☁️ GCP Tooling Guide
This page describes how we use Google Cloud Platform (GCP) at Darukaa to manage our infrastructure, deployments, and services.
📦 GCP Projects
We currently use a single GCP project for all environments (staging & production), with IAM roles and Cloud Build triggers to manage deployments safely.
🧱 Core Services Used
| GCP Service | Purpose |
|---|---|
| Cloud Build | CI/CD pipelines for frontend, backend, and cloud functions |
| Cloud Run | (Optional) For running containerized apps |
| Cloud Functions | Event-based serverless functions |
| Cloud SQL | PostgreSQL database hosting |
| Secret Manager | Store and access API keys, env vars securely |
| Artifact Registry | Docker image registry for backend builds |
| Logging | Centralized log collection and error tracing |
| IAM | Role-based access control |
| Vertex AI | Deploy custom models for inference |
🚀 CI/CD with Cloud Build
Each repository (Product, Product_backend, Darukaa.earth) has a cloudbuild.yaml configured.
Workflow
- Trigger: GitHub webhook on merge to `main`
- Build: Install deps, run linter/tests, build artifacts
- Deploy:
  - Frontend: deploys to Firebase or GCS
  - Backend: deploys to Cloud Run or updates services
  - Cloud Functions: deployed via `gcloud functions deploy`
✅ Production deploys require manual approval via the Cloud Build UI or GitHub Actions.
🔐 Secret Management
Secrets such as API keys, DB credentials, and webhook URLs are stored in GCP Secret Manager.
- Use the format: `ENVIRONMENT_SERVICE_KEY`
- e.g., `STAGING_DB_PASSWORD`, `PROD_SLACK_WEBHOOK`
- Access them using `gcloud secrets versions access ...` or via environment injection in Cloud Build.
Never commit secrets to version control. Always use the Secret Manager.
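Because staging and production share one project, the environment prefix in the secret name is the only marker of which environment a secret belongs to. The script below is an added example, not code from our pipelines: it lints a build config for secret references that break the naming convention or cross environments. The function names and the sample config are hypothetical, and it assumes `STAGING` and `PROD` are the only prefixes.

```shell
# Added example (not the team's pipeline code): flag secret references that
# break ENVIRONMENT_SERVICE_KEY or belong to another environment.
# Assumption: STAGING and PROD are the only environment prefixes.
LC_ALL=C; export LC_ALL
# classify_secret ENV NAME -> prints ok | cross-env | malformed
classify_secret() {
  case "$2" in
    *[!A-Z0-9_]*|*__*|*_) echo malformed ;;   # upper-case tokens, none empty
    "$1"_*_*) echo ok ;;                       # ENV, SERVICE, KEY at minimum
    STAGING_*_*|PROD_*_*) echo cross-env ;;
    *) echo malformed ;;
  esac
}

# Reads a build config on stdin, prints each referenced secret name once.
extract_secret_refs() {
  grep -oE -e 'secrets/[A-Za-z0-9_-]+/versions|--secret=[A-Za-z0-9_-]+' \
    | sed -e 's#^secrets/##' -e 's#/versions$##' -e 's#^--secret=##' | sort -u
}

# lint_build_config ENV < config: prints findings, returns 1 if there are any.
lint_build_config() {
  findings=$(extract_secret_refs | while read -r name; do
    status=$(classify_secret "$1" "$name")
    [ "$status" = ok ] || echo "$status $name"
  done)
  [ -z "$findings" ] && return 0
  echo "$findings"
  return 1
}

# Constructed sample: a staging build config that also pulls a production secret.
sample_config() {
  cat <<'EOF'
steps:
  - name: gcr.io/cloud-builders/gcloud
    entrypoint: bash
    args: ['-c', 'gcloud secrets versions access latest --secret=PROD_SLACK_WEBHOOK']
    secretEnv: ['DB_PASSWORD']
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/STAGING_DB_PASSWORD/versions/latest
      env: 'DB_PASSWORD'
    - versionName: projects/$PROJECT_ID/secrets/db-password/versions/latest
      env: 'LEGACY_DB_PASSWORD'
EOF
}

sample_config | lint_build_config STAGING || echo "secret lint failed for STAGING"
```

Run as a build step before deploy, a non-zero return from `lint_build_config` stops a staging build that references a `PROD_` secret.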
🗄️ Cloud SQL (PostgreSQL)
- We use a single PostgreSQL instance shared across environments.
- Connections use a private IP, managed through a VPC connector.
- Be mindful of schema changes — coordinate with the team before applying migrations.
🔍 Logs & Debugging
Use Cloud Logging to view logs from:
- Cloud Functions
- Backend API (via FastAPI logging)
- Cloud Build steps
To view logs:
- Go to console.cloud.google.com/logs
- Use filters: e.g., `resource.type="cloud_function"` or `severity="ERROR"`
👥 IAM Access
GCP access is granted based on roles:
| Role | Access Level |
|---|---|
| Viewer | Read-only access to services |
| Developer | Access to deploy builds |
| Admin | Full access including secrets |
Reach out to the Infra lead or Engineering Manager to request access or permissions changes.
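🛠️ Helpful Commands
```bash
# List all secrets
gcloud secrets list
# Access a secret value (prints the plaintext to stdout, so keep it out of shared terminals and build logs)
gcloud secrets versions access latest --secret=PROD_API_KEY
# Deploy a cloud function
# Note: --allow-unauthenticated makes the HTTP endpoint callable by anyone; omit it for internal functions
gcloud functions deploy my-function-name --runtime python310 --trigger-http --allow-unauthenticated
# Read recent logs for a function
gcloud functions logs read my-function-name
```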