GCP Cloud Run Production Stack

Opinionated Terraform module: Cloud Run + Cloud SQL (private IP) + VPC + Secret Manager + scoped IAM + uptime checks. Production-shaped on day one. One terraform apply.

$79
  • One terraform apply — full production stack from a blank GCP project
  • Cloud Run v2 + Cloud SQL Postgres 16 wired over private IP (no public DB surface)
  • VPC + Cloud NAT + private services peering + Serverless VPC connector
  • Secret Manager: DB password and connection URL mounted as env, never in code
  • Scoped runtime IAM service account — least-privilege from the start
  • Cloud Logging by default, optional uptime check + email alert
  • GitHub Actions deploy via Workload Identity Federation (no JSON keys)
  • Commercial license, source included, ~470 lines of readable HCL

What you get

A single Terraform configuration that provisions a production-shaped Cloud Run stack on GCP. Clone, set project_id and a name, run terraform apply. Twelve minutes later you have:

  • A Cloud Run v2 service running your container, autoscaling 0→10 (configurable)
  • A Cloud SQL Postgres 16 instance reachable only over private IP — no public surface to lock down
  • A real VPC with Cloud NAT for egress, private services peering for Cloud SQL, and a Serverless VPC connector wired into Cloud Run
  • Secret Manager holding the generated DB password and the full Postgres connection URL, mounted into the container as DATABASE_URL (the generated password also lands in Terraform state, so keep state in a protected remote backend rather than on a laptop)
  • A runtime service account scoped to exactly what Cloud Run needs: project-level roles/cloudsql.client, roles/logging.logWriter and roles/monitoring.metricWriter, plus roles/secretmanager.secretAccessor bound on each individual secret rather than project-wide
  • An uptime check + optional email alert
  • A GitHub Actions workflow that deploys from main using Workload Identity Federation — no service account keys to leak
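
To make the IAM and secret wiring in the list above concrete, the fragment below shows the pattern in HCL: a dedicated runtime service account, roles/secretmanager.secretAccessor bound on one secret instead of on the project, Cloud SQL with public IPv4 disabled, and a Cloud Run v2 service that reads DATABASE_URL from that secret. This is an added illustration for this page, not the module's source. Resource names, the variables (var.project_id, var.region, var.image, var.db_tier) and the VPC, Serverless VPC connector and private-services peering it references (google_compute_network.vpc, google_vpc_access_connector.app, google_service_networking_connection.private_vpc) are placeholders assumed to be defined elsewhere; database user creation is omitted.

```hcl
# Added illustration of the least-privilege pattern described above.
# Placeholder names throughout; not the module's own source. Assumes a VPC
# (google_compute_network.vpc), a Serverless VPC connector
# (google_vpc_access_connector.app) and the private-services peering
# (google_service_networking_connection.private_vpc) exist elsewhere.
# random_password needs the hashicorp/random provider.

resource "google_service_account" "runtime" {
  account_id   = "app-runtime"
  display_name = "Cloud Run runtime identity"
}

# Project-level roles: Cloud SQL connector plus logs/metrics. Nothing broader.
resource "google_project_iam_member" "runtime_roles" {
  for_each = toset([
    "roles/cloudsql.client",
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.runtime.email}"
}

# Cloud SQL with private IP only: no public IPv4, reachable via the peered VPC.
resource "google_sql_database_instance" "db" {
  name                = "app-db"
  database_version    = "POSTGRES_16"
  region              = var.region
  deletion_protection = true

  settings {
    tier = var.db_tier
    ip_configuration {
      ipv4_enabled    = false
      private_network = google_compute_network.vpc.id
    }
  }

  # The peering must exist before an instance can be placed on the VPC.
  depends_on = [google_service_networking_connection.private_vpc]
}

resource "random_password" "db" {
  length  = 32
  special = false # keeps the password safe to embed in a URL unencoded
}

resource "google_secret_manager_secret" "db_url" {
  secret_id = "app-database-url"
  replication {
    auto {}
  }
}

# The password is also recorded in Terraform state; protect the backend.
resource "google_secret_manager_secret_version" "db_url" {
  secret      = google_secret_manager_secret.db_url.id
  secret_data = "postgresql://app:${random_password.db.result}@${google_sql_database_instance.db.private_ip_address}:5432/app"
}

# Bound on THIS secret, not roles/secretmanager.secretAccessor on the project.
resource "google_secret_manager_secret_iam_member" "runtime_reads_db_url" {
  secret_id = google_secret_manager_secret.db_url.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.runtime.email}"
}

resource "google_cloud_run_v2_service" "app" {
  name     = "app"
  location = var.region

  template {
    service_account = google_service_account.runtime.email

    vpc_access {
      connector = google_vpc_access_connector.app.id
      egress    = "ALL_TRAFFIC" # all egress via the VPC, so via Cloud NAT
    }

    containers {
      image = var.image
      env {
        name = "DATABASE_URL"
        value_source {
          secret_key_ref {
            secret  = google_secret_manager_secret.db_url.secret_id
            version = "latest"
          }
        }
      }
    }
  }

  # Without the per-secret binding the revision fails to start because the
  # runtime identity cannot read the secret; make the ordering explicit.
  depends_on = [
    google_secret_manager_secret_version.db_url,
    google_secret_manager_secret_iam_member.runtime_reads_db_url,
  ]
}
```

The check worth running after apply is `gcloud secrets get-iam-policy app-database-url`: the runtime account should appear there, and it should not appear with secretAccessor in the project IAM policy. Resource-level binding means a compromised service can read its own secrets and nothing else in Secret Manager.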

Why this exists

Most Terraform examples online are toys: public Cloud SQL, default VPCs, service accounts with roles/owner, secrets in env. They look fine in a tutorial. They are not what you want serving paying customers.

This is the stack I actually run. It is the shape you want: a VPC-isolated database, secrets sourced from Secret Manager instead of hard-coded into the service definition, and IAM bound to specific resources. Assembling it yourself means a week of stitching together twelve scattered HashiCorp examples and three blog posts that are subtly wrong.

What it costs to run

Defaults are dev-tier, ~$25–35/month at idle:

  • Cloud SQL db-f1-micro + 10GB SSD: ~$10/mo
  • Serverless VPC connector: ~$8/mo
  • Cloud NAT: ~$1.50/mo
  • Cloud Run: scales to zero, ~$0 idle

Production sizing is one variable change away. The module exposes db_tier, min_instances, max_instances, cpu and memory as inputs. Note that the default db-f1-micro is a shared-core tier that Google excludes from the Cloud SQL SLA, so change db_tier before putting paying customers on it.

What’s in the box

  • Full Terraform source (root module, 11 .tf files, ~470 lines)
  • Runnable examples/basic/ with terraform.tfvars.example
  • GitHub Actions deploy workflow
  • README with quickstart, IAM requirements, security notes
  • Commercial license (one purchaser, unlimited internal use, no redistribution)

Delivered as a zip via Lemon Squeezy email after purchase.