IaC Bazaar
Google Cloud · Plan-validated

GCP Project Factory

Opinionated project creation: API enablement, billing budget, default-SA lockdown, audit log sinks and baseline IAM.

terraform · GCP · #gcp
gcp-project-factory · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan: findings disclosed (Checkov)
  • Plan tests (mocked: validation rules · outputs)
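What a mocked plan test of the kind described above looks like, as an added illustration in Terraform's native test syntax (not the marketplace's harness and not the module's own tests, which ship with the licence). It assumes a root module exposing the variables project_id, org_id, folder_id and budget_amount, a google_project.this resource carrying the cross-field preconditions, and a google_project_default_service_accounts.lockdown resource; all of those names are assumptions. mock_provider needs Terraform 1.7 or OpenTofu 1.7 or newer and makes no API calls, so the run needs no credentials and no cloud:

```hcl
# tests/invariants.tftest.hcl (added example, not the module's own file)
# Run with `terraform test` or `tofu test` from the module root.

# Mock the google provider: plan resolves without credentials or network.
mock_provider "google" {}

# Constructed inputs: both org_id and folder_id set must fail the precondition.
run "rejects_org_and_folder_together" {
  command = plan
  variables {
    project_id = "example-proj-123"
    org_id     = "123456789012"
    folder_id  = "folders/987654321098"
  }
  # The resource whose lifecycle precondition is expected to fail (assumed name).
  expect_failures = [google_project.this]
}

# Constructed inputs: a budget without a billing account must fail.
run "budget_requires_billing_account" {
  command = plan
  variables {
    project_id    = "example-proj-123"
    org_id        = "123456789012"
    budget_amount = 100
  }
  expect_failures = [google_project.this]
}

# A valid call must plan, and the secure defaults must be present in the plan.
run "secure_defaults_apply" {
  command = plan
  variables {
    project_id = "example-proj-123"
    org_id     = "123456789012"
  }
  assert {
    condition     = google_project.this.auto_create_network == false
    error_message = "legacy default network must not be created"
  }
  assert {
    condition     = google_project.this.deletion_policy == "PREVENT"
    error_message = "deletion_policy must be PREVENT"
  }
  assert {
    condition     = google_project_default_service_accounts.lockdown[0].action == "DEPRIVILEGE"
    error_message = "default service accounts should be deprivileged by default"
  }
}
```

Because the provider is mocked, only attributes set in configuration are known at plan time; anything the API would compute (project number, SA e-mails) shows as unknown, which is why the assertions check configured values and precondition outcomes rather than provider-returned state.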

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

gcp-project-factory

An opinionated GCP project factory: creates a project with a deny-by-default network posture, explicit API enablement, default service-account lockdown, additive baseline IAM, an optional billing budget with threshold alerts, and an optional audit log sink. One module call gives you a project that is not shipped with the legacy default VPC and whose over-privileged default compute SA has had Editor stripped. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Status: static- and plan-validated (mocked), live-test pending. Validated with tofu validate + tflint + checkov plus mocked plan tests against the hashicorp/google provider. It cannot be live-tested without an Organization/Folder plus roles/resourcemanager.projectCreator and roles/billing.user (a standalone personal project is insufficient), so it ships under live-test quarantine.

Design & secure defaults

  • No legacy default network (auto_create_network = false) — bring your own VPC for a deny-by-default footprint.
  • Default-SA lockdown: the default compute / App Engine service accounts are over-privileged (Editor) out of the box. default_service_accounts_action = "DEPRIVILEGE" strips that role at create time; DISABLE / DELETE go further; NONE opts out.
  • Explicit API enablement only — serviceusage and cloudresourcemanager are always added; nothing else is on unless you list it. disable_dependent_services stays off so a destroy never cascades unless you opt in.
  • Additive baseline IAM (google_project_iam_member), non-authoritative and safe to compose with bindings managed elsewhere.
  • deletion_policy = "PREVENT" so the project cannot be destroyed by accident.
  • Optional budget with multi-threshold alerts and audit log sink with a unique writer identity.

Cross-field invariants are enforced with preconditions: exactly one of org_id / folder_id, and a budget requires billing_account.
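The posture described above, as an added illustration in plain Terraform HCL against the google provider 7.x. This is not the module's own source (that ships with the licence): resource names (google_project.this, google_project_service.apis, google_project_default_service_accounts.lockdown, google_project_iam_member.baseline) and every variable other than org_id, folder_id and billing_account are assumptions, and the optional budget and log sink are left out to keep the example short.

```hcl
# Added example, not gcp-project-factory's code. Names marked below are assumed.
terraform {
  required_version = ">= 1.6"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 7.0, < 8.0"
    }
  }
}

variable "project_id" { type = string }   # assumed name
variable "org_id" {
  type    = string
  default = null
}
variable "folder_id" {
  type    = string
  default = null
}
variable "billing_account" {
  type    = string
  default = null
}
variable "budget_amount" {                 # assumed name; null = no budget
  type    = number
  default = null
}
variable "activate_apis" {                 # assumed name; opt-in API list
  type    = list(string)
  default = []
}
variable "default_service_accounts_action" {
  type    = string
  default = "DEPRIVILEGE"
  validation {
    condition     = contains(["DEPRIVILEGE", "DISABLE", "DELETE", "NONE"], var.default_service_accounts_action)
    error_message = "Must be one of DEPRIVILEGE, DISABLE, DELETE or NONE."
  }
}
variable "baseline_iam" {                  # assumed name; additive role/member pairs
  type    = set(object({ role = string, member = string }))
  default = []
}

resource "google_project" "this" {
  name                = var.project_id
  project_id          = var.project_id
  org_id              = var.org_id
  folder_id           = var.folder_id
  billing_account     = var.billing_account
  auto_create_network = false      # no legacy default VPC: bring your own network
  deletion_policy     = "PREVENT"  # `destroy` refuses to remove the project

  lifecycle {
    # Cross-field invariants: exactly one parent, and a budget needs billing.
    precondition {
      condition     = (var.org_id != null) != (var.folder_id != null)
      error_message = "Set exactly one of org_id or folder_id."
    }
    precondition {
      condition     = var.budget_amount == null || var.billing_account != null
      error_message = "A budget requires billing_account."
    }
  }
}

# serviceusage and cloudresourcemanager are always on; everything else is opt-in.
resource "google_project_service" "apis" {
  for_each = toset(concat(
    ["serviceusage.googleapis.com", "cloudresourcemanager.googleapis.com"],
    var.activate_apis
  ))
  project                    = google_project.this.project_id
  service                    = each.value
  disable_dependent_services = false   # a destroy never cascades into other APIs
}

# Strip Editor from (or disable/delete) the default SAs; NONE creates nothing.
# The default compute SA only exists once compute.googleapis.com is enabled,
# hence the dependency on the API resources.
resource "google_project_default_service_accounts" "lockdown" {
  count      = var.default_service_accounts_action == "NONE" ? 0 : 1
  project    = google_project.this.project_id
  action     = var.default_service_accounts_action
  depends_on = [google_project_service.apis]
}

# Additive bindings: google_project_iam_member never overwrites roles managed elsewhere.
resource "google_project_iam_member" "baseline" {
  for_each = { for b in var.baseline_iam : "${b.role}:${b.member}" => b }
  project  = google_project.this.project_id
  role     = each.value.role
  member   = each.value.member
}
```

The two preconditions sit on the project resource so that an invalid combination fails at plan time, before any API call; `deletion_policy = "PREVENT"` means a later `terraform destroy` errors out on the project until the policy is changed to ABANDON or DELETE and re-applied.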

Requirements

Requirement              Version
Terraform / OpenTofu     >= 1.6
hashicorp/google         >= 7.0, < 8.0

Caller IAM: roles/resourcemanager.projectCreator on the org/folder and roles/billing.user on the billing account.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
