{"id":29416332,"url":"https://github.com/cloudon-one/fintech-production-ready-infra","last_synced_at":"2025-07-11T19:02:57.536Z","repository":{"id":303292946,"uuid":"1012400849","full_name":"cloudon-one/fintech-production-ready-infra","owner":"cloudon-one","description":"GCP based production-ready infra for fintech services","archived":false,"fork":false,"pushed_at":"2025-07-06T20:08:12.000Z","size":506,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-06T21:24:41.529Z","etag":null,"topics":["fintech-design","gcp","terraform"],"latest_commit_sha":null,"homepage":"https://cloudon-one.com","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudon-one.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-02T09:22:49.000Z","updated_at":"2025-07-06T20:08:15.000Z","dependencies_parsed_at":"2025-07-06T21:34:50.989Z","dependency_job_id":null,"html_url":"https://github.com/cloudon-one/fintech-production-ready-infra","commit_stats":null,"previous_names":["cloudon-one/fintech-production-ready-infra"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cloudon-one/fintech-production-ready-infra","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Ffintech-production-ready-infra","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Ffintech-production-ready-infra/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/cloudon-one%2Ffintech-production-ready-infra/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Ffintech-production-ready-infra/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudon-one","download_url":"https://codeload.github.com/cloudon-one/fintech-production-ready-infra/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Ffintech-production-ready-infra/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264878580,"owners_count":23677451,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fintech-design","gcp","terraform"],"created_at":"2025-07-11T19:02:56.782Z","updated_at":"2025-07-11T19:02:57.458Z","avatar_url":"https://github.com/cloudon-one.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fintech GCP Production-Ready IaC Infrastructure\n\nThis repository contains Terraform configuration for deploying a multi-project GCP infrastructure with shared VPC, GKE, SQL, data services, bastion host, and comprehensive IAM management as per the fintech production architecture.\n\n## 🏗️ Architecture Overview\n\nThe infrastructure consists of:\n\n- **Host Project**: Shared VPC host project (`fintech-prod-host-project`)\n- **GKE Project**: Service project for GKE workloads (`fintech-prod-gke-project`)\n- **Data Project**: Service project for data services and Cloud SQL (`fintech-prod-data-project`)\n\n### Network Architecture\n\n#### GKE VPC (10.60.0.0/16)\n\n- **Nodes 
Subnet**: 10.60.4.0/22\n- **Control Plane**: 10.60.1.0/28\n- **Proxy Subnet**: 10.60.0.0/24 (Reserved for regional ILB)\n- **Pod Secondary Range**: 10.60.128.0/17\n- **Service Secondary Range**: 10.60.8.0/22\n\n#### Data VPC (10.61.0.0/16)\n\n- **Data Services Subnet**: 10.61.4.0/22\n- **Proxy Subnet**: 10.61.0.0/24 (Reserved for regional ILB)\n\n#### Service Network Segments for Google Private Connection\n\n- **fintech-prod-private-sql**: 10.61.1.0/24\n- **fintech-prod-private-sql-replica**: 10.61.2.0/24\n- **fintech-prod-private-redis**: 10.61.12.0/24\n\n#### Managed Airflow (Cloud Composer)\n\n- **Composer Pods Secondary Range**: 10.61.128.0/17\n- **Composer Services Secondary Range**: 10.61.8.0/22\n\n#### Bastion Host Network Configuration\n\n- **Primary Interface**: Connected to GKE VPC (10.60.0.0/16) - gke-subnet\n- **Secondary Interface**: Connected to Data VPC (10.61.0.0/16) - data-subnet\n- **IP Forwarding**: Enabled for multi-VPC routing\n- **IAP Tunnel**: Secure access via Google's IAP range (35.235.240.0/20)\n\n## 📁 Project Structure\n\nThis project uses a **modular Terraform architecture** organized into service-specific directories:\n\n```\n├── api\n│   └── api.yaml\n├── docs\n│   ├── GKE HLD.png\n│   ├── SVPC.png\n│   ├── VPC SC.png\n│   ├── gke-lld.md\n│   └── vpc-lld.md\n├── modules\n│   ├── terraform-google-bastion\n│   │   ├── main.tf\n│   │   ├── outputs.tf\n│   │   ├── README.md\n│   │   ├── startup-script.sh\n│   │   ├── variables.tf\n│   │   └── versions.tf\n│   ├── terraform-google-cloudsql\n│   │   ├── main.tf\n│   │   ├── outputs.tf\n│   │   ├── README.md\n│   │   ├── variables.tf\n│   │   └── versions.tf\n│   ├── terraform-google-gke\n│   │   ├── main.tf\n│   │   ├── outputs.tf\n│   │   ├── README.md\n│   │   └── variables.tf\n│   ├── terraform-google-iam\n│   │   ├── main.tf\n│   │   ├── outputs.tf\n│   │   ├── README.md\n│   │   ├── variables.tf\n│   │   └── versions.tf\n│   ├── terraform-google-memorystore\n│   │   ├── main.tf\n│   │   
├── outputs.tf\n│   │   ├── README.md\n│   │   ├── variables.tf\n│   │   └── versions.tf\n│   ├── terraform-google-svc-projects\n│   │   ├── main.tf\n│   │   ├── outputs.tf\n│   │   ├── README.md\n│   │   ├── variables.tf\n│   │   └── versions.tf\n│   ├── terraform-google-svpc\n│   │   ├── main.tf\n│   │   ├── outputs.tf\n│   │   ├── README.md\n│   │   ├── variables.tf\n│   │   └── versions.tf\n│   └── terraform-google-vpc-sc\n│       ├── main.tf\n│       ├── outputs.tf\n│       ├── README.md\n│       └── variables.tf\n├── net-bastion\n│   ├── backend.tf\n│   ├── main.tf\n│   ├── outputs.tf\n│   ├── README.md\n│   ├── terraform.tfvars\n│   ├── variables.tf\n│   └── versions.tf\n├── net-iam\n│   ├── backend.tf\n│   ├── main.tf\n│   ├── outputs.tf\n│   ├── terraform.tfvars\n│   ├── variables.tf\n│   └── versions.tf\n├── net-svpc\n│   ├── backend.tf\n│   ├── locals.tf\n│   ├── main.tf\n│   ├── outputs.tf\n│   ├── provider.tf\n│   ├── proxy\n│   │   ├── app-routing-config.md\n│   │   ├── connection-test.sh\n│   │   ├── create-proxy-vm.sh\n│   │   ├── setup-proxy-fw.sh\n│   │   ├── setup-proxy-svc.sh\n│   │   ├── setup-proxy-vm.sh\n│   │   └── troubleshoot.md\n│   ├── terraform.tfvars\n│   ├── variables.tf\n│   └── versions.tf\n├── README.md\n├── svc-gke\n│   ├── backend.tf\n│   ├── main.tf\n│   ├── network-policies\n│   │   ├── backend.tf\n│   │   ├── main.tf\n│   │   ├── modules\n│   │   │   ├── api\n│   │   │   │   └── main.tf\n│   │   │   ├── backend\n│   │   │   │   └── main.tf\n│   │   │   ├── database\n│   │   │   │   └── main.tf\n│   │   │   ├── default\n│   │   │   │   └── main.tf\n│   │   │   ├── default-deny\n│   │   │   │   └── main.tf\n│   │   │   ├── frontend\n│   │   │   │   └── main.tf\n│   │   │   ├── monitoring\n│   │   │   │   └── main.tf\n│   │   │   └── production\n│   │   │       └── main.tf\n│   │   ├── outputs.tf\n│   │   ├── README.md\n│   │   ├── test-network-policies.sh\n│   │   └── variables.tf\n│   ├── outputs.tf\n│   ├── 
pod-security-standards\n│   │   ├── backend.tf\n│   │   ├── main.tf\n│   │   ├── outputs.tf\n│   │   ├── README.md\n│   │   ├── terraform.tfvars\n│   │   └── variables.tf\n│   ├── rbac\n│   │   ├── iam-bindings\n│   │   │   ├── backend.tf\n│   │   │   ├── main.tf\n│   │   │   ├── submodules\n│   │   │   │   └── kubernetes-prod-binding\n│   │   │   │       └── main.tf\n│   │   │   └── versions.tf\n│   │   ├── iam-roles\n│   │   │   ├── backend.tf\n│   │   │   ├── main.tf\n│   │   │   ├── submodules\n│   │   │   │   ├── google-prod\n│   │   │   │   │   └── main.tf\n│   │   │   │   └── kubernetes-prod\n│   │   │   │       └── main.tf\n│   │   │   └── versions.tf\n│   │   └── README.md\n│   ├── README.md\n│   ├── terraform.tfvars\n│   ├── variables.tf\n│   └── versions.tf\n├── svc-projects\n│   ├── backend.tf\n│   ├── main.tf\n│   ├── outputs.tf\n│   ├── terraform.tfvars\n│   └── variables.tf\n├── svc-redis\n│   ├── backend.tf\n│   ├── main.tf\n│   ├── outputs.tf\n│   ├── README.md\n│   ├── variables.tf\n│   └── versions.tf\n├── svc-sql\n│   ├── backend.tf\n│   ├── cert\n│   │   ├── client-cert.pem\n│   │   ├── client-key.pem\n│   │   ├── server-ca .pem\n│   │   └── sql-admin.json\n│   ├── main.tf\n│   ├── outputs.tf\n│   ├── README.md\n│   ├── terraform.tfvars\n│   ├── variables.tf\n│   └── versions.tf\n├── svc-vpcsc\n│   ├── backend.tf\n│   ├── main.tf\n│   ├── provider.tf\n│   ├── terraform.tfvars\n│   ├── variables.tf\n│   └── versions.tf\n```\n\n### Architecture Benefits\n\n- **Service Isolation**: Each service has its own directory and state\n- **Modular Design**: Reusable modules for common patterns\n- **Clear Dependencies**: Services depend on outputs from other services\n- **Easy Maintenance**: Update specific services independently\n- **Team Collaboration**: Different teams can work on different services\n- **Security-First**: Bastion host and comprehensive IAM management\n- **Access Control**: Multiple secure access methods (IAP, OS Login, SSH)\n\n## 🚀 Quick 
Start\n\n### Prerequisites\n\n- Terraform \u003e= 1.5.0\n- Google Cloud SDK \u003e= 524.0.0\n- `jq` for JSON processing\n- Appropriate GCP permissions:\n  - **Billing Account**: `roles/billing.projectManager` on billing account\n  - **Folder**: Project creation permissions in target folder\n  - **APIs**: Enable required APIs in projects\n\n### 1. Clone and Setup\n\n```bash\ngit clone https://github.com/cloudon-one/fintech-production-ready-infra.git\ncd fintech-production-ready-infra\n```\n\n### 2. Check Prerequisites\n\n```bash\nterraform version\ngcloud version\njq --version\n```\n\n### 3. Initialize Infrastructure\n\n```bash\ncd svc-projects \u0026\u0026 terraform init\ncd ../net-svpc \u0026\u0026 terraform init\ncd ../net-iam \u0026\u0026 terraform init\ncd ../net-bastion \u0026\u0026 terraform init\ncd ../svc-gke \u0026\u0026 terraform init\ncd ../svc-sql \u0026\u0026 terraform init\ncd ../svc-redis \u0026\u0026 terraform init\ncd ../svc-vpcsc \u0026\u0026 terraform init\n```\n\n### 4. Development Workflow\n\n```bash\nterraform fmt -recursive\nterraform validate\nterraform plan -out=tfplan\nterraform apply tfplan\n```\n\n### 5. Deploy Infrastructure\n\n⚠️ **CRITICAL**: Infrastructure must be deployed in this exact order due to dependencies:\n\n#### 🎯 Deployment Sequence\n\n1. **svc-projects** → Creates all GCP projects with random suffixes\n2. **net-svpc** → Creates shared VPC networks (requires project IDs from step 1)\n3. **net-iam** → Creates IAM resources (requires projects from step 1)\n4. **net-bastion** → Creates secure bastion host (requires VPC from step 2 and IAM from step 3)\n5. **svc-gke** → Creates GKE cluster (requires VPC from step 2 and IAM from step 3)\n6. **svc-sql** → Creates Cloud SQL instances in data project (requires network from step 2)\n7. **svc-redis** → Creates Redis instances in data project (requires network from step 2)\n8. 
**svc-vpcsc** → Creates VPC Service Controls (requires all projects)\n\n#### 🚀 Deployment Commands\n\n```bash\ncd svc-projects \u0026\u0026 terraform apply -auto-approve\ncd ../net-svpc  \u0026\u0026 terraform apply -auto-approve\ncd ../net-iam   \u0026\u0026 terraform apply -auto-approve\ncd ../net-bastion \u0026\u0026 terraform apply -auto-approve\ncd ../svc-gke   \u0026\u0026 terraform apply -auto-approve\ncd ../svc-sql   \u0026\u0026 terraform apply -auto-approve\ncd ../svc-redis \u0026\u0026 terraform apply -auto-approve\ncd ../svc-vpcsc \u0026\u0026 terraform apply -auto-approve\n```\n\n#### 📋 Status Checking\n\n```bash\ncd svc-projects \u0026\u0026 terraform show\ncd ../net-svpc  \u0026\u0026 terraform show\ncd ../net-iam   \u0026\u0026 terraform show\ncd ../net-bastion \u0026\u0026 terraform show\ncd ../svc-gke   \u0026\u0026 terraform show\ncd ../svc-sql   \u0026\u0026 terraform show\ncd ../svc-redis \u0026\u0026 terraform show\ncd ../svc-vpcsc \u0026\u0026 terraform show\n```\n\n## 📋 Service Dependencies\n\n⚠️ **DEPLOYMENT ORDER REQUIREMENTS:**\n\n1. **svc-projects** → Creates GCP projects (no dependencies)\n   - Creates host, GKE, and data projects with random suffixes\n   - Enables required APIs for each project\n   - Must be deployed first\n\n2. **net-svpc** → Creates network infrastructure (requires projects)\n   - Creates shared VPC networks in host project\n   - Configures subnets, NAT, firewall rules, VPC peering\n   - Requires project IDs from step 1\n\n3. **net-iam** → Creates IAM resources (requires projects)\n   - Creates service accounts for GKE, Cloud SQL, and bastion\n   - Configures Workload Identity for GKE\n   - Sets up OS Login and IAP tunnel permissions\n   - Requires project IDs from step 1\n\n4. 
**net-bastion** → Creates secure bastion host (requires network and IAM)\n   - Creates secured jump host for accessing private resources\n   - Configures IAP tunnel access and SSH security\n   - Requires VPC from step 2 and IAM from step 3\n   - Optional: Can be skipped if bastion not needed\n\n5. **svc-gke** → Creates GKE cluster (requires network and IAM)\n   - Creates private GKE cluster in service project\n   - Uses VPC and subnets from step 2\n   - Uses service accounts from step 3\n   - Optional: Can be skipped if GKE not needed\n\n6. **svc-sql** → Creates Cloud SQL instances (requires network)\n   - Creates MySQL and PostgreSQL instances in data project\n   - Uses VPC network from step 2\n   - Optional: Can be skipped if Cloud SQL not needed\n\n7. **svc-redis** → Creates Redis instances in data project (requires network from step 2)\n   - Optional: Can be skipped if Redis not needed\n\n8. **svc-vpcsc** → Creates VPC Service Controls (requires all projects)\n   - Configures VPC Service Controls for enhanced security\n   - Requires all projects from previous steps\n   - Optional: Can be skipped if VPC-SC not needed\n\n## 🏭 Modules\n\nThis infrastructure uses modular Terraform design:\n\n### Core Modules\n\n- **`terraform-google-svpc`**: Shared VPC networks, subnets, NAT, firewall rules, VPC peering, DNS\n- **`terraform-google-gke`**: Private GKE cluster with advanced security features and Workload Identity\n- **`terraform-google-cloudsql`**: Cloud SQL instances with high availability, backup, and monitoring\n- **`terraform-google-memorystore`**: Redis instances with private network, TLS encryption, and persistence\n- **`terraform-google-svc-projects`**: GCP project creation, API enablement, and service account management\n- **`terraform-google-vpc-sc`**: VPC Service Controls for enhanced security perimeter\n- **`terraform-google-bastion`**: Secure bastion host with IAP tunnel support, SSH security, and monitoring\n- **`terraform-google-iam`**: Comprehensive 
IAM management for GKE, Cloud SQL, OS Login, and IAP tunnel access\n\n### Module Benefits\n\n- **Reusability**: Use across multiple environments\n- **Consistency**: Standardized resource creation\n- **Testing**: Isolated testing of components\n- **Maintenance**: Centralized updates and bug fixes\n- **Security**: Built-in security best practices\n\n## 🔧 Configuration\n\n### Key Variables\n\n| Variable | Description | Default | Required |\n|----------|-------------|---------|----------|\n| `billing_account_id` | GCP Billing Account ID (format: XXXXXX-XXXXXX-XXXXXX) | - | ✅ |\n| `folder_id` | GCP Organization Folder ID | `1234567890` | ✅ |\n| `region` | Target region for all resources | `europe-central2` | ✅ |\n| `enable_flow_logs` | Enable VPC flow logs for monitoring | `true` | - |\n| `enable_private_google_access` | Enable Private Google Access for subnets | `true` | - |\n| `enable_shared_vpc` | Enable Shared VPC configuration | `true` | - |\n| `host_project_name` | Name of the host project | `fintech-prod-host-project` | ✅ |\n| `gke_project_name` | Name of the GKE service project | `fintech-prod-gke-project` | ✅ |\n| `data_project_name` | Name of the data service project | `fintech-prod-data-project` | ✅ |\n\n### Service-Specific Configuration\n\nEach service directory contains its own `terraform.tfvars` file:\n\n- **`svc-projects/terraform.tfvars`**: Project creation settings (billing, folder, names)\n- **`net-svpc/terraform.tfvars`**: Network and VPC configuration (subnets, firewall, DNS)\n- **`net-iam/terraform.tfvars`**: IAM configuration (service accounts, roles, users)\n- **`net-bastion/terraform.tfvars`**: Bastion host configuration (security, access, networking)\n- **`svc-gke/terraform.tfvars`**: GKE cluster settings (node pools, security, networking)\n- **`svc-sql/terraform.tfvars`**: Cloud SQL instances configuration (databases, users, replicas)\n- **`svc-redis/terraform.tfvars`**: Redis instances configuration (memory, persistence, networking)\n- 
**`svc-vpcsc/terraform.tfvars`**: VPC Service Controls configuration\n\n⚠️ **Important**: After deploying `svc-projects`, update `net-svpc/terraform.tfvars` with the actual project ID (includes random suffix).\n\n## 📝 Operations\n\n### Development Workflow\n\n```bash\nterraform fmt -recursive\nterraform validate\nterraform plan -out=tfplan\nterraform apply tfplan\nterraform destroy\n```\n\n### Service-Specific Operations\n\n```bash\ncd svc-projects \u0026\u0026 terraform init\ncd ../net-svpc  \u0026\u0026 terraform init\ncd ../net-iam   \u0026\u0026 terraform init\ncd ../net-bastion \u0026\u0026 terraform init\ncd ../svc-gke   \u0026\u0026 terraform init\ncd ../svc-sql   \u0026\u0026 terraform init\ncd ../svc-redis \u0026\u0026 terraform init\ncd ../svc-vpcsc \u0026\u0026 terraform init\n\ncd svc-projects \u0026\u0026 terraform apply -auto-approve\ncd ../net-svpc  \u0026\u0026 terraform apply -auto-approve\ncd ../net-iam   \u0026\u0026 terraform apply -auto-approve\ncd ../net-bastion \u0026\u0026 terraform apply -auto-approve\ncd ../svc-gke   \u0026\u0026 terraform apply -auto-approve\ncd ../svc-sql   \u0026\u0026 terraform apply -auto-approve\ncd ../svc-redis \u0026\u0026 terraform apply -auto-approve\ncd ../svc-vpcsc \u0026\u0026 terraform apply -auto-approve\n```\n\n### Remote State Management\n\nEach service maintains its own remote state:\n\n- **Backend**: Google Cloud Storage\n- **State Files**: Isolated per service\n- **Locking**: Prevents concurrent modifications\n- **Encryption**: State files are encrypted at rest\n\n## 🗄️ Cloud SQL Infrastructure\n\n### Database Instances\n\nThe Cloud SQL service (`svc-sql`) provides database instances deployed in the **data project**:\n\n#### PostgreSQL Analytics Database\n\n- **Version**: PostgreSQL 16\n- **Availability**: Regional (high availability)\n- **Databases**: `fintech_analytics`, `fintech_reporting`\n- **Users**: `analytics_user`, `reporting_user`\n- **Read Replicas**: Cross-region replica in europe-west1\n- 
**Features**: Query insights, performance monitoring, maintenance windows\n\n### Security Features\n\n- **Private IP**: All instances use private IP addresses\n- **VPC Integration**: Connected to fintech data VPC\n- **SSL/TLS Enforcement**: All connections require SSL/TLS\n- **Authorized Networks**: Restricted access to specific IP ranges\n- **Deletion Protection**: Prevents accidental deletion\n- **Backup Retention**: 7-day backup retention with point-in-time recovery\n\n### Connection Information\n\n```bash\n# PostgreSQL connection\npsql -h \u003cprivate_ip\u003e -U analytics_user -d fintech_analytics\n\n# Cloud SQL Proxy\ncloud_sql_proxy -instances=\u003cconnection_name\u003e=tcp:5432\n```\n\n## 🗄️ Redis Infrastructure\n\n### Redis Instances\n\nThe Redis service (`svc-redis`) provides Redis instances deployed in the **data project**:\n\n#### Redis Cache Instance\n\n- **Version**: Redis 7.0\n- **Availability**: Regional (high availability)\n- **Memory**: 1GB (configurable)\n- **Features**: TLS encryption, persistence, maintenance windows\n- **Private Network**: Connected to fintech data VPC (10.61.5.0/24)\n- **Authentication**: AUTH enabled for secure access\n\n### Security Features\n\n- **Private IP**: All instances use private IP addresses\n- **VPC Integration**: Connected to fintech data VPC\n- **TLS Encryption**: All connections require TLS encryption\n- **Authentication**: Redis AUTH enabled for access control\n- **Deletion Protection**: Prevents accidental deletion\n- **Persistence**: RDB snapshots enabled for data durability\n\n### Connection Information\n\n```bash\n# Redis connection with TLS\nredis-cli -h \u003cprivate_ip\u003e -p 6379 --tls --cert \u003ccert_file\u003e --key \u003ckey_file\u003e -a \u003cpassword\u003e\n\n# Redis connection without TLS (internal network)\nredis-cli -h \u003cprivate_ip\u003e -p 6379 -a \u003cpassword\u003e\n```\n\n## 🔐 Bastion Host Infrastructure\n\n### Secure Access Gateway\n\nThe bastion host (`net-bastion`) provides 
secure access to private resources:\n\n#### Features\n\n- **IAP Tunnel Support**: Secure access without public IP exposure\n- **SSH Security**: Key-based authentication, fail2ban protection\n- **OS Login Integration**: Centralized SSH access management via IAM\n- **HTTPS Proxy**: Controlled internet access for internal resources\n- **Monitoring**: Comprehensive logging and audit trails\n- **Pre-installed Tools**: gcloud, kubectl, and other management tools\n- **Multi-VPC Access**: Connected to both GKE and Data VPCs with IP forwarding enabled for comprehensive resource access\n\n#### Network Architecture\n\nThe bastion host is deployed with multiple network interfaces for secure access to all VPCs:\n\n- **Primary Interface**: Connected to GKE VPC (10.60.0.0/16) via gke-subnet\n- **Secondary Interface**: Connected to Data VPC (10.61.0.0/16) via data-subnet\n- **IP Forwarding**: Enabled to allow routing between VPCs\n- **IAP Access**: Secure tunnel access from Google's IAP range (35.235.240.0/20)\n- **Proxy Access**: Internal networks can use HTTPS proxy for internet access\n\n#### Access Methods\n\n1. **IAP Tunnel (Recommended)**:\n\n   ```bash\n   gcloud compute start-iap-tunnel fintech-prod-bastion 22 \\\n     --local-host-port=localhost:2222 \\\n     --zone=europe-central2-a \\\n     --project=fintech-prod-host-project-8hhr\n   ssh -p 2222 user@localhost\n   ```\n\n2. **Direct SSH** (if authorized networks configured):\n\n   ```bash\n   gcloud compute ssh fintech-prod-bastion \\\n     --zone=europe-central2-a \\\n     --project=fintech-prod-host-project\n   ```\n\n3. 
**OS Login** (IAM-based access):\n   ```bash\n   gcloud compute ssh [USERNAME]@fintech-prod-bastion \\\n     --project=fintech-prod-host-project \\\n     --zone=europe-central2-a\n   ```\n\n#### GKE Cluster Access\n\nFrom the bastion host, you can securely manage GKE clusters:\n\n```bash\ngcloud container clusters get-credentials fintech-prod-gke cluster --location europe-central2\nkubectl get nodes\nkubectl get pods --all-namespaces\n```\n\n## 📊 Outputs\n\nEach service provides relevant outputs for other services:\n\n### svc-projects outputs\n\n- `host_project_id`, `gke_project_id`, `data_project_id` (with random suffixes)\n- `gke_project_number`, `data_project_number`\n- Service account emails for default compute accounts\n\n### net-svpc outputs\n\n- `host_project_id` (validated from input)\n- `gke_network_id`, `gke_subnet_id`, `data_network_id`\n- `gke_pods_secondary_range_name`, `gke_services_secondary_range_name`\n- Network CIDR blocks and subnet details\n- DNS zone information\n\n### net-iam outputs\n\n- `gke_workload_identity_service_accounts`: GKE workload identity service account emails\n- `cloudsql_admin_service_account_email`: Cloud SQL admin service account email\n- `gke_service_account_email`: GKE service account email\n- `iap_tunnel_users`: List of users with IAP Tunnel access\n\n### net-bastion outputs\n\n- `bastion_instance_name`, `bastion_instance_id`\n- `bastion_external_ip`, `bastion_internal_ip`\n- `bastion_service_account_email`\n- `bastion_ssh_command`, `bastion_iap_command`\n- `bastion_router_name`, `bastion_nat_name`\n\n### svc-gke outputs\n\n- `cluster_name`, `cluster_endpoint`\n- `cluster_ca_certificate`\n- Node pool information\n\n### svc-sql outputs\n\n- `cloudsql_instances`: Map of Cloud SQL instances with connection details\n- `cloudsql_private_ips`: Private IP addresses for database connections\n- `cloudsql_databases`: Map of all databases across instances\n- `cloudsql_users`: Map of all users across instances\n- 
`cloudsql_read_replicas`: Map of read replicas for scalability\n\n### svc-redis outputs\n\n- Redis instance details\n\n### svc-vpcsc outputs:\n\n- Access policy ID and details\n- Service perimeter configuration\n\n## 🔐 Security\n\n### Network Security\n\n- **Private GKE Cluster**: No public endpoints\n- **Private Cloud SQL**: All databases use private IP addresses\n- **VPC Peering**: Secure inter-VPC communication\n- **Firewall Rules**: Least privilege access\n- **IAP Access**: OAuth-based authentication\n- **Private Google Access**: No external IPs needed\n- **Bastion Host**: Secure jump host with IAP tunnel support\n\n### Database Security\n\n- **SSL/TLS Enforcement**: All database connections encrypted\n- **Private Network**: Databases only accessible via VPC\n- **User Management**: Database-level access control\n- **Backup Encryption**: Automated backups are encrypted\n- **Deletion Protection**: Prevents accidental database deletion\n\n### IAM Security\n\n- **Service Account Isolation**: Dedicated SAs per service\n- **Workload Identity**: Secure pod-to-GCP authentication  \n- **Shared VPC Permissions**: Minimal required permissions\n- **Project Separation**: Resource isolation by project\n- **OS Login**: Centralized SSH access management\n- **IAP Tunnel**: Secure access without public IP exposure\n\n### Bastion Security\n\n- **Key-based Authentication**: SSH keys only, no passwords\n- **Fail2ban Protection**: Automatic brute force attack prevention\n- **Audit Logging**: Complete activity audit trail\n- **Network Restrictions**: Firewall rules limit access to authorized networks\n- **Automatic Updates**: Unattended security updates\n- **Deletion Protection**: Prevents accidental bastion deletion\n\n## 🎯 Best Practices\n\nThis configuration follows Terraform and GCP best practices:\n\n- **Remote State**: GCS backend with locking\n- **Module Design**: Reusable, composable modules\n- **Service Isolation**: Separate state files per service\n- **Variable 
Validation**: Input validation with meaningful errors\n- **Resource Naming**: Consistent naming conventions\n- **Security**: Defense in depth, least privilege\n- **Documentation**: Comprehensive inline and external docs\n- **Access Control**: Multiple secure access methods\n- **Monitoring**: Comprehensive logging and audit trails\n\n## 🚨 Troubleshooting\n\n### Common Issues\n\n1. **Billing Account Permissions**\n\n   ```bash\n   # Error: missing permission billing.resourceAssociations.create\n   # Grant Project Billing Manager role on billing account:\n   gcloud beta billing accounts add-iam-policy-binding BILLING_ACCOUNT_ID \\\n     --member=\"user:EMAIL\" --role=\"roles/billing.projectManager\"\n   ```\n\n2. **Project ID Dependencies**\n\n   ```bash\n   # After deploying svc-projects, update net-svpc configuration:\n   # Manually update net-svpc/terraform.tfvars with actual project ID\n   ```\n\n3. **State Lock Conflicts**\n\n   ```bash\n   # Using Terraform directly\n   terraform force-unlock \u003clock-id\u003e\n   ```\n\n4. **Module Not Found**\n\n   ```bash\n   terraform get -update\n   terraform init -upgrade\n   ```\n\n5. **API Not Enabled**: APIs are automatically enabled during project creation\n\n6. **Deployment Order Issues**\n\n   ```bash\n   # Ensure correct deployment order:\n   # 1. svc-projects\n   # 2. net-svpc\n   # 3. net-iam\n   # 4. net-bastion\n   # 5. svc-gke\n   # 6. svc-sql\n   # 7. svc-redis\n   # 8. svc-vpcsc\n   ```\n\n7. **Database Connection Issues**\n\n   ```bash\n   # Check firewall rules\n   gcloud compute firewall-rules list --filter=\"name=allow-cloudsql-access\"\n\n   # Verify network connectivity\n   gcloud compute instances describe \u003cinstance-name\u003e --zone=\u003czone\u003e\n   ```\n\n8. 
**Bastion Access Issues**\n\n   ```bash\n   # Check IAP tunnel status\n   gcloud compute start-iap-tunnel fintech-prod-bastion 22 \\\n     --local-host-port=localhost:2222 \\\n     --zone=europe-central2-a \\\n     --project=fintech-prod-host-project-8hhr\n\n   # Verify bastion instance status\n   gcloud compute instances describe fintech-prod-bastion \\\n     --zone=europe-central2-a \\\n     --project=fintech-prod-host-project-8hhr\n\n   # Check bastion service account permissions\n   gcloud projects get-iam-policy fintech-prod-host-project-8hhr \\\n     --flatten=\"bindings[].members\" \\\n     --format=\"table(bindings.role)\" \\\n     --filter=\"bindings.members:bastion-prod-host@fintech-prod-host-project.iam.gserviceaccount.com\"\n\n   # Test network connectivity from bastion\n   gcloud compute ssh fintech-prod-bastion \\\n     --zone=europe-central2-a \\\n     --project=fintech-prod-host-project-8hhr \\\n     --command=\"ping -c 3 10.60.4.1\"\n   ```\n\n9. **Configuration Issues**\n\n   ```bash\n   # Validate configuration\n   terraform validate\n   \n   # Check infrastructure status\n   terraform show\n   ```\n\n### Debug Mode\n\n```bash\nexport TF_LOG=DEBUG\nterraform plan\n```\n\n### Support Resources\n\n- [GCP Documentation](https://cloud.google.com/docs)\n- [Terraform GCP Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs)\n- [Project Documentation](docs/)\n- [Bastion Host Manual](net-bastion/README.md)\n\n## 🔄 Maintenance\n\n### Regular Tasks\n\n1. **Provider Updates**: Update provider versions quarterly\n2. **Security Reviews**: Monthly firewall and IAM audits  \n3. **Cost Optimization**: Weekly resource usage reviews\n4. **State Backup**: Automated daily state backups\n5. **Documentation**: Keep LLD docs updated\n6. **Bastion Maintenance**: Regular security updates and access reviews\n7. 
**IAM Reviews**: Quarterly service account and permission audits\n\n### Version Management\n\n```bash\nterraform version\nterraform init -upgrade\nterraform validate\n```\n\n## 📞 Support\n\nFor support and questions:\n\n- Create an issue in this repository\n- Contact the DevOps team\n\n---\n\n**Infrastructure Type**: Multi-Project GCP with Shared VPC, Cloud SQL, VPC Service Controls, Bastion Host, and Comprehensive IAM  \n**Last Updated**: June 2025  \n**Terraform Version**: \u003e= 1.5.0  \n**GCP Provider Version**: \u003e= 5.45.0  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudon-one%2Ffintech-production-ready-infra","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudon-one%2Ffintech-production-ready-infra","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudon-one%2Ffintech-production-ready-infra/lists"}