A comprehensive collection of enterprise-grade Terraform modules for Google Cloud Platform infrastructure provisioning. These modules provide secure, scalable, and production-ready infrastructure components following Google Cloud best practices.
This repository contains modular Terraform configurations designed for a multi-project, multi-environment Google Cloud architecture. The modules work together to create a complete enterprise infrastructure including:
- Multi-project structure with host and service projects
- Private GKE clusters with enterprise security features
- Shared VPC networking with proper segmentation
- Secure bastion hosts for administrative access
- Cloud SQL databases with high availability and backup
- Memorystore Redis for caching and sessions
- VPC Service Controls for data exfiltration protection
- IAM management with least privilege access
| Module | Description | Use Case |
|---|---|---|
terraform-google-svc-projects |
Creates and manages multi-project architecture | Foundation - Host and service projects |
terraform-google-svpc |
Shared VPC with subnets and firewall rules | Networking - Central network management |
terraform-google-gke |
Enterprise GKE cluster with security hardening | Compute - Container orchestration |
terraform-google-bastion |
Secure jump host with audit logging | Security - Administrative access |
terraform-google-cloudsql |
Managed Cloud SQL with HA and backup | Storage - Relational databases |
terraform-google-memorystore |
Redis cluster for caching and sessions | Storage - In-memory data store |
terraform-google-iam |
IAM roles, policies, and service accounts | Security - Identity and access management |
terraform-google-vpc-sc |
VPC Service Controls perimeter | Security - Data exfiltration protection |
-
Google Cloud SDK installed and configured
gcloud auth application-default login gcloud config set project YOUR_PROJECT_ID -
Terraform >= 1.5.0 installed
terraform --version
-
Required APIs enabled in your Google Cloud project:
gcloud services enable \ cloudresourcemanager.googleapis.com \ serviceusage.googleapis.com \ compute.googleapis.com \ container.googleapis.com \ sqladmin.googleapis.com \ redis.googleapis.com \ servicenetworking.googleapis.com \ dns.googleapis.com -
Required Permissions:
roles/resourcemanager.projectCreator(if creating projects)roles/billing.projectManager(for billing association)roles/compute.networkAdminroles/container.clusterAdminroles/cloudsql.admin
# Generate unique suffix for resource naming
resource "random_string" "suffix" {
length = 4
special = false
upper = false
}
# 1. Create multi-project structure
module "projects" {
source = "./terraform-google-svc-projects"
suffix = random_string.suffix.result
billing_account_id = "123456-ABCDEF-123456"
folder_id = "folders/1234567890"
labels = {
environment = "production"
team = "platform"
}
}
# 2. Create shared VPC networking
module "network" {
source = "./terraform-google-svpc"
project_id = module.projects.host_project_id
region = "us-central1"
depends_on = [module.projects]
}
# 3. Create GKE cluster
module "gke" {
source = "./terraform-google-gke"
project_id = module.projects.gke_project_id
region = "us-central1"
network = module.network.vpc_self_link
subnetwork = module.network.subnets["gke"].self_link
depends_on = [module.network]
}
# 4. Create bastion host
module "bastion" {
source = "./terraform-google-bastion"
project_id = module.projects.host_project_id
region = "us-central1"
vpc_name = module.network.vpc_name
subnet_name = module.network.subnets["bastion"].name
authorized_networks = ["10.0.0.0/8"]
depends_on = [module.network]
}
# 5. Create Cloud SQL database
module "database" {
source = "./terraform-google-cloudsql"
project_id = module.projects.data_project_id
instance_name = "main-db"
region = "us-central1"
database_version = "POSTGRES_15"
ip_configuration = {
private_network = module.network.vpc_self_link
ipv4_enabled = false
}
depends_on = [module.network]
}The modules are designed to work together in a specific order:
graph TD
A[terraform-google-svc-projects] --> B[terraform-google-svpc]
A --> C[terraform-google-iam]
B --> D[terraform-google-gke]
B --> E[terraform-google-bastion]
B --> F[terraform-google-cloudsql]
B --> G[terraform-google-memorystore]
A --> H[terraform-google-vpc-sc]
C --> D
C --> E
module "projects" {
source = "./terraform-google-svc-projects"
suffix = "prod"
billing_account_id = var.billing_account_id
folder_id = var.folder_id
# Creates: host-project-prod, gke-project-prod, data-project-prod
}module "network" {
source = "./terraform-google-svpc"
project_id = module.projects.host_project_id
region = "us-central1"
# Creates subnets for GKE, data services, bastion, and management
}module "gke" {
source = "./terraform-google-gke"
project_id = module.projects.gke_project_id
network = module.network.vpc_self_link
subnetwork = module.network.subnets["gke"].self_link
# Private cluster with Workload Identity and encryption
}module "bastion" {
source = "./terraform-google-bastion"
project_id = module.projects.host_project_id
vpc_name = module.network.vpc_name
enable_iap_tunnel = true
ssh_keys = {
"admin" = file("~/.ssh/id_rsa.pub")
}
}- Private GKE clusters with no public IPs
- VPC Service Controls for data exfiltration protection
- Firewall rules with least privilege access
- Shared VPC for centralized network management
- Workload Identity for secure pod authentication
- IAP tunnels for secure bastion access
- Service accounts with minimal required permissions
- IAM best practices enforcement
- Cloud SQL with private IP and SSL enforcement
- Encrypted persistent disks and etcd encryption
- Secrets management with Secret Manager integration
- Audit logging for all administrative actions
- Deletion protection on critical resources
- Binary Authorization for container security
- Shielded GKE nodes with secure boot
- Confidential GKE for memory encryption
# Primary region deployment
module "primary_region" {
source = "./complete-infrastructure"
region = "us-central1"
suffix = "primary"
# ... other config
}
# Secondary region for disaster recovery
module "secondary_region" {
source = "./complete-infrastructure"
region = "us-west2"
suffix = "secondary"
# ... other config
}- GKE monitoring with managed Prometheus
- Cloud SQL query insights and monitoring
- Bastion host access logging and audit trails
- VPC Flow Logs for network traffic analysis
# Enable Cloud Monitoring and Logging APIs
resource "google_project_service" "monitoring" {
for_each = toset([
"monitoring.googleapis.com",
"logging.googleapis.com",
"cloudtrace.googleapis.com",
"clouddebugger.googleapis.com"
])
service = each.value
project = var.project_id
}- Use preemptible nodes for non-critical workloads
- Enable cluster autoscaling to match demand
- Configure vertical pod autoscaling for right-sizing
- Use pd-standard disks for non-performance critical workloads
- Enable disk autoresize with limits
- Configure backup retention policies
- Minimize cross-region traffic with regional deployments
- Use private Google Access to reduce NAT costs
- Configure Cloud CDN for static content
# Development
terraform workspace select dev
terraform plan -var-file="environments/dev.tfvars"
# Staging
terraform workspace select staging
terraform plan -var-file="environments/staging.tfvars"
# Production
terraform workspace select prod
terraform plan -var-file="environments/prod.tfvars"# .github/workflows/terraform.yml
name: 'Terraform'
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
terraform:
name: 'Terraform'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: hashicorp/setup-terraform@v2
- name: Terraform Plan
run: terraform plan -no-color
- name: Terraform Apply
if: github.ref == 'refs/heads/main'
run: terraform apply -auto-approve-
API Not Enabled
# Enable required APIs gcloud services enable container.googleapis.com
-
Insufficient Permissions
# Grant required IAM roles gcloud projects add-iam-policy-binding PROJECT_ID \ --member="user:email@domain.com" \ --role="roles/container.clusterAdmin"
-
Quota Exceeded
# Check and request quota increases gcloud compute project-info describe --project=PROJECT_ID -
Network Connectivity
# Test bastion connectivity gcloud compute ssh bastion-instance --project=PROJECT_ID --zone=us-central1-a
# Check cluster status
gcloud container clusters describe CLUSTER_NAME --region=REGION
# View instance logs
gcloud compute instances get-serial-port-output INSTANCE_NAME
# Check Cloud SQL connectivity
gcloud sql connect INSTANCE_NAME --user=postgres --database=postgresThis project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- Follow Terraform Style Guide
- Include comprehensive documentation
- Add examples for new modules
- Test changes in isolated environments
- Update README.md for any new features
For questions, issues, or contributions:
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: Report security vulnerabilities privately
Version: 1.0.0
Terraform Version: >= 1.5
Google Provider Version: >= 5.0
Last Updated: September 2025