
GCP Stack Baseline

Summary

  • Defines the canonical Google Cloud baseline for production operations.
  • Establishes service naming, IAM/WIF auth model, and runtime identity boundaries.
  • Captures minimum requirements for Cloud Run, BigQuery, Firestore, GCS, and Secret Manager.
  • Provides a single operator checklist before release/cutover.

When to use this

  • Before provisioning a new environment.
  • Before release readiness and production deploy certification.
  • During incident triage when infra/auth scope is unclear.
  • When validating that docs and runtime posture match.

What you’ll walk away with

  • A canonical naming map for active Cloud Run services.
  • A minimum GCP control checklist that must be true before go-live.
  • Direct links to runbooks for Firestore, Secret Manager, and GCS baselines.

Canonical service naming

Use this map as the source of truth:
  • System of Record API: payroll-backend-prod
  • Config Plane API: payroll-pipeline-cbs-api
  • Legacy/compat reference (do not use for new deploy docs): payroll-pipeline-cbs

Required APIs

gcloud services enable \
  run.googleapis.com \
  artifactregistry.googleapis.com \
  cloudbuild.googleapis.com \
  secretmanager.googleapis.com \
  bigquery.googleapis.com \
  firestore.googleapis.com \
  sts.googleapis.com \
  iamcredentials.googleapis.com \
  --project=payroll-bi-gauntlet

Auth and IAM baseline

  • GitHub Actions authenticates through Workload Identity Federation (WIF): the workflow exchanges its GitHub OIDC token for a short-lived token that impersonates the CI deploy identity, so no service-account key is stored in GitHub.
  • CI deploy identity: sa-github-deployer@payroll-bi-gauntlet.iam.gserviceaccount.com
  • Runtime identity: sa-worker@payroll-bi-gauntlet.iam.gserviceaccount.com
  • Deployer must have, at minimum:
    • roles/run.admin
    • roles/iam.serviceAccountUser (bound on the runtime SA, not project-wide: it lets the deployer act as sa-worker and nothing else)
    • roles/cloudbuild.builds.editor
    • roles/storage.admin
    • roles/artifactregistry.writer
    • roles/serviceusage.serviceUsageConsumer
  • Bind roles/storage.admin on the specific buckets the deploy touches and roles/artifactregistry.writer on the specific repository wherever the workflow allows; at project scope, roles/storage.admin gives the CI identity full read/write on every bucket in the project, onboarding data included.
  • The WIF binding (roles/iam.workloadIdentityUser on the deployer SA) must name the specific repository through an attribute such as attribute.repository, never the whole pool (a member ending in /*).
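The following is an added verification script, not the project's own tooling, that checks exported IAM policies against the baseline above. It consumes the JSON shapes produced by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy SA --format=json`; the three policies embedded below are constructed samples, and the pool name, project number and repository in the WIF member are assumptions rather than values from this page.

```python
"""IAM baseline check for the deployer and runtime identities (added example)."""
import json

PROJECT = "payroll-bi-gauntlet"
DEPLOYER = f"serviceAccount:sa-github-deployer@{PROJECT}.iam.gserviceaccount.com"
RUNTIME = f"sa-worker@{PROJECT}.iam.gserviceaccount.com"

# Project-level minimum for the deployer. roles/iam.serviceAccountUser is
# granted on the runtime SA resource, not the project, so it is checked
# against the runtime SA's own policy instead.
REQUIRED_PROJECT_ROLES = {
    "roles/run.admin",
    "roles/cloudbuild.builds.editor",
    "roles/storage.admin",
    "roles/artifactregistry.writer",
    "roles/serviceusage.serviceUsageConsumer",
}
# Roles that, at project scope, reach well beyond the deploy path.
BROAD_ROLES = {"roles/storage.admin", "roles/owner", "roles/editor"}

WIF_PREFIX = "principalSet://iam.googleapis.com/projects/"
# Assumed pool/project-number/repository; not from the page.
WIF_POOL = WIF_PREFIX + "123456789012/locations/global/workloadIdentityPools/github-pool"

# Constructed sample of the project policy; serviceUsageConsumer is left out
# on purpose so the check has something to report.
SAMPLE_PROJECT_POLICY = json.dumps({"bindings": [
    {"role": "roles/run.admin", "members": [DEPLOYER]},
    {"role": "roles/cloudbuild.builds.editor", "members": [DEPLOYER]},
    {"role": "roles/storage.admin", "members": [DEPLOYER]},
    {"role": "roles/artifactregistry.writer", "members": [DEPLOYER]},
    {"role": "roles/editor", "members": ["user:someone@example.com"]},
]})
# Constructed sample of the runtime SA's policy: the deployer may act as it.
SAMPLE_RUNTIME_SA_POLICY = json.dumps({"bindings": [
    {"role": "roles/iam.serviceAccountUser", "members": [DEPLOYER]},
]})
# Constructed sample of the deployer SA's policy: one repository may impersonate it.
SAMPLE_DEPLOYER_SA_POLICY = json.dumps({"bindings": [
    {"role": "roles/iam.workloadIdentityUser",
     "members": [WIF_POOL + "/attribute.repository/example-org/payroll-pipeline"]},
]})
# Constructed sample of the mistake to catch: the whole pool may impersonate it.
SAMPLE_WHOLE_POOL_POLICY = json.dumps({"bindings": [
    {"role": "roles/iam.workloadIdentityUser", "members": [WIF_POOL + "/*"]},
]})


def roles_for(policy_json, member):
    """Set of roles `member` holds in an IAM policy document."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def members_with(policy_json, role):
    """All members bound to `role` in an IAM policy document."""
    policy = json.loads(policy_json)
    return [m for b in policy.get("bindings", []) if b["role"] == role
            for m in b.get("members", [])]


def check_deployer_project_roles(policy_json, member=DEPLOYER):
    """Missing minimum roles, plus broad roles that are bound at project scope."""
    have = roles_for(policy_json, member)
    return {
        "missing": sorted(REQUIRED_PROJECT_ROLES - have),
        "broad_at_project_scope": sorted(have & BROAD_ROLES),
    }


def check_runtime_sa_policy(policy_json, deployer=DEPLOYER):
    """Deployer needs actAs on the runtime SA; any other actor is a finding."""
    members = members_with(policy_json, "roles/iam.serviceAccountUser")
    return {"deployer_can_act_as": deployer in members,
            "other_actors": sorted(m for m in members if m != deployer)}


def check_wif_bindings(policy_json):
    """Every workloadIdentityUser member must be a WIF principal set scoped to
    an attribute; a member ending in /* admits every identity in the pool."""
    findings = []
    members = members_with(policy_json, "roles/iam.workloadIdentityUser")
    if not members:
        findings.append("no roles/iam.workloadIdentityUser binding: WIF deploys cannot impersonate the deployer")
    for m in members:
        if not m.startswith(WIF_PREFIX):
            findings.append(f"non-WIF member can impersonate the deployer: {m}")
        elif m.endswith("/*"):
            findings.append(f"binding grants the entire pool, not one repository: {m}")
    return findings


if __name__ == "__main__":
    print(check_deployer_project_roles(SAMPLE_PROJECT_POLICY))
    print(check_runtime_sa_policy(SAMPLE_RUNTIME_SA_POLICY))
    print(check_wif_bindings(SAMPLE_DEPLOYER_SA_POLICY), check_wif_bindings(SAMPLE_WHOLE_POOL_POLICY))
```

Against the constructed samples the project check reports the missing roles/serviceusage.serviceUsageConsumer and flags roles/storage.admin as a broad project-scope grant; the WIF check passes the repository-scoped binding and rejects the pool-wide one. To run it against a real project, feed the output of the two gcloud commands named in the lead-in instead of the samples.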

Cloud Run baseline

  • Region: us-central1
  • Deploy via GitHub Actions WIF workflows.
  • Required runtime env vars:
    • GCP_PROJECT_ID=payroll-bi-gauntlet
    • STAGE=prod
    • GIT_COMMIT_SHA=<sha>
    • ONBOARDING_STORAGE_BUCKET=payroll-bi-gauntlet-onboarding-storage
  • Required secret wiring (injected from Secret Manager by reference; the value must never appear as a literal env var in the revision spec):
    • JWT_SECRET_KEY=jwt-secret:latest
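As an added check that is not part of the project's deploy workflow, the script below validates a deployed revision against the Cloud Run baseline above. It reads the JSON from `gcloud run services describe SERVICE --region us-central1 --format=json` (Knative Service shape, where a Secret Manager env var appears as `valueFrom.secretKeyRef` with the secret name and version); the `make_sample` helper builds a constructed describe output, with placeholder image and commit SHA, so the check can be exercised offline and flipped into the failure cases.

```python
"""Cloud Run revision check against the baseline (added example)."""
import json

PROJECT = "payroll-bi-gauntlet"
REGION = "us-central1"
RUNTIME_SA = f"sa-worker@{PROJECT}.iam.gserviceaccount.com"
REQUIRED_ENV = {  # env var -> fixed expected value
    "GCP_PROJECT_ID": PROJECT,
    "STAGE": "prod",
    "ONBOARDING_STORAGE_BUCKET": f"{PROJECT}-onboarding-storage",
}
REQUIRED_ENV_ANY_VALUE = {"GIT_COMMIT_SHA"}  # value changes per release
REQUIRED_SECRETS = {"JWT_SECRET_KEY": ("jwt-secret", "latest")}  # env -> (secret, version)


def make_sample(stage="prod", jwt_as_literal=False):
    """Constructed `gcloud run services describe` output; arguments introduce defects."""
    env = [
        {"name": "GCP_PROJECT_ID", "value": PROJECT},
        {"name": "STAGE", "value": stage},
        {"name": "GIT_COMMIT_SHA", "value": "0123abcd"},  # placeholder SHA
        {"name": "ONBOARDING_STORAGE_BUCKET", "value": f"{PROJECT}-onboarding-storage"},
    ]
    if jwt_as_literal:
        # The anti-pattern: secret material pasted into the revision spec.
        env.append({"name": "JWT_SECRET_KEY", "value": "hunter2"})
    else:
        env.append({"name": "JWT_SECRET_KEY",
                    "valueFrom": {"secretKeyRef": {"name": "jwt-secret", "key": "latest"}}})
    return json.dumps({
        "apiVersion": "serving.knative.dev/v1", "kind": "Service",
        "metadata": {"name": "payroll-backend-prod",
                     "labels": {"cloud.googleapis.com/location": REGION}},
        "spec": {"template": {"spec": {
            "serviceAccountName": RUNTIME_SA,
            "containers": [{"image": "us-central1-docker.pkg.dev/placeholder/app@sha256:0",
                            "env": env}],
        }}},
    })


def check_service(describe_json):
    """Return baseline violations for one service; an empty list means it conforms."""
    svc = json.loads(describe_json)
    findings = []
    location = svc["metadata"].get("labels", {}).get("cloud.googleapis.com/location")
    if location != REGION:
        findings.append(f"region {location!r}, expected {REGION!r}")
    tmpl = svc["spec"]["template"]["spec"]
    if tmpl.get("serviceAccountName") != RUNTIME_SA:
        findings.append(f"runtime SA {tmpl.get('serviceAccountName')!r}, expected {RUNTIME_SA!r}")
    env = tmpl["containers"][0].get("env", [])
    literal = {e["name"]: e["value"] for e in env if "value" in e}
    from_secret = {e["name"]: (e["valueFrom"]["secretKeyRef"]["name"],
                               e["valueFrom"]["secretKeyRef"]["key"])
                   for e in env if "valueFrom" in e}
    for name, want in REQUIRED_ENV.items():
        if literal.get(name) != want:
            findings.append(f"{name}={literal.get(name)!r}, expected {want!r}")
    for name in REQUIRED_ENV_ANY_VALUE:
        if not literal.get(name):
            findings.append(f"{name} is unset")
    for name, ref in REQUIRED_SECRETS.items():
        if name in literal:
            findings.append(f"{name} is a literal in the revision spec; must be wired from Secret Manager")
        elif from_secret.get(name) != ref:
            findings.append(f"{name} secret ref {from_secret.get(name)!r}, expected {ref!r}")
    return findings


if __name__ == "__main__":
    for sample in (make_sample(), make_sample(stage="staging"), make_sample(jwt_as_literal=True)):
        print(check_service(sample) or "conforms")
```

Run it once per service named in the canonical map; a revision that carries the JWT secret as a literal fails even if the value happens to be correct, because the value is then readable by anyone with run.viewer on the service.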

Data and state baseline

  • BigQuery: contracts and schema expectations are defined in BQ_CONTRACT.
  • Firestore: required for exactly-once coordination/mutex checks on Phase 8S+ paths.
  • GCS: onboarding and staging object paths must use tenant/batch scoped prefixes, so that one tenant's batch can neither read nor overwrite another's objects.
  • Secret Manager: credential material must stay in Secret Manager; BigQuery and Firestore rows store only the Secret Manager resource name of a version (a ref), never the credential value.
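The two rules above can be enforced at write time. The validators below are an added example, not the project's own code: the object layout `<area>/<tenant>/<batch>/<object>` is an assumption (the page only requires tenant/batch scoped prefixes), and the credential-shape patterns are heuristics for the most common leak shapes, not a complete list. The sample rows are constructed.

```python
"""Reference hygiene for object paths and credential fields (added example)."""
import re

PROJECT = "payroll-bi-gauntlet"

# Assumed layout (not specified on the page): <area>/<tenant>/<batch>/<object...>
OBJECT_PATH = re.compile(
    r"^(?P<area>onboarding|staging)/(?P<tenant>[a-z0-9][a-z0-9-]*)/"
    r"(?P<batch>[A-Za-z0-9_-]+)/(?P<object>.+)$"
)
# Full Secret Manager version name; project id or number; pinned or latest.
SECRET_VERSION_REF = re.compile(
    rf"^projects/(?:{re.escape(PROJECT)}|\d+)/secrets/[A-Za-z0-9_-]+/versions/(?:latest|\d+)$"
)
# Heuristic shapes that mean raw credential material landed in a row.
CREDENTIAL_SHAPES = (
    ("pem_private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("service_account_json", re.compile(r'"type"\s*:\s*"service_account"')),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
)


def object_path_in_scope(path, tenant, batch):
    """True only if `path` sits under the caller's own tenant/batch prefix.
    Rejects other tenants, other batches, and '..' segments in the object part."""
    m = OBJECT_PATH.match(path)
    if not m:
        return False
    if m["tenant"] != tenant or m["batch"] != batch:
        return False
    return ".." not in m["object"].split("/")


def classify_secret_field(value):
    """'ref' for a Secret Manager version name, 'credential_material' when the
    value looks like a key, 'unknown' otherwise (treat unknown as a failure too)."""
    if SECRET_VERSION_REF.match(value):
        return "ref"
    for _, pattern in CREDENTIAL_SHAPES:
        if pattern.search(value):
            return "credential_material"
    return "unknown"


def audit_rows(rows, field="credential_ref"):
    """Ids of rows whose credential field is anything other than a Secret Manager ref."""
    return [r["id"] for r in rows if classify_secret_field(str(r.get(field, ""))) != "ref"]


# Constructed rows as a BigQuery/Firestore read might return them; the key
# material in rows 2 and 3 is fake.
SAMPLE_ROWS = [
    {"id": 1, "credential_ref": f"projects/{PROJECT}/secrets/tenant-acme-sftp/versions/3"},
    {"id": 2, "credential_ref": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----"},
    {"id": 3, "credential_ref": "AIzaSyA" + "x" * 32},
]

if __name__ == "__main__":
    print(object_path_in_scope("onboarding/acme/2024-06-01-b17/payroll.csv", "acme", "2024-06-01-b17"))
    print(audit_rows(SAMPLE_ROWS))
```

`object_path_in_scope` is the guard to call before any GCS write or signed-URL issuance on a tenant's behalf; `audit_rows` is the periodic sweep over the tables that are supposed to hold refs only.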

Release-readiness minimum checklist

  • APIs enabled for runtime and CI paths
  • WIF provider and IAM bindings verified
  • Both Cloud Run services (payroll-backend-prod and payroll-pipeline-cbs-api) healthy and serving the expected revision
  • Firestore preflight passes for both services
  • Secret Manager access verified for runtime SA
  • GCS bucket IAM + lifecycle baseline validated
  • BigQuery contracts and partition-filter rules validated