Google Cloud
The Onehouse infrastructure deployment follows two steps:
- Onehouse Customer Stack — Deploys the IAM service accounts and permissions that allow Onehouse to operate the platform. Deployed using Terraform.
- Onehouse Kubernetes Deployment — Uses the service accounts provisioned in the Customer Stack to deploy the Onehouse dataplane GKE cluster. This starts automatically after step 1.
Step 1: Deploy the Customer Stack
In the Onehouse UI, click Link Cloud Provider and provide your GCP project ID, project number, VPC name, subnet name, and secondary range names for pods and services.
Set Up the Terraform Stack
Create a directory with the following structure:

```text
my-terraform-project/
├── main.tf
└── backend.tf
```
backend.tf

To use a custom GCS bucket for Terraform state instead of onehouse-customer-bucket-<REQUEST_ID_PREFIX>, update the bucket field. Substitute the REQUEST_ID_PREFIX and PROJECT_ID placeholders with literal values before running Terraform: a backend block cannot reference variables or interpolation, so the bucket name must be written out in full.

```hcl
terraform {
  required_version = "1.11.0"
  required_providers {
    google = {
      version = "5.34.0"
    }
  }
  backend "gcs" {
    bucket = "onehouse-customer-bucket-${REQUEST_ID_PREFIX}"
    prefix = "terraform/preboarding"
  }
}

provider "google" {
  project = "${PROJECT_ID}"
}
```
main.tf

Update TERRAFORM_MODULE_VERSION:

```hcl
module "customer-stack" {
  source  = "app.terraform.io/Onehouse/customer-stack/gcp"
  version = "${TERRAFORM_MODULE_VERSION}"
  # insert required variables here
}
```
The latest stable GCP customer stack version is 1.0.9. See the Changelog below for recent changes.
Terraform Variables
| Variable | Description | Default |
|---|---|---|
| projectId | [Required] Your GCP project ID | |
| projectNumber | [Required] Your GCP project number. Run gcloud projects describe <PROJECT_ID> to retrieve. | |
| requestId | [Required] Your Onehouse request ID | |
| environment | [Required] Onehouse environment. Value: production | |
| gcsBucketNames | [Required] GCS bucket names for Onehouse access. onehouse-customer-bucket-<REQUEST_ID_PREFIX> is always included by default. | [] |
| gcsDataLoad | Enable to load existing data (JSON, CSV, Parquet) from GCS. Grants Pub/Sub permissions. | { enabled: false } |
| bigquerySync | Enable to sync to BigQuery | { enabled: false } |
| dataprocMetastoreSync | Enable to sync to Dataproc Metastore | { enabled: false } |
| secretManagerConfig.credentialsManagementType | OMS (Onehouse managed secrets) or BYOS (bring your own secret — recommended). BYOS secrets must be prefixed with onehouse-. | OMS |
| gsmp | Enable mounting Onehouse secrets directly from GCP Secret Manager | { enabled: false } |
| privateServiceConnect | Route all control plane traffic over Private Service Connect (stays on Google's network). Requires vpcName and subnetCidr. | { enabled: false } |
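The following is an added example of a filled-in main.tf that wires the variables from the table above into the module block; it is not Onehouse's own code. All values (project ID, project number, request ID, bucket names, VPC name, subnet CIDR) are constructed placeholders, and the nested object shapes for the optional settings (for example `{ enabled = true }` and the placement of `vpcName` and `subnetCidr` inside `privateServiceConnect`) are assumptions inferred from the defaults shown in the table, so check them against the module's published inputs before applying.

```hcl
module "customer-stack" {
  source  = "app.terraform.io/Onehouse/customer-stack/gcp"
  version = "1.0.9" # pin to a specific release; bump and re-apply to upgrade

  # Required inputs (constructed placeholder values)
  projectId     = "my-gcp-project"
  projectNumber = "123456789012" # from: gcloud projects describe my-gcp-project
  requestId     = "REQUEST_ID_PLACEHOLDER"
  environment   = "production"

  # onehouse-customer-bucket-<REQUEST_ID_PREFIX> is always included by default,
  # so only additional buckets Onehouse should access are listed here.
  # Keep this list to the buckets the lakehouse actually needs (least privilege).
  gcsBucketNames = ["my-lakehouse-raw", "my-lakehouse-curated"]

  # Optional integrations; object shape assumed from the table defaults.
  gcsDataLoad           = { enabled = true }  # also grants Pub/Sub permissions
  bigquerySync          = { enabled = true }
  dataprocMetastoreSync = { enabled = false }

  # BYOS (recommended): you create the secrets yourself, named onehouse-*.
  # Nested attribute name assumed from the table's dotted variable name.
  secretManagerConfig = {
    credentialsManagementType = "BYOS"
  }
  gsmp = { enabled = true } # mount secrets directly from GCP Secret Manager

  # Keep control plane traffic on Google's network.
  # Placement of vpcName/subnetCidr inside this object is an assumption.
  privateServiceConnect = {
    enabled    = true
    vpcName    = "my-vpc"
    subnetCidr = "10.10.0.0/24"
  }
}
```

With a `module` block like this in place, `terraform plan` will surface any input whose name or type does not match the module's declared variables before anything is created, which is the point at which to reconcile the assumed shapes above with the real module interface.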
Run Terraform Stack
Authenticate and run:

```shell
terraform init -reconfigure
terraform plan
terraform apply
```
For a brand-new GCP project, enable the Cloud Resource Manager API first:

```shell
gcloud services enable cloudresourcemanager.googleapis.com --project=<PROJECT_ID>
```

Once Terraform completes, a service account key file onehouse-customer-core-sa-<REQUEST_ID_PREFIX>.json is created locally. Upload this file in the Onehouse UI to complete the linking step. The file is a long-lived credential for the core service account, so keep its file permissions restricted and remove the local copy once the upload has succeeded.
Step 2: Kubernetes Cluster Deployment
The Onehouse dataplane GKE cluster creation starts automatically after the service account key is uploaded. Once finished, the wizard closes and you will see one entry in Connections > Cloud Accounts.
This step takes approximately 20–30 minutes. If it fails, you can safely retry from the beginning or contact support.
Changelog
Recent GCP customer stack releases. Pin the version in your main.tf to a specific release; bump the version and re-run terraform apply to upgrade.
| Version | Highlights |
|---|---|
| 1.0.9 (current) | Switched to the GCP-managed roles/managedkafka.client role for Managed Kafka access and removed the now-redundant custom Kafka permissions from the node service account. |
| 1.0.8 | Added managedkafka operations and locations permissions to the GKE node service account. |
| 1.0.7 | Added schema registry, Kafka cluster, and workload identity permissions to the GKE node service account. |
| 1.0.6 | Role IDs now include a random hex suffix to avoid collisions when a stack is re-created. |
| 1.0.5 | Added Kafka ingestion permissions to the node service account. |