What’s New at Google Cloud Next 2025 for Terraform and Guardrails

As cloud infrastructure grows more complex, ensuring that your environments comply with security and organizational policies is critical. One of the best ways to manage this is by embedding Resourcely Guardrails directly into your Terraform workflows. Guardrails act as an automated security policy enforcement layer, ensuring that your infrastructure deployments meet your standards every time.

In this post, we’ll explore a Resourcely Guardrail that enforces security policies for the Google Cloud Provider, specifically focusing on the google_control_plane_access resource. This resource was introduced in Terraform Provider for Google v6.29.0, and it manages control plane access to services like Google Kubernetes Engine (GKE) and Cloud SQL.

We’ll show you how to create a Resourcely Guardrail that ensures only approved VPC networks can access your Google Cloud control planes, preventing unauthorized access and improving the security of your cloud environment.

New Features in Terraform Google Provider: v6.29.0

In Terraform Provider for Google v6.29.0, released on April 8, 2025, several exciting new features were introduced, including:

• google_control_plane_access: This resource is crucial for managing access to Google Cloud control planes. It controls which VPC networks are allowed to connect to GCP services like GKE or Cloud SQL. Allowing unauthorized networks could pose significant security risks, so it’s important to restrict access to only approved networks.

Example Resourcely Guardrail for google_control_plane_access

To prevent unauthorized access to your Google Cloud control planes, we can create a Resourcely Guardrail that enforces the rule that only certain VPC networks are allowed to interact with these services. This Guardrail will run automatically as part of your Terraform deployments, ensuring compliance without manual intervention.

The Guardrail

resource "resourcely_guardrail" "restrict_control_plane_access" {
  name           = "Restrict Control Plane Access to Approved VPCs"
  description    = "Ensures that control plane access is only granted to specified VPC networks."
  cloud_provider = "PROVIDER_GOOGLE"
  category       = "GUARDRAIL_ACCESS_CONTROL"
  state          = "GUARDRAIL_STATE_ACTIVE"

  content = <<-EOT
GUARDRAIL "Restrict Control Plane Access to Approved VPCs"
WHEN google_control_plane_access
REQUIRE network IN ["vpc-1", "vpc-2", "vpc-3"]
EOT
}

‍Key Components:

• Resource Block: This defines a new Resourcely Guardrail resource named restrict_control_plane_access, which will be active as soon as it’s applied.
• Metadata:
  • name: The name of the guardrail, describing the policy it enforces.
  • description: A short explanation of what the guardrail is designed to do.
  • cloud_provider: Specifies the cloud provider — in this case, Google Cloud (PROVIDER_GOOGLE).
  • category: Categorizes the guardrail under Access Control policies, indicating its purpose is to secure network access.
  • state: This sets the guardrail to active, so it’s immediately enforced across any Terraform configurations.
• Content:
  • WHEN Clause: This clause targets the google_control_plane_access resource specifically, ensuring that it’s the subject of the guardrail.
  • REQUIRE Statement: The guardrail ensures that the network attribute in the google_control_plane_access resource matches one of the approved networks from the static list: ["vpc-1", "vpc-2", "vpc-3"]. Only these networks are allowed to access the control plane.

Global Values

In this Guardrail, we use included

global list of approved VPC networks (["vpc-1", "vpc-2", "vpc-3"]). This approach simplifies the Guardrail, making it easier to manage, especially in environments where the list of approved VPCs doesn’t change frequently.

variable "approved_vpcs" {
  type    = list(string)
  default = ["vpc-1", "vpc-2", "vpc-3"]
}

This approach makes the policy simpler for smaller teams or environments where a fixed list of VPCs is sufficient. You can easily modify the list of approved networks directly within the guardrail.

Why Implement Guardrails?

As cloud environments become increasingly complex, managing and securing infrastructure manually becomes more prone to errors. Guardrails help mitigate this risk by enforcing security policies at the code level, which:

• Prevents misconfigurations: Guardrails can enforce security best practices by ensuring that only authorized resources, like VPCs, are allowed to access sensitive infrastructure such as control planes.
• Automates security and compliance: Guardrails run automatically as part of the Terraform deployment process, preventing human error and ensuring compliance with organizational policies.
• Enhances cloud security: Guardrails can be extended to cover additional policies such as encryption, IAM roles, and network segmentation, ensuring that your entire infrastructure is secure by default.

Additional Examples

Below are two more examples of Resourcely guardrails for other new resources introduced in Terraform Provider for Google v6.29.0, which include google_storage_bucket and google_project_service.

Guardrail 2: Restrict Storage Bucket Creation to Specific Locations

Google Cloud Storage Buckets are often a key part of any cloud infrastructure, and it’s important to ensure that buckets are created in the right locations to meet compliance and latency requirements. This Resourcely guardrail ensures that any google_storage_bucket resources are created only in the allowed locations.

Guardrail Definition:

resource "resourcely_guardrail" "restrict_storage_bucket_location" {
  name           = "Restrict Storage Bucket Location"
  description    = "Ensures that storage buckets are only created in the specified locations."
  cloud_provider = "PROVIDER_GOOGLE"
  category       = "GUARDRAIL_STORAGE"
  state          = "GUARDRAIL_STATE_ACTIVE"
  content        = <<-EOT
GUARDRAIL "Restrict Storage Bucket Location"
WHEN google_storage_bucket
REQUIRE location IN ["US-EAST1", "US-WEST1", "EU-WEST1"]
EOT
}

‍
Key Components:

• Resource Block: The guardrail is applied to the google_storage_bucket resource.
• Location Requirement: This guardrail ensures that Storage Buckets are created only in the specified regions: US-EAST1, US-WEST1, and EU-WEST1.
• Metadata: The category is set to GUARDRAIL_STORAGE to indicate that this guardrail is focused on storage-related resources.

Guardrail 3: Enforce Required API Services for a Google Cloud Project

In Google Cloud, API services like Cloud SQL or BigQuery must be enabled for proper operation. This Resourcely guardrail ensures that certain Google Cloud services (like Cloud SQL and BigQuery) are enabled in the project, preventing accidental misconfigurations where essential services might be omitted.

Guardrail Definition:

resource "resourcely_guardrail" "enforce_project_service_enabled" {
  name          = "Enforce Required Project Services"
  description   = "Ensures that specific API services are enabled for the Google Cloud project."
  cloud_provider = "PROVIDER_GOOGLE"
  category      = "GUARDRAIL_SERVICE"
  state         = "GUARDRAIL_STATE_ACTIVE"
  content       = <<-EOT
GUARDRAIL "Enforce Required Project Services"
WHEN google_project_service
REQUIRE service IN ["sqladmin.googleapis.com", "bigquery.googleapis.com"]
EOT
}

Key Components:

• Resource Block: The guardrail is applied to the google_project_service resource.
• API Services Requirement: This guardrail ensures that the Cloud SQL API (sqladmin.googleapis.com) and BigQuery API (bigquery.googleapis.com) are enabled for any project managed by Terraform.
• Metadata: The category is set to GUARDRAIL_SERVICE to indicate that the guardrail governs API services related to cloud projects.

Summary of New Guardrails

These new Resourcely guardrails provide essential automated security checks to enforce policies across multiple types of resources in Google Cloud:

1. Restrict Storage Bucket Location: Ensures that storage buckets are only created in specific, compliant locations.
2. Enforce Required Project Services: Guarantees that key services like Cloud SQL and BigQuery are enabled for the project, avoiding accidental omissions.

By leveraging these guardrails alongside Terraform, you can automate the enforcement of policies related to infrastructure location, services, and more, allowing for greater consistency, security, and compliance in your cloud deployments.

Conclusion

Resourcely’s guardrails offer a powerful way to enforce consistent security and compliance across your cloud infrastructure while leveraging Terraform. By embedding guardrails directly into your Terraform workflows, you ensure that best practices are followed automatically, reducing the risk of misconfigurations and security breaches.

In this post, we’ve covered several guardrails designed to secure Google Cloud resources, including restricting control plane access to approved VPCs, enforcing specific locations for storage buckets, and ensuring that key API services are enabled for cloud projects. Each of these guardrails addresses a critical aspect of cloud security, ensuring that your infrastructure remains compliant with organizational standards without relying on manual oversight.

As your cloud environment scales, the complexity of managing security and compliance grows. By using Resourcely guardrails, you can automate the enforcement of policies, allowing you to focus on building and scaling your cloud infrastructure securely. Whether you’re managing a single project or a multi-region deployment, Resourcely provides the tools to ensure your cloud resources are always aligned with best practices.

Start integrating Resourcely Guardrails today and empower your team with automated security policies that work seamlessly with Terraform, improving both your operational efficiency and the security of your Google Cloud infrastructure.

To start using Resourcely guardrails in your own environment, check out the official documentation and begin securing your cloud resources today!

‍