OpenClaw GitOps: AI Agent Infrastructure as Code

Zero-cost DevOps stack for deploying OpenClaw AI agents on Google Cloud using Terraform, Docker, and GitHub Actions—all within $10 monthly credit.

Originally published: GitHub by kennethaasan

OpenClaw GitOps: Production AI Agent Infrastructure on Google Cloud

OpenClaw GitOps is a professional-grade, zero-cost DevOps stack that automates the deployment and management of the OpenClaw AI Agent on Google Cloud Platform. It leverages Google's Gemini 3 API, Terraform Infrastructure-as-Code, and GitHub Actions CI/CD to create a fully automated, secure, and cost-optimized agent runtime—all within Google's $10 monthly free credit.

This project bridges the gap between powerful AI agents and practical infrastructure concerns: how do you deploy, monitor, and iterate on an AI agent without cloud bill shock? OpenClaw GitOps answers that by coupling intelligent infrastructure automation with intelligent cost management, delivering a production-ready system for developers, AI researchers, and DevOps practitioners who want hands-off agent deployment.

Core Architecture & Technology Stack

Compute: Google Cloud Spot VM (e2-medium) in Stockholm (europe-north2) runs OpenClaw in a containerized environment, reducing compute costs by 60–70% vs. on-demand pricing.

Storage & State: 10GB persistent disk stores Signal session data and agent memory; Terraform Cloud manages infrastructure state with built-in locking and versioning.

Intelligence Layer: Google Gemini 3 Pro/Flash API powers agent reasoning via the opencode-antigravity-auth bridge, enabling advanced multi-turn conversations and task execution.

Messaging Interface: Signal integration allows the agent to receive and respond to messages as a linked device, making it accessible via your existing Signal app.

CI/CD Pipeline: GitHub Actions automates the entire deployment workflow—code push triggers Terraform validation, Docker image build, artifact registry push, and VM update in a single workflow.
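As an added illustration, not the project's own Terraform (which lives in the repository), here is how the compute layer described above can be expressed in HCL: a Spot e2-medium in europe-north2, a separate 10 GB persistent disk for Signal session data and agent memory, and a static external IP that survives preemption. The zone, the boot image, the use of the default network, the variable names and the resource names are assumptions.

```hcl
# Added example, not the repository's own code. The compute layer as described:
# Spot VM in Stockholm, detached data disk, static IP. Zone, image and names are assumed.

variable "project_id" { type = string }

# Email of the dedicated runtime service account (defined elsewhere in the stack);
# using a variable keeps this file self-contained.
variable "service_account_email" { type = string }

provider "google" {
  project = var.project_id
  region  = "europe-north2"
  zone    = "europe-north2-a" # assumed zone within the Stockholm region
}

# Reserved external address: the VM keeps the same IP across Spot preemptions,
# which is what the ~$3.60/month line item in the cost breakdown pays for.
resource "google_compute_address" "openclaw" {
  name   = "openclaw-ip"
  region = "europe-north2"
}

# Separate persistent disk so Signal session data and agent memory are not tied
# to the boot disk and survive the instance being recreated.
resource "google_compute_disk" "data" {
  name = "openclaw-data"
  type = "pd-standard"
  zone = "europe-north2-a"
  size = 10 # GB
}

resource "google_compute_instance" "openclaw" {
  name         = "openclaw"
  machine_type = "e2-medium"
  zone         = "europe-north2-a"
  tags         = ["openclaw"] # matched by firewall rules for IAP-only SSH

  # Spot provisioning: the instance may be reclaimed at any time, so automatic
  # restart must be off and the reclaim action is STOP rather than DELETE, so the
  # boot disk and attached data disk stay in place until the VM is started again.
  scheduling {
    provisioning_model          = "SPOT"
    preemptible                 = true
    automatic_restart           = false
    instance_termination_action = "STOP"
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # assumed; Docker is installed by provisioning not shown here
      size  = 10
    }
  }

  attached_disk {
    source      = google_compute_disk.data.self_link
    device_name = "openclaw-data"
  }

  network_interface {
    network = "default"
    access_config {
      nat_ip = google_compute_address.openclaw.address
    }
  }

  # Run as the dedicated service account, not the Compute Engine default one.
  # With cloud-platform scope, what the VM may do is decided entirely by IAM roles.
  service_account {
    email  = var.service_account_email
    scopes = ["cloud-platform"]
  }
}
```

Two details carry the cost and durability properties the article claims: `instance_termination_action = "STOP"` keeps the disks when Spot capacity is reclaimed, and mounting the data disk separately means a `terraform taint` or image change on the VM does not erase the Signal link.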

Key Features

  • Zero-Cost Infrastructure: Entire stack fits within Google Cloud's $10/month free credit ($6 Spot VM, $3.60 static IP, $0.40 storage).
  • Fully Automated Deployment: Push to main triggers end-to-end CI/CD: infrastructure validation, container build, registry push, and live server update.
  • Infrastructure-as-Code Quality Gates: Every commit validated via terraform fmt, terraform validate, and TFLint with Google-specific rules.
  • Immutable Artifact Versioning: Docker images tagged with Git SHA and pushed to private Google Artifact Registry; easy version rollback.
  • Secure Remote Access: SSH tunneling via Identity-Aware Proxy (IAP) for headless server debugging, log access, and UI control without exposing ports.
  • Least-Privilege Security: Dedicated GCP Service Account with narrowly scoped IAM roles; secrets managed via Terraform Cloud and GitHub encrypted secrets.
  • Code Quality Enforcement: Node.js and configuration linting via Biome; integrated into CI/CD to catch issues before deployment.
  • Easy Version Pinning: OpenClaw version controlled in docker/Dockerfile; update one line and re-push to main for automated rollout.
  • Signal Integration: Agent links as a Signal device; test via "Note to Self" messaging for reliable real-world validation.

Getting Started

Prerequisites:

  • Google Cloud Project with billing enabled (use $10 free credit).
  • Terraform Cloud free account (app.terraform.io).
  • OpenCode CLI installed locally (bun install -g opencode-ai).
  • GitHub repository access with secrets management.

Setup Overview:

  1. Terraform Cloud: Create workspace "openclaw-gitops" in org "aasan_dev"; add workspace variables for GCP credentials and project ID.
  2. GitHub Secrets: Store TF_API_TOKEN, GCP_PROJECT_ID, GCP_CREDENTIALS, and SIGNAL_PHONE_NUMBER as repository secrets.
  3. Authenticate Gemini: Run opencode auth login locally, copy session to VM via gcloud compute scp + IAP tunnel.
  4. Link Signal: SSH into VM via IAP, run docker compose exec openclaw npx openclaw channels login signal, and scan QR code from Signal app.
  5. Deploy: Push to main; GitHub Actions validates, builds, and deploys automatically.

Full deployment instructions with command examples are documented in the repository README.

Monitoring & Debugging

Secure Control UI: Create SSH tunnel to localhost:18789 via IAP; access the OpenClaw debugging dashboard without exposing it to the internet.

Live Logs: SSH into VM and stream Docker logs in real-time to observe agent reasoning and troubleshoot Signal connectivity issues.

Local Testing: Use Signal "Note to Self" messaging to send test prompts (e.g., "ping") and verify agent responses in logs.

Who This Is For

  • AI Developers: Need a production-grade platform to test and iterate on OpenClaw agents without managing cloud infrastructure costs.
  • DevOps & SRE Teams: Want to adopt AI agents into their stacks with best-practice IaC, CI/CD, security, and cost control.
  • Startups & Solo Builders: Bootstrapping AI applications and need maximum leverage from free cloud credits.
  • Open-Source Contributors: Interested in practical examples of Terraform, GitHub Actions, and containerized agent deployment.
  • Google Cloud Practitioners: Seeking real-world patterns for Spot VMs, IAP tunneling, and service account security.

Cost Breakdown

The system is designed to stay under $10/month on a single Google Cloud free credit:

  • Spot VM (e2-medium, Stockholm): ~$6.00/month
  • Static IP address: ~$3.60/month
  • Persistent disk (10GB): ~$0.40/month
  • Total: ~$10.00/month (fully covered by Google's $10 credit)

No egress charges, no compute overages, no surprise bills.

Security & Quality Standards

Infrastructure Quality: Terraform code validated on every commit with terraform fmt, terraform validate, and TFLint (Google-specific rules).

Code Quality: Node.js and configuration files linted and formatted via Biome; integrated into CI/CD gates.

Artifact Integrity: Docker images tagged with Git SHA and stored in private Google Artifact Registry; enables reproducible, auditable deployments.

Access Control: Dedicated GCP Service Account with minimal IAM roles; SSH access only via Identity-Aware Proxy (no public key exposure).

Secret Management: Credentials stored in Terraform Cloud variables and GitHub encrypted secrets; never committed to git.
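The access-control pattern this section describes, written out as an added HCL example rather than the project's own code: a dedicated service account with three narrowly scoped roles, the IAP tunnel permission for the operator, and firewall rules that admit SSH only from Google's IAP TCP-forwarding range. The resource names, the `admin_member` placeholder, the exact role list and the use of the default network are assumptions; the range `35.235.240.0/20` is the documented IAP forwarding source range.

```hcl
# Added example, not the repository's own code. Least-privilege identity for the VM
# plus IAP-only SSH. Names, role list and the admin principal are assumptions.

variable "project_id" { type = string }

# Principal allowed to open IAP tunnels to the VM. Placeholder value.
variable "admin_member" {
  type    = string
  default = "user:admin@example.com"
}

# Dedicated runtime identity instead of the project's Compute Engine default SA,
# which typically carries the broad Editor role.
resource "google_service_account" "openclaw" {
  account_id   = "openclaw-vm"
  display_name = "OpenClaw agent runtime"
}

# Only what a container host needs: ship logs and metrics, pull images from the
# private Artifact Registry. No storage, compute or IAM admin permissions.
locals {
  vm_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/artifactregistry.reader",
  ]
}

resource "google_project_iam_member" "vm" {
  for_each = toset(local.vm_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.openclaw.email}"
}

# Lets the operator run `gcloud compute ssh --tunnel-through-iap`. This can be
# narrowed further to a single instance with google_iap_tunnel_instance_iam_member.
resource "google_project_iam_member" "iap_tunnel" {
  project = var.project_id
  role    = "roles/iap.tunnelResourceAccessor"
  member  = var.admin_member
}

# Allow SSH only from the IAP TCP-forwarding range. Lower priority number wins,
# so this is evaluated before the deny rule below.
resource "google_compute_firewall" "ssh_from_iap" {
  name          = "openclaw-allow-ssh-iap"
  network       = "default"
  direction     = "INGRESS"
  priority      = 900
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["openclaw"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Explicit deny for SSH from anywhere else. On the default network this overrides
# the pre-created default-allow-ssh rule, which sits at priority 65534.
resource "google_compute_firewall" "deny_public_ssh" {
  name          = "openclaw-deny-ssh-public"
  network       = "default"
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["openclaw"]

  deny {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

With these rules in place there is no internet-facing allow rule for port 22 or for the Control UI on 18789: the operator opens `gcloud compute ssh openclaw --tunnel-through-iap -- -L 18789:localhost:18789` and the dashboard is reached on `localhost:18789` through that tunnel, which is the "Secure Control UI" flow described under Monitoring & Debugging. The explicit deny rule is worth keeping even when the default-allow-ssh rule has been deleted, so that a later change cannot silently reopen the port.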

Resource Links

  • Antfarm: Multi-Agent Workflow Orchestration for OpenClaw – The AI Agent runtime this infrastructure deploys.
  • Terraform Cloud – Infrastructure state and secret management.
  • Google Cloud Platform – Compute, networking, and API services.
  • Repository: https://github.com/kennethaasan/openclaw-gitops
  • OpenCode CLI: Command-line authentication and orchestration for Gemini API.
  • Signal API: Messaging integration documentation.

Credits: OpenClaw by Peter Steinberger. Antigravity Auth bridge by NoeFabris. Infrastructure design by Antigravity (Google DeepMind). Project maintained by Kenneth Aasan.
