Add GCP Terraform config templates (#769)

iac-template/terraform-hcl-standard/gcp-cloud/README.md

@@ -0,0 +1,14 @@
+# GCP Terraform Baseline Configurations
+
+This directory mirrors the AWS IaC layout and provides opinionated YAML definitions for
+GCP landing zone and workload resources. Each YAML describes the module source, version,
+and default inputs that can be rendered into Terraform variables.
+
+## Layout
+
+- `config/accounts/` — Organization and project bootstrap configuration.
+- `config/resources/` — Reusable module inputs for shared VPC, compute, load balancers,
+  data stores, and messaging components.
+
+The files follow the same naming convention as the AWS templates so that pipelines can
+select matching stacks per cloud provider without additional mapping logic.

iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/dev-landingzone.yaml

@@ -0,0 +1,33 @@
+environment: dev
+landing_zone:
+  organization_id: "123456789012"
+  billing_account: "AAAAAA-BBBBBB-CCCCCC"
+  folder_name: platform-dev
+  audit_project_id: xcontrol-dev-audit
+  monitoring_project_id: xcontrol-dev-monitor
+  log_export:
+    bucket_name: xcontrol-dev-audit-logs
+    retention_days: 365
+    location: US
+  security_baseline:
+    enable_config: true
+    enable_security_command_center: true
+    enable_vpc_sc: true
+    default_shielded_vm: true
+  iam:
+    groups:
+      - name: platform-admins@xcontrol.dev
+        roles:
+          - roles/resourcemanager.folderAdmin
+          - roles/billing.user
+      - name: secops@xcontrol.dev
+        roles:
+          - roles/logging.admin
+          - roles/securitycenter.admin
+  billing_export:
+    dataset_id: dev_billing
+    project_id: xcontrol-dev-monitor
+labels:
+  environment: dev
+  owner: platform
+  cost_center: shared-services

iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/dev.yaml

@@ -0,0 +1,36 @@
+environment: dev
+project:
+  id: xcontrol-dev-apps
+  name: XControl Dev Applications
+  billing_account: "AAAAAA-BBBBBB-CCCCCC"
+  parent:
+    type: folder
+    id: "folders/345678901234"
+  labels:
+    environment: dev
+    owner: app-team
+networking:
+  shared_vpc_host: dev-shared-vpc
+  subnetwork: dev-apps-a
+  region: us-central1
+service_accounts:
+  - name: terraform-runner
+    description: CI/CD pipeline principal
+    roles:
+      - roles/editor
+      - roles/iam.serviceAccountUser
+  - name: runtime
+    description: Workload identity for application services
+    roles:
+      - roles/logging.logWriter
+      - roles/monitoring.metricWriter
+      - roles/storage.objectViewer
+artifact_registry:
+  repository_id: dev-containers
+  location: us-central1
+  formats:
+    - docker
+    - generic
+toggles:
+  enable_kms: true
+  enable_secret_manager: true

iac-template/terraform-hcl-standard/gcp-cloud/config/resources/cloud-sql/sql.yaml

@@ -0,0 +1,37 @@
+service: cloud_sql
+environment: dev
+module:
+  name: postgres
+  source: terraform-google-modules/sql-db/google
+  version: "~> 13.0"
+inputs:
+  project_id: xcontrol-dev-data
+  region: us-central1
+  database_version: POSTGRES_14
+  tier: db-custom-2-4096
+  availability_type: REGIONAL
+  deletion_protection: true
+  storage_auto_resize: true
+  backup_configuration:
+    enabled: true
+    point_in_time_recovery_enabled: true
+    backup_retention_settings:
+      retained_backups: 7
+      retention_unit: COUNT
+  ip_configuration:
+    ipv4_enabled: false
+    private_network: dev-shared-vpc
+    require_ssl: true
+  user:
+    name: app_owner
+    password_secret: projects/xcontrol-dev-data/secrets/sql-app-owner
+  database:
+    name: app_db
+    charset: UTF8
+    collation: en_US.UTF8
+  maintenance_window:
+    day: 7
+    hour: 22
+labels:
+  environment: dev
+  owner: data-team

iac-template/terraform-hcl-standard/gcp-cloud/config/resources/compute-engine/dev.yaml

@@ -0,0 +1,39 @@
+service: compute_engine
+environment: dev
+module:
+  name: compute-mig
+  source: terraform-google-modules/vm/google//modules/mig
+  version: "~> 13.0"
+inputs:
+  project_id: xcontrol-dev-apps
+  region: us-central1
+  target_size: 2
+  instance_template:
+    machine_type: e2-standard-4
+    source_image_family: debian-12
+    disk_size_gb: 50
+    disk_type: pd-balanced
+    service_account_email: runtime@xcontrol-dev-apps.iam.gserviceaccount.com
+    tags:
+      - web
+      - internal
+    metadata:
+      enable-oslogin: "TRUE"
+    labels:
+      tier: web
+  autoscaler:
+    min_replicas: 2
+    max_replicas: 6
+    cooldown_period: 120
+    cpu_utilization_target: 0.65
+  network:
+    network: dev-shared-vpc
+    subnetwork: dev-apps-a
+    create_firewall_rules: false
+  health_check:
+    type: HTTP
+    port: 8080
+    request_path: /healthz
+labels:
+  environment: dev
+  owner: app-team

iac-template/terraform-hcl-standard/gcp-cloud/config/resources/http-lb/lb.yaml

@@ -0,0 +1,37 @@
+service: http_load_balancer
+environment: dev
+module:
+  name: global-http-lb
+  source: terraform-google-modules/lb-http/google
+  version: "~> 9.0"
+inputs:
+  project: xcontrol-dev-network
+  name: dev-http
+  address: dev-http-lb
+  ssl:
+    managed_certificates:
+      - dev-apps.xcontrol.dev
+  backends:
+    - group: web-mig
+      port: 8080
+      health_check:
+        type: HTTP
+        check_interval_sec: 10
+        healthy_threshold: 3
+        unhealthy_threshold: 3
+        timeout_sec: 5
+        request_path: /healthz
+  url_map:
+    default_service: web-mig
+    host_rules:
+      - hosts: ["*.xcontrol.dev"]
+        path_matcher: web
+    path_matchers:
+      - name: web
+        default_service: web-mig
+        path_rules:
+          - paths: ["/api/*"]
+            service: web-mig
+labels:
+  environment: dev
+  owner: platform

iac-template/terraform-hcl-standard/gcp-cloud/config/resources/memorystore/redis.yaml

@@ -0,0 +1,25 @@
+service: memorystore_redis
+environment: dev
+module:
+  name: redis-ha
+  source: terraform-google-modules/memorystore/google
+  version: "~> 8.0"
+inputs:
+  project: xcontrol-dev-data
+  region: us-central1
+  name: dev-cache
+  tier: STANDARD_HA
+  memory_size_gb: 8
+  redis_version: REDIS_7_0
+  transit_encryption_mode: SERVER_AUTHENTICATION
+  authorized_network: dev-shared-vpc
+  connect_mode: PRIVATE_SERVICE_ACCESS
+  maintenance_policy:
+    weekly_maintenance_window:
+      day: FRIDAY
+      start_time:
+        hours: 22
+        minutes: 0
+labels:
+  environment: dev
+  owner: data-team

iac-template/terraform-hcl-standard/gcp-cloud/config/resources/network-lb/lb.yaml

@@ -0,0 +1,26 @@
+service: network_load_balancer
+environment: dev
+module:
+  name: internal-tcp-lb
+  source: terraform-google-modules/lb/google
+  version: "~> 5.0"
+inputs:
+  project: xcontrol-dev-network
+  region: us-central1
+  name: dev-internal
+  protocol: TCP
+  port_range: "5432"
+  network: dev-shared-vpc
+  subnetwork: dev-apps-a
+  backend:
+    group: web-mig
+    health_check:
+      check_interval_sec: 10
+      timeout_sec: 5
+      healthy_threshold: 3
+      unhealthy_threshold: 3
+      tcp_health_check:
+        port: 5432
+labels:
+  environment: dev
+  owner: platform

iac-template/terraform-hcl-standard/gcp-cloud/config/resources/pubsub/topic.yaml

@@ -0,0 +1,24 @@
+service: pubsub
+environment: dev
+module:
+  name: messaging
+  source: git::https://github.com/terraform-google-modules/terraform-google-pubsub.git
+  version: v7.1.0
+inputs:
+  project_id: xcontrol-dev-apps
+  topic: dev-events
+  message_retention_duration: 604800s
+  schema:
+    type: AVRO
+    definition_file: schemas/dev-events.avsc
+  subscriptions:
+    - name: dev-events-primary
+      push_endpoint: https://events.dev.xcontrol.dev/push
+      ack_deadline_seconds: 20
+      enable_message_ordering: true
+      retry_policy:
+        minimum_backoff: 10s
+        maximum_backoff: 300s
+labels:
+  environment: dev
+  owner: platform

iac-template/terraform-hcl-standard/gcp-cloud/config/resources/storage/bucket.yaml

@@ -0,0 +1,33 @@
+service: cloud_storage
+environment: dev
+module:
+  name: artifact-bucket
+  source: terraform-google-modules/cloud-storage/google
+  version: "~> 4.0"
+inputs:
+  project_id: xcontrol-dev-apps
+  name: xcontrol-dev-artifacts
+  location: US
+  versioning: true
+  storage_class: STANDARD
+  uniform_bucket_level_access: true
+  encryption:
+    default_kms_key_name: projects/xcontrol-dev-security/locations/us/keyRings/app/cryptoKeys/storage
+  lifecycle_rules:
+    - action:
+        type: Delete
+      condition:
+        age: 30
+    - action:
+        type: SetStorageClass
+        storage_class: NEARLINE
+      condition:
+        age: 90
+  retention_policy:
+    retention_period: 2592000
+  logging:
+    log_bucket: xcontrol-dev-audit-logs
+    log_object_prefix: storage
+labels:
+  environment: dev
+  owner: app-team

iac-template/terraform-hcl-standard/gcp-cloud/config/resources/vpc/dev.yaml

@@ -0,0 +1,44 @@
+service: network
+environment: dev
+module:
+  name: shared-vpc
+  source: terraform-google-modules/network/google
+  version: "~> 9.1"
+inputs:
+  project_id: xcontrol-dev-network
+  network_name: dev-shared-vpc
+  routing_mode: REGIONAL
+  delete_default_routes_on_create: true
+  subnets:
+    - name: dev-apps-a
+      ip_cidr_range: 10.20.0.0/20
+      region: us-central1
+      secondary_ip_ranges:
+        pods: 10.100.0.0/18
+        services: 10.110.0.0/20
+    - name: dev-apps-b
+      ip_cidr_range: 10.20.16.0/20
+      region: us-east1
+  firewall_rules:
+    ssh_jump:
+      description: Allow SSH from bastion
+      priority: 1000
+      direction: INGRESS
+      ranges: ["10.0.0.0/8"]
+      target_tags: ["bastion"]
+      allow:
+        - protocol: tcp
+          ports: ["22"]
+    health_checks:
+      description: Allow Google health checkers
+      priority: 1001
+      direction: INGRESS
+      ranges:
+        - 35.191.0.0/16
+        - 130.211.0.0/22
+      allow:
+        - protocol: tcp
+          ports: ["80", "443"]
+labels:
+  environment: dev
+  owner: platform