Terraform
Terraform manages the GCP substrate in infra/. See ADR 0012 for the decision rationale and boundary definition.
Ownership Boundary
Terraform owns:
- Enabled GCP APIs
- Service accounts and IAM bindings
- Secret Manager metadata (not secret values)
- Firestore database configuration
- Cloud Storage buckets
- Cloud Build triggers and scheduling
- Discovery Engine resources (Ernest AI)
- Firebase Hosting sites and channels
Firebase CLI owns (invoked by Cloud Build, not manually):
- Hosting deploys (function code, static assets)
- Firestore rules and indexes
- Storage rules
- Remote Config templates
- App Check configuration
File Layout
| File | Responsibility |
|---|---|
| main.tf | Terraform/provider config (GCS backend, google + google-beta) |
| variables.tf | Input variables (project_id, region, environment) |
| project.tf | GCP project setup, Firebase Hosting sites |
| auth.tf | Service accounts, IAM roles, Workload Identity Federation |
| iam.tf | IAM bindings (granular role assignment) |
| storage.tf | Cloud Storage buckets |
| firestore.tf | Firestore database config |
| cloudbuild.tf | Cloud Build triggers, GitHub connection, scheduling |
| secrets.tf | Secret Manager metadata |
| discovery-engine.tf | Vertex AI Search (Ernest AI RAG) |
| monitoring.tf | Cloud Monitoring alerts |
| logging.tf | Cloud Logging config |
| build-cache.tf | Artifact Registry for build cache |
| security-scanner.tf | Container scanning config |
Workflow
```
cd infra
terraform plan    # Preview changes; verify 0 destroys unless intentional
terraform apply   # Execute
```

Always commit the .tf changes after applying. Environment-specific values live in prod.tfvars and staging.tfvars.
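The "verify 0 destroys" step above can be automated in the Cloud Build pipeline. The script below is an added example, not part of the infra/ repo: it reads the JSON rendering of a saved plan (`terraform plan -out=tfplan` followed by `terraform show -json tfplan`, whose `resource_changes[].change.actions` field is Terraform's documented plan format) and fails when any resource would be deleted or replaced. The embedded sample plan and its resource addresses are constructed for illustration.

```python
"""Fail a CI step when a Terraform plan would destroy or replace anything.

Added example, not code from the infra/ repo. Assumes the plan was saved with
`terraform plan -out=tfplan` and rendered with `terraform show -json tfplan`.
"""
import json
import sys

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads. Resource addresses are hypothetical.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "google_storage_bucket.uploads",
         "change": {"actions": ["update"]}},
        {"address": "google_service_account.ci",
         "change": {"actions": ["no-op"]}},
        {"address": "google_firestore_database.main",
         "change": {"actions": ["delete", "create"]}},   # replacement
        {"address": "google_secret_manager_secret.api_key",
         "change": {"actions": ["delete"]}},
    ],
})


def destroys(plan_json: str) -> list:
    """Return (address, kind) for every resource the plan would delete.

    kind is "replace" when Terraform deletes and re-creates the resource
    (actions contain both "delete" and "create"), otherwise "destroy".
    Both count: a replaced Firestore database or bucket still loses its data.
    """
    plan = json.loads(plan_json)
    found = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:
            kind = "replace" if "create" in actions else "destroy"
            found.append((rc["address"], kind))
    return found


def main(argv: list) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    hits = destroys(text)
    for address, kind in hits:
        print(f"{kind:8} {address}")
    # Non-zero exit blocks the pipeline; an intentional destroy is re-run only
    # after a human has reviewed the list printed above.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_plan.py plan.json` after `terraform show -json tfplan > plan.json`; with no argument it runs against the constructed sample and exits 1.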