Terraform blueprints available for Google Cloud

A blueprint is a package of deployable, reusable configuration and policy that implements and documents a specific opinionated solution. For more details see, blueprints overview.

This page provides a list of blueprints/modules that are packaged as Terraform modules and can be used for creating resources for Google Cloud. There are also two end-to-end examples available.

End-to-end blueprints

These end-to-end examples are designed to be forked as a starting point. These examples are not suitable for direct usage in production scenarios:

Example Foundation - Example repository showing how the CFT modules can be composed to build a secure cloud foundation.
CFT Fabric - This repository includes an advanced example designed for prototyping.
Confidential data warehouse
Protecting confidential data in AI

Blueprints/Modules

address - A Terraform module for managing Google Cloud IP addresses.
bastion-host - This module will generate a bastion host VM compatible with OS Login and IAP Tunneling that can be used to access internal VMs.
- bastion-group
- iap-tunneling
bigquery - This module lets you create opinionated Google Cloud BigQuery datasets and tables.
- authorization
- udf
bootstrap - A module for bootstrapping Terraform usage in a new Google Cloud organization.
- cloudbuild
cloud-datastore - A Terraform module to help you to manage Datastore.
cloud-dns - This module makes it easy to create and manage Cloud DNS public or private zones, and their records.
cloud-nat - This module handles opinionated Cloud NAT creation and configuration.
cloud-operations - This module is a collection of submodules related to Google Cloud's operations suite (Logging and Monitoring).
- agent-policy
cloud-router - Manage a Cloud Router on Google Cloud
- interconnect_attachment
- interface
cloud-run - A Terraform module for deploying apps to Cloud Run, along with an option to map custom domain
cloud-storage - This module makes it easy to create one or more Cloud Storage buckets, and assign basic permissions on them to arbitrary users.
- simple_bucket
composer - A Terraform module for managing Cloud Composer
- create_environment
container-vm - This module simplifies deploying containers on Compute Engine instances.
- cos-coredns
- cos-generic
- cos-mysql
data-fusion - [ALPHA] A Terraform module for managing Cloud Data Fusion
- dataproc_profile
- hub_artifact
- instance
- namespace
- private_network
- wait_healthy
dataflow - This module handles opinionated Dataflow job configuration and deployments.
- dataflow_bucket
datalab - This module will create DataLab instances with support for GPU instances.
- iap_firewall
- instance
- template_files
endpoints-dns
event-function - A Terraform module for responding to logging events with a function
- event-folder-log-entry
- event-project-log-entry
- repository-function
folders - This module helps create several folders under the same parent
forseti - A Terraform module for installing Forseti on Google Cloud
- client
- client_config
- client_gcs
- client_iam
- cloudsql
- on_gke
- real_time_enforcer
- real_time_enforcer_organization_sink
- real_time_enforcer_project_sink
- real_time_enforcer_roles
- rules
- server
- server_config
- server_gcs
- server_iam
gcloud - A module for executing gcloud commands within Terraform.
- kubectl-wrapper
github-actions-runners - [ALPHA] Module to create self-hosted GitHub Actions Runners on Google Cloud
- gh-runner-gke
- gh-runner-mig-container-vm
- gh-runner-mig-vm
gke-gitlab - Installs GitLab on GKE
group - A Terraform module for managing Google Groups
gsuite-export
healthcare - This module handles opinionated Google Cloud Healthcare datasets and stores.
iam - This Terraform module makes it easier to non-destructively manage multiple IAM roles for resources on Google Cloud.
- artifact_registry_iam
- audit_config
- billing_accounts_iam
- custom_role_iam
- folders_iam
- helper
- kms_crypto_keys_iam
- kms_key_rings_iam
- member_iam
- organizations_iam
- projects_iam
- pubsub_subscriptions_iam
- pubsub_topics_iam
- secret_manager_iam
- service_accounts_iam
- storage_buckets_iam
- subnets_iam
jenkins -
- artifact_storage
kms - Simple Cloud Key Management Service module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.
kubernetes-engine - A Terraform module for configuring GKE clusters.
- acm
- asm
- auth
- beta-private-cluster
- beta-private-cluster-update-variant
- beta-public-cluster
- beta-public-cluster-update-variant
- binary-authorization
- config-sync
- hub
- k8s-operator-crd-support
- private-cluster
- private-cluster-update-variant
- safer-cluster
- safer-cluster-update-variant
- services
- workload-identity
lb - Modular Regional TCP Load Balancer for Compute Engine using target pool and forwarding rule.
lb-http - Modular Global HTTP Load Balancer for Compute Engine using forwarding rules.
- dynamic_backends
- serverless_negs
lb-internal - Modular Internal Load Balancer for Compute Engine using forwarding rules.
log-export - This module lets you create log exports at the project, folder, or organization level.
- bigquery
- bq-log-alerting
- pubsub
- storage
memorystore - A Terraform module for creating a fully functional Google Memorystore (redis) instance.
- memcache
network - A Terraform module that makes it easy to set up a new VPC Network in Google Cloud.
- fabric-net-firewall
- fabric-net-svpc-access
- firewall-rules
- network-peering
- routes
- routes-beta
- subnets
- subnets-beta
- vpc
- vpc-serverless-connector-beta
- Network telemetry
org-policy - A Terraform module for managing Google Cloud org policies.
- bucket_policy_only
- domain_restricted_sharing
- restrict_vm_external_ips
- skip_default_network
project-factory - Opinionated Google Cloud project creation and configuration with Shared VPC, IAM, APIs, etc.
- app_engine
- budget
- core_project_factory
- fabric-project
- gsuite_enabled
- gsuite_group
- project_services
- quota_manager
- shared_vpc_access
- svpc_service_project
pubsub - This module makes it easy to create Pub/Sub topic and subscriptions associated with the topic.
- cloudiot
sap - This module is a collection of multiple opinionated submodules to deploy SAP Products.
- netweaver
- sap_hana
- sap_hana_ha
- sap_hana_python
scheduled-function - This modules makes it easy to set up a scheduled job to trigger events/run functions.
- project_cleanup
secret -
- gcs-object
- secret-infrastructure
service-accounts - This module allows easy creation of one or more service accounts, and granting them basic roles.
- key-distributor
slo - Create SLOs on Google Cloud from custom Stackdriver metrics. Capability to export SLOs to Google Cloud services and other systems.
- slo-generator
- slo-native
sql-db - Modular Cloud SQL database instance for Terraform.
- mssql
- mysql
- postgresql
- private_service_access
- safer_mysql
startup-scripts - A library of useful startup scripts to embed in VMs created by Terraform
utils - This module provides a way to get the shortnames for a given Google Cloud region.
vault - Modular deployment of Vault on Google Compute Engine with Terraform
- cluster
vm - This is a collection of opinionated submodules that can be used to provision VMs in Google Cloud.
- compute_disk_snapshot
- compute_instance
- instance_template
- mig
- mig_with_percent
- preemptible_and_regular_instance_templates
- umig
vpc-service-controls - This module handles opinionated VPC Service Controls and Access Context Manager configuration and deployments.
- access_level
- bridge_service_perimeter
- regular_service_perimeter
vpn - A Terraform module for setting up Cloud VPN
- vpn_ha
workflows - A Terraform module for setting up scheduled workflows using Cloud Scheduler or for setting up event-driven workflows using Eventarc.