Best practices when working with Google Cloud resources
Stay organized with collections
Save and categorize content based on your preferences.
Best practices for provisioning Google Cloud resources with Terraform, are
integrated into the Cloud Foundation Toolkit modules that
Google maintains. This document reiterates some of these best practices.
This guide is not an introduction to Terraform. For an introduction to using
Terraform with Google Cloud, see
Get started with Terraform.
Bake virtual machine images
In general, we recommend that you bake virtual machine images
using a tool like Packer.
Terraform then only needs to launch machines using the pre-baked images.
If pre-baked images are not available, Terraform can hand off new virtual
machines to a configuration management tool with a provisioner block. We
recommend that you avoid this method and only use it as a
last resort.
To clean up old state associated with the instance, provisioners that require
teardown logic should use a provisioner block with when = destroy.
Terraform should provide VM configuration information to configuration
management with
instance metadata.
Manage Identity and Access Management
When provisioning IAM associations with Terraform, several
different resources are available:
google_*_iam_policy (for example, google_project_iam_policy)
google_*_iam_binding (for example, google_project_iam_binding)
google_*_iam_member (for example, google_project_iam_member)
google_*_iam_policy and google_*_iam_binding create authoritative
IAM associations, where the Terraform resources serve as the only
source of truth for what permissions can be assigned to the relevant resource.
If the permissions change outside of Terraform, Terraform on its next
execution overwrites all permissions to represent the policy as defined in your
configuration. This might make sense for resources that are wholly managed by a
particular Terraform configuration, but it means that roles that are
automatically managed by Google Cloud are removed—potentially disrupting
the functionality of some services.
To prevent this, we recommend using either google_*_iam_member resources
directly or the
IAM module from Google.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide reiterates best practices for provisioning Google Cloud resources with Terraform, as integrated into the Cloud Foundation Toolkit modules.\u003c/p\u003e\n"],["\u003cp\u003eIt's recommended to use pre-baked virtual machine images with tools like Packer, and only utilize Terraform provisioners as a last resort.\u003c/p\u003e\n"],["\u003cp\u003eTerraform should provide VM configuration information to configuration management through instance metadata.\u003c/p\u003e\n"],["\u003cp\u003eWhen managing IAM, using \u003ccode\u003egoogle_*_iam_member\u003c/code\u003e resources or the Google IAM module is preferable to prevent overwriting automatically managed roles.\u003c/p\u003e\n"],["\u003cp\u003eAuthoritative IAM resources like \u003ccode\u003egoogle_*_iam_policy\u003c/code\u003e and \u003ccode\u003egoogle_*_iam_binding\u003c/code\u003e are not ideal for resources that have roles that are automatically managed by Google Cloud.\u003c/p\u003e\n"]]],[],null,["# Best practices when working with Google Cloud resources\n\nBest practices for provisioning Google Cloud resources with Terraform, are\nintegrated into the [Cloud Foundation Toolkit](/foundation-toolkit) modules that\nGoogle maintains. This document reiterates some of these best practices.\n\nThis guide is not an introduction to Terraform. For an introduction to using\nTerraform with Google Cloud, see\n[Get started with Terraform](/docs/terraform/get-started-with-terraform).\n\nBake virtual machine images\n---------------------------\n\nIn general, we recommend that you *bake* virtual machine images\n[using a tool like Packer](/compute/docs/images/image-management-best-practices#automated_baking).\nTerraform then only needs to launch machines using the pre-baked images.\n\nIf pre-baked images are not available, Terraform can hand off new virtual\nmachines to a configuration management tool with a `provisioner` block. We\nrecommend that you avoid this method and only use it as a\n[last resort](https://www.terraform.io/language/resources/provisioners/syntax#provisioners-are-a-last-resort).\nTo clean up old state associated with the instance, provisioners that require\nteardown logic should use a `provisioner` block with `when = destroy`.\n\nTerraform should provide VM configuration information to configuration\nmanagement with\n[instance metadata](/compute/docs/metadata/overview).\n\nManage Identity and Access Management\n-------------------------------------\n\nWhen provisioning IAM associations with Terraform, several\ndifferent resources are available:\n\n- `google_*_iam_policy` (for example, `google_project_iam_policy`)\n- `google_*_iam_binding` (for example, `google_project_iam_binding`)\n- `google_*_iam_member` (for example, `google_project_iam_member`)\n\n`google_*_iam_policy` and `google_*_iam_binding` create *authoritative*\nIAM associations, where the Terraform resources serve as the only\nsource of truth for what permissions can be assigned to the relevant resource.\n\nIf the permissions change outside of Terraform, Terraform on its next\nexecution overwrites all permissions to represent the policy as defined in your\nconfiguration. This might make sense for resources that are wholly managed by a\nparticular Terraform configuration, but it means that roles that are\nautomatically managed by Google Cloud are removed---potentially disrupting\nthe functionality of some services.\n\nTo prevent this, we recommend using either `google_*_iam_member` resources\ndirectly or the\n[IAM module from Google](https://github.com/terraform-google-modules/terraform-google-iam).\n\nWhat's next\n-----------\n\n- Learn about [best practices for version control](/docs/terraform/best-practices/version-control).\n- Learn about [best practices for Terraform operations](/docs/terraform/best-practices/operations)."]]
