diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/README.md b/iac-template/terraform-hcl-standard/gcp-cloud/README.md
new file mode 100644
index 0000000..61814ed
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/README.md
@@ -0,0 +1,14 @@
+# GCP Terraform Baseline Configurations
+
+This directory mirrors the AWS IaC layout and provides opinionated YAML definitions for
+GCP landing zone and workload resources. Each YAML describes the module source, version,
+and default inputs that can be rendered into Terraform variables.
+
+## Layout
+
+- `config/accounts/` — Organization and project bootstrap configuration.
+- `config/resources/` — Reusable module inputs for shared VPC, compute, load balancers,
+ data stores, and messaging components.
+
+The files follow the same naming convention as the AWS templates so that pipelines can
+select matching stacks per cloud provider without additional mapping logic.
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/dev-landingzone.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/dev-landingzone.yaml
new file mode 100644
index 0000000..42a7e38
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/dev-landingzone.yaml
@@ -0,0 +1,33 @@
+environment: dev
+landing_zone:
+ organization_id: "123456789012"
+ billing_account: "AAAAAA-BBBBBB-CCCCCC"
+ folder_name: platform-dev
+ audit_project_id: xcontrol-dev-audit
+ monitoring_project_id: xcontrol-dev-monitor
+ log_export:
+ bucket_name: xcontrol-dev-audit-logs
+ retention_days: 365
+ location: US
+ security_baseline:
+ enable_config: true
+ enable_security_command_center: true
+ enable_vpc_sc: true
+ default_shielded_vm: true
+ iam:
+ groups:
+ - name: platform-admins@xcontrol.dev
+ roles:
+ - roles/resourcemanager.folderAdmin
+ - roles/billing.user
+ - name: secops@xcontrol.dev
+ roles:
+ - roles/logging.admin
+ - roles/securitycenter.admin
+ billing_export:
+ dataset_id: dev_billing
+ project_id: xcontrol-dev-monitor
+labels:
+ environment: dev
+ owner: platform
+ cost_center: shared-services
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/dev.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/dev.yaml
new file mode 100644
index 0000000..ca65859
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/dev.yaml
@@ -0,0 +1,36 @@
+environment: dev
+project:
+ id: xcontrol-dev-apps
+ name: XControl Dev Applications
+ billing_account: "AAAAAA-BBBBBB-CCCCCC"
+ parent:
+ type: folder
+ id: "folders/345678901234"
+ labels:
+ environment: dev
+ owner: app-team
+networking:
+ shared_vpc_host: dev-shared-vpc
+ subnetwork: dev-apps-a
+ region: us-central1
+service_accounts:
+ - name: terraform-runner
+ description: CI/CD pipeline principal
+ roles:
+ - roles/editor
+ - roles/iam.serviceAccountUser
+ - name: runtime
+ description: Workload identity for application services
+ roles:
+ - roles/logging.logWriter
+ - roles/monitoring.metricWriter
+ - roles/storage.objectViewer
+artifact_registry:
+ repository_id: dev-containers
+ location: us-central1
+ formats:
+ - docker
+ - generic
+toggles:
+ enable_kms: true
+ enable_secret_manager: true
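Review bot: The `log_export` block in dev-landingzone.yaml sets `retention_days: 365` on the audit log bucket but does not lock it, so a principal holding `roles/logging.admin` — which the `secops@xcontrol.dev` group is granted a few lines below — can shorten or delete the retention that the audit trail depends on. If the renderer maps this block onto a Cloud Logging bucket, consider adding `locked: true` next to `retention_days` (the provider's bucket-config resource exposes that flag; confirm the renderer passes it through) so the retention becomes immutable once applied. Separately, `billing_account: "AAAAAA-BBBBBB-CCCCCC"` and `organization_id: "123456789012"` read as placeholders; a comment such as `# placeholder — substituted by the pipeline from a variable, never committed as a real value` would stop a copy of this file from being applied as-is.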
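Review bot: In dev.yaml the `terraform-runner` service account is granted `roles/editor` together with `roles/iam.serviceAccountUser` at project scope, which lets the CI principal act as every service account in `xcontrol-dev-apps` — including the `runtime` workload identity — and modify nearly any resource, so a leaked pipeline credential inherits the whole project. Prefer the specific roles the stacks in this directory actually need (Artifact Registry, compute, storage and KMS admin roles for the managed resources) and, where impersonation is genuinely required, grant `roles/iam.serviceAccountUser` on the individual service account rather than on the project. The `runtime` account's narrow read/write roles further down are the shape to aim for.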
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/cloud-sql/sql.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/cloud-sql/sql.yaml
new file mode 100644
index 0000000..fddaba7
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/cloud-sql/sql.yaml
@@ -0,0 +1,37 @@
+service: cloud_sql
+environment: dev
+module:
+ name: postgres
+ source: terraform-google-modules/sql-db/google
+ version: "~> 13.0"
+inputs:
+ project_id: xcontrol-dev-data
+ region: us-central1
+ database_version: POSTGRES_14
+ tier: db-custom-2-4096
+ availability_type: REGIONAL
+ deletion_protection: true
+ storage_auto_resize: true
+ backup_configuration:
+ enabled: true
+ point_in_time_recovery_enabled: true
+ backup_retention_settings:
+ retained_backups: 7
+ retention_unit: COUNT
+ ip_configuration:
+ ipv4_enabled: false
+ private_network: dev-shared-vpc
+ require_ssl: true
+ user:
+ name: app_owner
+ password_secret: projects/xcontrol-dev-data/secrets/sql-app-owner
+ database:
+ name: app_db
+ charset: UTF8
+ collation: en_US.UTF8
+ maintenance_window:
+ day: 7
+ hour: 22
+labels:
+ environment: dev
+ owner: data-team
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/compute-engine/dev.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/compute-engine/dev.yaml
new file mode 100644
index 0000000..ab6a5c7
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/compute-engine/dev.yaml
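Review bot: The Cloud SQL instance enables `require_ssl` and private IP only, but defines no `database_flags`, so connection-level auditing stays at the Postgres defaults and the audit log sink set up in the landing zone gets no record of who connected to `app_db`. Adding a flag list alongside `ip_configuration`, e.g. `database_flags:` / `  - name: log_connections` / `    value: "on"` (and the same for `log_disconnections`; keep the value quoted so YAML does not turn `on` into a boolean), gives the logs something to collect — confirm that the sql-db module at `~> 13.0` accepts the flags as a list of name/value maps. `retained_backups: 7` is also a short window for an instance that has `deletion_protection: true` and `point_in_time_recovery_enabled: true`; check that a week of backups matches the environment's recovery objective.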
@@ -0,0 +1,39 @@
+service: compute_engine
+environment: dev
+module:
+ name: compute-mig
+ source: terraform-google-modules/vm/google//modules/mig
+ version: "~> 13.0"
+inputs:
+ project_id: xcontrol-dev-apps
+ region: us-central1
+ target_size: 2
+ instance_template:
+ machine_type: e2-standard-4
+ source_image_family: debian-12
+ disk_size_gb: 50
+ disk_type: pd-balanced
+ service_account_email: runtime@xcontrol-dev-apps.iam.gserviceaccount.com
+ tags:
+ - web
+ - internal
+ metadata:
+ enable-oslogin: "TRUE"
+ labels:
+ tier: web
+ autoscaler:
+ min_replicas: 2
+ max_replicas: 6
+ cooldown_period: 120
+ cpu_utilization_target: 0.65
+ network:
+ network: dev-shared-vpc
+ subnetwork: dev-apps-a
+ create_firewall_rules: false
+ health_check:
+ type: HTTP
+ port: 8080
+ request_path: /healthz
+labels:
+ environment: dev
+ owner: app-team
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/http-lb/lb.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/http-lb/lb.yaml
new file mode 100644
index 0000000..2222248
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/http-lb/lb.yaml
@@ -0,0 +1,37 @@
+service: http_load_balancer
+environment: dev
+module:
+ name: global-http-lb
+ source: terraform-google-modules/lb-http/google
+ version: "~> 9.0"
+inputs:
+ project: xcontrol-dev-network
+ name: dev-http
+ address: dev-http-lb
+ ssl:
+ managed_certificates:
+ - dev-apps.xcontrol.dev
+ backends:
+ - group: web-mig
+ port: 8080
+ health_check:
+ type: HTTP
+ check_interval_sec: 10
+ healthy_threshold: 3
+ unhealthy_threshold: 3
+ timeout_sec: 5
+ request_path: /healthz
+ url_map:
+ default_service: web-mig
+ host_rules:
+ - hosts: ["*.xcontrol.dev"]
+ path_matcher: web
+ path_matchers:
+ - name: web
+ default_service: web-mig
+ path_rules:
+ - paths: ["/api/*"]
+ service: web-mig
+labels:
+ environment: dev
+ owner: platform
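Review bot: The `instance_template` block in compute-engine/dev.yaml turns on OS Login (`enable-oslogin: "TRUE"`) but says nothing about Shielded VM, even though `dev-landingzone.yaml` in this same commit sets `default_shielded_vm: true` under `security_baseline`; the template should state it explicitly so the MIG does not rely on an org-level default that may not be enforced in `xcontrol-dev-apps`. If the vm module's instance_template inputs are forwarded as-is, `enable_shielded_vm: true` plus a `shielded_instance_config` enabling secure boot, vTPM and integrity monitoring is the relevant key set (confirm the exact names against the pinned `~> 13.0` module). Nothing here constrains the `runtime@…` service account's access scopes either, so the module default applies silently; naming them in the file makes the intended boundary reviewable alongside the IAM roles in `accounts/dev.yaml`.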
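Review bot: In http-lb/lb.yaml, `host_rules` matches `["*.xcontrol.dev"]` while `ssl.managed_certificates` lists only `dev-apps.xcontrol.dev`, so any other hostname routed by the wildcard would be served a mismatched certificate; either narrow the host rule to the certificate's name or add the extra names to the managed certificate. The `ssl` block also leaves plain HTTP answered and the TLS policy unset — the lb-http module exposes `https_redirect` and `ssl_policy` inputs for this (confirm against `~> 9.0`), and without a policy the platform default still permits TLS 1.0. Since this is the only internet-facing entry point in the set, a Cloud Armor `security_policy` reference on the `web-mig` backend is also worth considering.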
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/memorystore/redis.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/memorystore/redis.yaml
new file mode 100644
index 0000000..c6e5d9e
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/memorystore/redis.yaml
@@ -0,0 +1,25 @@
+service: memorystore_redis
+environment: dev
+module:
+ name: redis-ha
+ source: terraform-google-modules/memorystore/google
+ version: "~> 8.0"
+inputs:
+ project: xcontrol-dev-data
+ region: us-central1
+ name: dev-cache
+ tier: STANDARD_HA
+ memory_size_gb: 8
+ redis_version: REDIS_7_0
+ transit_encryption_mode: SERVER_AUTHENTICATION
+ authorized_network: dev-shared-vpc
+ connect_mode: PRIVATE_SERVICE_ACCESS
+ maintenance_policy:
+ weekly_maintenance_window:
+ day: FRIDAY
+ start_time:
+ hours: 22
+ minutes: 0
+labels:
+ environment: dev
+ owner: data-team
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/network-lb/lb.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/network-lb/lb.yaml
new file mode 100644
index 0000000..1046956
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/network-lb/lb.yaml
@@ -0,0 +1,26 @@
+service: network_load_balancer
+environment: dev
+module:
+ name: internal-tcp-lb
+ source: terraform-google-modules/lb/google
+ version: "~> 5.0"
+inputs:
+ project: xcontrol-dev-network
+ region: us-central1
+ name: dev-internal
+ protocol: TCP
+ port_range: "5432"
+ network: dev-shared-vpc
+ subnetwork: dev-apps-a
+ backend:
+ group: web-mig
+ health_check:
+ check_interval_sec: 10
+ timeout_sec: 5
+ healthy_threshold: 3
+ unhealthy_threshold: 3
+ tcp_health_check:
+ port: 5432
+labels:
+ environment: dev
+ owner: platform
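Review bot: The Redis instance in memorystore/redis.yaml enables in-transit encryption and private connectivity but not Redis AUTH, so any workload that can reach `dev-shared-vpc` through `PRIVATE_SERVICE_ACCESS` can issue commands to `dev-cache` without presenting a credential. Add `auth_enabled: true` next to `transit_encryption_mode` (that is the provider's argument name; confirm the memorystore module at `~> 8.0` forwards it) and hand the generated AUTH string to the workload via Secret Manager, which `accounts/dev.yaml` already toggles on. A one-line comment that `SERVER_AUTHENTICATION` requires clients to trust the instance's server CA would also save application owners a surprise at first connect.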
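Review bot: In network-lb/lb.yaml the module name `internal-tcp-lb` and the `network`/`subnetwork` inputs suggest an internal load balancer, but `terraform-google-modules/lb/google` is, as far as I recall, the regional *external* network load balancer module (the internal variant is `lb-internal/google`); if that is right, this file publishes port `5432` on a public forwarding rule pointed at `web-mig`, which is a web instance group rather than a database. Confirm which module is intended and either change `source` or rename the stack, and re-check that `web-mig` is really the backend for a Postgres port given that `cloud-sql/sql.yaml` in this commit keeps the database on private IP only. The `tcp_health_check` probes `5432` while the VPC firewall in this commit only opens `80` and `443` to the Google health-check ranges, so the backends would be marked unhealthy as written.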
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/pubsub/topic.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/pubsub/topic.yaml
new file mode 100644
index 0000000..0c0c4ea
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/pubsub/topic.yaml
@@ -0,0 +1,24 @@
+service: pubsub
+environment: dev
+module:
+ name: messaging
+ source: git::https://github.com/terraform-google-modules/terraform-google-pubsub.git
+ version: v7.1.0
+inputs:
+ project_id: xcontrol-dev-apps
+ topic: dev-events
+ message_retention_duration: 604800s
+ schema:
+ type: AVRO
+ definition_file: schemas/dev-events.avsc
+ subscriptions:
+ - name: dev-events-primary
+ push_endpoint: https://events.dev.xcontrol.dev/push
+ ack_deadline_seconds: 20
+ enable_message_ordering: true
+ retry_policy:
+ minimum_backoff: 10s
+ maximum_backoff: 300s
+labels:
+ environment: dev
+ owner: platform
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/storage/bucket.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/storage/bucket.yaml
new file mode 100644
index 0000000..cee32eb
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/storage/bucket.yaml
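Review bot: `module.source` in pubsub/topic.yaml is a bare `git::https://…terraform-google-pubsub.git` URL and the `version: v7.1.0` key beside it does not pin anything — Terraform does not accept a `version` constraint on a non-registry source, so depending on how the renderer emits the module block this either errors or the key is dropped and every run checks out the repository's default branch, an unpinned supply-chain input. Move the pin into the URL, `source: git::https://github.com/terraform-google-modules/terraform-google-pubsub.git?ref=v7.1.0` (a commit SHA in `ref=` is stronger than a tag, which can be moved), or use the registry form `terraform-google-modules/pubsub/google` with a version constraint like every other file in this commit. The push subscription to `https://events.dev.xcontrol.dev/push` also carries no authentication configuration; without an OIDC token on the push config (`oidc_token` with a `service_account_email`) the receiver cannot tell genuine Pub/Sub deliveries from any other client that learns the URL.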
@@ -0,0 +1,33 @@
+service: cloud_storage
+environment: dev
+module:
+ name: artifact-bucket
+ source: terraform-google-modules/cloud-storage/google
+ version: "~> 4.0"
+inputs:
+ project_id: xcontrol-dev-apps
+ name: xcontrol-dev-artifacts
+ location: US
+ versioning: true
+ storage_class: STANDARD
+ uniform_bucket_level_access: true
+ encryption:
+ default_kms_key_name: projects/xcontrol-dev-security/locations/us/keyRings/app/cryptoKeys/storage
+ lifecycle_rules:
+ - action:
+ type: Delete
+ condition:
+ age: 30
+ - action:
+ type: SetStorageClass
+ storage_class: NEARLINE
+ condition:
+ age: 90
+ retention_policy:
+ retention_period: 2592000
+ logging:
+ log_bucket: xcontrol-dev-audit-logs
+ log_object_prefix: storage
+labels:
+ environment: dev
+ owner: app-team
diff --git a/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/vpc/dev.yaml b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/vpc/dev.yaml
new file mode 100644
index 0000000..a0a5589
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/resources/vpc/dev.yaml
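Review bot: The `lifecycle_rules` in storage/bucket.yaml are partly dead: the first rule deletes objects at `age: 30`, so the `SetStorageClass: NEARLINE` rule at `age: 90` can never fire, and `retention_policy.retention_period: 2592000` (30 days) coincides with the deletion age, so the retention policy adds no protection beyond the lifecycle rule; pick one intent (archive or purge) and align the numbers, with a comment stating the chosen window. If the retention policy is meant as an integrity control for artifacts, the file should also say whether it is locked (`is_locked`, confirm the module's key name), since an unlocked policy can be shortened by any bucket admin. `default_kms_key_name` points at a key in `xcontrol-dev-security`, and nothing in this commit grants the `xcontrol-dev-apps` Cloud Storage service agent access to it; a note like `# requires roles/cloudkms.cryptoKeyEncrypterDecrypter for the GCS service agent on this key` would avoid a failed first apply. Finally, `log_bucket: xcontrol-dev-audit-logs` reuses the name from `log_export.bucket_name` in the landing zone; if that is a Cloud Logging bucket rather than a GCS bucket, storage access logs cannot be delivered there — worth confirming.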
@@ -0,0 +1,44 @@
+service: network
+environment: dev
+module:
+ name: shared-vpc
+ source: terraform-google-modules/network/google
+ version: "~> 9.1"
+inputs:
+ project_id: xcontrol-dev-network
+ network_name: dev-shared-vpc
+ routing_mode: REGIONAL
+ delete_default_routes_on_create: true
+ subnets:
+ - name: dev-apps-a
+ ip_cidr_range: 10.20.0.0/20
+ region: us-central1
+ secondary_ip_ranges:
+ pods: 10.100.0.0/18
+ services: 10.110.0.0/20
+ - name: dev-apps-b
+ ip_cidr_range: 10.20.16.0/20
+ region: us-east1
+ firewall_rules:
+ ssh_jump:
+ description: Allow SSH from bastion
+ priority: 1000
+ direction: INGRESS
+ ranges: ["10.0.0.0/8"]
+ target_tags: ["bastion"]
+ allow:
+ - protocol: tcp
+ ports: ["22"]
+ health_checks:
+ description: Allow Google health checkers
+ priority: 1001
+ direction: INGRESS
+ ranges:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+ allow:
+ - protocol: tcp
+ ports: ["80", "443"]
+labels:
+ environment: dev
+ owner: platform
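Review bot: The `ssh_jump` rule is described as "Allow SSH from bastion", but `ranges: ["10.0.0.0/8"]` with `target_tags: ["bastion"]` actually permits SSH *to* bastion-tagged instances from the entire 10/8 space, i.e. every subnet and any peered network; either the description or the rule is wrong, and the least-privilege reading is to narrow `ranges` to the administrative source range and keep the tag. The `health_checks` rule has no `target_tags`, so it opens `80`/`443` on every instance in `dev-shared-vpc`, and it omits `8080`, which is the port both `compute-engine/dev.yaml` and `http-lb/lb.yaml` in this commit probe — the MIG will fail health checks as configured; `target_tags: ["web"]` and `ports: ["80", "443", "8080"]` address both. Neither rule enables firewall logging; a `log_config` with `INCLUDE_ALL_METADATA` gives the audit project in the landing zone something to detect against. The subnets also do not enable Private Google Access (the network module's `subnet_private_access` key, confirm the name), yet the workloads appear intended to stay private-IP only, in which case they cannot reach Secret Manager, Artifact Registry or Cloud KMS without it.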