These are the core commands and concepts you'll use in every project.
| CLI Command | Purpose |
|---|---|
| terraform init | Initializes the directory, downloading provider plugins. |
| terraform validate | Checks configuration files for syntax errors. |
| terraform plan | Shows what changes will be made to your infrastructure. |
| terraform apply | Applies the changes to create or update infrastructure. |
| terraform destroy | Removes all infrastructure managed by the configuration. |
| terraform fmt | Automatically formats your .tf files for readability. |
| terraform import | Imports existing infrastructure into your Terraform state. |
| terraform taint/untaint | Marks a resource for recreation on the next apply. (Legacy) |
| terraform apply -replace | The modern way to force recreation of a specific resource. |
| Resource | Purpose |
|---|---|
| google_project | Creates and manages a GCP Project. |
| google_project_service | Enables an API within a project (e.g., compute.googleapis.com). |
| google_folder | Creates a folder to organize projects under an organization. |
| google_service_account | Creates a service account for applications. |
| google_project_iam_member | Grants a role to a member at the project level. |
| google_folder_iam_member | Grants a role to a member at the folder level. |
| google_organization_iam_member | Grants a role to a member at the organization level. |
| google_billing_account_iam_member | Manages IAM permissions for a billing account. |
<aside> 🛡️
Cybersecurity Note: Use the IAM resource that grants permissions at the narrowest possible scope. If a user only needs access to one project, use google_project_iam_member, not google_folder_iam_member.
</aside>
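The note above, as an added Terraform example that is not part of the original cheat sheet: a dedicated service account receives one predefined role at project scope, and the broader folder-level grant is shown only as the contrast to avoid. The project ID, folder number and account names are placeholders.

```hcl
# Added example (not from the original page). Project ID and folder number are placeholders.

variable "project_id" {
  type    = string
  default = "example-project-id" # placeholder, not a real project
}

# Enable only the API the workload depends on.
resource "google_project_service" "storage" {
  project            = var.project_id
  service            = "storage.googleapis.com"
  disable_on_destroy = false
}

# A dedicated identity for one workload, rather than a shared or default account.
resource "google_service_account" "reader" {
  project      = var.project_id
  account_id   = "reports-reader"
  display_name = "Reports reader (least-privilege example)"
}

# Narrowest scope: one predefined role, granted on the single project the workload uses.
resource "google_project_iam_member" "reader_object_viewer" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.reader.email}"

  depends_on = [google_project_service.storage]
}

# Over-broad alternative kept only as a contrast: the same role at folder level
# would apply to every current and future project under the folder.
# resource "google_folder_iam_member" "reader_object_viewer_folder" {
#   folder = "folders/000000000000" # placeholder
#   role   = "roles/storage.objectViewer"
#   member = "serviceAccount:${google_service_account.reader.email}"
# }
```

When reviewing a plan, the scope is visible in the resource type itself (google_project_iam_member versus google_folder_iam_member or google_organization_iam_member), which makes an accidental widening easy to catch before apply.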
| Resource | Purpose |
|---|---|
| google_storage_bucket | Creates a Cloud Storage bucket. Configure the website block for static hosting. |
| google_storage_bucket_object | Uploads a file to a bucket. |
| google_storage_bucket_iam_member | Controls access using modern IAM roles (recommended). |
| google_storage_bucket_acl | Manages legacy Access Control Lists (ACLs). |
| google_storage_transfer_job | Creates a job to transfer data from other sources into GCS. |
<aside> 🛡️
Cybersecurity Note: Always enable uniform_bucket_level_access on your buckets to disable legacy ACLs and simplify permissions. This prevents complex, hard-to-audit access rules.
</aside>
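The bucket configuration the note recommends, as an added example that is not from the original page: uniform bucket-level access turns off legacy ACLs, public access prevention blocks any allUsers grant, and a single bucket-scoped IAM member replaces the ACL. The project ID, bucket name and account names are placeholders.

```hcl
# Added example (not from the original page). Project ID and bucket name are placeholders.

variable "project_id" {
  type    = string
  default = "example-project-id" # placeholder
}

resource "google_storage_bucket" "reports" {
  project  = var.project_id
  name     = "example-project-id-reports" # placeholder; bucket names are globally unique
  location = "US"

  # Disables legacy ACLs: every grant on this bucket is now an auditable IAM binding.
  uniform_bucket_level_access = true

  # Rejects bindings to allUsers / allAuthenticatedUsers, even if someone adds one later.
  public_access_prevention = "enforced"

  # Keeps prior object versions, which helps recovery after accidental or malicious overwrite.
  versioning {
    enabled = true
  }
}

resource "google_service_account" "report_writer" {
  project      = var.project_id
  account_id   = "report-writer"
  display_name = "Writes nightly reports"
}

# Bucket-scoped IAM grant: the recommended replacement for google_storage_bucket_acl.
resource "google_storage_bucket_iam_member" "writer" {
  bucket = google_storage_bucket.reports.name
  role   = "roles/storage.objectCreator"
  member = "serviceAccount:${google_service_account.report_writer.email}"
}

# The legacy form this replaces, kept only as a contrast. With uniform bucket-level
# access enabled, ACL changes are rejected by the API, so this would fail to apply.
# resource "google_storage_bucket_acl" "legacy" {
#   bucket      = google_storage_bucket.reports.name
#   role_entity = ["READER:allUsers"]
# }
```

With both settings in place, an audit of who can read the bucket reduces to listing its IAM policy; there is no second ACL layer to reconcile.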
| Resource | Purpose |
|---|---|
| google_compute_instance | Creates a single virtual machine (VM). |
| google_compute_disk | Creates a persistent disk to attach to a VM. |
| google_compute_instance_template | Creates a reusable VM template for creating identical instances. |
| google_compute_instance_group_manager | Manages a group of instances from a template for scaling and high availability. |
| google_container_cluster | Creates a Google Kubernetes Engine (GKE) cluster control plane. |
| google_container_node_pool | Adds a group of worker nodes to a GKE cluster. |
| google_cloud_run_v2_service | Deploys a fully managed serverless containerized application. |
<aside> 🛡️
Cybersecurity Note: Use service accounts with minimal scopes attached to your compute resources. Avoid using the default compute service account, which often has overly broad permissions.
</aside>
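A VM wired up the way the note describes, as an added example that is not from the original page: a dedicated service account with only the roles the VM's agents need, OAuth scopes narrowed to match, no external IP, Shielded VM options and OS Login enabled. The project ID, zone and the subnetwork variable are placeholders; the subnetwork is assumed to exist already.

```hcl
# Added example (not from the original page). Project, zone and subnetwork are placeholders.

variable "project_id" {
  type    = string
  default = "example-project-id" # placeholder
}

variable "subnetwork_self_link" {
  type        = string
  description = "Self link of an existing private subnet (placeholder; supply your own)."
}

# A dedicated identity for this workload instead of the default compute service account.
resource "google_service_account" "web" {
  project      = var.project_id
  account_id   = "web-vm"
  display_name = "Web VM runtime identity"
}

# Only the roles the agents on the VM actually need: writing logs and metrics.
resource "google_project_iam_member" "web_log_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.web.email}"
}

resource "google_project_iam_member" "web_metric_writer" {
  project = var.project_id
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.web.email}"
}

resource "google_compute_instance" "web" {
  project      = var.project_id
  name         = "web-1"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  # No access_config block: the VM gets no external IP and uses Cloud NAT for egress.
  network_interface {
    subnetwork = var.subnetwork_self_link
  }

  # Dedicated SA, with OAuth scopes limited to what the roles above permit.
  service_account {
    email = google_service_account.web.email
    scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring.write",
    ]
  }

  # Measured boot: Secure Boot, vTPM and integrity monitoring.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  # IAM-controlled SSH via OS Login; project-wide SSH keys are ignored on this VM.
  metadata = {
    enable-oslogin         = "TRUE"
    block-project-ssh-keys = "TRUE"
  }
}
```

If the service_account block is omitted, the instance is attached to the default compute service account, which is exactly the case the note warns against; making the block explicit in every template keeps that from happening silently.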
| Resource | Purpose |
|---|---|
| google_compute_network | Creates a Virtual Private Cloud (VPC) network. |
| google_compute_subnetwork | Creates a subnet within your VPC. |
| google_compute_firewall | Creates firewall rules to control traffic to and from VMs. |
| google_compute_address | Reserves a static internal or external IP address. |
| google_compute_router / google_compute_router_nat | Creates a Cloud Router and configures NAT for private instances. |
| google_compute_global_forwarding_rule | The entry point for a Global External HTTP(S) Load Balancer; directs incoming traffic. |
| google_compute_target_http_proxy | Routes requests to a URL map for an HTTP Load Balancer. |
| google_compute_url_map | Defines rules for routing requests to different backend services. |
| google_dns_managed_zone | Creates a DNS zone to hold records for your domain. |
| google_dns_record_set | Creates a DNS record (e.g., A, CNAME, MX) within a zone. |