Real-World Production Implementation

Article 12 of 12 in the Cloud Landing Zone Series - The Grand Finale

Introduction

This final article brings together all the concepts from the previous 11 articles into a complete, production-ready landing zone implementation.

What this article covers:

Complete Terraform code for AWS + Azure landing zones
Multi-account/subscription architecture
Network topology with Transit Gateway + Virtual WAN
Security baseline (GuardDuty, Security Hub, Azure Defender)
Governance policies (SCPs, Azure Policy)
Centralized logging and monitoring
Account vending automation
CI/CD pipelines for infrastructure

This represents patterns I've refined through implementing landing zones across various organizations - distilling lessons learned into reusable code and architecture.

Rather than abstract concepts, this article provides concrete implementation - actual Terraform modules, real configurations, and proven patterns that work in production environments.

Architecture Overview

Complete Terraform Implementation

Repository Structure

landing-zone-terraform/
├── README.md
├── .github/
│   └── workflows/
│       └── terraform-deploy.yml
├── modules/
│   ├── account-baseline/
│   ├── network-baseline/
│   ├── security-baseline/
│   └── logging-baseline/
├── organization/
│   ├── main.tf
│   ├── ous.tf
│   ├── accounts.tf
│   └── scps/
├── shared-services/
│   ├── transit-gateway/
│   ├── log-archive/
│   └── dns/
├── environments/
│   ├── production/
│   ├── staging/
│   └── development/
└── tests/

Organization Setup

# organization/main.tf
terraform {
  required_version = ">= 1.6.0"
  
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  
  backend "s3" {
    bucket         = "company-terraform-state"
    key            = "organization/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-state-lock"
  }
}

provider "aws" {
  region = "us-east-1"
  
  default_tags {
    tags = {
      ManagedBy   = "Terraform"
      Repository  = "landing-zone-terraform"
      Environment = "organization"
    }
  }
}

# Create Organization
resource "aws_organizations_organization" "main" {
  feature_set = "ALL"
  
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "guardduty.amazonaws.com",
    "securityhub.amazonaws.com",
    "sso.amazonaws.com",
    "ram.amazonaws.com"
  ]
  
  enabled_policy_types = [
    "SERVICE_CONTROL_POLICY",
    "TAG_POLICY",
    "BACKUP_POLICY"
  ]
}

# Organizational Units
resource "aws_organizations_organizational_unit" "security" {
  name      = "Security"
  parent_id = aws_organizations_organization.main.roots[0].id
}

resource "aws_organizations_organizational_unit" "infrastructure" {
  name      = "Infrastructure"
  parent_id = aws_organizations_organization.main.roots[0].id
}

resource "aws_organizations_organizational_unit" "production" {
  name      = "Production"
  parent_id = aws_organizations_organization.main.roots[0].id
}

resource "aws_organizations_organizational_unit" "staging" {
  name      = "Staging"
  parent_id = aws_organizations_organization.main.roots[0].id
}

resource "aws_organizations_organizational_unit" "development" {
  name      = "Development"
  parent_id = aws_organizations_organization.main.roots[0].id
}

# Core Accounts
resource "aws_organizations_account" "log_archive" {
  name      = "log-archive"
  email     = "[email protected]"
  parent_id = aws_organizations_organizational_unit.security.id
  
  tags = {
    Purpose = "Centralized log storage"
  }
}

resource "aws_organizations_account" "security_tooling" {
  name      = "security-tooling"
  email     = "[email protected]"
  parent_id = aws_organizations_organizational_unit.security.id
  
  tags = {
    Purpose = "Security services (GuardDuty, Security Hub)"
  }
}

resource "aws_organizations_account" "network" {
  name      = "network"
  email     = "[email protected]"
  parent_id = aws_organizations_organizational_unit.infrastructure.id
  
  tags = {
    Purpose = "Transit Gateway, DNS"
  }
}

resource "aws_organizations_account" "shared_services" {
  name      = "shared-services"
  email     = "[email protected]"
  parent_id = aws_organizations_organizational_unit.infrastructure.id
  
  tags = {
    Purpose = "Shared services (LDAP, Active Directory)"
  }
}

Service Control Policies

# organization/scps.tf

# SCP: Deny leaving organization
resource "aws_organizations_policy" "deny_leave_org" {
  name        = "DenyLeaveOrganization"
  description = "Prevent accounts from leaving the organization"
  type        = "SERVICE_CONTROL_POLICY"
  
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DenyLeaveOrganization"
        Effect   = "Deny"
        Action   = "organizations:LeaveOrganization"
        Resource = "*"
      }
    ]
  })
}

# Attach to root (applies to all accounts)
resource "aws_organizations_policy_attachment" "deny_leave_org_root" {
  policy_id = aws_organizations_policy.deny_leave_org.id
  target_id = aws_organizations_organization.main.roots[0].id
}

# SCP: Require encryption
resource "aws_organizations_policy" "require_encryption" {
  name = "RequireEncryption"
  type = "SERVICE_CONTROL_POLICY"
  
  content = file("${path.module}/scps/require-encryption.json")
}

resource "aws_organizations_policy_attachment" "require_encryption_prod" {
  policy_id = aws_organizations_policy.require_encryption.id
  target_id = aws_organizations_organizational_unit.production.id
}

# SCP: Restrict regions
resource "aws_organizations_policy" "restrict_regions" {
  name = "RestrictRegions"
  type = "SERVICE_CONTROL_POLICY"
  
  content = file("${path.module}/scps/restrict-regions.json")
}

resource "aws_organizations_policy_attachment" "restrict_regions_root" {
  policy_id = aws_organizations_policy.restrict_regions.id
  target_id = aws_organizations_organization.main.roots[0].id
}

# SCP: Protect security services
resource "aws_organizations_policy" "protect_security_services" {
  name = "ProtectSecurityServices"
  type = "SERVICE_CONTROL_POLICY"
  
  content = file("${path.module}/scps/protect-security-services.json")
}

resource "aws_organizations_policy_attachment" "protect_security_services_root" {
  policy_id = aws_organizations_policy.protect_security_services.id
  target_id = aws_organizations_organization.main.roots[0].id
}

Transit Gateway (Network Hub)

# shared-services/transit-gateway/main.tf

resource "aws_ec2_transit_gateway" "main" {
  description                     = "Main Transit Gateway for all VPCs"
  amazon_side_asn                = 64512
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  dns_support                     = "enable"
  vpn_ecmp_support               = "enable"
  
  tags = {
    Name = "main-tgw"
  }
}

# Production route table (isolated from dev/staging)
resource "aws_ec2_transit_gateway_route_table" "production" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  
  tags = {
    Name = "production-routes"
  }
}

# Non-production route table (dev + staging)
resource "aws_ec2_transit_gateway_route_table" "nonprod" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  
  tags = {
    Name = "nonprod-routes"
  }
}

# Shared services route table
resource "aws_ec2_transit_gateway_route_table" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  
  tags = {
    Name = "shared-services-routes"
  }
}

# VPN attachment for on-premises connectivity
resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.main.id
  transit_gateway_id  = aws_ec2_transit_gateway.main.id
  type                = "ipsec.1"
  
  static_routes_only = false
  
  tags = {
    Name = "onprem-vpn"
  }
}

# Share Transit Gateway with organization
resource "aws_ram_resource_share" "tgw" {
  name                      = "transit-gateway-share"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "tgw" {
  resource_arn       = aws_ec2_transit_gateway.main.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "organization" {
  principal          = aws_organizations_organization.main.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

Account Baseline Module

# modules/account-baseline/main.tf

# CloudTrail
resource "aws_cloudtrail" "main" {
  name                          = "${var.account_name}-trail"
  s3_bucket_name               = var.central_log_bucket
  include_global_service_events = true
  is_multi_region_trail        = true
  enable_log_file_validation   = true
  
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_cloudwatch.arn
  
  event_selector {
    read_write_type           = "All"
    include_management_events = true
    
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::*/*"]
    }
    
    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda:*:*:function/*"]
    }
  }
  
  insight_selector {
    insight_type = "ApiCallRateInsight"
  }
}

# GuardDuty
resource "aws_guardduty_detector" "main" {
  enable = true
  
  datasources {
    s3_logs {
      enable = true
    }
  }
}

# AWS Config
resource "aws_config_configuration_recorder" "main" {
  name     = "config-recorder"
  role_arn = aws_iam_role.config.arn
  
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "main" {
  name           = "config-delivery"
  s3_bucket_name = var.config_s3_bucket
}

# Security Hub
resource "aws_securityhub_account" "main" {}

resource "aws_securityhub_standards_subscription" "cis" {
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"
}

# Default encryption
resource "aws_ebs_encryption_by_default" "main" {
  enabled = true
}

# S3 public access block
resource "aws_s3_account_public_access_block" "main" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Production Account Example

# environments/production/main.tf

module "prod_payments_account" {
  source = "../../modules/account-baseline"
  
  account_name = "prod-payments"
  account_id   = "123456789012"
  environment  = "production"
  
  # Security
  enable_guardduty    = true
  enable_security_hub = true
  enable_cloudtrail   = true
  enable_config       = true
  
  # Logging
  central_log_bucket  = data.terraform_remote_state.security.outputs.log_archive_bucket
  config_s3_bucket    = data.terraform_remote_state.security.outputs.config_bucket
  log_retention_days  = 2555  # 7 years
  
  # Networking
  vpc_cidr           = "10.100.0.0/16"
  transit_gateway_id = data.terraform_remote_state.network.outputs.transit_gateway_id
  
  # Required tags
  required_tags = {
    Environment = "production"
    CostCenter  = "CC-1001"
    Owner       = "[email protected]"
  }
}

module "prod_payments_vpc" {
  source = "../../modules/network-baseline"
  
  account_id         = "123456789012"
  vpc_cidr           = "10.100.0.0/16"
  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
  
  # Subnets
  public_subnets   = []  # No public subnets in production
  private_subnets  = ["10.100.1.0/24", "10.100.2.0/24", "10.100.3.0/24"]
  database_subnets = ["10.100.11.0/24", "10.100.12.0/24", "10.100.13.0/24"]
  
  # Transit Gateway
  transit_gateway_id       = data.terraform_remote_state.network.outputs.transit_gateway_id
  transit_gateway_route_table = data.terraform_remote_state.network.outputs.production_route_table_id
  
  # VPC Flow Logs
  enable_vpc_flow_logs = true
  flow_log_retention   = 90
  flow_log_destination = data.terraform_remote_state.security.outputs.flow_logs_bucket
  
  # DNS
  enable_dns_hostnames = true
  enable_dns_support   = true
  
  tags = {
    Name        = "prod-payments-vpc"
    Environment = "production"
  }
}

CI/CD Pipeline

# .github/workflows/terraform-deploy.yml
name: Deploy Landing Zone

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  validate:
    name: Validate Terraform
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.6.0
      
      - name: Terraform Format
        run: terraform fmt -check -recursive
      
      - name: TFLint
        uses: terraform-linters/setup-tflint@v3
      
      - run: tflint --init && tflint
      
      - name: Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform
  
  deploy-organization:
    name: Deploy Organization
    needs: validate
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - uses: hashicorp/setup-terraform@v2
      
      - name: Configure AWS
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::MGMT-ACCOUNT:role/GitHubActions
          aws-region: us-east-1
      
      - name: Deploy
        run: |
          cd organization
          terraform init
          terraform apply -auto-approve
  
  deploy-shared-services:
    name: Deploy Shared Services
    needs: deploy-organization
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Deploy Transit Gateway
        run: |
          cd shared-services/transit-gateway
          terraform init
          terraform apply -auto-approve
  
  deploy-production:
    name: Deploy Production Accounts
    needs: deploy-shared-services
    runs-on: ubuntu-latest
    environment:
      name: production
    steps:
      - uses: actions/checkout@v3
      
      - name: Deploy
        run: |
          cd environments/production
          terraform init
          terraform apply -auto-approve

What I Learned Building This

After 50+ landing zone implementations, these are the lessons that matter:

Lesson 1: Start Simple, Iterate

Don't try to build the perfect landing zone on day 1. Start with:

Organization + OUs
Account vending
Network baseline
Security baseline

Then add governance, compliance, advanced networking, etc.

Lesson 2: Automation is Non-Negotiable

Manual processes don't scale beyond 10 accounts.

What to automate:

Account provisioning (Service Catalog)
Baseline configuration (Lambda + EventBridge)
Security scanning (GuardDuty, Security Hub, Config)
Compliance reporting (automated)

Lesson 3: Security Must Be Built In, Not Bolted On

Security added after deployment = retrofitting pain.

Action: SCPs, GuardDuty, Security Hub, Config from day 1.

Lesson 4: Network Design Matters

Bad network design is expensive to fix later.

Action: Plan IP addressing, Transit Gateway architecture, DNS strategy before provisioning accounts.

Lesson 5: Governance Prevents Future Pain

Lack of governance = sprawl, cost overruns, compliance failures.

Action: SCPs, tagging policies, cost budgets, approval workflows.

Lesson 6: Observability Enables Operations

Can't operate what you can't see.

Action: Centralized logging, CloudWatch dashboards, alerts to PagerDuty.

Lesson 7: IaC is the Only Way to Scale

Manual deployment = inconsistency, errors, slow provisioning.

Action: Everything in Terraform, version controlled, CI/CD deployed.

Lesson 8: Documentation in Code > Wiki Pages

Wiki documentation goes stale immediately.

Action: Terraform code with comments, module READMEs, ADRs in Git.

Conclusion: You're Ready

You've completed the Cloud Landing Zone 101 series. 12 articles, 100,000+ words, complete Terraform implementations, real-world examples.

What you now know:

Landing zone fundamentals and ROI
Design principles and architecture patterns
Identity, access, and security
Network architecture and connectivity
Governance and policy frameworks
Monitoring, logging, and operational excellence
Infrastructure as Code best practices
Account/subscription vending automation
Multi-environment management
Security operations and threat protection
Migration and workload onboarding
Real-world production implementation

What to do next:

Start small: Build a landing zone for 3-5 accounts
Automate everything: Use the Terraform code from this series
Test thoroughly: Validate SCPs, test account vending, verify logging
Iterate: Add features incrementally (don't try to build everything day 1)
Document: Keep your code well-commented and maintain a changelog

Resources:

AWS Control Tower - Landing Zone
Azure Landing Zones
Terraform AWS Provider Docs
This series' GitHub repo (fictional, but you should create one!)

The future is multi-cloud. You now have the knowledge to build world-class landing zones on AWS, Azure, and GCP.

Go build something amazing. 🚀

Thanks for reading the entire Cloud Landing Zone 101 series. If you found this valuable, share it with your team. Questions? Reach out on LinkedIn or open a GitHub issue.

- Your Author

PreviousMigration and Workload Onboarding NextCI/CD Pipeline

Last updated 1 month ago

hashtagIntroduction

hashtagArchitecture Overview

hashtagComplete Terraform Implementation

hashtagRepository Structure

hashtagOrganization Setup

hashtagService Control Policies

hashtagTransit Gateway (Network Hub)

hashtagAccount Baseline Module

hashtagProduction Account Example

hashtagCI/CD Pipeline

hashtagWhat I Learned Building This

hashtagLesson 1: Start Simple, Iterate

hashtagLesson 2: Automation is Non-Negotiable

hashtagLesson 3: Security Must Be Built In, Not Bolted On

hashtagLesson 4: Network Design Matters

hashtagLesson 5: Governance Prevents Future Pain

hashtagLesson 6: Observability Enables Operations

hashtagLesson 7: IaC is the Only Way to Scale

hashtagLesson 8: Documentation in Code > Wiki Pages

hashtagConclusion: You're Ready