This example repository shows how the CFT Terraform modules can build a secure Google Cloud foundation, following the Google Cloud Enterprise Foundations Blueprint (previously called the Security Foundations Guide). The supplied structure and code is intended to form a starting point for building your own foundation with pragmatic defaults that you can customize to meet your own requirements.
The intended audience of this blueprint is large enterprise organizations with a dedicated platform team responsible for deploying and maintaining their GCP environment, who is commited to separation of duties across multiple teams and managing their environment solely through version-controlled Infrastructure as Code. Smaller organizations looking for a turnkey solution might prefer other options such as Google Cloud Setup
This repository is intended as an example to be forked, tweaked, and maintained in the user's own version-control system; the modules within this repository are not intended for use as remote references. Though this blueprint can help accelerate your foundation design and build, we assume that you have the engineering skills and teams to deploy and customize your own foundation based on your own requirements.
We will support:
We will not support:
This repo contains several distinct Terraform projects, each within their own directory that must be applied separately, but in sequence.
Stage 0-bootstrap
is manually executed, and subsequent stages are executed using your preferred CI/CD tool.
Each of these Terraform projects are to be layered on top of each other, and run in the following order.
This stage executes the CFT Bootstrap module which bootstraps an existing Google Cloud organization, creating all the required Google Cloud resources and permissions to start using the Cloud Foundation Toolkit (CFT). For CI/CD Pipelines, you can use either Cloud Build (by default) or Jenkins. If you want to use Jenkins instead of Cloud Build, see README-Jenkins on how to use the Jenkins sub-module.
The bootstrap step includes:
prj-b-seed
project that contains the following:
prj-b-cicd
project that contains the following:
It is a best practice to separate concerns by having two projects here: one for the Terraform state and one for the CI/CD tool.
prj-b-seed
project stores Terraform state and has the service accounts that can create or modify infrastructure.prj-b-cicd
project holds the CI/CD tool (either Cloud Build or Jenkins) that coordinates the infrastructure deployment.To further separate the concerns at the IAM level as well, a distinct service account is created for each stage. The Terraform custom service accounts are granted the IAM permissions required to build the foundation.
If using Cloud Build as the CI/CD tool, these service accounts are used directly in the pipeline to execute the pipeline steps (plan
or apply
).
In this configuration, the baseline permissions of the CI/CD tool are unchanged.
If using Jenkins as the CI/CD tool, the service account of the Jenkins Agent (sa-jenkins-agent-gce@prj-b-cicd-xxxx.iam.gserviceaccount.com
) is granted impersonation access so it can generate tokens over the Terraform custom Service Accounts.
In this configuration, the baseline permissions of the CI/CD tool are limited.
After executing this step, you will have the following structure:
example-organization/
└── fldr-bootstrap
├── prj-b-cicd
└── prj-b-seed
When this step uses the Cloud Build submodule, it sets up the cicd project (prj-b-cicd
) with Cloud Build and Cloud Source Repositories for each of the stages below.
Triggers are configured to run a terraform plan
for any non-environment branch and terraform apply
when changes are merged to an environment branch (development
, nonproduction
or production
).
Usage instructions are available in the 0-bootstrap README.
The purpose of this stage is to set up the common folder used to house projects that contain shared resources such as Security Command Center notification, Cloud Key Management Service (KMS), org level secrets, and org level logging.
This stage also sets up the network folder used to house network related projects such as DNS Hub, Interconnect, network hub, and base and restricted projects for each environment (development
, nonproduction
or production
).
This will create the following folder and project structure:
example-organization
└── fldr-common
├── prj-c-logging
├── prj-c-billing-export
├── prj-c-scc
├── prj-c-kms
└── prj-c-secrets
└── fldr-network
├── prj-net-hub-base
├── prj-net-hub-restricted
├── prj-net-dns
├── prj-net-interconnect
├── prj-d-shared-base
├── prj-d-shared-restricted
├── prj-n-shared-base
├── prj-n-shared-restricted
├── prj-p-shared-base
└── prj-p-shared-restricted
Under the common folder, a project prj-c-logging
is used as the destination for organization wide sinks. This includes admin activity audit logs from all projects in your organization and the billing account.
Logs are collected into a logging bucket with a linked BigQuery dataset, which can be used for ad-hoc log investigations, querying, or reporting. Log sinks can also be configured to export to Pub/Sub for exporting to external systems or Cloud Storage for long-term storage.
Notes:
log_export_storage_versioning
.Another project created under the common folder. This project will host the Security Command Center notification resources at the organization level. This project will contain a Pub/Sub topic, a Pub/Sub subscription, and a Security Command Center notification configured to send all new findings to the created topic. You can adjust the filter when deploying this step.
Another project created under the common folder. This project is allocated for Cloud Key Management for KMS resources shared by the organization.
Usage instructions are available for the org step in the README.
Another project created under the common folder. This project is allocated for Secret Manager for secrets shared by the organization.
Usage instructions are available for the org step in the README.
This project is created under the network folder. This project will host the DNS hub for the organization.
Another project created under the network folder. This project will host the Dedicated Interconnect Interconnect connection for the organization. In case of Partner Interconnect, this project is unused and the VLAN attachments will be placed directly into the corresponding hub projects.
Under the network folder, two projects, one for base and another for restricted network, are created per environment (development
, nonproduction
, and production
) which is intended to be used as a Shared VPC host project for all projects in that environment.
This stage only creates the projects and enables the correct APIs, the following networks stages, 3-networks-dual-svpc and 3-networks-hub-and-spoke, create the actual Shared VPC networks.
The purpose of this stage is to set up the environments folders that contain shared projects for each environemnt. This will create the following folder and project structure:
example-organization
└── fldr-development
├── prj-d-kms
└── prj-d-secrets
└── fldr-nonproduction
├── prj-n-kms
└── prj-n-secrets
└── fldr-production
├── prj-p-kms
└── prj-p-secrets
Under the environment folder, a project is created per environment (development
, nonproduction
, and production
), which is intended to be used by Cloud Key Management for KMS resources shared by the environment.
Usage instructions are available for the environments step in the README.
Under the environment folder, a project is created per environment (development
, nonproduction
, and production
), which is intended to be used by Secret Manager for secrets shared by the environment.
Usage instructions are available for the environments step in the README.
This step focuses on creating a Shared VPC per environment (development
, nonproduction
, and production
) in a standard configuration with a reasonable security baseline. Currently, this includes:
development
, nonproduction
, and production
inclusive of secondary ranges for those that want to use Google Kubernetes Engine.egress-internet
required on VMs in order to reach the internet.Usage instructions are available for the networks step in the README.
This step configures the same network resources that the step 3-networks-dual-svpc does, but this time it makes use of the architecture based on the hub-and-spoke reference network model.
Usage instructions are available for the networks step in the README.
This step is focused on creating service projects with a standard configuration that are attached to the Shared VPC created in the previous step and application infrastructure pipelines. Running this code as-is should generate a structure as shown below:
example-organization/
└── fldr-development
└── fldr-development-bu1
├── prj-d-bu1-sample-floating
├── prj-d-bu1-sample-base
├── prj-d-bu1-sample-restrict
├── prj-d-bu1-sample-peering
└── fldr-development-bu2
├── prj-d-bu2-sample-floating
├── prj-d-bu2-sample-base
├── prj-d-bu2-sample-restrict
└── prj-d-bu2-sample-peering
└── fldr-nonproduction
└── fldr-nonproduction-bu1
├── prj-n-bu1-sample-floating
├── prj-n-bu1-sample-base
├── prj-n-bu1-sample-restrict
├── prj-n-bu1-sample-peering
└── fldr-nonproduction-bu2
├── prj-n-bu2-sample-floating
├── prj-n-bu2-sample-base
├── prj-n-bu2-sample-restrict
└── prj-n-bu2-sample-peering
└── fldr-production
└── fldr-production-bu1
├── prj-p-bu1-sample-floating
├── prj-p-bu1-sample-base
├── prj-p-bu1-sample-restrict
├── prj-p-bu1-sample-peering
└── fldr-production-bu2
├── prj-p-bu2-sample-floating
├── prj-p-bu2-sample-base
├── prj-p-bu2-sample-restrict
└── prj-p-bu2-sample-peering
└── fldr-common
├── prj-c-bu1-infra-pipeline
└── prj-c-bu2-infra-pipeline
The code in this step includes two options for creating projects. The first is the standard projects module which creates a project per environment, and the second creates a standalone project for one environment. If relevant for your use case, there are also two optional submodules which can be used to create a subnet per project, and a dedicated private DNS zone per project.
Usage instructions are available for the projects step in the README.
The purpose of this step is to deploy a simple Compute Engine instance in one of the business unit projects using the infra pipeline set up in 4-projects.
Usage instructions are available for the app-infra step in the README.
After all steps above have been executed, your Google Cloud organization should represent the structure shown below, with projects being the lowest nodes in the tree.
example-organization
└── fldr-common
├── prj-c-logging
├── prj-c-billing-export
├── prj-c-scc
├── prj-c-kms
├── prj-c-secrets
├── prj-c-bu1-infra-pipeline
└── prj-c-bu2-infra-pipeline
└── fldr-network
├── prj-net-hub-base
├── prj-net-hub-restricted
├── prj-net-dns
├── prj-net-interconnect
├── prj-d-shared-base
├── prj-d-shared-restricted
├── prj-n-shared-base
├── prj-n-shared-restricted
├── prj-p-shared-base
└── prj-p-shared-restricted
└── fldr-development
├── prj-d-kms
└── prj-d-secrets
└── fldr-development-bu1
├── prj-d-bu1-sample-floating
├── prj-d-bu1-sample-base
├── prj-d-bu1-sample-restrict
├── prj-d-bu1-sample-peering
└── fldr-development-bu2
├── prj-d-bu2-sample-floating
├── prj-d-bu2-sample-base
├── prj-d-bu2-sample-restrict
└── prj-d-bu2-sample-peering
└── fldr-nonproduction
├── prj-n-kms
└── prj-n-secrets
└── fldr-nonproduction-bu1
├── prj-n-bu1-sample-floating
├── prj-n-bu1-sample-base
├── prj-n-bu1-sample-restrict
├── prj-n-bu1-sample-peering
└── fldr-nonproduction-bu2
├── prj-n-bu2-sample-floating
├── prj-n-bu2-sample-base
├── prj-n-bu2-sample-restrict
└── prj-n-bu2-sample-peering
└── fldr-production
├── prj-p-kms
└── prj-p-secrets
└── fldr-production-bu1
├── prj-p-bu1-sample-floating
├── prj-p-bu1-sample-base
├── prj-p-bu1-sample-restrict
├── prj-p-bu1-sample-peering
└── fldr-production-bu2
├── prj-p-bu2-sample-floating
├── prj-p-bu2-sample-base
├── prj-p-bu2-sample-restrict
└── prj-p-bu2-sample-peering
└── fldr-bootstrap
├── prj-b-cicd
└── prj-b-seed
There are three main named branches: development
, nonproduction
, and production
that reflect the corresponding environments. These branches should be protected. When the CI/CD Pipeline (Jenkins or Cloud Build) runs on a particular named branch (say for instance development
), only the corresponding environment (development
) is applied. An exception is the shared
environment, which is only applied when triggered on the production
branch. This is because any changes in the shared
environment may affect resources in other environments and can have adverse effects if not validated correctly.
Development happens on feature and bug fix branches (which can be named feature/new-foo
, bugfix/fix-bar
, etc.) and when complete, a pull request (PR) or merge request (MR) can be opened targeting the development
branch. This will trigger the CI/CD Pipeline to perform a plan and validate against all environments (development
, nonproduction
, shared
, and production
). After the code review is complete and changes are validated, this branch can be merged into development
. This will trigger a CI/CD Pipeline that applies the latest changes in the development
branch on the development
environment.
After validated in development
, changes can be promoted to nonproduction
by opening a PR or MR targeting the nonproduction
branch and merging them. Similarly, changes can be promoted from nonproduction
to production
.
This repo uses the terraform-tools component of the gcloud
CLI to validate the Terraform plans against a library of Google Cloud policies.
The Scorecard bundle was used to create the policy-library folder with one extra constraint added.
See the policy-library documentation if you need to add more constraints from the samples folder in your configuration based in your type of workload.
Step 1-org has instructions on the creation of the shared repository to host these policies.
Some variables used to deploy the steps have default values, check those before deployment to ensure they match your requirements. For more information, there are tables of inputs and outputs for the Terraform modules, each with a detailed description of their variables. Look for variables marked as not required in the section Inputs of these READMEs:
jenkins-agent
.shared
.Refer to the errata summary for an overview of the delta between the example foundation repository and the Google Cloud security foundations guide.
Refer to the contribution guidelines for information on contributing to this module.