
Secure Cloud SQL Deployment with IAM Auth

CI/CD pipeline on GCP using GitHub Actions, Terraform, Cloud Run, and IAM-authenticated Cloud SQL with restricted networking, delivering fast, consistent deployments with automated security controls.

Tech Stack

  • GCP
  • Terraform
  • GitHub Actions
  • Cloud Run
  • Cloud SQL (IAM Auth)
  • GitHub Advanced Security

Overview

A comprehensive DevSecOps solution that automates secure database deployments on Google Cloud Platform. This project implements IAM-based authentication for Cloud SQL, eliminating the need for database passwords and significantly improving security posture. The entire infrastructure is managed through Infrastructure as Code (Terraform) and deployed via automated CI/CD pipelines.

Challenges

  • Eliminating database password management and reducing attack surface
  • Ensuring secure network connectivity between Cloud Run and Cloud SQL
  • Automating deployments while maintaining security compliance
  • Implementing least-privilege IAM policies for database access
  • Creating reusable Terraform modules for consistent deployments

Solutions

  • Implemented IAM database authentication, removing password-based access entirely
  • Configured private IP networking with VPC peering for secure database connections
  • Built GitHub Actions workflows that automatically test, build, and deploy infrastructure
  • Designed custom IAM roles with minimal required permissions following least-privilege principles
  • Created modular Terraform configurations enabling rapid, consistent provisioning across environments
  • Integrated GitHub Advanced Security to scan for vulnerabilities before deployment

Results

  • Reduced database provisioning time from days to hours through automation
  • Eliminated all password-based database access, improving security posture
  • Achieved 100% infrastructure-as-code coverage with zero manual configuration
  • Enabled consistent deployments across dev, staging, and production environments
  • Blocked 20+ high-risk vulnerabilities pre-production through automated security scanning

Architecture

The architecture leverages Cloud Run for serverless container execution, connected to Cloud SQL via private IP networking. Terraform manages all infrastructure components including VPC networks, Cloud SQL instances, IAM roles, and Cloud Run services. GitHub Actions orchestrates the entire CI/CD pipeline, running security scans, validating Terraform configurations, and deploying changes automatically upon merge to main.
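The following Terraform configuration is an added illustration of the pattern described in the Solutions list and the Architecture paragraph above; it is not the project's own Terraform (the page does not show any). It provisions a private-IP-only Cloud SQL instance with IAM authentication turned on, a single service-account database user in place of any password user, the two least-privilege Cloud SQL roles that user needs, and a Cloud Run service that reaches the database over the VPC. Every resource name, the CIDR range, the variable names (project_id, region, image), the Postgres version and the machine tier are assumptions chosen for the example.

```hcl
# Added example, not the project's own code. Assumed inputs: var.project_id,
# var.region, var.image (the container image the CI pipeline pushes).
terraform {
  required_providers {
    google = { source = "hashicorp/google", version = "~> 5.0" }
  }
}

provider "google" {
  project = var.project_id
  region  = var.region
}

variable "project_id" { type = string }
variable "region" {
  type    = string
  default = "us-central1"
}
variable "image" { type = string }

# VPC plus a reserved range that Service Networking peers to Google's producer
# network; this is what lets the instance exist with only a private address.
resource "google_compute_network" "vpc" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "app" {
  name          = "app-subnet"
  region        = var.region
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.0.0/24" # constructed sample range
}

resource "google_compute_global_address" "sql_range" {
  name          = "sql-private-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.vpc.id
}

resource "google_service_networking_connection" "sql_peering" {
  network                 = google_compute_network.vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.sql_range.name]
}

# Cloud SQL: no public IPv4, attached to the peered VPC, IAM auth enabled.
resource "google_sql_database_instance" "db" {
  name                = "app-db"
  database_version    = "POSTGRES_15"
  region              = var.region
  deletion_protection = true
  depends_on          = [google_service_networking_connection.sql_peering]

  settings {
    tier = "db-custom-1-3840"
    ip_configuration {
      ipv4_enabled    = false # private IP only
      private_network = google_compute_network.vpc.id
    }
    database_flags {
      name  = "cloudsql.iam_authentication"
      value = "on"
    }
  }
}

resource "google_sql_database" "app" {
  name     = "app"
  instance = google_sql_database_instance.db.name
}

# Runtime identity for Cloud Run; it is the only principal that can log in.
resource "google_service_account" "app" {
  account_id   = "app-run-sa"
  display_name = "Cloud Run runtime identity for app"
}

# IAM database user: the service-account email without ".gserviceaccount.com".
# No password attribute exists for this user type, so none can leak.
resource "google_sql_user" "app_iam" {
  name     = trimsuffix(google_service_account.app.email, ".gserviceaccount.com")
  instance = google_sql_database_instance.db.name
  type     = "CLOUD_IAM_SERVICE_ACCOUNT"
}

# Least privilege at the project level: connect to the instance and log in
# with an IAM token; no cloudsql.admin or editor grants.
resource "google_project_iam_member" "sa_sql" {
  for_each = toset(["roles/cloudsql.client", "roles/cloudsql.instanceUser"])
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.app.email}"
}

# Cloud Run runs as that service account and egresses to private ranges only,
# so the database is reachable over the VPC and never over the public internet.
resource "google_cloud_run_v2_service" "app" {
  name     = "app"
  location = var.region

  template {
    service_account = google_service_account.app.email
    vpc_access {
      network_interfaces {
        network    = google_compute_network.vpc.id
        subnetwork = google_compute_subnetwork.app.id
      }
      egress = "PRIVATE_RANGES_ONLY"
    }
    containers {
      image = var.image
      env {
        name  = "DB_HOST"
        value = google_sql_database_instance.db.private_ip_address
      }
      env {
        name  = "DB_USER"
        value = google_sql_user.app_iam.name
      }
    }
  }
}
```

Two points worth checking when adapting this: the `cloudsql.iam_authentication` flag and the `CLOUD_IAM_SERVICE_ACCOUNT` user only control who may log in, so the table-level `GRANT`s for that user still have to be applied inside the database (for example from a migration job), and the application must obtain its login credential as an OAuth access token rather than a password, which the Cloud SQL connectors and the Auth Proxy do on its behalf when IAM authentication is enabled. Both the `roles/cloudsql.client` and `roles/cloudsql.instanceUser` bindings are required; dropping either one causes connection or login failures rather than a silent fallback to password auth.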