Book Image

The Ultimate Guide to Building a Google Cloud Foundation

By : Patrick Haggerty
Book Image

The Ultimate Guide to Building a Google Cloud Foundation

By: Patrick Haggerty

Overview of this book

From data ingestion and storage, through data processing and data analytics, to application hosting and even machine learning, whatever your IT infrastructural need, there's a good chance that Google Cloud has a service that can help. But instant, self-serve access to a virtually limitless pool of IT resources has its drawbacks. More and more organizations are running into cost overruns, security problems, and simple "why is this not working?" headaches. This book has been written by one of Google’s top trainers as a tutorial on how to create your infrastructural foundation in Google Cloud the right way. By following Google’s ten-step checklist and Google’s security blueprint, you will learn how to set up your initial identity provider and create an organization. Further on, you will configure your users and groups, enable administrative access, and set up billing. Next, you will create a resource hierarchy, configure and control access, and enable a cloud network. Later chapters will guide you through configuring monitoring and logging, adding additional security measures, and enabling a support plan with Google. By the end of this book, you will have an understanding of what it takes to leverage Terraform for properly building a Google Cloud foundational layer that engenders security, flexibility, and extensibility from the ground up.
Table of Contents (10 chapters)

Chapter 2: IAM, Users, Groups, and Admin Access

Building IT services for your organization in Google Cloud needs to start like a good house, with a firm and secure foundation. If the foundation is weak, then sooner or later, cracks appear, and that’s so much harder to fix after the house is built.

Interestingly, this is exactly what got me into working with Google Cloud. I’ve spent most of my career writing code, helping others to write code, training around writing code, and… well, you get the picture. I’ve been coding in one form or another since the mid-1980s. I never wanted to be a cloud consultant/trainer; I liked the code.

A Note on the Whole “Why Google Cloud?” Question

I regularly get asked why I like Google Cloud. There are a lot of good reasons, but they are based on my experiences and the types of work I do. I say the best answer is, “Go try it yourself.” AWS was the first and is currently the biggest cloud provider, followed by Azure (rhymes with pressure), with Google Cloud the third most popular. All the major cloud providers have free trials and other programs to allow you to give things a spin before you spend too much money. Do some tutorials, try to do what you need, and see what you like best. If it’s Google Cloud, then you’re reading the right book.

As a developer, I followed my aforementioned advice and did some work with AWS, a bit with Google Cloud, and working with SharePoint got me into a bit of Azure, but after playing with the big three cloud providers, the one that clicked best for me was Google. So, I started saying to my clients, “Hey, this app you want to build – why don’t we build it in Google Cloud?”

Those who were at least open to the idea came back with one of two common responses. First, there were the “Sounds like an interesting idea… How do we do that?” clients. They liked the idea of the cloud and were open to giving it a shot, but they didn’t know how to make a start. Understandably, they wanted help taking those first steps, and there I was.

Now, I am not a good liar, and if I don’t just say what I’m thinking, it typically shows all over my face, so for the clients who went with “Great idea – as a matter of fact, we’ve already started moving to Google Cloud. The CEO/CTO/CIO/big boss recently attended a conference, and we’ve started an initiative to create all future applications in the cloud. Come look,” it was really hard to not let the horror show.

Why horror? Well, because so many times, I would look at what they had done and it would be hard not to simply put my head in my hands. There would be so much fundamental cloud architecture to fix, and that was all before we could even start with the application development.

It’s generally not a good idea to burst out with uncontrollable laughter or to tell a client that they’re an idiot, so I usually went with something like, “Yes, I can see what you’ve done there and I’m glad you’re thinking cloud, but there’s a couple of things we should probably rework before building the application.” Hey, embellishment isn’t lying; it’s just good storytelling.

At some point, my brain kicked in and said, “Hey, there’s a need here. You should do this,” and then I wasn’t writing as much code anymore.

To help get our foundation started in Google Cloud Platform (GCP), Google has created a checklist, which you can find here: I’m not going to reinvent the wheel by coming up with my own checklist, but I am going to paraphrase Google’s a bit:

  1. Configuring identity management
  2. Adding an initial set of users and security groups
  3. Enabling administrator access
  4. Setting up billing and initial cost controls
  5. Creating a resource hierarchy to control logical organization
  6. Adding IAM trust boundaries to the resource hierarchy
  7. Building and configuring the initial Virtual Private Cloud (VPC) network
  8. Configuring logging and monitoring so that you know what’s happening in the cloud
  9. Adding organization policies, the Security Command Center, and other security measures
  10. Selecting and enabling a Google support plan

At the time of writing, Google is creating a wizard to help you through their steps ( Most of this help seems to be taking the form of instructions with links, then Google runs checks to see that you’ve completed each item, and you mark the items complete once you’re both satisfied. I’m going to walk you through the steps in detail so that you know what you’re doing and why. Feel free to just use the help that the wizard provides, but keep reading to truly understand the decisions that you and the wizard are making.

In this chapter, we’re going to take the first three major steps toward laying our foundation in Google Cloud:

  • Step 1 – configuring identity management
  • Step 2 – adding an initial set of users and security groups
  • Step 3 – enabling administrator access