A secure foundation for your Google Cloud environment using Infrastructure as Code. This project helps new GCP users establish a well-architected, secure foundation following enterprise best practices.
This project automatically sets up:
- A GCP organizational structure with dedicated folders
- Two separate projects for different workloads
- Enterprise-grade security policies
- Role-based access control (RBAC)
```text
Organization
└── Folder (TF-GCP-Bootstrap)
    ├── Project 1 (App Development)
    │   └── IAM Group: Application Developers
    └── Project 2 (Data Science)
        └── IAM Group: Data Scientists
```
- **Google Cloud Organization**
  - A Google Workspace or Cloud Identity account
  - Organization Admin role
  - Billing Account Administrator role
- **Required Tools**
  - Terraform (>= 1.0.0)
  - Google Cloud SDK
- **Google Groups Setup**
  - Navigate to the Google Workspace Admin Console
  - Go to Groups → Create Group
  - Create two groups:
    - Application Developers group
    - Data Scientists group
  - Detailed Google Groups Setup Guide
```bash
# Clone the repository
git clone [repository-url]

# Copy and edit configuration
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values

# Initialize and apply
terraform init
terraform plan
terraform apply
```
The org-policies module implements security guardrails including:
- Prevention of public GCS buckets
- VM external IP restrictions
- Resource location constraints
- Domain-restricted sharing
Key benefits:
- Prevents accidental data exposure
- Enforces network security
- Ensures regulatory compliance
- Controls resource deployment locations
Learn more about GCP Organization Policies
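As an added illustration (not the project's own `modules/org-policies` code), the four guardrails listed above can be expressed as folder-level constraints with the `google_folder_organization_policy` resource. The folder ID, the allowed Workspace customer IDs and the location list are assumed inputs, not values from this repository:

```hcl
# Added example: the four guardrails above as folder-level organization policies.
# folder_id, allowed_customer_ids and allowed_locations are assumed variables.

variable "folder_id" {
  description = "Numeric ID of the bootstrap folder, e.g. \"123456789012\" (assumed)"
  type        = string
}

variable "allowed_customer_ids" {
  description = "Workspace/Cloud Identity customer IDs allowed as IAM members, e.g. [\"C0xxxxxxx\"] (assumed)"
  type        = list(string)
}

variable "allowed_locations" {
  description = "Locations or value groups permitted for resource creation"
  type        = list(string)
  default     = ["in:us-locations"] # sample value, adjust to your region policy
}

# Prevention of public GCS buckets: blocks allUsers / allAuthenticatedUsers
# grants on every bucket under the folder, regardless of bucket-level ACLs.
resource "google_folder_organization_policy" "public_access_prevention" {
  folder     = "folders/${var.folder_id}"
  constraint = "constraints/storage.publicAccessPrevention"

  boolean_policy {
    enforced = true
  }
}

# VM external IP restriction: deny external IPs on all instances. This is a
# list constraint, so an individual instance can later be re-allowed by
# replacing "deny all" with an allow list of instance resource names.
resource "google_folder_organization_policy" "no_vm_external_ip" {
  folder     = "folders/${var.folder_id}"
  constraint = "constraints/compute.vmExternalIpAccess"

  list_policy {
    deny {
      all = true
    }
  }
}

# Resource location constraint: only the listed locations (or value groups
# such as in:us-locations) may be used for location-bound resources.
resource "google_folder_organization_policy" "resource_locations" {
  folder     = "folders/${var.folder_id}"
  constraint = "constraints/gcp.resourceLocations"

  list_policy {
    allow {
      values = var.allowed_locations
    }
  }
}

# Domain-restricted sharing: IAM bindings may only name principals from the
# listed customer IDs, so a mistyped address cannot grant a role outside
# your organization.
resource "google_folder_organization_policy" "domain_restricted_sharing" {
  folder     = "folders/${var.folder_id}"
  constraint = "constraints/iam.allowedPolicyMemberDomains"

  list_policy {
    allow {
      values = var.allowed_customer_ids
    }
  }
}
```

After `terraform apply`, confirm the effective policy on the folder with `gcloud resource-manager org-policies describe constraints/storage.publicAccessPrevention --folder=FOLDER_ID --effective` (and likewise for the other three constraints); the effective view is what matters, because a policy set higher in the hierarchy can be inherited or overridden here.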
The iam module sets up two permission sets:
- **Application Developers**
  - Cloud Run deployment
  - Cloud Functions management
  - Basic Vertex AI access
  - Cloud Build management
- **Data Scientists**
  - Full Vertex AI access
  - Notebook management
  - BigQuery access
  - Storage management
Learn more about GCP IAM Best Practices
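The following is an added example of how the two permission sets can be granted to the Google Groups created in the prerequisites; it is not the project's `modules/iam` code. The project IDs and group addresses are assumed variables, and the role lists are one reading of the bullet points above:

```hcl
# Added example: group-based project IAM with google_project_iam_member.
# Project IDs, group addresses and the exact role lists are assumptions.

variable "app_dev_project_id" { type = string }    # assumed
variable "data_sci_project_id" { type = string }   # assumed
variable "app_developers_group" { type = string }  # e.g. app-developers@example.com (assumed)
variable "data_scientists_group" { type = string } # e.g. data-scientists@example.com (assumed)

locals {
  # Application Developers: deploy and operate services, no project-wide admin.
  app_developer_roles = [
    "roles/run.developer",            # Cloud Run deployment
    "roles/cloudfunctions.developer", # Cloud Functions management
    "roles/aiplatform.user",          # basic Vertex AI access
    "roles/cloudbuild.builds.editor", # Cloud Build management
  ]

  # Data Scientists: full Vertex AI plus notebooks, BigQuery and storage.
  data_scientist_roles = [
    "roles/aiplatform.admin",   # full Vertex AI access
    "roles/notebooks.admin",    # notebook management
    "roles/bigquery.user",      # run queries and create datasets
    "roles/storage.objectAdmin", # manage objects, not bucket IAM policy
  ]
}

# One additive binding per role: dropping a role from the list removes only
# that binding, and grants held by other members are never touched.
resource "google_project_iam_member" "app_developers" {
  for_each = toset(local.app_developer_roles)

  project = var.app_dev_project_id
  role    = each.value
  member  = "group:${var.app_developers_group}"
}

resource "google_project_iam_member" "data_scientists" {
  for_each = toset(local.data_scientist_roles)

  project = var.data_sci_project_id
  role    = each.value
  member  = "group:${var.data_scientists_group}"
}
```

The choice of `google_project_iam_member` is deliberate: `google_project_iam_binding` is authoritative for a whole role and `google_project_iam_policy` for the whole project, so either would silently remove grants made outside Terraform (for example by the Workspace admin or a service agent) on the next apply. Membership changes then happen in the group, not in Terraform, which keeps the audit trail of who can do what in one place.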
```text
.
├── main.tf                  # Main Terraform configuration
├── variables.tf             # Variable definitions
├── outputs.tf               # Output definitions
├── versions.tf              # Provider and version constraints
├── terraform.tfvars.example # Example variable values
└── modules/
    ├── org-policies/        # Organization policies configuration
    │   ├── main.tf          # Policy definitions
    │   ├── variables.tf     # Policy variables
    │   └── outputs.tf       # Policy outputs
    └── iam/                 # IAM roles and permissions
        ├── main.tf          # Role assignments
        ├── variables.tf     # IAM variables
        └── outputs.tf       # IAM outputs
```
- ✅ Least privilege access through role-based permissions
- ✅ Resource isolation with separate projects
- ✅ Network security with VM external IP restrictions
- ✅ Data protection through bucket access controls
- ✅ Compliance support with location restrictions
- **Edit `terraform.tfvars`** for basic configuration:
  - Organization ID
  - Billing Account
  - Project names
  - Google Groups
- **Modify modules** for additional policies or roles:
  - Add new organization policies in `modules/org-policies/main.tf`
  - Add additional IAM roles in `modules/iam/main.tf`
- **Permission Errors**
  - Ensure you have the Organization Admin role
  - Verify billing account access
  - Check Google Groups membership
- **Project ID Conflicts**
  - Project IDs include a random suffix for uniqueness
  - Change the base names in `terraform.tfvars` if needed
- **API Enablement**
  - Required APIs are enabled automatically
  - You may need to wait a few minutes after project creation
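To show the two mechanisms behind the last two troubleshooting items, here is an added example (not this repository's `main.tf`) of a project whose ID carries a random suffix, followed by explicit API enablement that depends on the project. The variable names, base name and API list are assumptions:

```hcl
# Added example: unique project ID via random_id, plus dependent API enablement.
# Variable names, the default base name and the API list are assumptions.

variable "folder_id" { type = string }       # assumed, numeric folder ID
variable "billing_account" { type = string } # assumed
variable "app_project_base_name" {
  type    = string
  default = "app-dev" # change this if the generated ID is still taken
}

# Four random bytes give an eight-character hex suffix. The value is kept in
# Terraform state, so a second apply reuses the same project ID instead of
# trying to create a new project.
resource "random_id" "app_suffix" {
  byte_length = 4
}

resource "google_project" "app_dev" {
  name            = var.app_project_base_name
  project_id      = "${var.app_project_base_name}-${random_id.app_suffix.hex}"
  folder_id       = var.folder_id
  billing_account = var.billing_account
}

# Services that the developer roles need. Referencing the project resource
# creates an implicit dependency, so enablement starts only after the project
# exists; a freshly created project can still need a few minutes before the
# enable call succeeds, which is where a retry of `terraform apply` comes in.
locals {
  app_dev_apis = [
    "run.googleapis.com",
    "cloudfunctions.googleapis.com",
    "cloudbuild.googleapis.com",
    "aiplatform.googleapis.com",
  ]
}

resource "google_project_service" "app_dev" {
  for_each = toset(local.app_dev_apis)

  project = google_project.app_dev.project_id
  service = each.value

  # Leave the API on if this block is removed from the configuration, so a
  # refactor does not disable a service that running workloads rely on.
  disable_on_destroy = false
}
```

If `terraform apply` stops with an API-not-enabled error on a resource that depends on one of these services, wait a few minutes and re-run the apply; the state already holds the project and the suffix, so nothing is created twice.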
- Check the GCP Documentation
- Review Terraform GCP Provider Documentation
- Open an issue in this repository
Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a Pull Request
This project is licensed under the MIT License - see the LICENSE file.