Initial Deployment
The sections below cover initial GKE cluster deployment, authentication, and general operations. For DR-specific configuration, refer to previous sections.
Prerequisites
GCP Project with Required APIs Enabled
Enable these APIs in your GCP project:
```bash
gcloud services enable \
  compute.googleapis.com \
  container.googleapis.com \
  dns.googleapis.com \
  storage.googleapis.com \
  iam.googleapis.com \
  cloudfunctions.googleapis.com \
  iap.googleapis.com \
  cloudresourcemanager.googleapis.com
```

Tools
| Tool | Minimum Version | Purpose |
|---|---|---|
| Terraform | >= 1.1.0 | Infrastructure provisioning |
| gcloud CLI | latest | GCP authentication and cluster access |
| kubectl | >= 1.28 | Kubernetes cluster management |
| helm | >= 3.x | Used internally by Terraform providers |
Authentication
Option A: User Credentials (Local Development)
```bash
gcloud auth login
gcloud auth application-default login
gcloud config set project <your-project-id>
```

Option B: Service Account
The Terraform execution identity (user or service account) requires the following IAM roles on the project. For a service account, prefer impersonation (Application Default Credentials obtained with `--impersonate-service-account=<sa-email>`) over a downloaded key file, which is a long-lived credential that has to be stored and rotated.
| Role | Purpose |
|---|---|
| `roles/container.admin` | GKE cluster and node pool management |
| `roles/storage.admin` | GCS bucket creation and lifecycle management |
| `roles/iam.securityAdmin` | Service account IAM binding management |
| `roles/editor` | General resource creation (VPC, firewall, NAT, static IPs) |
| `roles/dns.admin` | Cloud DNS record management (if using DNS features) |
| `roles/cloudfunctions.developer` | Cloud Functions (only if using DR failover automation) |

Note that `roles/editor` is a basic role that grants mutate access across most services in the project, far more than the networking resources listed. If your organization restricts basic roles, replace it with the predefined roles that cover those resources (such as `roles/compute.networkAdmin` and `roles/compute.securityAdmin`) and confirm the plan still applies cleanly.
Workload Identity (Pod-to-GCS Authentication)
LogScale pods authenticate to GCS using GKE Workload Identity; no service account keys are needed. The module configures this automatically:

- A GCP service account is bound to the Kubernetes service account via the `iam.gke.io/gcp-service-account` annotation.
- The GCP service account gets `roles/storage.objectUser` on the LogScale data bucket and the access logs bucket.
- LogScale is configured with `GCP_STORAGE_WORKLOAD_IDENTITY=true`.
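The three links above (annotation on the Kubernetes service account, `roles/iam.workloadIdentityUser` on the GCP service account, and nobody else holding that role) are what breaks when a namespace or service account is renamed, and a stale binding is also how an unrelated workload ends up with read access to the log buckets. The script below is an added example, not part of the LogScale module: it checks each link against constructed sample data so it runs offline, and with `--live` runs the same checks against `gcloud` and `kubectl` output. The project, namespace and account names are assumptions; adjust them to your deployment.

```bash
#!/usr/bin/env bash
# Added example, not part of the LogScale module: verify the Workload Identity
# chain between the Kubernetes service account (KSA) the LogScale pods run as and
# the GCP service account (GSA) that holds roles/storage.objectUser on the buckets.
# Assumed names (adjust to your deployment): project "my-project",
# namespace "logscale", KSA "logscale", GSA "logscale-sa@my-project.iam.gserviceaccount.com".
set -eu

# Principal that GKE presents to IAM when a pod runs as NAMESPACE/KSA.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# $1: GSA IAM bindings as "role,member" lines, e.g. from
#   gcloud iam service-accounts get-iam-policy "$GSA" \
#     --flatten='bindings[].members' \
#     --format='csv[no-heading](bindings.role,bindings.members)'
# $2: the KSA principal. Succeeds when the KSA may impersonate the GSA.
ksa_can_impersonate() {
  printf '%s\n' "$1" | grep -qxF "roles/iam.workloadIdentityUser,$2"
}

# Succeeds when nobody except the expected KSA principal holds
# roles/iam.workloadIdentityUser on the GSA. Any other member (another
# namespace, a user account, allAuthenticatedUsers) is a finding.
no_extra_impersonators() {
  local extra
  extra=$(printf '%s\n' "$1" \
    | grep '^roles/iam.workloadIdentityUser,' \
    | grep -vxF "roles/iam.workloadIdentityUser,$2" || true)
  [ -z "$extra" ]
}

# $1: value of the iam.gke.io/gcp-service-account annotation on the KSA, e.g. from
#   kubectl get sa "$KSA" -n "$NAMESPACE" \
#     -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}'
# $2: expected GSA email. Succeeds when the KSA points at the right GSA.
ksa_annotation_matches() {
  [ "$1" = "$2" ]
}

# Constructed sample bindings (not real gcloud output) so the checks run offline.
GOOD_BINDINGS='roles/iam.workloadIdentityUser,serviceAccount:my-project.svc.id.goog[logscale/logscale]
roles/iam.serviceAccountUser,user:ops@example.com'
# Same as above plus a stale binding that lets the default namespace impersonate the GSA.
BAD_BINDINGS='roles/iam.workloadIdentityUser,serviceAccount:my-project.svc.id.goog[logscale/logscale]
roles/iam.workloadIdentityUser,serviceAccount:my-project.svc.id.goog[default/default]'

# check NAME CMD ARGS...: run one check, print ok/FAIL, remember any failure.
FAILED=0
check() {
  local name="$1"; shift
  if "$@"; then echo "ok: $name"; else echo "FAIL: $name"; FAILED=1; fi
}

# Run against the live project when invoked as: ./wi-check.sh --live
if [ "${1:-}" = "--live" ]; then
  PROJECT=my-project
  NAMESPACE=logscale
  KSA=logscale
  GSA="logscale-sa@${PROJECT}.iam.gserviceaccount.com"
  member=$(wi_member "$PROJECT" "$NAMESPACE" "$KSA")
  bindings=$(gcloud iam service-accounts get-iam-policy "$GSA" --project="$PROJECT" \
    --flatten='bindings[].members' \
    --format='csv[no-heading](bindings.role,bindings.members)')
  annotation=$(kubectl get sa "$KSA" -n "$NAMESPACE" \
    -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}')
  check "$member may impersonate $GSA"            ksa_can_impersonate "$bindings" "$member"
  check "no other workloadIdentityUser on $GSA"    no_extra_impersonators "$bindings" "$member"
  check "KSA annotation points at $GSA"            ksa_annotation_matches "$annotation" "$GSA"
  exit "$FAILED"
fi
```

The `no_extra_impersonators` check is the one worth keeping in a scheduled job: the module creates the correct binding, but nothing removes bindings that were added by hand later, and every KSA that holds `roles/iam.workloadIdentityUser` on the GSA can read and write the log buckets.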
If your organization policy blocks service account key creation, you must use Workload Identity with a pre-existing GCP service account:

```hcl
use_existing_gcp_sa  = true
existing_gcp_sa_name = "logscale-sa"
```

Deployment Modes
Mode 1: With Bastion (Private Cluster)
Bastion mode creates a GCE compute instance inside the VPC with IAP SSH access, tinyproxy listening on port 8888, and pre-installed tools (kubectl, gcloud, terraform). The SSH session forwards local port 8888 to the proxy on the bastion, and kubectl honours the `HTTPS_PROXY` environment variable, so API server traffic reaches the private endpoint through the bastion.

```bash
# Open an IAP SSH tunnel with port forwarding
gcloud compute ssh <bastion-name> \
  --project=<project-id> \
  --zone=<zone> \
  --tunnel-through-iap \
  --ssh-flag="-4 -L8888:localhost:8888 -N -q -f"

# Access GKE through the proxy
HTTPS_PROXY=localhost:8888 kubectl get nodes
```

Mode 2: Without Bastion (Authorized Networks)
Standard deployment with a public API endpoint and an optional authorized network allowlist. With the allowlist empty, the endpoint accepts connections from any address on the internet (authentication is still required, but the control plane is exposed to credential and vulnerability attacks); keep the list to the egress ranges you actually use and never add `0.0.0.0/0`.

```hcl
ip_ranges_allowed_to_kubeapi = [
  "198.51.100.0/24", # example: your office or VPN egress CIDR
]
```

Terraform Backend Configuration
```hcl
# backend.tf
terraform {
  backend "gcs" {
    bucket = "your-tf-state-bucket"
    prefix = "logscale/gcp/terraform/tf.state"
  }
}
```

Create the state bucket before running terraform init. Terraform state records every attribute the providers return, including sensitive ones, so restrict the bucket's IAM to the identities that run Terraform; versioning lets you recover from a corrupted or accidentally deleted state file:

```bash
gsutil mb -p <project-id> -l <region> gs://your-tf-state-bucket
gsutil versioning set on gs://your-tf-state-bucket
```