diff --git a/README.md b/README.md
index 8cf711e0d..bc9ec79f7 100644
--- a/README.md
+++ b/README.md
@@ -15,12 +15,12 @@
 | [aws-node-termination-handler](https://github.com/aws/aws-node-termination-handler)                                           | Manage spot instance lifecyle                                                                    | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |
 | [aws-calico](https://github.com/aws/eks-charts/tree/master/stable/aws-calico)                                                 | Use calico for network policy                                                                    | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |
 | [secrets-store-csi-driver-provider-aws](https://github.com/aws/secrets-store-csi-driver-provider-aws) | AWS Secret Store and Parameter store driver for secret store CSI driver | :heavy_check_mark:  | N/A  | N/A  | N/A  | N/A  |
-| [cert-manager](https://github.com/jetstack/cert-manager)                                                                      | automatically generate TLS certificates, supports ACME v2                                        | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :x:                 | N/A                 |
+| [cert-manager](https://github.com/jetstack/cert-manager)                                                                      | automatically generate TLS certificates, supports ACME v2                                        | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | N/A                 |
 | [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler)                                 | scale worker nodes based on workload                                                             | N/A                 | :heavy_check_mark:  | Included            | Included            | Included            |
 | [cni-metrics-helper](https://docs.aws.amazon.com/eks/latest/userguide/cni-metrics-helper.html)                                | Provides cloudwatch metrics for VPC CNI plugins                                                  | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |
-| [external-dns](https://github.com/kubernetes-incubator/external-dns)                                                          | sync ingress and service records in route53                                                      | :x:                 | :heavy_check_mark:  | :heavy_check_mark:  | :x:                 | :x:                 |
+| [external-dns](https://github.com/kubernetes-incubator/external-dns)                                                          | sync ingress and service records in route53                                                      | :x:                 | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :x:                 |
 | [flux2](https://github.com/fluxcd/flux2)                                                                                      | Open and extensible continuous delivery solution for Kubernetes. Powered by GitOps Toolkit       | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |
-| [ingress-nginx](https://github.com/kubernetes/ingress-nginx)                                                                  | processes `Ingress` object and acts as a HTTP/HTTPS proxy (compatible with cert-manager)         | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :x:                 | :x:                 |
+| [ingress-nginx](https://github.com/kubernetes/ingress-nginx)                                                                  | processes `Ingress` object and acts as a HTTP/HTTPS proxy (compatible with cert-manager)         | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :x:                 |
 | [k8gb](https://www.k8gb.io/)                                                                                                  | A cloud native Kubernetes Global Balancer                                                        | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |
 | [karma](https://github.com/prymitive/karma)                                                                                   | An alertmanager dashboard                                                                        | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |
 | [keda](https://github.com/kedacore/keda)                                                                                      | Kubernetes Event-driven Autoscaling                                                              | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |
@@ -50,7 +50,7 @@ Any contribution supporting a new cloud provider is welcomed.
 
 * [AWS](./modules/aws)
 * [Scaleway](./modules/scaleway)
-* [GCP](./modules/gcp)
+* [GCP](./modules/google)
 * [Azure](./modules/azure)
 
 ## Doc generation
diff --git a/modules/google/.terraform-docs.yml b/modules/google/.terraform-docs.yml
new file mode 100644
index 000000000..abb4abb22
--- /dev/null
+++ b/modules/google/.terraform-docs.yml
@@ -0,0 +1,2 @@
+settings:
+  lockfile: false
diff --git a/modules/google/README.md b/modules/google/README.md
index 24f6e674d..bcc3273c2 100644
--- a/modules/google/README.md
+++ b/modules/google/README.md
@@ -7,35 +7,42 @@
 
 Provides various addons that are often used on Kubernetes with Google and GKE.
 
-## Documentation
-
-User guides, feature documentation and examples are available [here](https://github.com/particuleio/tkap/)
-
 ## Terraform docs
 
+Provides various Kubernetes addons that are often used on Kubernetes with GCP
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_flux"></a> [flux](#requirement\_flux) | 1.0.0-rc.5 |
+| <a name="requirement_github"></a> [github](#requirement\_github) | ~> 5.0 |
 | <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.69 |
 | <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | >= 4.69 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.0 |
+| <a name="requirement_http"></a> [http](#requirement\_http) | >= 3 |
 | <a name="requirement_jinja"></a> [jinja](#requirement\_jinja) | ~> 1.15 |
 | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | ~> 1.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.0, != 2.12 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.70.0 |
-| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.10.1 |
-| <a name="provider_jinja"></a> [jinja](#provider\_jinja) | 1.15.0 |
-| <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | 1.14.0 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.21.1 |
-| <a name="provider_time"></a> [time](#provider\_time) | 0.9.1 |
+| <a name="provider_flux"></a> [flux](#provider\_flux) | 1.0.0-rc.5 |
+| <a name="provider_github"></a> [github](#provider\_github) | ~> 5.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | >= 4.69 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 2.0 |
+| <a name="provider_http"></a> [http](#provider\_http) | >= 3 |
+| <a name="provider_jinja"></a> [jinja](#provider\_jinja) | ~> 1.15 |
+| <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | ~> 1.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | ~> 2.0, != 2.12 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_time"></a> [time](#provider\_time) | n/a |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | ~> 4.0 |
 
 ## Modules
 
@@ -43,19 +50,89 @@ User guides, feature documentation and examples are available [here](https://git
 |------|--------|---------|
 | <a name="module_cert_manager_workload_identity"></a> [cert\_manager\_workload\_identity](#module\_cert\_manager\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> v26.1.1 |
 | <a name="module_external_dns_workload_identity"></a> [external\_dns\_workload\_identity](#module\_external\_dns\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> v26.1.1 |
+| <a name="module_iam_assumable_sa_kube-prometheus-stack_grafana"></a> [iam\_assumable\_sa\_kube-prometheus-stack\_grafana](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_grafana) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 9.0 |
+| <a name="module_iam_assumable_sa_kube-prometheus-stack_thanos"></a> [iam\_assumable\_sa\_kube-prometheus-stack\_thanos](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_thanos) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 9.0 |
+| <a name="module_iam_assumable_sa_loki-stack"></a> [iam\_assumable\_sa\_loki-stack](#module\_iam\_assumable\_sa\_loki-stack) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 9.0 |
+| <a name="module_iam_assumable_sa_thanos"></a> [iam\_assumable\_sa\_thanos](#module\_iam\_assumable\_sa\_thanos) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 9.0 |
+| <a name="module_iam_assumable_sa_thanos-compactor"></a> [iam\_assumable\_sa\_thanos-compactor](#module\_iam\_assumable\_sa\_thanos-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 9.0 |
+| <a name="module_iam_assumable_sa_thanos-sg"></a> [iam\_assumable\_sa\_thanos-sg](#module\_iam\_assumable\_sa\_thanos-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 9.0 |
+| <a name="module_iam_assumable_sa_thanos-storegateway"></a> [iam\_assumable\_sa\_thanos-storegateway](#module\_iam\_assumable\_sa\_thanos-storegateway) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 9.0 |
+| <a name="module_kube-prometheus-stack_grafana-iam-member"></a> [kube-prometheus-stack\_grafana-iam-member](#module\_kube-prometheus-stack\_grafana-iam-member) | terraform-google-modules/iam/google//modules/member_iam | ~> 7.6 |
+| <a name="module_kube-prometheus-stack_kube-prometheus-stack_bucket"></a> [kube-prometheus-stack\_kube-prometheus-stack\_bucket](#module\_kube-prometheus-stack\_kube-prometheus-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 4.0 |
+| <a name="module_kube-prometheus-stack_thanos_bucket_iam"></a> [kube-prometheus-stack\_thanos\_bucket\_iam](#module\_kube-prometheus-stack\_thanos\_bucket\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 7.6 |
+| <a name="module_kube-prometheus-stack_thanos_kms_bucket"></a> [kube-prometheus-stack\_thanos\_kms\_bucket](#module\_kube-prometheus-stack\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | 2.2.2 |
+| <a name="module_loki-stack_bucket"></a> [loki-stack\_bucket](#module\_loki-stack\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 4.0 |
+| <a name="module_loki-stack_bucket_iam"></a> [loki-stack\_bucket\_iam](#module\_loki-stack\_bucket\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 7.6 |
+| <a name="module_loki-stack_kms_bucket"></a> [loki-stack\_kms\_bucket](#module\_loki-stack\_kms\_bucket) | terraform-google-modules/kms/google | 2.2.2 |
+| <a name="module_thanos-storegateway_bucket_iam"></a> [thanos-storegateway\_bucket\_iam](#module\_thanos-storegateway\_bucket\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 7.6 |
+| <a name="module_thanos_bucket"></a> [thanos\_bucket](#module\_thanos\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 4.0 |
+| <a name="module_thanos_bucket_iam"></a> [thanos\_bucket\_iam](#module\_thanos\_bucket\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 7.6 |
+| <a name="module_thanos_kms_bucket"></a> [thanos\_kms\_bucket](#module\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | 2.2.2 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/1.0.0-rc.5/docs/resources/bootstrap_git) | resource |
+| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |
+| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
+| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |
 | [google_dns_managed_zone_iam_member.cert_manager_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |
 | [google_dns_managed_zone_iam_member.external_dns_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |
+| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.external-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.thanos-memcached](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.thanos-tls-querier](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.ip_masq_agent](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
+| [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.external-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -63,9 +140,81 @@ User guides, feature documentation and examples are available [here](https://git
 | [kubernetes_network_policy.external-dns_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.external-dns_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.external-dns_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.npd_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.npd_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.secrets-store-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
 | [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
+| [kubernetes_secret.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret.promtail-tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret.thanos-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
+| [tls_cert_request.thanos-tls-querier-cert-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
+| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
+| [tls_locally_signed_cert.thanos-tls-querier-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
+| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.thanos-tls-querier-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.thanos-tls-querier-cert-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
+| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
+| [tls_self_signed_cert.thanos-tls-querier-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
+| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
+| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
+| [google_project.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
+| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 | [jinja_template.cert-manager_cluster_issuers](https://registry.terraform.io/providers/NikolaLohinski/jinja/latest/docs/data-sources/template) | data source |
 | [kubectl_file_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
 | [kubectl_filename_list.ip_masq_agent_manifests](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/filename_list) | data source |
@@ -79,9 +228,12 @@ User guides, feature documentation and examples are available [here](https://git
 | <a name="input_cert-manager-csi-driver"></a> [cert-manager-csi-driver](#input\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |
 | <a name="input_cluster-autoscaler"></a> [cluster-autoscaler](#input\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |
 | <a name="input_cluster-name"></a> [cluster-name](#input\_cluster-name) | Name of the Kubernetes cluster | `string` | `"sample-cluster"` | no |
+| <a name="input_cni-metrics-helper"></a> [cni-metrics-helper](#input\_cni-metrics-helper) | Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values | `any` | `{}` | no |
 | <a name="input_csi-external-snapshotter"></a> [csi-external-snapshotter](#input\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |
 | <a name="input_external-dns"></a> [external-dns](#input\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |
 | <a name="input_flux2"></a> [flux2](#input\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |
+| <a name="input_gke"></a> [gke](#input\_gke) | GKE cluster inputs | `any` | `{}` | no |
+| <a name="input_google"></a> [google](#input\_google) | GCP provider customization | `any` | `{}` | no |
 | <a name="input_helm_defaults"></a> [helm\_defaults](#input\_helm\_defaults) | Customize default Helm behavior | `any` | `{}` | no |
 | <a name="input_ingress-nginx"></a> [ingress-nginx](#input\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |
 | <a name="input_ip-masq-agent"></a> [ip-masq-agent](#input\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |
@@ -100,20 +252,31 @@ User guides, feature documentation and examples are available [here](https://git
 | <a name="input_npd"></a> [npd](#input\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |
 | <a name="input_priority-class"></a> [priority-class](#input\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |
 | <a name="input_priority-class-ds"></a> [priority-class-ds](#input\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | GCP project id | `string` | `""` | no |
 | <a name="input_prometheus-adapter"></a> [prometheus-adapter](#input\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
 | <a name="input_prometheus-blackbox-exporter"></a> [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
+| <a name="input_prometheus-cloudwatch-exporter"></a> [prometheus-cloudwatch-exporter](#input\_prometheus-cloudwatch-exporter) | Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |
 | <a name="input_promtail"></a> [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
 | <a name="input_sealed-secrets"></a> [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
 | <a name="input_secrets-store-csi-driver"></a> [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags for Google resources | `map(any)` | `{}` | no |
 | <a name="input_thanos"></a> [thanos](#input\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
 | <a name="input_thanos-memcached"></a> [thanos-memcached](#input\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
 | <a name="input_thanos-storegateway"></a> [thanos-storegateway](#input\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
 | <a name="input_thanos-tls-querier"></a> [thanos-tls-querier](#input\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
 | <a name="input_tigera-operator"></a> [tigera-operator](#input\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported values | `any` | `{}` | no |
 | <a name="input_traefik"></a> [traefik](#input\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |
+| <a name="input_velero"></a> [velero](#input\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |
 | <a name="input_victoria-metrics-k8s-stack"></a> [victoria-metrics-k8s-stack](#input\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_kube-prometheus-stack"></a> [kube-prometheus-stack](#output\_kube-prometheus-stack) | n/a |
+| <a name="output_kube-prometheus-stack_sensitive"></a> [kube-prometheus-stack\_sensitive](#output\_kube-prometheus-stack\_sensitive) | n/a |
+| <a name="output_loki-stack-ca"></a> [loki-stack-ca](#output\_loki-stack-ca) | n/a |
+| <a name="output_promtail-cert"></a> [promtail-cert](#output\_promtail-cert) | n/a |
+| <a name="output_promtail-key"></a> [promtail-key](#output\_promtail-key) | n/a |
+| <a name="output_thanos_ca"></a> [thanos\_ca](#output\_thanos\_ca) | n/a |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/google/admiralty.tf b/modules/google/admiralty.tf
new file mode 120000
index 000000000..27a4cc80e
--- /dev/null
+++ b/modules/google/admiralty.tf
@@ -0,0 +1 @@
+../../admiralty.tf
\ No newline at end of file
diff --git a/modules/google/cert-manager-csi-driver.tf b/modules/google/cert-manager-csi-driver.tf
new file mode 120000
index 000000000..f308a6d52
--- /dev/null
+++ b/modules/google/cert-manager-csi-driver.tf
@@ -0,0 +1 @@
+../../cert-manager-csi-driver.tf
\ No newline at end of file
diff --git a/modules/google/data.tf b/modules/google/data.tf
new file mode 100644
index 000000000..8ac3c2544
--- /dev/null
+++ b/modules/google/data.tf
@@ -0,0 +1 @@
+data "google_project" "current" {}
diff --git a/modules/google/flux2.tf b/modules/google/flux2.tf
new file mode 120000
index 000000000..0b9241e91
--- /dev/null
+++ b/modules/google/flux2.tf
@@ -0,0 +1 @@
+../../flux2.tf
\ No newline at end of file
diff --git a/modules/google/ingress-nginx.tf b/modules/google/ingress-nginx.tf
new file mode 100644
index 000000000..ac84a99d0
--- /dev/null
+++ b/modules/google/ingress-nginx.tf
@@ -0,0 +1,261 @@
+locals {
+
+  ingress-nginx = merge(
+    local.helm_defaults,
+    {
+      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].name
+      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].name
+      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].repository
+      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, "ingress-nginx")].version
+      namespace              = "ingress-nginx"
+      use_nlb                = false
+      enabled                = false
+      default_network_policy = true
+      ingress_cidrs          = ["0.0.0.0/0"]
+      allowed_cidrs          = ["0.0.0.0/0"]
+    },
+    var.ingress-nginx
+  )
+
+  values_ingress-nginx_l4 = <<VALUES
+controller:
+  metrics:
+    enabled: ${local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"]}
+    serviceMonitor:
+      enabled: ${local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"]}
+  updateStrategy:
+    type: RollingUpdate
+  kind: "DaemonSet"
+  service:
+    annotations:
+      networking.gke.io/load-balancer-type: "Internal"
+    externalTrafficPolicy: "Cluster"
+  publishService:
+    enabled: true
+  config:
+    use-proxy-protocol: "true"
+  priorityClassName: ${local.priority-class-ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
+  admissionWebhooks:
+    patch:
+      podAnnotations:
+        linkerd.io/inject: disabled
+VALUES
+
+  values_ingress-nginx_nlb = <<VALUES
+controller:
+  metrics:
+    enabled: ${local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"]}
+    serviceMonitor:
+      enabled: ${local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"]}
+  updateStrategy:
+    type: RollingUpdate
+  kind: "DaemonSet"
+  service:
+    annotations:
+      cloud.google.com/l4-rbs: "enabled"
+    externalTrafficPolicy: "Local"
+  publishService:
+    enabled: true
+  priorityClassName: ${local.priority-class-ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
+  admissionWebhooks:
+    patch:
+      podAnnotations:
+        linkerd.io/inject: disabled
+VALUES
+
+}
+
+resource "kubernetes_namespace" "ingress-nginx" {
+  count = local.ingress-nginx["enabled"] ? 1 : 0
+
+  metadata {
+    labels = {
+      name                               = local.ingress-nginx["namespace"]
+      "${local.labels_prefix}/component" = "ingress"
+    }
+
+    name = local.ingress-nginx["namespace"]
+  }
+}
+
+resource "helm_release" "ingress-nginx" {
+  count                 = local.ingress-nginx["enabled"] ? 1 : 0
+  repository            = local.ingress-nginx["repository"]
+  name                  = local.ingress-nginx["name"]
+  chart                 = local.ingress-nginx["chart"]
+  version               = local.ingress-nginx["chart_version"]
+  timeout               = local.ingress-nginx["timeout"]
+  force_update          = local.ingress-nginx["force_update"]
+  recreate_pods         = local.ingress-nginx["recreate_pods"]
+  wait                  = local.ingress-nginx["wait"]
+  atomic                = local.ingress-nginx["atomic"]
+  cleanup_on_fail       = local.ingress-nginx["cleanup_on_fail"]
+  dependency_update     = local.ingress-nginx["dependency_update"]
+  disable_crd_hooks     = local.ingress-nginx["disable_crd_hooks"]
+  disable_webhooks      = local.ingress-nginx["disable_webhooks"]
+  render_subchart_notes = local.ingress-nginx["render_subchart_notes"]
+  replace               = local.ingress-nginx["replace"]
+  reset_values          = local.ingress-nginx["reset_values"]
+  reuse_values          = local.ingress-nginx["reuse_values"]
+  skip_crds             = local.ingress-nginx["skip_crds"]
+  verify                = local.ingress-nginx["verify"]
+  values = [
+    local.ingress-nginx["use_nlb"] ? local.values_ingress-nginx_nlb : local.values_ingress-nginx_l4,
+    local.ingress-nginx["extra_values"],
+  ]
+  namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+
+  depends_on = [
+    kubectl_manifest.prometheus-operator_crds
+  ]
+}
+
+resource "kubernetes_network_policy" "ingress-nginx_default_deny" {
+  count = local.ingress-nginx["enabled"] && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-default-deny"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "ingress-nginx_allow_namespace" {
+  count = local.ingress-nginx["enabled"] && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-namespace"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "ingress-nginx_allow_ingress" {
+  count = local.ingress-nginx["enabled"] && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-ingress"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+      match_expressions {
+        key      = "app.kubernetes.io/name"
+        operator = "In"
+        values   = ["ingress-nginx"]
+      }
+    }
+
+    ingress {
+      ports {
+        port     = "80"
+        protocol = "TCP"
+      }
+      ports {
+        port     = "443"
+        protocol = "TCP"
+      }
+
+      dynamic "from" {
+        for_each = local.ingress-nginx["ingress_cidrs"]
+        content {
+          ip_block {
+            cidr = from.value
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "ingress-nginx_allow_monitoring" {
+  count = local.ingress-nginx["enabled"] && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-monitoring"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      ports {
+        port     = "metrics"
+        protocol = "TCP"
+      }
+
+      from {
+        namespace_selector {
+          match_labels = {
+            "${local.labels_prefix}/component" = "monitoring"
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" {
+  count = local.ingress-nginx["enabled"] && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-control-plane"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+      match_expressions {
+        key      = "app.kubernetes.io/name"
+        operator = "In"
+        values   = ["ingress-nginx"]
+      }
+    }
+
+    ingress {
+      ports {
+        port     = "8443"
+        protocol = "TCP"
+      }
+
+      dynamic "from" {
+        for_each = local.ingress-nginx["allowed_cidrs"]
+        content {
+          ip_block {
+            cidr = from.value
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
diff --git a/modules/google/k8gb.tf b/modules/google/k8gb.tf
new file mode 120000
index 000000000..9ce3c934b
--- /dev/null
+++ b/modules/google/k8gb.tf
@@ -0,0 +1 @@
+../../k8gb.tf
\ No newline at end of file
diff --git a/modules/google/karma.tf b/modules/google/karma.tf
new file mode 120000
index 000000000..1b7028e0a
--- /dev/null
+++ b/modules/google/karma.tf
@@ -0,0 +1 @@
+../../karma.tf
\ No newline at end of file
diff --git a/modules/google/keda.tf b/modules/google/keda.tf
new file mode 120000
index 000000000..18dcba532
--- /dev/null
+++ b/modules/google/keda.tf
@@ -0,0 +1 @@
+../../keda.tf
\ No newline at end of file
diff --git a/modules/google/kube-prometheus-crd.tf b/modules/google/kube-prometheus-crd.tf
new file mode 120000
index 000000000..9c82310f9
--- /dev/null
+++ b/modules/google/kube-prometheus-crd.tf
@@ -0,0 +1 @@
+../../kube-prometheus-crd.tf
\ No newline at end of file
diff --git a/modules/google/kube-prometheus.tf b/modules/google/kube-prometheus.tf
new file mode 100644
index 000000000..6c39ec24a
--- /dev/null
+++ b/modules/google/kube-prometheus.tf
@@ -0,0 +1,511 @@
+locals {
+  kube-prometheus-stack = merge(
+    local.helm_defaults,
+    {
+      name                                  = local.helm_dependencies[index(local.helm_dependencies.*.name, "kube-prometheus-stack")].name
+      chart                                 = local.helm_dependencies[index(local.helm_dependencies.*.name, "kube-prometheus-stack")].name
+      repository                            = local.helm_dependencies[index(local.helm_dependencies.*.name, "kube-prometheus-stack")].repository
+      chart_version                         = local.helm_dependencies[index(local.helm_dependencies.*.name, "kube-prometheus-stack")].version
+      namespace                             = "monitoring"
+      grafana_service_account_name          = "kube-prometheus-stack-grafana"
+      prometheus_service_account_name       = "kube-prometheus-stack-prometheus"
+      workload_identity_use_existing_k8s_sa = false
+      grafana_create_iam_resources          = false
+      grafana_iam_policy_override           = null
+      thanos_create_iam_resources           = true
+      thanos_iam_policy_override            = null
+      thanos_sidecar_enabled                = false
+      thanos_create_bucket                  = true
+      thanos_bucket                         = "thanos-store-${var.cluster-name}"
+      thanos_bucket_force_destroy           = false
+      thanos_bucket_location                = ""
+      thanos_kms_bucket_location            = ""
+      thanos_store_config                   = null
+      thanos_version                        = "v0.30.0"
+      thanos_service_account                = ""
+      enabled                               = false
+      allowed_cidrs                         = ["0.0.0.0/0"]
+      default_network_policy                = true
+      default_global_requests               = false
+      default_global_limits                 = false
+      manage_crds                           = true
+      cloud_storage_service_account         = ""
+      name_prefix                           = "kube-prometheus-stack"
+    },
+    var.kube-prometheus-stack
+  )
+
+  values_kube-prometheus-stack = <<VALUES
+kubeScheduler:
+  enabled: false
+kubeControllerManager:
+  enabled: false
+kubeEtcd:
+  enabled: false
+grafana:
+  sidecar:
+    dashboards:
+      multicluster:
+        global:
+          enabled: ${local.kube-prometheus-stack["thanos_sidecar_enabled"] ? "true" : "false"}
+  rbac:
+    pspEnabled: false
+  serviceAccount:
+    create: true
+    name: ${local.kube-prometheus-stack["grafana_service_account_name"]}
+    nameTest: ${local.kube-prometheus-stack["grafana_service_account_name"]}-test
+    annotations:
+      iam.gke.io/gcp-service-account: ${module.iam_assumable_sa_kube-prometheus-stack_grafana.gcp_service_account_email}
+  adminPassword: ${join(",", random_string.grafana_password.*.result)}
+  dashboardProviders:
+    dashboardproviders.yaml:
+      apiVersion: 1
+      providers:
+      - name: 'default'
+        orgId: 1
+        folder: ''
+        type: file
+        disableDeletion: false
+        editable: true
+        options:
+          path: /var/lib/grafana/dashboards/default
+prometheus-node-exporter:
+  priorityClassName: ${local.priority-class-ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
+prometheus:
+  thanosService:
+    enabled: ${local.thanos["enabled"]}
+  serviceAccount:
+    create: true
+    name: ${local.kube-prometheus-stack["prometheus_service_account_name"]}
+    annotations:
+      iam.gke.io/gcp-service-account: ${module.iam_assumable_sa_kube-prometheus-stack_thanos.gcp_service_account_email}
+  prometheusSpec:
+    priorityClassName: ${local.priority-class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
+alertmanager:
+  alertmanagerSpec:
+    priorityClassName: ${local.priority-class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
+prometheusOperator:
+  admissionWebhooks:
+    patch:
+      podAnnotations:
+        linkerd.io/inject: disabled
+VALUES
+
+  values_kps_global_requests = <<VALUES
+grafana:
+  resources:
+    requests:
+      cpu: 100m
+      memory: 200Mi
+prometheus:
+  prometheusSpec:
+    resources:
+      requests:
+        cpu: 50m
+        memory: 1300Mi
+alertmanager:
+  alertmanagerSpec:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 20Mi
+prometheusOperator:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 64Mi
+prometheus-node-exporter:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 20Mi
+kube-state-metrics:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 50Mi
+VALUES
+
+  values_kps_global_limits = <<VALUES
+grafana:
+  resources:
+    limits:
+      cpu: 500m
+      memory: 500Mi
+alertmanager:
+  alertmanagerSpec:
+    resources:
+      limits:
+        cpu: 100m
+        memory: 200Mi
+prometheusOperator:
+  resources:
+    limits:
+      cpu: 200m
+      memory: 256Mi
+prometheus-node-exporter:
+  resources:
+    limits:
+      cpu: 100m
+      memory: 200Mi
+kube-state-metrics:
+  resources:
+    limits:
+      cpu: 100m
+      memory: 200Mi
+VALUES
+
+  values_dashboard_ingress-nginx = <<VALUES
+grafana:
+  dashboards:
+    default:
+      nginx-ingress:
+        url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
+VALUES
+  values_dashboard_cert-manager  = <<VALUES
+grafana:
+  dashboards:
+    default:
+      cert-manager:
+        gnetId: 11001
+        revision: 1
+        datasource: ${local.kube-prometheus-stack.enabled ? "Prometheus" : local.victoria-metrics-k8s-stack.enabled ? "VictoriaMetrics" : ""}
+VALUES
+
+  values_dashboard_node_exporter = <<VALUES
+grafana:
+  dashboards:
+    default:
+      node-exporter-full:
+        gnetId: 1860
+        revision: 21
+        datasource: ${local.kube-prometheus-stack.enabled ? "Prometheus" : local.victoria-metrics-k8s-stack.enabled ? "VictoriaMetrics" : ""}
+      node-exporter:
+        gnetId: 11074
+        revision: 9
+        datasource: ${local.kube-prometheus-stack.enabled ? "Prometheus" : local.victoria-metrics-k8s-stack.enabled ? "VictoriaMetrics" : ""}
+VALUES
+
+  values_thanos_sidecar = <<VALUES
+prometheus:
+  prometheusSpec:
+    externalLabels:
+      cluster: ${var.cluster-name}
+    thanos:
+      version: "${local.kube-prometheus-stack["thanos_version"]}"
+      objectStorageConfig:
+        key: thanos.yaml
+        name: "${local.kube-prometheus-stack["thanos_bucket"]}-config"
+VALUES
+
+  values_grafana_ds = <<VALUES
+grafana:
+  sidecar:
+    datasources:
+      defaultDatasourceEnabled: false
+  additionalDataSources:
+  - name: Prometheus
+    access: proxy
+    editable: false
+    orgId: 1
+    type: prometheus
+    url: http://${local.thanos["enabled"] ? "${local.thanos["name"]}-query-frontend:9090" : "${local.kube-prometheus-stack["name"]}-prometheus:9090"}
+    version: 1
+    isDefault: true
+VALUES
+
+  values_dashboard_thanos = <<VALUES
+grafana:
+  dashboards:
+    default:
+      thanos-overview:
+        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/overview.json
+      thanos-compact:
+        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/compact.json
+      thanos-query:
+        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/query.json
+      thanos-store:
+        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/store.json
+      thanos-receiver:
+        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/receive.json
+      thanos-sidecar:
+        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/sidecar.json
+      thanos-rule:
+        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/rule.json
+      thanos-replicate:
+        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/bucket-replicate.json
+VALUES
+
+  thanos_store_config_default = <<VALUES
+type: GCS
+config:
+  bucket: ${local.kube-prometheus-stack["thanos_bucket"]}
+VALUES
+
+  thanos_store_config_computed = local.kube-prometheus-stack["thanos_store_config"] == null ? local.thanos_store_config_default : local.kube-prometheus-stack["thanos_store_config"]
+
+}
+
+module "iam_assumable_sa_kube-prometheus-stack_grafana" {
+  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  version             = "~> 9.0"
+  namespace           = local.kube-prometheus-stack["namespace"]
+  project_id          = var.project_id
+  name                = local.kube-prometheus-stack["grafana_service_account_name"]
+  use_existing_k8s_sa = local.kube-prometheus-stack["workload_identity_use_existing_k8s_sa"]
+}
+
+module "iam_assumable_sa_kube-prometheus-stack_thanos" {
+  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  version    = "~> 9.0"
+  namespace  = local.kube-prometheus-stack["namespace"]
+  project_id = var.project_id
+  name       = "${local.kube-prometheus-stack["name_prefix"]}-thanos"
+}
+
+resource "kubernetes_secret" "kube-prometheus-stack_thanos" {
+  count = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["thanos_sidecar_enabled"] ? 1 : 0
+  metadata {
+    name      = "${local.kube-prometheus-stack["thanos_bucket"]}-config"
+    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]
+  }
+
+  data = {
+    "thanos.yaml" = local.thanos_store_config_computed
+  }
+}
+
+module "kube-prometheus-stack_thanos_bucket_iam" {
+  source  = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
+  version = "~> 7.6"
+
+  mode            = "additive"
+  storage_buckets = [module.kube-prometheus-stack_kube-prometheus-stack_bucket[0].name]
+  bindings = {
+    "roles/storage.objectViewer" = [
+      "serviceAccount:${module.iam_assumable_sa_kube-prometheus-stack_thanos.gcp_service_account_email}"
+    ]
+  }
+}
+
+module "kube-prometheus-stack_grafana-iam-member" {
+  source  = "terraform-google-modules/iam/google//modules/member_iam"
+  version = "~> 7.6"
+
+  service_account_address = module.iam_assumable_sa_kube-prometheus-stack_grafana.gcp_service_account_email
+  project_id              = var.project_id
+  project_roles = [
+    "roles/monitoring.viewer",
+    "roles/logging.viewer",
+    "roles/compute.viewer"
+  ]
+}
+
+module "kube-prometheus-stack_thanos_kms_bucket" {
+  count   = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["thanos_create_bucket"] ? 1 : 0
+  source  = "terraform-google-modules/kms/google"
+  version = "2.2.2"
+
+  project_id = var.project_id
+  location   = local.kube-prometheus-stack["thanos_kms_bucket_location"]
+  keyring    = "thanos"
+  keys       = ["thanos"]
+  owners = [
+    "serviceAccount:${local.kube-prometheus-stack["cloud_storage_service_account"]}"
+  ]
+  set_owners_for = [
+    "thanos"
+  ]
+}
+
+module "kube-prometheus-stack_kube-prometheus-stack_bucket" {
+  count = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["thanos_create_bucket"] ? 1 : 0
+
+  source     = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version    = "~> 4.0"
+  project_id = var.project_id
+  location   = local.kube-prometheus-stack["thanos_bucket_location"]
+
+  name = local.kube-prometheus-stack["thanos_bucket"]
+
+  encryption = {
+    default_kms_key_name = module.kube-prometheus-stack_thanos_kms_bucket[0].keys.thanos
+  }
+}
+
+resource "kubernetes_namespace" "kube-prometheus-stack" {
+  count = local.kube-prometheus-stack["enabled"] ? 1 : 0
+
+  metadata {
+    labels = {
+      name                               = local.kube-prometheus-stack["namespace"]
+      "${local.labels_prefix}/component" = "monitoring"
+    }
+
+    name = local.kube-prometheus-stack["namespace"]
+  }
+}
+
+resource "random_string" "grafana_password" {
+  count   = local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"] ? 1 : 0
+  length  = 16
+  special = false
+}
+
+resource "helm_release" "kube-prometheus-stack" {
+  count                 = local.kube-prometheus-stack["enabled"] ? 1 : 0
+  repository            = local.kube-prometheus-stack["repository"]
+  name                  = local.kube-prometheus-stack["name"]
+  chart                 = local.kube-prometheus-stack["chart"]
+  version               = local.kube-prometheus-stack["chart_version"]
+  timeout               = local.kube-prometheus-stack["timeout"]
+  force_update          = local.kube-prometheus-stack["force_update"]
+  recreate_pods         = local.kube-prometheus-stack["recreate_pods"]
+  wait                  = local.kube-prometheus-stack["wait"]
+  atomic                = local.kube-prometheus-stack["atomic"]
+  cleanup_on_fail       = local.kube-prometheus-stack["cleanup_on_fail"]
+  dependency_update     = local.kube-prometheus-stack["dependency_update"]
+  disable_crd_hooks     = local.kube-prometheus-stack["disable_crd_hooks"]
+  disable_webhooks      = local.kube-prometheus-stack["disable_webhooks"]
+  render_subchart_notes = local.kube-prometheus-stack["render_subchart_notes"]
+  replace               = local.kube-prometheus-stack["replace"]
+  reset_values          = local.kube-prometheus-stack["reset_values"]
+  reuse_values          = local.kube-prometheus-stack["reuse_values"]
+  skip_crds             = local.kube-prometheus-stack["skip_crds"]
+  verify                = local.kube-prometheus-stack["verify"]
+  values = compact([
+    local.values_kube-prometheus-stack,
+    local.ingress-nginx["enabled"] ? local.values_dashboard_ingress-nginx : null,
+    local.thanos["enabled"] ? local.values_dashboard_thanos : null,
+    local.values_dashboard_node_exporter,
+    local.kube-prometheus-stack["thanos_sidecar_enabled"] ? local.values_thanos_sidecar : null,
+    local.kube-prometheus-stack["thanos_sidecar_enabled"] ? local.values_grafana_ds : null,
+    local.kube-prometheus-stack["default_global_requests"] ? local.values_kps_global_requests : null,
+    local.kube-prometheus-stack["default_global_limits"] ? local.values_kps_global_limits : null,
+    local.kube-prometheus-stack["extra_values"]
+  ])
+  namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]
+
+  depends_on = [
+    helm_release.ingress-nginx,
+    kubectl_manifest.prometheus-operator_crds
+  ]
+}
+
+resource "kubernetes_network_policy" "kube-prometheus-stack_default_deny" {
+  count = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-default-deny"
+    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "kube-prometheus-stack_allow_namespace" {
+  count = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-namespace"
+    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "kube-prometheus-stack_allow_ingress" {
+  count = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-ingress"
+    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            "${local.labels_prefix}/component" = "ingress"
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "kube-prometheus-stack_allow_control_plane" {
+  count = local.kube-prometheus-stack["enabled"] && local.kube-prometheus-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-control-plane"
+    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+      match_expressions {
+        key      = "app"
+        operator = "In"
+        values   = ["${local.kube-prometheus-stack["name"]}-operator"]
+      }
+    }
+
+    ingress {
+      ports {
+        port     = "10250"
+        protocol = "TCP"
+      }
+
+      dynamic "from" {
+        for_each = local.kube-prometheus-stack["allowed_cidrs"]
+        content {
+          ip_block {
+            cidr = from.value
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+output "kube-prometheus-stack" {
+  value = {
+    iam_assumable_sa_kube-prometheus-stack_grafana = module.iam_assumable_sa_kube-prometheus-stack_grafana
+    iam_assumable_sa_kube-prometheus-stack_thanos  = module.iam_assumable_sa_kube-prometheus-stack_thanos
+  }
+}
+
+output "kube-prometheus-stack_sensitive" {
+  value = {
+    grafana_password = element(concat(random_string.grafana_password.*.result, [""]), 0)
+  }
+  sensitive = true
+}
diff --git a/modules/google/linkerd-viz.tf b/modules/google/linkerd-viz.tf
new file mode 120000
index 000000000..0b1ee18d6
--- /dev/null
+++ b/modules/google/linkerd-viz.tf
@@ -0,0 +1 @@
+../../linkerd-viz.tf
\ No newline at end of file
diff --git a/modules/google/linkerd.tf b/modules/google/linkerd.tf
new file mode 120000
index 000000000..d26369938
--- /dev/null
+++ b/modules/google/linkerd.tf
@@ -0,0 +1 @@
+../../linkerd.tf
\ No newline at end of file
diff --git a/modules/google/linkerd2-cni.tf b/modules/google/linkerd2-cni.tf
new file mode 120000
index 000000000..a4217d7c7
--- /dev/null
+++ b/modules/google/linkerd2-cni.tf
@@ -0,0 +1 @@
+../../linkerd2-cni.tf
\ No newline at end of file
diff --git a/modules/google/loki-stack.tf b/modules/google/loki-stack.tf
new file mode 100644
index 000000000..519c42fca
--- /dev/null
+++ b/modules/google/loki-stack.tf
@@ -0,0 +1,352 @@
+locals {
+  loki-stack = merge(
+    local.helm_defaults,
+    {
+      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, "loki")].name
+      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, "loki")].name
+      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, "loki")].repository
+      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, "loki")].version
+      namespace              = "monitoring"
+      create_iam_resources   = true
+      iam_policy_override    = null
+      create_ns              = false
+      enabled                = false
+      default_network_policy = true
+      create_bucket          = true
+      bucket                 = "loki-store-${var.cluster-name}"
+      bucket_lifecycle_rule  = []
+      bucket_force_destroy   = false
+      bucket_location        = "europe-west1"
+      kms_bucket_location    = "europe-west1"
+      generate_ca            = true
+      trusted_ca_content     = null
+      create_promtail_cert   = true
+      create_grafana_ds_cm   = true
+      name_prefix            = "${var.cluster-name}-loki"
+    },
+    var.loki-stack
+  )
+
+  values_loki-stack = <<-VALUES
+    test:
+      enabled: false
+    monitoring:
+      lokiCanary:
+        enabled: false
+      selfMonitoring:
+        enabled: false
+        grafanaAgent:
+          installOperator: false
+    serviceMonitor:
+      enabled: ${local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"]}
+    priorityClassName: ${local.priority-class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
+    serviceAccount:
+      create: false
+    persistence:
+      enabled: true
+    loki:
+      auth_enabled: false
+      compactor:
+        shared_store: gcs
+      storage:
+        bucketNames:
+          chunks: "${local.loki-stack["bucket"]}"
+          ruler: "${local.loki-stack["bucket"]}"
+          admin: "${local.loki-stack["bucket"]}"
+      schemaConfig:
+        configs:
+        - from: 2020-10-24
+          store: boltdb-shipper
+          object_store: gcs
+          schema: v12
+          index:
+            prefix: loki_index_
+            period: 24h
+      storage_config:
+        gcs:
+          bucket_name: "${local.loki-stack["bucket"]}"
+        boltdb_shipper:
+          shared_store: gcs
+    VALUES
+}
+
+module "iam_assumable_sa_loki-stack" {
+  count      = local.loki-stack["enabled"] ? 1 : 0
+  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  version    = "~> 9.0"
+  namespace  = local.loki-stack["namespace"]
+  project_id = var.project_id
+  name       = local.loki-stack["name"]
+}
+
+module "loki-stack_bucket_iam" {
+  count   = local.loki-stack["enabled"] ? 1 : 0
+  source  = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
+  version = "~> 7.6"
+
+  mode            = "additive"
+  storage_buckets = [local.loki-stack["bucket"]]
+  bindings = {
+    "roles/storage.objectViewer" = [
+      "serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}"
+    ]
+    "roles/storage.objectCreator" = [
+      "serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}"
+    ]
+  }
+}
+
+resource "kubernetes_namespace" "loki-stack" {
+  count = local.loki-stack["enabled"] && local.loki-stack["create_ns"] ? 1 : 0
+
+  metadata {
+    labels = {
+      name                               = local.loki-stack["namespace"]
+      "${local.labels_prefix}/component" = "monitoring"
+    }
+
+    name = local.loki-stack["namespace"]
+  }
+}
+
+resource "kubernetes_config_map" "loki-stack_grafana_ds" {
+  count = local.loki-stack["enabled"] && local.loki-stack["create_grafana_ds_cm"] ? 1 : 0
+  metadata {
+    name      = "${local.loki-stack["name"]}-grafana-ds"
+    namespace = local.loki-stack["namespace"]
+    labels = {
+      grafana_datasource = "1"
+    }
+  }
+
+  data = {
+    "datasource.yml" = <<-VALUES
+      datasources:
+      - access: proxy
+        editable: true
+        isDefault: false
+        name: Loki
+        orgId: 1
+        type: loki
+        url: http://${local.loki-stack["name"]}-gateway
+        version: 1
+      VALUES
+  }
+}
+
+resource "helm_release" "loki-stack" {
+  count                 = local.loki-stack["enabled"] ? 1 : 0
+  repository            = local.loki-stack["repository"]
+  name                  = local.loki-stack["name"]
+  chart                 = local.loki-stack["chart"]
+  version               = local.loki-stack["chart_version"]
+  timeout               = local.loki-stack["timeout"]
+  force_update          = local.loki-stack["force_update"]
+  recreate_pods         = local.loki-stack["recreate_pods"]
+  wait                  = local.loki-stack["wait"]
+  atomic                = local.loki-stack["atomic"]
+  cleanup_on_fail       = local.loki-stack["cleanup_on_fail"]
+  dependency_update     = local.loki-stack["dependency_update"]
+  disable_crd_hooks     = local.loki-stack["disable_crd_hooks"]
+  disable_webhooks      = local.loki-stack["disable_webhooks"]
+  render_subchart_notes = local.loki-stack["render_subchart_notes"]
+  replace               = local.loki-stack["replace"]
+  reset_values          = local.loki-stack["reset_values"]
+  reuse_values          = local.loki-stack["reuse_values"]
+  skip_crds             = local.loki-stack["skip_crds"]
+  verify                = local.loki-stack["verify"]
+  values = [
+    local.values_loki-stack,
+    local.loki-stack["extra_values"]
+  ]
+  namespace = local.loki-stack["create_ns"] ? kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack["namespace"]
+
+  depends_on = [
+    kubectl_manifest.prometheus-operator_crds
+  ]
+}
+
+module "loki-stack_kms_bucket" {
+  count   = local.loki-stack["enabled"] && local.loki-stack["create_bucket"] ? 1 : 0
+  source  = "terraform-google-modules/kms/google"
+  version = "2.2.2"
+
+  project_id = var.project_id
+  location   = local.loki-stack["kms_bucket_location"]
+  keyring    = "loki-stack"
+  keys       = ["loki-stack"]
+  owners = [
+    "serviceAccount:${local.loki-stack["cloud_storage_service_account"]}"
+  ]
+  set_owners_for = [
+    "loki-stack"
+  ]
+}
+
+module "loki-stack_bucket" {
+  count = local.loki-stack["enabled"] && local.loki-stack["create_bucket"] ? 1 : 0
+
+  source     = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version    = "~> 4.0"
+  project_id = var.project_id
+  location   = local.loki-stack["bucket_location"]
+
+  name = local.loki-stack["bucket"]
+
+  encryption = {
+    default_kms_key_name = module.loki-stack_kms_bucket[0].keys.loki-stack
+  }
+
+}
+
+resource "tls_private_key" "loki-stack-ca-key" {
+  count       = local.loki-stack["enabled"] && local.loki-stack["generate_ca"] ? 1 : 0
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P384"
+}
+
+resource "tls_self_signed_cert" "loki-stack-ca-cert" {
+  count             = local.loki-stack["enabled"] && local.loki-stack["generate_ca"] ? 1 : 0
+  private_key_pem   = tls_private_key.loki-stack-ca-key[0].private_key_pem
+  is_ca_certificate = true
+
+  subject {
+    common_name  = var.cluster-name
+    organization = var.cluster-name
+  }
+
+  validity_period_hours = 87600
+  early_renewal_hours   = 720
+
+  allowed_uses = [
+    "cert_signing"
+  ]
+}
+
+resource "kubernetes_network_policy" "loki-stack_default_deny" {
+  count = local.loki-stack["create_ns"] && local.loki-stack["enabled"] && local.loki-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-default-deny"
+    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "loki-stack_allow_namespace" {
+  count = local.loki-stack["create_ns"] && local.loki-stack["enabled"] && local.loki-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-namespace"
+    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "loki-stack_allow_ingress" {
+  count = local.loki-stack["create_ns"] && local.loki-stack["enabled"] && local.loki-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-ingress"
+    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            "${local.labels_prefix}/component" = "ingress"
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_secret" "loki-stack-ca" {
+  count = local.loki-stack["enabled"] && (local.loki-stack["generate_ca"] || local.loki-stack["trusted_ca_content"] != null) ? 1 : 0
+  metadata {
+    name      = "${local.loki-stack["name"]}-ca"
+    namespace = local.loki-stack["create_ns"] ? kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack["namespace"]
+  }
+
+  data = {
+    "ca.crt" = local.loki-stack["generate_ca"] ? tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem : local.loki-stack["trusted_ca_content"]
+  }
+}
+
+resource "tls_private_key" "promtail-key" {
+  count       = local.loki-stack["enabled"] && local.loki-stack["generate_ca"] && local.loki-stack["create_promtail_cert"] ? 1 : 0
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P384"
+}
+
+resource "tls_cert_request" "promtail-csr" {
+  count           = local.loki-stack["enabled"] && local.loki-stack["generate_ca"] && local.loki-stack["create_promtail_cert"] ? 1 : 0
+  private_key_pem = tls_private_key.promtail-key[count.index].private_key_pem
+
+  subject {
+    common_name = "promtail"
+  }
+
+  dns_names = [
+    "promtail"
+  ]
+}
+
+resource "tls_locally_signed_cert" "promtail-cert" {
+  count              = local.loki-stack["enabled"] && local.loki-stack["generate_ca"] && local.loki-stack["create_promtail_cert"] ? 1 : 0
+  cert_request_pem   = tls_cert_request.promtail-csr[count.index].cert_request_pem
+  ca_private_key_pem = tls_private_key.loki-stack-ca-key[count.index].private_key_pem
+  ca_cert_pem        = tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem
+
+  validity_period_hours = 8760
+  early_renewal_hours   = 720
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "client_auth"
+  ]
+}
+
+output "loki-stack-ca" {
+  value = element(concat(tls_self_signed_cert.loki-stack-ca-cert[*].cert_pem, [""]), 0)
+}
+
+output "promtail-key" {
+  value     = element(concat(tls_private_key.promtail-key[*].private_key_pem, [""]), 0)
+  sensitive = true
+}
+
+output "promtail-cert" {
+  value     = element(concat(tls_locally_signed_cert.promtail-cert[*].cert_pem, [""]), 0)
+  sensitive = true
+}
diff --git a/modules/google/node-problem-detector.tf b/modules/google/node-problem-detector.tf
new file mode 120000
index 000000000..d36454667
--- /dev/null
+++ b/modules/google/node-problem-detector.tf
@@ -0,0 +1 @@
+../../node-problem-detector.tf
\ No newline at end of file
diff --git a/modules/google/prometheus-adapter.tf b/modules/google/prometheus-adapter.tf
new file mode 120000
index 000000000..0763f3b8e
--- /dev/null
+++ b/modules/google/prometheus-adapter.tf
@@ -0,0 +1 @@
+../../prometheus-adapter.tf
\ No newline at end of file
diff --git a/modules/google/promtail.tf b/modules/google/promtail.tf
new file mode 120000
index 000000000..5eb599466
--- /dev/null
+++ b/modules/google/promtail.tf
@@ -0,0 +1 @@
+../../promtail.tf
\ No newline at end of file
diff --git a/modules/google/sealed-secrets.tf b/modules/google/sealed-secrets.tf
new file mode 120000
index 000000000..14c20cffe
--- /dev/null
+++ b/modules/google/sealed-secrets.tf
@@ -0,0 +1 @@
+../../sealed-secrets.tf
\ No newline at end of file
diff --git a/modules/google/secrets-store-csi-driver.tf b/modules/google/secrets-store-csi-driver.tf
new file mode 120000
index 000000000..dcd0fef46
--- /dev/null
+++ b/modules/google/secrets-store-csi-driver.tf
@@ -0,0 +1 @@
+../../secrets-store-csi-driver.tf
\ No newline at end of file
diff --git a/modules/google/templates/cert-manager-cluster-issuers.yaml.tpl b/modules/google/templates/cert-manager-cluster-issuers.yaml.tpl
new file mode 100644
index 000000000..3619a4a25
--- /dev/null
+++ b/modules/google/templates/cert-manager-cluster-issuers.yaml.tpl
@@ -0,0 +1,54 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: '${acme_email}'
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    %{ if acme_dns01_enabled }
+    - dns01:
+        route53:
+          region: '${aws_region}'
+    %{ endif }
+    %{ if acme_http01_enabled }
+    - http01:
+        ingress:
+          class: '${acme_http01_ingress_class}'
+      %{ if acme_dns01_enabled }
+      selector:
+        matchLabels:
+          "use-http01-solver": "true"
+      %{ endif }
+    %{ endif }
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: '${acme_email}'
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+    %{ if acme_dns01_enabled }
+    - dns01:
+        route53:
+          region: '${aws_region}'
+    %{ endif }
+    %{ if acme_http01_enabled }
+    - http01:
+        ingress:
+          class: '${acme_http01_ingress_class}'
+      %{ if acme_dns01_enabled }
+      selector:
+        matchLabels:
+          "use-http01-solver": "true"
+      %{ endif }
+    %{ endif }
diff --git a/modules/google/templates/cert-manager-csi-driver.yaml.tpl b/modules/google/templates/cert-manager-csi-driver.yaml.tpl
new file mode 120000
index 000000000..e9a7203f7
--- /dev/null
+++ b/modules/google/templates/cert-manager-csi-driver.yaml.tpl
@@ -0,0 +1 @@
+../../../templates/cert-manager-csi-driver.yaml.tpl
\ No newline at end of file
diff --git a/modules/google/templates/cni-metrics-helper.yaml.tpl b/modules/google/templates/cni-metrics-helper.yaml.tpl
new file mode 100644
index 000000000..173583e14
--- /dev/null
+++ b/modules/google/templates/cni-metrics-helper.yaml.tpl
@@ -0,0 +1,86 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cni-metrics-helper
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cni-metrics-helper
+subjects:
+  - kind: ServiceAccount
+    name: cni-metrics-helper
+    namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cni-metrics-helper
+rules:
+  - apiGroups: [""]
+    resources:
+      - nodes
+      - pods
+      - pods/proxy
+      - services
+      - resourcequotas
+      - replicationcontrollers
+      - limitranges
+      - persistentvolumeclaims
+      - persistentvolumes
+      - namespaces
+      - endpoints
+    verbs: ["list", "watch", "get"]
+  - apiGroups: ["extensions"]
+    resources:
+      - daemonsets
+      - deployments
+      - replicasets
+    verbs: ["list", "watch"]
+  - apiGroups: ["apps"]
+    resources:
+      - statefulsets
+    verbs: ["list", "watch"]
+  - apiGroups: ["batch"]
+    resources:
+      - cronjobs
+      - jobs
+    verbs: ["list", "watch"]
+  - apiGroups: ["autoscaling"]
+    resources:
+      - horizontalpodautoscalers
+    verbs: ["list", "watch"]
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: cni-metrics-helper
+  namespace: kube-system
+  labels:
+    k8s-app: cni-metrics-helper
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cni-metrics-helper
+  template:
+    metadata:
+      labels:
+        k8s-app: cni-metrics-helper
+    spec:
+      serviceAccountName: cni-metrics-helper
+      containers:
+      - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:${cni-metrics-helper_version}
+        imagePullPolicy: Always
+        name: cni-metrics-helper
+        env:
+          - name: USE_CLOUDWATCH
+            value: "true"
+      priorityClassName: "system-cluster-critical"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cni-metrics-helper
+  namespace: kube-system
+  annotations:
+    eks.amazonaws.com/role-arn: "${cni-metrics-helper_role_arn_irsa}"
diff --git a/modules/google/thanos-memcached.tf b/modules/google/thanos-memcached.tf
new file mode 100644
index 000000000..362d30482
--- /dev/null
+++ b/modules/google/thanos-memcached.tf
@@ -0,0 +1,57 @@
+locals {
+
+  thanos-memcached = merge(
+    local.helm_defaults,
+    {
+      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].name
+      repository    = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].repository
+      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "memcached")].version
+      name          = "thanos-memcached"
+      namespace     = local.thanos["namespace"]
+      enabled       = false
+    },
+    var.thanos-memcached
+  )
+
+  values_thanos-memcached = <<-VALUES
+    architecture: "high-availability"
+    replicaCount: 2
+    podAntiAffinityPreset: hard
+    metrics:
+      enabled: ${local.kube-prometheus-stack["enabled"]}
+      serviceMonitor:
+        enabled: ${local.kube-prometheus-stack["enabled"]}
+    VALUES
+}
+
+resource "helm_release" "thanos-memcached" {
+  count                 = local.thanos-memcached["enabled"] ? 1 : 0
+  repository            = local.thanos-memcached["repository"]
+  name                  = local.thanos-memcached["name"]
+  chart                 = local.thanos-memcached["chart"]
+  version               = local.thanos-memcached["chart_version"]
+  timeout               = local.thanos-memcached["timeout"]
+  force_update          = local.thanos-memcached["force_update"]
+  recreate_pods         = local.thanos-memcached["recreate_pods"]
+  wait                  = local.thanos-memcached["wait"]
+  atomic                = local.thanos-memcached["atomic"]
+  cleanup_on_fail       = local.thanos-memcached["cleanup_on_fail"]
+  dependency_update     = local.thanos-memcached["dependency_update"]
+  disable_crd_hooks     = local.thanos-memcached["disable_crd_hooks"]
+  disable_webhooks      = local.thanos-memcached["disable_webhooks"]
+  render_subchart_notes = local.thanos-memcached["render_subchart_notes"]
+  replace               = local.thanos-memcached["replace"]
+  reset_values          = local.thanos-memcached["reset_values"]
+  reuse_values          = local.thanos-memcached["reuse_values"]
+  skip_crds             = local.thanos-memcached["skip_crds"]
+  verify                = local.thanos-memcached["verify"]
+  values = compact([
+    local.values_thanos-memcached,
+    local.thanos-memcached["extra_values"]
+  ])
+  namespace = local.thanos-memcached["namespace"]
+
+  depends_on = [
+    helm_release.kube-prometheus-stack,
+  ]
+}
diff --git a/modules/google/thanos-storegateway.tf b/modules/google/thanos-storegateway.tf
new file mode 100644
index 000000000..3934a0177
--- /dev/null
+++ b/modules/google/thanos-storegateway.tf
@@ -0,0 +1,114 @@
+locals {
+
+  thanos-storegateway = { for k, v in var.thanos-storegateway : k => merge(
+    local.helm_defaults,
+    {
+      chart                   = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
+      repository              = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
+      chart_version           = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
+      name                    = "${local.thanos["name"]}-storegateway-${k}"
+      create_iam_resources    = true
+      iam_policy_override     = null
+      enabled                 = false
+      default_global_requests = false
+      default_global_limits   = false
+      bucket                  = null
+      region                  = null
+      name_prefix             = "${var.cluster-name}-thanos-sg"
+    },
+    v,
+  ) }
+
+  values_thanos-storegateway = { for k, v in local.thanos-storegateway : k => merge(
+    {
+      values = <<-VALUES
+        objstoreConfig:
+          type: GCS
+          config:
+            bucket: ${v["bucket"]}
+            service_account: "${v["name_prefix"]}-thanos-sg"
+        metrics:
+          enabled: true
+          serviceMonitor:
+            enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
+        query:
+          enabled: false
+        queryFrontend:
+          enabled: false
+        compactor:
+          enabled: false
+        storegateway:
+          replicaCount: 2
+          extraFlags:
+            - --ignore-deletion-marks-delay=24h
+          enabled: true
+          serviceAccount:
+            annotations:
+              eks.amazonaws.com/role-arn: "${v["enabled"] && v["create_iam_resources"] ? module.iam_assumable_sa_thanos-storegateway[k].iam_role_arn : ""}"
+              iam.gke.io/gcp-service-account: "${v["enabled"] && v["create_iam_resources"] ? module.iam_assumable_sa_thanos-storegateway[k].gcp_service_account_name : ""}"
+          pdb:
+            create: true
+            minAvailable: 1
+        VALUES
+    },
+    v,
+  ) }
+}
+
+module "iam_assumable_sa_thanos-storegateway" {
+  for_each   = local.thanos-storegateway
+  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  version    = "~> 9.0"
+  namespace  = each.value["namespace"]
+  project_id = data.google_project.current.id
+  name       = "${each.value["name_prefix"]}-${each.key}"
+}
+
+
+module "thanos-storegateway_bucket_iam" {
+  for_each = local.thanos-storegateway
+  source   = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
+  version  = "~> 7.6"
+
+  mode            = "additive"
+  storage_buckets = [each.value["bucket"]]
+  bindings = {
+    "roles/storage.objectViewer" = [
+      "serviceAccount:${module.iam_assumable_sa_thanos-storegateway["${each.key}"].gcp_service_account_email}"
+    ]
+  }
+}
+
+resource "helm_release" "thanos-storegateway" {
+  for_each              = { for k, v in local.thanos-storegateway : k => v if v["enabled"] }
+  repository            = each.value["repository"]
+  name                  = each.value["name"]
+  chart                 = each.value["chart"]
+  version               = each.value["chart_version"]
+  timeout               = each.value["timeout"]
+  force_update          = each.value["force_update"]
+  recreate_pods         = each.value["recreate_pods"]
+  wait                  = each.value["wait"]
+  atomic                = each.value["atomic"]
+  cleanup_on_fail       = each.value["cleanup_on_fail"]
+  dependency_update     = each.value["dependency_update"]
+  disable_crd_hooks     = each.value["disable_crd_hooks"]
+  disable_webhooks      = each.value["disable_webhooks"]
+  render_subchart_notes = each.value["render_subchart_notes"]
+  replace               = each.value["replace"]
+  reset_values          = each.value["reset_values"]
+  reuse_values          = each.value["reuse_values"]
+  skip_crds             = each.value["skip_crds"]
+  verify                = each.value["verify"]
+  values = compact([
+    local.values_thanos-storegateway[each.key]["values"],
+    each.value["default_global_requests"] ? local.values_thanos_global_requests : null,
+    each.value["default_global_limits"] ? local.values_thanos_global_limits : null,
+    each.value["extra_values"]
+  ])
+  namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos["namespace"]
+
+  depends_on = [
+    helm_release.kube-prometheus-stack,
+  ]
+}
diff --git a/modules/google/thanos-tls-querier.tf b/modules/google/thanos-tls-querier.tf
new file mode 100644
index 000000000..1d42f7760
--- /dev/null
+++ b/modules/google/thanos-tls-querier.tf
@@ -0,0 +1,162 @@
+locals {
+
+  thanos-tls-querier = { for k, v in var.thanos-tls-querier : k => merge(
+    local.helm_defaults,
+    {
+      chart              = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
+      repository         = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
+      chart_version      = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
+      name               = "${local.thanos["name"]}-tls-querier-${k}"
+      enabled            = false
+      generate_cert      = local.thanos["generate_ca"]
+      client_server_name = ""
+      ## This default to Let's encrypt R3 CA
+      grpc_client_tls_ca_pem  = <<-EOV
+        -----BEGIN CERTIFICATE-----
+        MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+        TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+        cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+        WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+        RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+        AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+        R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+        sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+        NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+        Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+        /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+        AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+        Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+        FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+        AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+        Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+        gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+        PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+        ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+        CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+        lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+        avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+        yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+        yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+        hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+        HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+        MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+        nLRbwHOoq7hHwg==
+        -----END CERTIFICATE-----
+        EOV
+      stores                  = []
+      default_global_requests = false
+      default_global_limits   = false
+    },
+    v,
+  ) }
+
+  values_thanos-tls-querier = { for k, v in local.thanos-tls-querier : k => merge(
+    {
+      values = <<-VALUES
+        metrics:
+          enabled: true
+          serviceMonitor:
+            enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
+        query:
+          replicaCount: 2
+          extraFlags:
+            - --query.timeout=5m
+            - --query.lookback-delta=15m
+            - --query.replica-label=rule_replica
+          enabled: true
+          dnsDiscovery:
+            enabled: false
+          pdb:
+            create: true
+            minAvailable: 1
+          grpc:
+            client:
+              servername: ${v["client_server_name"]}
+              tls:
+                enabled: ${v["generate_cert"]}
+                key: |
+                  ${indent(10, v["generate_cert"] ? tls_private_key.thanos-tls-querier-cert-key[k].private_key_pem : "")}
+                cert: |
+                  ${indent(10, v["generate_cert"] ? tls_locally_signed_cert.thanos-tls-querier-cert[k].cert_pem : "")}
+                ca: |
+                  ${indent(10, v["generate_cert"] ? v["grpc_client_tls_ca_pem"] : "")}
+          stores: ${jsonencode(v["stores"])}
+        queryFrontend:
+          enabled: false
+        compactor:
+          enabled: false
+        storegateway:
+          enabled: false
+        VALUES
+    },
+    v,
+  ) }
+}
+
+resource "helm_release" "thanos-tls-querier" {
+  for_each              = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] }
+  repository            = each.value["repository"]
+  name                  = each.value["name"]
+  chart                 = each.value["chart"]
+  version               = each.value["chart_version"]
+  timeout               = each.value["timeout"]
+  force_update          = each.value["force_update"]
+  recreate_pods         = each.value["recreate_pods"]
+  wait                  = each.value["wait"]
+  atomic                = each.value["atomic"]
+  cleanup_on_fail       = each.value["cleanup_on_fail"]
+  dependency_update     = each.value["dependency_update"]
+  disable_crd_hooks     = each.value["disable_crd_hooks"]
+  disable_webhooks      = each.value["disable_webhooks"]
+  render_subchart_notes = each.value["render_subchart_notes"]
+  replace               = each.value["replace"]
+  reset_values          = each.value["reset_values"]
+  reuse_values          = each.value["reuse_values"]
+  skip_crds             = each.value["skip_crds"]
+  verify                = each.value["verify"]
+  values = compact([
+    local.values_thanos-tls-querier[each.key]["values"],
+    each.value["default_global_requests"] ? local.values_thanos_global_requests : null,
+    each.value["default_global_limits"] ? local.values_thanos_global_limits : null,
+    each.value["extra_values"]
+  ])
+  namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos["namespace"]
+
+  depends_on = [
+    helm_release.kube-prometheus-stack,
+  ]
+}
+
+resource "tls_private_key" "thanos-tls-querier-cert-key" {
+  for_each    = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P384"
+}
+
+resource "tls_cert_request" "thanos-tls-querier-cert-csr" {
+  for_each        = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
+  private_key_pem = tls_private_key.thanos-tls-querier-cert-key[each.key].private_key_pem
+
+  subject {
+    common_name = each.key
+  }
+
+  dns_names = [
+    each.key
+  ]
+}
+
+resource "tls_locally_signed_cert" "thanos-tls-querier-cert" {
+  for_each           = { for k, v in local.thanos-tls-querier : k => v if v["enabled"] && v["generate_cert"] }
+  cert_request_pem   = tls_cert_request.thanos-tls-querier-cert-csr[each.key].cert_request_pem
+  ca_private_key_pem = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem
+  ca_cert_pem        = tls_self_signed_cert.thanos-tls-querier-ca-cert[0].cert_pem
+
+  validity_period_hours = 8760
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "client_auth"
+  ]
+}
diff --git a/modules/google/thanos.tf b/modules/google/thanos.tf
new file mode 100644
index 000000000..fc3ca8068
--- /dev/null
+++ b/modules/google/thanos.tf
@@ -0,0 +1,384 @@
+locals {
+
+  thanos = merge(
+    local.helm_defaults,
+    {
+      name                    = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
+      chart                   = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].name
+      repository              = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].repository
+      chart_version           = local.helm_dependencies[index(local.helm_dependencies.*.name, "thanos")].version
+      namespace               = "monitoring"
+      create_iam_resources    = true
+      iam_policy_override     = null
+      create_ns               = false
+      enabled                 = false
+      default_network_policy  = true
+      default_global_requests = false
+      default_global_limits   = false
+      create_bucket           = false
+      bucket                  = "thanos-store-${var.cluster-name}"
+      bucket_force_destroy    = false
+      bucket_location         = "europe-west1"
+      kms_bucket_location     = "europe-west1"
+      generate_ca             = false
+      trusted_ca_content      = null
+      name_prefix             = "gke-thanos"
+    },
+    var.thanos
+  )
+
+  values_thanos = <<-VALUES
+    receive:
+      enabled: false
+      pdb:
+        create: true
+        minAvailable: 1
+      serviceAccount:
+        annotations:
+          iam.gke.io/gcp-service-account: "${local.thanos["enabled"] && local.thanos["create_iam_resources"] ? module.iam_assumable_sa_thanos.gcp_service_account_email : ""}"
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: ${local.kube-prometheus-stack["enabled"] ? "true" : "false"}
+    query:
+      extraFlags:
+        - --query.timeout=5m
+        - --query.lookback-delta=15m
+        - --query.replica-label=rule_replica
+      replicaCount: 2
+      replicaLabel:
+        - prometheus_replica
+      enabled: true
+      dnsDiscovery:
+        enabled: true
+        sidecarsService: ${local.kube-prometheus-stack["name"]}-thanos-discovery
+        sidecarsNamespace: "${local.kube-prometheus-stack["namespace"]}"
+      pdb:
+        create: true
+        minAvailable: 1
+      stores: ${jsonencode(concat([for k, v in local.thanos-tls-querier : "dnssrv+_grpc._tcp.${v["name"]}-query-grpc.${local.thanos["namespace"]}.svc.cluster.local"], [for k, v in local.thanos-storegateway : "dnssrv+_grpc._tcp.${v["name"]}-storegateway.${local.thanos["namespace"]}.svc.cluster.local"]))}
+    queryFrontend:
+      extraFlags:
+        - --query-frontend.compress-responses
+        - --query-range.split-interval=12h
+        - --labels.split-interval=12h
+        - --query-range.max-retries-per-request=10
+        - --labels.max-retries-per-request=10
+        - --query-frontend.log-queries-longer-than=10s
+      replicaCount: 2
+      enabled: true
+      pdb:
+        create: true
+        minAvailable: 1
+    compactor:
+      extraFlags:
+        - --deduplication.replica-label=prometheus_replica
+        - --deduplication.replica-label=rule_replica
+      strategyType: Recreate
+      enabled: true
+      serviceAccount:
+        annotations:
+          iam.gke.io/gcp-service-account: "${local.thanos["enabled"] && local.thanos["create_iam_resources"] ? module.iam_assumable_sa_thanos-compactor.gcp_service_account_email : ""}"
+    storegateway:
+      extraFlags:
+        - --ignore-deletion-marks-delay=24h
+      replicaCount: 2
+      enabled: true
+      serviceAccount:
+        annotations:
+          iam.gke.io/gcp-service-account: "${local.thanos["enabled"] && local.thanos["create_iam_resources"] ? module.iam_assumable_sa_thanos-sg.gcp_service_account_email : ""}"
+      pdb:
+        create: true
+        minAvailable: 1
+    VALUES
+
+  values_thanos_caching = <<-VALUES
+    queryFrontend:
+      extraFlags:
+        - --query-frontend.compress-responses
+        - --query-range.split-interval=12h
+        - --labels.split-interval=12h
+        - --query-range.max-retries-per-request=10
+        - --labels.max-retries-per-request=10
+        - --query-frontend.log-queries-longer-than=10s
+        - |-
+          --query-range.response-cache-config="config":
+            "addresses":
+            - "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
+            "dns_provider_update_interval": "10s"
+            "max_async_buffer_size": 10000
+            "max_async_concurrency": 20
+            "max_get_multi_batch_size": 0
+            "max_get_multi_concurrency": 100
+            "max_idle_connections": 100
+            "timeout": "500ms"
+          "type": "memcached"
+        - |-
+          --labels.response-cache-config="config":
+            "addresses":
+            - "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
+            "dns_provider_update_interval": "10s"
+            "max_async_buffer_size": 10000
+            "max_async_concurrency": 20
+            "max_get_multi_batch_size": 0
+            "max_get_multi_concurrency": 100
+            "max_idle_connections": 100
+            "timeout": "500ms"
+          "type": "memcached"
+    storegateway:
+      extraFlags:
+        - --ignore-deletion-marks-delay=24h
+        - |-
+          --index-cache.config="config":
+            "addresses":
+            - "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
+            "dns_provider_update_interval": "10s"
+            "max_async_buffer_size": 10000
+            "max_async_concurrency": 20
+            "max_get_multi_batch_size": 0
+            "max_get_multi_concurrency": 100
+            "max_idle_connections": 100
+            "max_item_size": "1MiB"
+            "timeout": "500ms"
+          "type": "memcached"
+        - |-
+          --store.caching-bucket.config="blocks_iter_ttl": "5m"
+          "chunk_object_attrs_ttl": "24h"
+          "chunk_subrange_size": 16000
+          "chunk_subrange_ttl": "24h"
+          "config":
+            "addresses":
+            - "dnssrv+_memcache._tcp.${local.thanos-memcached["name"]}.${local.thanos-memcached["namespace"]}.svc.cluster.local"
+            "dns_provider_update_interval": "10s"
+            "max_async_buffer_size": 10000
+            "max_async_concurrency": 20
+            "max_get_multi_batch_size": 0
+            "max_get_multi_concurrency": 100
+            "max_idle_connections": 100
+            "max_item_size": "1MiB"
+            "timeout": "500ms"
+          "max_chunks_get_range_requests": 3
+          "metafile_content_ttl": "24h"
+          "metafile_doesnt_exist_ttl": "15m"
+          "metafile_exists_ttl": "2h"
+          "metafile_max_size": "1MiB"
+          "type": "memcached"
+    VALUES
+
+
+  values_store_config = <<-VALUES
+    objstoreConfig:
+      type: GCS
+      config:
+        bucket: ${local.thanos["bucket"]}
+    VALUES
+
+  values_thanos_global_requests = <<-VALUES
+    query:
+      resources:
+        requests:
+          cpu: 25m
+          memory: 32Mi
+    queryFrontend:
+      resources:
+        requests:
+          cpu: 25m
+          memory: 32Mi
+    compactor:
+      resources:
+        requests:
+          cpu: 50m
+          memory: 258Mi
+    storegateway:
+      resources:
+        requests:
+          cpu: 25m
+          memory: 64Mi
+    VALUES
+
+  values_thanos_global_limits = <<-VALUES
+    query:
+      resources:
+        limits:
+          memory: 128Mi
+    queryFrontend:
+      resources:
+        limits:
+          memory: 64Mi
+    compactor:
+      resources:
+        limits:
+          memory: 2Gi
+    storegateway:
+      resources:
+        limits:
+          memory: 1Gi
+    VALUES
+}
+
+module "iam_assumable_sa_thanos" {
+  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  version    = "~> 9.0"
+  namespace  = local.thanos["namespace"]
+  project_id = var.project_id
+  name       = local.thanos["name"]
+}
+
+module "iam_assumable_sa_thanos-compactor" {
+  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  version    = "~> 9.0"
+  namespace  = local.thanos["namespace"]
+  project_id = var.project_id
+  name       = "${local.thanos["name"]}-compactor"
+}
+
+module "iam_assumable_sa_thanos-sg" {
+  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  version    = "~> 9.0"
+  namespace  = local.thanos["namespace"]
+  project_id = var.project_id
+  name       = "${local.thanos["name"]}-sg"
+}
+
+module "thanos_bucket" {
+  count = local.thanos["enabled"] && local.thanos["create_bucket"] ? 1 : 0
+
+  source     = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version    = "~> 4.0"
+  project_id = var.project_id
+  location   = local.thanos["bucket_location"]
+
+  name = local.thanos["bucket"]
+
+  encryption = {
+    default_kms_key_name = module.thanos_kms_bucket[0].keys.thanos
+  }
+
+}
+
+module "thanos_kms_bucket" {
+  count   = local.thanos["enabled"] && local.thanos["create_bucket"] ? 1 : 0
+  source  = "terraform-google-modules/kms/google"
+  version = "2.2.2"
+
+  project_id = var.project_id
+  location   = local.thanos["kms_bucket_location"]
+  keyring    = "thanos"
+  keys       = ["thanos"]
+  owners = [
+    "serviceAccount:${local.thanos["cloud_storage_service_account"]}"
+  ]
+  set_owners_for = [
+    "thanos"
+  ]
+}
+
+module "thanos_bucket_iam" {
+  count   = local.thanos["enabled"] ? 1 : 0
+  source  = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
+  version = "~> 7.6"
+
+  mode            = "additive"
+  storage_buckets = [local.thanos["bucket"]]
+  bindings = {
+    "roles/storage.objectViewer" = [
+      "serviceAccount:${module.iam_assumable_sa_thanos.gcp_service_account_email}",
+      "serviceAccount:${module.iam_assumable_sa_thanos-compactor.gcp_service_account_email}",
+      "serviceAccount:${module.iam_assumable_sa_thanos-sg.gcp_service_account_email}",
+    ]
+    "roles/storage.objectCreator" = [
+      "serviceAccount:${module.iam_assumable_sa_thanos.gcp_service_account_email}",
+      "serviceAccount:${module.iam_assumable_sa_thanos-compactor.gcp_service_account_email}",
+      "serviceAccount:${module.iam_assumable_sa_thanos-sg.gcp_service_account_email}",
+    ]
+  }
+}
+
+resource "kubernetes_namespace" "thanos" {
+  count = local.thanos["enabled"] && local.thanos["create_ns"] ? 1 : 0
+
+  metadata {
+    labels = {
+      name                               = local.thanos["namespace"]
+      "${local.labels_prefix}/component" = "monitoring"
+    }
+
+    name = local.thanos["namespace"]
+  }
+}
+
+resource "helm_release" "thanos" {
+  count                 = local.thanos["enabled"] ? 1 : 0
+  repository            = local.thanos["repository"]
+  name                  = local.thanos["name"]
+  chart                 = local.thanos["chart"]
+  version               = local.thanos["chart_version"]
+  timeout               = local.thanos["timeout"]
+  force_update          = local.thanos["force_update"]
+  recreate_pods         = local.thanos["recreate_pods"]
+  wait                  = local.thanos["wait"]
+  atomic                = local.thanos["atomic"]
+  cleanup_on_fail       = local.thanos["cleanup_on_fail"]
+  dependency_update     = local.thanos["dependency_update"]
+  disable_crd_hooks     = local.thanos["disable_crd_hooks"]
+  disable_webhooks      = local.thanos["disable_webhooks"]
+  render_subchart_notes = local.thanos["render_subchart_notes"]
+  replace               = local.thanos["replace"]
+  reset_values          = local.thanos["reset_values"]
+  reuse_values          = local.thanos["reuse_values"]
+  skip_crds             = local.thanos["skip_crds"]
+  verify                = local.thanos["verify"]
+  values = compact([
+    local.values_thanos,
+    local.values_store_config,
+    local.thanos["default_global_requests"] ? local.values_thanos_global_requests : null,
+    local.thanos["default_global_limits"] ? local.values_thanos_global_limits : null,
+    local.thanos-memcached["enabled"] ? local.values_thanos_caching : null,
+    local.thanos["extra_values"]
+  ])
+  namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos["namespace"]
+
+  depends_on = [
+    helm_release.kube-prometheus-stack,
+    helm_release.thanos-memcached
+  ]
+}
+
+resource "tls_private_key" "thanos-tls-querier-ca-key" {
+  count       = local.thanos["generate_ca"] ? 1 : 0
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P384"
+}
+
+resource "tls_self_signed_cert" "thanos-tls-querier-ca-cert" {
+  count             = local.thanos["generate_ca"] ? 1 : 0
+  private_key_pem   = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem
+  is_ca_certificate = true
+
+  subject {
+    common_name  = var.cluster-name
+    organization = var.cluster-name
+  }
+
+  validity_period_hours = 87600
+
+  allowed_uses = [
+    "cert_signing"
+  ]
+}
+
+resource "kubernetes_secret" "thanos-ca" {
+  count = local.thanos["enabled"] && (local.thanos["generate_ca"] || local.thanos["trusted_ca_content"] != null) ? 1 : 0
+  metadata {
+    name      = "${local.thanos["name"]}-ca"
+    namespace = local.thanos["create_ns"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos["namespace"]
+  }
+
+  data = {
+    "ca.crt" = local.thanos["generate_ca"] ? tls_self_signed_cert.thanos-tls-querier-ca-cert[count.index].cert_pem : local.thanos["trusted_ca_content"]
+  }
+}
+
+output "thanos_ca" {
+  value = element(concat(tls_self_signed_cert.thanos-tls-querier-ca-cert[*].cert_pem, [""]), 0)
+}
diff --git a/modules/google/traefik.tf b/modules/google/traefik.tf
new file mode 120000
index 000000000..817a38f9d
--- /dev/null
+++ b/modules/google/traefik.tf
@@ -0,0 +1 @@
+../../traefik.tf
\ No newline at end of file
diff --git a/modules/google/variables-google.tf b/modules/google/variables-google.tf
new file mode 100644
index 000000000..64b40e86f
--- /dev/null
+++ b/modules/google/variables-google.tf
@@ -0,0 +1,41 @@
+variable "google" {
+  description = "GCP provider customization"
+  type        = any
+  default     = {}
+}
+
+variable "project_id" {
+  description = "GCP project id"
+  type        = string
+  default     = ""
+}
+
+variable "cni-metrics-helper" {
+  description = "Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values"
+  type        = any
+  default     = {}
+}
+
+variable "gke" {
+  description = "GKE cluster inputs"
+  type        = any
+  default     = {}
+}
+
+variable "prometheus-cloudwatch-exporter" {
+  description = "Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values"
+  type        = any
+  default     = {}
+}
+
+variable "tags" {
+  description = "Map of tags for Google resources"
+  type        = map(any)
+  default     = {}
+}
+
+variable "velero" {
+  description = "Customize velero chart, see `velero.tf` for supported values"
+  type        = any
+  default     = {}
+}
diff --git a/modules/google/versions.tf b/modules/google/versions.tf
index 591bd7087..eda74991d 100644
--- a/modules/google/versions.tf
+++ b/modules/google/versions.tf
@@ -13,5 +13,21 @@ terraform {
       source  = "NikolaLohinski/jinja"
       version = "~> 1.15"
     }
+    flux = {
+      source  = "fluxcd/flux"
+      version = "1.0.0-rc.5"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "~> 5.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = ">= 3"
+    }
   }
 }
diff --git a/modules/google/victoria-metrics-k8s-stack.tf b/modules/google/victoria-metrics-k8s-stack.tf
new file mode 100644
index 000000000..e2e040464
--- /dev/null
+++ b/modules/google/victoria-metrics-k8s-stack.tf
@@ -0,0 +1,207 @@
+locals {
+  victoria-metrics-k8s-stack = merge(
+    local.helm_defaults,
+    {
+      name                             = local.helm_dependencies[index(local.helm_dependencies.*.name, "victoria-metrics-k8s-stack")].name
+      chart                            = local.helm_dependencies[index(local.helm_dependencies.*.name, "victoria-metrics-k8s-stack")].name
+      repository                       = local.helm_dependencies[index(local.helm_dependencies.*.name, "victoria-metrics-k8s-stack")].repository
+      chart_version                    = local.helm_dependencies[index(local.helm_dependencies.*.name, "victoria-metrics-k8s-stack")].version
+      namespace                        = "monitoring"
+      enabled                          = false
+      allowed_cidrs                    = ["0.0.0.0/0"]
+      default_network_policy           = true
+      install_prometheus_operator_crds = true
+    },
+    var.victoria-metrics-k8s-stack
+  )
+
+  values_victoria-metrics-k8s-stack = <<VALUES
+kubeScheduler:
+  enabled: false
+kubeControllerManager:
+  enabled: false
+kubeEtcd:
+  enabled: false
+kubeProxy:
+  enabled: false
+grafana:
+  adminPassword: ${join(",", random_string.grafana_password.*.result)}
+prometheus-node-exporter:
+  priorityClassName: ${local.priority-class-ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
+victoria-metrics-operator:
+  createCRD: false
+  operator:
+    disable_prometheus_converter: false
+    enable_converter_ownership: true
+    useCustomConfigReloader: true
+vmsingle:
+  spec:
+    extraArgs:
+      maxLabelsPerTimeseries: "50"
+vmagent:
+  spec:
+    externalLabels:
+      cluster: ${var.cluster-name}
+    serviceScrapeNamespaceSelector: {}
+    podScrapeNamespaceSelector: {}
+    podScrapeSelector: {}
+    serviceScrapeSelector: {}
+    nodeScrapeSelector: {}
+    nodeScrapeNamespaceSelector: {}
+    staticScrapeSelector: {}
+    staticScrapeNamespaceSelector: {}
+VALUES
+
+}
+
+resource "kubernetes_namespace" "victoria-metrics-k8s-stack" {
+  count = local.victoria-metrics-k8s-stack["enabled"] ? 1 : 0
+
+  metadata {
+    labels = {
+      name                               = local.victoria-metrics-k8s-stack["namespace"]
+      "${local.labels_prefix}/component" = "monitoring"
+    }
+
+    name = local.victoria-metrics-k8s-stack["namespace"]
+  }
+}
+
+resource "helm_release" "victoria-metrics-k8s-stack" {
+  count                 = local.victoria-metrics-k8s-stack["enabled"] ? 1 : 0
+  repository            = local.victoria-metrics-k8s-stack["repository"]
+  name                  = local.victoria-metrics-k8s-stack["name"]
+  chart                 = local.victoria-metrics-k8s-stack["chart"]
+  version               = local.victoria-metrics-k8s-stack["chart_version"]
+  timeout               = local.victoria-metrics-k8s-stack["timeout"]
+  force_update          = local.victoria-metrics-k8s-stack["force_update"]
+  recreate_pods         = local.victoria-metrics-k8s-stack["recreate_pods"]
+  wait                  = local.victoria-metrics-k8s-stack["wait"]
+  atomic                = local.victoria-metrics-k8s-stack["atomic"]
+  cleanup_on_fail       = local.victoria-metrics-k8s-stack["cleanup_on_fail"]
+  dependency_update     = local.victoria-metrics-k8s-stack["dependency_update"]
+  disable_crd_hooks     = local.victoria-metrics-k8s-stack["disable_crd_hooks"]
+  disable_webhooks      = local.victoria-metrics-k8s-stack["disable_webhooks"]
+  render_subchart_notes = local.victoria-metrics-k8s-stack["render_subchart_notes"]
+  replace               = local.victoria-metrics-k8s-stack["replace"]
+  reset_values          = local.victoria-metrics-k8s-stack["reset_values"]
+  reuse_values          = local.victoria-metrics-k8s-stack["reuse_values"]
+  skip_crds             = local.victoria-metrics-k8s-stack["skip_crds"]
+  verify                = local.victoria-metrics-k8s-stack["verify"]
+  values = compact([
+    local.values_victoria-metrics-k8s-stack,
+    local.cert-manager["enabled"] ? local.values_dashboard_cert-manager : null,
+    local.ingress-nginx["enabled"] ? local.values_dashboard_ingress-nginx : null,
+    local.values_dashboard_node_exporter,
+    local.victoria-metrics-k8s-stack["extra_values"]
+  ])
+  namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]
+
+  depends_on = [
+    helm_release.ingress-nginx,
+  ]
+}
+
+resource "kubernetes_network_policy" "victoria-metrics-k8s-stack_default_deny" {
+  count = local.victoria-metrics-k8s-stack["enabled"] && local.victoria-metrics-k8s-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-default-deny"
+    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "victoria-metrics-k8s-stack_allow_namespace" {
+  count = local.victoria-metrics-k8s-stack["enabled"] && local.victoria-metrics-k8s-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-namespace"
+    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "victoria-metrics-k8s-stack_allow_ingress" {
+  count = local.victoria-metrics-k8s-stack["enabled"] && local.victoria-metrics-k8s-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-ingress"
+    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            "${local.labels_prefix}/component" = "ingress"
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "victoria-metrics-k8s-stack_allow_control_plane" {
+  count = local.victoria-metrics-k8s-stack["enabled"] && local.victoria-metrics-k8s-stack["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-control-plane"
+    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+      match_expressions {
+        key      = "app"
+        operator = "In"
+        values   = ["${local.victoria-metrics-k8s-stack["name"]}-operator"]
+      }
+    }
+
+    ingress {
+      ports {
+        port     = "10250"
+        protocol = "TCP"
+      }
+
+      dynamic "from" {
+        for_each = local.victoria-metrics-k8s-stack["allowed_cidrs"]
+        content {
+          ip_block {
+            cidr = from.value
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}