Terraform + Google Cloud

GCP Landing Zone

Production-grade 3-tier infrastructure on Google Cloud, fully automated with Terraform. 54 resources across 7 modules.

54 Resources | 7 Modules | ~15 min Deploy | $3-5/day

The Problem

Cloud infrastructure is hard to get right from scratch.

Architecture

3-Tier Infrastructure

Internet / Edge
Cloud Armor (WAF) + Global HTTPS Load Balancer + Cloud CDN
Frontend Tier
GCE + nginx in public subnet (Managed Instance Group, autoscaler)
Backend Tier
GCE + Python Flask API in private subnet (Cloud NAT for outbound)
Database
Cloud SQL PostgreSQL -- private IP only, VPC peering, automated backups
Network
VPC, subnets, Cloud NAT, firewall rules
Secrets
Secret Manager for DB credentials

Infrastructure as Code

7 Terraform Modules

Network

VPC, subnets, firewall, Cloud Router, NAT, Private Services Access

IAM

Service accounts with least-privilege role bindings

Compute

Instance templates, MIGs, health checks, autoscalers

Database

Cloud SQL PostgreSQL, private IP, automated backups

Storage

GCS bucket + IAM bindings

Secrets

Secret Manager entries + access bindings

Load Balancer

Global LB, backend services, URL routing, CDN

Production Patterns

Enterprise Patterns Demonstrated

Network Isolation

Public and private subnets with strict firewall rules between tiers

VPC Peering

Private Services Access for managed services -- the tricky part

Least-Privilege IAM

No default compute service account. Custom SAs with minimal roles.

Secrets Management

Secret Manager for credentials. Not env vars, not config files.

Defense in Depth

Layered security: firewall rules + Cloud Armor WAF at the edge

Cost Control

Preemptible instances, autoscaling, right-sized e2-micro VMs

Tools

Tech Stack

Terraform >= 1.5 | GCE (e2-micro) | Cloud SQL PostgreSQL 15 | Global HTTPS LB | Cloud CDN | Cloud NAT | Cloud Armor | Secret Manager | Cloud Logging

Hard-Won Gotchas

Key Learnings

1. Public subnet still needs NAT -- instances have no external IPs and inbound traffic arrives only through the load balancer, so outbound connectivity still requires Cloud NAT.

2. Private Services Access requires a /16 CIDR + VPC peering -- the most confusing part of Cloud SQL private networking. It needs a reserved IP range and an explicit peering connection.

3. 5 resources = 1 load balancer -- the GCP LB is verbose: forwarding rule, target proxy, URL map, backend service, health check. Each one is a separate Terraform resource.

4. Cloud Armor quota = 0 on free trial -- you need to request a quota increase or use a billing account. Discovered this at deploy time.

5. Interactive setup.sh for guided deployment -- built a shell script that walks through project setup, API enablement, and terraform apply in ~15 minutes.
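As an added illustration of learning 2 above and of the Private Services Access pattern from the VPC Peering section (this is example code, not the project's own module), here is the minimal Terraform wiring for a private-IP-only Cloud SQL instance: the reserved range, the explicit peering connection, and the instance that depends on both. Resource names, the region and the machine tier are assumptions.

```hcl
# Added example, not the project's module code. Names and the region are
# assumptions; resource types and arguments are the real google provider ones.

resource "google_compute_network" "vpc" {
  name                    = "landing-zone-vpc"
  auto_create_subnetworks = false
}

# Reserve a /16 inside the VPC for Google-managed services. Cloud SQL's
# private IP is allocated from this range, not from your own subnets.
resource "google_compute_global_address" "private_services" {
  name          = "private-services-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.vpc.id
}

# The explicit peering to the service producer network. Without it,
# Cloud SQL instance creation fails even though the range above exists.
resource "google_service_networking_connection" "private_vpc" {
  network                 = google_compute_network.vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.private_services.name]
}

# Private-IP-only instance: no public IPv4, attached to the peered VPC.
# depends_on forces the peering to exist first; the instance only references
# the network, so Terraform cannot infer that ordering on its own.
resource "google_sql_database_instance" "postgres" {
  name                = "landing-zone-db"
  database_version    = "POSTGRES_15"
  region              = "us-central1" # assumed region
  deletion_protection = false         # lets "terraform destroy" tear it down; set true for real prod
  depends_on          = [google_service_networking_connection.private_vpc]

  settings {
    tier = "db-f1-micro" # assumed tier, smallest shared-core option
    ip_configuration {
      ipv4_enabled    = false                         # no public IP at all
      private_network = google_compute_network.vpc.id # reachable only from the VPC
    }
    backup_configuration {
      enabled = true # matches the "automated backups" requirement
    }
  }
}
```

Run `terraform plan` after adding the Service Networking API (servicenetworking.googleapis.com) to the project's enabled APIs; the peering resource errors out otherwise.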

By The Numbers

Project Stats

54 GCP Resources
7 Terraform Modules
$3-5 Per Day Cost
~15 Min Deploy Time

A production-grade landing zone you can deploy in 15 minutes, tear down in seconds, and fork for any GCP project.

Built by Jazz Lien | 2026
github.com/jazzpujols34 | jazzlien.com