[ qdl // catalog · 001 of 001 ]

Production DevOps,
ready in an hour.

Opinionated Terraform stacks for solo builders. One command from blank Google account to live URL — with the security defaults a senior platform engineer would set.

~12 min blank account → live URL
CIS v4.0 GCP benchmark aligned
$13–22 monthly idle, dev tier
~/cloud-run-stack — bash
$ curl -L qdl.dev/cloud-run-stack | tar -xz
extracted: 14 files · 712 lines HCL · 3 ADRs · 1 CLAUDE.md
$ cd cloud-run-stack && ./bootstrap.sh install
→ project: qdl-prod-7f3a · billing linked · 27 APIs enabled
→ state bucket: UBLA · public-access-prevention · versioning
→ terraform apply · 47 resources · 11m 24s
✓ Cloud Run v2 https://app-qdl-prod-7f3a.run.app
✓ Cloud SQL Postgres 17 private IP · SSL · IAM auth · CMEK
✓ Secret Manager DATABASE_URL mounted as env
✓ Billing budget $50/mo · alerts at 50/90/100%
✓ GitHub Actions WIF no JSON keys · SHA-pinned
ready. ship something.
→ runs end-to-end. once.
§ 01 Workflow

From blank Google account to live URL.

Four steps. One installer. No manual console-clicking, no copy-pasted IAM bindings, no "oh I forgot to enable that API" loop.

01

Download

Get the zip. 14 files. ~700 lines of HCL. Read every line if you want.

02

Bootstrap

`./bootstrap.sh install`. Four prompts: project name, region, billing, alert email.

03

Apply

State bucket created. APIs enabled. `terraform apply` runs. ~12 minutes.

04

Ship

Push to `main`. GitHub Actions deploys via WIF. The URL is live.

§ 02 The hidden cost

Saves you AI tokens, not just dev hours.

The expensive part of an AI-driven Terraform session isn't the writing. It's the debug loop. The 12 failure modes the assistant reliably hits, every time. We document them so the AI stops hitting them.

fail-modes.md — 3 of 12 shown; the full set ships in the product
what the AI writes
template {
  containers {
    resources {
      cpu_throttling = false
    }
  }
}
what actually works
template {
  containers {
    resources {
      startup_cpu_boost = true
      cpu_idle          = false
    }
  }
}
// why

cpu_throttling is not a Cloud Run v2 field. Plan succeeds, change does nothing. The actual knobs are cpu_idle and startup_cpu_boost, and both live under resources (cpu_idle = false keeps CPU allocated outside requests, which is what cpu_throttling = false was meant to do).

what the AI writes
vpc_access {
  connector = google_vpc_access_connector.x.id
  egress    = "ALL_TRAFFIC"
}
what actually works
vpc_access {
  network_interfaces {
    network    = google_compute_network.vpc.id
    subnetwork = google_compute_subnetwork.run.id
  }
  egress = "PRIVATE_RANGES_ONLY"
}
// why

Direct VPC Egress went GA late 2024. Pay-per-use. The Connector pattern still works, but every running solo project pays ~$8/mo for nothing.

what the AI writes
env {
  name  = "DB_PASSWORD"
  value = var.db_password
}
what actually works
env {
  name = "DATABASE_URL"
  value_source {
    secret_key_ref {
      secret  = google_secret_manager_secret.db_url.secret_id
      version = "latest"
    }
  }
}
// why

Plain env makes the secret tfstate-readable, plan-output-leaking, and revision-immutable. value_source mounts at runtime from Secret Manager.
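
An added example (not the product's own HCL) that wires the three corrected patterns above into one google_cloud_run_v2_service and adds the Secret Manager accessor binding the snippets leave out. google_service_account.run, google_secret_manager_secret.db_url, the VPC/subnet resources and var.region / var.image are assumed to be defined elsewhere.

```hcl
# Added example, not the stack's code. Assumed: google_service_account.run,
# google_secret_manager_secret.db_url, google_compute_network.vpc,
# google_compute_subnetwork.run, var.region, var.image.
resource "google_secret_manager_secret_iam_member" "run_reads_db_url" {
  secret_id = google_secret_manager_secret.db_url.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.run.email}"
}

resource "google_cloud_run_v2_service" "app" {
  name     = "app"
  location = var.region
  ingress  = "INGRESS_TRAFFIC_ALL"
  # The service only references the secret, not the binding; without this the
  # first revision can start before the identity is allowed to read the secret.
  depends_on = [google_secret_manager_secret_iam_member.run_reads_db_url]
  template {
    service_account = google_service_account.run.email
    scaling {
      min_instance_count = 0
      max_instance_count = 3
    }
    # Direct VPC Egress: no connector resource, no idle connector bill.
    vpc_access {
      network_interfaces {
        network    = google_compute_network.vpc.id
        subnetwork = google_compute_subnetwork.run.id
      }
      egress = "PRIVATE_RANGES_ONLY"
    }
    containers {
      image = var.image
      resources {
        limits            = { cpu = "1", memory = "512Mi" }
        startup_cpu_boost = true  # extra CPU during cold start
        cpu_idle          = false # CPU always allocated; true = only during requests
      }
      # Secret is resolved at runtime; the value is not in this resource's state or plan.
      env {
        name = "DATABASE_URL"
        value_source {
          secret_key_ref {
            secret  = google_secret_manager_secret.db_url.secret_id
            version = "latest" # a version must already exist or the revision fails
          }
        }
      }
    }
  }
}
```

If the secret version is created by Terraform as well, its secret_data still lands in tfstate; only the service side is kept out of state by value_source.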

§ 03 Trade-off

vs. assembling it from twelve tutorials.

Both ship. One ships secure, scoped, and cost-bounded on day one.

trade-off.tsv n=11 dimensions
Dimension                               QDL stack     Hand-rolled
Time blank-account → live URL           ~12 min       3–7 days
CIS GCP Benchmark v4 alignment          Default       Manual checklist
Direct VPC Egress (vs Connector)        Default       Tutorials still teach old way
Cloud SQL: private IP, SSL, IAM auth    Enforced      Often missed
CMEK on SQL + Secret Manager            Default       Skipped or wrong key scope
Secrets via secret_key_ref              Yes           Plain env in most examples
Workload Identity Federation deploy     Yes           JSON keys committed
Billing budget + 50/90/100% alerts      Out of box    Surprise $400 bill
Agent guardrails (CLAUDE.md, ADRs)      Bundled       None
AI debug loop tokens burned             ~10–30k       200k–500k
Total upfront                           $129          $0 (then 40+ hrs)

§ 04 Catalog

One product. Built right. More coming.

QDL-001 · available $129
GCP Terraform CIS v4 Cloud Run v2

GCP Cloud Run Production Stack

Cloud Run v2 + Direct VPC Egress + Cloud SQL Postgres 17 (private, SSL, IAM, CMEK) + Secret Manager + scoped IAM + WIF deploy. Bootstrap installer + agent guardrails + 12 documented AI failure modes.

QDL-002 · in design Q3 ’26
GCP Pub/Sub Eventarc

Event-Driven Worker Stack

Same hardening philosophy applied to Cloud Run Jobs + Pub/Sub + Eventarc. Idempotent consumers, dead-letter topics, retry budgets that don't melt your bill.

§ 05 FAQ

Questions that come up.

01 Why GCP and not AWS?
Cloud Run v2 + Direct VPC Egress is the cleanest serverless-with-private-DB shape any cloud ships today. AWS Fargate + RDS works, but you write more YAML and pay more for less. We may ship an AWS variant later — this one came first because it's genuinely better for solo builders.
02 Will I outgrow it?
The module exposes db_tier, min_instances, max_instances, cpu, memory as inputs. The shape is the same from $13/mo dev tier to a serious production tier — you change variables, not architecture.
03 What if my AI assistant tries to "improve" it anyway?
The CLAUDE.md / AGENTS.md / .cursor/rules/ files load automatically. They include 22 hard rules and 12 documented anti-patterns with side-by-side wrong/right HCL. The AI sees them at session start; the loops stop.
04 Refunds?
Yes. If it doesn't apply cleanly on a fresh project, full refund within 14 days. We have a `bootstrap.sh check` subcommand specifically because the apply has to work the first time.
05 License?
Commercial. Single purchaser, unlimited internal use across your projects. No redistribution. Source included so you can read every line and customize every variable.
06 What's NOT included?
A web framework. A frontend. Your application code. We give you the production-shaped infrastructure to run whatever you're building. The Hello-World example shows wiring; the rest is yours.
[ next step ]

Ship the boring, expensive part this afternoon.