GCP Application Migration Project
Introduction
This project simulates a real-world application migration to Google Cloud, demonstrating a multi-phased approach that encompasses modern DevOps and cloud security best practices. It involves containerizing a Python Flask app, deploying it, and establishing robust, least-privilege access controls and logging.
Problem Statement
A proper cloud migration requires more than a simple "lift-and-shift." Key challenges include establishing granular access controls, creating a repeatable deployment process, and ensuring all access to sensitive data is logged for compliance. This project tackles these issues head-on.
Key Objectives
- Design a least-privilege IAM framework with custom roles.
- Containerize a web application using Docker for portability.
- Implement secure and auditable Cloud Storage with bucket-level policies.
- Automate infrastructure setup using Infrastructure as Code (IaC) principles.
Phase 1: IAM Policy Design
The project's security foundation was built on custom, least-privilege IAM roles defined in YAML files and created at the project level (the format `gcloud iam roles create --file` accepts: a title, description, launch stage and an explicit `includedPermissions` list). An `HRViewer` role was created for read-only auditing, while an `EngineeringOperator` role was given only the specific Compute Engine permissions needed to manage instances, enforcing a clear separation of duties: the auditor cannot change infrastructure, and the operator cannot read HR data. Because a custom role is exactly as broad as its permission list, the list is the thing to review: no wildcards, no `*.setIamPolicy`, and no service-account impersonation permissions belong in either role.
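The following shell script is an added example and not the project's own role definitions or scripts: it renders the two roles as YAML, refuses permission lists that would undermine least privilege, and creates (or, on re-run, updates) the roles and their bindings with `gcloud`. The project ID, the permission lists and the principals are assumptions; the real `HRViewer` and `EngineeringOperator` permission sets are not given on this page. With `DRY_RUN=1` (the default) the `gcloud` commands are printed rather than executed.

```shell
#!/usr/bin/env bash
# Added example (not the project's code): least-privilege custom roles via gcloud.
# Project ID, permission lists and principals below are assumptions.
set -eu

PROJECT="${GCP_PROJECT:-example-project}"   # assumed project ID
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print gcloud commands, 0 = run them

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# role_yaml TITLE DESCRIPTION PERM...: emit a role definition in the file
# format accepted by `gcloud iam roles create/update --file`.
role_yaml() {
  local title="$1" desc="$2" p
  shift 2
  printf 'title: "%s"\ndescription: "%s"\nstage: "GA"\nincludedPermissions:\n' "$title" "$desc"
  for p in "$@"; do printf -- '- %s\n' "$p"; done
}

# reject_broad_perms PERM...: fail on permissions that break least privilege:
# wildcards, changing IAM policy on any resource, or impersonating/keying
# service accounts (each of those is a privilege-escalation path).
reject_broad_perms() {
  local p
  for p in "$@"; do
    case "$p" in
      *'*'*|*.setIamPolicy|iam.serviceAccounts.actAs|iam.serviceAccountKeys.*)
        printf 'refusing over-broad permission: %s\n' "$p" >&2
        return 1 ;;
    esac
  done
  return 0
}

# ensure_role ROLE_ID YAML_FILE: create the role, or update it if it already
# exists, so the script is safe to re-run.
ensure_role() {
  local role_id="$1" file="$2"
  if [ "$DRY_RUN" = "1" ] || ! gcloud iam roles describe "$role_id" --project="$PROJECT" >/dev/null 2>&1; then
    run gcloud iam roles create "$role_id" --project="$PROJECT" --file="$file"
  else
    run gcloud iam roles update "$role_id" --project="$PROJECT" --file="$file"
  fi
}

# bind_role MEMBER ROLE_ID: grant a project-level custom role to one principal.
bind_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="$1" --role="projects/$PROJECT/roles/$2"
}

# Assumed permission sets; the page does not list the real ones.
HR_PERMS="storage.buckets.get storage.objects.get storage.objects.list"
ENG_PERMS="compute.instances.get compute.instances.list compute.instances.start compute.instances.stop compute.instances.reset compute.zones.list"

main() {
  local workdir
  workdir="$(mktemp -d)"
  # shellcheck disable=SC2086  # word-splitting the permission lists is intended
  reject_broad_perms $HR_PERMS $ENG_PERMS
  role_yaml "HR Viewer" "Read-only access to HR data for auditing" $HR_PERMS > "$workdir/HRViewer.yaml"
  role_yaml "Engineering Operator" "Start, stop and inspect Compute Engine instances" $ENG_PERMS > "$workdir/EngineeringOperator.yaml"
  ensure_role HRViewer "$workdir/HRViewer.yaml"
  ensure_role EngineeringOperator "$workdir/EngineeringOperator.yaml"
  bind_role "user:hr-auditor@example.com" HRViewer          # assumed principals
  bind_role "group:eng-ops@example.com" EngineeringOperator
  rm -rf "$workdir"
}
main
```

Run it with `DRY_RUN=0 GCP_PROJECT=<your-project>` once the printed commands look right. Binding roles to groups rather than individual users keeps the policy stable as people join and leave a team.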
Phase 2: Application Containerization
To ensure portability, a simple Python Flask application (`app.py`) was containerized using a `Dockerfile`. The resulting image is a standardized, immutable artifact that decouples the application from the underlying host and runs consistently on any container runtime. The application was built and tested locally in a Docker container. For an image that will later run in the cloud, the Dockerfile itself is part of the security posture: pin the base image, run the application as a non-root user, copy in only the files the app needs, and never bake credentials into a layer.
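The script below is an added example, not the project's own `Dockerfile` or build steps. It renders a hardened Dockerfile for a Flask app, lints it for the properties that matter (pinned base image, non-root user, `COPY` rather than `ADD`), and, only when Docker and the app files are present, builds the image and smoke-tests the running container. The image tag, port, use of gunicorn as the WSGI server, and the `requirements.txt` (assumed to list `flask` and `gunicorn`) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the project's code): hardened Dockerfile for a Flask app,
# plus a lint and an optional local build/smoke test. Tag, port, gunicorn and
# the requirements file are assumptions.
set -eu

# render_dockerfile: pinned base tag (pin by digest in CI), dependencies
# installed before the app for layer caching, fixed non-root UID, no secrets,
# and a production WSGI server instead of Flask's development server.
render_dockerfile() {
  cat <<'EOF'
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY app.py .
RUN useradd --uid 10001 --no-create-home --shell /usr/sbin/nologin app
USER app
EXPOSE 8080
ENV PYTHONDONTWRITEBYTECODE=1 PYTHONUNBUFFERED=1
CMD ["gunicorn", "--bind", "0.0.0.0:8080", "app:app"]
EOF
}

# lint_dockerfile: read a Dockerfile on stdin and fail on the usual mistakes:
# unpinned or :latest base image, no (or root) USER, ADD instead of COPY.
lint_dockerfile() {
  local content from_line image user_line
  content="$(cat)"
  from_line="$(printf '%s\n' "$content" | grep -E '^FROM ' | head -n1)"
  image="${from_line#FROM }"
  image="${image%% *}"              # drop "AS builder" and similar suffixes
  case "$image" in
    *@sha256:*) ;;                  # digest-pinned: best
    *:latest) echo "lint: base image uses :latest" >&2; return 1 ;;
    *:*) ;;                         # tag-pinned: acceptable
    *) echo "lint: base image has no tag" >&2; return 1 ;;
  esac
  user_line="$(printf '%s\n' "$content" | grep -E '^USER ' | tail -n1)"
  case "$user_line" in
    ""|"USER root"|"USER 0") echo "lint: container runs as root" >&2; return 1 ;;
  esac
  if printf '%s\n' "$content" | grep -qE '^ADD '; then
    echo "lint: use COPY instead of ADD (ADD fetches URLs and unpacks archives)" >&2
    return 1
  fi
  return 0
}

# build_and_smoke_test IMAGE: build, run, hit the root URL, and confirm the
# process is not UID 0. Skipped when Docker or the app files are absent.
build_and_smoke_test() {
  local image="$1" cid
  command -v docker >/dev/null 2>&1 || { echo "docker not found; skipping build" >&2; return 0; }
  [ -f app.py ] && [ -f requirements.txt ] || { echo "app.py/requirements.txt missing; skipping build" >&2; return 0; }
  [ -f Dockerfile ] || render_dockerfile > Dockerfile
  docker build -t "$image" .
  cid="$(docker run -d -p 127.0.0.1:8080:8080 "$image")"
  sleep 2
  curl -fsS http://127.0.0.1:8080/ >/dev/null
  [ "$(docker exec "$cid" id -u)" != "0" ]
  docker rm -f "$cid" >/dev/null
}

render_dockerfile | lint_dockerfile
build_and_smoke_test flask-app:local     # assumed image tag
```

The lint is deliberately small; in a pipeline the same checks are better done with a dedicated Dockerfile linter plus an image scanner, but the three properties it enforces are the ones most often missing from a "works on my machine" container.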
Phase 3: Secure Data Management
A Google Cloud Storage bucket was provisioned as a secure resource with uniform bucket-level access, which disables legacy object ACLs so that IAM is the only mechanism that grants access. Fine-grained IAM bindings were then applied directly to this bucket, granting `roles/storage.objectViewer` (read objects) and `roles/storage.objectAdmin` (create, read, overwrite and delete objects) to different users; neither role lets its holder change the bucket's own IAM policy or logging configuration, which keeps the data owner from quietly widening access.
Infrastructure as Code (IaC)
A set of Bash scripts (`create-bucket.sh`, `assign-iam-roles.sh`, `enable-logging.sh`) was developed to automate the provisioning of GCS buckets and the assignment of IAM policies via the `gsutil` CLI. This makes the setup programmatic, repeatable, and less prone to human error, with one caveat: `gsutil` commands are imperative, so a script only earns the "infrastructure as code" label if it checks current state before acting and can be re-run without failing or duplicating bindings. Critically, access logging was enabled to a separate, secure bucket for a complete audit trail. Two points matter for that bucket: Cloud Storage's log writer must be allowed to create objects in it, and its readers should be limited to auditors, since the logs record who touched the HR data. Note also that Cloud Storage usage logs (enabled with `gsutil logging set on`) are delivered hourly as files and are distinct from Cloud Audit Logs; for a compliance requirement that every read of sensitive data be recorded with the caller's identity, Data Access audit logs for `storage.googleapis.com` must be enabled as well, since they are off by default.
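The script below is an added example that is not the project's `create-bucket.sh`, `assign-iam-roles.sh` or `enable-logging.sh`; it folds the three steps of Phase 3 and the IaC section into one idempotent `gsutil` script. Bucket names, location, principals and the log retention period are assumptions. Uniform bucket-level access is set at creation with `-b on`, public access prevention is enforced, bucket-level IAM bindings use the short Storage role names `gsutil iam ch` accepts (`objectViewer` for `roles/storage.objectViewer`), and usage logging is pointed at a separate log bucket that the Cloud Storage log writer can write to. With `DRY_RUN=1` (the default) the commands are printed rather than executed.

```shell
#!/usr/bin/env bash
# Added example (not the project's scripts): idempotent GCS provisioning with
# gsutil. Bucket names, location, principals and retention are assumptions.
set -eu

PROJECT="${GCP_PROJECT:-example-project}"
LOCATION="${GCS_LOCATION:-us-central1}"
DATA_BUCKET="${DATA_BUCKET:-example-hr-data}"
LOG_BUCKET="${LOG_BUCKET:-example-hr-data-logs}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print gsutil commands, 0 = run them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# valid_bucket_name NAME: the GCS naming rules that bite in scripts: 3-63
# characters from lowercase letters, digits, '-' and '_', alphanumeric at both
# ends, no "goog" prefix and no "google" inside. (Dotted, domain-style names
# are legal but need domain verification, so this script does not use them.)
valid_bucket_name() {
  case "$1" in
    goog*|*google*|*[!a-z0-9_-]*|[!a-z0-9]*|*[!a-z0-9]) return 1 ;;
  esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ] || return 1
  return 0
}

bucket_exists() { gsutil ls -b "gs://$1" >/dev/null 2>&1; }

# ensure_bucket NAME: create with uniform bucket-level access (-b on) so only
# IAM, never object ACLs, grants access; then block public exposure. Re-runnable.
ensure_bucket() {
  local name="$1"
  valid_bucket_name "$name" || { echo "invalid bucket name: $name" >&2; return 1; }
  if [ "$DRY_RUN" = "1" ] || ! bucket_exists "$name"; then
    run gsutil mb -p "$PROJECT" -l "$LOCATION" -b on "gs://$name"
  fi
  run gsutil pap set enforced "gs://$name"
}

# grant MEMBER ROLE BUCKET: bucket-level IAM binding. ROLE is the short form
# gsutil accepts for Storage roles (objectViewer, objectAdmin, objectCreator).
# `iam ch` is additive and idempotent: re-granting an existing binding is a no-op.
grant() {
  run gsutil iam ch "$1:$2" "gs://$3"
}

# enable_usage_logging DATA LOGS: write access and storage logs for DATA into
# LOGS. Cloud Storage writes the logs as cloud-storage-analytics@google.com,
# which therefore needs objectCreator on the log bucket; a retention policy
# stops anyone with objectAdmin from deleting evidence early.
enable_usage_logging() {
  local data="$1" logs="$2"
  grant group:cloud-storage-analytics@google.com objectCreator "$logs"
  run gsutil logging set on -b "gs://$logs" -o "$data/" "gs://$data"
  run gsutil retention set 90d "gs://$logs"        # assumed retention period
}

main() {
  ensure_bucket "$DATA_BUCKET"
  ensure_bucket "$LOG_BUCKET"
  # Assumed principals: one read-only auditor, one data owner.
  grant user:hr-auditor@example.com objectViewer "$DATA_BUCKET"
  grant user:hr-admin@example.com objectAdmin "$DATA_BUCKET"
  grant user:hr-auditor@example.com objectViewer "$LOG_BUCKET"
  enable_usage_logging "$DATA_BUCKET" "$LOG_BUCKET"
  run gsutil logging get "gs://$DATA_BUCKET"       # verify the configuration
}
main
```

Nobody is granted `objectAdmin` on the log bucket on purpose: the auditor can read it, Cloud Storage can write to it, and the retention policy makes deletion fail even for a project owner until the period expires.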
Implementation Results
The phased implementation met its objectives. The custom IAM roles were created and bound as designed, and the Flask application was containerized and tested locally. The automation scripts for GCS provisioning ran without error, creating the data and log buckets and applying the intended bucket-level IAM bindings, with the resulting policy and logging configuration confirmed by reading them back.
Conclusion
This project showcases an end-to-end, security-first approach to moving applications to the cloud. By combining custom least-privilege IAM roles, Docker containerization, and scripted infrastructure provisioning with access logging, it demonstrates a practical skill set in cloud administration and DevOps. The resulting architecture is secure, repeatable, and auditable, and it follows Google Cloud's recommended practices for IAM and Cloud Storage.