Cloud Resources
GCP project layout, Terraform provisioning, service enablement, monitoring alerts, and budget controls.
The Cloud Resources topic covers everything related to GCP project organization and Terraform-managed infrastructure. Trovella runs on three GCP projects with a directory-per-environment Terraform layout, GCS remote state, and Workload Identity Federation for keyless CI/CD authentication.
Topics
Environment Strategy Decision
ADR-016: why three GCP projects, hybrid local/Docker development, and GCP Secret Manager over alternatives. The foundational decision that shapes the entire infrastructure layout.
Project Layout
The three-project structure (trovella-prod, trovella-staging, trovella-shared), what lives in each, and the IAM isolation rationale.
Service Enablement
Which GCP APIs are enabled per project, how they are activated in Terraform, and the disable_on_destroy = false convention.
Terraform Structure
Directory-per-environment layout, module organization, GCS backend configuration, provider versions, and the apply sequence.
Workload Identity Federation
How GitHub Actions authenticates to GCP without service account keys, the OIDC pool/provider setup, and cross-project IAM grants.
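The pool/provider setup and cross-project grant described above, as an added illustration rather than the project's own Terraform. The pool and provider IDs, the `example-org/trovella` repository, the `github-deployer` service account, and the attribute names are assumptions; the project IDs follow the layout on this page.

```hcl
# Added example (not the project's code): Workload Identity Federation for
# GitHub Actions. Pool and provider live in trovella-shared; the service
# account being impersonated lives in trovella-prod. Resource names, the
# repository slug and the service account are assumptions.

variable "github_repository" {
  description = "GitHub repository allowed to authenticate, as owner/name (assumed value)"
  type        = string
  default     = "example-org/trovella"
}

resource "google_iam_workload_identity_pool" "github" {
  project                   = "trovella-shared"
  workload_identity_pool_id = "github-pool"
  display_name              = "GitHub Actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = "trovella-shared"
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"

  # Only tokens minted by GitHub's OIDC issuer are accepted.
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  # Map token claims onto attributes that IAM bindings can reference.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.ref"        = "assertion.ref"
  }

  # Without this condition any GitHub repository can exchange a token at
  # this provider; the CEL expression restricts it to our repository.
  attribute_condition = "assertion.repository == \"${var.github_repository}\""
}

# Service account in the prod project that the deploy workflow impersonates.
resource "google_service_account" "deployer" {
  project      = "trovella-prod"
  account_id   = "github-deployer"
  display_name = "GitHub Actions deployer"
}

# Cross-project grant: identities from the shared pool that carry our
# repository attribute may impersonate the prod deployer. No key is created,
# so there is nothing to leak or rotate.
resource "google_service_account_iam_member" "deployer_wif" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_repository}"
}

# The workflow needs the full provider resource name and the SA e-mail.
output "workload_identity_provider" {
  value = google_iam_workload_identity_pool_provider.github.name
}

output "deployer_service_account" {
  value = google_service_account.deployer.email
}
```

The two checks a reviewer should look for are the `attribute_condition` on the provider and the fact that the IAM member is a `principalSet` scoped to `attribute.repository`, not the whole pool. Either one alone narrows who can impersonate the deployer; together they cover a misconfiguration of the other. In the workflow, the two outputs are what the `google-github-actions/auth` step takes as its `workload_identity_provider` and `service_account` inputs.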
Secret Provisioning
How Terraform creates empty Secret Manager shells, how values flow to the VM and CI, and the sync script architecture.
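An added illustration of the empty-shell pattern, not the project's own Terraform: secrets are created with no version resource, so values never pass through Terraform state, and read access is granted per secret to the runtime identity. The three secret IDs are a constructed sample standing in for the fourteen listed below, and the `app-vm` service account is an assumption.

```hcl
# Added example (not the project's code): Secret Manager shells in
# trovella-prod with per-secret accessor grants. Secret IDs and the VM
# service account are assumptions; the real project provisions 14 secrets.

locals {
  # Constructed sample of secret IDs.
  secret_ids = ["database-url", "session-secret", "upstash-redis-url"]
}

resource "google_secret_manager_secret" "app" {
  for_each  = toset(local.secret_ids)
  project   = "trovella-prod"
  secret_id = each.key

  # Requires google provider v5 or later; older versions used "automatic = true".
  replication {
    auto {}
  }

  # Hardening choice added here: destroying the shell would also destroy every
  # version, so guard against an accidental terraform destroy.
  lifecycle {
    prevent_destroy = true
  }
}

# Deliberately no google_secret_manager_secret_version resource. Versions are
# written out of band, so plaintext never lands in state files, plan output
# or CI logs.

# Runtime identity on the VM that reads the secrets at startup.
resource "google_service_account" "vm_runtime" {
  project      = "trovella-prod"
  account_id   = "app-vm"
  display_name = "Application VM runtime"
}

# Least privilege: grant secretAccessor on each secret individually rather
# than roles/secretmanager.secretAccessor on the whole project.
resource "google_secret_manager_secret_iam_member" "vm_accessor" {
  for_each  = google_secret_manager_secret.app
  project   = each.value.project
  secret_id = each.value.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.vm_runtime.email}"
}
```

Because the version is not managed, a fresh `terraform apply` leaves each shell empty until a value is written; the sync script or operator adds the first version, and the VM fails closed until then rather than starting with a Terraform-supplied placeholder.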
Monitoring and Budgets
Cloud Monitoring alert policies, uptime checks, notification channels, and per-project budget thresholds.
Key Resources by Project
| Project | Resources |
|---|---|
| trovella-prod | Cloud SQL, Compute Engine VM, Secret Manager (14 secrets), monitoring alerts, firewall rules |
| trovella-staging | Secret Manager (14 secrets); compute deferred to ~Month 2 |
| trovella-shared | Terraform state bucket (GCS), Artifact Registry, Workload Identity Federation pool |
Estimated Monthly Cost (Phase 1)
| Resource | Cost |
|---|---|
| Compute Engine VM (e2-custom-2-6144) | ~$37/month |
| Cloud SQL (db-g1-small, ZONAL) | ~$27/month |
| Secret Manager (14 secrets, low access) | Free tier |
| Artifact Registry (10 images retained) | Free tier |
| Cloud Monitoring (built-in metrics) | Free tier |
| Upstash Redis (external) | Free tier |
| Total | ~$64/month |
Cross-Domain References
- Infrastructure -- Compute -- VM instance details, Docker containers, Caddy reverse proxy, networking
- Infrastructure -- Secrets -- runtime secret management, .env patterns, sync scripts
- Delivery -- Pipeline -- CI/CD workflow that uses WIF and Artifact Registry
- Data & Storage -- Migrations -- CI Deployment -- Cloud SQL Auth Proxy in CI