
Architecture Diagram


Terraform Structure

SGP’s GCP infrastructure is provisioned in two separate Terraform phases with different privilege levels:
| Phase | Directory | Credentials | Scope |
|---|---|---|---|
| Privileged bootstrap | projectsetup/ | Your personal GCP identity | Service account, Artifact Registries, API enablement |
| Deprivileged main infra | deployments/<name>/ | Terraform service account (read from Secret Manager) | GKE, Cloud SQL, networking, IAM, secrets |

The main infrastructure Terraform reads the service account key directly from Secret Manager, so no key file needs to exist on disk during the infrastructure run. The key is still a long-lived credential: whoever can access that secret can act as the Terraform service account, so access to it should be as tightly scoped as the service account itself.
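One way to drive the deprivileged phase so that the key never touches disk, as an added example rather than SGP's own tooling: fetch the secret the page names (terraform-service-account-key-secret), sanity-check that it really is a service account key for the expected project, and pass it to Terraform through the google provider's GOOGLE_CREDENTIALS variable, which accepts the JSON contents as well as a path. It assumes an authenticated gcloud CLI and a deployments/<name>/ directory; the function and secret-fetch wrapper names are this example's own.

```python
"""Run the deprivileged Terraform phase with the service account key held
only in memory (Secret Manager -> GOOGLE_CREDENTIALS -> terraform).

Added example, not SGP's own code. Assumes: an authenticated `gcloud`, the
secret name the page lists, and Terraform's google provider reading the
key JSON from GOOGLE_CREDENTIALS.
"""
import json
import os
import subprocess
from typing import Callable, Dict, List, Optional

SECRET_NAME = "terraform-service-account-key-secret"  # name from the page


def fetch_secret_with_gcloud(secret: str, project: str) -> str:
    """Return the latest version of a Secret Manager secret (live gcloud call)."""
    return subprocess.run(
        ["gcloud", "secrets", "versions", "access", "latest",
         "--secret", secret, "--project", project],
        check=True, capture_output=True, text=True,
    ).stdout


def key_problems(raw: str, expected_project: str) -> List[str]:
    """Sanity-check a service account key before running Terraform with it.

    A mis-pointed secret (wrong project, not a key at all) would otherwise
    run the whole deprivileged phase as an unintended identity.
    """
    try:
        key = json.loads(raw)
    except ValueError:
        return ["secret payload is not JSON"]
    problems = []
    missing = {"type", "project_id", "client_email", "private_key"} - set(key)
    if missing:
        return [f"key is missing fields: {sorted(missing)}"]
    if key["type"] != "service_account":
        problems.append(f"unexpected credential type {key['type']!r}")
    if key["project_id"] != expected_project:
        problems.append(f"key belongs to {key['project_id']}, expected {expected_project}")
    if not key["client_email"].endswith(f"@{expected_project}.iam.gserviceaccount.com"):
        problems.append(f"unexpected client_email {key['client_email']!r}")
    return problems


def build_env(raw_key: str, base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Environment for the terraform process: key in GOOGLE_CREDENTIALS only."""
    env = dict(os.environ if base is None else base)
    # Drop the file-based hint so the provider cannot fall back to a stale
    # key file that happens to be lying around on disk.
    env.pop("GOOGLE_APPLICATION_CREDENTIALS", None)
    env["GOOGLE_CREDENTIALS"] = raw_key
    return env


def run_deprivileged_phase(deployment_dir: str, project: str, action: str = "plan",
                           fetch: Callable[[str, str], str] = fetch_secret_with_gcloud) -> int:
    """Fetch, validate and hand the key to terraform running in deployments/<name>/."""
    raw = fetch(SECRET_NAME, project)
    problems = key_problems(raw, project)
    if problems:
        raise RuntimeError("refusing to run terraform: " + "; ".join(problems))
    proc = subprocess.run(["terraform", f"-chdir={deployment_dir}", action],
                          env=build_env(raw))
    return proc.returncode


if __name__ == "__main__":
    import sys
    # usage: python run_phase.py deployments/prod my-gcp-project [plan|apply]
    sys.exit(run_deprivileged_phase(sys.argv[1], sys.argv[2], *sys.argv[3:4]))
```

Because the key is only ever an environment variable of the terraform child process, nothing is left behind after the run; rotating the secret version is enough to rotate what Terraform uses.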

Resources by Type

Compute Resources

| Resource | Count | Purpose |
|---|---|---|
| GKE Cluster | 1 | Kubernetes orchestration |
| System Node Pool (default) | 1 | System pods, tainted CriticalAddonsOnly |
| CPU Node Pool (cpu) | 1 | Application workloads |
| GPU Node Pool (gpu) | 0–1 | AI/ML workloads (optional) |
| Cassandra Node Pool | 0–1 | Temporal database (optional) |
| Bastion Host | 0–1 | Private cluster access via IAP (optional) |
Default node pool sizing:

| Pool | Machine Type | Min Nodes | Max Nodes |
|---|---|---|---|
| System (default) | n2-standard-4 | 3 | 10 |
| CPU (cpu) | n2-standard-16 | 4 | 30 |
| GPU (gpu) | a2-highgpu-1g | 0 | 0 (disabled by default) |
| Cassandra | n2-standard-4 | 3 | 6 |

All pools use the COS_CONTAINERD image type and are preemptible by default (configurable via node_pool_config.preemptible). Preemptible VMs can be reclaimed by GCP at any time, so keep that default in mind for the Cassandra pool, which holds Temporal's state.

Network Resources

| Resource | Count | Purpose |
|---|---|---|
| VPC Network | 1 | Network boundary |
| Subnetwork | 1 | Kubernetes nodes |
| Secondary IP Ranges | 2 | GKE pod and service CIDRs |
| Cloud DNS Zone | 1 | Internal + external name resolution |
| Global Static IP | 1 | Load balancer ingress endpoint |
| SSL Policy | 1 | Minimum TLS 1.2 enforcement |
| Firewall Rules | 4–5 | Traffic control (offline mode) |
| VPC Peering | 1 | Private connectivity to Cloud SQL |
| Private Route | 0–1 | Google APIs access in offline mode |

Data & Storage Resources

| Resource | Count | Purpose |
|---|---|---|
| Cloud SQL (PostgreSQL 17) | 1 | Main platform database |
| Cloud SQL (PostgreSQL 17) | 1 | Temporal workflow database |
| GCS Bucket (main) | 1 | Platform object storage |
| GCS Bucket (knowledge base) | 1 | KB document storage |
| GCS Bucket (monitoring) | 0–1 | Observability data (optional) |
| Vertex AI Vector Search Index | 0–N | Vector embeddings (optional) |
| Cloud Firestore | 0–1 | Agentex state (optional) |
Both Cloud SQL instances are private-only (no public IP) and connected to the VPC via VPC peering. SSL is enforced for all database connections (ENCRYPTED_ONLY).

Security Resources

| Resource | Count | Purpose |
|---|---|---|
| Secret Manager Secrets | 10+ | Platform configuration and credentials |
| Cloud KMS Key Ring + Key | 0–1 | Customer Managed Encryption Keys (optional) |
| Service Account (sgp-<workspace_id>-sa) | 1 | Main SGP workload identity SA |
| Service Account (sgp-<workspace_id>-node-pool-creator) | 1 | Node pool creation SA |
| Service Account (sgp-tf-lp-<name>) | 1 | Terraform execution SA (projectsetup) |
| Workload Identity Pool | 1 | GKE pod → GCP SA binding |
| IAP Tunnel (Bastion) | 0–1 | Private cluster access |

Artifact Resources (projectsetup phase)

| Resource | Count | Purpose |
|---|---|---|
| Artifact Registry (Docker) | 1 | SGP container images |
| Artifact Registry (Helm) | 1 | SGP Helm charts |
Both registries are named sgp-<workspace_id>-docker-repository and sgp-<workspace_id>-helm-repository.

Monitoring Resources

| Resource | Count | Purpose |
|---|---|---|
| Cloud Logging | 1 | GKE system components, API server, workloads |
| VPC Flow Logs | 0–1 | Network traffic sampling (optional) |
| GKE Vulnerability Scanning | 1 | Basic vulnerability mode enabled by default |

Network Architecture

Address Space

VPC: sgp-<workspace_id>-network
└── Subnet: sgp-<workspace_id>-network-kubernetes-subnet
    ├── Primary range:   10.0.0.0/16   (65,536 IPs — GKE nodes)
    ├── Secondary range: 10.2.0.0/16   (65,536 IPs — Kubernetes services)
    └── Secondary range: 10.4.0.0/16   (65,536 IPs — Kubernetes pods)

Cloud SQL VPC Peering:
    └── Reserved range:  /16 block      (managed by service networking)

GKE Control Plane (private):
    └── Master CIDR:     10.5.0.0/28   (configurable via private_gke_master_ipv4_cidr_block)
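A pre-flight check over the address plan above, added here as an example and not part of SGP's Terraform: it confirms every range is private, on a network boundary, pairwise non-overlapping, clear of the restricted Google APIs VIP used in offline mode, and that the control plane range is the /28 GKE requires for master_ipv4_cidr_block. The four GKE ranges are the ones the page lists; the Cloud SQL peering range (10.6.0.0/16) is an assumption, since the page only says service networking reserves a /16. Overlaps between these ranges are the classic cause of a cluster or peering that fails to create.

```python
"""Consistency check for the VPC / GKE / Cloud SQL address plan.

Added example, not SGP's own code. The peering range below is assumed;
the others are the values the page documents.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List

# Restricted Google APIs VIP reached via the private route in offline mode.
RESTRICTED_GOOGLEAPIS = ipaddress.ip_network("199.36.153.4/30")

ADDRESS_PLAN = {
    "nodes (primary)": "10.0.0.0/16",
    "services (secondary)": "10.2.0.0/16",
    "pods (secondary)": "10.4.0.0/16",
    "gke master": "10.5.0.0/28",
    "cloud sql peering": "10.6.0.0/16",  # assumed; the page only says "/16 block"
}


def check_address_plan(plan: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            problems.append(f"{name}: {cidr} is not on a network boundary (did you mean {net}?)")
        if not net.is_private:
            problems.append(f"{name}: {cidr} is not private address space")
        if net.overlaps(RESTRICTED_GOOGLEAPIS):
            problems.append(f"{name}: {cidr} collides with the restricted Google APIs VIP")
        nets[name] = net

    master = nets.get("gke master")
    if master is not None and master.prefixlen != 28:
        problems.append(f"gke master: {master} must be a /28 (GKE master_ipv4_cidr_block)")

    # Every pair of ranges must be disjoint: nodes, pods, services, the
    # control plane and the service-networking reservation all share the VPC.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


if __name__ == "__main__":
    for line in check_address_plan(ADDRESS_PLAN) or ["address plan OK"]:
        print(line)
```

Run it against the values you intend to pass as the subnet, secondary-range, private_gke_master_ipv4_cidr_block and peering variables before the first apply; Terraform will not catch an overlap until the GCP API rejects the resource.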

Traffic Flow

Ingress (External):
Internet → Global Load Balancer (static IP) → Istio Ingress → Pod
(TLS terminated at load balancer; SSL policy enforces TLS 1.2+)
Database Access:
GKE Pod → VPC Peering → Cloud SQL (private IP)
(SSL enforced; no public IP on Cloud SQL instances)
Google APIs (offline mode):
GKE Pod → Private Google Access → Google APIs (199.36.153.4/30)
(Dedicated route; no default internet gateway route created)
Bastion Access:
Engineer → IAP Tunnel → Bastion VM (e2-micro) → GKE API (private endpoint)

GKE Configuration

Cluster Features

| Feature | Value |
|---|---|
| Datapath provider | ADVANCED_DATAPATH (eBPF-based) |
| IP stack | Dual-stack IPv4/IPv6 |
| Workload Identity | Enabled (<project>.svc.id.goog) |
| Secret Manager integration | Enabled |
| Vulnerability scanning | Basic mode |
| Private nodes | Enabled (when offline_mode = true) |
| Private endpoint | Configurable (enable_gke_private_endpoint) |
| Master authorized networks | Configurable per deployment |
| DNS endpoint | Enabled (allows external cluster DNS access) |

Workload Identity

GKE pods authenticate to GCP services using Workload Identity rather than exported service account key files mounted into pods. Kubernetes service accounts are bound to GCP service accounts via the workload identity pool:
<project>.svc.id.goog[<namespace>/<k8s-service-account>]
  → GCP Service Account
    → Secret Manager, GCS, Artifact Registry, etc.
Key bindings provisioned by Terraform:
| Kubernetes Identity | GCP Role |
|---|---|
| sgp-system-manager (system-manager namespace) | secretmanager.viewer, secretmanager.secretAccessor |
| sgp-system-manager-pre-install | secretmanager.viewer, secretmanager.secretAccessor |
| egp-api-backend (egp namespace) | secretmanager.secretAccessor, GCS access via SA impersonation |
| egp-api-backend-db-setup | secretmanager.secretAccessor |
| agents (agents namespace) | secretmanager.secretAccessor |
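The binding is only as tight as the two halves that make it up: the KSA's iam.gke.io/gcp-service-account annotation and the roles/iam.workloadIdentityUser grant on the GCP service account. The check below audits both from the objects `kubectl get sa -o json` and `gcloud iam service-accounts get-iam-policy --format=json` return, and lists every other pod identity allowed to impersonate the GCP SA. It is an added example, not SGP's own code; the sample manifest and policy are constructed, and the project ID (demo-proj) and workspace ID (ws1) are assumptions.

```python
"""Audit one Workload Identity binding (KSA <-> GCP service account).

Added example, not SGP's own code. SAMPLE_* objects are constructed to
mirror what kubectl and gcloud return; project and workspace IDs are assumed.
"""
from typing import Dict, List

WI_ROLE = "roles/iam.workloadIdentityUser"
WI_ANNOTATION = "iam.gke.io/gcp-service-account"


def wi_member(project: str, namespace: str, ksa: str) -> str:
    """Principal GKE presents for a pod running as namespace/ksa."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


def audit_binding(project: str, ksa_manifest: Dict, gcp_sa_email: str,
                  policy: Dict) -> List[str]:
    """Return problems with the KSA annotation and the GCP SA's IAM policy."""
    problems = []
    meta = ksa_manifest["metadata"]
    ns, name = meta["namespace"], meta["name"]

    # Half 1: the KSA must point at exactly the GCP SA we expect.
    annotated = meta.get("annotations", {}).get(WI_ANNOTATION)
    if annotated != gcp_sa_email:
        problems.append(f"{ns}/{name}: {WI_ANNOTATION} is {annotated!r}, expected {gcp_sa_email!r}")

    # Half 2: the GCP SA must grant workloadIdentityUser to that KSA's principal.
    expected = wi_member(project, ns, name)
    wi_members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == WI_ROLE:
            wi_members.update(binding.get("members", []))
    if expected not in wi_members:
        problems.append(f"{gcp_sa_email}: no {WI_ROLE} binding for {expected}")

    # Any other workloadIdentityUser member is another pod identity that can
    # act as this GCP SA; surface them so an unexpected one is visible.
    for member in sorted(wi_members - {expected}):
        problems.append(f"{gcp_sa_email}: extra {WI_ROLE} member {member}")
    return problems


# Constructed samples (names follow the page's conventions; IDs are assumed).
SAMPLE_PROJECT = "demo-proj"
SAMPLE_GCP_SA = "sgp-ws1-sa@demo-proj.iam.gserviceaccount.com"
SAMPLE_KSA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "sgp-system-manager",
        "namespace": "system-manager",
        "annotations": {WI_ANNOTATION: SAMPLE_GCP_SA},
    },
}
SAMPLE_POLICY = {
    "bindings": [
        {"role": WI_ROLE,
         "members": [wi_member(SAMPLE_PROJECT, "system-manager", "sgp-system-manager")]},
    ],
    "etag": "BwX0constructed=",
    "version": 1,
}

if __name__ == "__main__":
    for line in audit_binding(SAMPLE_PROJECT, SAMPLE_KSA, SAMPLE_GCP_SA, SAMPLE_POLICY) or ["binding OK"]:
        print(line)
```

Run it for each row in the table above; the "extra member" lines are the ones worth reading after a namespace rename or a debugging session, since a leftover binding quietly keeps another workload's access to the SA alive.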

Secret Manager Secrets

Key secrets provisioned by Terraform:

| Secret Name | Contents |
|---|---|
| <prefix>-system-manager-config | System Manager runtime configuration (URLs, workspace ID, cloud provider info) |
| <prefix>-system-manager-desired-state | Initial desired state (pack list), managed externally after first apply |
| <prefix>-saml-config-secret | SAML IdP configuration |
| <prefix>-oidc-config-secret | OIDC IdP configuration |
| terraform-service-account-key-secret | Terraform SA private key (used by deployments/ as provider credentials) |

The secret_name_prefix variable (typically sgp-<workspace_id>) scopes secrets for deployments in shared GCP projects. Note that terraform-service-account-key-secret is not prefixed: in a shared project it is a single, project-wide secret whose accessors can run the deprivileged Terraform phase, so grant secretAccessor on it deliberately.

Customer Managed Encryption Keys (CMEK)

When useCustomerManagedEncryptionKey = true, Terraform provisions a Cloud KMS key ring and symmetric encryption key:
| Resource | Name |
|---|---|
| Key Ring | sgp-<workspace_id>-key-ring |
| Crypto Key | sgp-<workspace_id>-crypto-key |
The key is applied to:
  • Cloud SQL instances (both main and Temporal)
  • GCS buckets
CMEK is recommended for production deployments to maintain cryptographic control over data at rest.
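A policy check over `terraform show -json` output for the settings this section and the Data & Storage section promise: Cloud SQL instances with no public IP, a private_network (the VPC peering), ssl_mode ENCRYPTED_ONLY, and, when CMEK is on, encryption_key_name set on each instance and default_kms_key_name set on each bucket. This is an added example, not SGP's own code; the plan excerpt is constructed using the google provider's attribute names (nested blocks appear as lists in plan JSON), and the project, region and workspace IDs in it are assumptions. Running it in CI against every plan catches a drift in these settings before apply.

```python
"""Check `terraform show -json plan.out` output for private-only Cloud SQL,
enforced TLS and CMEK on SQL instances and GCS buckets.

Added example, not SGP's own code. SAMPLE_PLAN is constructed; IDs are assumed.
"""
import json
from typing import Dict, Iterator, List


def load_plan(path: str) -> Dict:
    with open(path) as fh:
        return json.load(fh)


def _resources(module: Dict) -> Iterator[Dict]:
    """Walk root module and nested child modules in plan order."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _resources(child)


def _first(blocks) -> Dict:
    """Plan JSON renders a nested block as a list; return its first entry or {}."""
    return blocks[0] if isinstance(blocks, list) and blocks else {}


def audit_plan(plan: Dict, require_cmek: bool) -> List[str]:
    problems = []
    for res in _resources(plan["planned_values"]["root_module"]):
        addr, rtype, vals = res["address"], res["type"], res.get("values", {})
        if rtype == "google_sql_database_instance":
            ipc = _first(_first(vals.get("settings")).get("ip_configuration"))
            if ipc.get("ipv4_enabled", True):  # provider default is a public IP
                problems.append(f"{addr}: public IPv4 enabled")
            if not ipc.get("private_network"):
                problems.append(f"{addr}: no private_network (VPC peering) configured")
            if ipc.get("ssl_mode") != "ENCRYPTED_ONLY":
                problems.append(f"{addr}: ssl_mode is {ipc.get('ssl_mode')!r}, expected 'ENCRYPTED_ONLY'")
            if require_cmek and not vals.get("encryption_key_name"):
                problems.append(f"{addr}: CMEK enabled but encryption_key_name is unset")
        elif rtype == "google_storage_bucket" and require_cmek:
            if not _first(vals.get("encryption")).get("default_kms_key_name"):
                problems.append(f"{addr}: CMEK enabled but no default_kms_key_name")
    return problems


# Constructed plan excerpt: the main instance and main bucket are compliant,
# the temporal instance allows unencrypted connections and has no CMEK, and the
# monitoring bucket has no KMS key.
KEY = "projects/demo-proj/locations/us-central1/keyRings/sgp-ws1-key-ring/cryptoKeys/sgp-ws1-crypto-key"
NET = "projects/demo-proj/global/networks/sgp-ws1-network"
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "google_storage_bucket.main", "type": "google_storage_bucket",
         "values": {"name": "sgp-ws1-main", "encryption": [{"default_kms_key_name": KEY}]}},
        {"address": "google_storage_bucket.monitoring", "type": "google_storage_bucket",
         "values": {"name": "sgp-ws1-monitoring", "encryption": []}},
    ],
    "child_modules": [{"address": "module.database", "resources": [
        {"address": "module.database.google_sql_database_instance.main",
         "type": "google_sql_database_instance",
         "values": {"database_version": "POSTGRES_17", "encryption_key_name": KEY,
                    "settings": [{"ip_configuration": [{"ipv4_enabled": False,
                                  "private_network": NET, "ssl_mode": "ENCRYPTED_ONLY"}]}]}},
        {"address": "module.database.google_sql_database_instance.temporal",
         "type": "google_sql_database_instance",
         "values": {"database_version": "POSTGRES_17",
                    "settings": [{"ip_configuration": [{"ipv4_enabled": False,
                                  "private_network": NET,
                                  "ssl_mode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"}]}]}},
    ]}],
}}}

if __name__ == "__main__":
    import sys
    plan = load_plan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLAN
    for line in audit_plan(plan, require_cmek=True) or ["plan OK"]:
        print(line)
```

Pass require_cmek according to useCustomerManagedEncryptionKey; with it off the bucket and encryption_key_name checks are skipped and only the connectivity and TLS findings remain.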

Optional Capabilities

Each optional capability provisions dedicated infrastructure:
| Capability | Variable | Additional Resources |
|---|---|---|
| Agentex | deployAgentex | Firestore, dedicated service account, GCS bucket |
| Compass | deployCompass | Cloud SQL database, GCS bucket, service account |
| Dex (Document Understanding) | enable_dex | Cloud SQL (db-custom-4-15360), GCS bucket, service account |
| Reducto | enable_reducto | Cloud SQL (db-custom-2-7680), GCS bucket, Vision API key, service account |
| Model Engine | deployModelEngine | Vertex AI, additional node pools |
| Monitoring | enable_monitoring | GCS bucket, IAM bindings |
| Cloud Build | enable_cloud_build | GCS bucket, Artifact Registry, service accounts |
| Vertex AI Search | vertex_ai_indices | Vector Search indices and endpoints |
| LiveKit | provision_livekit_infrastructure | GCS bucket (audio), IAM bindings |