Your First Step in Google Cloud Platform : Building a Landing Zone with Terraform

Hassene BELGACEM
Google Cloud - Community
10 min read, Jun 7, 2023

Stepping into the world of Google Cloud means a leap into innovation and efficiency. The first step, however, begins on a solid ground called the Landing Zone. This initial setup isn’t just a launch pad — it’s the architect’s blueprint, laying out the foundation for secure and efficient cloud operations.

Google Cloud Landing zone

In this article, we’ll unpack the key elements of constructing an efficient Landing Zone within Google Cloud Platform (GCP). This includes mastering identity and privilege management for top-notch security, implementing encryption and key management practices for data protection, designing an intuitive organizational structure for better control, and harnessing efficient cost management techniques to monitor and control spending.

Furthermore, we’ll dive into best practices for resource referencing and management, network configuration, and how to keep a pulse on your infrastructure with effective monitoring and event logging. Each of these elements plays a critical role in creating a Landing Zone that propels your cloud journey forward.

Key components of a landing zone

The requirements for applications can differ greatly based on an organization's size and security requirements. Certain systems, such as those deemed critical, may necessitate stronger security measures or more rigorous backup protocols. As such, the architecture of every landing zone should be tailored to meet these unique needs. Nonetheless, there are key components that every well-constructed landing zone should encompass:

  1. Identity and privilege management: Here, maintaining a secure cloud environment hinges on a well-devised plan for account creation, privilege assignment, identity management for users and service accounts, and handling credentials securely. Regular reviews of access rights should also be an integral part of the process.
  2. Security and compliance: Ensuring the protection of data, applications, and the network is vital. It involves key considerations like data encryption, maintaining firewall rules, and scanning for vulnerabilities. Additionally, adherence to industry-specific laws and regulations, such as data privacy laws or industry standards like PCI DSS and HIPAA, is an essential aspect of compliance.
  3. Network and internet access: Designing and managing network architecture requires careful planning. This encompasses secure internet access, designing a scalable network architecture, defining an IP addressing strategy, and managing connectivity between cloud and on-premise infrastructure, if any.
  4. Organizational structure: How resources are grouped and isolated plays a significant role. A clear plan for segregating environments (like production, staging, development), establishing naming conventions for resources, and assigning resource management responsibilities needs careful consideration.
  5. Cost management: Keeping a tab on cloud costs and controlling them is crucial. It involves setting up budgets and alerts, understanding pricing models of different services, and tracking resource usage. Continuous practice of cost optimization is beneficial for efficient use of cloud resources.
  6. Monitoring and event logging: Having visibility into the cloud environment is fundamental for managing it effectively. It involves setting up comprehensive monitoring for all resources, collecting logs for troubleshooting and audits, setting up alerts for anomalies, and planning for incident response.
  7. Infrastructure as Code: The way resources are created, updated, and managed affects the overall efficiency and security. Key elements include a defined process for resource lifecycle management, employing Infrastructure as Code (IaC) practices, and automating processes to avoid manual errors.

Design of the landing zone

Before I started writing this article, I explored existing resources for implementing a GCP landing zone using Terraform. My search led me to a GitHub repository that contained an example implementation based on the Google Cloud Security Foundations Guide. This project stood out for its extensive configurability, encompassing a broad range of security considerations and network configurations. However, its complexity could make it daunting for individuals new to the subject.

Consequently, I decided to take a different route and opted to pen a simplified version. My intention was to make it more accessible, easy to understand, and amenable to customization based on organizational needs, despite it offering fewer configuration options. I hope this approach will bridge the gap between theory and practice, providing readers with a clear path to establishing their GCP landing zone.

In an effort to maintain simplicity and adaptability, I have intentionally refrained from integrating any pipeline tools or configurations. Instead, I will provide the necessary commands to orchestrate each step manually, allowing you to use the tool of your choice for the orchestration process.

1- Organization Design

This landing zone is meant for small and medium-sized companies, which is why I decided to go with a simple organizational structure and to associate each project with several functions. Here is the structure:

example-organization (<org_domain>)
├── <org_prefix>-bootstrap-prod (1)
├── <org_prefix>-infra (2)
│   ├── <org_prefix>-logging-prod (3)
│   ├── <org_prefix>-security-prod (4)
│   └── <org_prefix>-nethub-prod (5)
├── dev-Environment (6)
│   ├── <org_prefix>-netenv-dev (7)
│   └── <org_prefix>-business-dev (8)
│       ├── <org_prefix>-prj1-dev (9)
│       ├── <org_prefix>-prj2-dev (9)
│       └── <org_prefix>-prj3-dev (9)
├── ...
└── prod-Environment (6)
    ├── <org_prefix>-netenv-prod (7)
    └── <org_prefix>-business-prod (8)
        ├── <org_prefix>-prj1-prod (9)
        ├── <org_prefix>-prj2-prod (9)
        └── <org_prefix>-prj3-prod (9)

  • Bootstrap project (1): This project serves as the main IaC project, as it hosts the Terraform service account and the bucket that stores its state.
  • Infrastructure folder (2): This folder, often referred to as the “common” or “platform” folder, is the compartment where projects with shared resources reside. It plays a crucial role in hosting the projects that encapsulate organization-level elements like the Network Hub, secrets, logging, and more. It is designed to hold the following projects: Logging, Nethub and Security.
  • Logging project (3): This project collects organization-wide billing, application and infrastructure logs. The logs are collected into BigQuery datasets which you can then use for general querying, dashboarding, and reporting. Logs are also exported to Pub/Sub, a Cloud Storage bucket, and a log bucket.
  • Nethub project (4): This project is designed to serve as the hub for both the networks and DNS within the organization. It essentially contains two types of networks: DMZ and Internal Hub.
  • Security project (5): This project, overseen by your organization’s security teams, forms the foundation for centralized audit logs and security alerts at the organization level. This secure hub will feature a Pub/Sub topic and subscription, along with a Security Command Center notification set up to broadcast all new findings to the established topic. Furthermore, it serves as a home for the Secret Manager, where your organization can safely store and share secrets.
  • Environment folders (6): For the sake of enhanced security and streamlined management, our architecture includes a distinct folder for each environment, with the capacity to extend this division into individual security zones as well. Within each environment-specific folder, we create a series of projects intended to provide shared services across the various projects housed in the same folder. This organized approach is designed to facilitate effective cooperation and secure operation within each individual environment.
  • NetEnv project (7): Unlike the NetHub, this project is specifically designed to accommodate resources related to a single environment or security zone. It is charged with ensuring secure communication among all projects within the same environment. Additionally, it provides common services, such as a Bastion Host, further enhancing its utility within the designated environment.
  • Business projects (9): Here we create the service projects with a standard configuration that are attached to the Shared VPC created in the previous steps. Each project can be associated with an application or team.
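As an added example (not code from the gcp-landing-zone repository), the folder and project tree above can be declared in Terraform with the google and random providers as follows. The variable names, the random suffix that keeps project IDs globally unique, and `auto_create_network = false` are my assumptions; the article does not specify them.

```hcl
# Added example, not the repository's own code. Declares the tree from the
# article: infra folder (2) with its three projects (3)(4)(5), then one folder
# per environment (6) holding a netenv project (7) and a business folder (8).
# Assumed inputs, not defined by the article: var.parent, var.org_prefix,
# var.billing_account, var.environments.

variable "parent"          { type = string } # "organizations/<id>" or "folders/<id>"
variable "org_prefix"      { type = string } # keep it short: project IDs are capped at 30 chars
variable "billing_account" { type = string } # "XXXXXX-XXXXXX-XXXXXX"
variable "environments" {
  type    = list(string)
  default = ["dev", "prod"]
}

locals {
  infra_projects = toset(["logging", "security", "nethub"])
}

# Random suffix so every project_id is globally unique (assumed convention).
resource "random_id" "infra" {
  for_each    = local.infra_projects
  byte_length = 2
}

resource "random_id" "netenv" {
  for_each    = toset(var.environments)
  byte_length = 2
}

# (2) Infrastructure ("common") folder
resource "google_folder" "infra" {
  display_name = "${var.org_prefix}-infra"
  parent       = var.parent
}

# (3) logging, (4) security, (5) nethub projects under the infra folder
resource "google_project" "infra" {
  for_each        = local.infra_projects
  name            = "${var.org_prefix}-${each.key}-prod"
  project_id      = "${var.org_prefix}-${each.key}-prod-${random_id.infra[each.key].hex}"
  folder_id       = google_folder.infra.folder_id
  billing_account = var.billing_account
  # No default VPC with its permissive firewall rules; networks are built explicitly.
  auto_create_network = false
}

# (6) one folder per environment (dev, prod, ...)
resource "google_folder" "env" {
  for_each     = toset(var.environments)
  display_name = "${each.key}-Environment"
  parent       = var.parent
}

# (7) netenv project: Shared VPC host and common services for the environment
resource "google_project" "netenv" {
  for_each        = toset(var.environments)
  name            = "${var.org_prefix}-netenv-${each.key}"
  project_id      = "${var.org_prefix}-netenv-${each.key}-${random_id.netenv[each.key].hex}"
  folder_id       = google_folder.env[each.key].folder_id
  billing_account = var.billing_account
  auto_create_network = false
}

# (8) business folder; the service projects (9) are created there in a later step
resource "google_folder" "business" {
  for_each     = toset(var.environments)
  display_name = "${var.org_prefix}-business-${each.key}"
  parent       = google_folder.env[each.key].name
}

output "netenv_project_ids" {
  value = { for env, p in google_project.netenv : env => p.project_id }
}
```

The bootstrap project (1) is deliberately absent: it must exist before this code can run, since it holds the service account and state bucket used to apply it.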

2- Network Design

Landing Zone Network Design

From right to left, the first tier is designed to accommodate multiple applications with identical security levels and environments. Since these applications belong to the same security zone, our primary goal will be to streamline management. To achieve this, we will leverage a Shared VPC (called Environment Hub Network) housed in the “netenv” projects. Additionally, we will share subnets with the spoke projects, which will host user workloads. This design promotes an efficient network management process and fosters an environment where workloads can be effectively managed.

The second tier is designed to host two networks with different roles:

  • DMZ Network: the ‘Demilitarized Zone’ network primarily manages all incoming and outgoing internet traffic. In our case, the DMZ network houses a Squid HTTP proxy for egress and, if required, it can also accommodate the global external load balancer for ingress traffic. It also incorporates Cloud NAT and Cloud Router, which are used solely by the HTTP proxy, given that it is the only service permitted to access the internet directly. Serving as a buffer zone between the public internet and your organization’s internal network, the DMZ network bolsters security by limiting exposure to internet threats.
  • Internal Hub Network: unlike the DMZ, the internal hub network is designed primarily for intra-organizational connectivity. It facilitates secure and efficient communication within your organization. It hosts an internal Transit Gateway appliance for inter-VPC communication and can also be linked to on-premise infrastructure via VPN (Virtual Private Network) or Interconnect, enabling seamless integration between cloud-based and on-premise resources.
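The first tier described above, as an added Terraform example that is not the repository's own code: the Environment Hub Shared VPC in a netenv project, one workload subnet shared with the business (spoke) projects, and egress firewall rules that keep workloads off the internet so that only the DMZ proxy (reached over internal ranges) gets there. All variables are my assumptions; the RFC 1918 ranges and the private.googleapis.com VIP are Google-documented constants.

```hcl
# Added example, not the repository's own code. First network tier: Shared VPC
# host in netenv, a subnet shared with spoke projects, and egress rules that
# deny the internet while allowing internal ranges and Private Google Access.
# Assumed inputs, not defined by the article: var.netenv_project_id, var.env,
# var.region, var.workload_cidr, var.spoke_project_ids.

variable "netenv_project_id" { type = string }
variable "env"               { type = string }       # "dev" or "prod"
variable "region"            { type = string }       # e.g. "europe-west1"
variable "workload_cidr"     { type = string }       # e.g. "10.10.0.0/20"
variable "spoke_project_ids" { type = list(string) } # business projects (9)

# Environment Hub Network: no auto-created subnets, global dynamic routing.
resource "google_compute_network" "env_hub" {
  project                 = var.netenv_project_id
  name                    = "vpc-${var.env}-hub"
  auto_create_subnetworks = false
  routing_mode            = "GLOBAL"
}

# Workload subnet with Private Google Access and flow logs for the logging project.
resource "google_compute_subnetwork" "workloads" {
  project                  = var.netenv_project_id
  name                     = "sb-${var.env}-workloads"
  region                   = var.region
  network                  = google_compute_network.env_hub.id
  ip_cidr_range            = var.workload_cidr
  private_ip_google_access = true
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# netenv becomes the Shared VPC host; each spoke project is attached to it.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.netenv_project_id
}

resource "google_compute_shared_vpc_service_project" "spoke" {
  for_each        = toset(var.spoke_project_ids)
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = each.key
}

# Share only this subnet, not the whole host project: the spoke's Google APIs
# service agent needs networkUser to place VMs and GKE nodes in it.
data "google_project" "spoke" {
  for_each   = toset(var.spoke_project_ids)
  project_id = each.key
}

resource "google_compute_subnetwork_iam_member" "spoke_network_user" {
  for_each   = toset(var.spoke_project_ids)
  project    = var.netenv_project_id
  region     = google_compute_subnetwork.workloads.region
  subnetwork = google_compute_subnetwork.workloads.name
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:${data.google_project.spoke[each.key].number}@cloudservices.gserviceaccount.com"
}

# Deny all egress below the implied allow rule (priority 65535) and log hits.
resource "google_compute_firewall" "deny_all_egress" {
  project            = var.netenv_project_id
  name               = "fw-${var.env}-deny-all-egress"
  network            = google_compute_network.env_hub.name
  direction          = "EGRESS"
  priority           = 65000
  destination_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "all"
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Internal (RFC 1918) destinations stay reachable: other spokes, the transit
# appliance, the DMZ Squid proxy and on-premises ranges.
resource "google_compute_firewall" "allow_internal_egress" {
  project            = var.netenv_project_id
  name               = "fw-${var.env}-allow-internal-egress"
  network            = google_compute_network.env_hub.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
  allow {
    protocol = "all"
  }
}

# private.googleapis.com VIP, so Private Google Access keeps working (the
# matching DNS override and route are omitted here).
resource "google_compute_firewall" "allow_google_apis_egress" {
  project            = var.netenv_project_id
  name               = "fw-${var.env}-allow-googleapis-egress"
  network            = google_compute_network.env_hub.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["199.36.153.8/30"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

The deny rule is logged on purpose: a workload trying to reach the internet directly shows up in the logging project as a firewall log entry, which is the signal to look for when an application bypasses the proxy.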

3- DNS Design

In this configuration, a private DNS zone is hosted within the “nethub” project. By default, this zone is peered with all “netenv” projects, enabling any records created in this zone to be resolved throughout the entire GCP environment. This design also accommodates the expansion of private DNS resolution into a hybrid environment, which can be facilitated when necessary.
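The DNS design above, as an added Terraform example that is not the repository's own code: a private zone in the nethub project, one peering zone per netenv Shared VPC, a sample record, and the optional forwarding zone for the hybrid case. Variable names, the domain names and the `bastion_ip` field are my assumptions.

```hcl
# Added example, not the repository's own code. Private DNS hosted in nethub,
# peered into every environment VPC, plus optional forwarding to on-premises
# resolvers. Assumed inputs, not defined by the article: var.nethub_project_id,
# var.hub_network_self_link, var.private_domain, var.netenv_networks,
# var.onprem_domain, var.onprem_dns.

variable "nethub_project_id"     { type = string }
variable "hub_network_self_link" { type = string } # Internal Hub VPC in nethub
variable "private_domain"        { type = string } # e.g. "corp.example.internal." (trailing dot)
variable "netenv_networks" {                       # env => its Shared VPC and bastion
  type = map(object({
    project_id        = string
    network_self_link = string
    bastion_ip        = string
  }))
}
variable "onprem_domain" {
  type    = string
  default = "onprem.example."                      # assumed on-premises domain
}
variable "onprem_dns" {
  type    = list(string)                           # on-prem resolver IPs, if any
  default = []
}

# (a) Private zone in the nethub project, visible to the hub network.
resource "google_dns_managed_zone" "private" {
  project     = var.nethub_project_id
  name        = "private-hub"
  dns_name    = var.private_domain
  description = "Organization-wide private zone hosted in nethub"
  visibility  = "private"
  private_visibility_config {
    networks {
      network_url = var.hub_network_self_link
    }
  }
}

# (b) One peering zone per netenv VPC: queries for the private domain from an
# environment are answered by the hub zone above.
resource "google_dns_managed_zone" "peering" {
  for_each    = var.netenv_networks
  project     = each.value.project_id
  name        = "private-peering-${each.key}"
  dns_name    = google_dns_managed_zone.private.dns_name
  description = "Peering to the nethub private zone for ${each.key}"
  visibility  = "private"
  private_visibility_config {
    networks {
      network_url = each.value.network_self_link
    }
  }
  peering_config {
    target_network {
      network_url = var.hub_network_self_link
    }
  }
}

# (c) Sample record: each environment's bastion host, resolvable everywhere.
resource "google_dns_record_set" "bastion" {
  for_each     = var.netenv_networks
  project      = var.nethub_project_id
  managed_zone = google_dns_managed_zone.private.name
  name         = "bastion.${each.key}.${google_dns_managed_zone.private.dns_name}"
  type         = "A"
  ttl          = 300
  rrdatas      = [each.value.bastion_ip]
}

# (d) Hybrid extension: forward the on-premises domain to corporate resolvers
# over VPN/Interconnect. Created only when resolvers are configured.
resource "google_dns_managed_zone" "onprem_forward" {
  count      = length(var.onprem_dns) > 0 ? 1 : 0
  project    = var.nethub_project_id
  name       = "onprem-forwarding"
  dns_name   = var.onprem_domain
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = var.hub_network_self_link
    }
  }
  forwarding_config {
    dynamic "target_name_servers" {
      for_each = var.onprem_dns
      content {
        ipv4_address = target_name_servers.value
      }
    }
  }
}
```

Because the environment zones only peer to the hub, the forwarding zone in (d) is reachable from every environment without further configuration: Cloud DNS resolves peered queries against all zones visible to the hub network.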

Infrastructure as Code

In alignment with the focus of this article, my choice is to use Terraform for Infrastructure as Code (IaC). The decision is influenced by several significant attributes of Terraform, including its vast community and ecosystem, provider-agnostic capabilities, declarative language, modular structure, and efficient state management. As for naming conventions, I chose to go with a generic one defined by Stepan S

Building your landing zone

Prerequisites

Before diving into the process, ensure that the following setup steps have been completed:

  1. Set up a Google Cloud organization and billing account.
  2. Create a parent folder (optional) that will be used as a container for the whole setup.
  3. Create a bootstrap GCP project that will be used for running the Terraform scripts, and enable the “IAM Service Account Credentials API” and “Cloud Resource Manager API”.
  4. Create your IaC service account with the following permissions:
organization -> Billing Account Costs Manager
organization -> Billing Account User
folder -> Owner
folder -> Project Creator
folder -> Security Admin
folder -> Service Account Token Creator
folder -> Service Account User

  5. Create the following groups (optional):

<org_prefix>-organization-admins@<org_domain>
<org_prefix>-security-admins@<org_domain>
<org_prefix>-security-reviewers@<org_domain>
<org_prefix>-billing-admins@<org_domain>
<org_prefix>-organization-viewers@<org_domain>
<org_prefix>-network-admins@<org_domain>
<org_prefix>-network-viewers@<org_domain>

Installation

Step 1: Clone the GitHub repo by running the following command:

git clone https://github.com/belgacem-io/gcp-landing-zone.git

Step 2: In your bootstrap project, create a key for the service account created earlier and download the credentials file as JSON; it will be used in the next step to authenticate Terraform. Next, update and run the following commands:

##################################### GCP Credentials ###################
export GOOGLE_APPLICATION_CREDENTIALS=<path to credentials file>
export PROJECT_ID=<org_prefix>-mybootstrap-prod-xxx # Bootstrap project ID
export PROJECT_NAME=<org_prefix>-mybootstrap-prod # Bootstrap project name

Step 3: Once these steps are done, you are all set to proceed with the Terraform bootstrap phase. This creates, updates and configures the resources in the bootstrap project:

terraform -chdir=main-bootstrap init
terraform -chdir=main-bootstrap apply
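What the bootstrap phase has to leave behind, as an added Terraform example that is not the repository's own code: the IaC service account, a versioned and non-public state bucket (the one step 4's backend.tf points at), and the folder and organization bindings listed in prerequisite 4 expressed as IAM roles. The variable names and the bucket naming are my assumptions; the role IDs are the standard ones for the role names the prerequisites list. The provider reads the key file exported as GOOGLE_APPLICATION_CREDENTIALS in step 2, so no credentials appear in the code.

```hcl
# Added example, not the repository's own code. Bootstrap resources: IaC
# service account, Terraform state bucket and the IAM bindings from the
# prerequisites. Assumed inputs, not defined by the article:
# var.bootstrap_project_id, var.org_prefix, var.region, var.org_id, var.parent_folder.

variable "bootstrap_project_id" { type = string }
variable "org_prefix"           { type = string }
variable "region"               { type = string } # bucket location, e.g. "EU"
variable "org_id"               { type = string } # numeric organization ID
variable "parent_folder"        { type = string } # "folders/<id>" that holds the landing zone

# Credentials come from GOOGLE_APPLICATION_CREDENTIALS (step 2).
provider "google" {
  project = var.bootstrap_project_id
}

resource "google_service_account" "iac" {
  project      = var.bootstrap_project_id
  account_id   = "${var.org_prefix}-iac"
  display_name = "Terraform landing-zone service account"
}

resource "random_id" "bucket" {
  byte_length = 3
}

# State holds sensitive values (IDs, addresses, sometimes secrets): keep it
# private, versioned (to roll back a bad apply) and protected from deletion.
resource "google_storage_bucket" "tfstate" {
  project                     = var.bootstrap_project_id
  name                        = "${var.org_prefix}-tfstate-${random_id.bucket.hex}"
  location                    = var.region
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
  force_destroy               = false
  versioning {
    enabled = true
  }
}

resource "google_storage_bucket_iam_member" "iac_state" {
  bucket = google_storage_bucket.tfstate.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.iac.email}"
}

# Roles from prerequisite 4. Folder roles are scoped to the parent folder,
# not the whole organization; only the billing roles sit at organization level.
locals {
  folder_roles = [
    "roles/owner",                          # Owner
    "roles/resourcemanager.projectCreator", # Project Creator
    "roles/iam.securityAdmin",              # Security Admin
    "roles/iam.serviceAccountTokenCreator", # Service Account Token Creator
    "roles/iam.serviceAccountUser",         # Service Account User
  ]
  org_roles = [
    "roles/billing.costsManager", # Billing Account Costs Manager
    "roles/billing.user",         # Billing Account User
  ]
}

resource "google_folder_iam_member" "iac" {
  for_each = toset(local.folder_roles)
  folder   = var.parent_folder
  role     = each.key
  member   = "serviceAccount:${google_service_account.iac.email}"
}

resource "google_organization_iam_member" "iac_billing" {
  for_each = toset(local.org_roles)
  org_id   = var.org_id
  role     = each.key
  member   = "serviceAccount:${google_service_account.iac.email}"
}

# Paste this into each module's backend.tf (step 4).
output "state_bucket" {
  value = google_storage_bucket.tfstate.name
}
```

Since the prerequisites create the service account by hand before the first apply, bring the existing account under management instead of recreating it: `terraform import google_service_account.iac projects/<bootstrap project id>/serviceAccounts/<service account email>`. Declaring the bindings here keeps the list of powerful roles in version control, where the regular access reviews mentioned in the key components can read it.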

Step 4: Time to update the Terraform state backend: for each main-xxx module, add a ‘backend.tf’ and configure it to point to the created bucket. The result should look like this:

terraform {
  backend "gcs" {
    bucket = "<generated bucket name>"
    prefix = "terraform/main-xxx/state"
  }
}

Step 5: This is a crucial step, as it creates the infrastructure folder, projects and network resources, so all the necessary parameters must be defined beforehand. For your reference and to facilitate testing, detailed documentation and an example have been provided.

terraform -chdir=main-infra init
terraform -chdir=main-infra apply

Step 6: Create and configure the environment projects. This phase completes the first tier of the two-tier network design and also sets up the DNS peering. For your reference and to facilitate testing, detailed documentation and an example have been provided.

terraform -chdir=main-env init
terraform -chdir=main-env apply

Step 7: Create and configure the business projects. For your reference and to facilitate testing, detailed documentation and an example have been provided.

terraform -chdir=main-bp init
terraform -chdir=main-bp apply

Conclusion

Creating a landing zone in a cloud environment is an essential step in making the cloud migration process efficient, secure, and scalable. It addresses the vital aspects of identity and privilege management, security and compliance, organizational structure, cost management, resource referencing and management, network and internet access, and monitoring and event logging.

A well-structured landing zone sets the stage for successful cloud operations, ensuring seamless integration of applications, secure data handling, and simplified management. It provides a foundation that supports business growth, assists in regulatory compliance, and mitigates potential risks. Moreover, it aids in controlling costs and maintaining visibility into the cloud environment.

Whether your organization is just beginning its cloud journey or looking to optimize its current cloud operations, investing time and effort into properly designing a landing zone will undoubtedly reap significant benefits. It’s not just about getting onto the cloud; it’s about doing so in a way that is sustainable, secure, and beneficial for the long term.

Originally published at https://hassene.belgacem.io .
