{"id":708,"date":"2026-04-15T02:52:24","date_gmt":"2026-04-15T02:52:24","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-infrastructure-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-infrastructure-as-code\/"},"modified":"2026-04-15T02:52:24","modified_gmt":"2026-04-15T02:52:24","slug":"google-cloud-infrastructure-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-infrastructure-as-code","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-infrastructure-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-infrastructure-as-code\/","title":{"rendered":"Google Cloud Infrastructure Manager Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Infrastructure as code"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Infrastructure as code<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Infrastructure Manager is Google Cloud\u2019s managed Infrastructure as code<\/strong> service for provisioning and managing Google Cloud resources using Terraform<\/strong> configurations. It provides a Google-managed way to run Terraform \u201cplan\/apply\/destroy\u201d-style workflows as a cloud service, with Google Cloud IAM, logging, and governance wrapped around the deployment lifecycle.<\/p>\n\n\n\n

In simple terms: you write Terraform, store it in a supported source (for example, a Cloud Storage bucket or a Git repository, depending on what your organization standardizes on), and Infrastructure Manager creates and updates your Google Cloud infrastructure in a controlled, auditable way\u2014without you having to run Terraform from a laptop or maintain your own state backend tooling.<\/p>\n\n\n\n

Technically, Infrastructure Manager is a Google Cloud API and control plane that orchestrates Terraform operations against Google Cloud APIs using an execution identity (service account) you choose. It keeps track of deployments, revisions\/operations, and surfaces status and logs via Google Cloud\u2019s operational tooling. This makes Terraform-based provisioning more consistent across teams, especially in regulated environments where you want stronger auditability and least-privilege execution.<\/p>\n\n\n\n

The core problem it solves is the operational friction of running Terraform at scale: coordinating state, permissions, audit logs, repeatable deployments, and consistent execution environments\u2014while integrating tightly with Google Cloud IAM and governance.<\/p>\n\n\n\n

\n

Note on naming and legacy services: Google Cloud historically offered Deployment Manager<\/strong> (a separate, older Infrastructure as code product). Many teams consider Infrastructure Manager the modern, Terraform-aligned approach. Always verify current product lifecycle status and guidance in official docs:\nhttps:\/\/cloud.google.com\/infrastructure-manager\/docs<\/p>\n<\/blockquote>\n\n\n\n

2. What is Infrastructure Manager?<\/h2>\n\n\n\n

Infrastructure Manager is a Google Cloud service whose official purpose is to deploy and manage Google Cloud infrastructure using Terraform configurations<\/strong>, as a managed service.<\/p>\n\n\n\n

Official purpose (what it\u2019s for)<\/h3>\n\n\n\n
    \n
  • Run Terraform-based infrastructure provisioning as a managed Google Cloud service.<\/li>\n
  • Standardize and audit how infrastructure changes are planned and applied.<\/li>\n
  • Use Google Cloud IAM and service accounts to control who can change infrastructure and what the deployment engine is allowed to do.<\/li>\n<\/ul>\n\n\n\n

    Core capabilities (high level)<\/h3>\n\n\n\n
      \n
    • Create and manage deployments<\/strong> from Terraform configuration sources.<\/li>\n
    • Apply updates by creating new revisions\/operations<\/strong> (terminology can vary\u2014verify exact resource model in docs).<\/li>\n
    • Use an execution service account<\/strong> to perform changes in a controlled, least-privilege way.<\/li>\n
    • Integrate with Google Cloud Logging<\/strong> and Audit Logs<\/strong> for visibility.<\/li>\n<\/ul>\n\n\n\n

      Major components (conceptual)<\/h3>\n\n\n\n
        \n
      • Deployment<\/strong>: A managed \u201cstack\u201d of infrastructure defined by Terraform.<\/li>\n
      • Source<\/strong>: Where Terraform configuration is retrieved from (commonly Cloud Storage; other sources may be supported\u2014verify in official docs).<\/li>\n
      • Execution identity<\/strong>: A service account used by Infrastructure Manager to call Google Cloud APIs via Terraform providers.<\/li>\n
      • Operations\/Revisions<\/strong>: The actions that run (plan\/apply\/delete), their status, and their logs.<\/li>\n<\/ul>\n\n\n\n

        Service type<\/h3>\n\n\n\n
          \n
        • Managed control-plane service (Google Cloud API) that orchestrates Terraform executions.<\/li>\n<\/ul>\n\n\n\n

          Scope (how it\u2019s organized)<\/h3>\n\n\n\n

          Infrastructure Manager resources are typically:\n– Project-scoped<\/strong> (you create deployments in a Google Cloud project).\n– Location-scoped<\/strong> (many Google Cloud control-plane services require a \u201clocation\u201d like a region; Infrastructure Manager commonly uses a location field).\n Verify exact location behavior and supported locations here:\n https:\/\/cloud.google.com\/infrastructure-manager\/docs<\/p>\n\n\n\n

          How it fits into the Google Cloud ecosystem<\/h3>\n\n\n\n

          Infrastructure Manager sits in the provisioning layer:\n– It uses Terraform to call Google Cloud APIs<\/strong> (Compute Engine, Cloud Storage, IAM, VPC, GKE, etc.).\n– It leverages IAM<\/strong> for authorization and Cloud Audit Logs<\/strong> for governance.\n– It complements CI\/CD (Cloud Build, GitHub Actions, GitLab CI) by providing a managed execution target for Terraform-based deployments, rather than relying on ad-hoc runners.<\/p>\n\n\n\n

          3. Why use Infrastructure Manager?<\/h2>\n\n\n\n

          Business reasons<\/h3>\n\n\n\n
            \n
          • Standardization<\/strong>: Consistent, repeatable provisioning across teams and environments.<\/li>\n
          • Audit readiness<\/strong>: Centralized record of changes, who initiated them, and what was changed.<\/li>\n
          • Reduced tool sprawl<\/strong>: Less reliance on bespoke Terraform runners, scripts, and manual state handling.<\/li>\n<\/ul>\n\n\n\n

            Technical reasons<\/h3>\n\n\n\n
              \n
            • Managed Terraform execution<\/strong>: Avoid \u201cworks on my machine\u201d differences in Terraform runtime environments.<\/li>\n
            • Clear deployment lifecycle<\/strong>: Track deployments and apply changes as managed operations.<\/li>\n
            • Separation of duties<\/strong>: Developers can propose changes; a controlled system identity applies them.<\/li>\n<\/ul>\n\n\n\n

              Operational reasons<\/h3>\n\n\n\n
                \n
              • Operational visibility<\/strong>: Easier to locate logs and diagnose failed runs compared to Terraform on a laptop.<\/li>\n
              • Repeatability<\/strong>: Same workflow for dev\/test\/prod with parameterization and consistent policies.<\/li>\n
              • Safer day-2 changes<\/strong>: Updates are applied as explicit, logged operations.<\/li>\n<\/ul>\n\n\n\n

                Security\/compliance reasons<\/h3>\n\n\n\n
                  \n
                • Least privilege<\/strong>: Use a dedicated execution service account with only the roles needed for the resources in a deployment.<\/li>\n
                • Central IAM control<\/strong>: Control who can create\/update deployments vs who can approve or run them (depending on how you structure IAM and process).<\/li>\n
                • Audit logs<\/strong>: Integrates with Google Cloud auditability patterns.<\/li>\n<\/ul>\n\n\n\n

                  Scalability\/performance reasons<\/h3>\n\n\n\n
                    \n
                  • Team scaling<\/strong>: A platform team can offer Infrastructure Manager as a paved road for Terraform-based provisioning.<\/li>\n
                  • Environment scaling<\/strong>: Standard modules and deployments can be rolled out across many projects.<\/li>\n<\/ul>\n\n\n\n

                    When teams should choose it<\/h3>\n\n\n\n

                    Choose Infrastructure Manager when:\n– You are standardizing Terraform for Google Cloud.\n– You want managed execution, consistent identity, and auditable deployment operations.\n– You\u2019re building a platform engineering model with guardrails and repeatable patterns.<\/p>\n\n\n\n

                    When teams should not choose it<\/h3>\n\n\n\n

                    Consider alternatives when:\n– You need Terraform features or workflows not supported by Infrastructure Manager\u2019s current integration model (for example, specific backends, custom plugins, or niche provider behaviors\u2014verify current support).\n– Your organization is already heavily invested in a mature Terraform platform (Terraform Cloud\/Enterprise, self-managed runners with strict controls) and Infrastructure Manager doesn\u2019t add enough value.\n– You require cross-cloud provisioning where the primary control plane must remain outside Google Cloud (Infrastructure Manager is Google Cloud\u2013centric).<\/p>\n\n\n\n

                    4. Where is Infrastructure Manager used?<\/h2>\n\n\n\n

                    Industries<\/h3>\n\n\n\n
                      \n
                    • Financial services and insurance (strong audit and change controls)<\/li>\n
                    • Healthcare and life sciences (compliance and traceability)<\/li>\n
                    • Public sector (governance, least privilege)<\/li>\n
                    • SaaS and tech companies (repeatable environments, multi-project setups)<\/li>\n
                    • Retail and media (fast environment provisioning for campaigns and scaling)<\/li>\n<\/ul>\n\n\n\n

                      Team types<\/h3>\n\n\n\n
                        \n
                      • Platform engineering teams providing \u201cgolden paths\u201d<\/li>\n
                      • DevOps\/SRE teams standardizing infrastructure workflows<\/li>\n
                      • Security engineering teams requiring controlled provisioning identities<\/li>\n
                      • Application teams that need reliable environment creation<\/li>\n<\/ul>\n\n\n\n

                        Workloads<\/h3>\n\n\n\n
                          \n
                        • Networking foundations (VPC, subnets, firewall rules, Cloud NAT\u2014note: NAT has cost)<\/li>\n
                        • Identity foundations (service accounts, IAM bindings)<\/li>\n
                        • Storage (Cloud Storage buckets, IAM policies)<\/li>\n
                        • Compute and runtime (Compute Engine, GKE, Cloud Run\u2014runtime costs apply)<\/li>\n
                        • Data platforms (BigQuery datasets, Pub\/Sub topics\u2014service-specific costs apply)<\/li>\n<\/ul>\n\n\n\n

                          Architectures and contexts<\/h3>\n\n\n\n
                            \n
                          • Multi-project landing zones (shared VPC, centralized logging, security projects)<\/li>\n
                          • Environment-per-branch or environment-per-tenant patterns (with careful quota\/cost controls)<\/li>\n
                          • Standard \u201cblueprints\u201d for product teams<\/li>\n<\/ul>\n\n\n\n

                            Production vs dev\/test usage<\/h3>\n\n\n\n
                              \n
                            • Dev\/test<\/strong>: Use Infrastructure Manager to spin up consistent environments quickly with tight cleanup.<\/li>\n
                            • Production<\/strong>: Use it to enforce repeatable, reviewed changes and strong audit trails, typically with promotion workflows (e.g., apply to dev \u2192 stage \u2192 prod using the same module and different variables).<\/li>\n<\/ul>\n\n\n\n

                              5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                              Below are realistic scenarios where Infrastructure Manager fits well.<\/p>\n\n\n\n

                              1) Project bootstrap (baseline resources)<\/h3>\n\n\n\n
                                \n
                              • Problem<\/strong>: Every new Google Cloud project needs consistent baseline configuration.<\/li>\n
                              • Why it fits<\/strong>: Terraform modules can define baseline IAM, logging sinks, buckets, and network scaffolding.<\/li>\n
                              • Example<\/strong>: Create a \u201cproject baseline\u201d deployment that sets labels, creates a logs bucket\/sink, and configures foundational IAM bindings.<\/li>\n<\/ul>\n\n\n\n

                                2) Standard VPC and subnet provisioning<\/h3>\n\n\n\n
                                  \n
                                • Problem<\/strong>: VPC and subnet creation is error-prone when done manually.<\/li>\n
                                • Why it fits<\/strong>: Terraform code expresses network topology as versioned code.<\/li>\n
                                • Example<\/strong>: A platform team publishes a module that creates a VPC, subnets per region, and firewall rules; app teams consume it via Infrastructure Manager.<\/li>\n<\/ul>\n\n\n\n

                                  3) Repeatable Cloud Storage bucket patterns<\/h3>\n\n\n\n
                                    \n
                                  • Problem<\/strong>: Teams need buckets with consistent settings (uniform access, retention policies, labels).<\/li>\n
                                  • Why it fits<\/strong>: Terraform modules enforce consistent bucket policy patterns.<\/li>\n
                                  • Example<\/strong>: Provision per-team buckets with uniform bucket-level access and standardized IAM bindings.<\/li>\n<\/ul>\n\n\n\n

                                    4) IAM service accounts and role bindings<\/h3>\n\n\n\n
                                      \n
                                    • Problem<\/strong>: Least-privilege IAM setup is complex and often inconsistent.<\/li>\n
                                    • Why it fits<\/strong>: Terraform expresses IAM as code, enabling reviews and change tracking.<\/li>\n
                                    • Example<\/strong>: Create service accounts for workloads and bind specific roles to specific resource scopes.<\/li>\n<\/ul>\n\n\n\n

                                      5) Shared services in a hub-and-spoke org<\/h3>\n\n\n\n
                                        \n
                                      • Problem<\/strong>: Many projects need shared services (DNS, artifact repos, logging).<\/li>\n
                                      • Why it fits<\/strong>: Central deployments can provision and manage shared resources.<\/li>\n
                                      • Example<\/strong>: A \u201cshared-services\u201d deployment manages Artifact Registry repositories and organization-wide logging exports.<\/li>\n<\/ul>\n\n\n\n

                                        6) Environment provisioning for app teams (dev\/stage\/prod)<\/h3>\n\n\n\n
                                          \n
                                        • Problem<\/strong>: App teams need consistent infra across environments.<\/li>\n
                                        • Why it fits<\/strong>: Same Terraform module with different variables per environment.<\/li>\n
                                        • Example<\/strong>: One module creates a Cloud Run service, service account, and IAM; separate Infrastructure Manager deployments exist per environment.<\/li>\n<\/ul>\n\n\n\n

                                          7) Disaster recovery (DR) infrastructure setup<\/h3>\n\n\n\n
                                            \n
                                          • Problem<\/strong>: DR environments are often out of sync with production.<\/li>\n
                                          • Why it fits<\/strong>: Terraform ensures DR resources exist and match desired configuration.<\/li>\n
                                          • Example<\/strong>: A deployment provisions standby networking, minimal compute, and storage replication settings (service-specific).<\/li>\n<\/ul>\n\n\n\n

                                            8) Security baseline enforcement<\/h3>\n\n\n\n
                                              \n
                                            • Problem<\/strong>: Teams forget baseline controls (audit sinks, labels, logging).<\/li>\n
                                            • Why it fits<\/strong>: Infrastructure Manager deployments can serve as \u201cenforced baseline\u201d code.<\/li>\n
                                            • Example<\/strong>: A security deployment ensures required labels exist and logging export sinks are configured.<\/li>\n<\/ul>\n\n\n\n

                                              9) Multi-project rollout of standard modules<\/h3>\n\n\n\n
                                                \n
                                              • Problem<\/strong>: Rolling out changes to dozens of projects is difficult.<\/li>\n
                                              • Why it fits<\/strong>: Reuse modules with consistent variables and controlled execution.<\/li>\n
                                              • Example<\/strong>: A central pipeline triggers Infrastructure Manager applies across multiple projects with project-specific parameters.<\/li>\n<\/ul>\n\n\n\n

                                                10) Migration from manual provisioning to IaC<\/h3>\n\n\n\n
                                                  \n
                                                • Problem<\/strong>: Existing resources are unmanaged; changes are risky.<\/li>\n
                                                • Why it fits<\/strong>: Infrastructure Manager provides a managed workflow to adopt Terraform.\nCaveat<\/strong>: Terraform import workflows may require careful handling\u2014verify Infrastructure Manager\u2019s import support in official docs.<\/li>\n
                                                • Example<\/strong>: Start with a new baseline module for new resources, then progressively import and manage existing ones.<\/li>\n<\/ul>\n\n\n\n

                                                  11) Compliance evidence generation<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem<\/strong>: Auditors need proof of controlled change management.<\/li>\n
                                                  • Why it fits<\/strong>: Operations, logs, and deployment history provide evidence trails.<\/li>\n
                                                  • Example<\/strong>: Produce evidence of who triggered an apply, which service account executed it, and the resulting changes.<\/li>\n<\/ul>\n\n\n\n

                                                    12) Internal platform \u201ccatalog\u201d of blueprints<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem<\/strong>: Teams build custom stacks inconsistently.<\/li>\n
                                                    • Why it fits<\/strong>: Offer a small set of blessed Terraform blueprints and deploy them through Infrastructure Manager.<\/li>\n
                                                    • Example<\/strong>: A \u201cGKE standard cluster\u201d blueprint and \u201cCloud Run standard service\u201d blueprint.<\/li>\n<\/ul>\n\n\n\n

                                                      6. Core Features<\/h2>\n\n\n\n
                                                      \n

                                                      Feature availability can change (GA vs preview, region availability, source integrations). Verify the latest in official docs:\nhttps:\/\/cloud.google.com\/infrastructure-manager\/docs<\/p>\n<\/blockquote>\n\n\n\n

                                                      Managed Terraform deployments (deployments and lifecycle)<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does<\/strong>: Lets you define deployments that map to Terraform configurations and manage their lifecycle through Google Cloud.<\/li>\n
                                                      • Why it matters<\/strong>: Brings Terraform into a managed, consistent operational model.<\/li>\n
                                                      • Practical benefit<\/strong>: Less drift in how teams run Terraform; fewer \u201csnowflake\u201d workflows.<\/li>\n
                                                      • Caveat<\/strong>: Terraform feature parity depends on the service\u2019s supported workflow (sources, providers, backends). Verify supported Terraform versions and provider behavior.<\/li>\n<\/ul>\n\n\n\n

                                                        Controlled execution identity (service account execution)<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does<\/strong>: Runs provisioning using a designated service account.<\/li>\n
                                                        • Why it matters<\/strong>: Strong security boundary between who requests a deployment and what permissions the deployment engine has.<\/li>\n
                                                        • Practical benefit<\/strong>: Implement least privilege and separation of duties.<\/li>\n
                                                        • Caveat<\/strong>: Misconfigured IAM is the #1 cause of failed applies.<\/li>\n<\/ul>\n\n\n\n

                                                          Integration with IAM and policy controls<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does<\/strong>: Uses Google Cloud IAM for access to create\/update deployments and to control execution permissions.<\/li>\n
                                                          • Why it matters<\/strong>: Central governance, consistent with the rest of Google Cloud.<\/li>\n
                                                          • Practical benefit<\/strong>: Use IAM roles and organization policies to reduce risk.<\/li>\n
                                                          • Caveat<\/strong>: Organization Policy constraints can block resource creation; failures may look like Terraform errors but are policy-related.<\/li>\n<\/ul>\n\n\n\n

                                                            Operational visibility (logs, status, auditability)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does<\/strong>: Surfaces deployment operations status and logs through Google Cloud operational tooling.<\/li>\n
                                                            • Why it matters<\/strong>: Makes troubleshooting and audits easier than scattered local Terraform logs.<\/li>\n
                                                            • Practical benefit<\/strong>: Centralized observability; easier incident response.<\/li>\n
                                                            • Caveat<\/strong>: Log content can contain sensitive resource identifiers; apply log access controls.<\/li>\n<\/ul>\n\n\n\n

                                                              Source-based configuration (repeatable inputs)<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does<\/strong>: Points deployments at a defined source for Terraform configuration.<\/li>\n
                                                              • Why it matters<\/strong>: Reproducibility\u2014same source + same variables produces the same desired state.<\/li>\n
                                                              • Practical benefit<\/strong>: Promotes GitOps-style workflows and code review.<\/li>\n
                                                              • Caveat<\/strong>: Ensure source integrity and access controls; avoid embedding secrets in Terraform code.<\/li>\n<\/ul>\n\n\n\n

                                                                Revisioned changes (history of applies)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does<\/strong>: Tracks successive updates as operations\/revisions.<\/li>\n
                                                                • Why it matters<\/strong>: You can see what changed and when.<\/li>\n
                                                                • Practical benefit<\/strong>: Easier rollback decision-making and forensic analysis.<\/li>\n
                                                                • Caveat<\/strong>: Rollback is not always automatic; \u201crollback\u201d in Terraform is typically applying a prior configuration version, not an instant revert.<\/li>\n<\/ul>\n\n\n\n

                                                                  API-first and CLI support<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does<\/strong>: Manage deployments via API\/CLI (and Console).<\/li>\n
                                                                  • Why it matters<\/strong>: Enables CI\/CD automation and repeatable operational runbooks.<\/li>\n
                                                                  • Practical benefit<\/strong>: Integrate into pipelines and platform tooling.<\/li>\n
                                                                  • Caveat<\/strong>: CLI command groups and flags can change; always check gcloud<\/code> reference for your installed version.<\/li>\n<\/ul>\n\n\n\n

                                                                    7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                    High-level service architecture<\/h3>\n\n\n\n

                                                                    At a high level:\n1. You store Terraform configuration in an approved source.\n2. You create an Infrastructure Manager deployment referencing that source and specifying an execution service account.\n3. Infrastructure Manager runs Terraform operations (plan\/apply\/update\/delete) using Google-managed orchestration.\n4. Terraform provider calls Google Cloud resource APIs to create\/update\/delete resources.\n5. Logs and operation results are accessible through Google Cloud Logging and the Infrastructure Manager API.<\/p>\n\n\n\n

                                                                    Control flow (request\/data\/control planes)<\/h3>\n\n\n\n
                                                                      \n
                                                                    • Control plane<\/strong>: Infrastructure Manager API (create deployment, trigger apply, view status).<\/li>\n
                                                                    • Execution plane<\/strong>: Managed Terraform runner invoked by the service (details abstracted).<\/li>\n
                                                                    • Data plane<\/strong>: The resources you provision (VPCs, buckets, clusters, etc.), plus any source artifacts and state storage mechanisms (implementation details vary; verify how Infrastructure Manager stores\/handles state in your chosen workflow).<\/li>\n<\/ul>\n\n\n\n

                                                                      Integrations with related services<\/h3>\n\n\n\n

                                                                      Common integrations (depending on your organization\u2019s workflow):\n– IAM<\/strong>: for controlling who can administer deployments and what the execution identity can do.\n– Cloud Storage<\/strong>: often used for storing Terraform configuration packages (and sometimes state in Terraform workflows; verify Infrastructure Manager\u2019s state handling).\n– Cloud Logging & Cloud Audit Logs<\/strong>: for operational logs and audit records.\n– Cloud Build \/ CI systems<\/strong>: for triggering deployment updates and promoting changes across environments.<\/p>\n\n\n\n

                                                                      Dependency services<\/h3>\n\n\n\n
                                                                        \n
                                                                      • Google Cloud APIs for the resources Terraform will manage (e.g., compute.googleapis.com<\/code>, storage.googleapis.com<\/code>).<\/li>\n
                                                                      • Identity APIs (IAM) and Resource Manager APIs for permissions and project metadata.<\/li>\n<\/ul>\n\n\n\n

                                                                        Security\/authentication model<\/h3>\n\n\n\n
                                                                          \n
                                                                        • Caller authentication<\/strong>: Users or CI systems authenticate to Google Cloud (OAuth, workload identity federation, etc.) and call Infrastructure Manager API.<\/li>\n
                                                                        • Authorization<\/strong>: IAM roles on the project and on Infrastructure Manager resources (deployments).<\/li>\n
                                                                        • Execution<\/strong>: Infrastructure Manager uses the specified service account (execution identity) to run Terraform provider calls to resource APIs.<\/li>\n<\/ul>\n\n\n\n

                                                                          Networking model<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Infrastructure Manager is a control-plane service. The resources it creates can be in your VPCs and subnets as defined by Terraform.<\/li>\n
                                                                          • If your Terraform configuration creates private resources, ensure required networking (subnets, routes, NAT) exists and is modeled in code.<\/li>\n<\/ul>\n\n\n\n

                                                                            Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Use Cloud Audit Logs<\/strong> to see who triggered changes.<\/li>\n
                                                                            • Use Cloud Logging<\/strong> for operation logs; consider log retention and access.<\/li>\n
                                                                            • Apply labels<\/strong> and consistent naming through Terraform to support cost allocation and governance.<\/li>\n<\/ul>\n\n\n\n

                                                                              Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                              flowchart LR\n  Dev[Engineer \/ CI Pipeline] -->|API\/CLI| IM[Infrastructure Manager API]\n  IM -->|runs Terraform| TF[Managed Terraform Execution]\n  TF -->|calls| GCP[Google Cloud Resource APIs]\n  GCP --> RES[Created Resources\\n(VPC, Buckets, IAM, etc.)]\n  IM --> LOGS[Cloud Logging \/ Audit Logs]\n<\/code><\/pre>\n\n\n\n
                                                                              Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                              flowchart TB\n  subgraph CI[CI\/CD]\n    PR[Pull Request + Code Review]\n    PIPE[Pipeline (Cloud Build \/ GitHub Actions)]\n  end\n\n  subgraph SRC[Source Control]\n    GIT[Git Repository\\nTerraform Modules]\n    REL[Version Tags \/ Releases]\n  end\n\n  subgraph GOV[Governance]\n    IAM[IAM (Least Privilege)]\n    ORG[Org Policies]\n    AUD[Cloud Audit Logs]\n    LOG[Cloud Logging]\n  end\n\n  subgraph IMPL[Provisioning]\n    IM[Infrastructure Manager\\nDeployments per env\/location]\n    SA[Execution Service Account]\n  end\n\n  subgraph ENVS[Google Cloud Environments]\n    DEV[Dev Project]\n    STG[Stage Project]\n    PRD[Prod Project]\n  end\n\n  PR --> PIPE -->|promote| IM\n  GIT --> REL --> IM\n  IM -->|uses| SA\n  SA -->|Terraform provider calls| DEV\n  SA -->|Terraform provider calls| STG\n  SA -->|Terraform provider calls| PRD\n\n  IAM --> IM\n  ORG --> IM\n  IM --> AUD\n  IM --> LOG\n<\/code><\/pre>\n\n\n\n
                                                                              8. Prerequisites<\/h2>\n\n\n\n
                                                                              Account\/project requirements<\/h3>\n\n\n\n
                                                                                \n
                                                                              • A Google Cloud account and at least one Google Cloud project<\/strong>.<\/li>\n
                                                                              • Billing enabled<\/strong> on the project (some resources you might provision incur costs).<\/li>\n<\/ul>\n\n\n\n
                                                                                Permissions\/IAM roles<\/h3>\n\n\n\n
                                                                                You need two permission sets:\n1. Permissions to manage Infrastructure Manager deployments<\/strong> (admin\/operator roles for the service).\n2. Permissions for the execution service account<\/strong> that will create\/update resources.<\/p>\n\n\n\n
                                                                                Because IAM roles evolve, verify current required roles in official docs. Start here:\nhttps:\/\/cloud.google.com\/infrastructure-manager\/docs<\/p>\n\n\n\n
                                                                                Practical minimum for the lab in this tutorial (creating a Cloud Storage bucket via Terraform):\n– Your user: permissions to create service accounts, grant IAM roles, create storage buckets for source, and manage Infrastructure Manager deployments.\n– Execution service account: permissions to create and manage the target resources (e.g., roles\/storage.admin<\/code> for bucket creation). Prefer narrower roles in real environments.<\/p>\n\n\n\n
                                                                                Billing requirements<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Infrastructure provisioning may create billable resources (Compute, NAT, GKE nodes, etc.).<\/li>\n
                                                                                • The lab below uses Cloud Storage, which can be very low-cost but not always free (storage and operations pricing applies).<\/li>\n<\/ul>\n\n\n\n
                                                                                  CLI\/SDK\/tools needed<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Cloud Shell<\/strong> (recommended) or local machine with:<\/li>\n
                                                                                  • gcloud<\/code> CLI installed and authenticated<\/li>\n
                                                                                  • gsutil<\/code> available (included with Cloud SDK)<\/li>\n
                                                                                  • Optional: Git client (if you use Git-based sources in your workflow).<\/li>\n<\/ul>\n\n\n\n
                                                                                    Region availability<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Infrastructure Manager uses a location<\/strong> value for deployments in many cases. Supported locations can change.<\/li>\n
                                                                                    • Verify supported locations in docs before standardizing:\n  https:\/\/cloud.google.com\/infrastructure-manager\/docs<\/li>\n<\/ul>\n\n\n\n
                                                                                      Quotas\/limits<\/h3>\n\n\n\n
                                                                                      Potential quota\/limit areas:\n– Infrastructure Manager API quotas (requests, concurrent operations).\n– Terraform-managed resource quotas (e.g., Compute Engine CPUs, IP addresses).\n– Cloud Storage bucket limits and naming constraints (global namespace).<\/p>\n\n\n\n
                                                                                      Always check:\n– Service quotas: https:\/\/cloud.google.com\/docs\/quota\n– Product-specific quotas for resources you deploy.<\/p>\n\n\n\n
                                                                                      Prerequisite services\/APIs<\/h3>\n\n\n\n
                                                                                      You must enable:\n– Infrastructure Manager API (exact API service name can vary; enable it from the Console if unsure).\n– APIs for the resources you provision (e.g., Cloud Storage API).<\/p>\n\n\n\n
                                                                                      9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                      Pricing model (what you pay for)<\/h3>\n\n\n\n
                                                                                      Pricing for Infrastructure Manager can be nuanced because:\n– Some managed control-plane services have no direct cost<\/strong> and you pay only for the resources created.\n– Some services add charges for operations\/executions, storage, or requests.<\/p>\n\n\n\n
                                                                                      To avoid guessing, verify the current pricing model directly in official sources:\n– Infrastructure Manager docs: https:\/\/cloud.google.com\/infrastructure-manager\/docs\n– Google Cloud Pricing: https:\/\/cloud.google.com\/pricing\n– Pricing Calculator: https:\/\/cloud.google.com\/products\/calculator<\/p>\n\n\n\n
                                                                                      If Google provides a dedicated pricing page for Infrastructure Manager in your region\/edition, use that as the primary reference (search within official Google Cloud pricing pages).<\/p>\n\n\n\n
                                                                                      Typical pricing dimensions (what drives cost)<\/h3>\n\n\n\n
                                                                                      Even if Infrastructure Manager itself has minimal direct charges, your total cost is driven by:<\/p>\n\n\n\n
                                                                                        \n
                                                                                      1. \n
                                                                                        Resources provisioned by Terraform<\/strong>\n   – Compute Engine VMs, disks, load balancers\n   – Cloud NAT, VPN, Interconnect\n   – GKE clusters and node pools\n   – BigQuery, Pub\/Sub, Cloud SQL, etc.<\/p>\n<\/li>\n
                                                                                      2. \n
                                                                                        Cloud Storage<\/strong>\n   – If you store Terraform configuration bundles or artifacts in Cloud Storage.\n   – Storage capacity, operations, and network egress (if applicable).<\/p>\n<\/li>\n
                                                                                      3. \n
                                                                                        Logging<\/strong>\n   – Cloud Logging ingestion and retention can generate cost at scale (especially verbose deployment logs).<\/p>\n<\/li>\n
                                                                                      4. \n
                                                                                        Networking \/ data transfer<\/strong>\n   – Cross-region egress, NAT usage, load balancer traffic, etc.\n   – Terraform itself doesn\u2019t transfer much data, but the deployed architecture might.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                        Free tier (if applicable)<\/h3>\n\n\n\n
                                                                                        Cloud Storage and other services have their own free tiers\/always-free usage in some cases, but coverage varies by region and product. Verify current free tier rules:\n– https:\/\/cloud.google.com\/free<\/p>\n\n\n\n
                                                                                        Hidden\/indirect costs to watch<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Cloud NAT<\/strong> is often created in \u201cprivate\u201d architectures and can become a surprise cost driver.<\/li>\n
                                                                                        • Load balancers<\/strong> and public IPs<\/strong> can add fixed and variable charges.<\/li>\n
                                                                                        • Logging volume<\/strong> from frequent applies across many projects can add up.<\/li>\n
                                                                                        • CI\/CD<\/strong> runners and artifact storage costs (if you implement pipelines around Infrastructure Manager).<\/li>\n<\/ul>\n\n\n\n
                                                                                          Cost optimization tips<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Prefer low-cost resources<\/strong> in dev\/test; turn off or destroy after use.<\/li>\n
                                                                                          • Use labels<\/strong> (cost allocation) on all resources through Terraform.<\/li>\n
                                                                                          • Use separate projects per environment to isolate blast radius and cost accounting.<\/li>\n
                                                                                          • Avoid creating expensive always-on resources in tutorials (large VMs, NAT, large clusters).<\/li>\n
                                                                                          • Set log retention and sinks thoughtfully; don\u2019t export everything indefinitely.<\/li>\n<\/ul>\n\n\n\n
                                                                                            Example low-cost starter estimate (qualitative)<\/h3>\n\n\n\n
                                                                                            A starter deployment that only creates:\n– One Cloud Storage bucket\n– A few IAM bindings and service accounts\n\u2026typically incurs minimal cost, largely tied to Cloud Storage usage and operations. Exact cost depends on region, storage class, and request volume\u2014verify in the Cloud Storage pricing page.<\/p>\n\n\n\n
                                                                                            Example production cost considerations<\/h3>\n\n\n\n
                                                                                            In production, Infrastructure Manager often manages:\n– VPC + NAT + load balancers + GKE\/Compute\nThe bulk of cost is almost always in:\n– Compute runtime (nodes\/VMs)\n– Network egress \/ load balancing\n– Logging volume\nInfrastructure Manager becomes an enabler rather than the direct cost center; focus optimization on the deployed architecture.<\/p>\n\n\n\n
                                                                                            10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                            This lab provisions a single Cloud Storage bucket<\/strong> using Terraform executed by Infrastructure Manager<\/strong>. It\u2019s designed to be safe and low-cost.<\/p>\n\n\n\n
                                                                                            Objective<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Enable a basic Infrastructure Manager workflow in a Google Cloud project.<\/li>\n
                                                                                            • Store Terraform configuration in Cloud Storage.<\/li>\n
                                                                                            • Create an Infrastructure Manager deployment to apply the Terraform and create a bucket.<\/li>\n
                                                                                            • Validate and then clean up.<\/li>\n<\/ul>\n\n\n\n
                                                                                              Lab Overview<\/h3>\n\n\n\n
                                                                                              You will:\n1. Prepare your project and tooling.\n2. Create a source bucket to store Terraform config.\n3. Create an execution service account and grant least-privilege permissions.\n4. Upload Terraform configuration to Cloud Storage.\n5. Create and apply an Infrastructure Manager deployment.\n6. Validate the bucket exists.\n7. Update the deployment once (optional).\n8. Clean up (delete deployment and buckets).<\/p>\n\n\n\n
                                                                                              \n
                                                                                              Important: Command groups and flags can evolve. If a command differs in your environment, use:<\/p>\n
                                                                                                \n
                                                                                              • gcloud help<\/code><\/li>\n
                                                                                              • gcloud infra-manager --help<\/code> (or the relevant command group)<\/li>\n
                                                                                              • Official docs: https:\/\/cloud.google.com\/infrastructure-manager\/docs<\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n
                                                                                                \n\n\n\n
                                                                                                Step 1: Set your project and confirm authentication<\/h3>\n\n\n\n
                                                                                                In Cloud Shell<\/strong>, run:<\/p>\n\n\n\n
                                                                                                gcloud auth list\ngcloud config list project\n<\/code><\/pre>\n\n\n\n
                                                                                                Set your project:<\/p>\n\n\n\n
                                                                                                export PROJECT_ID=\"YOUR_PROJECT_ID\"\ngcloud config set project \"${PROJECT_ID}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                Expected outcome<\/strong>\n– gcloud config list project<\/code> shows your target project.<\/p>\n\n\n\n
                                                                                                Verification<\/strong>\n– In the Google Cloud Console, confirm you\u2019re in the right project.<\/p>\n\n\n\n
                                                                                                \n\n\n\n
                                                                                                Step 2: Enable required APIs<\/h3>\n\n\n\n
                                                                                                Infrastructure Manager requires its API enabled, plus APIs for resources you manage.<\/p>\n\n\n\n
                                                                                                If you know the exact service name for the Infrastructure Manager API in your environment, enable it with gcloud services enable ...<\/code>. If you are not sure, enable it in the Console:<\/p>\n\n\n\n
                                                                                                  \n
                                                                                                • Console \u2192 APIs & Services<\/strong> \u2192 Enable APIs and services<\/strong><\/li>\n
                                                                                                • Search for Infrastructure Manager<\/strong> and enable the API.<\/li>\n
                                                                                                • Also ensure Cloud Storage<\/strong> and IAM<\/strong> APIs are enabled.<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Official docs for setup and API enabling:\n– https:\/\/cloud.google.com\/infrastructure-manager\/docs<\/p>\n\n\n\n
                                                                                                  Expected outcome<\/strong>\n– APIs show as enabled in the Console.<\/p>\n\n\n\n
                                                                                                  Common error<\/strong>\n– PERMISSION_DENIED: Permission denied to enable service<\/code>\n  Fix: ask a project owner\/admin to enable APIs or grant you permissions.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 3: Create a Cloud Storage bucket to store Terraform source<\/h3>\n\n\n\n
                                                                                                  Create a globally unique bucket name:<\/p>\n\n\n\n
                                                                                                  export RAND_SUFFIX=\"$(date +%s)\"\nexport TF_SOURCE_BUCKET=\"${PROJECT_ID}-im-src-${RAND_SUFFIX}\"\nexport LOCATION=\"us-central1\"   # choose a region appropriate for you\n<\/code><\/pre>\n\n\n\n
                                                                                                  Create the bucket:<\/p>\n\n\n\n
                                                                                                  gsutil mb -p \"${PROJECT_ID}\" -l \"${LOCATION}\" \"gs:\/\/${TF_SOURCE_BUCKET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome<\/strong>\n– Bucket is created successfully.<\/p>\n\n\n\n
                                                                                                  Verification<\/strong><\/p>\n\n\n\n
                                                                                                  gsutil ls -b \"gs:\/\/${TF_SOURCE_BUCKET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 4: Create an execution service account (least privilege)<\/h3>\n\n\n\n
                                                                                                  Create a dedicated service account that Infrastructure Manager will use to apply Terraform.<\/p>\n\n\n\n
                                                                                                  export IM_SA_NAME=\"im-executor\"\nexport IM_SA_EMAIL=\"${IM_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com\"\n\ngcloud iam service-accounts create \"${IM_SA_NAME}\" \\\n  --display-name=\"Infrastructure Manager execution SA\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Grant it permissions to create Cloud Storage buckets<\/strong> in this project:<\/p>\n\n\n\n
                                                                                                  gcloud projects add-iam-policy-binding \"${PROJECT_ID}\" \\\n  --member=\"serviceAccount:${IM_SA_EMAIL}\" \\\n  --role=\"roles\/storage.admin\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Also allow it to read the Terraform source bucket objects. You can do that at the bucket level (recommended) rather than project-wide:<\/p>\n\n\n\n
                                                                                                  gsutil iam ch \\\n  \"serviceAccount:${IM_SA_EMAIL}:objectViewer\" \\\n  \"gs:\/\/${TF_SOURCE_BUCKET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome<\/strong>\n– IAM bindings are updated without error.<\/p>\n\n\n\n
                                                                                                  Verification<\/strong><\/p>\n\n\n\n
                                                                                                  gcloud iam service-accounts describe \"${IM_SA_EMAIL}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Security note<\/strong>\n– For real environments, avoid broad roles like roles\/storage.admin<\/code> unless necessary. Prefer narrower roles and resource-level bindings. This lab uses Storage Admin for simplicity.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 5: Create Terraform configuration locally in Cloud Shell<\/h3>\n\n\n\n
                                                                                                  Create a working directory:<\/p>\n\n\n\n
                                                                                                  mkdir -p ~\/im-lab\/tf\ncd ~\/im-lab\/tf\n<\/code><\/pre>\n\n\n\n
                                                                                                  Create main.tf<\/code>:<\/p>\n\n\n\n
                                                                                                  terraform {\n  required_version = \">= 1.3.0\"\n  required_providers {\n    google = {\n      source  = \"hashicorp\/google\"\n      version = \">= 4.0\"\n    }\n  }\n}\n\nprovider \"google\" {\n  project = var.project_id\n  region  = var.location\n}\n\nresource \"google_storage_bucket\" \"demo_bucket\" {\n  name                        = var.bucket_name\n  location                    = var.location\n  uniform_bucket_level_access = true\n\n  labels = {\n    managed_by = \"infrastructure-manager\"\n    purpose    = \"tutorial\"\n  }\n}\n<\/code><\/pre>\n\n\n\n
                                                                                                  Create variables.tf<\/code>:<\/p>\n\n\n\n
                                                                                                  variable \"project_id\" {\n  type        = string\n  description = \"Google Cloud project ID\"\n}\n\nvariable \"location\" {\n  type        = string\n  description = \"Bucket location\/region\"\n}\n\nvariable \"bucket_name\" {\n  type        = string\n  description = \"Globally unique bucket name\"\n}\n<\/code><\/pre>\n\n\n\n
                                                                                                  Create outputs.tf<\/code>:<\/p>\n\n\n\n
                                                                                                  output \"bucket_name\" {\n  value = google_storage_bucket.demo_bucket.name\n}\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome<\/strong>\n– You have a minimal Terraform configuration that creates a bucket.<\/p>\n\n\n\n
                                                                                                  Verification<\/strong><\/p>\n\n\n\n
                                                                                                  ls -la\n<\/code><\/pre>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 6: Upload Terraform configuration to Cloud Storage<\/h3>\n\n\n\n
                                                                                                  Infrastructure Manager commonly uses a packaged source (for example, a ZIP archive in Cloud Storage). Packaging requirements can vary\u2014verify the expected source format in docs.<\/p>\n\n\n\n
                                                                                                  Create an archive:<\/p>\n\n\n\n
                                                                                                  cd ~\/im-lab\nzip -r tf-src.zip tf\n<\/code><\/pre>\n\n\n\n
                                                                                                  Upload it:<\/p>\n\n\n\n
                                                                                                  gsutil cp tf-src.zip \"gs:\/\/${TF_SOURCE_BUCKET}\/sources\/tf-src.zip\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome<\/strong>\n– The archive is present in your source bucket.<\/p>\n\n\n\n
                                                                                                  Verification<\/strong><\/p>\n\n\n\n
                                                                                                  gsutil ls \"gs:\/\/${TF_SOURCE_BUCKET}\/sources\/\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 7: Create an Infrastructure Manager deployment<\/h3>\n\n\n\n
                                                                                                  Choose a deployment name and an Infrastructure Manager location (this may or may not be the same as your bucket location; follow official docs for supported locations):<\/p>\n\n\n\n
                                                                                                  export DEPLOYMENT_NAME=\"im-bucket-lab\"\nexport IM_LOCATION=\"us-central1\"  # verify supported locations for Infrastructure Manager\nexport TARGET_BUCKET=\"${PROJECT_ID}-im-target-${RAND_SUFFIX}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Now create the deployment.<\/p>\n\n\n\n
                                                                                                  Because gcloud<\/code> command syntax can change, use the official docs and gcloud<\/code> help to confirm the exact flags for:\n– Source (GCS object)\n– Execution service account\n– Input variables<\/p>\n\n\n\n
                                                                                                  Start by exploring the command group:<\/p>\n\n\n\n
                                                                                                  gcloud infra-manager deployments --help\ngcloud infra-manager deployments create --help\n<\/code><\/pre>\n\n\n\n
                                                                                                  In many environments, the creation flow looks like:\n– Create the deployment pointing to the source\n– Apply it with variables<\/p>\n\n\n\n
                                                                                                  If your gcloud<\/code> supports passing Terraform inputs as variables\/parameters at apply time, run an apply similar to:<\/p>\n\n\n\n
                                                                                                  # Verify exact flags in your environment; adjust accordingly\ngcloud infra-manager deployments create \"${DEPLOYMENT_NAME}\" \\\n  --location=\"${IM_LOCATION}\" \\\n  --service-account=\"projects\/${PROJECT_ID}\/serviceAccounts\/${IM_SA_EMAIL}\" \\\n  --gcs-source=\"gs:\/\/${TF_SOURCE_BUCKET}\/sources\/tf-src.zip\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Then apply\/update with input values (flag names vary by version):<\/p>\n\n\n\n
                                                                                                  # Verify in official docs \/ gcloud help how to pass Terraform variables.\ngcloud infra-manager deployments apply \"${DEPLOYMENT_NAME}\" \\\n  --location=\"${IM_LOCATION}\" \\\n  --inputs=\"project_id=${PROJECT_ID},location=${LOCATION},bucket_name=${TARGET_BUCKET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  If your environment uses a different flag schema (for example, separate flags for inputs, or a file of inputs), follow the official guidance:\n– https:\/\/cloud.google.com\/infrastructure-manager\/docs<\/p>\n\n\n\n
                                                                                                  Expected outcome<\/strong>\n– Infrastructure Manager starts an operation that runs Terraform to create a Cloud Storage bucket.<\/p>\n\n\n\n
                                                                                                  Verification<\/strong>\nList deployments and describe the deployment:<\/p>\n\n\n\n
                                                                                                  gcloud infra-manager deployments list --location=\"${IM_LOCATION}\"\ngcloud infra-manager deployments describe \"${DEPLOYMENT_NAME}\" --location=\"${IM_LOCATION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  You should see a status indicating success once the operation completes (status fields vary).<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 8 (Optional): Update the deployment<\/h3>\n\n\n\n
                                                                                                  A safe update is to change labels (non-destructive). Edit main.tf<\/code> and add an extra label:<\/p>\n\n\n\n
                                                                                                  labels = {\n  managed_by = \"infrastructure-manager\"\n  purpose    = \"tutorial\"\n  env        = \"dev\"\n}\n<\/code><\/pre>\n\n\n\n
                                                                                                  Re-zip and upload:<\/p>\n\n\n\n
                                                                                                  cd ~\/im-lab\nzip -r tf-src.zip tf\ngsutil cp tf-src.zip \"gs:\/\/${TF_SOURCE_BUCKET}\/sources\/tf-src.zip\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Apply again:<\/p>\n\n\n\n
                                                                                                  gcloud infra-manager deployments apply \"${DEPLOYMENT_NAME}\" \\\n  --location=\"${IM_LOCATION}\" \\\n  --inputs=\"project_id=${PROJECT_ID},location=${LOCATION},bucket_name=${TARGET_BUCKET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome<\/strong>\n– A new operation runs and updates the bucket labels.<\/p>\n\n\n\n
                                                                                                  Verification<\/strong><\/p>\n\n\n\n
                                                                                                  gsutil label get \"gs:\/\/${TARGET_BUCKET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Validation<\/h3>\n\n\n\n
                                                                                                  Confirm the bucket exists:<\/p>\n\n\n\n
                                                                                                  gsutil ls -b \"gs:\/\/${TARGET_BUCKET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Confirm it has uniform bucket-level access enabled (one way is to inspect bucket metadata):<\/p>\n\n\n\n
                                                                                                  gsutil ls -L -b \"gs:\/\/${TARGET_BUCKET}\" | sed -n '1,120p'\n<\/code><\/pre>\n\n\n\n
                                                                                                  Also validate deployment status in Infrastructure Manager:<\/p>\n\n\n\n
                                                                                                  gcloud infra-manager deployments describe \"${DEPLOYMENT_NAME}\" --location=\"${IM_LOCATION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Troubleshooting<\/h3>\n\n\n\n
                                                                                                  Error: PERMISSION_DENIED<\/code> during apply<\/h4>\n\n\n\n
                                                                                                  Cause<\/strong>\n– Execution service account lacks permissions (common).<\/p>\n\n\n\n
                                                                                                  Fix<\/strong>\n– Ensure the execution service account has the correct roles for the resources being created.\n– For this lab, confirm:\n  – Project IAM binding for roles\/storage.admin<\/code>\n  – Source bucket objectViewer binding<\/p>\n\n\n\n
                                                                                                  Error: Bucket name already exists<\/h4>\n\n\n\n
                                                                                                  Cause<\/strong>\n– Cloud Storage bucket names are global.<\/p>\n\n\n\n
                                                                                                  Fix<\/strong>\n– Change TARGET_BUCKET<\/code> to a new globally unique value and re-apply.<\/p>\n\n\n\n
                                                                                                  Error: API not enabled<\/h4>\n\n\n\n
                                                                                                  Cause<\/strong>\n– Required API not enabled (Infrastructure Manager API, Storage API, IAM API).<\/p>\n\n\n\n
                                                                                                  Fix<\/strong>\n– Enable in Console \u2192 APIs & Services.<\/p>\n\n\n\n
                                                                                                  Error: Organization Policy constraint blocks creation<\/h4>\n\n\n\n
                                                                                                  Cause<\/strong>\n– Org policies (e.g., restrictions on bucket locations, public access prevention requirements).<\/p>\n\n\n\n
                                                                                                  Fix<\/strong>\n– Review Organization Policy constraints for the project\/folder\/org and update Terraform configuration accordingly.<\/p>\n\n\n\n
                                                                                                  Error: Deployment location invalid<\/h4>\n\n\n\n
                                                                                                  Cause<\/strong>\n– Infrastructure Manager may support only certain locations.<\/p>\n\n\n\n
                                                                                                  Fix<\/strong>\n– Verify supported locations in official docs and change IM_LOCATION<\/code>.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Cleanup<\/h3>\n\n\n\n
                                                                                                  To avoid ongoing cost and clutter, delete resources after the lab.<\/p>\n\n\n\n
                                                                                                  1) Delete the Infrastructure Manager deployment.<\/p>\n\n\n\n
                                                                                                  Command syntax for deleting and whether it deletes underlying resources can vary. Check:<\/p>\n\n\n\n
                                                                                                  gcloud infra-manager deployments delete --help\n<\/code><\/pre>\n\n\n\n
                                                                                                  Then run:<\/p>\n\n\n\n
                                                                                                  gcloud infra-manager deployments delete \"${DEPLOYMENT_NAME}\" \\\n  --location=\"${IM_LOCATION}\" \\\n  --quiet\n<\/code><\/pre>\n\n\n\n
                                                                                                  Verify<\/strong> whether the underlying bucket is removed. If it is not automatically deleted, delete it manually:<\/p>\n\n\n\n
                                                                                                  gsutil rm -r \"gs:\/\/${TARGET_BUCKET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  2) Delete the Terraform source bucket:<\/p>\n\n\n\n
                                                                                                  gsutil rm -r \"gs:\/\/${TF_SOURCE_BUCKET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  3) (Optional) Remove the execution service account if you created it only for the lab:<\/p>\n\n\n\n
                                                                                                  gcloud iam service-accounts delete \"${IM_SA_EMAIL}\" --quiet\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome<\/strong>\n– No lab buckets remain, and the deployment is gone.<\/p>\n\n\n\n
                                                                                                  11. Best Practices<\/h2>\n\n\n\n
                                                                                                  Architecture best practices<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Use small, composable modules<\/strong> rather than one huge Terraform root module.<\/li>\n
                                                                                                  • Separate \u201cfoundation\u201d (networking, IAM baseline) from \u201cworkload\u201d (app-specific) deployments.<\/li>\n
                                                                                                  • Prefer multi-project<\/strong> architecture for production (separate dev\/stage\/prod projects) to reduce blast radius.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Use a dedicated execution service account per environment<\/strong> (or per deployment class).<\/li>\n
                                                                                                    • Grant least privilege:<\/li>\n
                                                                                                    • Prefer resource-level IAM (bucket-level) over project-wide roles.<\/li>\n
                                                                                                    • Avoid primitive roles (Owner\/Editor) except in isolated sandboxes.<\/li>\n
                                                                                                    • Restrict who can:<\/li>\n
                                                                                                    • Create deployments<\/li>\n
                                                                                                    • Update sources\/inputs<\/li>\n
                                                                                                    • Trigger applies<\/li>\n<\/ul>\n\n\n\n
                                                                                                      Cost best practices<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Label everything (labels<\/code> in Terraform) for cost allocation and chargeback.<\/li>\n
                                                                                                      • Keep dev\/test deployments small and ephemeral.<\/li>\n
                                                                                                      • Avoid always-on expensive components (NAT, load balancers, large clusters) unless necessary.<\/li>\n<\/ul>\n\n\n\n
                                                                                                        Performance best practices<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Keep Terraform state manageable by splitting deployments by domain (network, IAM, app stack).<\/li>\n
                                                                                                        • Avoid frequent full-environment applies if only a subset changes; structure modules accordingly.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          Reliability best practices<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Treat Terraform code as production code:<\/li>\n
                                                                                                          • code review<\/li>\n
                                                                                                          • version pinning for providers<\/li>\n
                                                                                                          • staged rollouts<\/li>\n
                                                                                                          • Use a promotion process: apply to dev \u2192 stage \u2192 prod using the same module version.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Operations best practices<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Centralize logs:<\/li>\n
                                                                                                            • Ensure deployment operation logs and audit logs are accessible to SRE\/platform teams.<\/li>\n
                                                                                                            • Document runbooks:<\/li>\n
                                                                                                            • common failure modes (IAM, quota, org policy)<\/li>\n
                                                                                                            • rollback approach (re-apply previous version)<\/li>\n
                                                                                                            • Track change history:<\/li>\n
                                                                                                            • tie Infrastructure Manager operations to change requests\/tickets in regulated environments.<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Standard naming conventions:<\/li>\n
                                                                                                              • include project, environment, purpose<\/li>\n
                                                                                                              • Standard labels:<\/li>\n
                                                                                                              • env<\/code>, owner<\/code>, cost_center<\/code>, app<\/code>, managed_by<\/code><\/li>\n
                                                                                                              • Consider org policy guardrails:<\/li>\n
                                                                                                              • location restrictions<\/li>\n
                                                                                                              • public access prevention<\/li>\n
                                                                                                              • allowed service account usage<\/li>\n<\/ul>\n\n\n\n
                                                                                                                12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                Identity and access model<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Control-plane access is governed by IAM on the project and Infrastructure Manager resources.<\/li>\n
                                                                                                                • Execution is performed by a service account:<\/li>\n
                                                                                                                • Treat it like a privileged automation identity.<\/li>\n
                                                                                                                • Rotate keys only if you use keys (prefer keyless identities; Infrastructure Manager typically uses service account impersonation rather than long-lived keys).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Encryption<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • Google Cloud encrypts data at rest and in transit by default for most managed services.<\/li>\n
                                                                                                                  • If your Terraform sources are in Cloud Storage:<\/li>\n
                                                                                                                  • Use uniform bucket-level access<\/li>\n
                                                                                                                  • Consider CMEK if required by policy (verify compatibility and organizational requirements).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Network exposure<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Infrastructure Manager is a control plane; your deployed resources can be public or private.<\/li>\n
                                                                                                                    • Prevent accidental exposure:<\/li>\n
                                                                                                                    • avoid public IPs by default<\/li>\n
                                                                                                                    • avoid overly permissive firewall rules<\/li>\n
                                                                                                                    • enforce private service access patterns where required<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      Secrets handling<\/h3>\n\n\n\n
                                                                                                                      Avoid putting secrets in:\n– Terraform code\n– Terraform variables committed to source control\n– Logs<\/p>\n\n\n\n
                                                                                                                      Recommended patterns:\n– Use Secret Manager for secrets storage and retrieval (integrate through runtime, not in plain text).\n– If Terraform must reference secrets, use secure references and keep state exposure in mind. Review your Terraform\/state handling model carefully (verify Infrastructure Manager\u2019s state storage and access patterns in official docs).<\/p>\n\n\n\n
                                                                                                                      Audit\/logging<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Use Cloud Audit Logs to track:<\/li>\n
                                                                                                                      • Who created\/updated deployments<\/li>\n
                                                                                                                      • Who triggered applies<\/li>\n
                                                                                                                      • Which service account executed changes<\/li>\n
                                                                                                                      • Restrict access to logs if they contain sensitive identifiers.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Compliance considerations<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Enforce code review and approval workflows for production applies.<\/li>\n
                                                                                                                        • Use separate projects\/accounts for separation of duties.<\/li>\n
                                                                                                                        • Document and standardize IAM role assignments for deployment operators.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Common security mistakes<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Using broad roles (Owner\/Editor) for the execution service account.<\/li>\n
                                                                                                                          • Storing secrets in Terraform variables and leaking them through state\/logs.<\/li>\n
                                                                                                                          • Allowing too many people to trigger applies in production.<\/li>\n
                                                                                                                          • Not protecting the Terraform source artifact (anyone who can change source can change infrastructure).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Create a \u201cplatform provisioning\u201d project pattern:<\/li>\n
                                                                                                                            • controlled execution identities<\/li>\n
                                                                                                                            • enforced code review<\/li>\n
                                                                                                                            • centralized logging<\/li>\n
                                                                                                                            • Use organization policies as guardrails.<\/li>\n
                                                                                                                            • Use separate deployments for baseline vs workloads to reduce blast radius.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                              \n
                                                                                                                              These points are common in managed Terraform\/IaC services; verify Infrastructure Manager-specific behaviors in official docs:\nhttps:\/\/cloud.google.com\/infrastructure-manager\/docs<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Location constraints<\/strong>: Deployments often require a supported location; not all regions may be available.<\/li>\n
                                                                                                                              • Source packaging requirements<\/strong>: You may need to package Terraform configuration in a specific archive structure.<\/li>\n
                                                                                                                              • Terraform version\/provider support<\/strong>: The service may pin or restrict supported Terraform versions or provider behaviors. Verify supported versions.<\/li>\n
                                                                                                                              • State handling<\/strong>: Understand where state is stored, who can access it, and how it\u2019s protected. This impacts security and operations.<\/li>\n
                                                                                                                              • IAM complexity<\/strong>: Two layers of IAM (caller and execution identity) can be confusing.<\/li>\n
                                                                                                                              • Org policies<\/strong>: Organization Policy constraints can block creates\/updates; troubleshoot by checking policy violations.<\/li>\n
                                                                                                                              • Quota failures<\/strong>: Applies can fail due to resource quotas (CPU, IPs, API rate limits).<\/li>\n
                                                                                                                              • Idempotency expectations<\/strong>: Terraform is declarative, but some resources have non-trivial update semantics (re-creation vs in-place update).<\/li>\n
                                                                                                                              • Deletion semantics<\/strong>: Deleting a deployment may or may not automatically delete underlying resources depending on configuration and service behavior\u2014verify before relying on it.<\/li>\n
                                                                                                                              • Drift management<\/strong>: If humans change resources outside Terraform, expect drift and potentially surprising diffs on next apply.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                How Infrastructure Manager compares<\/h3>\n\n\n\n
                                                                                                                                \n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                Infrastructure Manager (Google Cloud)<\/strong><\/td>\nTerraform-based provisioning with Google-managed orchestration<\/td>\nManaged execution, IAM integration, auditability, consistent deployment model<\/td>\nSupport constraints (versions\/sources), location requirements, requires learning new operational model<\/td>\nYou want managed Terraform operations tightly integrated with Google Cloud governance<\/td>\n<\/tr>\n
                                                                                                                                Terraform CLI + Remote State (self-managed)<\/strong><\/td>\nTeams already skilled with Terraform and want full flexibility<\/td>\nMaximum flexibility; choose any backend; custom tooling<\/td>\nYou must manage runners, credentials, state access, auditing, and standardization<\/td>\nSmall teams or mature DevOps shops with established patterns<\/td>\n<\/tr>\n
                                                                                                                                Terraform Cloud \/ Terraform Enterprise<\/strong><\/td>\nEnterprise Terraform platform across clouds<\/td>\nPolicy-as-code (Sentinel), runs, workspace model, strong governance<\/td>\nAdditional vendor\/platform cost and operations; external platform dependency<\/td>\nMulti-cloud enterprises standardizing Terraform at scale<\/td>\n<\/tr>\n
                                                                                                                                Cloud Build + Terraform in CI<\/strong><\/td>\nSimple pipeline-driven Terraform with minimal new services<\/td>\nFamiliar CI workflow, can be locked down with SA impersonation<\/td>\nStill need state strategy, secrets handling, approvals, and runner hygiene<\/td>\nYou want lightweight automation without a dedicated IaC service<\/td>\n<\/tr>\n
                                                                                                                                Config Connector \/ Config Controller (Google Cloud\/Kubernetes)<\/strong><\/td>\nKubernetes-native resource management (GitOps)<\/td>\nKubernetes reconciliation model, GitOps workflows<\/td>\nNot Terraform; requires Kubernetes control plane; different skills<\/td>\nPlatform teams already all-in on Kubernetes\/GitOps<\/td>\n<\/tr>\n
                                                                                                                                AWS CloudFormation (other cloud)<\/strong><\/td>\nAWS-native IaC<\/td>\nDeep AWS integration<\/td>\nNot for Google Cloud; different ecosystem<\/td>\nOnly if deploying primarily on AWS<\/td>\n<\/tr>\n
                                                                                                                                Azure Resource Manager \/ Bicep (other cloud)<\/strong><\/td>\nAzure-native IaC<\/td>\nDeep Azure integration<\/td>\nNot for Google Cloud<\/td>\nOnly if deploying primarily on Azure<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                Enterprise example: regulated bank landing zone rollout<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Problem<\/strong>: A bank must provision dozens of projects with consistent networking, logging, IAM baselines, and strict audit trails.<\/li>\n
                                                                                                                                • Proposed architecture<\/strong><\/li>\n
                                                                                                                                • A platform team maintains Terraform modules for:
                                                                                                                                    \n
                                                                                                                                  • project baseline (labels, logging sinks)<\/li>\n
                                                                                                                                  • network baseline (VPC\/subnets\/firewalls)<\/li>\n
                                                                                                                                  • security baseline (service accounts, IAM bindings)<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                  • Infrastructure Manager deployments exist per environment (dev\/stage\/prod) and per business unit.<\/li>\n
                                                                                                                                  • Execution service accounts are tightly scoped; production applies require change approvals.<\/li>\n
                                                                                                                                  • Why Infrastructure Manager was chosen<\/strong><\/li>\n
                                                                                                                                  • Managed Terraform execution aligned with Google Cloud IAM and audit requirements.<\/li>\n
                                                                                                                                  • Consistent deployment operations and logs for compliance evidence.<\/li>\n
                                                                                                                                  • Expected outcomes<\/strong><\/li>\n
                                                                                                                                  • Faster project provisioning with fewer configuration errors.<\/li>\n
                                                                                                                                  • Clearer audit trails and improved separation of duties.<\/li>\n
                                                                                                                                  • Reduced reliance on local Terraform runs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Startup\/small-team example: standard app environment provisioning<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Problem<\/strong>: A startup wants repeatable dev\/stage\/prod provisioning without building a complex Terraform platform.<\/li>\n
                                                                                                                                    • Proposed architecture<\/strong><\/li>\n
                                                                                                                                    • A small Terraform module creates:
                                                                                                                                        \n
                                                                                                                                      • a Cloud Storage bucket for app assets<\/li>\n
                                                                                                                                      • service account + minimal IAM<\/li>\n
                                                                                                                                      • optional Cloud Run service (future)<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                      • Infrastructure Manager manages the deployment per environment.<\/li>\n
                                                                                                                                      • Why Infrastructure Manager was chosen<\/strong><\/li>\n
                                                                                                                                      • Reduces need to manage Terraform runners and state handling manually.<\/li>\n
                                                                                                                                      • Encourages better hygiene (code-based changes, auditable operations) early.<\/li>\n
                                                                                                                                      • Expected outcomes<\/strong><\/li>\n
                                                                                                                                      • Consistent environments and simpler onboarding.<\/li>\n
                                                                                                                                      • Safer changes with visible operation history.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        16. FAQ<\/h2>\n\n\n\n
                                                                                                                                        1) Is Infrastructure Manager the same as Terraform Cloud?<\/strong>\nNo. Terraform Cloud is a HashiCorp-managed platform. Infrastructure Manager is a Google Cloud service that runs Terraform-based deployments within Google Cloud\u2019s control plane and IAM model.<\/p>\n\n\n\n
                                                                                                                                        2) Does Infrastructure Manager replace Terraform CLI?<\/strong>\nIt doesn\u2019t replace Terraform as a tool; it provides a managed way to execute Terraform workflows. You still write Terraform configurations.<\/p>\n\n\n\n
                                                                                                                                        3) Do I still need to manage Terraform state?<\/strong>\nYou must understand how state is handled in your Infrastructure Manager workflow. The service abstracts some details, but state location, access control, and security are still critical. Verify current state behavior in official docs.<\/p>\n\n\n\n
                                                                                                                                        4) Can Infrastructure Manager deploy resources outside Google Cloud?<\/strong>\nInfrastructure Manager is designed for Google Cloud provisioning. Terraform can manage many providers, but Infrastructure Manager support and policy constraints are Google Cloud\u2013centric. Verify cross-provider support before relying on it.<\/p>\n\n\n\n
                                                                                                                                        5) What identity creates the resources? My user account or a service account?<\/strong>\nTypically the execution service account<\/strong> performs resource creation. Your user identity calls the Infrastructure Manager API, but the execution identity needs permissions to create resources.<\/p>\n\n\n\n
                                                                                                                                        6) How do I implement least privilege for the execution service account?<\/strong>\nStart by listing resources the deployment manages, then grant the narrowest roles at the narrowest scope possible (resource-level where available). Avoid broad project-wide roles in production.<\/p>\n\n\n\n
                                                                                                                                        7) How do I promote changes from dev to prod?<\/strong>\nUse versioned Terraform modules and a promotion pipeline. Apply the same module version with environment-specific inputs to dev, then stage, then prod.<\/p>\n\n\n\n
                                                                                                                                        8) Does Infrastructure Manager provide a \u201cplan\u201d preview?<\/strong>\nInfrastructure Manager workflows are Terraform-based; there is typically an equivalent of plan\/apply in managed operations. Verify the exact \u201cpreview\u201d or \u201cplan\u201d support and commands in official docs.<\/p>\n\n\n\n
                                                                                                                                        9) Where do I see logs for failed deployments?<\/strong>\nUse the Infrastructure Manager deployment\/operation details and Cloud Logging. Also consult Cloud Audit Logs to see who triggered actions.<\/p>\n\n\n\n
                                                                                                                                        10) Can I use private modules?<\/strong>\nThis depends on supported sources (Cloud Storage, Git, Artifact Registry, etc.) and access methods. Verify current supported private module workflows in official docs.<\/p>\n\n\n\n
                                                                                                                                        11) How do I handle secrets in Terraform with Infrastructure Manager?<\/strong>\nAvoid plaintext secrets in code and variables. Prefer Secret Manager and runtime injection patterns. Review how Terraform state is stored and who can access it.<\/p>\n\n\n\n
                                                                                                                                        12) What causes the most common failures?<\/strong>\nIAM permission issues, org policy constraints, API not enabled, quotas, and invalid resource parameters.<\/p>\n\n\n\n
                                                                                                                                        13) Can I import existing resources into an Infrastructure Manager deployment?<\/strong>\nTerraform import is a specialized workflow; Infrastructure Manager support may differ from local Terraform. Verify import capabilities and recommended adoption approaches in official docs.<\/p>\n\n\n\n
                                                                                                                                        14) Is Infrastructure Manager suitable for production?<\/strong>\nYes, when you design it with proper IAM, logging, approvals, and module hygiene. Confirm your required features and region support.<\/p>\n\n\n\n
                                                                                                                                        15) How do I prevent accidental deletion of production resources?<\/strong>\nUse strict IAM, change approvals, separate projects, protective org policies, and consider Terraform lifecycle safeguards. Also ensure deletion semantics for deployments are well understood and documented.<\/p>\n\n\n\n
                                                                                                                                        16) How do I structure deployments for a large org?<\/strong>\nSplit by domain (foundation vs workloads), use a module registry pattern, standardize labels, and enforce guardrails with IAM and org policies.<\/p>\n\n\n\n
                                                                                                                                        17) Do I need Cloud Build to use Infrastructure Manager?<\/strong>\nNo. Cloud Build is optional for CI\/CD automation. You can trigger deployments manually via Console\/CLI\/API.<\/p>\n\n\n\n
                                                                                                                                        17. Top Online Resources to Learn Infrastructure Manager<\/h2>\n\n\n\n
                                                                                                                                        \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                        Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                        Official documentation<\/td>\nhttps:\/\/cloud.google.com\/infrastructure-manager\/docs<\/td>\nPrimary reference for concepts, supported workflows, locations, and setup<\/td>\n<\/tr>\n
                                                                                                                                        Official tutorials \/ quickstarts<\/td>\nhttps:\/\/cloud.google.com\/infrastructure-manager\/docs (see Tutorials\/Quickstarts sections)<\/td>\nStep-by-step guides aligned to current product behavior<\/td>\n<\/tr>\n
                                                                                                                                        Google Cloud IAM docs<\/td>\nhttps:\/\/cloud.google.com\/iam\/docs<\/td>\nEssential for securing execution service accounts and access control<\/td>\n<\/tr>\n
                                                                                                                                        Cloud Logging docs<\/td>\nhttps:\/\/cloud.google.com\/logging\/docs<\/td>\nLearn how to find and analyze deployment logs<\/td>\n<\/tr>\n
                                                                                                                                        Cloud Audit Logs docs<\/td>\nhttps:\/\/cloud.google.com\/logging\/docs\/audit<\/td>\nGovernance and compliance auditing of deployment actions<\/td>\n<\/tr>\n
                                                                                                                                        Cloud Storage pricing<\/td>\nhttps:\/\/cloud.google.com\/storage\/pricing<\/td>\nCosts for storing Terraform sources\/artifacts and (potentially) related objects<\/td>\n<\/tr>\n
                                                                                                                                        Google Cloud pricing overview<\/td>\nhttps:\/\/cloud.google.com\/pricing<\/td>\nBroader pricing navigation for services your Terraform will provision<\/td>\n<\/tr>\n
                                                                                                                                        Pricing calculator<\/td>\nhttps:\/\/cloud.google.com\/products\/calculator<\/td>\nEstimate costs for deployed infrastructure<\/td>\n<\/tr>\n
                                                                                                                                        Quotas overview<\/td>\nhttps:\/\/cloud.google.com\/docs\/quota<\/td>\nUnderstand quotas that may block deployments<\/td>\n<\/tr>\n
                                                                                                                                        Google Cloud Architecture Center<\/td>\nhttps:\/\/cloud.google.com\/architecture<\/td>\nReference architectures you can translate into Terraform blueprints<\/td>\n<\/tr>\n
                                                                                                                                        Terraform documentation<\/td>\nhttps:\/\/developer.hashicorp.com\/terraform\/docs<\/td>\nCore Terraform concepts (state, modules, providers) that apply to Infrastructure Manager<\/td>\n<\/tr>\n
                                                                                                                                        Google provider docs (Terraform)<\/td>\nhttps:\/\/registry.terraform.io\/providers\/hashicorp\/google\/latest\/docs<\/td>\nResource-level Terraform docs for Google Cloud provider behavior<\/td>\n<\/tr>\n
                                                                                                                                        gcloud CLI reference<\/td>\nhttps:\/\/cloud.google.com\/sdk\/gcloud\/reference<\/td>\nVerify current gcloud<\/code> syntax for infrastructure manager commands<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                        18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                        \n\n\n\n\n\n\n\n\n
                                                                                                                                        Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                        DevOpsSchool.com<\/td>\nBeginners to advanced DevOps\/SRE\/platform engineers<\/td>\nDevOps, CI\/CD, cloud automation, Infrastructure as code, Terraform practices<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com<\/td>\n<\/tr>\n
                                                                                                                                        ScmGalaxy.com<\/td>\nStudents and working professionals<\/td>\nSCM, DevOps fundamentals, tooling ecosystems<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com<\/td>\n<\/tr>\n
                                                                                                                                        CLoudOpsNow.in<\/td>\nCloud operations and DevOps practitioners<\/td>\nCloudOps, operational readiness, monitoring, automation<\/td>\nCheck website<\/td>\nhttps:\/\/www.cloudopsnow.in<\/td>\n<\/tr>\n
                                                                                                                                        SreSchool.com<\/td>\nSREs, platform engineers, operations teams<\/td>\nReliability engineering, operational best practices, incident response<\/td>\nCheck website<\/td>\nhttps:\/\/www.sreschool.com<\/td>\n<\/tr>\n
                                                                                                                                        AiOpsSchool.com<\/td>\nOps teams exploring AIOps<\/td>\nAIOps concepts, automation, observability-driven operations<\/td>\nCheck website<\/td>\nhttps:\/\/www.aiopsschool.com<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                        19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                        \n\n\n\n\n\n\n\n
                                                                                                                                        Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                        RajeshKumar.xyz<\/td>\nDevOps\/cloud training content (verify offerings)<\/td>\nLearners seeking trainer-led or curated content<\/td>\nhttps:\/\/www.rajeshkumar.xyz<\/td>\n<\/tr>\n
                                                                                                                                        devopstrainer.in<\/td>\nDevOps training (verify course catalog)<\/td>\nIndividuals and teams learning DevOps\/IaC<\/td>\nhttps:\/\/www.devopstrainer.in<\/td>\n<\/tr>\n
                                                                                                                                        devopsfreelancer.com<\/td>\nFreelance DevOps services\/training (verify offerings)<\/td>\nTeams needing short-term coaching or implementation support<\/td>\nhttps:\/\/www.devopsfreelancer.com<\/td>\n<\/tr>\n
                                                                                                                                        devopssupport.in<\/td>\nDevOps support\/training resources (verify offerings)<\/td>\nOperations teams needing practical help<\/td>\nhttps:\/\/www.devopssupport.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                        20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                        \n\n\n\n\n\n\n
                                                                                                                                        Company Name<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                        cotocus.com<\/td>\nCloud\/DevOps consulting (verify service catalog)<\/td>\nArchitecture, CI\/CD, IaC implementation, operational readiness<\/td>\nDesigning Terraform module standards; setting up secure execution identities; governance and logging patterns<\/td>\nhttps:\/\/www.cotocus.com<\/td>\n<\/tr>\n
                                                                                                                                        DevOpsSchool.com<\/td>\nDevOps consulting and training (verify offerings)<\/td>\nDevOps transformation, tooling implementation, enablement<\/td>\nBuilding an IaC operating model; CI\/CD integration; team training on Terraform + Google Cloud<\/td>\nhttps:\/\/www.devopsschool.com<\/td>\n<\/tr>\n
                                                                                                                                        DEVOPSCONSULTING.IN<\/td>\nDevOps consulting (verify service catalog)<\/td>\nDevOps\/IaC advisory, implementation support<\/td>\nInfrastructure as code rollout; pipeline hardening; audit-ready provisioning workflows<\/td>\nhttps:\/\/www.devopsconsulting.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                        21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                        What to learn before Infrastructure Manager<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Google Cloud fundamentals:<\/li>\n
                                                                                                                                        • projects, billing, IAM, service accounts<\/li>\n
                                                                                                                                        • VPC basics and resource hierarchy (org\/folder\/project)<\/li>\n
                                                                                                                                        • Terraform fundamentals:<\/li>\n
                                                                                                                                        • providers, resources, modules, variables, outputs<\/li>\n
                                                                                                                                        • plan\/apply lifecycle<\/li>\n
                                                                                                                                        • state and drift concepts<\/li>\n
                                                                                                                                        • Operational basics:<\/li>\n
                                                                                                                                        • Cloud Logging and Cloud Audit Logs<\/li>\n
                                                                                                                                        • quotas and limits<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          What to learn after Infrastructure Manager<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Terraform module engineering:<\/li>\n
                                                                                                                                          • versioning strategy, module registries, testing<\/li>\n
                                                                                                                                          • Platform engineering patterns:<\/li>\n
                                                                                                                                          • golden paths, templates, guardrails<\/li>\n
                                                                                                                                          • Security engineering for IaC:<\/li>\n
                                                                                                                                          • least privilege at scale, org policies, secret management<\/li>\n
                                                                                                                                          • CI\/CD integration:<\/li>\n
                                                                                                                                          • automated promotion workflows, approvals, policy checks<\/li>\n
                                                                                                                                          • Governance:<\/li>\n
                                                                                                                                          • cost allocation, labeling standards, compliance reporting<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Cloud Engineer<\/li>\n
                                                                                                                                            • DevOps Engineer<\/li>\n
                                                                                                                                            • Site Reliability Engineer (SRE)<\/li>\n
                                                                                                                                            • Platform Engineer<\/li>\n
                                                                                                                                            • Cloud Security Engineer<\/li>\n
                                                                                                                                            • Solutions Architect<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                              Infrastructure Manager itself typically appears as part of broader Google Cloud skills rather than a standalone certification topic. Consider:\n– Associate Cloud Engineer\n– Professional Cloud Architect\n– Professional DevOps Engineer\nVerify the latest certification blueprints: https:\/\/cloud.google.com\/learn\/certification<\/p>\n\n\n\n
                                                                                                                                              Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Build a \u201cproject baseline\u201d module (labels, IAM, logging sinks) and deploy to a sandbox project.<\/li>\n
                                                                                                                                              • Create a network blueprint (VPC + subnets + firewall rules) with separate dev\/stage\/prod deployments.<\/li>\n
                                                                                                                                              • Implement a CI pipeline that updates an Infrastructure Manager deployment only after code review.<\/li>\n
                                                                                                                                              • Add governance: enforce labels and approved regions using organization policies (in a test org).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Infrastructure as code (IaC)<\/strong>: Managing infrastructure through versioned code rather than manual changes.<\/li>\n
                                                                                                                                                • Terraform<\/strong>: A declarative IaC tool that uses providers to manage infrastructure resources.<\/li>\n
                                                                                                                                                • Provider<\/strong>: Terraform plugin that talks to an API (e.g., the Google Cloud provider).<\/li>\n
                                                                                                                                                • Module<\/strong>: Reusable Terraform package of resources and variables.<\/li>\n
                                                                                                                                                • State<\/strong>: Terraform\u2019s record of managed resources and their attributes, used to compute changes.<\/li>\n
                                                                                                                                                • Drift<\/strong>: When real infrastructure changes outside Terraform, diverging from the desired configuration.<\/li>\n
                                                                                                                                                • Deployment (Infrastructure Manager)<\/strong>: A managed representation of your Terraform-defined infrastructure stack.<\/li>\n
                                                                                                                                                • Execution service account<\/strong>: The service account used by Infrastructure Manager to call Google Cloud APIs to create\/update resources.<\/li>\n
                                                                                                                                                • IAM (Identity and Access Management)<\/strong>: Google Cloud\u2019s access control system for permissions and identities.<\/li>\n
                                                                                                                                                • Cloud Audit Logs<\/strong>: Records of administrative and data access actions in Google Cloud.<\/li>\n
                                                                                                                                                • Cloud Logging<\/strong>: Central service for storing and querying logs across Google Cloud services.<\/li>\n
                                                                                                                                                • Org Policy<\/strong>: Organization-level constraints that restrict what can be created\/changed in Google Cloud.<\/li>\n
                                                                                                                                                • Label<\/strong>: Key\/value metadata applied to resources for organization, filtering, and cost allocation.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  23. Summary<\/h2>\n\n\n\n
                                                                                                                                                  Infrastructure Manager is Google Cloud\u2019s managed Infrastructure as code<\/strong> service for deploying and managing Google Cloud resources using Terraform<\/strong>. It matters because it standardizes Terraform execution with Google Cloud IAM, operational logging, and auditable deployment operations\u2014reducing the risks of ad-hoc local runs and inconsistent automation.<\/p>\n\n\n\n
                                                                                                                                                  From an architecture perspective, it fits as a provisioning control plane for Terraform-defined \u201cdeployments,\u201d integrating with IAM (least privilege execution identities), Logging\/Audit Logs (visibility and compliance), and your existing CI\/CD tooling (promotion workflows). Cost is primarily driven by the infrastructure you provision and operational byproducts like logs and storage artifacts; always validate the current pricing model and focus optimization on the deployed resources. Security success depends on tight IAM for the execution service account, strong source controls, and careful secrets handling.<\/p>\n\n\n\n
                                                                                                                                                  Use Infrastructure Manager when you want managed Terraform provisioning aligned to Google Cloud governance. Next step: read the official docs and implement a small blueprint (network + IAM baseline) in a sandbox project, then evolve it into a promoted dev\/stage\/prod workflow.<\/p>\n\n\n\n
                                                                                                                                                  Official docs to continue: https:\/\/cloud.google.com\/infrastructure-manager\/docs<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                  Infrastructure as code<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51,61],"tags":[],"class_list":["post-708","post","type-post","status-publish","format-standard","hentry","category-google-cloud","category-infrastructure-as-code"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=708"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/708\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}