Infrastructure
Sources of truth
| Layer | Location | Who can change |
|---|---|---|
| GCP (Cloud Run, Postgres, IAM, Secret Manager) | tappass/infra/terraform/ | Ops + 2nd reviewer |
| Cloudflare (DNS, Pages, Access policies, Tunnels) | tappass/infra/cloudflare/ | Ops + 2nd reviewer |
| Kubernetes (on-prem license server) | tappass-platform/deploy/ | On-prem admin |
Naming conventions
- GCP project: `tappass-prod-eu-west1`, `tappass-staging-eu-west1`
- Cloud Run service: matches repo name (`tappass`, `tappass-assess`, …)
- Postgres instance: `tappass-<env>-pg`
- Cloudflare Pages project: `tappass-docs`, `tappass-docs-internal`, `tappass-ai` (marketing)
- Tunnel: `docs-tunnel` (legacy — being wound down), `ssh-tunnel`, `tappass-demo`, …
Access
| System | Admin access via |
|---|---|
| GCP | Google Workspace SSO → IAM role roles/owner (Jens) or least-privilege per-service roles |
| Cloudflare | Email + TOTP; no API tokens outside CI |
| GitHub org | SSO + FIDO2 security keys required for admin |
| 1Password | Single workspace, MFA enforced |
Apply a Terraform change
```sh
cd tappass/infra/terraform
terraform init
terraform plan -out=tfplan
# paste the plan into the PR description
# after approval:
terraform apply tfplan
```

Don’t apply from a laptop for prod — use the GH Actions terraform-apply workflow (requires 2nd reviewer).
Drift detection
`terraform plan` runs nightly via GH Actions. Any drift is posted to #ops.
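An added example (not code from the tappass repo) of how the nightly job can classify the result of `terraform plan -detailed-exitcode` and post a one-line summary to #ops; the names `TERRAFORM_BIN`, `OPS_WEBHOOK_URL`, `drift_status` and `check_drift` are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the tappass repo's own workflow code.
# `terraform plan -detailed-exitcode` exits 0 = no changes, 1 = error,
# 2 = the plan differs from state (drift). Everything below maps that
# exit code to a status word and reports it.
# Assumptions: TERRAFORM_BIN (binary to run) and OPS_WEBHOOK_URL (#ops
# incoming-webhook URL, read from the CI environment, never hard-coded).
set -u

TERRAFORM_BIN="${TERRAFORM_BIN:-terraform}"

# Map terraform's detailed exit code to a status word.
drift_status() {
  case "$1" in
    0) echo "clean" ;;
    2) echo "drift" ;;
    *) echo "error" ;;
  esac
}

# Run a read-only plan in the given directory, print the status word and
# return 0 only when there is no drift. -lock=false so the nightly check
# never blocks a real apply; -input=false so CI can never hang on a prompt.
check_drift() {
  dir="$1"
  if plan_out=$(cd "$dir" && "$TERRAFORM_BIN" plan -input=false -lock=false \
      -no-color -detailed-exitcode 2>&1); then
    rc=0
  else
    rc=$?
  fi
  status=$(drift_status "$rc")
  # Last line of the plan output ("Plan: 1 to add, ...") goes to the CI log.
  printf '%s\n' "$plan_out" | tail -n 1 >&2
  if [ "$status" != "clean" ] && [ -n "${OPS_WEBHOOK_URL:-}" ]; then
    # Post a summary only; the full plan (resource ids, addresses) stays in CI.
    curl -fsS -X POST -H 'Content-type: application/json' \
      --data "{\"text\":\"terraform drift check ($dir): $status (exit $rc)\"}" \
      "$OPS_WEBHOOK_URL" >/dev/null || echo "warning: could not post to #ops" >&2
  fi
  echo "$status"
  [ "$status" = "clean" ]
}

# Run directly: ./drift-check.sh tappass/infra/terraform
if [ $# -gt 0 ]; then check_drift "$1"; fi
```

Gate the nightly job on the function's exit status so a non-clean run fails visibly in GH Actions as well as in #ops.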