	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Terraform and IaC > Terraform on GCP > Provisioning GCP Resources with Terraform

Provisioning GCP Resources with Terraform

Author: Venkata Sudhakar

Google Cloud Platform (GCP) is one of the most popular targets for enterprise cloud migrations. Terraform with the hashicorp/google provider gives you a consistent, versioned, repeatable way to provision GCP resources across dev, staging and production environments. Rather than clicking through the GCP console (which is hard to audit and impossible to replicate exactly), all infrastructure is defined as code, reviewed in pull requests, and applied through a CI/CD pipeline. This section covers the three most commonly needed GCP resources in data migration and AI workloads: GCS buckets, Cloud SQL, and GKE clusters.

The Google provider authenticates using Application Default Credentials (ADC). In development, run gcloud auth application-default login. In CI/CD pipelines or GKE, use a service account key JSON file or Workload Identity. Setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of a service account key file is the most common approach for automated pipelines. Always grant the service account only the minimum IAM roles it needs - typically roles/storage.admin for GCS, roles/cloudsql.admin for Cloud SQL, and roles/container.admin for GKE.

The below example shows a complete Terraform configuration provisioning three foundational GCP resources: a GCS bucket for data lake storage, a Cloud SQL PostgreSQL instance, and a GKE Autopilot cluster.

# main.tf - Provisioning core GCP data infrastructure

terraform {
  required_providers {
    google = { source = "hashicorp/google", version = "~> 5.0" }
  }
  backend "gcs" {
    bucket = "my-terraform-state"
    prefix = "gcp-infra/state"
  }
}

provider "google" {
  project = var.project_id
  region  = var.region
}

variable "project_id" { type = string }
variable "region"     { type = string; default = "us-central1" }
variable "environment" { type = string; default = "dev" }

locals {
  prefix = "${var.project_id}-${var.environment}"
  labels = { environment = var.environment, managed_by = "terraform" }
}

# ---- 1. GCS Data Lake Bucket ----
resource "google_storage_bucket" "data_lake" {
  name          = "${local.prefix}-data-lake"
  location      = var.region
  storage_class = "STANDARD"
  force_destroy = var.environment != "prod"

versioning { enabled = true }

lifecycle_rule {
    condition  { age = 90 }
    action     { type = "SetStorageClass"; storage_class = "NEARLINE" }
  }
  lifecycle_rule {
    condition  { age = 365 }
    action     { type = "SetStorageClass"; storage_class = "COLDLINE" }
  }

labels = local.labels
}

# ---- 2. Cloud SQL PostgreSQL Instance ----
resource "google_sql_database_instance" "postgres" {
  name             = "${local.prefix}-postgres"
  database_version = "POSTGRES_15"
  region           = var.region
  deletion_protection = var.environment == "prod"

settings {
    tier              = var.environment == "prod" ? "db-custom-4-15360" : "db-f1-micro"
    availability_type = var.environment == "prod" ? "REGIONAL" : "ZONAL"
    disk_size         = var.environment == "prod" ? 100 : 10
    disk_autoresize   = true

backup_configuration {
      enabled                        = true
      point_in_time_recovery_enabled = var.environment == "prod"
      start_time                     = "03:00"
    }

ip_configuration {
      ipv4_enabled    = false
      private_network = google_compute_network.vpc.id
    }

insights_config { query_insights_enabled = true }
  }
}

resource "google_sql_database" "appdb" {
  name     = "appdb"
  instance = google_sql_database_instance.postgres.name
}

# ---- 3. GKE Autopilot Cluster ----
resource "google_container_cluster" "gke" {
  name             = "${local.prefix}-gke"
  location         = var.region
  enable_autopilot = true

network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

release_channel { channel = "REGULAR" }

workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}

# VPC (required for private Cloud SQL)
resource "google_compute_network" "vpc" {
  name                    = "${local.prefix}-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  name          = "${local.prefix}-subnet"
  ip_cidr_range = "10.0.0.0/24"
  network       = google_compute_network.vpc.id
  region        = var.region
}

It gives the following output,

Terraform will perform the following actions:

  + google_compute_network.vpc
  + google_compute_subnetwork.subnet
  + google_storage_bucket.data_lake
  + google_sql_database_instance.postgres
  + google_sql_database.appdb
  + google_container_cluster.gke

Plan: 6 to add, 0 to change, 0 to destroy.

Do you want to perform these actions? yes

google_compute_network.vpc: Creating...         [3s]
google_compute_subnetwork.subnet: Creating...   [8s]
google_storage_bucket.data_lake: Creating...    [2s]
google_sql_database_instance.postgres: Creating... [5m30s - Cloud SQL takes a few minutes]
google_container_cluster.gke: Creating...       [3m15s - GKE Autopilot provisioning]
google_sql_database.appdb: Creating...          [3s]

Apply complete! Resources: 6 added, 0 changed, 0 destroyed.

Outputs:
bucket_name         = "my-gcp-project-dev-data-lake"
sql_connection_name = "my-gcp-project:us-central1:my-gcp-project-dev-postgres"
gke_kubeconfig_command = "gcloud container clusters get-credentials my-gcp-project-dev-gke --region us-central1 --project my-gcp-project"

Production hardening tips for GCP Terraform:

deletion_protection = true on Cloud SQL and GKE clusters in production - this prevents terraform destroy from accidentally deleting live databases. Enable VPC-native clusters for GKE to get native Pod IP addresses from the subnet CIDR, which simplifies network policy and firewall rules. Use google_secret_manager_secret to store the Cloud SQL password rather than putting it in terraform.tfvars, and reference it with data.google_secret_manager_secret_version. Remote state locking in GCS with a bucket that has versioning enabled ensures your terraform.tfstate is never corrupted by concurrent applies.

Send your comments, suggestions or queries regarding this site to [email protected].