Architecture
The SSC/GCP KCC Landing Zone is a collection of packages that together deploy a core landing zone along with 1 or more client landing zones around a shared VPC and service projects.
Branch
- see diagrams in https://github.com/ssc-spc-ccoe-cei/gcp-documentation/tree/main/Architecture/img
- https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/737
- slide 7 of https://docs.google.com/presentation/d/1Ztqn7G2rWFlssVwC7r5Xl-WFSFCbVo6MoHJffrXScmw/edit#slide=id.g18837ac3d5a_0_0
- older LZ V1 proposed architecture - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/architecture.md#low-level-zoning-diagram
- https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/architecture.md
These are the dependencies between the Landing Zone packages in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions. There are direct/deploy-time and indirect/runtime dependencies (required/optional). The following diagram shows the direct dependencies. For example, the hub-env deployment needs the networking-sa service account defined in core-landing-zone. An example of an indirect optional package is the org-policies folder in any package: it is optional for development but recommended for production.
- core-landing-zone - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/core-landing-zone
- client-setup - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/client-setup
- client-landing-zone - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/client-landing-zone
- client-project-setup - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/client-project-setup
- guardrails - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/guardrails
```mermaid
graph LR;
    style LZV2 fill:#44f,stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
    %% mapped and documented
    project/hub-env-->core-landing-zone;
    client-setup;
    client-setup-->dns-project;
    client-setup-->kcc-management-project;
    client-landing-zone-->client-setup;
    client-project-setup-->client-landing-zone;
    client-project-setup-->client-management-project;
    gatekeeper-policies;
    kcc-management-project;
    core-landing-zone-->kcc-management-project;
    dns-project-->core-landing-zone;
    logging-project-->core-landing-zone;
    client-management-project-->client-setup;
    host-project-->client-landing-zone;
```
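The direct dependencies in the diagram above can be turned into deploy waves and a pre-deployment check. This is an added example, not code from the toolkit; reading `a --> b` as "a needs b deployed first" is an assumption taken from the hub-env example, and the function names are hypothetical.

```python
from collections import defaultdict

# Edges copied from the diagram; "a --> b" is read as "a needs b first"
# (assumption). Nodes without edges, such as gatekeeper-policies, are omitted.
EDGES = [
    ("project/hub-env", "core-landing-zone"),
    ("client-setup", "dns-project"),
    ("client-setup", "kcc-management-project"),
    ("client-landing-zone", "client-setup"),
    ("client-project-setup", "client-landing-zone"),
    ("client-project-setup", "client-management-project"),
    ("core-landing-zone", "kcc-management-project"),
    ("dns-project", "core-landing-zone"),
    ("logging-project", "core-landing-zone"),
    ("client-management-project", "client-setup"),
    ("host-project", "client-landing-zone"),
]

def _needs(edges):
    """Map each package to the set of packages it directly needs."""
    needs = defaultdict(set)
    for pkg, dep in edges:
        needs[pkg].add(dep)
        needs[dep]  # register packages that only appear as a dependency
    return needs

def deploy_waves(edges):
    """Group packages into waves; each wave needs only earlier waves."""
    needs, waves, done = _needs(edges), [], set()
    while len(done) < len(needs):
        ready = sorted(p for p in needs if p not in done and needs[p] <= done)
        if not ready:  # nothing deployable left: the graph has a cycle
            raise ValueError(f"dependency cycle among {sorted(set(needs) - done)}")
        waves.append(ready)
        done.update(ready)
    return waves

def missing_prerequisites(edges, target, deployed):
    """Transitive dependencies of target that are not in the deployed set."""
    needs, missing, stack = _needs(edges), set(), [target]
    while stack:
        for dep in needs[stack.pop()]:
            if dep not in deployed and dep not in missing:
                missing.add(dep)
                stack.append(dep)
    return sorted(missing)

if __name__ == "__main__":
    for i, wave in enumerate(deploy_waves(EDGES)): print(i, ", ".join(wave))
```
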
- Note: PSC forwarding rule gcloud addition https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/823
Resource manager view for combined (core-landing-zone, client-setup and client-landing-zone)
- client-project-setup - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/client-project-setup
- IaaS security - not serverless Firewall Plus
- see all CSP landing zones known in https://github.com/orgs/CloudLandingZone/repositories?type=all
- Public Sector PBMM Landing Zone V3 (Terraform) based on the TEF V4 (202403+) https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding off https://github.com/terraform-google-modules/terraform-example-foundation see https://cloud.google.com/architecture/security-foundations
- Managed by SSC Public Sector PBMM Landing Zone V2 (Kubernetes Config Controller) (202205+) - https://github.com/ssc-spc-ccoe-cei/gcp-documentation/blob/main/Landing%20Zone%20Operations/Building.md
- Public Sector PBMM Landing Zone V2 (Kubernetes Config Controller) (202205+) - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/docs/landing-zone-v2
- Public Sector PBMM Landing Zone V1 (Terraform) based on the TEF V1 (deprecated 202403) - https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/main/z_2024_v020_pre_tef_v4