GCP Infrastructure (Terraform)

All GCP infrastructure is managed by Terraform in the infra/ directory at the repo root.

Structure

infra/
├── main.tf              # Module wiring
├── variables.tf         # Shared variables and locals
├── outputs.tf           # Root-level outputs
├── iam.tf               # Project-level IAM (engineering groups)
├── terraform.tf         # Provider config (google, google-beta, 1password, grafana)
├── terraform.tfvars     # Local variable overrides (gitignored)
├── artifacts/           # Artifact Registry (multi-region Docker repo + cleanup)
├── firebase/            # Firebase project, web/iOS/Android apps, Identity Platform
├── github-actions/      # Workload Identity Federation for keyless CI/CD
├── grafana/             # Grafana Cloud dashboards, alerting, Slack notifications
├── play-store/          # Google Play Store service account for EAS Submit
├── state-bucket/        # Terraform state bucket IAM
└── vapi/                # GCS buckets + service account for Voice API

Workspaces

Terraform workspaces map to GCP projects:

Workspace	GCP Project
dev	tell-ia-dev
staging	tell-ia-staging
production	tell-ia-production

All resource naming is environment-suffixed automatically (e.g., tellia-play-store-dev).

Getting Started

Prerequisites

• Terraform >= 1.0
• GCP CLI authenticated: gcloud auth application-default login
• OP_SERVICE_ACCOUNT_TOKEN env var set (1Password provider, required even for terraform init)

Commands

cd infra
terraform init                     # Initialize (registers modules + providers)
terraform workspace select dev     # Switch environment
terraform plan                     # Preview changes
terraform apply                    # Apply changes

Modules

artifacts/

Artifact Registry with multi-region Docker repo and automated cleanup policies. Stores CI/CD images including the Firebase Auth emulator.

firebase/

Firebase project setup, web/iOS/Android app registration, and Identity Platform (Firebase Auth) config with email/password sign-in. Stores Firebase config values in 1Password.

github-actions/

Workload Identity Federation (OIDC) for keyless GitHub Actions authentication with GCP. No service account keys needed — uses OIDC tokens. Config stored in 1Password.

grafana/

Grafana Cloud dashboards and alerting rules for backend monitoring. Environment-specific alert thresholds with Slack notifications.

play-store/

Google Play Store API access for automated app submissions via EAS Submit. Creates a GCP service account, generates a JSON key, and stores it in 1Password.

IMPORTANT

After terraform apply, the service account must be manually invited in Google Play Console > Users and permissions with release permissions. See Mobile Build & Submit for the full workflow.

vapi/

GCS buckets and service accounts for Voice API integrations. Includes HMAC keys for S3-compatible access.

state-bucket/

IAM configuration for the Terraform state GCS bucket.

Secrets Management

All secrets are stored in 1Password via the Terraform 1Password provider — not in tfvars, CI secrets, or the repo. Each module that produces credentials creates a 1Password item with:

• The credential values
• Setup instructions
• Environment and domain tags for easy filtering

IAM Structure

Project-level IAM is defined in iam.tf:

Group	Dev	Staging	Production
engineering-leads@tell-ia.com	Owner	Owner	Owner
engineering@tell-ia.com	Owner	Viewer	Viewer
engineering-contractors@	Owner	No access	No access

CI/CD

• Plan: Runs on PRs to main/staging/production (.github/workflows/terraform-plan.yml)
• Apply: Runs on push to main/staging/production (.github/workflows/terraform-apply.yml)

Reference

• Terraform GCP Provider Docs
• Google Cloud IAM Docs
• 1Password Terraform Provider