GCP Service Enablement
Which GCP APIs are enabled per project, how they are activated in Terraform, and the disable_on_destroy convention.
GCP APIs are disabled by default on new projects. Each API must be explicitly enabled before resources that depend on it can be created. Trovella enables APIs through google_project_service resources in the Terraform modules that need them.
Enabled APIs by Project
trovella-prod
| API | Service ID | Enabled By | Used For |
|---|---|---|---|
| Compute Engine | compute.googleapis.com | modules/compute-vm | VM instance, firewall rules, static IP |
| Identity-Aware Proxy | iap.googleapis.com | modules/compute-vm | Secure SSH tunneling (no public SSH port) |
| Cloud Monitoring | monitoring.googleapis.com | modules/compute-vm | Alert policies, uptime checks, notification channels |
| Cloud SQL Admin | sqladmin.googleapis.com | modules/cloud-sql | Cloud SQL instance management |
| Secret Manager | secretmanager.googleapis.com | (enabled manually) | Secret storage and access |
| Cloud Logging | logging.googleapis.com | (enabled by default) | Structured log ingestion |
trovella-shared
| API | Service ID | Enabled By | Used For |
|---|---|---|---|
| IAM | iam.googleapis.com | (enabled manually) | WIF pool, service accounts, IAM bindings |
| Artifact Registry | artifactregistry.googleapis.com | (enabled manually) | Docker image storage |
trovella-staging
No APIs explicitly enabled via Terraform yet. Secret Manager was enabled manually when the project was created.
The disable_on_destroy Convention
Every google_project_service resource in the codebase sets disable_on_destroy = false:
```hcl
resource "google_project_service" "compute" {
  project            = var.project_id
  service            = "compute.googleapis.com"
  disable_on_destroy = false
}
```
This is a safety measure. By default, Terraform would disable the API when the resource is removed from the configuration. Disabling an API can cascade-delete all resources that depend on it (VMs, databases, firewall rules). Setting disable_on_destroy = false means removing the google_project_service resource from Terraform only removes it from state -- the API stays enabled in GCP.
How APIs Are Declared
APIs are declared in the Terraform module that first needs them, not in a central "project setup" module. The project-services module directory exists in the codebase (infra/modules/project-services/) but is currently empty -- it was created as a placeholder for a centralized API enablement approach that was never implemented.
Instead, each module self-declares its API dependencies:
- modules/compute-vm/main.tf enables compute.googleapis.com, iap.googleapis.com, and monitoring.googleapis.com
- modules/cloud-sql/main.tf enables sqladmin.googleapis.com
Resources that depend on these APIs use depends_on to ensure the API is enabled before creation:
```hcl
resource "google_compute_instance" "main" {
  # ...
  depends_on = [
    google_project_service.compute,
    google_project_service.iap,
  ]
}
```
Adding a New GCP API
When adding a new GCP resource that requires an API not yet enabled:
- Add a google_project_service resource in the module that needs it
- Set disable_on_destroy = false
- Add a depends_on reference from the resource to the service enablement
- Run terraform plan to verify the API enablement appears before the resource creation
Do not add it to the empty project-services module. The convention is co-location with the module that uses the API.
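A small lint for the disable_on_destroy convention described above and for the "Adding a New GCP API" checklist, useful as a pre-commit or CI check so a block that omits the attribute (and so inherits the provider default of true) is caught before plan time. This is an added example, not code from the Trovella repository; the HCL it scans is constructed here and it assumes flat google_project_service blocks with no nested braces.

```python
# Lint: every google_project_service block must set disable_on_destroy = false.
# Added example, not the Trovella repository's own code; the sample HCL is constructed.
import re

# Captures each google_project_service block's name and body. Assumes bodies have
# no nested braces, which holds for these flat attribute-only blocks.
SERVICE_BLOCK = re.compile(
    r'resource\s+"google_project_service"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}'
)
SERVICE_ATTR = re.compile(r'^\s*service\s*=\s*"(?P<service>[^"]+)"', re.M)
DISABLE_ATTR = re.compile(r'^\s*disable_on_destroy\s*=\s*(?P<value>true|false)', re.M)


def check_hcl(text: str) -> list[dict]:
    """Return one record per google_project_service block with its compliance status."""
    findings = []
    for m in SERVICE_BLOCK.finditer(text):
        body = m.group("body")
        svc = SERVICE_ATTR.search(body)
        dis = DISABLE_ATTR.search(body)
        # Omitting the attribute leaves the provider default (true) in effect,
        # so only an explicit false satisfies the convention.
        findings.append({
            "name": m.group("name"),
            "service": svc.group("service") if svc else None,
            "ok": dis is not None and dis.group("value") == "false",
        })
    return findings


def violations(text: str) -> list[str]:
    """Names of blocks that would let Terraform disable the API on destroy."""
    return [f["name"] for f in check_hcl(text) if not f["ok"]]


# Constructed sample: one compliant block, one omitting the attribute, one set to true.
SAMPLE = '''
resource "google_project_service" "compute" {
  project            = var.project_id
  service            = "compute.googleapis.com"
  disable_on_destroy = false
}
resource "google_project_service" "iap" {
  service = "iap.googleapis.com"
}
resource "google_project_service" "monitoring" {
  service            = "monitoring.googleapis.com"
  disable_on_destroy = true
}
'''
```

Run it over each main.tf under infra/modules by passing the file contents to violations(); a non-empty list means a block would disable its API on destroy.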