GCP Landing Zone
A Google Cloud Landing Zone is a secure, scalable, and policy-driven GCP environment that provides a foundation for cloud adoption. It enables organizations to deploy workloads with governance, security, and compliance from day one, using best practices and automation.
What is a GCP Landing Zone?
A pre-configured GCP environment with hierarchical resource organization (folders, projects, billing accounts)
Implements guardrails using IAM, Organization Policies, and centralized logging
Automates project creation, baseline networking (VPCs), and security controls
References:
Real-Life Use Cases
Enterprise Cloud Adoption: Standardize environments for multiple teams or business units
Regulated Industries: Enforce compliance (e.g., GDPR, HIPAA) with automated guardrails
Startups/Scale-ups: Rapidly scale with secure, repeatable project structures
Configuration Options
Resource Hierarchy: Organization, folders, projects, billing accounts
Networking: Shared VPCs, subnets, firewall rules, Private Google Access
Security: IAM roles, Organization Policies, Cloud Audit Logs, Security Command Center
Automation: Use Terraform, Deployment Manager, or gcloud CLI
Example: GCP Landing Zone with Terraform
Below is a simplified example using Terraform to create a GCP organization folder, project, and baseline IAM policies.
provider "google" {
project = var.org_project
region = var.region
}
resource "google_folder" "engineering" {
display_name = "Engineering"
parent = "organizations/${var.org_id}"
}
resource "google_project" "app" {
name = "app-project"
project_id = var.project_id
org_id = var.org_id
folder_id = google_folder.engineering.id
}
resource "google_project_iam_member" "no_public_bucket" {
project = google_project.app.project_id
role = "roles/storage.objectViewer"
member = "group:devs@example.com"
}
resource "google_organization_policy" "restrict_bucket_public_access" {
org_id = var.org_id
constraint = "constraints/storage.publicAccessPrevention"
boolean_policy {
enforced = true
}
}
Tip: Use variables for organization IDs, project IDs, and regions for reusability.
Example: Terraform Test with terraform-compliance
You can use terraform-compliance to test your Terraform code for security and compliance. Example test to ensure public access to storage buckets is prevented:
Feature: Prevent Public Access to GCS Buckets
Scenario: Ensure GCS buckets have public access prevention enabled
Given I have google_storage_bucket defined
Then it must contain public_access_prevention
And its public_access_prevention must be "enforced"
Notes for Linux, WSL, and NixOS Users
Linux: Use the latest Terraform binary and Google Cloud SDK. Install via your package manager or official releases.
WSL: Ensure your GCP credentials are accessible in your WSL home directory. Use
wsl --mount
for shared filesystems if needed.NixOS: Use nixpkgs for reproducible installs:
environment.systemPackages = with pkgs; [ terraform google-cloud-sdk ];
Always use environment variables or gcloud auth application-default login for credentials—never hard-code secrets.
Landing Zone Joke
Why did the DevOps engineer refuse to deploy in an unprepared GCP project?
Because there was no landing zone—he didn’t want to fall into the cloud!
For more advanced patterns, see the GCP Security Foundations Guide and Terraform GCP modules.
Last updated