GCP Cloud Run
Production Stack.
Security-first Terraform module on the modern GCP stack: Cloud Run v2 with Direct VPC Egress + Cloud SQL (private IP, SSL-only, IAM auth, CMEK) + Secret Manager + scoped IAM. CIS GCP Benchmark v4-aligned. One command apply.
Every box ticked, by default.
The non-negotiables we set so you don't have to remember them in production.
./bootstrap.sh install — one command from blank Google account to live URL
Bundled CLAUDE.md + AGENTS.md + .cursor/rules/ + 3 ADRs + 12 documented AI failure modes — auto-load into Claude Code, Cursor, Codex CLI. Saves the AI-debug-loop tokens you'd otherwise burn.
Aligned with CIS GCP Foundation Benchmark v4.0.0 — security defaults, not afterthoughts
Cloud Run v2 with Direct VPC Egress (GA late 2024 — no idle VPC Connector tax)
Cloud SQL Postgres 17: private IP only, SSL-enforced (ENCRYPTED_ONLY), IAM database auth, pgAudit-ready, max_connections sized for the default tier
CMEK via Cloud KMS for Cloud SQL + Secret Manager (90-day key rotation, ~$0.12/mo, toggleable)
Secret Manager: DB password (40 chars) and full URL mounted as env via secret_key_ref — never in code
Scoped runtime IAM service account — least-privilege from the start
GitHub Actions deploy via WIF (no JSON keys), actions pinned to commit SHAs, minimum permissions
Cross-platform installer (macOS, Linux, Windows via WSL2) + clean teardown script
Built-in FinOps: project billing budget at $50/mo (configurable), alerts at 50/90/100% current + 100% forecasted, routed to the email you give bootstrap.sh (via a Cloud Monitoring notification channel) and to billing-account admins. No surprise bills.
Commercial license, source included, ~700 lines of readable HCL
The full picture.
What you get
A single Terraform configuration plus a one-command installer that provisions a production-shaped Cloud Run stack on GCP. Unzip, run ./bootstrap.sh install, answer four prompts. Twelve minutes later you have:
- A Cloud Run v2 service running your container, autoscaling 0→10 (configurable), wired into your VPC via Direct VPC Egress — Google’s recommended pattern since GA in late 2024, replacing the legacy Serverless VPC Access Connector (~$8/mo idle floor)
- A Cloud SQL Postgres 17 instance reachable only over private IP — no public surface to lock down
- A real VPC with Cloud NAT for egress and private services peering for Cloud SQL
- Secret Manager holding the generated DB password and the full Postgres connection URL, mounted into the container as DATABASE_URL
- A runtime service account scoped to exactly what Cloud Run needs: cloudsql.client, logging.logWriter, monitoring.metricWriter, plus per-secret secretmanager.secretAccessor
- An uptime check + optional email alert
- A GitHub Actions workflow that deploys from main using Workload Identity Federation — no service account keys to leak
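What that wiring looks like in HCL, as an added example rather than the product's own source: a runtime service account holding exactly the three project roles named above, a per-secret accessor grant on the DATABASE_URL secret, and a Cloud Run v2 service using Direct VPC Egress with PRIVATE_RANGES_ONLY. Resource names such as google_compute_network.vpc, google_compute_subnetwork.run, google_secret_manager_secret.database_url and the var.* inputs are assumed to be defined elsewhere.

```hcl
# Runtime identity: one SA per service, project roles limited to what the
# container needs. Names (vpc, run, database_url, var.*) are assumed, defined elsewhere.
resource "google_service_account" "runtime" {
  account_id = "app-runtime"
}
resource "google_project_iam_member" "runtime_roles" {
  for_each = toset([
    "roles/cloudsql.client",
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
  ])
  project = var.project_id
  role    = each.key
  member  = "serviceAccount:${google_service_account.runtime.email}"
}
# Secret access is granted on the one secret, not project-wide.
resource "google_secret_manager_secret_iam_member" "runtime_db_url" {
  secret_id = google_secret_manager_secret.database_url.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.runtime.email}"
}
resource "google_cloud_run_v2_service" "app" {
  name     = "app"
  location = var.region
  template {
    service_account = google_service_account.runtime.email
    # Direct VPC Egress: only private-range destinations (the Cloud SQL private IP)
    # are routed into the VPC; public egress leaves directly and never touches Cloud NAT.
    vpc_access {
      network_interfaces {
        network    = google_compute_network.vpc.id
        subnetwork = google_compute_subnetwork.run.id
      }
      egress = "PRIVATE_RANGES_ONLY"
    }
    containers {
      image = var.image
      # Connection string is injected from Secret Manager; it is never in HCL or plan output.
      env {
        name = "DATABASE_URL"
        value_source {
          secret_key_ref {
            secret  = google_secret_manager_secret.database_url.secret_id
            version = "latest"
          }
        }
      }
    }
  }
}
```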
Why this exists
Most Terraform examples online are toys: public Cloud SQL, default VPCs, service accounts with roles/owner, secrets in env, no encryption-key control, deploy workflows that float actions/checkout@v4 (tag-hijackable). They look fine in a tutorial. They are not what you want serving paying customers.
This is the stack I actually run, hardened against the CIS GCP Foundation Benchmark v4.0.0 for the controls that fall inside a project’s blast radius. It’s the shape — VPC-isolated database, SSL-only connections, customer-managed encryption keys, IAM-scoped to specific resources, signed deploy supply chain — that you’d otherwise spend a week assembling from twelve scattered Hashicorp examples and three blog posts that are subtly wrong.
Saves you AI tokens, not just dev hours
If you customize Terraform with Claude Code, Cursor, Codex, or any other AI assistant — this matters. Most of the spend in an AI-driven Terraform session isn’t the writing; it’s the debug loop. The AI hallucinates the cpu_throttling field (silently accepted, does nothing). terraform plan succeeds. The bill arrives next month. You realize. You ask the AI to fix it. It gets it slightly wrong again. Repeat for deletion_policy = "ABANDON", missing enable_private_path_for_google_cloud_services, the legacy VPC Connector pattern, the count vs for_each re-index trap, secrets in plain env blocks, the connection-pool exhaustion math, the WIF attribute_condition that any tutorial omits.
A typical AI-augmented Terraform session against a stack like this — without guardrails — burns 200K–500K tokens chasing failure modes that are reliably hit, not novel.
This product ships with the guardrails:
- CLAUDE.md + AGENTS.md — 22 hard rules, auto-loaded by Claude Code, Codex CLI, GitHub Copilot, Devin, and any agent that respects these conventions. The AI reads them once at session start; it stops suggesting the patterns that would have failed the next plan.
- .cursor/rules/main.mdc — same content, formatted for Cursor’s rule system. alwaysApply: true on every *.tf change.
- 3 ADRs (Architecture Decision Records) for the load-bearing choices — Direct VPC Egress vs Connector, secret env vs volume mounts, allow-unauth default. When the AI is asked “should we change X?”, it has the documented rationale to defer to instead of arguing for the tutorial pattern.
- “What AI assistants get wrong about this stack” — 12 specific failure modes with wrong-vs-right HCL side-by-side, each with a citation to the provider issue or GCP doc that explains why. The AI sees this in context and skips the trial-and-error.
Translation: the AI session that would have taken 2 hours of back-and-forth becomes 10 minutes. The cost of this product gets paid back inside one debugging session you don’t have.
Security-first defaults
- No public surfaces. Cloud SQL has no public IP. There’s nothing to lock down because nothing’s exposed.
- SSL/TLS enforced on Cloud SQL (ssl_mode = "ENCRYPTED_ONLY"). Plaintext connections are rejected.
- IAM database auth enabled — grant DB access by GCP identity, not shared passwords.
- CMEK by default via Cloud KMS, 90-day rotation. ~$0.12/mo. You own the key, you control destruction. Toggle off if your compliance regime doesn’t require it.
- Hardened Postgres flags per CIS: password_encryption = scram-sha-256, connection/disconnection logging, slow-query visibility, lock-wait logging.
- 40-character DB password, generated, stored only in Secret Manager. Never in plan output, never in code.
- Custom VPC with no public surfaces — Cloud SQL private IP only, no permissive default rules. Relies on GCP’s implicit ingress-deny rather than redundant explicit rules that would conflict with future allow rules.
- Supply-chain hardened CI: GitHub Actions pinned to commit SHA, minimum permissions: scope, deploy concurrency, Workload Identity Federation (no JSON keys).
- State bucket created with UBLA + public-access-prevention + versioning.
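The Cloud SQL side of those defaults, written out as an added illustration (not the module's own HCL): private IP only, ENCRYPTED_ONLY, IAM auth and the CIS flags, plus the CMEK grant to the Cloud SQL service agent that has to exist before the instance does. google_kms_crypto_key.sql, google_compute_network.vpc, google_service_networking_connection.private and the 1000 ms slow-query threshold are assumptions; the service identity resource needs the google-beta provider configured.

```hcl
# CMEK: the Cloud SQL service agent must be able to use the key before the
# instance is created, or apply fails. Key/network/peering names are assumed.
resource "google_project_service_identity" "sqladmin" {
  provider = google-beta # resource lives in the beta provider
  project  = var.project_id
  service  = "sqladmin.googleapis.com"
}
resource "google_kms_crypto_key_iam_member" "sql_cmek" {
  crypto_key_id = google_kms_crypto_key.sql.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_project_service_identity.sqladmin.email}"
}
resource "google_sql_database_instance" "db" {
  name                = "app-db"
  database_version    = "POSTGRES_17"
  region              = var.region
  encryption_key_name = google_kms_crypto_key.sql.id # key must be in the same region
  deletion_protection = true
  settings {
    tier      = "db-f1-micro"
    disk_type = "PD_SSD"
    disk_size = 10
    ip_configuration {
      ipv4_enabled    = false                         # no public IP at all
      private_network = google_compute_network.vpc.id # reachable only via the peering
      ssl_mode        = "ENCRYPTED_ONLY"              # plaintext connections rejected
      enable_private_path_for_google_cloud_services = true
    }
    # Flags behind the CIS-hardened defaults; one block per flag via dynamic.
    dynamic "database_flags" {
      for_each = {
        "cloudsql.iam_authentication" = "on"
        password_encryption           = "scram-sha-256"
        log_connections               = "on"
        log_disconnections            = "on"
        log_lock_waits                = "on"
        log_min_duration_statement    = "1000" # ms; threshold is an assumption
      }
      content {
        name  = database_flags.key
        value = database_flags.value
      }
    }
  }
  depends_on = [
    google_kms_crypto_key_iam_member.sql_cmek,
    google_service_networking_connection.private,
  ]
}
```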
What it costs to run
Defaults are dev-tier, ~$13–22/month at idle:
- Cloud SQL db-f1-micro + 10GB SSD: ~$10/mo
- Cloud NAT: ~$0/mo idle (Direct VPC Egress with PRIVATE_RANGES_ONLY doesn’t route through NAT)
- Cloud KMS (2 CMEK keys): ~$0.12/mo
- VPC flow logs (50% sample, 5min agg): ~$0.50–$2/mo
- Cloud Run: scales to zero, ~$0 idle (Direct VPC Egress is pay-per-use, not the old ~$8/mo Connector idle tax)
Production sizing is one variable change away. The module exposes db_tier, min_instances, max_instances, cpu, memory as inputs.
Cost guardrails out of the box
Cloud bills sneak up on you. This stack doesn’t.
- Project-level billing budget created automatically. Default $50/mo, configurable. Email alerts at 50%, 90%, 100% of actual spend, plus a 100%-forecasted alert that fires before you hit the cap if your trajectory will overshoot.
- monthly_cost_estimate output — terraform output returns a tier-aware estimate ("~$13–22/month at idle (dev tier defaults)") so you know what you’re signing up for before you raise machine sizes.
- budget_alert_status output — confirms the budget is wired and reports the email it’ll alert on.
- Documented cost-down knobs: which variables to flip when you need to drop $5/mo, and which to raise when you outgrow the dev tier. README walks through both directions.
- bootstrap.sh auto-fills the billing account ID so the budget setup is one prompt (Monthly budget for billing alerts (USD) [50]:), not a console-clicking journey.
If your IAM doesn’t include roles/billing.costsManager on the billing account, set enable_budget_alert = false and the rest of the stack still applies cleanly.
What’s in the box
- Terraform source: root module, 12 .tf files, ~700 lines of readable, commented HCL
- bootstrap.sh — cross-platform installer with check and install subcommands. Handles project creation, billing linkage, API enablement, state bucket (UBLA + public-access-prevention + versioning), and terraform apply end-to-end
- teardown.sh — clean rollback (destroy) or full project deletion (nuke)
- CLAUDE.md + AGENTS.md + .cursor/rules/main.mdc — agent guardrails that auto-load into Claude Code, Cursor, Codex, Copilot, Devin
- 3 ADRs documenting load-bearing decisions in Michael Nygard format
- README with “What AI assistants get wrong” — 12 failure modes with side-by-side HCL
- docs/wif-setup.md — runnable Workload Identity Federation recipe (the attribute_condition line that’s almost always missing in tutorials, present here)
- pre-commit-config.yaml — terraform fmt, validate, tflint (Google plugin), trivy, checkov, detect-secrets
- Runnable examples/basic/ with terraform.tfvars.example
- GitHub Actions deploy workflow — SHA-pinned actions, minimum permissions:, concurrency-protected
- Commercial license (one purchaser, unlimited internal use, no redistribution)
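What the attribute_condition line guards, as an added example (not the bundled docs/wif-setup.md): a GitHub OIDC provider that only accepts tokens minted for one repository's main branch, bound to a deploy service account. example-org/example-repo and google_service_account.deploy are placeholders.

```hcl
# Pool + GitHub OIDC provider. The attribute_condition is the part tutorials skip:
# without it, an OIDC token from ANY GitHub repository satisfies this provider.
# Repository name and deploy SA are placeholders.
resource "google_iam_workload_identity_pool" "github" {
  workload_identity_pool_id = "github"
}
resource "google_iam_workload_identity_pool_provider" "github" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-actions"
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.ref"        = "assertion.ref"
  }
  # Only tokens for this repo's main branch pass; forks and other branches are rejected at exchange time.
  attribute_condition = "assertion.repository == \"example-org/example-repo\" && assertion.ref == \"refs/heads/main\""
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}
# Let matching tokens impersonate the deploy SA. The SA itself should carry only the
# roles the deploy step needs (e.g. roles/run.developer plus actAs on the runtime SA), never owner.
resource "google_service_account_iam_member" "github_deploy" {
  service_account_id = google_service_account.deploy.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/example-org/example-repo"
}
```

The workflow side needs `permissions: id-token: write` for GitHub to mint the token; nothing else about the CI job changes.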
Delivered as a zip via Lemon Squeezy email after purchase.
Questions buyers ask.
If yours isn't here, email [email protected].
01 Why $129 when there are free Terraform modules on the Hashicorp registry?
02 Does this work if I already have an existing GCP project?
03 How much does it cost to run after apply?
04 What if `terraform apply` fails on my project?
05 Can I customize the Terraform after I buy it?
06 Does this work with OpenTofu instead of Terraform?
07 How is this different from Google's official Terraform modules?
08 Why GCP and not AWS or Azure?
09 Is there a SaaS or license-key check?
10 Do you offer support after purchase?
$129 once. Apply this afternoon.
14-day refund if it doesn't apply on a fresh project. No subscription. No upsell.