IMOKURI/dify-on-google-cloud

Dify on Google Cloud - Terraform Deployment

This Terraform code deploys Dify on Google Cloud Platform (GCP).

It uses the Dify Community Edition with focus on the following principles:

  • Follow Dify Community Edition upgrades.
  • Minimize modifications to the Dify Community Edition codebase.
  • Use managed services for database, file storage and cache.

Components

This Terraform code creates the following resources:

  • Network

    • VPC network and subnet
    • Private Service Access (for Cloud SQL)
    • Firewall rules
    • Static external IP address (for Load Balancer)
  • Database

    • Cloud SQL (PostgreSQL) - Main database
    • Cloud SQL (PostgreSQL with pgvector) - Vector database
  • Storage

    • Filestore - For file uploads and plugin assets
  • Cache

    • Memorystore for Redis - For caching and session storage
  • Compute

    • Managed Instance Group
    • Custom startup script to install and run Dify
  • Load Balancer

    • HTTPS Load Balancer
    • SSL certificates (managed or self-signed)
  • IAM

    • Service account for Dify
    • Automatic granting of required permissions

Architecture Overview

graph TB
    subgraph Internet["Internet"]
        User[User]
    end

    subgraph GCP["Google Cloud Platform"]
        subgraph DNS["DNS (Optional)"]
            Domain[Domain Name]
        end

        LB_IP[Static Global IP]

        subgraph LB["Load Balancer"]
            HTTPS[HTTPS Forwarding Rule<br/>Port: 443]
            SSL[SSL Certificate<br/>Google-managed or Self-signed]
            Backend[Backend Service]
            HC[Health Check<br/>/console/api/ping]
        end

        subgraph VPC["VPC Network"]
            subgraph Subnet["Subnet"]
                subgraph MIG["Managed Instance Group"]
                    Instance[Compute Instance<br/>Ubuntu 22.04<br/>Docker + Dify]
                end

                subgraph Storage["Storage"]
                    FS[Filestore<br/>NFS Share]
                end
            end
        end

        subgraph GoogleManaged["Google-Managed VPC"]
            subgraph Database["Cloud SQL Instances"]
                SQL1[Cloud SQL PostgreSQL<br/>Main DB]
                SQL2[Cloud SQL PostgreSQL<br/>pgvector DB]
            end

            subgraph Cache["Memorystore"]
                REDIS[Redis Instance<br/>Cache & Sessions]
            end
        end
    end

    User -->|HTTPS| Domain
    Domain -->|DNS Resolution| LB_IP
    User -->|HTTPS| LB_IP
    LB_IP --> HTTPS
    HTTPS --> SSL
    SSL --> Backend
    Backend -->|HTTP:80| MIG
    HC -->|Health Check| Instance

    Instance -->|NFS Mount| FS
    Instance -->|Private IP<br/>via VPC Peering| SQL1
    Instance -->|Private IP<br/>via VPC Peering| SQL2
    Instance -->|Private IP<br/>via VPC Peering| REDIS

    style User fill:#e1f5ff
    style LB fill:#fff4e6
    style VPC fill:#f0f9ff
    style MIG fill:#e8f5e9
    style Database fill:#fce4ec
    style Cache fill:#e3f2fd
    style GoogleManaged fill:#f5f5f5
    style Storage fill:#fff9c4

Cost Estimation

infracost

Prerequisites

  1. Google Cloud SDK: gcloud command installed
  2. Terraform: Version 1.0 or higher
  3. GCP Project: Active GCP project
  4. Authentication Setup:
    gcloud init
    gcloud auth application-default login
  5. Enable Required APIs:
    gcloud services enable cloudresourcemanager.googleapis.com
    gcloud services enable compute.googleapis.com
    gcloud services enable file.googleapis.com
    gcloud services enable iamcredentials.googleapis.com
    gcloud services enable redis.googleapis.com
    gcloud services enable servicenetworking.googleapis.com
    gcloud services enable sqladmin.googleapis.com
    
    # Optional: Enable if using Identity-Aware Proxy
    gcloud services enable iap.googleapis.com

Quick Start

Prepare Variables File

cp terraform.tfvars.example terraform.tfvars

Edit terraform.tfvars and set at least the following values:

project_id = "your-gcp-project-id"

# Dify version to be deployed
dify_version = "1.13.0"

# If you have a domain name (recommended)
domain_name = "dify.example.com"

# Or use self-signed certificate
# domain_name     = ""
# ssl_certificate = file("certificate.pem")
# ssl_private_key = file("private-key.pem")
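The settings above are the ones terraform plan will fail or misbehave without, so it is worth checking them before the first apply. The following preflight script is an added example, not part of the repository: tfvars_get and check_tfvars are hypothetical helper names, and the sample file it writes is constructed for the demonstration. It is a line-oriented reader of the tfvars format shown above, not a full HCL parser; file(...) references are only checked to be present.

```shell
#!/bin/sh
# Preflight check for terraform.tfvars before running terraform plan.
# Added example, not part of the repository: tfvars_get/check_tfvars are hypothetical
# helper names, and the sample file below is constructed for the demonstration.

# tfvars_get FILE KEY: print the value assigned to KEY (string quotes removed),
# ignoring commented-out lines such as '# domain_name = ""'
tfvars_get() {
  sed -n -e '/^[[:space:]]*#/d' \
         -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | head -n 1 \
    | sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_tfvars FILE: 0 when the minimum settings are present and consistent, 1 otherwise
check_tfvars() {
  rc=0
  project=$(tfvars_get "$1" project_id)
  version=$(tfvars_get "$1" dify_version)
  domain=$(tfvars_get "$1" domain_name)
  cert=$(tfvars_get "$1" ssl_certificate)
  key=$(tfvars_get "$1" ssl_private_key)

  case "$project" in
    ""|your-gcp-project-id)
      echo "project_id is unset or still the placeholder" >&2; rc=1 ;;
  esac
  # release tags look like 1.13.0; "1.13.x" or an empty value will not resolve to a release
  case "$version" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "dify_version must be a release tag such as 1.13.0 (got '$version')" >&2; rc=1 ;;
  esac
  # either a domain (Google-managed certificate) or a complete self-signed pair is required
  if [ -z "$domain" ] && { [ -z "$cert" ] || [ -z "$key" ]; }; then
    echo "set domain_name, or set both ssl_certificate and ssl_private_key" >&2; rc=1
  fi
  return "$rc"
}

# Constructed sample file in the README's layout (the project id is not a real one)
write_sample_tfvars() {
  cat > "$1" <<'EOF'
project_id = "sample-project-123456"

# Dify version to be deployed
dify_version = "1.13.0"

# If you have a domain name (recommended)
domain_name = "dify.example.com"

# Or use self-signed certificate
# domain_name     = ""
# ssl_certificate = file("certificate.pem")
# ssl_private_key = file("private-key.pem")
EOF
}

# Demonstration: check the constructed sample, then the real file if one is present
tmp=$(mktemp)
write_sample_tfvars "$tmp"
if check_tfvars "$tmp"; then echo "sample tfvars: OK"; fi
rm -f "$tmp"
if [ -f terraform.tfvars ]; then
  if check_tfvars terraform.tfvars; then echo "terraform.tfvars: OK"; fi
fi
```

Run it from the directory holding terraform.tfvars; each problem is reported on stderr and the function exits non-zero, so it can gate a CI job in front of terraform plan.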

Deploy

# Initialize
terraform init

# Review plan
terraform plan

# Execute deployment
terraform apply

After Deployment

# Check admin password
terraform output -raw initial_password

# Access via browser
# https://<load_balancer_ip> or https://your-domain.com

Detailed Configuration

SSL Certificate Setup

Option 1: Google-Managed SSL Certificate (Recommended)

domain_name = "dify.example.com"

Configure DNS record:

A    dify.example.com    <LOAD_BALANCER_IP>

Certificate provisioning can take up to 15 minutes.

Option 2: Self-Signed Certificate

# Generate certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout private-key.pem -out certificate.pem \
  -subj "/C=JP/ST=Tokyo/L=Tokyo/O=Dify/CN=dify.local"

Then reference the files in terraform.tfvars:

domain_name     = ""
ssl_certificate = file("certificate.pem")
ssl_private_key = file("private-key.pem")
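A certificate and key that do not belong together make the load balancer certificate resource fail at apply time, and a self-signed certificate issued with -days 365 silently expires a year later. The following checks are an added example, not part of the repository; they assume openssl is on PATH, the helper names are hypothetical, and the pair they generate for the demonstration is constructed the same way as the command above.

```shell
#!/bin/sh
# Sanity checks for a self-signed certificate pair before it is referenced from terraform.tfvars.
# Added example, not part of the repository; assumes openssl is on PATH.

# make_selfsigned DIR [CN]: generate a pair the way the README does (constructed sample)
make_selfsigned() {
  cn="${2:-dify.local}"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$1/private-key.pem" -out "$1/certificate.pem" \
    -subj "/C=JP/ST=Tokyo/L=Tokyo/O=Dify/CN=$cn" >/dev/null 2>&1
}

# cert_key_match CERT KEY: 0 when the certificate's public key equals the key's public key,
# 1 when they differ, 2 when either file cannot be read
cert_key_match() {
  cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# cert_valid_for_days CERT DAYS: 0 when the certificate does not expire within DAYS days
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_bits KEY: print the RSA modulus size in bits
key_bits() {
  openssl pkey -in "$1" -pubout 2>/dev/null \
    | openssl pkey -pubin -noout -text \
    | sed -n 's/.*Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# check_pair CERT KEY: run all checks, report each, return non-zero if any failed
check_pair() {
  rc=0
  if cert_key_match "$1" "$2"; then echo "ok: certificate matches private key"
  else echo "FAIL: certificate and private key do not belong together"; rc=1; fi
  if cert_valid_for_days "$1" 30; then echo "ok: certificate valid for at least 30 more days"
  else echo "FAIL: certificate expires within 30 days or is already expired"; rc=1; fi
  bits=$(key_bits "$2")
  if [ "${bits:-0}" -ge 2048 ]; then echo "ok: RSA key is $bits bits"
  else echo "FAIL: RSA key is ${bits:-unknown} bits; use at least 2048"; rc=1; fi
  return "$rc"
}

# Demonstration on a freshly generated pair in a temporary directory
dir=$(mktemp -d)
if make_selfsigned "$dir"; then
  check_pair "$dir/certificate.pem" "$dir/private-key.pem"
fi
rm -rf "$dir"
```

To check the files you will actually reference, call check_pair certificate.pem private-key.pem; the 30-day window is a reasonable renewal threshold to run periodically, because the load balancer keeps serving an expired self-signed certificate until a new one is applied.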

Identity-Aware Proxy (IAP) Configuration

Identity-Aware Proxy (IAP) adds Google authentication to your application, ensuring only authorized users can access it.

Enable IAP

  1. Create OAuth 2.0 Credentials:

    • Go to GCP Console > APIs & Services > Credentials
    • Click "Create Credentials" > "OAuth client ID"
    • Application type: "Web application"
    • Add authorized redirect URI: https://iap.googleapis.com/v1/oauth/clientIds/<CLIENT_ID>:handleRedirect
    • Save the Client ID and Client Secret
  2. Enable IAP API:

    gcloud services enable iap.googleapis.com
  3. Configure terraform.tfvars:

    iap_enabled              = true
    iap_oauth_client_id      = "123456789-abc.apps.googleusercontent.com"
    iap_oauth_client_secret  = "your-client-secret"
    iap_members = [
      "user:admin@example.com",
      "group:developers@example.com",
      "domain:example.com"
    ]
  4. Apply Configuration:

    terraform apply

IAP Member Format

  • Individual user: user:email@example.com
  • Google Group: group:groupname@example.com
  • Domain: domain:example.com (all users in the domain)
  • Service account: serviceAccount:name@project.iam.gserviceaccount.com
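A malformed member string is only rejected when terraform apply reaches the IAP binding, and a domain: entry admits every account in that domain, which is easy to overlook in a long list. The validator below is an added example, not part of the repository: iap_member_valid and iap_members_report are hypothetical helper names, it accepts exactly the four prefixes listed above, and the member list it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Validate entries for iap_members before running terraform apply.
# Added example, not part of the repository; accepts the four member prefixes
# listed in the README and flags domain: grants, which admit every account in the domain.

# iap_member_valid MEMBER: 0 when MEMBER is well-formed, 1 otherwise
iap_member_valid() {
  case "$1" in
    *[[:space:]]*) return 1 ;;            # no embedded whitespace
  esac
  prefix="${1%%:*}"; value="${1#*:}"
  [ "$prefix" != "$1" ] || return 1       # no ':' separator at all
  case "$prefix" in
    user|group)
      # local-part@domain, with a dot in the domain part
      case "$value" in ?*@?*.?*) return 0 ;; esac ;;
    domain)
      # a bare DNS name: no '@', at least one dot
      case "$value" in *@*) return 1 ;; ?*.?*) return 0 ;; esac ;;
    serviceAccount)
      case "$value" in ?*@?*.gserviceaccount.com) return 0 ;; esac ;;
  esac
  return 1
}

# iap_members_report FILE: one line per member (ok / BROAD / INVALID); returns 1 if any is invalid
iap_members_report() {
  rc=0
  while IFS= read -r m || [ -n "$m" ]; do
    [ -z "$m" ] && continue
    if ! iap_member_valid "$m"; then
      echo "INVALID  $m"; rc=1
    elif [ "${m%%:*}" = "domain" ]; then
      echo "BROAD    $m  (every account in the domain)"
    else
      echo "ok       $m"
    fi
  done < "$1"
  return "$rc"
}

# Constructed sample: the README's three members plus two malformed entries
write_sample_members() {
  cat > "$1" <<'EOF'
user:admin@example.com
group:developers@example.com
domain:example.com
admin@example.com
serviceAccount:dify@example.com
EOF
}

tmp=$(mktemp)
write_sample_members "$tmp"
if iap_members_report "$tmp"; then
  echo "all members valid"
else
  echo "fix the INVALID entries before terraform apply"
fi
rm -f "$tmp"
```

Feed it one member per line (for example the strings you intend to paste into iap_members); the BROAD marker is informational and does not fail the check, but it is the line to look at when reviewing who can reach the console.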

Testing IAP

After deployment, accessing your application will require users to:

  1. Sign in with their Google account
  2. Be granted access if they are in the iap_members list

Additional Sandbox Packages

If you want to add packages to the sandbox, list them in python-requirements.txt.

Note

dify-sandbox restricts system calls by default. When you add packages to requirements.txt, all system calls are enabled by ./assets/sandbox/config.yaml. Refer to the dify-sandbox documentation for details.

Dify Deployment

When Terraform is applied:

  1. The Dify source code for the specified version is downloaded automatically to /opt/dify-<version>.
  2. startup-script.sh updates the Dify environment variables.
  3. The Dify application is started.

Upgrade Strategy

Check the Dify release notes and update startup-script.sh if needed.

dify_version = "1.13.x"  # Specify new version tag
terraform apply  # Apply upgrade

When Terraform is applied:

  1. The old VM is removed first, so the service is temporarily unavailable during the upgrade.
  2. The new VM is deployed and runs the migration process.

Upgrade can take up to 15 minutes.

Troubleshooting

Verify SSL Certificate Provisioning

# Check certificate status
gcloud compute ssl-certificates list
gcloud compute ssl-certificates describe dify-ssl-cert --global

Check startup script log

Access the VM via SSH and check the logs.

tail -f /var/log/startup-script.log

Check Dify logs

Access the VM via SSH and check the logs.

sudo su - ubuntu
cd /opt/dify-<version>/docker
docker compose ps
docker compose logs -f

Resource Cleanup

# Delete all resources
terraform destroy

# If you get errors due to deletion protection, delete those resources from the console, then run the command again
terraform destroy
