Google Cloud
Security
intermediate
Secret-Hardened Application — Google Cloud Architecture Template
An application whose credentials live only in Secret Manager, encrypted with customer-managed KMS keys and fully audit-logged.
Why this architecture works
- No secret ever appears in code, images, or environment files — everything resolves at runtime.
- CMEK on Secret Manager and Cloud SQL keeps key custody with you, enabling crypto-shredding.
- Secret versions support instant rotation and rollback without redeploying the app.
- Every secret access is audit-logged, making credential misuse detectable.
- IAM secret-accessor roles are granted per secret, not project-wide.
What's inside (8 resources)
HTTPS LB
gcp-cloud-load-balancing
CMEK Keys
gcp-kms
Application
gcp-cloud-run
Secret Manager
gcp-secret-manager
Encrypted Cloud SQL
gcp-cloud-sql
Access Audit Logs
gcp-logging
Secret Accessor IAM
gcp-iam
Cloud Monitoring
gcp-monitoring
From template to running infrastructure
- Open this template in the CloudForge visual designer (free account, no credit card).
- Customize resources, names, and connections on the drag-and-drop canvas — or ask Vani, the AI architect, to adapt it.
- Generate production-ready Terraform or Pulumi in one click.
- Review the plan diff and security scan, then deploy with human approval.