
[Feature Request]: Terraform Module - "mcp-gateway-gcp" supporting GKE and Cloud Run #275

@crivetimihai


🧭 Epic

Title: Terraform Module – "mcp-gateway-gcp"


Goal

Release an official Terraform module (terraform-google-mcpgateway) that deploys a production-ready MCP Gateway on Google Cloud Platform with a single terraform apply.
The module must support both GKE (Google Kubernetes Engine) and Cloud Run targets, ship opinionated defaults, and remain purely optional for users who prefer other deployment approaches.

Registry target: registry.terraform.io/ibm-mcp-gateways/mcpgateway/google


🧭 Type of Feature

  • Infrastructure-as-Code
  • Operator tooling

🛠 Module Features & Inputs

| Variable | Type / Default | Description |
|---|---|---|
| platform | "gke" \| "cloudrun" \| "none" | GKE Autopilot cluster or fully-managed Cloud Run service. |
| gateway_version | string (default "latest") | Docker tag to run. |
| replicas | number (default 2) | Deployment replica count (GKE Deployment or Cloud Run revision min-instances). |
| db_engine | "cloudsql-postgres" \| "spanner" \| "sqlite" | Choose Cloud SQL (PostgreSQL), Cloud Spanner, or in-pod SQLite. |
| enable_redis | bool (default true) | Provision Memorystore (Redis) for rate-limiting & sessions. |
| custom_domain | string | Managed Certificate + Cloud Load Balancer for HTTPS. |
| policy_bundle_gcs_uri | string (optional) | gs:// URI for Rego bundle (Policy-as-Code engine). |
| observability | object | Enable Cloud Logging, Cloud Monitoring dashboards, and Log-Based Alerts. |
| labels | map(string) | GCP resource labels. |

Outputs: HTTPS Load Balancer URL, Cloud Run service URL (when used), Cloud SQL connection name, Service Account emails.


🙋‍♂️ User Stories & Acceptance Criteria

Story 1 – Minimal GKE Autopilot Deploy

Scenario: Deploy Gateway on GKE Autopilot
Given gcloud auth is set and project "mcp-demo" selected
When I write:
  module "gateway" {
    source         = "ibm-mcp-gateways/mcpgateway/google"
    platform       = "gke"
    custom_domain  = "api.demo.example.com"
    labels         = { env = "demo", team = "platform" }
  }
And run "terraform apply"
Then https://api.demo.example.com/health returns 200
And GET /version shows gateway_version

Story 2 – Cloud Run with Cloud SQL & Memorystore

Scenario: Cloud Run + Cloud SQL
Given variables platform="cloudrun" db_engine="cloudsql-postgres"
When apply completes
Then a Cloud SQL instance is RUNNABLE
And Cloud Run logs show "Connected to Cloud SQL ✔"

Story 3 – Policy Bundle from Cloud Storage

Scenario: Attach Rego bundle
Given gs://policy-bucket/bundle.tar.gz exists
And policy_bundle_gcs_uri="gs://policy-bucket/bundle.tar.gz"
When service starts
Then gateway logs "Loaded policy bundle (v1)" within 60 s

Story 4 – Destroy Preserves Existing VPC (flag)

Scenario: Keep shared VPC
Given create_vpc=false
When apply then destroy
Then shared VPC "prod-shared-vpc" still exists

πŸ“ Reference Architecture (PlantUML)

@startuml
skinparam componentStyle rectangle
package "Google Cloud" {
  [HTTPS Load Balancer] --> [GKE Deployment] : 443
  [HTTPS Load Balancer] --> [Cloud Run Service] : 443
  [GKE Deployment] --> [Cloud SQL]
  [Cloud Run Service] --> [Cloud SQL]
  [GKE Deployment] --> [Memorystore Redis]
  [Cloud Run Service] --> [Memorystore Redis]
}
note left of "HTTPS Load Balancer"
  Optionally fronted
  by Cloud Armor WAF
end note
@enduml

📂 Repository Layout

terraform-google-mcpgateway/
├── main.tf
├── variables.tf
├── outputs.tf
├── versions.tf
├── modules/
│   ├── gke/
│   ├── cloudrun/
│   ├── cloudsql/
│   └── redis/
├── examples/
│   ├── gke_minimal/
│   └── cloudrun_full/
└── docs/
    ├── README.md
    ├── advanced.md
    └── architecture.puml

📋 Global Acceptance Checklist

  • terraform validate, tflint, checkov pass with no high/critical issues.
  • Example configs deploy successfully in us-central1; /health returns 200.
  • Module published on Terraform Registry with inputs/outputs tables & diagrams.
  • CI workflow runs terraform init -backend=false && terraform validate && terraform fmt -check.
  • README includes Quick-Start, advanced options, and monthly cost estimate.
  • Supports Terraform ≥ 1.6 and Google provider ≥ 5.0.
  • Rego bundle fetched from GCS when policy_bundle_gcs_uri is set.
  • Cloud Monitoring dashboard JSON & alert policy outputs provided when observability enabled.
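The checklist above requires tflint and checkov to pass with no high/critical findings. Generic scanners do not know which of this module's settings matter for the reference architecture, so as an added example (not code from this issue or from the MCP Gateway project) here is a plan gate that reads `terraform show -json plan.out` output and rejects the four settings that would undermine it: a Cloud SQL instance with a public IPv4 address, a Cloud Run service whose ingress is not restricted to the HTTPS load balancer (bypassing Cloud Armor), a revision that runs as the default compute service account, and a Memorystore instance without AUTH or in-transit encryption. Resource types and attribute names are the google provider's real ones; the module-internal addresses, the service account e-mail and the two sample plans are constructed for the example.

```python
"""Added example (not the issue's or the module's code): a checkov-style gate over
`terraform show -json plan.out` output for the resources this module provisions.
Resource types and attribute names are the google provider's; module addresses,
the service account e-mail and the two sample plans are constructed here."""
import json
import sys
from typing import Iterator, List


def make_plan(*, ipv4_enabled: bool, ingress: str, service_account: str,
              auth_enabled: bool, transit_mode: str) -> str:
    """Constructed, trimmed plan JSON holding the three resources the checks read."""
    def res(module, name, rtype, values):
        return {"address": f"{module}.{rtype}.{name}", "type": rtype, "values": values}
    modules = [
        {"address": "module.gateway.module.cloudrun", "resources": [res(
            "module.gateway.module.cloudrun", "gateway", "google_cloud_run_v2_service",
            {"ingress": ingress, "template": [{"service_account": service_account}]})]},
        {"address": "module.gateway.module.cloudsql", "resources": [res(
            "module.gateway.module.cloudsql", "db", "google_sql_database_instance",
            {"settings": [{"ip_configuration": [{"ipv4_enabled": ipv4_enabled}]}]})]},
        {"address": "module.gateway.module.redis", "resources": [res(
            "module.gateway.module.redis", "cache", "google_redis_instance",
            {"auth_enabled": auth_enabled, "transit_encryption_mode": transit_mode})]},
    ]
    return json.dumps({"planned_values": {"root_module": {"child_modules": modules}}})


# Provider defaults when the attributes are left unset: public IP on, ingress open, no AUTH, no TLS.
WEAK_PLAN_JSON = make_plan(ipv4_enabled=True, ingress="INGRESS_TRAFFIC_ALL", service_account="",
                           auth_enabled=False, transit_mode="DISABLED")
# What the module's opinionated defaults should produce (service account e-mail is assumed).
HARDENED_PLAN_JSON = make_plan(ipv4_enabled=False, ingress="INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER",
                               service_account="mcp-gateway@mcp-demo.iam.gserviceaccount.com",
                               auth_enabled=True, transit_mode="SERVER_AUTHENTICATION")


def iter_resources(plan: dict) -> Iterator[dict]:
    """Yield every planned resource from root_module and all nested child_modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def first_block(values: dict, *path: str) -> dict:
    """Nested blocks appear as single-element lists in plan JSON; descend through `path`."""
    current = values
    for key in path:
        nxt = current.get(key)
        if isinstance(nxt, list):
            nxt = nxt[0] if nxt else None
        if not isinstance(nxt, dict):
            return {}
        current = nxt
    return current


def check_resource(res: dict) -> List[str]:
    """Return one finding per insecure setting; fallbacks mirror the provider defaults when unset."""
    rtype, addr, values = res["type"], res["address"], res.get("values") or {}
    findings = []
    if rtype == "google_sql_database_instance":
        if first_block(values, "settings", "ip_configuration").get("ipv4_enabled", True):
            findings.append(f"{addr}: public IPv4 enabled; set settings.ip_configuration.ipv4_enabled = false "
                            "and reach the instance over private_network / the Cloud SQL connector")
    elif rtype == "google_cloud_run_v2_service":
        if values.get("ingress", "INGRESS_TRAFFIC_ALL") == "INGRESS_TRAFFIC_ALL":
            findings.append(f"{addr}: ingress open to the internet; use INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER "
                            "so traffic only arrives via the HTTPS LB (and Cloud Armor)")
        if not first_block(values, "template").get("service_account"):
            findings.append(f"{addr}: no dedicated service account; revision would run as the default compute SA")
    elif rtype == "google_redis_instance":
        if not values.get("auth_enabled", False):
            findings.append(f"{addr}: Memorystore AUTH disabled; set auth_enabled = true")
        if values.get("transit_encryption_mode", "DISABLED") != "SERVER_AUTHENTICATION":
            findings.append(f'{addr}: Memorystore traffic unencrypted; set transit_encryption_mode = "SERVER_AUTHENTICATION"')
    return findings


def gate_plan(plan_json: str) -> List[str]:
    """Run every check over a plan document and return the findings (empty means pass)."""
    plan = json.loads(plan_json)
    return [f for res in iter_resources(plan) for f in check_resource(res)]


if __name__ == "__main__":
    # Usage (script name assumed): terraform plan -out=plan.out
    #   && terraform show -json plan.out > plan.json && python plan_gate.py plan.json
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_PLAN_JSON
    problems = gate_plan(source)
    for problem in problems:
        print("FAIL", problem)
    sys.exit(1 if problems else 0)
```

Run it in the CI workflow right after `terraform validate`; because it reads the plan rather than the source, it also catches values that come in through variables or overrides rather than literals in the module.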

🔄 Roll-Out Plan

  1. Scaffold repo terraform-google-mcpgateway.
  2. Implement Cloud Run path; add Cloud SQL & Memorystore sub-modules.
  3. Port to GKE Autopilot with node auto-provisioning.
  4. Provide fully-worked examples and CI validation.
  5. Add Monitoring dashboard (JSON) and Alerting Policy sample.
  6. Publish to Terraform Registry; tag v0.1.0.
  7. Record demo GIF and cross-link from main MCP Gateway README.

Labels: enhancement, triage
