Infrastructure as Code with Terraform in GCVE

We have seen a lot of Google Cloud VMware Engine over the last few months and for the entire time we have used click-ops to provision new infrastructure, networks and VM’s. Now we are going to the next level and we will be using Terraform to manage our infrastructure as code so that it is version controlled and predictable.

Installing Terraform

The first part of getting this working is installing Terraform on your local machine. Head over to Install Terraform CLI to find the instructions relevant to your operating system. Alternatively, you could also use Google’s Cloud Shell which has it already installed.

Grab the boostrap repo

To get you started on the right path, I have created a boostrap repo that you are free to use. If you wish to expand this repo to other areas of VMware, please submit a pull request and I will consider it.

This repo, if run out of the box, will create:

  • Teir 1 gateway (demo_lb_gateway) with a SNAT IP of
  • Network Segment named demo_10 with CIDR
  • A set of basic firewall rules to allow SSH, RDP, ICMP from RFC1918 addresses
  • A load balancer with two backends in a pool. (The backends don’t actually exist.)

Assuming you have git installed, run the command below: git clone

Walkthrough the code

* This file contains the versions of the terraform providers we will use. If you want to provision vSphere VM’s, add that provider in its own block in this file.

* Our credentials to NSX-T go in here along with any other global variables we need for other providers.

* All IP address definitions, including network CIDR ranges and DHCP server addresses go in this file.

* Any existing data objects you need from NSX-T can be defined within this file for easy reference.

* We define a DHCP server with a server address from the file.

* A firewall with its inbound & outbound ruleset is defined in here. A firewall is generally attached to a single gateway, so if you have multiple gateways and firewalls, split them into seperate files. NSX-T firewalls can also use tags/labels to define to/from addresses, networks and groups. These should be defined in below before being referenced in here.

* A list of our gateway Tier 1 routers. Since we cannot change the Tier 0 router within GCVE, it is simply a data object for us to reference.

* Load balancers are made up of the virtual server and a server pool. A virtual server can be a HTTP-HTTPS redirect, HTTPS or a TCP virtual server. Define them in this file.

* Generally you will need a number of SNAT/No SNAT rules for traffic between internal networks and/or the internet. These are defined in here.

* The firewall can also use policy groups (like tags/labels) the same way as a GCE firewall. Define your policy groups in here and then reference them in the firewall rules file above.

* A list of network segments with all its settings (e.g. DHCP config) should be defined in here.

Update the variables

Open the file and update the NSX Hostname, Username and Password to those of your NSX-T installation.

Now, I do NOT, for one second, condone saving secrets to git! It is not safe, even if your repo is private. Just don’t do it! How you handle secrets is up to you. I use Google Secrets Manager in my projects and have a special makefile that pulls these out on the fly.

Lights, Camera, Action!

Now to the business end! It is time to run a heap of commands to get terraform providers up and running as well as plan and apply the resources.

Run the following commands in order: Initilise terraform. This will install the required provider. terraform init Terraform plan will run through the code and ensure it looks sane and show you the changes terraform believes it needs to make. terraform plan Now to the action part, the apply command will actually go out to your NSX-T installation and create the resources. terraform apply

If you are lazy and don’t want to type ‘yes’ every time you apply some code, simply add -auto-approve to the apply command.