Part 1: Core GCP Infrastructure
Project and Organization Setup
# project_setup.tf
resource "google_project" "project" {
name = "My Project"
project_id = var.project_id
folder_id = var.folder_id
billing_account = var.billing_account_id
labels = {
environment = var.environment
team = var.team_name
}
}
resource "google_project_service" "services" {
for_each = toset([
"compute.googleapis.com",
"container.googleapis.com",
"cloudfunctions.googleapis.com",
"cloudrun.googleapis.com",
"cloudbuild.googleapis.com",
"monitoring.googleapis.com",
"logging.googleapis.com",
"cloudkms.googleapis.com",
"secretmanager.googleapis.com"
])
project = google_project.project.project_id
service = each.key
disable_on_destroy = false
}VPC and Networking
# networking.tf
resource "google_compute_network" "vpc" {
name = "${var.environment}-vpc"
project = var.project_id
auto_create_subnetworks = false
delete_default_routes_on_create = true
mtu = 1500
}
resource "google_compute_subnetwork" "subnets" {
for_each = var.subnets
name = each.key
project = var.project_id
network = google_compute_network.vpc.id
region = each.value.region
ip_cidr_range = each.value.cidr
private_ip_google_access = true
secondary_ip_range = [
for range in each.value.secondary_ranges : {
range_name = range.name
ip_cidr_range = range.cidr
}
]
log_config {
aggregation_interval = "INTERVAL_5_SEC"
flow_sampling = 0.5
metadata = "INCLUDE_ALL_METADATA"
}
}
# Cloud NAT
resource "google_compute_router" "router" {
name = "${var.environment}-router"
project = var.project_id
region = var.region
network = google_compute_network.vpc.id
}
resource "google_compute_router_nat" "nat" {
name = "${var.environment}-nat"
project = var.project_id
router = google_compute_router.router.name
region = var.region
nat_ip_allocate_option = "AUTO_ONLY"
source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
log_config {
enable = true
filter = "ERRORS_ONLY"
}
}Firewall Rules
# firewall.tf
locals {
common_tags = ["allow-internal", var.environment]
}
resource "google_compute_firewall" "internal" {
name = "${var.environment}-allow-internal"
project = var.project_id
network = google_compute_network.vpc.id
allow {
protocol = "icmp"
}
allow {
protocol = "tcp"
ports = ["0-65535"]
}
allow {
protocol = "udp"
ports = ["0-65535"]
}
source_ranges = [
for subnet in google_compute_subnetwork.subnets : subnet.ip_cidr_range
]
target_tags = local.common_tags
}
resource "google_compute_firewall" "iap" {
name = "${var.environment}-allow-iap"
project = var.project_id
network = google_compute_network.vpc.id
allow {
protocol = "tcp"
ports = ["22", "3389"]
}
source_ranges = ["35.235.240.0/20"] # IAP range
target_tags = ["allow-iap"]
}GKE Cluster
# gke.tf
resource "google_container_cluster" "primary" {
name = "${var.environment}-gke-cluster"
project = var.project_id
location = var.region
# Use regional cluster for high availability
node_locations = [
"${var.region}-a",
"${var.region}-b",
"${var.region}-c"
]
network = google_compute_network.vpc.id
subnetwork = google_compute_subnetwork.subnets["gke"].id
# Enable Autopilot or use standard cluster
enable_autopilot = var.enable_autopilot
dynamic "private_cluster_config" {
for_each = var.private_cluster ? [1] : []
content {
enable_private_nodes = true
enable_private_endpoint = false
master_ipv4_cidr_block = "172.16.0.0/28"
}
}
ip_allocation_policy {
cluster_secondary_range_name = "pods"
services_secondary_range_name = "services"
}
master_authorized_networks_config {
dynamic "cidr_blocks" {
for_each = var.authorized_networks
content {
cidr_block = cidr_blocks.value.cidr
display_name = cidr_blocks.value.name
}
}
}
maintenance_policy {
recurring_window {
start_time = "2022-01-01T00:00:00Z"
end_time = "2022-01-02T00:00:00Z"
recurrence = "FREQ=WEEKLY;BYDAY=SA,SU"
}
}
workload_identity_config {
workload_pool = "${var.project_id}.svc.id.goog"
}
addons_config {
http_load_balancing {
disabled = false
}
horizontal_pod_autoscaling {
disabled = false
}
network_policy_config {
disabled = false
}
gcp_filestore_csi_driver_config {
enabled = true
}
}
}
# Node Pool (if not using Autopilot)
resource "google_container_node_pool" "primary_nodes" {
count = var.enable_autopilot ? 0 : 1
name = "${var.environment}-node-pool"
project = var.project_id
location = var.region
cluster = google_container_cluster.primary.name
node_count = var.node_count
autoscaling {
min_node_count = var.min_nodes
max_node_count = var.max_nodes
}
management {
auto_repair = true
auto_upgrade = true
}
node_config {
machine_type = var.machine_type
disk_size_gb = var.disk_size_gb
disk_type = "pd-ssd"
oauth_scopes = [
"https://www.googleapis.com/auth/cloud-platform"
]
labels = {
environment = var.environment
}
taint {
key = "dedicated"
value = "special"
effect = "NO_SCHEDULE"
}
workload_metadata_config {
mode = "GKE_METADATA"
}
}
}[Continue to Part 2 with Cloud SQL, Cloud Storage, Load Balancing, and more GCP services?]
Would you like me to continue with the next part covering more GCP services and their Terraform configurations?