Terraform for GCP — Define Your Google Cloud Infrastructure as Code

GCP's resource model differs from AWS in ways that affect your Terraform architecture. Projects are the primary organizational unit (not accounts), IAM bindings are additive (not policy-based), and many services require API enablement before first use. Your Terraform setup needs to handle all of this.

We start by setting up the GCP project structure with Terraform. The google_project_service resource enables APIs declaratively — no more "Error 403: API not enabled" surprises. IAM bindings use google_project_iam_member for additive permissions, avoiding the footgun of google_project_iam_policy which can lock you out of your own project.

State management uses a GCS bucket with object versioning and uniform bucket-level access. We configure a service account specifically for Terraform with minimal permissions, and use Workload Identity Federation for CI/CD authentication — no long-lived service account keys stored in your pipeline.

Networking on GCP uses a shared VPC model that Terraform handles well. We create VPC networks with custom subnets per region, Private Google Access for internal API calls without public IPs, and Cloud NAT for outbound internet access from private instances. Firewall rules use tags rather than security groups, which requires a different mental model from AWS.

GKE Clusters — Autopilot or Standard mode with private nodes, workload identity, network policy, and node auto-provisioning. We configure maintenance windows, release channels, and cluster autoscaling. The cluster module outputs kubeconfig and service account credentials for ArgoCD or Helm deployments.

Cloud Run — Serverless container deployments with custom domains, VPC connectors for database access, concurrency settings, and min/max instance configuration. Traffic splitting for canary deployments is managed via Terraform, enabling gradual rollouts defined in code.

Cloud SQL — PostgreSQL or MySQL with private IP, automated backups, point-in-time recovery, read replicas, and high availability configuration. Connection strings are stored in Secret Manager and referenced by application workloads via Terraform data sources.

Cloud Storage + CDN — Buckets with lifecycle rules, signed URLs for secure access, and Cloud CDN configuration for static asset delivery. We handle the backend bucket and URL map resources that wire everything together.

Every resource follows GCP's recommended labeling conventions for cost allocation and operational visibility.

A complete Terraform setup for your GCP infrastructure:

• Project structure — API enablement, IAM bindings, and organizational policies managed as code
• Networking — VPC, subnets, Cloud NAT, firewall rules, and Private Google Access
• Compute — GKE, Cloud Run, or Compute Engine modules with auto-scaling
• Data — Cloud SQL, Memorystore, and Cloud Storage with backup policies
• Security — Workload Identity, Secret Manager integration, minimal-privilege IAM
• CI/CD — Cloud Build or GitHub Actions pipeline with plan/apply workflow
• State management — GCS backend with versioning and Workload Identity Federation auth