Google Cloud Landing Zone with Terraform and Cloud Foundation Fabric FAST — Part 1

Published in

Google Cloud - Community

9 min readApr 10, 2023

Introduction

Here I’ll provide step-by-step guidance for setting up a new Landing Zone on Google Cloud, using Google’s open source Fabric FAST, which is part of their Cloud Foundation Fabric.

Why am I bothering? Afterall, Google has documentation on its own repo. The problem is, if you’re new to the process, some of the documentation can be a bit hard to follow. The first time I used this, I found it a little unclear how many steps needed to be done manually, before switching to the FAST process. So my goal here is to give some pragmatic guidance and steps that are easy to follow.

Before you crack on, I recommend you first take a look at my blog on Landing Zones. It provides an overview of what an LZ is, why you need one, and some of the approaches to creating one.

Subscribe!

Don’t forget to subscribe to see my latest publications.

Overview of Cloud Foundation Fabric and FAST

Cloud Foundation Fabric (CFF) is an open-source project that provides a set of Terraform modules and reference configurations to deploy some commonly used blueprints on Google Cloud.

The Cloud Foundation Fabric provides:

A set of ready-to-go composable Terraform modules.
End-to-end blueprints for achieving common multi-component goals.
FAST — a production-ready landing zone blueprint implementation. It is a Terraform-based solution to bootstrapping and building a GCP LZ, from scratch.

In this blog, I will be using FAST to build a landing zone.

Fabric FAST provides an automated infrastructure-as-code approach for creating a production-ready landing zone for an organisation. Although customisable, it provides a way to deploy a landing zone with “battle-tested” default configuration options. It is also factory-centric, meaning that it makes use of both tenant and project factories, in order to allow tenants to spin up their own resources by simply providing a configuration file.

Google describes FAST as “an ideal blueprint for organizations of all sizes, ranging from startups to the largest companies.”

And finally: because it’s open source, if you stumble across any issues along the way, you can always make changes to improve FAST, and raise a PR to incorporate your changes. I’ve personally contributed a few changes to Fabric FAST, including changes to both Terraform code, and to the documentation.

About Part 1

This guide will describe:

All the pre-requisites that need to be in place.
Initial setup activity that is driven from the Cloud foundation checklist in the Google Cloud Console.

Pre-Reqs

First, make sure have the following pre-requisites:

You have git installed, and you already have a GitHub account.
You have Terraform installed. This is the infrastructure-as-code tool that we will use to run the Fabric FAST process. The Terraform application is very lightweight! See Terraform installation instructions.
You have a domain. If you don’t yet have one, you’ll need to register one. It’s usually very cheap. Personally, I use Ionos for my domains, but there are loads of domain registrars out there. You can even register your domain with Google. It is important that you have your own domain, since you’ll need to verify your ownership later in the Google Cloud organisation creation process.

Getting Started — Fork and Clone the CFF Repo

First, we need to fork the Google Cloud Foundation Fabric repo. I’ve called my fork cf-fast-lz.

Then clone the repo to your local machine. E.g.

git clone https://github.com/derailed-dash/cff-fast-lz.git

Organisation Creation

Here we’re following the Cloud Identity and Organization steps from Google’s Enterprise Setup Checklist. There’s also a guided version of the Cloud foundation setup.

Create Your Google Organisation and Admin Account

We’re going to create a Google organisation resource, associated with your domain. (This assumes you don’t already have an organisation within Google Cloud.) For example, I’ve created a Google organisation associated with my just2good.co.uk domain. When working with Google Cloud, the organisation resource is the top level of your resource hierarchy. Everything hangs off this resource.

To create a Google Cloud organisation, you must create a Google Workspace or Cloud Identity account. This is a summary of how it works:

You sign up for a Cloud Identity account, with your existing email address. (It can be any email address that belongs to you.)
The email address you sign-up with becomes your Super Admin account.
You will then verify your domain, which results in the creation of your Google organisation associated with that domain.

Let’s start by vising the Google Cloud Identity and Organisation Guided Setup. You’ll see a Cloud foundation page like this:

Click on BEGIN THE SETUP. We’ll see a page like this:

Now click on Sign Up For Cloud Identity, which will take you to the Cloud Identity Sign-Up Page. Note: if you’re already paying for Google Workspace, then you’ll already have an account, and you’ll already be familiar with the Google Admin Console. Otherwise, you’ll want a Google Cloud Identity account. It’s free!

When you visit the Cloud Identity sign-up page, you’ll see a page that looks like this:

You’ll be guided through a few screens.

Enter the business name you want to associate with your account. You can call it whatever you want.
Specify how many employees your business will have. For the purposes of testing setting up various identities for your Google Cloud organisation, I’d suggest that 10–99 will be more than enough.
Eventually, you’ll be asked to provide your domain name. Here, you must provide the domain name that you own. E.g. yourdomain.com.
You’ll then be asked for a username that you will use to sign in to your new Cloud Identity Account. This will be your new Super Administrator identity. It needs to be an email address associated with the same domain you provided earlier. For example, it might be super-bob@yourdomain.com.

Your account is now created! You will be asked to login to the Google Admin Console with the email address you just provided. Note that the Google Admin Console is NOT the same as the Google Cloud Console.

Google Admin Console: a web interface for managing Google identities, groups, devices, browser policies, security (e.g. requiring 2FA for all users in this domain), reports, domain management, etc.

Google Cloud Console: a web interface for managing Google Cloud.

Verify Your Domain

You are now directed to verify that you own the domain. The manual process (which you are guided through) involves obtaining a domain verification code from the Admin Console, which you then need to supply as a DNS TXT record with your domain registrar. For example, in Ionos, I add the record in a screen that looks like this:

It’s a very trivial process. But if you’re lucky, Google will recognise your domain registrar and automate the whole process for you. (It does with Ionos, for example.) Verification typically takes a few minutes.

Don’t Create New Users Now!

The Admin Console asks you to setup users now. Don’t do this, because the Checklist will help us automate some of the work. Instead, click on “Setup GCP Console now.” This will open the Google Cloud Console, in the IAM page.

Click on GO TO THE CHECKLIST, and you’ll be directed back to the Cloud foundation page.

If, at this point, the Checklist does not detect your new organisation, it might be because you’re signed in with an email address belonging to a different domain to the one you just used to set up your organisation. If so, switch over to your newly created Admin account to continue with the checklist.

User and Group Setup

Creating Groups

The Fabric FAST process expects that you will provision user groups that align to the best practice set of groups. Later, we will use FAST to assign Cloud IAM roles to these groups, as required. It is Google best practice to manage access at group level, not at individual user level.

We could provision the required groups from within the Google Admin Console. But the foundation setup page can actually automate most of the hard work for us.

Click on START USERS AND GROUPS.

Now click on CREATE ALL GROUPS, then on SAVE AND CREATE. A couple of minutes later, our groups have been created. If you were to now click on Groups in the Google Admin Console, you’ll see that all the groups have now been created:

Create an Org Admin User

Okay, we’ve got our groups, but we have to create users manually. At the very least, we will need to create a user who will be a Cloud Organisational Admin.

Note that the Super Admin and the Organisation Admin accounts should be two different accounts, and they serve different purposes:

Cloud Identity Super Admin: provides the capability to create and manage users and groups in Google Cloud Identity. You will use this to create your Google Cloud Organisational Admin account.
Google Cloud Organisational Admin: the administrative account for use within Google Cloud, including Google Cloud IAM.

From the Google Admin Console, select Users > Add New User. We’ll create a user who will be one of our Organisation Admins. Much of the FAST process will subsequent be run as this user. You could go with something like… admin-andy@yourdomain.com.

Now assign this new user to the Organisation Admins (gcp-organization-admins) group. Click on Groups > gcp-organisation-admins > Add Members. Find your newly created user.

Creating Other Users

While we’re at it, let’s create a user for each of these three groups also:

grp-gcp-network-admins
grp-gcp-billing-admins
grp-gcp-devops

Here are my users:

Don’t forget to add your newly created users to their respective groups.

Summary

We’ve created everything we need, in order to progress with Fabric FAST. We have:

Cloned the Google CFF repo.
Created a Cloud Identity Account.
Created a Cloud Identity Super Admin account.
Created a Google Cloud organisation resource, and associated it with our domain.
Created a set of user groups.
Created some users, and associated them with their respective user groups.

Next up… Let’s get Terraforming with FAST!

Before You Go

Please share this with anyone that you think will be interested. It might help them, and it really helps me!
Please clap for this article. You know you can clap more than once, right?
Feel free to leave a comment 💬.
Follow and subscribe, so you don’t miss any of my content. Go to my Profile Page, and click on these icons: