:09

buckets and then

18:11

create files there right and this is

18:13

what we need so our terraform job

18:15

needs to

18:17

go there to google cloud and create a

18:19

bucket there so right now we're granting

18:21

our service permissions to do that

18:24

that's correct right right right

18:26

so we are granting two kinds of storage

18:29

rules one is uh for

18:32

the bucket itself and the other is for

18:35

the objects within the bucket

18:38

and uh by admin it has it means it has

18:42

all the ownership level positions that

18:44

is create update um

18:47

delete uh write read and

18:50

yeah you know grant access across and so

18:52

on and so forth

18:54

um and in real production we would

18:57

restrict it to a particular

18:59

uh bucket for example right that's

19:01

that's right in in real production you

19:04

would not generally use the like you

19:07

know the self the google provided roles

19:10

the uh what you see here is actually the

19:13

predefined roads created by uh gcp

19:15

themselves in production what you would

19:17

do is actually custom create custom

19:20

roles

19:21

and associate specific permissions

19:24

uh associated to certain resources

19:27

but

19:28

for just for the simplicity of our

19:30

course we will keep it for uh to this

19:32

for now

19:34

yeah i guess it will make sense for it

19:36

to create maybe as

19:38

one service account for terraform which

19:40

will have all the admin roles and then

19:42

for another service for a different

19:44

service for our data pipeline it would

19:46

be a separate service with its own

19:48

permissions right

19:50

yes

19:50

yes that that's actually uh what uh like

19:53

you know the ideal production style is

19:56

uh with most companies so good point

20:00

cool and finally we are also going to

20:04

add a big query

20:07

oops a big query admin

20:10

because we also want to interact with

20:16

[Music]

20:18

bigquery we also need to enable apis so

20:22

what really happens is when the cloud

20:25

when the local environment interacts

20:27

with the cloud environment it does not

20:30

interact directly with the resource it

20:34

basically these apis are the enablers of

20:38

communication

20:40

so one is for the iam itself

20:43

and the other one is for im credentials

20:47

possibly i may have already

20:48

authenticated it but let's see

20:55

and i think it's important to to note

20:57

here that when you open this page you

21:00

have a

21:02

drop down list so for this one yeah so

21:05

at the top you have like a drop down

21:07

list with projects so you need to make

21:08

sure that you select the project for

21:10

which you want to authenticate like this

21:12

this one exactly because sometimes you

21:15

may have multiple projects

21:18

yes

21:19

good point

21:22

um another thing that i wanted to

21:24

mention is um

21:26

uh don't be like you know uh

21:28

worried about this uh currently i think

21:31

you should see only 300 credits in my

21:34

case it's 265 because i already have

21:36

multiple projects and multiple resources

21:38

created in each project so

21:41

i've already used some credits but

21:44

only some of it has been depleted so far

21:46

in like the last two weeks so i think we

21:49

have a lot more left to go

21:52

for you guys to run your experiments on

21:57

so okay once we have the apis enabled um

22:03

this is something that you've already

22:04

done

22:07

this is also something you've already

22:09

done but if your session has expired

22:11

then you can try it again

22:13

and now we begin with the terraform part