{"id":30886870,"url":"https://github.com/cloudon-one/gcp-terraform-modules","last_synced_at":"2026-02-12T06:33:03.860Z","repository":{"id":313502209,"uuid":"1051644702","full_name":"cloudon-one/gcp-terraform-modules","owner":"cloudon-one","description":"Opinionated GCP Terraform iaC modules for landing zone implementation","archived":false,"fork":false,"pushed_at":"2025-09-06T12:51:26.000Z","size":88,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-06T14:37:48.187Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudon-one.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-06T12:35:57.000Z","updated_at":"2025-09-06T12:51:29.000Z","dependencies_parsed_at":"2025-09-06T14:37:49.456Z","dependency_job_id":"7f7c592d-4be0-41ab-96f6-5891f5888ebf","html_url":"https://github.com/cloudon-one/gcp-terraform-modules","commit_stats":null,"previous_names":["cloudon-one/gcp-terraform-modules"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/cloudon-one/gcp-terraform-modules","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgcp-terraform-modules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgcp-terraform-modules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgcp-terraform-modules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgcp-terraform-modules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudon-one","download_url":"https://codeload.github.com/cloudon-one/gcp-terraform-modules/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgcp-terraform-modules/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29360644,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-12T01:03:07.613Z","status":"online","status_checked_at":"2026-02-12T02:00:06.911Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-08T13:51:59.646Z","updated_at":"2026-02-12T06:33:03.844Z","avatar_url":"https://github.com/cloudon-one.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GCP Terraform Modules\n\nA comprehensive collection of enterprise-grade Terraform modules for Google Cloud Platform infrastructure provisioning. These modules provide secure, scalable, and production-ready infrastructure components following Google Cloud best practices.\n\n## 🏗️ Architecture Overview\n\nThis repository contains modular Terraform configurations designed for a multi-project, multi-environment Google Cloud architecture. The modules work together to create a complete enterprise infrastructure including:\n\n- **Multi-project structure** with host and service projects\n- **Private GKE clusters** with enterprise security features\n- **Shared VPC networking** with proper segmentation\n- **Secure bastion hosts** for administrative access\n- **Cloud SQL databases** with high availability and backup\n- **Memorystore Redis** for caching and sessions\n- **VPC Service Controls** for data exfiltration protection\n- **IAM management** with least privilege access\n\n## 📁 Module Overview\n\n| Module | Description | Use Case |\n|--------|-------------|----------|\n| [`terraform-google-svc-projects`](./terraform-google-svc-projects/) | Creates and manages multi-project architecture | Foundation - Host and service projects |\n| [`terraform-google-svpc`](./terraform-google-svpc/) | Shared VPC with subnets and firewall rules | Networking - Central network management |\n| [`terraform-google-gke`](./terraform-google-gke/) | Enterprise GKE cluster with security hardening | Compute - Container orchestration |\n| [`terraform-google-bastion`](./terraform-google-bastion/) | Secure jump host with audit logging | Security - Administrative access |\n| [`terraform-google-cloudsql`](./terraform-google-cloudsql/) | Managed Cloud SQL with HA and backup | Storage - Relational databases |\n| [`terraform-google-memorystore`](./terraform-google-memorystore/) | Redis cluster for caching and sessions | Storage - In-memory data store |\n| [`terraform-google-iam`](./terraform-google-iam/) | IAM roles, policies, and service accounts | Security - Identity and access management |\n| [`terraform-google-vpc-sc`](./terraform-google-vpc-sc/) | VPC Service Controls perimeter | Security - Data exfiltration protection |\n\n## 🚀 Quick Start\n\n### Prerequisites\n\n1. **Google Cloud SDK** installed and configured\n\n   ```bash\n   gcloud auth application-default login\n   gcloud config set project YOUR_PROJECT_ID\n   ```\n\n2. **Terraform** \u003e= 1.5.0 installed\n\n   ```bash\n   terraform --version\n   ```\n\n3. **Required APIs** enabled in your Google Cloud project:\n\n   ```bash\n   gcloud services enable \\\n     cloudresourcemanager.googleapis.com \\\n     serviceusage.googleapis.com \\\n     compute.googleapis.com \\\n     container.googleapis.com \\\n     sqladmin.googleapis.com \\\n     redis.googleapis.com \\\n     servicenetworking.googleapis.com \\\n     dns.googleapis.com\n   ```\n\n4. **Required Permissions**:\n   - `roles/resourcemanager.projectCreator` (if creating projects)\n   - `roles/billing.projectManager` (for billing association)\n   - `roles/compute.networkAdmin`\n   - `roles/container.clusterAdmin`\n   - `roles/cloudsql.admin`\n\n### Basic Deployment\n\n```hcl\n# Generate unique suffix for resource naming\nresource \"random_string\" \"suffix\" {\n  length  = 4\n  special = false\n  upper   = false\n}\n\n# 1. Create multi-project structure\nmodule \"projects\" {\n  source = \"./terraform-google-svc-projects\"\n\n  suffix             = random_string.suffix.result\n  billing_account_id = \"123456-ABCDEF-123456\"\n  folder_id          = \"folders/1234567890\"\n  \n  labels = {\n    environment = \"production\"\n    team        = \"platform\"\n  }\n}\n\n# 2. Create shared VPC networking\nmodule \"network\" {\n  source = \"./terraform-google-svpc\"\n  \n  project_id = module.projects.host_project_id\n  region     = \"us-central1\"\n  \n  depends_on = [module.projects]\n}\n\n# 3. Create GKE cluster\nmodule \"gke\" {\n  source = \"./terraform-google-gke\"\n  \n  project_id = module.projects.gke_project_id\n  region     = \"us-central1\"\n  network    = module.network.vpc_self_link\n  subnetwork = module.network.subnets[\"gke\"].self_link\n  \n  depends_on = [module.network]\n}\n\n# 4. Create bastion host\nmodule \"bastion\" {\n  source = \"./terraform-google-bastion\"\n  \n  project_id  = module.projects.host_project_id\n  region      = \"us-central1\"\n  vpc_name    = module.network.vpc_name\n  subnet_name = module.network.subnets[\"bastion\"].name\n  \n  authorized_networks = [\"10.0.0.0/8\"]\n  \n  depends_on = [module.network]\n}\n\n# 5. Create Cloud SQL database\nmodule \"database\" {\n  source = \"./terraform-google-cloudsql\"\n  \n  project_id      = module.projects.data_project_id\n  instance_name   = \"main-db\"\n  region          = \"us-central1\"\n  database_version = \"POSTGRES_15\"\n  \n  ip_configuration = {\n    private_network = module.network.vpc_self_link\n    ipv4_enabled    = false\n  }\n  \n  depends_on = [module.network]\n}\n```\n\n## 📋 Module Dependencies\n\nThe modules are designed to work together in a specific order:\n\n```mermaid\ngraph TD\n    A[terraform-google-svc-projects] --\u003e B[terraform-google-svpc]\n    A --\u003e C[terraform-google-iam]\n    B --\u003e D[terraform-google-gke]\n    B --\u003e E[terraform-google-bastion]\n    B --\u003e F[terraform-google-cloudsql]\n    B --\u003e G[terraform-google-memorystore]\n    A --\u003e H[terraform-google-vpc-sc]\n    C --\u003e D\n    C --\u003e E\n```\n\n## 🔧 Individual Module Usage\n\n### Multi-Project Setup\n\n```hcl\nmodule \"projects\" {\n  source = \"./terraform-google-svc-projects\"\n  \n  suffix             = \"prod\"\n  billing_account_id = var.billing_account_id\n  folder_id          = var.folder_id\n  \n  # Creates: host-project-prod, gke-project-prod, data-project-prod\n}\n```\n\n### Shared VPC Networking\n\n```hcl\nmodule \"network\" {\n  source = \"./terraform-google-svpc\"\n  \n  project_id = module.projects.host_project_id\n  region     = \"us-central1\"\n  \n  # Creates subnets for GKE, data services, bastion, and management\n}\n```\n\n### Secure GKE Cluster\n\n```hcl\nmodule \"gke\" {\n  source = \"./terraform-google-gke\"\n  \n  project_id = module.projects.gke_project_id\n  network    = module.network.vpc_self_link\n  subnetwork = module.network.subnets[\"gke\"].self_link\n  \n  # Private cluster with Workload Identity and encryption\n}\n```\n\n### Bastion Host\n\n```hcl\nmodule \"bastion\" {\n  source = \"./terraform-google-bastion\"\n  \n  project_id = module.projects.host_project_id\n  vpc_name   = module.network.vpc_name\n  \n  enable_iap_tunnel = true\n  ssh_keys = {\n    \"admin\" = file(\"~/.ssh/id_rsa.pub\")\n  }\n}\n```\n\n## 🔒 Security Features\n\n### Network Security\n\n- **Private GKE clusters** with no public IPs\n- **VPC Service Controls** for data exfiltration protection\n- **Firewall rules** with least privilege access\n- **Shared VPC** for centralized network management\n\n### Identity \u0026 Access\n\n- **Workload Identity** for secure pod authentication\n- **IAP tunnels** for secure bastion access\n- **Service accounts** with minimal required permissions\n- **IAM best practices** enforcement\n\n### Data Protection\n\n- **Cloud SQL** with private IP and SSL enforcement\n- **Encrypted persistent disks** and etcd encryption\n- **Secrets management** with Secret Manager integration\n- **Audit logging** for all administrative actions\n\n### Compliance\n\n- **Deletion protection** on critical resources\n- **Binary Authorization** for container security\n- **Shielded GKE nodes** with secure boot\n- **Confidential GKE** for memory encryption\n\n## 🌍 Multi-Region Deployment\n\n```hcl\n# Primary region deployment\nmodule \"primary_region\" {\n  source = \"./complete-infrastructure\"\n  \n  region = \"us-central1\"\n  suffix = \"primary\"\n  # ... other config\n}\n\n# Secondary region for disaster recovery\nmodule \"secondary_region\" {\n  source = \"./complete-infrastructure\"\n  \n  region = \"us-west2\"\n  suffix = \"secondary\"\n  # ... other config\n}\n```\n\n## 📊 Monitoring \u0026 Observability\n\n### Built-in Monitoring\n\n- **GKE monitoring** with managed Prometheus\n- **Cloud SQL** query insights and monitoring\n- **Bastion host** access logging and audit trails\n- **VPC Flow Logs** for network traffic analysis\n\n### Recommended Additional Setup\n\n```hcl\n# Enable Cloud Monitoring and Logging APIs\nresource \"google_project_service\" \"monitoring\" {\n  for_each = toset([\n    \"monitoring.googleapis.com\",\n    \"logging.googleapis.com\",\n    \"cloudtrace.googleapis.com\",\n    \"clouddebugger.googleapis.com\"\n  ])\n  \n  service = each.value\n  project = var.project_id\n}\n```\n\n## 💰 Cost Optimization\n\n### Compute Optimization\n\n- Use **preemptible nodes** for non-critical workloads\n- Enable **cluster autoscaling** to match demand\n- Configure **vertical pod autoscaling** for right-sizing\n\n### Storage Optimization\n\n- Use **pd-standard** disks for non-performance critical workloads\n- Enable **disk autoresize** with limits\n- Configure **backup retention** policies\n\n### Networking\n\n- Minimize **cross-region traffic** with regional deployments\n- Use **private Google Access** to reduce NAT costs\n- Configure **Cloud CDN** for static content\n\n## 🔄 Deployment Patterns\n\n### Environment Promotion\n\n```bash\n# Development\nterraform workspace select dev\nterraform plan -var-file=\"environments/dev.tfvars\"\n\n# Staging  \nterraform workspace select staging\nterraform plan -var-file=\"environments/staging.tfvars\"\n\n# Production\nterraform workspace select prod\nterraform plan -var-file=\"environments/prod.tfvars\"\n```\n\n### GitOps Integration\n\n```yaml\n# .github/workflows/terraform.yml\nname: 'Terraform'\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n\njobs:\n  terraform:\n    name: 'Terraform'\n    runs-on: ubuntu-latest\n    \n    steps:\n    - uses: actions/checkout@v3\n    - uses: hashicorp/setup-terraform@v2\n      \n    - name: Terraform Plan\n      run: terraform plan -no-color\n      \n    - name: Terraform Apply\n      if: github.ref == 'refs/heads/main'\n      run: terraform apply -auto-approve\n```\n\n## 🛠️ Troubleshooting\n\n### Common Issues\n\n1. **API Not Enabled**\n\n   ```bash\n   # Enable required APIs\n   gcloud services enable container.googleapis.com\n   ```\n\n2. **Insufficient Permissions**\n\n   ```bash\n   # Grant required IAM roles\n   gcloud projects add-iam-policy-binding PROJECT_ID \\\n     --member=\"user:email@domain.com\" \\\n     --role=\"roles/container.clusterAdmin\"\n   ```\n\n3. **Quota Exceeded**\n\n   ```bash\n   # Check and request quota increases\n   gcloud compute project-info describe --project=PROJECT_ID\n   ```\n\n4. **Network Connectivity**\n\n   ```bash\n   # Test bastion connectivity\n   gcloud compute ssh bastion-instance --project=PROJECT_ID --zone=us-central1-a\n   ```\n\n### Debug Commands\n\n```bash\n# Check cluster status\ngcloud container clusters describe CLUSTER_NAME --region=REGION\n\n# View instance logs\ngcloud compute instances get-serial-port-output INSTANCE_NAME\n\n# Check Cloud SQL connectivity\ngcloud sql connect INSTANCE_NAME --user=postgres --database=postgres\n```\n\n## 📚 Additional Resources\n\n### Documentation\n\n- [Google Cloud Architecture Center](https://cloud.google.com/architecture)\n- [GKE Security Best Practices](https://cloud.google.com/kubernetes-engine/docs/security-best-practices)\n- [Terraform Google Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs)\n\n### Training\n\n- [Google Cloud Professional Cloud Architect](https://cloud.google.com/certification/cloud-architect)\n- [Terraform Associate Certification](https://www.hashicorp.com/certification/terraform-associate)\n\n### Community\n\n- [Google Cloud Slack Community](https://googlecloud-community.slack.com/)\n- [Terraform Community](https://discuss.hashicorp.com/c/terraform-core/)\n\n## 📄 License\n\nThis project is licensed under the GNU General Public License v3.0 - see the [LICENSE](LICENSE) file for details.\n\n## 🤝 Contributing\n\n1. Fork the repository\n2. Create a feature branch (`git checkout -b feature/amazing-feature`)\n3. Commit your changes (`git commit -m 'Add amazing feature'`)\n4. Push to the branch (`git push origin feature/amazing-feature`)\n5. Open a Pull Request\n\n### Development Guidelines\n\n- Follow [Terraform Style Guide](https://www.terraform.io/docs/language/style.html)\n- Include comprehensive documentation\n- Add examples for new modules\n- Test changes in isolated environments\n- Update README.md for any new features\n\n## 📞 Support\n\nFor questions, issues, or contributions:\n\n- **Issues**: [GitHub Issues](https://github.com/your-org/gcp-terraform-modules/issues)\n- **Discussions**: [GitHub Discussions](https://github.com/your-org/gcp-terraform-modules/discussions)\n- **Security**: Report security vulnerabilities privately\n\n---\n\n**Version**: 1.0.0  \n**Terraform Version**: \u003e= 1.5  \n**Google Provider Version**: \u003e= 5.0  \n**Last Updated**: September 2025","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudon-one%2Fgcp-terraform-modules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudon-one%2Fgcp-terraform-modules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudon-one%2Fgcp-terraform-modules/lists"}