Secure Landing Zone Folder Structure
Overview
This module defines a hierarchical folder structure within Google Cloud Platform, designed as a core component of a secure landing zone. The structure separates responsibilities and isolates distinct concerns of the environment, such as billing, logging, security, networking, and shared resources, into their own folders.
Secure Landing Zone Context
The design emphasizes security by:
- Isolating Responsibilities: By segregating resources into dedicated folders, you minimize the risk of unintended access or modifications.
- Scalable Organization: The structure can grow without being reorganized; additional departments, projects, or environment tiers are added as new folders under the existing ones.
- Hierarchical Access Control: Implementing IAM policies at different folder levels provides fine-grained control, supporting the principle of least privilege.
- Auditability: The Logging and Monitoring folder can be configured to centralize logs, improving visibility and compliance.
Module: Folders
Organizations
├── Seed
│
├── Core/
│ ├── Billing
│ ├── Logging-Monitoring
│ ├── Security
│ └── Network
│
├── Shared/
│ ├── Shared-Prod
│ └── Shared-NonProd
│
└── BussinesUnits/*
Info
From this point on, the document is autogenerated; don't modify it directly.
Code
Folder Structure
- Organizations: The root level, representing your organization on Google Cloud Platform.
- Core: A foundational folder for critical organizational resources. Subfolders:
  - Billing: Manages billing accounts and related information.
  - Logging-Monitoring: Segregates logging and monitoring resources.
  - Security: Holds security-related configurations and policies.
  - Network: Manages network-related resources.
- Shared: A folder hosting shared resources, with subfolders for production and non-production environments.
- BussinesUnits: Business unit folder (or folders); holds all projects.
module "folders" {
  source = "../modules/google_folder"
  folders = {
    "Core"               = { external_parent_id = "organizations/${var.org_id}" },
    "Billing"            = { parent_entry_key = "Core" },
    "Logging-Monitoring" = { parent_entry_key = "Core" },
    "Security"           = { parent_entry_key = "Core" },
    "Network"            = { parent_entry_key = "Core" },
    "Shared"             = { external_parent_id = "organizations/${var.org_id}" },
    "Shared-Prod"        = { parent_entry_key = "Shared" },
    "Shared-NonProd"     = { parent_entry_key = "Shared" },
    "BussinesUnits" = {
      name               = "BussinesUnits"
      external_parent_id = "organizations/${var.org_id}"
    },
  }
}
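The folder map above relies on two parent fields: external_parent_id anchors a folder directly under the organization, and parent_entry_key points at another key in the same map. A mistake in either (a dangling key, a cycle, or a parent outside the organization) would place a folder where organization-level IAM and org policies do not inherit. The following is an added validation script, not part of the module; the organization id and the copy of the folder map are constructed for the example, and the "name" default (key name) is an assumption about the module.

```python
# Added example, not part of the module: checks a folder map written in the
# same shape as the "folders" argument above and returns the hierarchy it
# would create. Every entry must name exactly one parent, every
# parent_entry_key must exist, there must be no cycles, and every chain must
# end at the organization, so no folder is silently created outside the org.
ORG_ID = "123456789012"  # constructed placeholder for var.org_id

# Constructed copy of the page's folder map.
FOLDERS = {
    "Core": {"external_parent_id": f"organizations/{ORG_ID}"},
    "Billing": {"parent_entry_key": "Core"},
    "Logging-Monitoring": {"parent_entry_key": "Core"},
    "Security": {"parent_entry_key": "Core"},
    "Network": {"parent_entry_key": "Core"},
    "Shared": {"external_parent_id": f"organizations/{ORG_ID}"},
    "Shared-Prod": {"parent_entry_key": "Shared"},
    "Shared-NonProd": {"parent_entry_key": "Shared"},
    "BussinesUnits": {"name": "BussinesUnits",
                      "external_parent_id": f"organizations/{ORG_ID}"},
}


def resolve_paths(folders, org_id=ORG_ID):
    """Return {key: "organizations/<id>/Core/Billing"-style path}; raise on a bad map."""
    root = f"organizations/{org_id}"
    paths = {}

    def path_of(key, seen):
        if key in paths:
            return paths[key]
        if key in seen:
            raise ValueError(f"cycle through folder {key!r}")
        entry = folders[key]
        has_ext, has_key = "external_parent_id" in entry, "parent_entry_key" in entry
        if has_ext == has_key:  # both set, or neither: ambiguous parent
            raise ValueError(f"{key!r} must set exactly one parent field")
        if has_ext and entry["external_parent_id"] != root:
            raise ValueError(f"{key!r} is parented outside the organization")
        parent = root
        if has_key:
            pk = entry["parent_entry_key"]
            if pk not in folders:
                raise ValueError(f"{key!r} references unknown parent {pk!r}")
            parent = path_of(pk, seen | {key})
        # Assumption: the module names the folder after its key unless "name" is set.
        paths[key] = f"{parent}/{entry.get('name', key)}"
        return paths[key]

    for k in folders:
        path_of(k, frozenset())
    return paths
```

Running resolve_paths(FOLDERS) against the map above yields nine paths, all rooted at the organization, matching the tree in the Module: Folders section.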