Chapter Two

The Google Provider, Projects & APIs

The GCP bootstrap every other chapter assumes: the provider, the project as the unit of everything, the APIs you must enable first, and the keyless ways to authenticate as you and as your pipeline.

7 topics

You cannot apply anything on Google Cloud without three things the AWS world barely thinks about: a project to own the resources, the right APIs enabled inside it, and credentials the provider can find. This chapter is that bootstrap, and it is the most GCP-native chapter in the course — most of it has no clean AWS analog at all.

It opens with the google provider and its google-beta twin, then plants the project as the unit of billing, quota, and IAM. From there it covers enabling APIs and the propagation race that bites everyone, and the three keyless authentication layers — Application Default Credentials, service-account impersonation, and Workload Identity Federation — that keep static keys off your disk and out of CI. It closes with version constraints and the lock file, so two engineers run identical provider behavior. The running example is the Hatch org, hatch.io, beginning to take shape.

Topics in This Chapter

Topic 08
The Google Provider: google vs google-beta
One provider configured per project/region context, and its google-beta twin for preview surface. How to run both in one config, the quota/billing project knob, and provider-wide default_labels.
ProvidersTooling
Topic 09
Projects, Regions, and Zones
The project as the fundamental unit of billing, quota, and IAM, and the geography around it. Why a GCP VPC is global but its subnets regional, and project id versus number.
Concept
Topic 10
Enabling APIs
Why every API is off by default, google_project_service and the for_each pattern, the enablement race condition and its fix, and the disable_on_destroy footgun in shared projects.
APIsConcept
Topic 11
Authentication and ADC
How the provider finds your identity through Application Default Credentials, why gcloud auth login is not the same as application-default login, and the ladder from key files to federation.
Auth
Topic 12
Service Account Impersonation
Borrowing a service account's permissions through short-lived tokens with no key file. The serviceAccountTokenCreator role that gates it, impersonation chains, and why this beats keys.
Auth
Topic 13
Workload Identity Federation
Keyless CI/CD: an external OIDC token exchanged for a short-lived GCP token. Pools and providers, the attribute condition that pins trust to one repo, and the workloadIdentityUser binding.
AuthCI/CD
Topic 14
Provider Versions and the Lock File
What makes a run reproducible: the pessimistic version constraint on the google provider, the .terraform.lock.hcl that pins exact versions and hashes, and how to upgrade deliberately.
Versioning