Terraform blueprints available for Google Cloud

A blueprint is a package of deployable, reusable configuration and policy that implements and documents a specific opinionated solution. For more details see, blueprints overview.

This page provides a list of blueprints/modules that are packaged as Terraform modules and can be used for creating resources for Google Cloud. There are also two end-to-end examples available.

End-to-end blueprints

These end-to-end examples are designed to be forked as a starting point. These examples are not suitable for direct usage in production scenarios:

• Example Foundation - Example repository showing how the CFT modules can be composed to build a secure cloud foundation.

• CFT Fabric - This repository includes an advanced example designed for prototyping.

• Confidential data warehouse

• Protecting confidential data in AI

Blueprints/Modules

• address - A Terraform module for managing Google Cloud IP addresses.

• bastion-host - This module will generate a bastion host VM compatible with OS Login and IAP Tunneling that can be used to access internal VMs.

  • bastion-group
  • iap-tunneling

• bigquery - This module lets you create opinionated Google Cloud BigQuery datasets and tables.

  • authorization
  • udf

• bootstrap - A module for bootstrapping Terraform usage in a new Google Cloud organization.

  • cloudbuild

• cloud-datastore - A Terraform module to help you to manage Datastore.

• cloud-dns - This module makes it easy to create and manage Cloud DNS public or private zones, and their records.

• cloud-nat - This module handles opinionated Cloud NAT creation and configuration.

• cloud-operations - This module is a collection of submodules related to Google Cloud's operations suite (Logging and Monitoring).

  • agent-policy

• cloud-router - Manage a Cloud Router on Google Cloud

  • interconnect_attachment
  • interface

• cloud-run - Terraform Module for deploying apps to Cloud Run, along with an option to map custom domain

• cloud-storage - This module makes it easy to create one or more Cloud Storage buckets, and assign basic permissions on them to arbitrary users.

  • simple_bucket

• composer - Terraform module for managing Cloud Composer

  • create_environment

• container-vm - This module simplifies deploying containers on Compute Engine instances.

  • cos-coredns
  • cos-generic
  • cos-mysql

• data-fusion - [ALPHA] Terraform module for managing Cloud Data Fusion

  • dataproc_profile
  • hub_artifact
  • instance
  • namespace
  • private_network
  • wait_healthy

• dataflow - This module handles opiniated Dataflow job configuration and deployments.

  • dataflow_bucket

• datalab - This module will create DataLab instances with support for GPU instances.

  • iap_firewall
  • instance
  • template_files

• endpoints-dns

• event-function - Terraform module for responding to logging events with a function

  • event-folder-log-entry
  • event-project-log-entry
  • repository-function

• folders - This module helps create several folders under the same parent

• forseti - A Terraform module for installing Forseti on Google Cloud

  • client
  • client_config
  • client_gcs
  • client_iam
  • cloudsql
  • on_gke
  • real_time_enforcer
  • real_time_enforcer_organization_sink
  • real_time_enforcer_project_sink
  • real_time_enforcer_roles
  • rules
  • server
  • server_config
  • server_gcs
  • server_iam

• gcloud - A module for executing gcloud commands within Terraform.

  • kubectl-wrapper

• github-actions-runners - [ALPHA] Module to create self-hosted GitHub Actions Runners on Google Cloud

  • gh-runner-gke
  • gh-runner-mig-container-vm
  • gh-runner-mig-vm

• gke-gitlab - Installs GitLab on GKE

• group - A Terraform module for managing Google Groups

• gsuite-export

• healthcare - This module handles opinionated Google Cloud Healthcare datasets and stores.

• iam - This Terraform module makes it easier to non-destructively manage multiple IAM roles for resources on Google Cloud.

  • artifact_registry_iam
  • audit_config
  • billing_accounts_iam
  • custom_role_iam
  • folders_iam
  • helper
  • kms_crypto_keys_iam
  • kms_key_rings_iam
  • member_iam
  • organizations_iam
  • projects_iam
  • pubsub_subscriptions_iam
  • pubsub_topics_iam
  • secret_manager_iam
  • service_accounts_iam
  • storage_buckets_iam
  • subnets_iam

• jenkins -

  • artifact_storage

• kms - Simple Cloud Key Management Service module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.

• kubernetes-engine - A Terraform module for configuring GKE clusters.

  • acm
  • asm
  • auth
  • beta-private-cluster
  • beta-private-cluster-update-variant
  • beta-public-cluster
  • beta-public-cluster-update-variant
  • binary-authorization
  • config-sync
  • hub
  • k8s-operator-crd-support
  • private-cluster
  • private-cluster-update-variant
  • safer-cluster
  • safer-cluster-update-variant
  • services
  • workload-identity

• lb - Modular Regional TCP Load Balancer for Compute Engine using target pool and forwarding rule.

• lb-http - Modular Global HTTP Load Balancer for Compute Engine using forwarding rules.

  • dynamic_backends
  • serverless_negs

• lb-internal - Modular Internal Load Balancer for Compute Engine using forwarding rules.

• log-export - This module lets you create log exports at the project, folder, or organization level.

  • bigquery
  • bq-log-alerting
  • pubsub
  • storage

• memorystore - A Terraform module for creating a fully functional Google Memorystore (redis) instance.

  • memcache

• network - A Terraform module that makes it easy to set up a new VPC Network in Google Cloud.

  • fabric-net-firewall
  • fabric-net-svpc-access
  • firewall-rules
  • network-peering
  • routes
  • routes-beta
  • subnets
  • subnets-beta
  • vpc
  • vpc-serverless-connector-beta
  • Network telemetry

• org-policy - A Terraform module for managing Google Cloud org policies.

  • bucket_policy_only
  • domain_restricted_sharing
  • restrict_vm_external_ips
  • skip_default_network

• project-factory - Opinionated Google Cloud project creation and configuration with Shared VPC, IAM, APIs, etc.

  • app_engine
  • budget
  • core_project_factory
  • fabric-project
  • gsuite_enabled
  • gsuite_group
  • project_services
  • quota_manager
  • shared_vpc_access
  • svpc_service_project

• pubsub - This module makes it easy to create Pub/Sub topic and subscriptions associated with the topic.

  • cloudiot

• sap - This module is a collection of multiple opinionated submodules to deploy SAP Products.

  • netweaver
  • sap_hana
  • sap_hana_ha
  • sap_hana_python

• scheduled-function - This modules makes it easy to set up a scheduled job to trigger events/run functions.

  • project_cleanup

• secret -

  • gcs-object
  • secret-infrastructure

• service-accounts - This module allows easy creation of one or more service accounts, and granting them basic roles.

  • key-distributor

• slo - Create SLOs on Google Cloud from custom Stackdriver metrics. Capability to export SLOs to Google Cloud services and other systems.

  • slo-generator
  • slo-native

• sql-db - Modular Cloud SQL database instance for Terraform.

  • mssql
  • mysql
  • postgresql
  • private_service_access
  • safer_mysql

• startup-scripts - A library of useful startup scripts to embed in VMs created by Terraform

• utils - This module provides a way to get the shortnames for a given Google Cloud region.

• vault - Modular deployment of Vault on Google Compute Engine with Terraform

  • cluster

• vm - This is a collection of opinionated submodules that can be used to provision VMs in Google Cloud.

  • compute_disk_snapshot
  • compute_instance
  • instance_template
  • mig
  • mig_with_percent
  • preemptible_and_regular_instance_templates
  • umig

• vpc-service-controls - This module handles opinionated VPC Service Controls and Access Context Manager configuration and deployments.

  • access_level
  • bridge_service_perimeter
  • regular_service_perimeter

• vpn - A Terraform Module for setting up Cloud VPN

  • vpn_ha