Building a Google Cloud Landing Zone in a Scalable, Repeatable and Secure Way (Part 1)
By Jasbir Singh, Staff Consulting Architect, Rackspace Technology
Introduction
Landing zones are a way for an organization or enterprise to build its Google Cloud environment in a structured and consistent way, following a load of proven best practices. It ensures that all the tenants that run on the landing zone avoid reinventing the wheel, and, using appropriate shared components, are adhering to agreed policies and are only building their environments using approved IaC routes.
Overview of Cloud Foundation Fabric and Fabric FAST
Cloud Foundation Fabric was designed from the ground-up to provide a robust way to implement a landing zone. It provides a set of Terraform modules, a landing zone blueprint, a set of reference blueprints to achieve certain goals (e.g., working with Cloud SQL, Dataflow and BigQuery, GKE, etc.) and Fabric FAST.
Fabric FAST is a production-ready landing zone blueprint implementation, built by pre-aggregating the Fabric reference blueprints. It’s a Terraform-based solution for bootstrapping and building a GCP LZ from scratch.
In this blog, I will be using FAST to build a landing zone. Google describes FAST as “an ideal blueprint for organizations of all sizes, ranging from startups to the largest companies.” Since it’s open source, if you stumble across any issues along the way, you can always make changes to improve FAST and raise a PR to incorporate your changes.
Pre-requisites
First, make sure you have the following prerequisites:
- You have Git installed and a GitHub account.
- You have Terraform installed, the infrastructure-as-code tool we’ll use to run the Fabric FAST process.
- You have a domain. If you don’t yet have one, you’ll need to register one. It’s usually very cheap. It is important that you have your own domain, since you’ll need to verify your ownership later in the Google Cloud organization creation process.
Getting started — Fork and clone the CFF repo
First, we need to fork the Google Cloud Foundation Fabric repo.
Next, clone the repo to your local machine, e.g., git clone here.
Organization creation
We’re following the Cloud Identity and Organization steps from Google’s Enterprise Setup Checklist.
1. Create your Google organization and admin account
We’re going to create a Google organization resource associated with your domain. (This assumes you don’t already have an organization within Google Cloud.) For example, I’ve created a Google organization associated with my ccoe-gcp.org domain. When working with Google Cloud, the organization resource is the top level of your resource hierarchy.
To create a Google Cloud organization, you must create a Google Workspace or Cloud Identity account. This is a summary of how it works:
- Sign up for a Cloud Identity account with your existing email address. (It can be any email address that belongs to you.)
- The email address you sign up with becomes your super admin account.
- You will then verify your domain, which results in the creation of your Google organization associated with that domain.
Let’s start by visiting the Google Cloud Identity and Organization guided setup. You’ll see a Cloud Foundation page like this:
Click on ‘Begin the Setup.’ You’ll see a page like this:
Now click on ‘Sign Up for Cloud Identity,’ which will take you to the Cloud Identity Sign-Up Page.
Note: if you’re already paying for Google Workspace, then you’ll already have an account, and you’ll already be familiar with the Google Admin Console. Otherwise, you’ll want a Google Cloud Identity account. It’s free!
When you visit the Cloud Identity sign-up page, you’ll see a page that looks like this:
You’ll be guided through a few screens:
- Enter the business name you want to associate with your account. You can call it whatever you want.
- Specify how many employees your business will have. For the purposes of testing, and for setting up various identities for your Google Cloud organization, I’d suggest that 10 – 99 is more than enough.
- Eventually, you’ll be asked to provide your domain name. Here, you must provide the domain name that you own, e.g. yourdomain.com.
- You’ll then be asked for a username that you will use to sign into your new Cloud Identity account. This will be your new super administrator identity. It needs to be an email address associated with the same domain you provided earlier. For example, it might be super-admin@yourdomain.com.
Your account is now created. You’ll be asked to log in to the Google Admin console with the email address you just provided.
Verify your domain
You’ll now be directed to verify that you own the domain. The manual process (which you are guided through) involves obtaining a domain verification code from the Admin Console, which you then need to supply as a DNS TXT record with your domain registrar. The Admin Console will ask you to set up users. Don’t do this, because the Checklist will help you automate some of the work. Instead, click on ‘Setup GCP Console now.’ This will open the Google Cloud Console on the IAM page.
Click on ‘Go to the Checklist,’ and you’ll be directed back to the Cloud Foundation page.
If, at this point, the Checklist does not detect your new organization, it might be because you’re signed in with an email address that belongs to a different domain than the one you used to set up your organization. If so, switch over to your newly created Admin account to continue with the checklist.
User and group setup
Creating groups
The Fabric FAST process expects that you will provision user groups that align with the best practice set of groups. Later, we will use Fabric FAST to assign Cloud IAM roles to the groups, as required. It’s Google's best practice to manage access at the group level, not at an individual user level. We could provision the required groups from within the Google Admin Console, but the Cloud Foundation setup page can automate most of the hard work for us.
Click on ‘Start Users and Groups.’
Now click on ‘Create All Groups,’ then on ‘Save and Create.’ A couple of minutes later, the groups will be created. Click on Groups in the Google Admin Console to see all the newly created groups:
Create an org admin user
Okay, we’ve got our groups, but we must create users manually. At the very least, we will need to create a user who will be a Cloud Organization Admin.
Note that the super admin and the organization admin accounts should be two different accounts, as they serve different purposes:
- Cloud Identity Super Admin: Provides the capability to create and manage users and groups in Google Cloud Identity. You will use this to create your Google Cloud Organizational Admin account.
- Google Cloud Organization Admin: Use within Google Cloud, including Google Cloud IAM.
From the Google Admin Console, select Users > Add New User. We’ll create a user who will be one of our Organization Admins. Most of the Fabric FAST process will be run by this user.
Now, assign this new user to the Organization Admin (gcp-organization-admins) group. Click on Groups > gcp-organization-admins > Add Members. Find your newly created user.
Creating other users
While we’re at it, let’s create a user for each of these three groups also:
- gcp-network-admins
- gcp-billing-admins
- gcp-devops
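Before moving on, it is worth confirming from the command line that the groups and admin accounts exist as the checklist promised. The script below is an added example, not part of the original post or of Fabric FAST: it assumes gcloud is installed and authenticated as the org admin user, that `yourdomain.com`, `super-admin@yourdomain.com` and `org-admin@yourdomain.com` are placeholders you replace, and that the gcloud output fields named in the comments are available in your gcloud version.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the Cloud Identity
# foundation built in Part 1. Pass --live to run the gcloud queries; without it,
# only the helper functions are defined (so they can be sourced and tested).
set -eu

DOMAIN="${DOMAIN:-yourdomain.com}"                         # placeholder: your verified domain
SUPER_ADMIN="${SUPER_ADMIN:-super-admin@yourdomain.com}"   # placeholder: Cloud Identity super admin
ORG_ADMIN="${ORG_ADMIN:-org-admin@yourdomain.com}"         # placeholder: Google Cloud org admin user
EXPECTED_GROUPS="gcp-organization-admins gcp-network-admins gcp-billing-admins gcp-devops"

# missing_groups DOMAIN FOUND: FOUND is a newline-separated list of group e-mails;
# prints the expected FAST group names that are absent (empty output = all present).
missing_groups() {
  local domain="$1" found="$2" g missing=""
  for g in $EXPECTED_GROUPS; do
    printf '%s\n' "$found" | grep -qxF "${g}@${domain}" || missing="${missing}${g} "
  done
  printf '%s' "${missing% }"
}

# separate_admins SUPER ORG: succeeds only when both are set and are different identities,
# i.e. the super admin and the org admin are not the same account.
separate_admins() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# is_member USER MEMBERS: USER appears in the newline-separated MEMBERS list.
is_member() {
  printf '%s\n' "$2" | grep -qxF "$1"
}

main() {
  local customer groups members missing
  # Assumed gcloud fields: owner.directoryCustomerId on the organization resource,
  # groupKey.id on a group, preferredMemberKey.id on a membership.
  customer=$(gcloud organizations list --filter="displayName=${DOMAIN}" \
             --format='value(owner.directoryCustomerId)')
  [ -n "$customer" ] || { echo "no organization found for ${DOMAIN}"; exit 1; }
  groups=$(gcloud identity groups search --customer="$customer" \
           --labels=cloudidentity.googleapis.com/groups.discussion_forum --format='value(groupKey.id)')
  missing=$(missing_groups "$DOMAIN" "$groups")
  [ -z "$missing" ] || { echo "missing groups: ${missing}"; exit 1; }
  members=$(gcloud identity groups memberships list \
            --group-email="gcp-organization-admins@${DOMAIN}" --format='value(preferredMemberKey.id)')
  is_member "$ORG_ADMIN" "$members" || { echo "${ORG_ADMIN} is not in gcp-organization-admins"; exit 1; }
  separate_admins "$SUPER_ADMIN" "$ORG_ADMIN" || { echo "super admin and org admin must differ"; exit 1; }
  echo "foundation checks passed"
}

if [ "${1:-}" = "--live" ]; then main; fi
```

Run it as `DOMAIN=yourdomain.com ORG_ADMIN=org-admin@yourdomain.com ./check-foundation.sh --live`; a non-zero exit names the first missing group or membership.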
Summary
We’ve created everything we need to progress with Fabric FAST, including:
- Clone of the Google CFF repo
- Cloud Identity Account
- Cloud Identity Super Admin account
- Google Cloud organization resource, associated with our domain
- Set of user groups
- Some users, now associated with their respective user group
Read Part 2 here.