Google Cloud
The Onehouse infrastructure deployment follows two steps:
- Onehouse Customer Stack — Deploys the IAM service accounts and permissions that allow Onehouse to operate the platform. Deployed using Terraform.
- Onehouse Kubernetes Deployment — Uses the service accounts provisioned in the Customer Stack to deploy the Onehouse dataplane GKE cluster. This starts automatically after step 1.
Step 1: Deploy the Customer Stack
In the Onehouse UI, click Link Cloud Provider and provide your GCP project ID, project number, VPC name, subnet name, and secondary range names for pods and services.
Set Up the Terraform Stack
Create a directory with the following structure:
my-terraform-project/
├── main.tf
└── backend.tf
backend.tf
note
To use a custom GCS bucket for Terraform state instead of onehouse-customer-bucket-<REQUEST_ID_PREFIX>, update the bucket field.
terraform {
  required_version = "1.11.0"
  required_providers {
    google = {
      version = "5.34.0"
    }
  }
  # Replace the ${...} placeholders with literal values before running:
  # a backend block cannot reference variables, locals or interpolation.
  backend "gcs" {
    bucket = "onehouse-customer-bucket-${REQUEST_ID_PREFIX}"
    prefix = "terraform/preboarding"
  }
}
provider "google" {
  project = "${PROJECT_ID}" # placeholder: the GCP project ID you entered in the UI
}
main.tf
Replace TERRAFORM_MODULE_VERSION with the module version to pin, and add the required variables listed in the table below:
module "customer-stack" {
  source  = "app.terraform.io/Onehouse/customer-stack/gcp"
  version = "${TERRAFORM_MODULE_VERSION}" # placeholder: pin an explicit module version
  # insert required variables here (see Terraform Variables)
}
Terraform Variables
| Variable | Description | Default |
|---|---|---|
| projectId | [Required] Your GCP project ID | |
| projectNumber | [Required] Your GCP project number. Run gcloud projects describe <PROJECT_ID> to retrieve. | |
| requestId | [Required] Your Onehouse request ID | |
| environment | [Required] Onehouse environment. Value: production | |
| gcsBucketNames | [Required] GCS bucket names for Onehouse access. onehouse-customer-bucket-<REQUEST_ID_PREFIX> is always included by default. | [] |
| gcsDataLoad | Enable to load existing data (JSON, CSV, Parquet) from GCS. Grants Pub/Sub permissions. | { enabled: false } |
| bigquerySync | Enable to sync to BigQuery | { enabled: false } |
| dataprocMetastoreSync | Enable to sync to Dataproc Metastore | { enabled: false } |
| secretManagerConfig.credentialsManagementType | OMS (Onehouse managed secrets) or BYOS (bring your own secret — recommended). BYOS secrets must be prefixed with onehouse-. | OMS |
| gsmp | Enable mounting Onehouse secrets directly from GCP Secret Manager | { enabled: false } |
| privateServiceConnect | Route all control plane traffic over Private Service Connect (stays on Google's network). Requires vpcName and subnetCidr. | { enabled: false } |
Run Terraform Stack
Authenticate to GCP (for example with gcloud auth application-default login, which the google provider picks up) and run:
terraform init --reconfigure
terraform plan
terraform apply
note
For a brand-new GCP project, enable the Cloud Resource Manager API first:
gcloud services enable cloudresourcemanager.googleapis.com --project=<PROJECT_ID>
Once Terraform completes, a service account key file onehouse-customer-core-sa-<REQUEST_ID_PREFIX>.json is created locally. Upload this file in the Onehouse UI to complete the linking step. The file is a long-lived credential for the Onehouse service account: keep it out of version control, restrict its permissions to your own user, and delete the local copy once the upload succeeds. If the module creates the key through Terraform, the private key material is also held in the Terraform state, so limit access to the state bucket accordingly.
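Before uploading the key, it is worth confirming that the file Terraform wrote is the key you expect and that nobody else on the machine can read it. The script below is an added example, not code from the Onehouse docs or the Terraform module: it parses the key file using the standard GCP service-account key fields (type, project_id, private_key_id, private_key, client_email), checks that the account lives in the project you linked, and tightens the file to owner-only permissions. The expectation that the account name starts with "onehouse" is an assumption taken from the key file name, and the embedded sample key is constructed with a dummy private key.

```python
"""Pre-upload checks for the service-account key file written by the Customer Stack.

Added example (not Onehouse code). Field names are the standard GCP
service-account key layout; the "onehouse" name prefix is an assumption.
"""
import json
import os
import stat
import sys

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")
EXPECTED_NAME_PREFIX = "onehouse"  # assumption: the SA id follows the key file name


def check_key_document(doc, project_id):
    """Return a list of problems with a parsed key JSON; an empty list means it looks right."""
    problems = [f"missing or empty field: {f}" for f in REQUIRED_FIELDS if not doc.get(f)]
    if problems:
        return problems
    if doc["type"] != "service_account":
        problems.append(f"unexpected key type {doc['type']!r}")
    if doc["project_id"] != project_id:
        problems.append(f"project_id {doc['project_id']!r} does not match {project_id!r}")
    name, _, domain = doc["client_email"].partition("@")
    if domain != f"{project_id}.iam.gserviceaccount.com":
        problems.append(f"client_email {doc['client_email']!r} is not a service account in {project_id!r}")
    if not name.startswith(EXPECTED_NAME_PREFIX):
        problems.append(f"service account name {name!r} does not start with {EXPECTED_NAME_PREFIX!r}")
    if not doc["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded private key")
    return problems


def mode_is_private(mode):
    """True when the permission bits grant nothing to group or other (e.g. 0o600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_key_file(path, project_id, tighten=True):
    """Check a key file on disk: lock down its permissions, then validate its contents."""
    problems = []
    if not mode_is_private(os.stat(path).st_mode):
        if tighten:
            os.chmod(path, 0o600)  # owner read/write only
        else:
            problems.append("file is readable by group or other")
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    return problems + check_key_document(doc, project_id)


# Constructed sample in the GCP key layout; the private key is a dummy string, not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMY-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "onehouse-customer-core-sa-ab12@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
}


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <key-file.json> <PROJECT_ID>", file=sys.stderr)
        return 2
    problems = check_key_file(argv[1], argv[2])
    for p in problems:
        print(f"PROBLEM: {p}", file=sys.stderr)
    if not problems:
        print(f"{argv[1]} looks right for project {argv[2]}; upload it, then delete this copy.")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_key.py onehouse-customer-core-sa-<REQUEST_ID_PREFIX>.json <PROJECT_ID>` from the directory where Terraform wrote the key; a non-zero exit means the file should not be uploaded until the reported problem is understood.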