Architecture - multi-cloud-landing-zone

Executive Summary

A comprehensive, production-ready multi-cloud landing zone reference architecture spanning AWS, Azure, and GCP. Provides Terraform modules that establish secure, compliant, and well-governed cloud foundations with unified identity federation. The AWS module configures Organizations, SCPs, Control Tower, CloudTrail, GuardDuty, and Security Hub. The Azure module provisions Management Groups, Azure Policy, Blueprints, and Defender. The GCP module establishes Organization hierarchy, Folder structures, and Org Policies. An identity federation module ties all three clouds together via SAML 2.0/OIDC with SCIM provisioning.

Overview

HCL

Language

Infrastructure

Architecture Diagram

Enterprise IdP
Azure AD / Okta

SAML 2.0 / OIDC
Identity Federation

SCIM
User Provisioning

Identity Federation Layer

v v v

AWS Landing Zone
Organizations + Control Tower

Azure Landing Zone
Mgmt Groups + Policy

GCP Landing Zone
Folders + Org Policies

v v v

SCPs + GuardDuty
Security Hub + CloudTrail

Defender + Blueprints
Azure Policy

Org Policies
Project Factory

v v v

Account Structure
Mgmt/Log/Audit/Shared/Workload

Subscription Structure
Platform/Identity/Connectivity

Project Structure
Seed/Logging/Network/Security

Unified Governance
Tagging | Cost Mgmt | Compliance | Drift

Cross-Cloud Networking
Transit GW | Virtual WAN | NCC | VPN Mesh

Component Breakdown

Module	Path	Purpose	Key Resources
AWS Landing Zone	`modules/aws-landing-zone/`	AWS Organization, SCPs, Control Tower guardrails, CloudTrail, GuardDuty, Security Hub, multi-account structure	aws_organizations_organization, aws_guardduty_detector, aws_securityhub_account
Azure Landing Zone	`modules/azure-landing-zone/`	Management Groups, Azure Policy, Blueprints, Defender, subscription structure aligned to CAF	azurerm_management_group, azurerm_policy_assignment, azurerm_security_center_subscription_pricing
GCP Landing Zone	`modules/gcp-landing-zone/`	Organization hierarchy, Folder structure, Org Policies, project factory pattern	google_folder, google_organization_policy, google_project
Identity Federation	`modules/identity-federation/`	Centralized SSO with SAML 2.0/OIDC federation and SCIM provisioning across all clouds	aws_iam_saml_provider, azuread_application, google_iam_workforce_pool

Data Flow / Request Flow

Identity Federation -- Enterprise IdP (Azure AD/Okta) provides SAML 2.0/OIDC assertions federated to all three cloud providers via the identity-federation module.
AWS Provisioning -- The AWS module creates an Organization with SCPs, enables Control Tower, configures CloudTrail, GuardDuty, and Security Hub, and provisions management/log/audit/shared/workload accounts.
Azure Provisioning -- The Azure module establishes Management Groups, assigns Azure Policies, deploys Blueprints, enables Defender, and creates platform/identity/connectivity/management/landing zone subscriptions.
GCP Provisioning -- The GCP module creates the Organization, folder hierarchy, Org Policies, and provisions seed/logging/network/security/workload projects.
Governance -- Unified tagging standards, cost management, compliance reporting, and drift detection are enforced across all three clouds.
Cross-Cloud Networking -- AWS Transit Gateway, Azure Virtual WAN, and GCP Network Connectivity Center are connected via a VPN mesh for inter-cloud connectivity.

Security Controls

Control	Implementation
Identity Federation	Centralized SAML 2.0/OIDC with SCIM provisioning; no local cloud accounts
Service Control Policies	AWS SCPs restrict regions, services, and actions at the Organization level
Azure Policy	Azure Policy assignments enforce compliance at Management Group scope
GCP Org Policies	Organization-level constraints restrict regions, services, and configurations
Security Monitoring	GuardDuty (AWS), Defender (Azure), Security Command Center (GCP)
Audit Logging	CloudTrail (AWS), Activity Log (Azure), Audit Logs (GCP) with centralized archival
Network Segmentation	Separate accounts/subscriptions/projects per workload classification
Encryption	Encryption at rest and in transit enforced via policy across all providers

Industry Adaptation

Healthcare

HIPAA BAA-eligible regions, PHI data classification tags, 365-day log retention, Defender/GuardDuty for medical device network monitoring.

Finance

PCI-DSS Security Hub checks, SOX audit log archival, MFA-enforced federation, regulatory jurisdiction region restrictions.

Government

GovCloud/Azure Government/Assured Workloads, PIV/CAC-integrated SAML, NIST 800-53 control mapping, US-only region restrictions.

Retail

PCI scope subscription isolation, CCPA/GDPR data residency region controls, customer data breach playbooks.

Education

FERPA compliance tags, domestic region restrictions, Shibboleth/InCommon SAML federation, student data access monitoring.

Production Readiness Checklist

Configure cloud provider credentials for all three providers (AWS, Azure, GCP)
Set up Terraform backend with remote state and state locking
Configure identity federation with enterprise IdP (Azure AD/Okta)
Define allowed regions for each cloud provider per compliance requirements
Enable security services (GuardDuty, Defender, SCC) across all clouds
Configure audit logging with centralized archival and retention policies
Define tagging standards and cost allocation tags
Test with terraform plan in a sandbox environment
Set up cross-cloud VPN mesh for inter-cloud connectivity
Configure drift detection and compliance reporting
Conduct security review with compliance team

Configuration / Environment Variables

Variable	Required	Default	Description
`AWS_ACCESS_KEY_ID`	Yes	--	AWS access key for Organization management account
`AWS_SECRET_ACCESS_KEY`	Yes	--	AWS secret key
`ARM_SUBSCRIPTION_ID`	Yes	--	Azure management subscription ID
`ARM_TENANT_ID`	Yes	--	Azure AD tenant ID
`ARM_CLIENT_ID`	Yes	--	Azure service principal client ID
`ARM_CLIENT_SECRET`	Yes	--	Azure service principal secret
`GOOGLE_PROJECT`	Yes	--	GCP seed project ID
`GOOGLE_CREDENTIALS`	Yes	--	GCP service account key JSON path

Deployment

Local Development

git clone https://github.com/kogunlowo123/multi-cloud-landing-zone.git
cd multi-cloud-landing-zone
terraform init
terraform validate
terraform fmt -recursive
terraform plan

Production Deployment

# Configure remote backend
terraform init -backend-config=backend.hcl

# Deploy per-module or full stack
terraform plan -var-file=prod.tfvars
terraform apply -auto-approve

# Verify with drift detection
terraform plan -detailed-exitcode

Links

Repository	github.com/kogunlowo123/multi-cloud-landing-zone
README	README.md
Changelog	CHANGELOG.md
Industry Adaptation	INDUSTRY-ADAPTATION.md
License	MIT License