This module is a pre-release version and its interface may change. Please review the changelog between each release and create a GitHub issue for any problems or feature requests.
This repository contains a Terraform module for deploying Langfuse - the open-source LLM observability platform - on GCP. This module aims to provide a production-ready, secure, and scalable deployment using managed services whenever possible.
- Enable required APIs on your Google Cloud Account:
- Certificate Manager API
- Cloud DNS API
- Compute Engine API
- Container File System API
- Google Cloud Memorystore for Redis API
- Kubernetes Engine API
- Network Connectivity API
- Service Networking API
- Set up the module with the settings that suit your need. A minimal installation requires a
domain
which is under your control only.
module "langfuse" {
source = "github.com/langfuse/langfuse-terraform-gcp?ref=0.1.2"
domain = "langfuse.example.com"
# Optional use a different name for your installation
# e.g. when using the module multiple times on the same GCP project
name = "langfuse"
# Optional: Configure the VPC
subnetwork_cidr = "10.0.0.0/16"
# Optional: Configure the Langfuse Helm chart version
langfuse_chart_version = "1.2.15"
}
provider "kubernetes" {
host = module.langfuse.cluster_host
cluster_ca_certificate = module.langfuse.cluster_ca_certificate
token = module.langfuse.cluster_token
}
provider "helm" {
kubernetes {
host = module.langfuse.cluster_host
cluster_ca_certificate = module.langfuse.cluster_ca_certificate
token = module.langfuse.cluster_token
}
}
- Apply the DNS zone and the GKE Cluster. This avoids an error around missing dependencies on the kubernetes_manifest.
terraform init
terraform apply --target module.langfuse.google_dns_managed_zone.this --target module.langfuse.google_container_cluster.this
- Set up the Nameserver delegation on your DNS provider. You can find the nameservers using the following command. Replace
langfuse
with your zone name, e.g.langfuse-example-com
.
$ gcloud dns managed-zones describe langfuse --format="get(nameServers)"
- Apply the full stack
terraform apply
- Start using Langfuse by navigating to
https://<domain>
in your browser.
- Getting an
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
error after installation on the HTTPS endpoint.
Since Google Cloud takes a while (~20 Minutes) to provision new certificates, an invalid TLS certificate is presented for a while after initial installation of this module. Please use gcloud compute ssl-certificates list
to check the current provisioning status. If it is still in PROVISIONING
state this issue is expected. E.g.
$ gcloud compute ssl-certificates list
NAME TYPE CREATION_TIMESTAMP EXPIRE_TIME REGION MANAGED_STATUS
langfuse MANAGED 2025-04-06T03:41:54.791-07:00 PROVISIONING
<hostname>: PROVISIONING
When the certificate becomes active the ingress controller should pick it up and present a valid TLS certificate:
$ gcloud compute ssl-certificates list
NAME TYPE CREATION_TIMESTAMP EXPIRE_TIME REGION MANAGED_STATUS
langfuse MANAGED 2025-04-06T03:41:54.791-07:00 2025-07-05T03:41:56.000-07:00 ACTIVE
<hostname>: ACTIVE
This module creates a complete Langfuse stack with the following components:
- VPC with public and private subnets
- GKE cluster with node pools
- Cloud SQL PostgreSQL instance
- Cloud Memorystore Redis instance
- Cloud Storage bucket for storage
- TLS certificates and Cloud DNS configuration
- Required IAM roles and firewall rules
- GKE Ingress Controller for ingress
- Filestore CSI Driver for persistent storage
Name | Version |
---|---|
terraform | >= 1.0 |
>= 5.0 | |
google-beta | >= 5.0 |
kubernetes | >= 2.10 |
helm | >= 2.5 |
Name | Version |
---|---|
>= 5.0 | |
google-beta | >= 5.0 |
kubernetes | >= 2.10 |
helm | >= 2.5 |
random | >= 3.0 |
tls | >= 3.0 |
Name | Type |
---|---|
google_container_cluster.langfuse | resource |
google_container_node_pool.default | resource |
google_sql_database_instance.postgres | resource |
google_sql_database.langfuse | resource |
google_sql_user.langfuse | resource |
google_redis_instance.redis | resource |
google_storage_bucket.langfuse | resource |
google_compute_managed_ssl_certificate.cert | resource |
google_dns_managed_zone.zone | resource |
google_dns_record_set.langfuse | resource |
google_service_account.gke | resource |
google_project_iam_member.gke | resource |
google_compute_firewall.gke | resource |
google_compute_firewall.postgres | resource |
google_compute_firewall.redis | resource |
google_compute_network.vpc | resource |
google_compute_subnetwork.subnet | resource |
google_kms_key_ring.langfuse | resource |
google_kms_crypto_key.langfuse | resource |
kubernetes_namespace.langfuse | resource |
kubernetes_secret.langfuse | resource |
helm_release.ingress_nginx | resource |
helm_release.cert_manager | resource |
random_password.database | resource |
tls_private_key.langfuse | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
name | Name to use for or prefix resources with | string | "langfuse" | no |
domain | Domain name used to host langfuse on (e.g., langfuse.company.com) | string | n/a | yes |
use_encryption_key | Wheter or not to use an Encryption key for LLM API credential and integration credential store | bool | true | no |
kubernetes_namespace | Namespace to deploy langfuse to | string | "langfuse" | no |
subnetwork_cidr | CIDR block for Subnetwork | string | "10.0.0.0/16" | no |
database_instance_tier | The machine type to use for the database instance | string | "db-perf-optimized-N-2" | no |
database_instance_edition | The edition to use for the database instance | string | "ENTERPRISE_PLUS" | no |
database_instance_availability_type | The availability type to use for the database instance | string | "REGIONAL" | no |
cache_tier | The service tier of the instance | string | "STANDARD_HA" | no |
cache_memory_size_gb | Redis memory size in GB | number | 1 | no |
deletion_protection | Whether or not to enable deletion_protection on data sensitive resources | bool | true | no |
langfuse_chart_version | Version of the Langfuse Helm chart to deploy | string | "1.2.15" | no |
Name | Description |
---|---|
cluster_name | GKE Cluster Name |
cluster_host | GKE Cluster endpoint |
cluster_ca_certificate | GKE Cluster CA certificate |
cluster_token | GKE Cluster authentication token |
Contributions are welcome! Please feel free to submit a Pull Request. Here are some ways you can contribute:
- Add support for new cloud providers
- Improve existing configurations
- Add monitoring and alerting templates
- Improve documentation
- Report issues
MIT Licensed. See LICENSE for full details.