# Terraform Modules Reference

All modules live in infrastructure-management/modules/. They are called from infrastructure-management/projects/orofi-{env}/.
## Module Index

| Module | Path | Purpose |
|---|---|---|
| k8s | modules/k8s/ | GKE cluster provisioning |
| network | modules/network/ | VPC, subnets, firewall, NAT, static IPs |
| datastore | modules/datastore/ | Cloud SQL MySQL instance |
| redis | modules/redis/ | Cloud Memorystore Redis |
| artifacts | modules/artifacts/ | Artifact Registry repositories |
| secretmanager | modules/secretmanager/ | GCP Secret Manager secrets |
| secretmanager-version | modules/secretmanager-version/ | Secret version management |
| service-accounts | modules/service-accounts/ | GCP SAs + IAM + Workload Identity |
| helm | modules/helm/ | Helm releases (Istio, cert-manager, ArgoCD) |
| dns | modules/dns/ | Cloud DNS records |
| buckets | modules/buckets/ | GCS buckets |
| users-access | modules/users-access/ | User IAM bindings |
| cert-monitor | modules/cert-monitor/ | Certificate monitoring |
| kms | modules/kms/ | Cloud KMS key rings and keys |
| cloudsql-root-password | modules/cloudsql-root-password/ | Auto-generate root password |
| cloudsql-microservice-credentials | modules/cloudsql-microservice-credentials/ | Per-service DB users + secrets |
## k8s

Path: infrastructure-management/modules/k8s/

Provisions a GKE zonal cluster with autoscaling, Workload Identity, and configurable control plane access.

### Key Inputs

| Input | Type | Description | Default |
|---|---|---|---|
| project_id | string | GCP project ID | required |
| name | string | Cluster name | required |
| region | string | GCP region | required |
| zone | string | GCP zone | required |
| node_count | number | Initial node count | 1 |
| min_nodes | number | Autoscaler minimum | 0 |
| max_nodes | number | Autoscaler maximum | 15 |
| network | string | VPC network name | required |
| subnetwork | string | Subnet name | required |
| zero_trust | bool | Restrict master control plane access | false |
| trusted_ips | list(string) | IP ranges for master access | [] |

### Usage Example

```hcl
# infrastructure-management/projects/orofi-dev/k8s.tf
module "k8s" {
  source      = "../../modules/k8s"
  project_id  = local.project_id # orofi-dev-cloud
  name        = "${local.project_id}-${local.env}-k8s-cluster"
  region      = local.region # us-central1
  zone        = local.zone   # us-central1-a
  node_count  = 1
  min_nodes   = 0
  max_nodes   = 15
  network     = module.network.vpc_name
  subnetwork  = module.network.subnet_name
  zero_trust  = true
  trusted_ips = ["35.226.57.140/32", "10.0.0.0/8", "11.0.0.0/16"]
}
```
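How the zero_trust and trusted_ips inputs can be turned into GKE master authorized networks, as an added example of what such a module does internally (not the k8s module's own code). The resource names, the single node pool and the Terraform >= 1.2 precondition are this example's choices.

```hcl
# Added example; not the k8s module's own code. Variables are the inputs from
# the table above, resource names are assumed.
resource "google_container_cluster" "this" {
  project    = var.project_id
  name       = var.name
  location   = var.zone # a zone here makes this a zonal cluster
  network    = var.network
  subnetwork = var.subnetwork
  remove_default_node_pool = true
  initial_node_count       = 1
  # Pods obtain GCP credentials through Workload Identity, not node keys.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
  # zero_trust = true: only trusted_ips may reach the Kubernetes API endpoint.
  # zero_trust = false: no block, and the endpoint answers any source IP.
  dynamic "master_authorized_networks_config" {
    for_each = var.zero_trust ? [1] : []
    content {
      dynamic "cidr_blocks" {
        for_each = var.trusted_ips
        content {
          cidr_block   = cidr_blocks.value
          display_name = "trusted-${cidr_blocks.key}"
        }
      }
    }
  }
  lifecycle {
    precondition {
      condition     = !var.zero_trust || length(var.trusted_ips) > 0
      error_message = "zero_trust = true with an empty trusted_ips list would lock every client out of the API server."
    }
  }
}

resource "google_container_node_pool" "pool" {
  project    = var.project_id
  name       = "${var.name}-pool"
  cluster    = google_container_cluster.this.name
  location   = var.zone
  node_count = var.node_count
  autoscaling {
    min_node_count = var.min_nodes
    max_node_count = var.max_nodes
  }
  node_config {
    workload_metadata_config { mode = "GKE_METADATA" } # required for Workload Identity
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

Master authorized networks only limit which source addresses can open a connection to the API server; authentication and RBAC still apply to every request that gets through.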
## network

Path: infrastructure-management/modules/network/

Creates VPC, subnet, Cloud Router, Cloud NAT, optional zero-trust firewall rules, and a static IP for the ingress load balancer.

### Key Inputs

| Input | Type | Description |
|---|---|---|
| project_id | string | GCP project ID |
| env | string | Environment name |
| region | string | GCP region |
| cidr | string | VPC CIDR block (e.g., 10.0.0.0/16) |
| zero_trust | bool | Enable deny-all + allow-trusted firewall rules |
| trusted_ips | list(string) | IPs to allow when zero_trust is true |

### Key Outputs

| Output | Description |
|---|---|
| vpc_name | VPC network name |
| subnet_name | Subnet name |
| ingress_static_ip | Static IP for Istio IngressGateway |
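The deny-all + allow-trusted rule pair that zero_trust enables, as an added example (not the network module's own code). It assumes var.vpc_name and an "ingress-gateway" network tag on the nodes that front Istio, alongside the inputs from the table above.

```hcl
# Added example of the zero-trust rule pair, not the network module's own code.
# Assumed inputs: var.project_id, var.env, var.zero_trust, var.trusted_ips
# (from the table above) and var.vpc_name; the "ingress-gateway" tag is assumed.

# Catch-all at the lowest priority: anything the allow rules do not match is
# dropped. Logging the denies gives detection a record of who was probing.
resource "google_compute_firewall" "deny_all_ingress" {
  count         = var.zero_trust ? 1 : 0
  project       = var.project_id
  name          = "${var.env}-deny-all-ingress"
  network       = var.vpc_name
  direction     = "INGRESS"
  priority      = 65000
  source_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
  log_config { metadata = "INCLUDE_ALL_METADATA" }
}

# Lower number = higher priority, so this is evaluated before the deny.
resource "google_compute_firewall" "allow_trusted_ingress" {
  count         = var.zero_trust ? 1 : 0
  project       = var.project_id
  name          = "${var.env}-allow-trusted-ingress"
  network       = var.vpc_name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = var.trusted_ips
  target_tags   = ["ingress-gateway"]
  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }
}

# Google's health checkers are not in trusted_ips; without this rule the
# ingress load balancer marks every backend unhealthy once deny-all is on.
# (35.191.0.0/16 and 130.211.0.0/22 are the ranges for backend-service based
# load balancers; a target-pool network LB uses different documented ranges.)
resource "google_compute_firewall" "allow_lb_health_checks" {
  count         = var.zero_trust ? 1 : 0
  project       = var.project_id
  name          = "${var.env}-allow-lb-health-checks"
  network       = var.vpc_name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
  target_tags   = ["ingress-gateway"]
  allow { protocol = "tcp" }
}
```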
## datastore

Path: infrastructure-management/modules/datastore/

Creates a Cloud SQL MySQL 8.0 instance with configurable tier, disk, availability type, backup settings, and private network.

### Key Inputs

| Input | Type | Description |
|---|---|---|
| project_id | string | GCP project ID |
| env | string | Environment name (used in instance name) |
| tier | string | Machine type (e.g., db-f1-micro, db-n1-standard-1) |
| availability_type | string | ZONAL or REGIONAL |
| disk_type | string | PD_HDD or PD_SSD |
| disk_size | number | Disk size in GB |
| network | string | VPC network self-link |
| backup_retention | number | Number of backups to retain |
| psc_enabled | bool | Enable Private Service Connect |
## redis

Path: infrastructure-management/modules/redis/

Creates a Cloud Memorystore Redis instance.

### Key Inputs

| Input | Type | Description |
|---|---|---|
| project_id | string | GCP project ID |
| env | string | Environment name |
| region | string | GCP region |
| tier | string | STANDARD_HA or BASIC |
| memory_size_gb | number | Memory in GB |
| replica_count | number | Number of read replicas |
| auth_enabled | bool | Enable Redis AUTH |
| persistence_mode | string | RDB or AOF |
| rdb_snapshot_period | string | Snapshot frequency (e.g., SIX_HOURS) |
## artifacts

Path: infrastructure-management/modules/artifacts/

Creates Artifact Registry repositories for Docker images and Maven packages.

### Key Inputs

| Input | Type | Description |
|---|---|---|
| project_id | string | GCP project ID |
| region | string | Repository region |
| repository_id | string | Repository name |
| format | string | DOCKER or MAVEN |
## secretmanager

Path: infrastructure-management/modules/secretmanager/

Creates a GCP Secret Manager secret (without a version/value; the value is added separately or out-of-band).

### Key Inputs

| Input | Type | Description |
|---|---|---|
| project_id | string | GCP project ID |
| secret_id | string | Secret name (e.g., dev-microservice-identity-secret) |
| replication | string | Replication policy |
## secretmanager-version

Path: infrastructure-management/modules/secretmanager-version/

Adds a version to an existing Secret Manager secret. Used when a secret value is known at Terraform apply time.
## service-accounts

Path: infrastructure-management/modules/service-accounts/

The most complex module. Creates a GCP service account, grants IAM roles, creates the Workload Identity binding, and grants secretmanager.secretAccessor on the specified secrets.

### Key Inputs

| Input | Type | Description |
|---|---|---|
| project_id | string | GCP project ID |
| name | string | Service account name (e.g., microservice-identity) |
| display_name | string | Human-readable name |
| k8s_namespace | string | Kubernetes namespace for Workload Identity binding |
| k8s_sa_name | string | Kubernetes ServiceAccount name |
| iam_roles | list(string) | GCP IAM roles to grant (e.g., ["roles/storage.admin"]) |
| secret_ids | list(string) | Secret Manager secret IDs to grant secretAccessor on |

### Usage Example

```hcl
module "microservice_identity_sa" {
  source        = "../../modules/service-accounts"
  project_id    = local.project_id
  name          = "microservice-identity"
  display_name  = "Microservice Identity SA"
  k8s_namespace = "microservice-identity"
  k8s_sa_name   = "microservice-identity-sa"
  iam_roles     = ["roles/storage.admin"]
  secret_ids = [
    "stage-microservice-identity-secret",
    "stage-microservice-identity-db-connection",
    "stage-shared-microservice-secrets",
    "stage-redis-auth-password",
    "stage-firebase-password",
  ]
}
```
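The four grants the module description lists (service account, project roles, Workload Identity binding, per-secret accessor), written out as an added example rather than the module's own code; the inputs are the ones in the table above and the resource names are assumed.

```hcl
# Added example of what the service-accounts module wires together; not the
# module's own code. Inputs are the table above; resource names are assumed.
resource "google_service_account" "sa" {
  project      = var.project_id
  account_id   = var.name
  display_name = var.display_name
}

# Project-level roles, one binding per role, so removing an entry from
# iam_roles revokes exactly that role and nothing else.
resource "google_project_iam_member" "roles" {
  for_each = toset(var.iam_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.sa.email}"
}

# Workload Identity: only the named Kubernetes ServiceAccount in the named
# namespace may impersonate this GCP SA; no other pod in the cluster can.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.sa.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.k8s_namespace}/${var.k8s_sa_name}]"
}

# secretAccessor on each listed secret, not on the project: the SA can read
# its own secrets and no others.
resource "google_secret_manager_secret_iam_member" "secrets" {
  for_each  = toset(var.secret_ids)
  project   = var.project_id
  secret_id = each.value
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.sa.email}"
}

output "email" {
  value = google_service_account.sa.email
}
```

The Kubernetes ServiceAccount completes the link with the annotation iam.gke.io/gcp-service-account set to the email output. Note that the usage example's roles/storage.admin is a project-wide grant; a bucket-level binding on the buckets module's buckets would be the narrower choice.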
## helm

Path: infrastructure-management/modules/helm/

Deploys core Kubernetes components via Helm:
- istio-base, istio-istiod, istio-ingressgateway, istio-egressgateway (Istio v1.24.2)
- cert-manager
- argocd
- AppsIngress/ — oro-gateway Gateway resource and ArgoCD VirtualService
This module is applied once per cluster, during initial cluster setup.
## dns

Path: infrastructure-management/modules/dns/

Creates Cloud DNS A records in the shared orofi-cloud project.

### Key Inputs

| Input | Type | Description |
|---|---|---|
| dns_project_id | string | GCP project hosting Cloud DNS (typically orofi-cloud) |
| zone_name | string | Cloud DNS zone (e.g., dev-orofi-xyz) |
| records | map(string) | Map of hostname to IP address |
## buckets

Path: infrastructure-management/modules/buckets/

Creates GCS buckets used for imports/exports by microservices.
## users-access

Path: infrastructure-management/modules/users-access/

Grants IAM bindings to human users (engineers) on GCP projects and resources.
## cert-monitor

Path: infrastructure-management/modules/cert-monitor/

A Python-based certificate monitoring script that checks certificate expiry and sends alerts. Built and pushed to Artifact Registry as a Docker image via the infra Bitbucket pipeline.

The script (modules/cert-monitor/scripts/monitor.py) is linted in every PR pipeline run.
## kms

Path: infrastructure-management/modules/kms/

Creates Cloud KMS key rings and cryptographic keys. Used exclusively by microservice-identity for data encryption.

### Key Resources Created

```hcl
# Key ring (one per environment; {env} stands for the environment name)
resource "google_kms_key_ring" "ring" {
  name     = "identity-microservice-{env}"
  location = var.region # us-central1
}

# Encryption key
resource "google_kms_crypto_key" "data_encryption" {
  name     = "data-encryption-key-v2"
  key_ring = google_kms_key_ring.ring.id
}

# HMAC search key
resource "google_kms_crypto_key" "hmac_search" {
  name     = "data-hmac-search-key-v2"
  key_ring = google_kms_key_ring.ring.id
}
```
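A fuller form of the two keys as a practitioner would harden them, added here as an example and not the kms module's own code: explicit purpose and algorithm, rotation, destroy protection, and key-level IAM limited to the microservice-identity SA, whose email is assumed to arrive as var.identity_sa_email.

```hcl
# Added example, not the kms module's own code. Assumed inputs: var.project_id,
# var.env, var.region and var.identity_sa_email (the microservice-identity SA).
resource "google_kms_key_ring" "ring" {
  project  = var.project_id
  name     = "identity-microservice-${var.env}"
  location = var.region # us-central1
}

# Symmetric data key with automatic 90-day rotation. Older versions stay
# enabled, so ciphertext written under them still decrypts; new writes use
# the newest version.
resource "google_kms_crypto_key" "data_encryption" {
  name            = "data-encryption-key-v2"
  key_ring        = google_kms_key_ring.ring.id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "7776000s" # 90 days
  version_template { algorithm = "GOOGLE_SYMMETRIC_ENCRYPTION" }
  lifecycle { prevent_destroy = true } # losing the key means losing every ciphertext
}

# HMAC key for searchable (blind-index) lookups. A MAC key needs purpose = "MAC";
# with the default ENCRYPT_DECRYPT purpose MacSign calls are rejected. Cloud KMS
# does not auto-rotate MAC keys, and a new version invalidates every stored tag
# until the data is re-indexed, so rotation here is a deliberate change.
resource "google_kms_crypto_key" "hmac_search" {
  name     = "data-hmac-search-key-v2"
  key_ring = google_kms_key_ring.ring.id
  purpose  = "MAC"
  version_template { algorithm = "HMAC_SHA256" }
  lifecycle { prevent_destroy = true }
}

# Key-level grants to the one SA that should use the keys: no project-wide
# cloudkms roles, and no admin role, so key administration and key use stay
# in different identities.
resource "google_kms_crypto_key_iam_member" "identity_encrypt_decrypt" {
  crypto_key_id = google_kms_crypto_key.data_encryption.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${var.identity_sa_email}"
}

resource "google_kms_crypto_key_iam_member" "identity_mac" {
  crypto_key_id = google_kms_crypto_key.hmac_search.id
  role          = "roles/cloudkms.signerVerifier" # MacSign / MacVerify
  member        = "serviceAccount:${var.identity_sa_email}"
}
```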
## cloudsql-root-password

Path: infrastructure-management/modules/cloudsql-root-password/

Generates a random root password for Cloud SQL, sets it on the instance, and stores it in Secret Manager as {env}-cloudsql-root-password.
## cloudsql-microservice-credentials

Path: infrastructure-management/modules/cloudsql-microservice-credentials/

Creates a complete per-microservice database identity:

1. MySQL user on the Cloud SQL instance
2. Secret in GCP Secret Manager with the connection string
3. IAM binding for the microservice SA to read the secret

### Usage Example

```hcl
module "microservice_identity_db_credentials" {
  source        = "../../modules/cloudsql-microservice-credentials"
  project_id    = local.project_id
  env           = local.env
  instance_name = module.datastore.instance_name
  service_name  = "microservice-identity"
  database_name = "db_microservice_identity"
  db_host       = "microservice-identity-db.${local.env}.orofi.xyz"
}
```
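The three steps above carried through as an added example (not the module's own code); the cloudsql-root-password module follows the same generate-set-store pattern with the user root and the secret {env}-cloudsql-root-password. It assumes the inputs of the usage example plus var.sa_email for the service's GCP SA, the hashicorp/random provider, google provider >= 5, and a mysql:// URI as the connection-string shape.

```hcl
# Added example of the per-service database identity, not the module's own
# code. Inputs match the usage example above; var.sa_email (the service's GCP
# SA) and the mysql:// URI shape are assumed. Needs hashicorp/random and
# google provider >= 5 (for the replication { auto {} } syntax).
resource "random_password" "db" {
  length  = 32
  special = false # keeps the connection string free of URL-escaping surprises
}

# 1. MySQL user. host = "%" is MySQL's host pattern; who can actually reach
#    the instance is decided by its private network, not by this field.
resource "google_sql_user" "svc" {
  project  = var.project_id
  instance = var.instance_name
  name     = var.service_name
  host     = "%"
  password = random_password.db.result
}

# 2. Secret holding the connection string, named as in the service-accounts
#    example: {env}-{service}-db-connection.
resource "google_secret_manager_secret" "conn" {
  project   = var.project_id
  secret_id = "${var.env}-${var.service_name}-db-connection"
  replication { auto {} }
}

resource "google_secret_manager_secret_version" "conn" {
  secret      = google_secret_manager_secret.conn.id
  secret_data = "mysql://${google_sql_user.svc.name}:${random_password.db.result}@${var.db_host}:3306/${var.database_name}"
}

# 3. Only this service's SA may read the secret; no project-wide accessor role.
resource "google_secret_manager_secret_iam_member" "reader" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.conn.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${var.sa_email}"
}

# The generated password also lives in Terraform state, so the state backend
# needs the same access restrictions as the secret itself.
output "secret_id" {
  value = google_secret_manager_secret.conn.secret_id
}
```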