Lab setup instructions and requirements
Protect your account and progress. Always use a private browser window and lab credentials to run this lab.

Terraform Essentials: Firewall Policy

Lab, 30 minutes, 1 credit, Introductory
This lab may incorporate AI tools to support your learning.

gem-terraform-fw-rule-create


Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

  1. Click **Activate Cloud Shell** at the top of the Google Cloud console.

When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. The output contains a line that declares the PROJECT_ID for this session:

Your Cloud Platform project in this session is set to YOUR_PROJECT_ID

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  2. (Optional) You can list the active account name with this command:

         gcloud auth list

  3. Click Authorize.

  4. Your output should now look like this:

     Output:

         ACTIVE: *
         ACCOUNT: student-01-xxxxxxxxxxxx@qwiklabs.net

         To set the active account, run:
             $ gcloud config set account `ACCOUNT`

  5. (Optional) You can list the project ID with this command:

         gcloud config list project

     Output:

         [core]
         project = <project_ID>

     Example output:

         [core]
         project = qwiklabs-gcp-44776a13dea667a6

Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

Overview

This lab guides you through creating a firewall rule in Google Cloud using Terraform. You will learn how to define a firewall rule resource, configure its properties, and apply it to your Google Cloud project. This lab assumes you have a basic understanding of Google Cloud and Terraform.

Task 1. Configure Google Cloud Project

Before you begin, configure your Google Cloud project. This includes setting the project ID, region, and zone. Also, enable the IAM API.

  1. Set your Project ID:

         gcloud config set project PROJECT_ID

     Note: This command sets your active project.

  2. Set your default region:

         gcloud config set compute/region REGION

     Note: This command sets your active compute region.

  3. Set your default zone:

         gcloud config set compute/zone ZONE

     Note: This command sets your active compute zone.

Task 2. Create a Cloud Storage Bucket for Terraform State

Terraform uses a state file to track the resources it manages. For collaboration and persistence, it's best to store this state file in a remote backend like Google Cloud Storage (GCS).

  1. Create a Cloud Storage bucket. Ensure the bucket name is globally unique and prefixed with your project ID:

         gcloud storage buckets create gs://PROJECT_ID-tf-state \
           --project=PROJECT_ID \
           --location=REGION \
           --uniform-bucket-level-access

     Note: This command creates a Cloud Storage bucket in the specified region to store the Terraform state file.

  2. Enable versioning on the GCS bucket:

         gsutil versioning set on gs://PROJECT_ID-tf-state

     Note: This enables versioning on the bucket.

Task 3. Defining the Firewall Rule in Terraform

Now, you will define the firewall rule using Terraform's configuration language.

  1. Create a new directory for your Terraform configuration files.

         mkdir terraform-firewall && cd $_

     Note: This creates a new directory and changes the current directory to it.

  2. Create a file named firewall.tf and add the following code to define a firewall rule that allows SSH traffic (port 22) to instances with the tag ssh-allowed.

         # Allow SSH (TCP 22) from any IPv4 source to instances tagged ssh-allowed
         resource "google_compute_firewall" "allow_ssh" {
           name    = "allow-ssh-from-anywhere"
           network = "default"
           project = "PROJECT_ID"

           allow {
             protocol = "tcp"
             ports    = ["22"]
           }

           source_ranges = ["0.0.0.0/0"]
           target_tags   = ["ssh-allowed"]
         }

     Note: This configuration creates a firewall rule named `allow-ssh-from-anywhere` that allows TCP traffic on port 22 from any source IP address (0.0.0.0/0) to instances tagged with `ssh-allowed`.

  3. Create a variables.tf file to define variables used in firewall.tf and main.tf.

         variable "project_id" {
           type    = string
           default = "PROJECT_ID"
         }

         variable "bucket_name" {
           type    = string
           default = "PROJECT_ID-tf-state"
         }

         variable "region" {
           type    = string
           default = "REGION"
         }

     Note: This creates variables for the project ID, bucket name, and region.

  4. Create an outputs.tf file to output the firewall rule name.

         output "firewall_name" {
           value = google_compute_firewall.allow_ssh.name
         }

     Note: This outputs the name of the firewall rule.

Task 4. Applying the Terraform Configuration

Now you will apply the Terraform configuration to create the firewall rule in your Google Cloud project.

  1. Run terraform init to initialize the working directory.

         terraform init

     Note: This command downloads the Terraform provider for the configuration files.

  2. Run terraform plan to preview the changes Terraform will make.

         terraform plan

     Note: This command shows the planned changes without applying them.

  3. Run terraform apply to apply the configuration and create the firewall rule.

         terraform apply

     Note: Type `yes` when prompted to confirm the changes.

  4. Verify that the firewall rule has been created in the Google Cloud Console.

     Navigate to **VPC network > Firewall** in the Google Cloud Console and verify the existence of the `allow-ssh-from-anywhere` firewall rule.

     Note: This is a manual verification step.
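
The plan preview from step 2 can also be checked automatically before `terraform apply`. The script below is an added example, not part of the original lab: it scans plan JSON (as produced by `terraform plan -out=tfplan` followed by `terraform show -json tfplan`) for firewall rules that allow SSH or RDP from any source address. The sample plan is constructed, and the `allow_ssh_iap` rule and the `ADMIN_PORTS` list are assumptions of the example.

```python
import ipaddress
import json

ADMIN_PORTS = (22, 3389)  # ports this example treats as administrative (assumption)

def _port_ranges(ports):
    """Turn Terraform port strings ("22", "1000-2000") into (low, high) pairs."""
    pairs = []
    for spec in ports or ["0-65535"]:  # an allow block without ports covers all ports
        low, _, high = str(spec).partition("-")
        pairs.append((int(low), int(high or low)))
    return pairs

def _is_any_source(cidr):
    """True when the CIDR spans the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_open_admin_rules(plan):
    """Return (resource address, port) for ingress rules open to any source."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after") or {}  # after is null on destroy
        if rc.get("type") != "google_compute_firewall" or after.get("disabled"):
            continue
        if (after.get("direction") or "INGRESS") != "INGRESS":
            continue
        if not any(_is_any_source(c) for c in after.get("source_ranges") or []):
            continue
        for allow in after.get("allow") or []:
            if allow.get("protocol") not in ("tcp", "all"):
                continue
            for low, high in _port_ranges(allow.get("ports")):
                findings += [(rc["address"], p) for p in ADMIN_PORTS if low <= p <= high]
    return findings

# Constructed sample in the shape of `terraform show -json` output: the lab's rule,
# plus a hypothetical rule limited to the IAP TCP forwarding range 35.235.240.0/20.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "google_compute_firewall.allow_ssh", "type": "google_compute_firewall",
  "change": {"actions": ["create"], "after": {"name": "allow-ssh-from-anywhere",
   "source_ranges": ["0.0.0.0/0"], "target_tags": ["ssh-allowed"],
   "allow": [{"protocol": "tcp", "ports": ["22"]}]}}},
 {"address": "google_compute_firewall.allow_ssh_iap", "type": "google_compute_firewall",
  "change": {"actions": ["create"], "after": {"name": "allow-ssh-from-iap",
   "source_ranges": ["35.235.240.0/20"], "allow": [{"protocol": "tcp", "ports": ["22"]}]}}}]}""")

if __name__ == "__main__":
    for address, port in find_open_admin_rules(SAMPLE_PLAN):
        print(f"{address}: tcp/{port} is open to any source address")
```

On the sample, only `google_compute_firewall.allow_ssh` is reported; the rule restricted to the IAP range passes.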

Task 5. Cleaning Up Resources

To avoid incurring unnecessary costs, destroy the resources created in this lab.

  1. Run terraform destroy to remove the firewall rule.

         terraform destroy

     Note: Type `yes` when prompted to confirm the destruction.

Congratulations!

You have successfully created and destroyed a firewall rule in Google Cloud using Terraform. You have learned how to define firewall rules as code, manage their properties, and apply them to your Google Cloud project. This approach enables you to automate and manage your infrastructure in a consistent and repeatable manner.

Additional Resources

Manual Last Updated Jul 22, 2025

Lab Last Tested Jul 22, 2025

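Before you begin

  1. Labs create a Google Cloud project and resources for a fixed time.
  2. Labs have a time limit and no pause feature. If you end the lab, you'll have to restart from the beginning.
  3. On the top left of your screen, click Start lab to begin.

Use private browsing

  1. Copy the provided Username and Password for the lab.
  2. Click Open console in private mode.

Sign in to the Console

  1. Sign in using your lab credentials. Using other credentials might cause errors or incur charges.
  2. Accept the terms, and skip the recovery resource page.
  3. Don't click End lab unless you've finished the lab or want to restart it, as it will clear your work and remove the project.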


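Use private browsing to run the lab

The best way to run this lab is to use an Incognito or private browser window. This prevents conflicts between your personal account and the student account, which could otherwise cause extra charges to your personal account.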