Prerequisites
Before deploying infrastructure, ensure you have the required tools installed and GCP access configured.
Required Tools
1. Google Cloud SDK
Install the gcloud CLI for GCP authentication and management:
# macOS
brew install google-cloud-sdk
# Or download from https://cloud.google.com/sdk/docs/install
Verify installation:
gcloud --version
2. Pulumi CLI
Install Pulumi for infrastructure management:
# macOS
brew install pulumi
# Or use the install script
curl -fsSL https://get.pulumi.com | sh
Verify installation:
pulumi version
3. Node.js and pnpm
The infrastructure code requires Node.js 18+ and pnpm:
# Install Node.js (if not already installed)
brew install node
# Install pnpm
npm install -g pnpm
4. Using setup-tools.sh
Alternatively, run the setup script from the project root:
./setup-tools.sh
This script installs all required tools including gcloud, pulumi, kubectl, and helm.
GCP Project Setup
Required GCP Projects
Create or have access to the following GCP projects:
| Environment | Project ID |
|---|---|
| Development | serko-northsky-dev |
| Testing | serko-northsky-test |
| Production | northsky-473920 |
Required GCP APIs
The following APIs must be enabled in each project:
- Compute Engine API
- Kubernetes Engine API
- Cloud Resource Manager API
- Service Networking API
- Artifact Registry API
- Cloud Storage API
- AlloyDB API
- Memorystore for Redis API
- Secret Manager API
- IAM API
Enable APIs using gcloud:
gcloud services enable \
compute.googleapis.com \
container.googleapis.com \
cloudresourcemanager.googleapis.com \
servicenetworking.googleapis.com \
artifactregistry.googleapis.com \
storage.googleapis.com \
alloydb.googleapis.com \
redis.googleapis.com \
secretmanager.googleapis.com \
iam.googleapis.com \
--project=PROJECT_ID
Service Account Setup
Each environment requires a dedicated service account for Pulumi operations.
1. Create Service Account
Run the setup script for each environment:
cd infra/pulumi
./scripts/setup-account.sh dev
./scripts/setup-account.sh test
./scripts/setup-account.sh prod
This script:
- Creates a service account named pulumi-infra@PROJECT_ID.iam.gserviceaccount.com
- Grants the required IAM roles (listed below)
- Downloads a service account key to keys/pulumi-{env}-key.json
2. Required IAM Roles
The service account needs these roles:
| Role | Purpose |
|---|---|
| roles/compute.admin | Manage VPC, subnets, firewall |
| roles/container.admin | Manage GKE clusters |
| roles/artifactregistry.admin | Manage container registry |
| roles/storage.admin | Manage GCS buckets |
| roles/alloydb.admin | Manage AlloyDB instances |
| roles/redis.admin | Manage Memorystore |
| roles/secretmanager.admin | Manage secrets |
| roles/iam.securityAdmin | Manage service accounts and IAM bindings |
| roles/serviceusage.serviceUsageAdmin | Enable APIs |
Note that every one of these is a full admin role, and roles/iam.securityAdmin can get and set the IAM policy of the whole project. A key for this account is therefore as sensitive as a project-owner credential: whoever holds it can read every secret in Secret Manager and grant themselves further access.
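A preflight check for the two requirements above (enabled APIs and the roles bound to the Pulumi service account). This is an added example, not one of the project's scripts; it uses only the API and role names listed on this page and assumes the pulumi-infra@PROJECT_ID.iam.gserviceaccount.com naming. The comparison logic is kept in a pure function so it can be tested without touching GCP, and it also flags the basic roles/owner and roles/editor, which the setup script does not grant and whose presence means the account was widened by hand.

```bash
#!/usr/bin/env bash
# Added example (not a project script): verify required APIs and SA roles.
# Assumes the service account naming pulumi-infra@PROJECT_ID.iam.gserviceaccount.com.
set -eu

REQUIRED_APIS="compute.googleapis.com container.googleapis.com
cloudresourcemanager.googleapis.com servicenetworking.googleapis.com
artifactregistry.googleapis.com storage.googleapis.com alloydb.googleapis.com
redis.googleapis.com secretmanager.googleapis.com iam.googleapis.com"

REQUIRED_ROLES="roles/compute.admin roles/container.admin
roles/artifactregistry.admin roles/storage.admin roles/alloydb.admin
roles/redis.admin roles/secretmanager.admin roles/iam.securityAdmin
roles/serviceusage.serviceUsageAdmin"

# missing_items REQUIRED ACTUAL
# Print every whitespace-separated item of REQUIRED that does not occur as a
# whole item in ACTUAL. Pure string processing, no gcloud call, so the logic
# can be exercised offline against constructed input.
missing_items() {
  local required=$1 actual item
  actual=" $(printf '%s' "$2" | tr -s '[:space:]' ' ') "
  for item in $required; do
    case "$actual" in
      *" $item "*) ;;
      *) printf '%s\n' "$item" ;;
    esac
  done
}

# basic_roles_present ROLES: print roles/owner or roles/editor if bound.
# The setup script never grants these; seeing them means manual widening.
basic_roles_present() {
  local role
  for role in $1; do
    case "$role" in roles/owner|roles/editor) printf '%s\n' "$role" ;; esac
  done
}

# Live lookups. config.name and the flatten/filter pattern on bindings are the
# documented gcloud ways to list enabled services and a member's roles.
enabled_apis() {
  gcloud services list --enabled --project="$1" --format='value(config.name)'
}

sa_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$2" \
    --format='value(bindings.role)'
}

# report LABEL ITEMS: one line per offending item, return 1 if there are any.
report() {
  if [ -z "$2" ]; then
    echo "ok: $1"
    return 0
  fi
  printf '%s\n' "$2" | sed "s/^/PROBLEM ($1): /"
  return 1
}

# preflight PROJECT_ID: run all three checks, non-zero exit if any fails.
preflight() {
  local project=$1 sa="pulumi-infra@$1.iam.gserviceaccount.com" rc=0 roles
  roles=$(sa_roles "$project" "$sa")
  report "required APIs enabled in $project" \
    "$(missing_items "$REQUIRED_APIS" "$(enabled_apis "$project")")" || rc=1
  report "required roles bound to $sa" \
    "$(missing_items "$REQUIRED_ROLES" "$roles")" || rc=1
  report "no basic roles on $sa" "$(basic_roles_present "$roles")" || rc=1
  return $rc
}

# Usage: ./preflight.sh serko-northsky-dev
if [ $# -gt 0 ]; then
  preflight "$1"
fi
```

Run it once per project after setup-account.sh; a clean run prints three ok lines. Run it again whenever a preview fails with a permission error, since a missing API or role shows up here before Pulumi produces a less readable error.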
3. Service Account Key Storage
Keys are stored in infra/pulumi/keys/ (git-ignored):
keys/
├── pulumi-dev-key.json
├── pulumi-test-key.json
└── pulumi-prod-key.json
Never commit service account keys to version control. The keys/ directory is included in .gitignore, but that only guards against an accidental commit: a downloaded key is a long-lived credential that does not expire on its own, so it must also be kept out of shell history, CI logs, shared drives and backups, and deleted from the service account (gcloud iam service-accounts keys delete) as soon as it is no longer needed. Where the workflow allows it, prefer short-lived credentials, such as service account impersonation from a developer's own gcloud login or Workload Identity Federation from CI, over a downloaded key file.
State Backend Setup
Pulumi state is stored in Google Cloud Storage for team collaboration.
1. Create State Bucket
Run the bootstrap script to create the state bucket:
cd infra/pulumi
./scripts/bootstrap.sh
This creates a GCS bucket named serko-northsky-pulumi-state with:
- Versioning enabled for state history
- Uniform bucket-level access
Treat this bucket as sensitive. Pulumi encrypts values marked as secrets, but every other resource property and output is stored in the state file in plaintext, and versioning keeps every previous state, so old values remain readable after they are changed. Limit bucket access to the Pulumi service accounts and the operators who run deployments.
2. Configure Pulumi Backend
The env.sh script in the infra/ directory automatically logs into the GCS backend when it is sourced with an environment name:
source env.sh dev
# Automatically runs: pulumi login gs://serko-northsky-pulumi-state
Initial Stack Setup
After completing prerequisites, initialize the Pulumi stacks:
cd infra/pulumi
# Install dependencies
pnpm install --ignore-workspace
# Initialize each environment stack
source ../env.sh dev && pulumi stack init dev
source ../env.sh test && pulumi stack init test
source ../env.sh prod && pulumi stack init prod
Verification
Verify your setup by running:
cd infra
# Select development environment
source env.sh dev
# Check authentication
gcloud auth list
# Preview infrastructure (should show all resources to create)
cd pulumi
pulumi preview
If the preview runs without authentication errors, you're ready to deploy.
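Passing the checks above proves the credentials work, not that they are the right ones for the environment you are about to change. The following is an added example, not part of env.sh or the project's scripts, that confirms the active gcloud account, the Pulumi backend and the selected stack all belong to the same environment before a preview or update runs. Project IDs, the bucket name and the service account naming come from this page; that env.sh leaves the environment's pulumi-infra key as the active gcloud account is an assumption, and the `Backend URL:` line is what pulumi whoami -v prints.

```bash
#!/usr/bin/env bash
# Added example (not a project script): refuse to run against a mismatched
# environment. Assumes env.sh activates the pulumi-infra key for the chosen env.
set -eu

STATE_BACKEND="gs://serko-northsky-pulumi-state"

# project_for ENV: project ID from the table on this page; fails on unknown names.
project_for() {
  case "$1" in
    dev)  echo serko-northsky-dev ;;
    test) echo serko-northsky-test ;;
    prod) echo northsky-473920 ;;
    *)    return 1 ;;
  esac
}

# verify_context ENV ACCOUNT BACKEND STACK
# Pure comparison of observed values against what ENV requires. Prints one line
# per mismatch and returns 1 if anything is off. No gcloud/pulumi calls here, so
# it can be tested with constructed values.
verify_context() {
  local env=$1 account=$2 backend=$3 stack=$4 rc=0 project
  project=$(project_for "$env") || { echo "unknown environment '$env'"; return 1; }
  if [ "$account" != "pulumi-infra@$project.iam.gserviceaccount.com" ]; then
    echo "active gcloud account is '$account', not the $env Pulumi service account"
    rc=1
  fi
  if [ "$backend" != "$STATE_BACKEND" ]; then
    echo "pulumi backend is '$backend', expected $STATE_BACKEND"
    rc=1
  fi
  if [ "$stack" != "$env" ]; then
    echo "selected stack is '$stack', expected '$env'"
    rc=1
  fi
  return $rc
}

# verify_live ENV: gather the real values and compare.
# 'pulumi whoami -v' prints a 'Backend URL: ...' line; 'pulumi stack --show-name'
# prints only the currently selected stack name.
verify_live() {
  verify_context "$1" \
    "$(gcloud auth list --filter=status:ACTIVE --format='value(account)')" \
    "$(pulumi whoami -v | sed -n 's/^Backend URL: //p')" \
    "$(pulumi stack --show-name)"
}

# Usage: source ../env.sh prod && ./verify-context.sh prod && pulumi preview
if [ $# -gt 0 ]; then
  verify_live "$1"
fi
```

Chaining the script with && in front of pulumi preview or pulumi up means a stale terminal that still has the dev key active, or a forgotten pulumi stack select, stops the run instead of applying the wrong stack with the wrong credentials.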