# Install on GCP
Materialize provides a set of modular Terraform modules that deploy all services required to run Materialize on Google Cloud. The modules are intended as a simple set of examples of how to deploy Materialize: use them as is, or take individual modules from the example and integrate them with your existing DevOps tooling.
{{% self-managed/materialize-components-sentence %}} The example on this page deploys a complete Materialize environment on GCP using the modular Terraform setup from this repository.
{{< warning >}}
{{< self-managed/terraform-disclaimer >}}
{{< /warning >}}
This example provisions the following infrastructure:
**Networking**

| Resource | Description |
|---|---|
| VPC Network | Custom VPC with auto-create subnets disabled |
| Subnet | 192.168.0.0/20 primary range with private Google access enabled |
| Secondary Ranges | Pods: 192.168.64.0/18, Services: 192.168.128.0/20 |
| Cloud Router | For NAT and routing configuration |
| Cloud NAT | For outbound internet access from private nodes |
| VPC Peering | Service networking connection for Cloud SQL private access |
**GKE cluster**

| Resource | Description |
|---|---|
| GKE Cluster | Regional cluster with Workload Identity enabled |
| Generic Node Pool | e2-standard-8 machines, autoscaling 2-5 nodes, 50GB disk, for general workloads |
| Materialize Node Pool | n2-highmem-8 machines, autoscaling 2-5 nodes, 100GB disk, 1 local SSD, swap enabled, dedicated taints for Materialize workloads |
| Service Account | GKE service account with workload identity binding |
**Cloud SQL**

| Resource | Description |
|---|---|
| Cloud SQL PostgreSQL | Private IP only (no public IP) |
| Tier | db-custom-2-4096 (2 vCPUs, 4GB memory) |
| Database | materialize database with UTF8 charset |
| User | materialize user with auto-generated password |
| Network | Connected via VPC peering for private access |
**Cloud Storage**

| Resource | Description |
|---|---|
| Cloud Storage Bucket | Regional bucket for Materialize persistence |
| Access | HMAC keys for S3-compatible access (Workload Identity service account with storage permissions is configured but not currently used by Materialize for GCS access, in future we will remove HMAC keys and support access to GCS either via Workload Identity Federation or via Kubernetes ServiceAccounts that impersonate IAM service accounts) |
| Versioning | Disabled (for testing; enable in production) |
**Certificate management**

| Resource | Description |
|---|---|
| cert-manager | Certificate management controller for Kubernetes that automates TLS certificate provisioning and renewal |
| Self-signed ClusterIssuer | Provides self-signed TLS certificates for Materialize instance internal communication (balancerd, console). Used by the Materialize instance for secure inter-component communication. |
**Materialize**

| Resource | Description |
|---|---|
| Operator | Materialize Kubernetes operator in the materialize namespace |
| Instance | Single Materialize instance in the materialize-environment namespace |
| Load Balancers | GCP Load Balancers for access to Materialize |

{{< yaml-table data="self_managed/default_ports" >}}
A Google account with permission to create and manage the resources listed above.
{{< yaml-table data="self_managed/license_key" >}}
{{< warning >}}
{{< self-managed/terraform-disclaimer >}}
{{< /warning >}}
{{< tip >}}
The simple example used in this tutorial enables password authentication
for the Materialize instance. To use a different authentication method, update
`authenticator_kind`. See the authentication documentation for the supported
authentication mechanisms.
{{< /tip >}}
Open a terminal window.

Clone the Materialize Terraform repository and go to the
`gcp/examples/simple` directory:

```bash
git clone https://github.com/MaterializeInc/materialize-terraform-self-managed.git
cd materialize-terraform-self-managed/gcp/examples/simple
```
Authenticate to GCP with your user account:

```bash
gcloud auth login
```
Find the list of GCP projects:

```bash
gcloud projects list
```
Set your active GCP project, replacing `<PROJECT_ID>` with your project ID:

```bash
gcloud config set project <PROJECT_ID>
```
Enable the following APIs for your project:

```bash
gcloud services enable container.googleapis.com            # For creating Kubernetes clusters
gcloud services enable compute.googleapis.com              # For creating GKE nodes and other compute resources
gcloud services enable sqladmin.googleapis.com             # For creating databases
gcloud services enable cloudresourcemanager.googleapis.com # For managing GCP resources
gcloud services enable servicenetworking.googleapis.com    # For private network connections
gcloud services enable iamcredentials.googleapis.com       # For security and authentication
gcloud services enable iam.googleapis.com                  # For managing IAM service accounts and policies
gcloud services enable storage.googleapis.com              # For Cloud Storage buckets
```
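If you later want to verify that all required APIs are enabled, `gcloud services list --enabled --format=json` emits a JSON array of service objects. A minimal Python sketch of checking that output (the sample data below is illustrative, and the `config.name` field shape is an assumption based on the Service Usage API):

```python
import json

# Illustrative sample of `gcloud services list --enabled --format=json` output;
# each entry describes one enabled service.
sample = """
[
  {"config": {"name": "container.googleapis.com"}, "state": "ENABLED"},
  {"config": {"name": "compute.googleapis.com"}, "state": "ENABLED"}
]
"""

REQUIRED = [
    "container.googleapis.com",
    "compute.googleapis.com",
    "sqladmin.googleapis.com",
]

def missing_apis(raw: str, required: list[str]) -> list[str]:
    """Return the required APIs that do not appear in the enabled-services JSON."""
    enabled = {svc["config"]["name"] for svc in json.loads(raw)}
    return sorted(set(required) - enabled)

print(missing_apis(sample, REQUIRED))  # ['sqladmin.googleapis.com']
```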
Authenticate application default credentials for Terraform:

```bash
gcloud auth application-default login
```
Create a `terraform.tfvars` file and specify the following variables:

| Variable | Description |
|---|---|
| `project_id` | Set to your GCP project ID. |
| `name_prefix` | Set a prefix for all resource names (e.g., `simple-demo`); this is also used as the release name for the operator. |
| `region` | Set the GCP region for the deployment (e.g., `us-central1`). |
| `license_key` | Set to your Materialize license key. |
| `labels` | Set to the labels to apply to resources. |
For example:

```hcl
project_id  = "my-gcp-project"
name_prefix = "simple-demo"
region      = "us-central1"
license_key = "your-materialize-license-key"

labels = {
  environment = "demo"
  created_by  = "terraform"
}

# internal_load_balancer = false # Default: true (internal load balancer); set to false for a public load balancer.
# ingress_cidr_blocks = ["x.x.x.x/n", ...]
# k8s_apiserver_authorized_networks = ["x.x.x.x/n", ...]
```
{{% include-from-yaml data="self_managed/installation" name="installation-tfvars-variables-optional" %}}
Initialize the Terraform directory to download the required providers and modules:

```bash
terraform init
```
Apply the Terraform configuration to create the infrastructure:

```bash
terraform apply
```

If you are satisfied with the planned changes, type `yes` when prompted
to proceed.
From the output, you will need the following fields to connect:

- `console_load_balancer_ip` for the Materialize Console.
- `balancerd_load_balancer_ip` to connect PostgreSQL-compatible clients/drivers.
- `external_login_password_mz_system` as the login password.

To print a field's value, run:

```bash
terraform output -raw <field_name>
```
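If you script against these outputs, `terraform output -json` prints all outputs as machine-readable JSON. A minimal Python sketch of parsing that format (the sample data below is illustrative, not real output):

```python
import json

# `terraform output -json` wraps each output as
# {"sensitive": bool, "type": ..., "value": ...}.
sample = """
{
  "console_load_balancer_ip": {"sensitive": false, "type": "string", "value": "192.0.2.10"},
  "external_login_password_mz_system": {"sensitive": true, "type": "string", "value": "example-password"}
}
"""

def parse_outputs(raw: str) -> dict:
    """Return a flat {output_name: value} dict from `terraform output -json` text."""
    return {name: entry["value"] for name, entry in json.loads(raw).items()}

outputs = parse_outputs(sample)
print(outputs["console_load_balancer_ip"])  # 192.0.2.10
```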
{{< tip >}}
Your shell may show an ending marker (such as %) because the
output did not end with a newline. Do not include the marker when using the value.
{{< /tip >}}
Configure `kubectl` to connect to your GKE cluster, replacing:

- `<your-gke-cluster-name>` with your cluster name; i.e., the
  `gke_cluster_name` in the Terraform output. For this example, the
  cluster name has the form `<name_prefix>-gke`; e.g., `simple-demo-gke`.
- `<your-region>` with your cluster location; i.e., the
  `gke_cluster_location` in the Terraform output. The region can also be
  found in your `terraform.tfvars` file.
- `<your-project-id>` with your GCP project ID.

```bash
# gcloud container clusters get-credentials <your-gke-cluster-name> --region <your-region> --project <your-project-id>
gcloud container clusters get-credentials $(terraform output -raw gke_cluster_name) \
  --region $(terraform output -raw gke_cluster_location) \
  --project <your-project-id>
```
You can connect to Materialize via the Materialize Console or PostgreSQL-compatible tools/drivers using the following ports:
{{< yaml-table data="self_managed/default_ports" >}}
{{% include-from-yaml data="self_managed/installation" name="installation-access-methods" %}}
**Materialize Console**

Using the `console_load_balancer_ip` and `external_login_password_mz_system`
from the Terraform output, you can connect to Materialize via the Materialize
Console.
To connect to the Materialize Console, open a browser to
https://<console_load_balancer_ip>:8080, substituting your
<console_load_balancer_ip>.
From the terminal, you can run:

```bash
open "https://$(terraform output -raw console_load_balancer_ip):8080/materialize"
```
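If the Console does not load immediately, the load balancer may still be provisioning. As a quick check that the endpoint accepts TCP connections, you could use a small helper like the following (a hedged sketch; `wait_for_port` and the host/port values are illustrative, not part of the Terraform modules):

```python
import socket
import time

def wait_for_port(host: str, port: int, timeout: float = 60.0) -> bool:
    """Poll until a TCP connection to (host, port) succeeds, or the timeout elapses."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            # A successful connect means the listener is up; close it immediately.
            with socket.create_connection((host, port), timeout=2):
                return True
        except OSError:
            time.sleep(1)
    return False

# Example with a placeholder IP:
# wait_for_port("192.0.2.10", 8080)
```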
{{< tip >}}
{{% include-from-yaml data="self_managed/installation" name="install-uses-self-signed-cluster-issuer" %}}
{{< /tip >}}
Log in as `mz_system`, using `external_login_password_mz_system` as the
password.

Create new users and log out.

In general, other than the initial login to create new users for new
deployments, avoid using `mz_system`, since `mz_system` is also used by the
Materialize Operator for upgrades and maintenance tasks.
For more information on authentication and authorization for Self-Managed Materialize, see:
Log in as one of the created users.
**psql**

{{% include-from-yaml data="self_managed/installation" name="installation-access-methods" %}}
Using the `balancerd_load_balancer_ip` and `external_login_password_mz_system`
from the Terraform output, you can connect to Materialize via
PostgreSQL-compatible clients/drivers, such as `psql`.

To connect using `psql`, in the connection string, specify:

- `mz_system` as the user
- `balancerd_load_balancer_ip` as the host
- `6875` as the port

```bash
psql "postgres://mz_system@$(terraform output -raw balancerd_load_balancer_ip):6875/materialize"
```
When prompted for the password, enter the
`external_login_password_mz_system` value.
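The auto-generated password may contain characters that are not URL-safe. If you embed the password directly in a PostgreSQL connection URL instead of entering it at the prompt, it needs to be percent-encoded. A minimal Python sketch (`pg_url` and the credentials below are made-up examples, not part of the Terraform output):

```python
from urllib.parse import quote

def pg_url(user: str, password: str, host: str, port: int, dbname: str) -> str:
    """Build a PostgreSQL connection URL, percent-encoding the user and password."""
    return (
        f"postgres://{quote(user, safe='')}:{quote(password, safe='')}"
        f"@{host}:{port}/{dbname}"
    )

# Placeholder values, not real credentials:
print(pg_url("mz_system", "p@ss/word", "192.0.2.20", 6875, "materialize"))
# postgres://mz_system:p%40ss%2Fword@192.0.2.20:6875/materialize
```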
Create new users and log out.

In general, other than the initial login to create new users for new
deployments, avoid using `mz_system`, since `mz_system` is also used by the
Materialize Operator for upgrades and maintenance tasks.

For more information on authentication and authorization for Self-Managed Materialize, see:

Log in as one of the created users.
{{< tip >}}
To reduce cost in your demo environment, you can tweak machine types and database tiers in `main.tf`.
{{< /tip >}}
You can customize each module independently.
For details on the Terraform modules, see both the top-level and GCP-specific modules.
For details on recommended instance sizing and configuration, see the GCP deployment guide.
{{< note >}} GCP Storage Authentication Limitation: Materialize currently only supports HMAC key authentication for GCS access (S3-compatible API). While the modules configure both HMAC keys and Workload Identity, Materialize uses HMAC keys for actual storage access. {{< /note >}}
See also:
{{% self-managed/cleanup-cloud %}}