Configuration

What’s the difference? Both templates use the same default instance sizes. The key differences are the environment name (stage vs prod), which affects resource naming. You can adjust all values after copying.

Region selection matters. Choose a region close to your users and compliant with your data residency requirements. Once deployed, you cannot easily change regions—it requires a full redeployment.

Organization region restrictions: Some organizations only allow deployments in specific regions (via Org Policy gcp.resourceLocations). Verify your region is approved before proceeding.

CIDR conflicts cause connectivity failures. If your corporate network uses the same IP range (e.g., 10.0.x.x), you’ll have problems connecting via VPN. Common conflict-free alternatives:

• 172.16.0.0/16 (172.16.x.x)
• 192.168.0.0/16 (192.168.x.x)
• 10.100.0.0/16 (10.100.x.x)

Check with your network team before choosing.

Using an existing VPC requires coordination with your network team. You need:

• Subnet IDs with available IP addresses and secondary ranges for pods/services
• An existing Private Service Access allocation for Cloud SQL
• Firewall rules that don’t block required traffic
• Cloud NAT or outbound internet access for pulling images

Many existing VPCs have restrictive firewall rules or missing Cloud NAT configurations that will cause deployment failures.

GKE also creates a fixed system pool with 2x n2-standard-4 nodes for Kubernetes system components. This is separate from the worker pool configured above.

GCP CPU quotas can block deployment. GCP projects have default limits on how many CPUs you can run per VM family per region.

Check your quotas: GCP Console → IAM & Admin → Quotas → Filter by “N2 CPUs” in your region

Request an increase if your limit is below: (system_nodes × 4) + (desired_worker_nodes × vCPUs per node)

Generate a strong database password. Use openssl rand -base64 24 to create a secure random password. This value is stored in Google Secret Manager by Terraform. Do not commit it to version control.

Regional HA is enabled by default. This creates a standby replica in a different zone for automatic failover. Disable it for development/testing environments to reduce costs.

The subdomain must be the root domain, not a subdomain.

Correct: confident_subdomain = "acme.com" Wrong: confident_subdomain = "confidentai.acme.com"

Authentication cookies are set on the subdomain and must be accessible by both frontend and backend. If you use the full subdomain, cookies won’t work correctly.

Trusted origins must include the protocol. Use https://app.yourdomain.com not app.yourdomain.com. Missing protocol causes authentication to fail silently.

OpenAI API key requires sufficient quota. Evaluations can consume significant tokens. Ensure your OpenAI account has appropriate rate limits and spending caps configured.

Public GKE is only recommended for testing. Setting confident_public_gke = true makes the GKE API server and ingress accessible from the internet. Never use this in production.

Do not change confident_clickhouse_user from default. The ClickHouse Operator expects this username. Changing it will cause connectivity failures.

Backup lifecycle policy: Terraform configures a lifecycle policy that automatically deletes ClickHouse backup objects older than 30 days and snapshots older than 7 days.

These values are provided by your Confident AI representative. Don’t modify them unless instructed.

Your organization may have existing Terraform state infrastructure. Many companies have:

• Centralized state buckets managed by a platform team
• Required naming conventions
• Required encryption settings (CMEK)
• Org Policy requirements on GCS buckets

Check with your infrastructure team before creating a new bucket.

Never delete or modify the state file manually. Terraform state tracks the mapping between your configuration and real GCP resources. Corrupting it can cause Terraform to lose track of resources, leading to orphaned infrastructure or accidental deletions.