Set up a new Google Cloud organization with security policies, folder hierarchy, and networking already in place before application teams start deploying workloads.
Use the hub-and-spoke networking stack as a starting point for connecting multiple GCP projects through a shared VPC with Cloud NAT and optional VPN.
Adapt the organization policy stack to enforce custom constraints like blocking specific regions or requiring encryption across all Cloud Storage buckets.
Study the service account impersonation pattern in the security stack as a replacement for static JSON key files in enterprise GCP environments.
Requires a Google Cloud organization account with billing configured and Terraform 1.14.6; the five stacks must be applied in the correct sequence.
Landing-Zone-GCP is a collection of Terraform configuration files that sets up a standardized, security-first Google Cloud environment for enterprise use. The repository is written primarily in Vietnamese, but the concepts translate clearly: it creates the foundational plumbing that a company's cloud platform team would install once, then hand off to application teams who can deploy workloads without worrying about networking, access control, or cost tracking.

The central idea is that most organizations make a mistake when first moving to the cloud: they create projects and deploy applications immediately, and only add governance and security policies later. This project instead builds a "landing zone," a pre-configured environment with guardrails already in place, so teams can start building on a safe foundation from day one.

The infrastructure is split into five independent Terraform stacks. The first establishes the organization structure: a folder hierarchy, five projects created through a project factory, and seven organization-level policies that enforce rules such as blocking public IP addresses and prohibiting static service account keys. The second stack sets up networking using a hub-and-spoke model with two custom VPCs, shared networking for application teams, Cloud NAT for outbound internet traffic, and optional VPN connectivity to on-premises systems. The third stack handles security and access control. The fourth provides a sample application workload. The fifth manages logging, monitoring, dashboards, and budget alerts.

Authentication across all five stacks relies on service account impersonation rather than static JSON keys, which reduces the risk of credential leaks. Each stack has its own state file and its own runner account, so an error in one layer cannot cascade into another. The code targets Terraform version 1.14.6 and the Google Cloud provider version 6.50.0, deployed to the Singapore region by default.
The project is open source and framed as a personal reference architecture that teams can adapt to their own environments.
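The combination the description refers to, a keyless runner identity plus organization-level guardrails, as an added Terraform example rather than code taken from the Landing-Zone-GCP repository: it pins the Terraform and provider versions the page names, authenticates by impersonating a per-stack runner service account (no JSON key anywhere), and enforces three of the constraints the page describes (no static service account keys, no external IPs on VMs, and a location restriction). The organization ID, the runner account name, the seed project, the state bucket and the exact region allow-list are placeholder assumptions, not values from the repository.

```hcl
# Added example, not the repository's own code. Every identifier marked
# PLACEHOLDER, and the runner account name, is an assumption.
terraform {
  required_version = "= 1.14.6"   # Terraform version named on the page
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "= 6.50.0"          # provider version named on the page
    }
  }
  # Remote state is read and written by impersonating this stack's runner
  # account, so the operator's own credentials never touch the bucket directly
  # and each stack can keep its own state file and its own runner.
  backend "gcs" {
    bucket                      = "PLACEHOLDER-tfstate-bucket"
    prefix                      = "org-foundation"
    impersonate_service_account = "tf-org-runner@PLACEHOLDER-seed-project.iam.gserviceaccount.com"
  }
}

variable "org_id" {
  description = "Numeric organization ID (placeholder; supply your own)"
  type        = string
}

# The operator's Application Default Credentials only need
# roles/iam.serviceAccountTokenCreator on the runner account; the runner
# holds the organization-level roles. No downloadable key exists to leak.
provider "google" {
  region                      = "asia-southeast1"  # Singapore, the page's default
  impersonate_service_account = "tf-org-runner@PLACEHOLDER-seed-project.iam.gserviceaccount.com"
}

# Boolean constraint: nobody in the organization can mint static JSON keys.
resource "google_org_policy_policy" "no_sa_keys" {
  name   = "organizations/${var.org_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# List constraint with deny_all: no Compute Engine VM may receive an external IP.
resource "google_org_policy_policy" "no_public_ips" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# List constraint with an allow-list: resources may only be created in
# Singapore locations. Assumed restriction; adjust the value group to your policy.
resource "google_org_policy_policy" "region_lock" {
  name   = "organizations/${var.org_id}/policies/gcp.resourceLocations"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      values {
        allowed_values = ["in:asia-southeast1-locations"]
      }
    }
  }
}
```

Applied with `terraform init` and `terraform apply -var org_id=PLACEHOLDER` after `gcloud auth application-default login`, the only binding the operator needs is Service Account Token Creator on the runner; every token minted through impersonation is recorded in Cloud Audit Logs under the operator's identity, which is the traceability that a shared key file cannot give. Because the key-creation constraint is enforced at the organization, any later attempt to fall back to a JSON key fails at the API rather than becoming a quiet exception.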
Author: sontxdev04 on gitmyhub.
Verify against the repo before relying on details.