Designed and provisioned end-to-end GCP infrastructure as code using OpenTofu and Terragrunt (Terraform-compatible) for PT Synapsis Sinergi Digital's production environment.
Architecture
The network topology spans three VPCs with bidirectional peering:
- Database VPC — isolated network for Cloud SQL and database workloads
- App VPC — hosts the application GKE cluster with private nodes
- Ingress-Egress VPC — handles inbound/outbound traffic, houses the NAT gateway and the site-to-site VPN tunnel to on-premises infrastructure
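The three-VPC topology above, written as OpenTofu/Terraform HCL. This is an added example, not the project's own code: the project id, region, CIDRs and a full-mesh peering layout are assumptions, and VPC names follow the list above.

```hcl
# Added example (not the project's own code). Project id, region and CIDRs
# are placeholders; the full mesh between the three VPCs is an assumption.
locals {
  project = "example-project"   # assumption: replace with the real project id
  region  = "asia-southeast2"   # assumption
  vpcs = {
    db      = "10.10.0.0/20"
    app     = "10.20.0.0/20"
    ingress = "10.30.0.0/20"
  }
  # VPC peering is not transitive, so every pair that must talk gets its
  # own peering; db<->ingress traffic never hairpins through app.
  peerings = {
    "db-app"      = ["db", "app"]
    "app-ingress" = ["app", "ingress"]
    "db-ingress"  = ["db", "ingress"]
  }
}

resource "google_compute_network" "vpc" {
  for_each                = local.vpcs
  name                    = "${each.key}-vpc"
  project                 = local.project
  auto_create_subnetworks = false   # no implicit /20 in every region
  routing_mode            = "REGIONAL"
}

resource "google_compute_subnetwork" "subnet" {
  for_each                 = local.vpcs
  name                     = "${each.key}-subnet"
  project                  = local.project
  region                   = local.region
  network                  = google_compute_network.vpc[each.key].id
  ip_cidr_range            = each.value
  private_ip_google_access = true   # reach Google APIs without public IPs
}

# A peering only becomes ACTIVE once both sides exist.
resource "google_compute_network_peering" "forward" {
  for_each     = local.peerings
  name         = "${each.value[0]}-to-${each.value[1]}"
  network      = google_compute_network.vpc[each.value[0]].id
  peer_network = google_compute_network.vpc[each.value[1]].id
}

resource "google_compute_network_peering" "reverse" {
  for_each     = local.peerings
  name         = "${each.value[1]}-to-${each.value[0]}"
  network      = google_compute_network.vpc[each.value[1]].id
  peer_network = google_compute_network.vpc[each.value[0]].id
  depends_on   = [google_compute_network_peering.forward]
}
```

Two points worth checking after apply: peering exchanges routes but not firewall rules, so each VPC still needs its own ingress rules scoped to the peer CIDRs (there is no implicit allow across the peering), and the GCE API serialises peering operations per network, so applying with a low `-parallelism` avoids "operation in progress" errors on the first run.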
GKE Clusters
Three separate clusters were provisioned (app, db, dms), each with:
- Private nodes (no public IPs on node VMs)
- Workload Identity for secure, keyless service account access
- Shielded Nodes (Secure Boot, vTPM and integrity monitoring) so node VMs boot only verified images, as a supply-chain security control
- GCP Managed Prometheus + Cloud Logging for observability
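A private GKE cluster with the four properties listed above, as an added HCL example rather than the project's own module. The network and subnet names, the control-plane CIDR, the authorized-network range, and the `app/app-ksa` namespace/ServiceAccount pair are assumptions; the node service account is deliberately limited to log and metric writing.

```hcl
# Added example (not the project's own code). Names, CIDRs and the
# namespace/KSA pair are placeholders.
variable "project" { type = string }
variable "region"  { type = string }

resource "google_service_account" "gke_nodes" {
  account_id   = "gke-app-nodes"
  display_name = "GKE app node pool (least-privilege)"
}

# Nodes need only logging/monitoring write, not the default Editor role.
resource "google_project_iam_member" "node_roles" {
  for_each = toset(["roles/logging.logWriter", "roles/monitoring.metricWriter"])
  project  = var.project
  role     = each.value
  member   = "serviceAccount:${google_service_account.gke_nodes.email}"
}

resource "google_container_cluster" "app" {
  name       = "app"
  location   = var.region
  project    = var.project
  network    = "app-vpc"      # assumption: created elsewhere
  subnetwork = "app-subnet"   # assumption

  remove_default_node_pool = true
  initial_node_count       = 1
  networking_mode          = "VPC_NATIVE"
  ip_allocation_policy {}   # VPC-native pod/service ranges allocated by GKE

  private_cluster_config {
    enable_private_nodes    = true   # node VMs get no external IP
    enable_private_endpoint = false  # API server reachable only from authorized networks
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.30.0.0/20"   # assumption: ingress-egress VPC range
      display_name = "ingress-egress-vpc"
    }
  }

  enable_shielded_nodes = true
  workload_identity_config {
    workload_pool = "${var.project}.svc.id.goog"
  }
  monitoring_config {
    managed_prometheus { enabled = true }
  }
  logging_config {
    enable_components = ["SYSTEM_COMPONENTS", "WORKLOADS"]
  }
}

resource "google_container_node_pool" "app_primary" {
  name       = "app-primary"
  location   = var.region
  cluster    = google_container_cluster.app.name
  node_count = 1
  node_config {
    machine_type    = "e2-standard-4"
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    workload_metadata_config {
      mode = "GKE_METADATA"   # required for Workload Identity on the pool
    }
  }
}

# Bind one Kubernetes SA (namespace/name) to a Google SA: pods obtain
# short-lived tokens from the GKE metadata server; no exported JSON key.
resource "google_service_account" "app_workload" {
  account_id = "app-workload"
}

resource "google_service_account_iam_member" "wi_binding" {
  service_account_id = google_service_account.app_workload.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project}.svc.id.goog[app/app-ksa]"
}
```

The Kubernetes side still needs the `iam.gke.io/gcp-service-account` annotation on the `app-ksa` ServiceAccount; the IAM binding above is what prevents any other namespace from impersonating `app-workload`. With `enable_private_endpoint = false` the control plane keeps a public address, so the authorized-network list is the control on who can reach it.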
Compute and Access
GCE instances handle specific roles: NAT gateway, GitLab Runner, FleetDM, Flipt, Mikrotik CHR, and a Yocto build host. All SSH access is brokered through Cloud IAP — no public IP exposure on any instance.
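The IAP-brokered SSH pattern from the paragraph above, as an added example that is not the project's own code. The instance, subnet, network and group names are assumptions; the `35.235.240.0/20` source range is the published IAP TCP-forwarding range.

```hcl
# Added example (not the project's own code). Instance, network and group
# names are placeholders; the IAP source range is Google's published one.
variable "project" { type = string }
variable "zone"    { type = string }

resource "google_compute_instance" "gitlab_runner" {
  name         = "gitlab-runner"
  project      = var.project
  zone         = var.zone
  machine_type = "e2-standard-2"
  tags         = ["iap-ssh"]

  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
  }
  network_interface {
    subnetwork = "ingress-subnet"   # assumption: created elsewhere
    # no access_config block => no external IP is ever allocated
  }
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }
  metadata = {
    enable-oslogin = "TRUE"   # SSH keys tied to IAM identities, not instance metadata
  }
}

# IAP TCP forwarding originates from this fixed Google range. Restricting
# port 22 to it means that even a mistakenly attached public IP would not
# expose SSH to the internet.
resource "google_compute_firewall" "allow_iap_ssh" {
  name          = "allow-iap-ssh"
  project       = var.project
  network       = "ingress-vpc"   # assumption
  direction     = "INGRESS"
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["iap-ssh"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Who may open a tunnel to this instance is an IAM decision, recorded in
# Cloud Audit Logs; grant it to a group rather than to individuals.
resource "google_iap_tunnel_instance_iam_member" "ops_ssh" {
  project  = var.project
  zone     = var.zone
  instance = google_compute_instance.gitlab_runner.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "group:ops@example.com"   # assumption
}
```

Operators then connect with `gcloud compute ssh gitlab-runner --zone ZONE --tunnel-through-iap`; with OS Login enabled they additionally need `roles/compute.osLogin` (or `osAdminLogin` for sudo) on the project, so revoking a person's IAM membership revokes both the tunnel and the login.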
Secrets and Key Management
Google KMS is used to auto-unseal HashiCorp Vault on startup, eliminating manual unseal operations.
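The KMS-backed auto-unseal described above, as an added example (not the project's own code): the OpenTofu resources create the key and the least-privilege binding, and the `seal "gcpckms"` stanza is what Vault reads on startup. Key ring, key and service-account names are assumptions; the Vault process is assumed to run under the `vault-server` service account via instance metadata or Workload Identity, so no key file is needed.

```hcl
# Added example (not the project's own code). Key ring, key and service
# account names are placeholders.
variable "project" { type = string }
variable "region"  { type = string }

resource "google_kms_key_ring" "vault" {
  name     = "vault-unseal"
  project  = var.project
  location = var.region
}

resource "google_kms_crypto_key" "unseal" {
  name            = "vault-unseal-key"
  key_ring        = google_kms_key_ring.vault.id
  rotation_period = "7776000s"   # 90 days; older versions still decrypt
  lifecycle {
    prevent_destroy = true   # without this key the barrier can never be opened
  }
}

resource "google_service_account" "vault" {
  account_id = "vault-server"
}

# Encrypt/Decrypt on this one key only, not a project-wide KMS role.
resource "google_kms_crypto_key_iam_member" "vault_unseal" {
  crypto_key_id = google_kms_crypto_key.unseal.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_service_account.vault.email}"
}

# ---- /etc/vault.d/vault.hcl on the Vault server (separate file) ----
# Credentials come from the attached service account; no credentials file.
seal "gcpckms" {
  project    = "example-project"     # assumption
  region     = "asia-southeast2"     # assumption
  key_ring   = "vault-unseal"
  crypto_key = "vault-unseal-key"
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-0"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}

api_addr     = "https://vault-0.example.internal:8200"   # assumption
cluster_addr = "https://vault-0.example.internal:8201"   # assumption
```

On first `vault operator init` the recovery keys replace the old unseal shares: they cannot unseal Vault, only authorise operations such as generating a new root token, so they still belong in an offline, split-custody store. Every unseal is a KMS Decrypt call, which makes Cloud Audit Logs on the key a useful detection point for unexpected Vault restarts.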
Site-to-Site VPN
A dedicated VPN tunnel connects the Ingress-Egress VPC to the on-premises Proxmox/Ceph HCI environment, enabling hybrid workload placement without exposing internal services to the public internet.
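One way to express that tunnel in HCL, as an added example that is not the project's own code. It assumes Cloud HA VPN with BGP (the page does not say which gateway type is in use); the on-premises public IP, ASNs, link-local addresses and names are placeholders, and the pre-shared key is injected as a sensitive variable rather than committed.

```hcl
# Added example (not the project's own code). Public IP, ASNs, link-local
# ranges and names are placeholders; the PSK is supplied out of band.
variable "project"          { type = string }
variable "region"           { type = string }
variable "onprem_public_ip" { type = string }
variable "vpn_psk" {
  type      = string
  sensitive = true   # inject from Vault/Secret Manager; never commit
}

resource "google_compute_ha_vpn_gateway" "ingress" {
  name    = "ingress-ha-vpn"
  project = var.project
  region  = var.region
  network = "ingress-vpc"   # assumption: created elsewhere
}

resource "google_compute_external_vpn_gateway" "onprem" {
  name            = "onprem-proxmox"
  project         = var.project
  redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
  interface {
    id         = 0
    ip_address = var.onprem_public_ip
  }
}

resource "google_compute_router" "ingress" {
  name    = "ingress-router"
  project = var.project
  region  = var.region
  network = "ingress-vpc"   # assumption
  bgp {
    asn = 64514   # private ASN for the GCP side
  }
}

resource "google_compute_vpn_tunnel" "onprem0" {
  name                            = "onprem-tunnel-0"
  project                         = var.project
  region                          = var.region
  vpn_gateway                     = google_compute_ha_vpn_gateway.ingress.id
  vpn_gateway_interface           = 0
  peer_external_gateway           = google_compute_external_vpn_gateway.onprem.id
  peer_external_gateway_interface = 0
  shared_secret                   = var.vpn_psk
  ike_version                     = 2
  router                          = google_compute_router.ingress.id
}

# BGP over a link-local /30 inside the tunnel: on-prem prefixes are learned
# dynamically instead of being hard-coded as static routes.
resource "google_compute_router_interface" "onprem0" {
  name       = "onprem-if-0"
  project    = var.project
  region     = var.region
  router     = google_compute_router.ingress.name
  ip_range   = "169.254.0.1/30"
  vpn_tunnel = google_compute_vpn_tunnel.onprem0.name
}

resource "google_compute_router_peer" "onprem0" {
  name                      = "onprem-peer-0"
  project                   = var.project
  region                    = var.region
  router                    = google_compute_router.ingress.name
  interface                 = google_compute_router_interface.onprem0.name
  peer_ip_address           = "169.254.0.2"
  peer_asn                  = 64515   # on-prem router's ASN
  advertised_route_priority = 100
}
```

Two caveats for this topology: HA VPN needs a second tunnel on gateway interface 1 to reach its SLA, and the routes learned over BGP land only in the Ingress-Egress VPC. For the App and Database VPCs to reach on-premises hosts, the peerings into the Ingress-Egress VPC must set `export_custom_routes` on that side and `import_custom_routes` on the spoke side; otherwise the tunnel is up but the spokes have no route.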