Export your Google Cloud resources to Terraform format

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Caution: This feature isn't supported on Windows operating systems.

You've deployed resources in Google Cloud, and now need to manage your infrastructure as code (IaC) with Terraform. Google provides a tool that you can use to generate Terraform code for resources in a project, folder, or organization.

Roles

To get the permissions that you need to export assets to Terraform, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Before you begin

  • Prepare Cloud Shell.

    Launch Cloud Shell, and set the default Google Cloud project where you want to generate Terraform code for the deployed resources.

    You only need to run this command once per project, and you can run it in any directory.

    export GOOGLE_CLOUD_PROJECT=PROJECT_ID

    Environment variables are overridden if you set explicit values in a Terraform configuration file.

  • In Cloud Shell, install the command-line interface (CLI) for Config Connector.

    gcloud components install config-connector

    Config Connector lets you use Google Cloud's Terraform bulk-export tool.

    If you see ERROR: (gcloud.components.install) You cannot perform this action because the Google Cloud CLI component manager is disabled for this installation, run the following command instead:

    sudo apt-get install google-cloud-sdk-config-connector
  • Enable the Cloud Asset API.

    gcloud services enable cloudasset.googleapis.com
  • Create a service account to use for this export:

    gcloud beta services identity create --service=cloudasset.googleapis.com
  • Ensure that the Cloud Asset Service Agent (gcp-sa-cloudasset.iam.gserviceaccount.com) has the roles/servicenetworking.serviceAgent role:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudasset.iam.gserviceaccount.com \
      --role=roles/servicenetworking.serviceAgent
  • Ensure that the Cloud Asset Service Agent (gcp-sa-cloudasset.iam.gserviceaccount.com) has the roles/storage.objectAdmin role:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudasset.iam.gserviceaccount.com \
      --role=roles/storage.objectAdmin
    Note: To get your PROJECT_ID and PROJECT_NUMBER, go to the Google Cloud console.

Limitations

Some resource types aren't supported for export to Terraform format even though they are supported by the Terraform Google provider. For a list of resource types that are supported for export to Terraform format, run the gcloud beta resource-config list-resource-types command.

Export the entire project configuration to Terraform HCL code

The gcloud beta resource-config bulk-export --resource-format=terraform command exports resources configured in the project, folder, or organization and prints them to the screen in HCL code format.

gcloud beta resource-config bulk-export \
  --project=PROJECT_ID \
  --resource-format=terraform

Write the output to a directory structure

  1. If you haven't done so already, create the directory where you want to output the project's configuration:

    mkdir OUTPUT_DIRECTORY
  2. Export the project's entire configuration to the directory:

    gcloud beta resource-config bulk-export \
      --path=OUTPUT_DIRECTORY \
      --project=PROJECT_ID \
      --resource-format=terraform

    The --path flag specifies the location to output the HCL code.

After running the command, the HCL code for each resource is output to a separate .tf file in the following directory structure:

OUTPUT_DIRECTORY/projects/PROJECT_ID/RESOURCE_TYPE

Write the output to a single file

If you don't want to print the output to the screen or create separate .tf files, you can write all of the output to a single file, as shown in this example:

gcloud beta resource-config bulk-export \
  --resource-format=terraform \
  --project=PROJECT_ID \
  >> gcp_resources.tf

Filter the output

Filter the output of the bulk export command by specifying resource types.

List the supported resource types to filter on

For a list of resource types that are supported for export to Terraform format, run the gcloud beta resource-config list-resource-types command:

gcloud beta resource-config list-resource-types

Optionally, write the output to a file:

gcloud beta resource-config list-resource-types >> strings.txt

In the output, the resource type for Compute Engine VMs is listed as:

KRM KIND:ComputeInstance

You can ignore the KRM KIND: prefix.

Export a single resource type

Use a string, such as ComputeInstance, to export specific resource types for your project in HCL code format:

gcloud beta resource-config bulk-export \
  --resource-types=RESOURCE_TYPE \
  --project=PROJECT_ID \
  --resource-format=terraform

The --resource-types flag specifies the resource type to output.

Export multiple resource types

Export VM instances and firewall rules in HCL code format:

gcloud beta resource-config bulk-export \
  --resource-types=ComputeFirewall,ComputeInstance \
  --project=PROJECT_ID \
  --resource-format=terraform

Use a file to specify the resource types to export

  1. Create a directory called tf-output.

    cd && mkdir tf-output && cd tf-output
  2. Create a file called types.txt, and add a list of resource types. For example:

    ComputeBackendBucket
    ComputeBackendService
    ComputeForwardingRule
  3. Run the gcloud beta resource-config bulk-export command with the --resource-types-file flag:

    gcloud beta resource-config bulk-export \
      --resource-types-file=types.txt \
      --path=tf-output \
      --project=PROJECT_ID \
      --resource-format=terraform

If the project doesn't contain any of a particular resource type, the command succeeds but nothing is output for that resource type.
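Because a requested type with no resources produces no output and no error, it is worth listing which entries in types.txt ended up with no .tf files before treating the export as complete. The following is an added example, not part of the original page or of Google's tooling. It assumes each RESOURCE_TYPE directory is named exactly like its entry in types.txt, and the function names and sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list requested resource types for which the export wrote no .tf files.
# Assumption: OUTPUT_DIRECTORY/projects/PROJECT_ID/RESOURCE_TYPE uses the same
# type string that appears in types.txt (for example ComputeInstance).

# count_tf DIR -> number of .tf files at any depth under DIR (0 if DIR is absent)
count_tf() {
  if [ -d "$1" ]; then
    find "$1" -type f -name '*.tf' | wc -l | tr -d ' '
  else
    echo 0
  fi
}

# export_gaps TYPES_FILE OUTPUT_DIRECTORY PROJECT_ID
# Prints one line per requested type that has no exported .tf file.
export_gaps() {
  types_file=$1
  base="$2/projects/$3"
  # Drop CRs and surrounding whitespace so editor artifacts don't cause false gaps.
  tr -d '\r' < "$types_file" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
  while IFS= read -r rtype || [ -n "$rtype" ]; do
    [ -n "$rtype" ] || continue          # skip blank lines
    [ "$(count_tf "$base/$rtype")" -gt 0 ] || printf '%s\n' "$rtype"
  done
}

# Constructed sample tree (not real export output) that mirrors the page's layout.
demo=$(mktemp -d)
proj="$demo/tf-output/projects/example-project"
mkdir -p "$proj/ComputeForwardingRule" "$proj/ComputeBackendBucket"
touch "$proj/ComputeForwardingRule/rule-a.tf"   # one type with output
printf 'ComputeBackendBucket\nComputeBackendService\nComputeForwardingRule\n' \
  > "$demo/types.txt"

# ComputeBackendBucket has an empty directory and ComputeBackendService has none,
# so both are reported as gaps.
export_gaps "$demo/types.txt" "$demo/tf-output" example-project
rm -rf "$demo"
```

Each reported type either has no resources in the project or was not exported, so confirm which applies before relying on the generated code as a full inventory.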

Troubleshooting

If you see the following error:

"Permission denied during export. Please ensure the Cloud Asset Inventory API is enabled."

Make sure that you have followed the instructions in the Before you begin section.


Last updated 2025-12-15 UTC.