DurianPy-Davao-Python-User-Group · ASPactores · Apr 16, 2026 · Apr 13, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/.github/workflows/plan-nonprod.yml b/.github/workflows/plan-nonprod.yml
@@ -26,6 +26,11 @@ jobs:
         with:
           role-to-assume: ${{ vars.NONPROD_OIDC_ROLE_ARN }}
           aws-region: ${{ vars.AWS_REGION }}
+      - uses: google-github-actions/auth@v3
+        with:
+          project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: ${{ env.TF_VERSION }}

diff --git a/.github/workflows/plan-prod.yml b/.github/workflows/plan-prod.yml
@@ -26,6 +26,11 @@ jobs:
         with:
           role-to-assume: ${{ vars.PROD_OIDC_ROLE_ARN }}
           aws-region: ${{ vars.AWS_REGION }}
+      - uses: google-github-actions/auth@v3
+        with:
+          project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: ${{ env.TF_VERSION }}

diff --git a/.github/workflows/plan-root.yml b/.github/workflows/plan-root.yml
@@ -26,6 +26,11 @@ jobs:
         with:
           role-to-assume: ${{ vars.ROOT_OIDC_ROLE_ARN }}
           aws-region: ${{ vars.AWS_REGION }}
+      - uses: google-github-actions/auth@v3
+        with:
+          project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: ${{ env.TF_VERSION }}

diff --git a/.github/workflows/plan-sandbox.yml b/.github/workflows/plan-sandbox.yml
@@ -26,6 +26,11 @@ jobs:
         with:
           role-to-assume: ${{ vars.SANDBOX_OIDC_ROLE_ARN }}
           aws-region: ${{ vars.AWS_REGION }}
+      - uses: google-github-actions/auth@v3
+        with:
+          project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: ${{ env.TF_VERSION }}

diff --git a/modules/gcp/api/main.tf b/modules/gcp/api/main.tf
@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.14.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 7.26.0"
+    }
+  }
+}
+
+resource "google_project_service" "enabled_apis" {
+  for_each = toset(var.gcp_service_list)
+
+  project = var.gcp_project_id
+  service = each.key
+
+  disable_on_destroy = false
+}
diff --git a/modules/gcp/api/outputs.tf b/modules/gcp/api/outputs.tf
@@ -0,0 +1,4 @@
+output "enabled_services" {
+  value       = [for s in google_project_service.enabled_apis : s.service]
+  description = "The list of services that were enabled"
+}
diff --git a/modules/gcp/api/variables.tf b/modules/gcp/api/variables.tf
@@ -0,0 +1,10 @@
+variable "gcp_project_id" {
-variable "gcp_project_id" {
+variable "project_id" {
-variable "gcp_project_id" {
+variable "project_id" {
+  description = "The ID of the project where APIs will be enabled"
+  type        = string
+}
+
+variable "gcp_service_list" {
+  description = "The list of APIs to enable"
+  type        = list(string)
+  default     = []
+}
diff --git a/modules/gcp/budget/main.tf b/modules/gcp/budget/main.tf
@@ -0,0 +1,51 @@
+data "google_billing_account" "account" {
+  display_name = var.billing_account_name
+  open         = true
+}
+
+resource "google_monitoring_notification_channel" "email_devops" {
+  project      = var.project_id
+  display_name = "Budget Alert Email"
+  type         = "email"
+
+  labels = {
+    email_address = var.billing_notification_email
+  }
+}
+
+resource "google_billing_budget" "monthly_limit" {
+  billing_account = data.google_billing_account.account.id
+  display_name    = var.budget_name
+
+  budget_filter {
+    projects = ["projects/${var.project_id}"]
+  }
+
+  amount {
+    specified_amount {
+      currency_code = "USD"
+      units         = tostring(var.limit_amount_usd)
+    }
+  }
+
+  threshold_rules {
+    threshold_percent = 0.5
+  }
+
+  threshold_rules {
+    threshold_percent = 0.9
+  }
+
+  threshold_rules {
+    threshold_percent = 1.0
+    spend_basis       = "FORECASTED_SPEND"
+  }
+
+  all_updates_rule {
+    monitoring_notification_channels = [
+      google_monitoring_notification_channel.email_devops.id
+    ]
+
+    disable_default_iam_recipients = false
+  }
+}
diff --git a/modules/gcp/budget/outputs.tf b/modules/gcp/budget/outputs.tf
@@ -0,0 +1,9 @@
+output "budget_name" {
+  description = "Name of the GCP budget."
+  value       = google_billing_budget.monthly_limit.display_name
+}
+
+output "budget_id" {
+  description = "The GCP budget resource name."
+  value       = google_billing_budget.monthly_limit.name
+}
diff --git a/modules/gcp/budget/variables.tf b/modules/gcp/budget/variables.tf
@@ -0,0 +1,33 @@
+variable "project_id" {
+  description = "The GCP project ID for the budget."
+  type        = string
+}
+
+variable "billing_account_name" {
+  description = "Name of the GCP billing account to create the budget under."
+  type        = string
+  default     = "durianpy-cms"
-  default     = "durianpy-cms"
-  default     = "durianpy-cms"
+}
+
+variable "budget_name" {
+  description = "Name of the GCP budget."
+  type        = string
+  default     = "Monthly Budget"
+}
+
+variable "limit_amount_usd" {
+  description = "Monthly spend limit in USD for the GCP account budget."
+  type        = number
+  default     = 100
+
+  validation {
+    condition     = var.limit_amount_usd > 0 && floor(var.limit_amount_usd) == var.limit_amount_usd
+    error_message = "limit_amount_usd must be a positive whole number."
+  }
+}
+
+variable "billing_notification_email" {
+  description = "Email address for GCP account cost alerts."
+  type        = string
+  default     = "durianpy.davao+devops@gmail.com"
+}
diff --git a/modules/gcp/firestore/main.tf b/modules/gcp/firestore/main.tf
@@ -0,0 +1,20 @@
+resource "google_project_service" "firestore" {
+  project            = var.project_id
+  service            = var.api_service_name
+  disable_on_destroy = false
+}
+
+resource "google_firestore_database" "this" {
+  project                     = var.project_id
+  name                        = var.database_name
+  location_id                 = var.region
+  type                        = var.database_type
+  concurrency_mode            = var.concurrency_mode
+  app_engine_integration_mode = var.app_engine_integration_mode
+  database_edition            = var.database_edition
+
+  mongodb_compatible_data_access_mode = var.mongodb_compatible_data_access_mode
+  delete_protection_state             = var.delete_protection_state
+
+  depends_on = [google_project_service.firestore]
+}
diff --git a/modules/gcp/firestore/outputs.tf b/modules/gcp/firestore/outputs.tf
@@ -0,0 +1,9 @@
+output "firestore_db_id" {
+  description = "The Firestore database resource name."
+  value       = google_firestore_database.this.name
+}
+
+output "firestore_db_project" {
+  description = "The project that owns the Firestore database."
+  value       = google_firestore_database.this.project
+}
diff --git a/modules/gcp/firestore/variables.tf b/modules/gcp/firestore/variables.tf
@@ -0,0 +1,57 @@
+variable "project_id" {
+  description = "The GCP project ID where Firestore will be created."
+  type        = string
+}
+
+variable "region" {
+  description = "The Firestore location ID."
+  type        = string
+}
+
+variable "database_name" {
+  description = "The Firestore database name."
+  type        = string
+  default     = "payloadcms-poc-db"
+}
+
+variable "api_service_name" {
+  description = "The Google API service to enable before creating Firestore."
+  type        = string
+  default     = "firestore.googleapis.com"
+}
+
+variable "database_type" {
+  description = "The Firestore database type."
+  type        = string
+  default     = "FIRESTORE_NATIVE"
+}
+
+variable "concurrency_mode" {
+  description = "The Firestore concurrency mode."
+  type        = string
+  default     = "OPTIMISTIC"
+}
+
+variable "app_engine_integration_mode" {
+  description = "The App Engine integration mode for Firestore."
+  type        = string
+  default     = "DISABLED"
+}
+
+variable "database_edition" {
+  description = "The Firestore database edition."
+  type        = string
+  default     = "ENTERPRISE"
+}
+
+variable "mongodb_compatible_data_access_mode" {
+  description = "MongoDB-compatible data access mode for Firestore."
+  type        = string
+  default     = "DATA_ACCESS_MODE_ENABLED"
+}
+
+variable "delete_protection_state" {
+  description = "Delete protection state for the Firestore database."
+  type        = string
+  default     = "DELETE_PROTECTION_DISABLED"
+}
diff --git a/workspaces/prod/.terraform.lock.hcl b/workspaces/prod/.terraform.lock.hcl
diff --git a/workspaces/prod/backend.tf b/workspaces/prod/backend.tf
@@ -8,11 +8,11 @@ terraform {
     }
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.0"
+      version = ">= 7.26.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.0"
+      version = ">= 7.26.0"
     }
   }
 

diff --git a/workspaces/prod/main.tf b/workspaces/prod/main.tf
@@ -43,3 +43,37 @@ module "vpc" {
     "10.20.80.0/20",
   ]
 }
+
+module "gcp_project_apis" {
+  source         = "../../modules/gcp/api"
+  gcp_project_id = var.gcp_project_id
+
+  gcp_service_list = [
+    "billingbudgets.googleapis.com",
+    "monitoring.googleapis.com",
+    "iam.googleapis.com",
+    "serviceusage.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+    "firestore.googleapis.com"
-    "cloudresourcemanager.googleapis.com",
-    "firestore.googleapis.com"
+    "cloudresourcemanager.googleapis.com"
-    "cloudresourcemanager.googleapis.com",
-    "firestore.googleapis.com"
+    "cloudresourcemanager.googleapis.com"
+  ]
+}
+
+module "gcp_budget" {
+  source = "../../modules/gcp/budget"
+
+  project_id                 = var.gcp_project_id
+  budget_name                = "Durianpy Prod GCP Budget"
+  limit_amount_usd           = var.gcp_budget_limit_usd
+  billing_notification_email = var.budget_notification_email
+
+  depends_on = [module.gcp_project_apis]
+}
+
+module "gcp_firestore" {
+  source = "../../modules/gcp/firestore"
+
+  project_id = var.gcp_project_id
+  region     = var.gcp_region
+
+  depends_on = [module.gcp_project_apis]
+}
diff --git a/workspaces/prod/outputs.tf b/workspaces/prod/outputs.tf
@@ -8,6 +8,26 @@
 #   value       = module.gcp_prod.enabled_apis
 # }
 
+output "gcp_project_id" {
+  description = "GCP project ID for production."
+  value       = var.gcp_project_id
+}
+
+output "gcp_enabled_apis" {
+  description = "APIs enabled in the prod GCP project."
+  value       = module.gcp_project_apis.enabled_services
+}
+
+output "gcp_budget_name" {
+  description = "Name of the prod GCP budget."
+  value       = module.gcp_budget.budget_name
+}
+
+output "gcp_firestore_db_id" {
+  description = "ID of the Firestore database in prod."
+  value       = module.gcp_firestore.firestore_db_id
+}
+
 output "github_oidc_role_arn" {
   description = "ARN of the GitHub Actions OIDC IAM role."
   value       = module.github_oidc.role_arn

diff --git a/workspaces/prod/providers.tf b/workspaces/prod/providers.tf
@@ -11,11 +11,8 @@ provider "aws" {
 }
 
 provider "google" {
-  project = var.gcp_project_id
-  region  = var.gcp_region
-}
-
-provider "google-beta" {
-  project = var.gcp_project_id
-  region  = var.gcp_region
+  region                = var.gcp_region
+  project               = var.gcp_project_id
+  user_project_override = true
+  billing_project       = var.gcp_project_id
 }