Configuration
Overview
This step configures all the variables that Terraform uses to provision your infrastructure. You will:
- Copy an environment template (staging or production)
- Configure VPC settings (new or existing VPC)
- Set GKE node sizing and scaling parameters
- Configure Cloud SQL for PostgreSQL settings
- Provide domain URLs and authentication secrets
- Set up ECR cross-account access credentials
- Configure the Terraform state backend
After completing this page, your terraform.tfvars file will contain all values needed to provision infrastructure.
How Terraform configuration works
Terraform uses variables to customize deployments. Instead of editing the Terraform code directly, you provide values in a terraform.tfvars file. This keeps your configuration separate from the code, making updates easier.
The repository includes template files with sensible defaults. You copy a template and fill in your specific values.
Setup
Navigate to the GCP Terraform directory:
Copy the appropriate environment template:
What’s the difference? Both templates use the same default instance sizes.
The key differences are the environment name (stage vs prod), which affects
resource naming. You can adjust all values after copying.
Open terraform.tfvars in your editor. The following sections explain each variable group.
Environment identification
These variables name and identify your deployment:
Region selection matters. Choose a region close to your users and compliant with your data residency requirements. Once deployed, you cannot easily change regions—it requires a full redeployment.
Organization region restrictions: Some organizations only allow deployments in specific regions (via Org Policy gcp.resourceLocations). Verify your region is approved before proceeding.
VPC configuration
Option A: Create a new VPC (recommended)
If you’re creating a new VPC, configure the address spaces:
CIDR conflicts cause connectivity failures. If your corporate network uses the same IP range (e.g., 10.0.x.x), you’ll have problems connecting via VPN. Common conflict-free alternatives:
172.16.0.0/16(172.16.x.x)192.168.0.0/16(192.168.x.x)10.100.0.0/16(10.100.x.x)
Check with your network team before choosing.
Option B: Use an existing VPC
If deploying into an existing VPC, disable VPC creation and provide the existing resource IDs:
Using an existing VPC requires coordination with your network team. You need:
- Subnet IDs with available IP addresses and secondary ranges for pods/services
- An existing Private Service Access allocation for Cloud SQL
- Firewall rules that don’t block required traffic
- Cloud NAT or outbound internet access for pulling images
Many existing VPCs have restrictive firewall rules or missing Cloud NAT configurations that will cause deployment failures.
GKE node configuration
These settings control the VMs that run your Kubernetes workloads:
Recommended sizes:
GKE also creates a fixed system pool with 2x n2-standard-4 nodes for
Kubernetes system components. This is separate from the worker pool configured
above.
GCP CPU quotas can block deployment. GCP projects have default limits on how many CPUs you can run per VM family per region.
Check your quotas: GCP Console → IAM & Admin → Quotas → Filter by “N2 CPUs” in your region
Request an increase if your limit is below: (system_nodes × 4) + (desired_worker_nodes × vCPUs per node)
Database configuration
Cloud SQL for PostgreSQL settings:
Generate a strong database password. Use openssl rand -base64 24 to create a secure
random password. This value is stored in Google Secret Manager by Terraform. Do not commit
it to version control.
Regional HA is enabled by default. This creates a standby replica in a different zone for automatic failover. Disable it for development/testing environments to reduce costs.
Domain and URL configuration
The subdomain must be the root domain, not a subdomain.
Correct: confident_subdomain = "acme.com"
Wrong: confident_subdomain = "confidentai.acme.com"
Authentication cookies are set on the subdomain and must be accessible by both frontend and backend. If you use the full subdomain, cookies won’t work correctly.
Authentication secrets
Trusted origins must include the protocol. Use
https://app.yourdomain.com not app.yourdomain.com. Missing protocol causes
authentication to fail silently.
External services
OpenAI API key requires sufficient quota. Evaluations can consume significant tokens. Ensure your OpenAI account has appropriate rate limits and spending caps configured.
Resource naming
These variables control internal naming conventions for GCP resources. The defaults are suitable for most deployments:
GKE access configuration
Public GKE is only recommended for testing. Setting confident_public_gke = true makes the GKE API server and ingress accessible from the internet. Never use this in production.
Storage configuration
Bucket names are constructed as <application_name>-<environment>-<suffix> (e.g., confidentai-stage-testcases).
ClickHouse configuration
ClickHouse serves as the analytics database, deployed via the ClickHouse Operator on GKE:
Do not change confident_clickhouse_user from default. The ClickHouse Operator expects this
username. Changing it will cause connectivity failures.
ClickHouse backup
A GCS bucket is created for ClickHouse backups:
Backup lifecycle policy: Terraform configures a lifecycle policy that automatically deletes ClickHouse backup objects older than 30 days and snapshots older than 7 days.
ECR cross-account access
These credentials allow your GKE cluster to pull Confident AI container images from AWS ECR:
These values are provided by your Confident AI representative. Don’t modify them unless instructed.
Terraform state backend
Terraform tracks what resources it created in a “state file.” This should be stored remotely so multiple team members can collaborate and state isn’t lost.
Edit provider.tf to configure your GCS backend:
If the bucket doesn’t exist, create it:
Your organization may have existing Terraform state infrastructure. Many companies have:
- Centralized state buckets managed by a platform team
- Required naming conventions
- Required encryption settings (CMEK)
- Org Policy requirements on GCS buckets
Check with your infrastructure team before creating a new bucket.
Never delete or modify the state file manually. Terraform state tracks the mapping between your configuration and real GCP resources. Corrupting it can cause Terraform to lose track of resources, leading to orphaned infrastructure or accidental deletions.
Security review checklist
Before proceeding, verify these security considerations:
-
terraform.tfvarsis in.gitignore(never commit secrets) - State bucket has versioning enabled (for recovery from mistakes)
- State bucket is encrypted at rest (default with Google-managed keys)
- Identity used has least-privilege permissions
- CIDR blocks don’t conflict with corporate network
- OpenAI API key has appropriate spending limits
Next steps
Once configuration is complete, proceed to Provisioning to create the GCP infrastructure.