Example Terraform Config for a Google Cloud Platform (GCP) Organization
This Terraform configuration is based on the Google Cloud Platform checklist for setting up a new Organization.
https://console.cloud.google.com/cloud-setup/overview
For detailed instructions on how to install this Terraform config, see INSTALL.md.
Items marked with "✅" are managed by this Terraform configuration.
- Sign up for Google Workspace or Google Cloud Identity
- Verify your domain to Google Cloud organization resource
- Add users
- Add groups
  - gcp-organization-admins ✅
  - gcp-network-admins ✅
  - gcp-billing-admins ✅
  - gcp-security-admins ✅
  - gcp-devops ✅
  - gcp-developers ✅
- Add users to groups
- Grant the Organization Administrator role to the gcp-organization-admins group ✅
- Grant the Billing Administrator role to the gcp-billing-admins group ✅
- Create a new billing account or migrate an existing billing account into the organization
- Plan the resource hierarchy
- Create initial folders of the resource hierarchy
  - Non-Production ✅
  - Non-Production/Shared ✅
  - Production ✅
  - Production/Shared ✅
- Create initial projects of the resource hierarchy
  - example-vpc-host-nonprod in Non-Production ✅
  - example-vpc-host-prod in Production ✅
  - example-monitoring-nonprod in Non-Production ✅
  - example-monitoring-prod in Production ✅
  - example-logging-nonprod in Non-Production ✅
  - example-logging-prod in Production ✅
- Confirm projects are linked to the appropriate billing account ✅
- Set IAM policies at the organization level ✅
  - Grant network roles to the gcp-network-admins group ✅
  - Grant security roles to the gcp-security-admins group ✅
  - Grant devops roles to the gcp-devops group ✅
- Set folder-level policies ✅
  - Grant devops roles on the Production folder to the gcp-devops group ✅
  - Grant developer roles on the Production folder to the gcp-developers group ✅
- Set project-level policies
  - Grant network roles on the example-vpc-host-nonprod and example-vpc-host-prod projects to the gcp-network-admins group ✅
  - Grant devops roles on the example-monitoring-nonprod, example-monitoring-prod, example-logging-nonprod, and example-logging-prod projects to the gcp-devops group ✅
- Choose a support option
- Virtual private cloud architecture
- Create the Shared VPC networks
  - Create the Non-Production VPC network ✅
  - Create the Production VPC network ✅
- Configure connectivity between the external provider and GCP
- Set up a path for external egress traffic
- Implement network security controls
- Choose an ingress traffic option
- Set up monitoring
  - Enable example-monitoring-nonprod as a Stackdriver workspace
    - Add nonprod projects to nonprod workspace
  - Enable example-monitoring-prod as a Stackdriver workspace
    - Add prod projects to prod workspace
- Set up logging ✅
  - Enable Audit logs for all services ✅
  - Create BigQuery logging dataset for nonprod ✅
  - Create BigQuery logging dataset for prod ✅
  - Create Folder logging sink to BigQuery for nonprod ✅
  - Create Folder logging sink to BigQuery for prod ✅
  - Add nonprod sink log writer as editor of nonprod dataset ✅
  - Add prod sink log writer as editor of prod dataset ✅
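The nonprod half of the logging steps above, written out as an added Terraform example (not this repository's own code): it enables organization-wide Data Access audit logs, creates the BigQuery dataset in example-logging-nonprod, exports the Non-Production folder's logs to it, and grants the sink's generated writer identity the dataset-editor role it needs before any log rows can land. The organization id, folder resource and dataset/sink names are assumptions.

```hcl
# Added example; the org id below is a placeholder, not a value from the page.
variable "org_id" {
  default = "ORG_ID_PLACEHOLDER"
}

# Non-Production folder (assumed to be managed here for a self-contained example)
resource "google_folder" "nonprod" {
  display_name = "Non-Production"
  parent       = "organizations/${var.org_id}"
}

# Enable Audit logs (Data Access) for all services at the organization level
resource "google_organization_iam_audit_config" "all_services" {
  org_id  = var.org_id
  service = "allServices"
  audit_log_config { log_type = "ADMIN_READ" }
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}

# BigQuery logging dataset for nonprod, in the project named on the checklist
resource "google_bigquery_dataset" "logs_nonprod" {
  project    = "example-logging-nonprod"
  dataset_id = "nonprod_logs" # assumed name
  location   = "US"
}

# Folder logging sink to BigQuery for nonprod; include_children covers
# every project under the folder, including Non-Production/Shared
resource "google_logging_folder_sink" "nonprod" {
  name             = "nonprod-bq-sink" # assumed name
  folder           = google_folder.nonprod.name
  include_children = true
  destination      = "bigquery.googleapis.com/projects/example-logging-nonprod/datasets/${google_bigquery_dataset.logs_nonprod.dataset_id}"
  bigquery_options {
    use_partitioned_tables = true
  }
}

# Add nonprod sink log writer as editor of nonprod dataset. The sink is created
# with a service account of its own (writer_identity); without this binding the
# sink exists but silently fails to write.
resource "google_bigquery_dataset_iam_member" "nonprod_sink_writer" {
  project    = google_bigquery_dataset.logs_nonprod.project
  dataset_id = google_bigquery_dataset.logs_nonprod.dataset_id
  role       = "roles/bigquery.dataEditor"
  member     = google_logging_folder_sink.nonprod.writer_identity
}
```

The prod side is the same set of resources pointed at the Production folder and example-logging-prod.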
- Enable the Security Command Center dashboard
  - Enable the Security Command Center
  - Add org IAM roles for Security Command Center service account ✅
- Set up Organization Policy ✅
  - Skip default network creation ✅
  - Set up the Domain restricted sharing constraint ✅
  - Disable external IP address access for VM instances ✅