This step executes Terraform to create all GCP infrastructure. The process takes 15-25 minutes and provisions:
After completion, you will have a fully provisioned GCP environment ready for Kubernetes workloads.
When you run terraform apply, Terraform:
- terraform.tfvars

The process is mostly automated, but you’ll need to monitor for errors and potentially troubleshoot issues.
From the gcp directory, initialize the working directory:
This command:
Expected output:
Backend initialization errors usually mean:
If you see “Error loading state,” verify your backend configuration in provider.tf.
Before creating anything, preview what Terraform will do:
This shows all resources that will be created, modified, or destroyed. For a fresh deployment, you should see only resource additions (green + symbols).
Key resources in the plan:
Save the plan for audit purposes:

```bash
terraform plan -out=plan.tfplan
```

You can then apply this exact plan with terraform apply plan.tfplan.
This is useful if you need approval before applying.
Review the plan carefully if you see any deletions or modifications. For a
new deployment, there should be no - (destroy) or ~ (modify) symbols. If
you see them, something may be misconfigured.
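As an added check that is not part of the original guide: the script below reads the JSON form of a saved plan (produced with terraform show -json plan.tfplan) and exits non-zero if any resource would be modified, destroyed or replaced, which enforces the rule above for a fresh deployment. The resource addresses in the embedded sample plan are constructed for illustration.

```python
"""Gate a saved Terraform plan so a fresh deployment only creates resources.

Usage, from the gcp directory after `terraform plan -out=plan.tfplan`:
    terraform show -json plan.tfplan > plan.json
    python check_plan.py plan.json
With no argument the script runs against the constructed SAMPLE_PLAN below.
"""
import json
import sys

# Actions that are acceptable for a brand-new deployment. Anything else
# ("update" = ~, "delete" = -, or a delete+create replacement) needs review.
SAFE_ACTIONS = {"create", "no-op", "read"}


def unsafe_changes(plan):
    """Return [(address, actions)] for every resource the plan would modify or destroy."""
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if any(action not in SAFE_ACTIONS for action in actions):
            findings.append((rc["address"], list(actions)))
    return findings


def check_plan_file(path):
    """Load a `terraform show -json` file and return its unsafe changes."""
    with open(path) as f:
        return unsafe_changes(json.load(f))


# Constructed sample (not real output): one clean create, one no-op, and a
# cluster replacement (delete + create) that the check must flag.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "google_storage_bucket.state", "change": {"actions": ["create"]}},
        {"address": "google_container_cluster.primary", "change": {"actions": ["delete", "create"]}},
        {"address": "google_project_iam_member.gke_sa", "change": {"actions": ["no-op"]}},
    ],
}

if __name__ == "__main__":
    findings = check_plan_file(sys.argv[1]) if len(sys.argv) > 1 else unsafe_changes(SAMPLE_PLAN)
    for address, actions in findings:
        print(f"REVIEW: {address} -> {'+'.join(actions)}")
    sys.exit(1 if findings else 0)
```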
Once you’ve reviewed the plan, create the resources:
Terraform shows the plan again and asks for confirmation. Type yes to proceed.
Expected duration: 15-25 minutes
Don’t interrupt the process. If you press Ctrl+C or close your terminal,
Terraform may leave resources in a partially created state. If this happens,
just run terraform apply again—it will pick up where it left off.
Your identity lacks permission to create resources. You need:
- Editor role on the project (or custom equivalent)
- Project IAM Admin for creating IAM bindings
- Secret Manager Admin for managing secrets

Many organizations restrict IAM binding creation. If you can’t get Project IAM Admin, you may need a platform team member to run the deployment or pre-create the required IAM bindings.
You’ve hit a GCP CPU quota. Common limits:
Quota increases can take hours to days. If you’re in a new project, request increases before starting deployment.
GCS bucket names must be globally unique. If you get naming conflicts:
- Change confident_application_name to something unique

GKE can occasionally take longer than expected. Usually just re-running terraform apply continues where it left off. If it keeps failing:
Organization Policies can block resource creation. Many enterprises have policies that:
- Restrict the locations where resources may be created (gcp.resourceLocations)
- Restrict external IP addresses on VM instances (compute.vmExternalIpAccess)

If you get persistent errors, check with your cloud governance team about Organization Policies.
Terraform can’t authenticate to GCP. Verify:
- gcloud auth application-default login was run
- gcloud auth list shows your active account
- GOOGLE_APPLICATION_CREDENTIALS is set if using a service account key

This usually means GKE isn’t fully ready when Helm tries to install charts. Re-running terraform apply typically resolves it.
After successful completion, Terraform displays outputs. Save these—you’ll need them for subsequent steps:
You can always retrieve outputs later by running terraform output in the
same directory with access to the state file.
Here’s what now exists in your GCP project:
- n2-standard-4 running system components

Read the error message carefully. Terraform errors usually indicate exactly what went wrong.
Don’t panic. Terraform is idempotent—you can run apply again and it will continue from where it failed.
Check common causes:
If stuck, don’t destroy and recreate. This can leave orphaned resources. Instead, fix the configuration and re-apply.
Never run terraform destroy unless you intend to delete everything. If
you’re troubleshooting, fix the issue and re-run apply. Destroying and
recreating can lose data and create inconsistent state.
After infrastructure is provisioned, proceed to TLS Certificates to configure HTTPS for your services.