From da4ca7df343d525eff6e4ba3a4eaa98621af8b31 Mon Sep 17 00:00:00 2001 From: Tarun Annapareddy Date: Mon, 12 Jan 2026 12:07:33 +0530 Subject: [PATCH 1/8] Add Terraform files to deploy Envoy RateLimiter --- .../terraform/envoy-ratelimiter/README.md | 150 ++++++++ examples/terraform/envoy-ratelimiter/gke.tf | 38 ++ .../terraform/envoy-ratelimiter/network.tf | 25 ++ .../terraform/envoy-ratelimiter/outputs.tf | 25 ++ .../envoy-ratelimiter/prerequisites.tf | 51 +++ .../terraform/envoy-ratelimiter/provider.tf | 44 +++ .../terraform/envoy-ratelimiter/ratelimit.tf | 344 ++++++++++++++++++ .../terraform/envoy-ratelimiter/variables.tf | 125 +++++++ 8 files changed, 802 insertions(+) create mode 100644 examples/terraform/envoy-ratelimiter/README.md create mode 100644 examples/terraform/envoy-ratelimiter/gke.tf create mode 100644 examples/terraform/envoy-ratelimiter/network.tf create mode 100644 examples/terraform/envoy-ratelimiter/outputs.tf create mode 100644 examples/terraform/envoy-ratelimiter/prerequisites.tf create mode 100644 examples/terraform/envoy-ratelimiter/provider.tf create mode 100644 examples/terraform/envoy-ratelimiter/ratelimit.tf create mode 100644 examples/terraform/envoy-ratelimiter/variables.tf diff --git a/examples/terraform/envoy-ratelimiter/README.md b/examples/terraform/envoy-ratelimiter/README.md new file mode 100644 index 000000000000..19bec416773d --- /dev/null +++ b/examples/terraform/envoy-ratelimiter/README.md 
@@ -0,0 +1,150 @@ + + +# Envoy Rate Limiter on GKE (Terraform) +This directory contains a production-ready Terraform module to deploy a scalable **Envoy Rate Limit Service** on Google Kubernetes Engine (GKE) Autopilot. + +## Architectures: +- **GKE Autopilot**: Fully managed, serverless Kubernetes environment. + - **Private Cluster**: Nodes have internal IPs only. + - **Cloud NAT (Prerequisite)**: Allows private nodes to pull Docker images. +- **Envoy Rate Limit Service**: A stateless Go/gRPC service that handles rate limit logic. +- **Redis**: Stores the rate limit counters. +- **StatsD Exporter**: Sidecar container that converts StatsD metrics to Prometheus format, exposed on port `9102`. +- **Internal Load Balancer**: A Google Cloud TCP Load Balancer exposing the Rate Limit service internally within the VPC. + +## Prerequisites: +### Following items need to be setup for Envoy Rate Limiter deployment on GCP: +1. [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects) + +2. [Tools Installed](https://cloud.google.com/sdk/docs/install): + - [Terraform](https://www.terraform.io/downloads.html) >= 1.0 + - [Google Cloud SDK](https://cloud.google.com/sdk/docs/install) (`gcloud`) + - [kubectl](https://kubernetes.io/docs/tasks/tools/) + +3. APIs Enabled: + ```bash + gcloud services enable container.googleapis.com compute.googleapis.com + ``` + +4. **Network Configuration**: + - **Cloud NAT**: Must exist in the region to allow Private Nodes to pull images and reach external APIs. + - **Validation via Console**: + 1. Go to **Network Services** > **Cloud NAT** in the Google Cloud Console. + 2. Verify a NAT Gateway exists for your **Region** (`us-central1`) and **VPC Network**. + 3. Ensure it is configured to apply to **Primary and Secondary ranges** (or at least the ranges GKE will use). + +# Prepare deployment configuration: +1. 
Create a `terraform.tfvars` file to define variables specific to your environment: + +* `terraform.tfvars` environment variables: +``` +project_id = "my-project-id" # GCP Project ID +region = "us-central1" # GCP Region for deployment +cluster_name = "ratelimit-cluster" # Name of the GKE cluster +deletion_protection = true # Prevent accidental cluster deletion (set "true" for prod) +control_plane_cidr = "172.16.0.0/28" # CIDR for GKE control plane (must not overlap with subnet) +ratelimit_replicas = 1 # Initial number of Rate Limit pods +min_replicas = 1 # Minimum HPA replicas +max_replicas = 5 # Maximum HPA replicas +hpa_cpu_target = 80 # CPU utilization target for HPA (%) +vpc_name = "default" # Existing VPC name to deploy into +subnet_name = "default" # Existing Subnet name (required for Internal LB IP) +ratelimit_image = "envoyproxy/ratelimit:e9ce92cc" # Docker image for Rate Limit service +redis_image = "redis:6.2-alpine" # Docker image for Redis +``` + +* Custom Rate Limit Configuration (Must override in `terraform.tfvars`): +``` +ratelimit_config_yaml = <:8081`. + +4. **Test with Dataflow Workflow**: + Verify connectivity and rate limiting logic by running the example Dataflow pipeline. 
+ + ```bash + # Get the Internal Load Balancer IP + export RLS_IP=$(terraform output -raw load_balancer_ip) + + python sdks/python/apache_beam/examples/rate_limiter_simple.py \ + --runner=DataflowRunner \ + --project= \ + --region= \ + --temp_location=gs:///temp \ + --staging_location=gs:///staging \ + --job_name=ratelimit-test-$(date +%s) \ + # Point to the Terraform-provisioned Internal IP + --rls_address=${RLS_IP}:8081 \ + # REQUIRED: Run workers in the same private subnet + --subnetwork=regions//subnetworks/ \ + --no_use_public_ips + ``` + + +# Clean up resources: +To destroy the cluster and all created resources: +```bash +terraform destroy +``` +*Note: If `deletion_protection` was enabled, you must set it to `false` in `terraform.tfvars` before destroying.* + +# Variables description: + +|Variable |Description |Default | +|-----------------------|:----------------------------------------------------|:--------------------------------| +|project_id |**Required** Google Cloud Project ID |- | +|vpc_name |**Required** Existing VPC name to deploy into |- | +|subnet_name |**Required** Existing Subnet name |- | +|region |GCP Region for deployment |us-central1 | +|control_plane_cidr |CIDR block for GKE control plane |172.16.0.0/28 | +|cluster_name |Name of the GKE cluster |ratelimit-cluster | +|deletion_protection |Prevent accidental cluster deletion |false | +|ratelimit_replicas |Initial number of Rate Limit pods |1 | +|min_replicas |Minimum HPA replicas |1 | +|max_replicas |Maximum HPA replicas |5 | +|hpa_cpu_target |CPU utilization target for HPA (%) |80 | +|ratelimit_image |Docker image for Rate Limit service |envoyproxy/ratelimit:e9ce92cc | +|redis_image |Docker image for Redis |redis:6.2-alpine | + diff --git a/examples/terraform/envoy-ratelimiter/gke.tf b/examples/terraform/envoy-ratelimiter/gke.tf new file mode 100644 index 000000000000..b0fadbf5f87b --- /dev/null +++ b/examples/terraform/envoy-ratelimiter/gke.tf 
@@ -0,0 +1,38 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// Provision the Kubernetes cluster. +resource "google_container_cluster" "primary" { + name = var.cluster_name + location = var.region + + enable_autopilot = true + deletion_protection = var.deletion_protection + + network = data.google_compute_network.default.id + subnetwork = data.google_compute_subnetwork.default.id + + ip_allocation_policy {} + + # Private Cluster Configuration + private_cluster_config { + enable_private_nodes = true # Nodes have internal IPs only + enable_private_endpoint = false # Master is accessible via Public IP (required for Terraform from outside VPC) + master_ipv4_cidr_block = var.control_plane_cidr + } +} \ No newline at end of file diff --git a/examples/terraform/envoy-ratelimiter/network.tf b/examples/terraform/envoy-ratelimiter/network.tf new file mode 100644 index 000000000000..3c31907e4d16 --- /dev/null +++ b/examples/terraform/envoy-ratelimiter/network.tf 
@@ -0,0 +1,25 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +resource "google_compute_address" "ratelimit_ip" { + name = var.ip_name != "" ? var.ip_name : "${var.cluster_name}-ratelimit-ip" + region = var.region + address_type = "INTERNAL" + subnetwork = data.google_compute_subnetwork.default.id +} diff --git a/examples/terraform/envoy-ratelimiter/outputs.tf b/examples/terraform/envoy-ratelimiter/outputs.tf new file mode 100644 index 000000000000..011069e85556 --- /dev/null +++ b/examples/terraform/envoy-ratelimiter/outputs.tf 
@@ -0,0 +1,25 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "cluster_name" { + value = google_container_cluster.primary.name +} + +output "load_balancer_ip" { + value = google_compute_address.ratelimit_ip.address +} diff --git a/examples/terraform/envoy-ratelimiter/prerequisites.tf b/examples/terraform/envoy-ratelimiter/prerequisites.tf new file mode 100644 index 000000000000..1456d009d282 --- /dev/null +++ b/examples/terraform/envoy-ratelimiter/prerequisites.tf 
@@ -0,0 +1,51 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "google_project_service" "required" { + for_each = toset([ + "container", + "iam", + "compute", + ]) + service = "${each.key}.googleapis.com" + disable_on_destroy = false +} + +// Query the VPC network to make sure it exists. +data "google_compute_network" "default" { + depends_on = [google_project_service.required] + name = var.vpc_name +} + +// Query the VPC subnetwork to make sure it exists in the region specified. +data "google_compute_subnetwork" "default" { + depends_on = [google_project_service.required] + name = var.subnet_name + region = var.region + lifecycle { + postcondition { + condition = self.private_ip_google_access + error_message = < Date: Mon, 12 Jan 2026 17:01:40 +0530 Subject: [PATCH 2/8] fix variables --- .../terraform/envoy-ratelimiter/README.md | 5 +- .../terraform/envoy-ratelimiter/variables.tf | 48 +++++++++---------- 2 files changed, 26 insertions(+), 27 deletions(-) diff --git a/examples/terraform/envoy-ratelimiter/README.md b/examples/terraform/envoy-ratelimiter/README.md index 19bec416773d..7ff3d8ab480c 100644 --- a/examples/terraform/envoy-ratelimiter/README.md 
+++ b/examples/terraform/envoy-ratelimiter/README.md @@ -44,10 +44,10 @@ This directory contains a production-ready Terraform module to deploy a scalable ``` 4. **Network Configuration**: - - **Cloud NAT**: Must exist in the region to allow Private Nodes to pull images and reach external APIs. + - **Cloud NAT**: Must exist in the region to allow Private Nodes to pull images and reach external APIs. Follow [this](https://docs.cloud.google.com/nat/docs/gke-example#create-nat) for more details. - **Validation via Console**: 1. Go to **Network Services** > **Cloud NAT** in the Google Cloud Console. - 2. Verify a NAT Gateway exists for your **Region** (`us-central1`) and **VPC Network**. + 2. Verify a NAT Gateway exists for your **Region** and **VPC Network**. 3. Ensure it is configured to apply to **Primary and Secondary ranges** (or at least the ranges GKE will use). # Prepare deployment configuration: @@ -137,6 +137,7 @@ terraform destroy |project_id |**Required** Google Cloud Project ID |- | |vpc_name |**Required** Existing VPC name to deploy into |- | |subnet_name |**Required** Existing Subnet name |- | +|ratelimit_config_yaml |**Required** Rate Limit configuration content |- | |region |GCP Region for deployment |us-central1 | |control_plane_cidr |CIDR block for GKE control plane |172.16.0.0/28 | |cluster_name |Name of the GKE cluster |ratelimit-cluster | diff --git a/examples/terraform/envoy-ratelimiter/variables.tf b/examples/terraform/envoy-ratelimiter/variables.tf index 6d7d5d0f4ad3..a1622a1c6007 100644 --- a/examples/terraform/envoy-ratelimiter/variables.tf +++ b/examples/terraform/envoy-ratelimiter/variables.tf 
@@ -16,11 +16,34 @@ * limitations under the License. */ +# ------------------------------------------------------------------------------ +# REQUIRED VARIABLES +# ------------------------------------------------------------------------------ + variable "project_id" { description = "The Google Cloud Project ID" type = string } +variable "vpc_name" { + description = "The name of the existing VPC network" + type = string +} + +variable "subnet_name" { + description = "The name of the existing subnetwork." + type = string +} + +variable "ratelimit_config_yaml" { + description = "Content of the ratelimit config.yaml (Required)" + type = string +} + +# ------------------------------------------------------------------------------ +# OPTIONAL VARIABLES +# ------------------------------------------------------------------------------ + variable "region" { description = "The region to deploy resources to" type = string @@ -45,16 +68,6 @@ variable "deletion_protection" { default = false } -variable "vpc_name" { - description = "The name of the existing VPC network" - type = string -} - -variable "subnet_name" { - description = "The name of the existing subnetwork." - type = string -} - variable "ip_name" { description = "The name of the static IP address to reserve. If empty, defaults to -ratelimit-ip" type = string @@ -103,21 +116,6 @@ variable "statsd_exporter_image" { default = "prom/statsd-exporter:v0.24.0" } -variable "ratelimit_config_yaml" { - description = "Content of the ratelimit config.yaml" - type = string - default = < Date: Mon, 12 Jan 2026 17:18:55 +0530 Subject: [PATCH 3/8] Add nat creation command to readme --- examples/terraform/envoy-ratelimiter/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/examples/terraform/envoy-ratelimiter/README.md b/examples/terraform/envoy-ratelimiter/README.md index 7ff3d8ab480c..48f8873cecd9 100644 --- a/examples/terraform/envoy-ratelimiter/README.md +++ b/examples/terraform/envoy-ratelimiter/README.md 
@@ -45,6 +45,15 @@ This directory contains a production-ready Terraform module to deploy a scalable 4. **Network Configuration**: - **Cloud NAT**: Must exist in the region to allow Private Nodes to pull images and reach external APIs. Follow [this](https://docs.cloud.google.com/nat/docs/gke-example#create-nat) for more details. + **Helper Command** (if you need to create one): + ```bash + gcloud compute routers create nat-router --network --region + gcloud compute routers nats create nat-config \ + --router=nat-router \ + --region= \ + --auto-allocated-nat-external-ips \ + --nat-all-subnet-ip-ranges + ``` - **Validation via Console**: 1. Go to **Network Services** > **Cloud NAT** in the Google Cloud Console. 2. Verify a NAT Gateway exists for your **Region** and **VPC Network**. From ea52f5b38fcf93861744fbc1158b42046cadf421 Mon Sep 17 00:00:00 2001 From: Tarun Annapareddy Date: Mon, 12 Jan 2026 20:05:35 +0530 Subject: [PATCH 4/8] add hpa for memory --- .../terraform/envoy-ratelimiter/README.md | 14 ++++-- .../terraform/envoy-ratelimiter/ratelimit.tf | 44 +++++++++++-------- .../terraform/envoy-ratelimiter/variables.tf | 44 ++++++++++++++++++- 3 files changed, 79 insertions(+), 23 deletions(-) diff --git a/examples/terraform/envoy-ratelimiter/README.md b/examples/terraform/envoy-ratelimiter/README.md index 48f8873cecd9..fecfc2e1d5d7 100644 --- a/examples/terraform/envoy-ratelimiter/README.md +++ b/examples/terraform/envoy-ratelimiter/README.md 
@@ -77,17 +77,20 @@ vpc_name = "default" # Existing VPC name to deplo subnet_name = "default" # Existing Subnet name (required for Internal LB IP) ratelimit_image = "envoyproxy/ratelimit:e9ce92cc" # Docker image for Rate Limit service redis_image = "redis:6.2-alpine" # Docker image for Redis +ratelimit_resources = { requests = { cpu = "100m", memory = "128Mi" }, limits = { cpu = "500m", memory = "512Mi" } } +redis_resources = { requests = { cpu = "250m", memory = "256Mi" }, limits = { cpu = "500m", memory = "512Mi" } } ``` * Custom Rate Limit Configuration (Must override in `terraform.tfvars`): ``` ratelimit_config_yaml = < Date: Fri, 16 Jan 2026 01:36:28 +0530 Subject: [PATCH 5/8] fix redability comments --- examples/terraform/envoy-ratelimiter/README.md | 7 ++++--- examples/terraform/envoy-ratelimiter/outputs.tf | 6 ++++-- .../terraform/envoy-ratelimiter/prerequisites.tf | 7 +++---- .../terraform/envoy-ratelimiter/ratelimit.tf | 16 ++++++++-------- .../terraform/envoy-ratelimiter/variables.tf | 4 ++-- 5 files changed, 21 insertions(+), 19 deletions(-) diff --git a/examples/terraform/envoy-ratelimiter/README.md b/examples/terraform/envoy-ratelimiter/README.md index fecfc2e1d5d7..57609184d6ca 100644 --- a/examples/terraform/envoy-ratelimiter/README.md +++ b/examples/terraform/envoy-ratelimiter/README.md @@ -72,7 +72,8 @@ control_plane_cidr = "172.16.0.0/28" # CIDR for GKE control plane ratelimit_replicas = 1 # Initial number of Rate Limit pods min_replicas = 1 # Minimum HPA replicas max_replicas = 5 # Maximum HPA replicas -hpa_cpu_target = 80 # CPU utilization target for HPA (%) +hpa_cpu_target_percentage = 75 # CPU utilization target for HPA (%) +hpa_memory_target_percentage = 75 # Memory utilization target for HPA (%) vpc_name = "default" # Existing VPC name to deploy into subnet_name = "default" # Existing Subnet name (required for Internal LB IP) ratelimit_image = "envoyproxy/ratelimit:e9ce92cc" # Docker image for Rate Limit service 
@@ -157,8 +158,8 @@ terraform destroy |ratelimit_replicas |Initial number of Rate Limit pods |1 | |min_replicas |Minimum HPA replicas |1 | |max_replicas |Maximum HPA replicas |5 | -|hpa_cpu_target |CPU utilization target for HPA (%) |75 | -|hpa_memory_target |Memory utilization target for HPA (%) |75 | +|hpa_cpu_target_percentage |CPU utilization target for HPA (%) |75 | +|hpa_memory_target_percentage |Memory utilization target for HPA (%) |75 | |ratelimit_image |Docker image for Rate Limit service |envoyproxy/ratelimit:e9ce92cc | |redis_image |Docker image for Redis |redis:6.2-alpine | |ratelimit_resources |Resources for Rate Limit service (map) |requests/limits (CPU/Mem) | diff --git a/examples/terraform/envoy-ratelimiter/outputs.tf b/examples/terraform/envoy-ratelimiter/outputs.tf index 011069e85556..9ee95093f644 100644 --- a/examples/terraform/envoy-ratelimiter/outputs.tf +++ b/examples/terraform/envoy-ratelimiter/outputs.tf @@ -17,9 +17,11 @@ */ output "cluster_name" { - value = google_container_cluster.primary.name + description = "The name of the GKE cluster." + value = google_container_cluster.primary.name } output "load_balancer_ip" { - value = google_compute_address.ratelimit_ip.address + description = "The IP address of the load balancer." + value = google_compute_address.ratelimit_ip.address } diff --git a/examples/terraform/envoy-ratelimiter/prerequisites.tf b/examples/terraform/envoy-ratelimiter/prerequisites.tf index 1456d009d282..41151fae91cc 100644 --- a/examples/terraform/envoy-ratelimiter/prerequisites.tf +++ b/examples/terraform/envoy-ratelimiter/prerequisites.tf 
@@ -22,21 +22,22 @@ resource "google_project_service" "required" { "iam", "compute", ]) + service = "${each.key}.googleapis.com" disable_on_destroy = false } // Query the VPC network to make sure it exists. data "google_compute_network" "default" { - depends_on = [google_project_service.required] name = var.vpc_name + depends_on = [google_project_service.required] } // Query the VPC subnetwork to make sure it exists in the region specified. data "google_compute_subnetwork" "default" { - depends_on = [google_project_service.required] name = var.subnet_name region = var.region + depends_on = [google_project_service.required] lifecycle { postcondition { condition = self.private_ip_google_access @@ -47,5 +48,3 @@ EOT } } } - - diff --git a/examples/terraform/envoy-ratelimiter/ratelimit.tf b/examples/terraform/envoy-ratelimiter/ratelimit.tf index a9748115296d..795edf9c7b4d 100644 --- a/examples/terraform/envoy-ratelimiter/ratelimit.tf +++ b/examples/terraform/envoy-ratelimiter/ratelimit.tf @@ -20,9 +20,9 @@ # GKE Public Endpoint takes ~1-2 minutes to become globally routable after creation. # This delay prevents "network is unreachable" errors during initial resource deployment. resource "time_sleep" "wait_for_cluster" { - depends_on = [google_container_cluster.primary] - create_duration = "60s" + + depends_on = [google_container_cluster.primary] } # ConfigMap @@ -226,15 +226,15 @@ resource "kubernetes_deployment" "ratelimit" { } } - lifecycle { - ignore_changes = [spec[0].replicas] - } - depends_on = [ time_sleep.wait_for_cluster, kubernetes_config_map.ratelimit_config, kubernetes_service.redis ] + + lifecycle { + ignore_changes = [spec[0].replicas] + } } resource "kubernetes_horizontal_pod_autoscaler_v2" "ratelimit" { @@ -258,7 +258,7 @@ resource "kubernetes_horizontal_pod_autoscaler_v2" "ratelimit" { name = "cpu" target { type = "Utilization" - average_utilization = var.hpa_cpu_target + average_utilization = var.hpa_cpu_target_percentage } } } 
@@ -269,7 +269,7 @@ resource "kubernetes_horizontal_pod_autoscaler_v2" "ratelimit" { name = "memory" target { type = "Utilization" - average_utilization = var.hpa_memory_target + average_utilization = var.hpa_memory_target_percentage } } } diff --git a/examples/terraform/envoy-ratelimiter/variables.tf b/examples/terraform/envoy-ratelimiter/variables.tf index d2c4d76177bd..661a1531f31f 100644 --- a/examples/terraform/envoy-ratelimiter/variables.tf +++ b/examples/terraform/envoy-ratelimiter/variables.tf @@ -92,13 +92,13 @@ variable "max_replicas" { default = 5 } -variable "hpa_cpu_target" { +variable "hpa_cpu_target_percentage" { description = "Target CPU utilization percentage for autoscaling" type = number default = 75 } -variable "hpa_memory_target" { +variable "hpa_memory_target_percentage" { description = "Target Memory utilization percentage for autoscaling" type = number default = 75 From a2490669825d95c867b1a0af6968ad2045157054 Mon Sep 17 00:00:00 2001 From: Tarun Annapareddy Date: Sat, 17 Jan 2026 01:07:25 +0530 Subject: [PATCH 6/8] fix comments --- .../terraform/envoy-ratelimiter/README.md | 11 ++++++++- .../envoy-ratelimiter/terraform.tfvars | 23 +++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 examples/terraform/envoy-ratelimiter/terraform.tfvars diff --git a/examples/terraform/envoy-ratelimiter/README.md b/examples/terraform/envoy-ratelimiter/README.md index 57609184d6ca..bab7a6284f46 100644 --- a/examples/terraform/envoy-ratelimiter/README.md +++ b/examples/terraform/envoy-ratelimiter/README.md 
@@ -20,6 +20,15 @@ # Envoy Rate Limiter on GKE (Terraform) This directory contains a production-ready Terraform module to deploy a scalable **Envoy Rate Limit Service** on Google Kubernetes Engine (GKE) Autopilot. +## Overview +Apache Beam pipelines often process data at massive scale, which can easily overwhelm external APIs (e.g., Databases, LLM Inference endpoints, SaaS APIs). + +This Terraform module deploys a **centralized Rate Limit Service (RLS)** using Envoy. Dataflow workers can query this service to coordinate global quotas across thousands of distributed workers, ensuring you stay within safe API limits without hitting `429 Too Many Requests` errors. + +Example Beam Pipelines using it: +* [Simple DoFn RateLimiter](https://github.com/apache/beam/blob/master/sdks/python/apache_beam/examples/rate_limiter_simple.py) +* [Vertex AI RateLimiter](https://github.com/apache/beam/blob/master/sdks/python/apache_beam/examples/inference/rate_limiter_vertex_ai.py) + ## Architectures: - **GKE Autopilot**: Fully managed, serverless Kubernetes environment. - **Private Cluster**: Nodes have internal IPs only. @@ -60,7 +69,7 @@ This directory contains a production-ready Terraform module to deploy a scalable 3. Ensure it is configured to apply to **Primary and Secondary ranges** (or at least the ranges GKE will use). # Prepare deployment configuration: -1. Create a `terraform.tfvars` file to define variables specific to your environment: +1. Update the `terraform.tfvars` file to define variables specific to your environment: * `terraform.tfvars` environment variables: ``` diff --git a/examples/terraform/envoy-ratelimiter/terraform.tfvars b/examples/terraform/envoy-ratelimiter/terraform.tfvars new file mode 100644 index 000000000000..b814a0967779 --- /dev/null +++ b/examples/terraform/envoy-ratelimiter/terraform.tfvars 
@@ -0,0 +1,23 @@ +project_id = "PROJECT_ID" +region = "REGION" + +vpc_name = "VPC_NAME" +subnet_name = "SUBNET_NAME" + +# update the below config value to match your need +# https://github.com/envoyproxy/ratelimit?tab=readme-ov-file#examples +ratelimit_config_yaml = < Date: Sat, 17 Jan 2026 01:36:51 +0530 Subject: [PATCH 7/8] add license --- .../envoy-ratelimiter/terraform.tfvars | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/examples/terraform/envoy-ratelimiter/terraform.tfvars b/examples/terraform/envoy-ratelimiter/terraform.tfvars index b814a0967779..69d8bc8860e2 100644 --- a/examples/terraform/envoy-ratelimiter/terraform.tfvars +++ b/examples/terraform/envoy-ratelimiter/terraform.tfvars @@ -1,3 +1,21 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + project_id = "PROJECT_ID" region = "REGION" From 1315c86dae09445ee96f81a98f9a0bbf3c538dfd Mon Sep 17 00:00:00 2001 From: Tarun Annapareddy Date: Sat, 17 Jan 2026 01:43:26 +0530 Subject: [PATCH 8/8] Update examples/terraform/envoy-ratelimiter/README.md Co-authored-by: Danny McCormick --- examples/terraform/envoy-ratelimiter/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/examples/terraform/envoy-ratelimiter/README.md b/examples/terraform/envoy-ratelimiter/README.md index bab7a6284f46..47d66832487d 100644 --- a/examples/terraform/envoy-ratelimiter/README.md +++ b/examples/terraform/envoy-ratelimiter/README.md @@ -23,7 +23,7 @@ This directory contains a production-ready Terraform module to deploy a scalable ## Overview Apache Beam pipelines often process data at massive scale, which can easily overwhelm external APIs (e.g., Databases, LLM Inference endpoints, SaaS APIs). -This Terraform module deploys a **centralized Rate Limit Service (RLS)** using Envoy. Dataflow workers can query this service to coordinate global quotas across thousands of distributed workers, ensuring you stay within safe API limits without hitting `429 Too Many Requests` errors. +This Terraform module deploys a **centralized Rate Limit Service (RLS)** using Envoy. Beam workers can query this service to coordinate global quotas across thousands of distributed workers, ensuring you stay within safe API limits without hitting `429 Too Many Requests` errors. Example Beam Pipelines using it: * [Simple DoFn RateLimiter](https://github.com/apache/beam/blob/master/sdks/python/apache_beam/examples/rate_limiter_simple.py)
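Review bot: In PATCH 1/8, README.md, the "Test with Dataflow Workflow" command places `# Point to the Terraform-provisioned Internal IP` and `# REQUIRED: Run workers in the same private subnet` between backslash-continued lines. The shell treats everything after the first `#` as a comment and ends the command there, so `--rls_address`, `--subnetwork` and `--no_use_public_ips` are never passed to the pipeline and the next line runs as a separate command. Move both comments above the `python` line, or drop them and describe the flags in the surrounding prose, so a copy-pasted command keeps the workers on the private subnet.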
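Review bot: In PATCH 1/8, gke.tf, `private_cluster_config` sets `enable_private_endpoint = false` and the resource has no `master_authorized_networks_config` block, so nothing in this file restricts which source addresses can reach the control-plane endpoint. For a module the README calls production-ready, add a variable for the allowed CIDR list and wire it into `master_authorized_networks_config`, keeping the public endpoint only for the ranges Terraform runs from. The file also ends without a trailing newline.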
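Review bot: In PATCH 2/8, variables.tf, `ratelimit_config_yaml` becomes a required string with no `validation` block, so an empty or malformed value is accepted at plan time and only surfaces once the rate limit pods load the ConfigMap. Add a validation such as `condition = can(yamldecode(var.ratelimit_config_yaml))` with an error message that points to the expected format, and drop "(Required)" from the description since the missing default already conveys it.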
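Review bot: In PATCH 3/8, README.md, the helper command uses `--nat-all-subnet-ip-ranges`, which gives outbound internet access to every subnet of the VPC in that region, while the validation step right below only asks for "at least the ranges GKE will use". State that scope next to the command and mention `--nat-custom-subnet-ip-ranges` as the narrower option for users who share the VPC with other workloads.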
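Review bot: In PATCH 5/8, ratelimit.tf, the `time_sleep.wait_for_cluster` resource keeps `create_duration = "60s"` although the comment directly above it says the endpoint takes "~1-2 minutes" to become routable, so the wait covers only the lower bound and the first apply can still fail with the "network is unreachable" error the comment describes. Raise the duration to match the stated upper bound, or make it a variable, and update the comment to say which value was chosen and why.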
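Review bot: In PATCH 5/8, variables.tf, `hpa_cpu_target_percentage` and `hpa_memory_target_percentage` are plain `number` variables with no range check, so a value such as 0 or 750 passes `terraform plan` and only fails, or misbehaves, at the HPA. Add a `validation` block to each that requires a value between 1 and 100. The rename also breaks any existing tfvars that set `hpa_cpu_target` or `hpa_memory_target`; the README table rows for the new names are wider than the column and should be re-aligned.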
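Review bot: In PATCH 6/8, the new file is committed as `terraform.tfvars`, which Terraform loads automatically, and the README now tells users to edit it in place; anyone working from a fork will have their real `project_id`, VPC and subnet names show up as tracked changes. Rename the template to `terraform.tfvars.example`, have the README say to copy it to `terraform.tfvars`, and keep the placeholder values (`"PROJECT_ID"`, `"REGION"`) only in the example file.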