Terraform + UpCloud — Overview

OWNER: arjan
ALSO_USED_BY: gerco, thijmen, rutger
LAST_VERIFIED: 2026-03-26
GE_STACK_VERSION: terraform ~> 1.14.x, upcloud provider ~> 5.0


Overview

Terraform is GE's infrastructure-as-code tool for managing UpCloud resources.
UpCloud is GE's ONLY cloud provider — all infrastructure is EU-hosted.
The UpCloud Terraform provider is a verified HashiCorp Technology Partner provider
maintained by UpCloudLtd.


Why UpCloud

GE chose UpCloud for:

  1. EU data sovereignty — European company, EU-only data centres
  2. ISO 27001 certified — aligns with GE compliance requirements
  3. Free Kubernetes control plane — no EKS/GKE-style control plane fees
  4. Zero egress fees — critical for CDN origin pulls and inter-service traffic
  5. 100% uptime SLA — covers Public Cloud, Managed K8s, and Managed Databases
  6. Fixed pricing — no surprise bills, hourly billing with monthly caps

Version Pinning

GE pins both Terraform and the UpCloud provider:

terraform {
  required_version = "~> 1.14.0"

  required_providers {
    upcloud = {
      source  = "UpCloudLtd/upcloud"
      version = "~> 5.0"
    }
  }
}

CHECK: required_version constraint is present in every root module
CHECK: provider version is pinned with ~> (pessimistic constraint)
CHECK: .terraform.lock.hcl is committed to git

IF: upgrading Terraform version
THEN: coordinate with arjan
THEN: test in Zone 1 workspace first
THEN: update this page's GE_STACK_VERSION


Authentication

The UpCloud provider authenticates via environment variables, using either a username/password pair (legacy) or an API token (preferred):

# Option 1: Username/password (legacy)
export UPCLOUD_USERNAME="ge-terraform"
export UPCLOUD_PASSWORD="from-vault"

# Option 2: API token (preferred)
export UPCLOUD_TOKEN="from-vault"

CHECK: credentials come from Vault, never hardcoded
CHECK: CI/CD uses OIDC or short-lived tokens where possible
READ_ALSO: wiki/docs/stack/github-actions/security.md


Workspace Structure

GE uses one Terraform workspace per zone:

Workspace    Zone   Purpose                      Owner
dev          1      Development infrastructure   gerco
staging      2      Staging environment          thijmen
production   3      Production environment       rutger

IF: running terraform apply
THEN: verify you are in the correct workspace first
RUN: terraform workspace show


GE-Specific Conventions

  1. All Terraform state stored in remote backend (never local)
  2. One root module per major infrastructure concern
  3. Shared modules in modules/ directory
  4. All resources tagged with ge.zone and ge.managed-by
  5. Destroy protection enabled on all stateful resources
  6. terraform plan output reviewed before every apply
  7. Zone 3 (production) applies require arjan's approval
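As an added example (not the wiki's or GE's own code), a root module that applies the conventions above in one place: the pins from Version Pinning, token auth taken from the environment, a workspace-to-zone guard that fails the plan in an unknown workspace, the ge.zone / ge.managed-by labels, and destroy protection on a stateful resource. The partial S3-style backend config, the zone de-fra1, the plan name and the labels attribute on the database resource are assumptions.

```hcl
# Hypothetical root module for one GE zone (example, not GE's own code).
terraform {
  required_version = "~> 1.14.0"

  required_providers {
    upcloud = {
      source  = "UpCloudLtd/upcloud"
      version = "~> 5.0"
    }
  }

  # Remote state only: partial backend config, completed at `terraform init`
  # with -backend-config values supplied by CI (assumed, not GE's actual backend).
  backend "s3" {}
}

# Credentials come from UPCLOUD_TOKEN in the environment, so the provider
# block carries no secrets and nothing secret lands in state or git.
provider "upcloud" {}

locals {
  # Map the active workspace to its GE zone (dev=1, staging=2, production=3).
  # Indexing a map with an unknown key is a plan-time error, so an accidental
  # `terraform workspace new foo` cannot apply anything.
  zone_by_workspace = { dev = 1, staging = 2, production = 3 }
  ge_zone           = local.zone_by_workspace[terraform.workspace]

  # Labels required by the tagging convention (assumed accepted as-is).
  ge_labels = {
    "ge.zone"       = tostring(local.ge_zone)
    "ge.managed-by" = "terraform"
  }
}

# Stateful resource: destroy protection on, so `terraform destroy` or a plan
# that would replace it fails instead of dropping the database.
resource "upcloud_managed_database_postgresql" "main" {
  name  = "ge-${terraform.workspace}-pg"
  plan  = "1x1xCPU-2GB-25GB" # assumed plan name
  title = "ge ${terraform.workspace} postgres"
  zone  = "de-fra1"          # assumed EU zone

  labels = local.ge_labels # assumed attribute on this resource

  lifecycle {
    prevent_destroy = true
  }
}
```

Run `terraform workspace show` before `terraform plan`; with this layout a wrong workspace surfaces as a failed plan rather than a wrong zone being applied.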

Cross-References

READ_ALSO: wiki/docs/stack/terraform-upcloud/patterns.md
READ_ALSO: wiki/docs/stack/terraform-upcloud/upcloud-resources.md
READ_ALSO: wiki/docs/stack/terraform-upcloud/pitfalls.md
READ_ALSO: wiki/docs/stack/terraform-upcloud/checklist.md
READ_ALSO: wiki/docs/stack/kubernetes/index.md
READ_ALSO: wiki/docs/stack/bunnynet/index.md