A comprehensive demonstration of building a HIPAA-compliant healthcare data platform on Google Cloud Platform using Infrastructure as Code, secure CI/CD, and automated incident response.
This project implements a four-phase approach to building a secure, audit-ready healthcare data exchange platform:
- Phase 1 (Foundation)
  - Resource Hierarchy & Guardrails: Terraform Org Policies for compute restrictions
  - VPC Network: Private networking with no external IPs
  - Secret Management: Google Secret Manager with IAM-controlled access
- Phase 2 (CI/CD)
  - Build & Scan Pipeline: Cloud Build with SAST vulnerability scanning
  - Binary Authorization: KMS-signed attestations for container images
  - Malware Scanner: Cloud Run service with Eventarc triggers
- Phase 3 (SRE)
  - Managed Monitoring: Google Cloud Managed Service for Prometheus (GMP)
  - Custom Metrics: .NET instrumentation with Alertmanager integration
  - Diagrams as Code: Automated architecture documentation
- Phase 4 (Forensics)
  - Detection: Security Command Center anomaly detection
  - Automated Evidence Capture: Cloud Functions with Forensics Utils
  - Isolation: Forensics Sandbox Project for chain of custody
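The malware scanner item above is the part of the pipeline where a wrong decision is cheapest to make and most expensive to live with, so here is the verdict logic such a Cloud Run service needs, as an added example that is not the project's own scanner code. It assumes the event is the Cloud Storage "object finalized" CloudEvent that Eventarc delivers in binary mode (type in the `ce-type` header, object metadata as JSON in the body); the scanning engine is a stand-in signature check on the standard EICAR test string, object bytes come from an injected `fetch_object` callable so everything runs offline, and the `quarantine/` prefix is an assumed layout.

```python
"""Verdict logic for an Eventarc-triggered Cloud Run malware scanner (added example).

Assumptions: Eventarc binary-mode CloudEvent for a Cloud Storage object
finalized event; EICAR test string as a stand-in scanning engine; object
bytes supplied by an injected fetch function; "quarantine/" as the prefix
where infected objects are moved.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Optional

FINALIZED = "google.cloud.storage.object.v1.finalized"
QUARANTINE_PREFIX = "quarantine/"  # assumed destination prefix for infected objects
# The EICAR anti-virus test string (harmless by design) stands in for a real engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class Verdict:
    bucket: str
    name: str
    generation: str
    sha256: Optional[str]
    action: str  # "allow", "quarantine" or "skip"
    reason: str


def scan_bytes(data: bytes) -> Optional[str]:
    """Stand-in scanner: return a signature name on a match, otherwise None."""
    return "EICAR-Test-File" if EICAR in data else None


def make_event(bucket: str, name: str, generation: str, size: int):
    """Build the (headers, body) pair Eventarc would deliver; constructed for offline use."""
    headers = {"ce-type": FINALIZED, "ce-subject": f"objects/{name}"}
    body = json.dumps({"bucket": bucket, "name": name,
                       "generation": generation, "size": str(size)}).encode()
    return headers, body


def handle_event(headers: dict, body: bytes,
                 fetch_object: Callable[[str, str, str], bytes]) -> Verdict:
    """Decide what to do with one finalized object.

    fetch_object(bucket, name, generation) returns the object bytes; in a real
    deployment it wraps the Cloud Storage client and must read the generation
    named in the event, so a later overwrite cannot change what was scanned.
    """
    ce_type = {k.lower(): v for k, v in headers.items()}.get("ce-type", "")
    obj = json.loads(body or b"{}")
    bucket, name = obj.get("bucket", ""), obj.get("name", "")
    generation = str(obj.get("generation", ""))

    if ce_type != FINALIZED:
        return Verdict(bucket, name, generation, None, "skip",
                       f"unsupported event type {ce_type!r}")
    # Moving an infected object into quarantine fires another finalized event;
    # ignoring that prefix keeps the scanner from re-scanning its own output.
    if name.startswith(QUARANTINE_PREFIX):
        return Verdict(bucket, name, generation, None, "skip", "object already in quarantine")
    if int(obj.get("size", "0")) == 0:
        return Verdict(bucket, name, generation, None, "skip", "empty object")

    data = fetch_object(bucket, name, generation)
    digest = hashlib.sha256(data).hexdigest()  # recorded so the audit trail names the exact bytes
    signature = scan_bytes(data)
    if signature:
        return Verdict(bucket, name, generation, digest, "quarantine", f"matched {signature}")
    return Verdict(bucket, name, generation, digest, "allow", "no signature matched")
```

The two "skip" branches are the ones that matter operationally: filtering on the event type stops delete or metadata-update events from being treated as uploads, and ignoring the quarantine prefix is what prevents a scan-quarantine-scan loop once the service starts moving objects.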
```text
├── terraform/
│   ├── phase1-foundation/   # VPC, IAM, Secret Manager
│   ├── phase2-cicd/         # Binary Authorization, GKE config
│   ├── phase3-sre/          # GMP, alerting, monitoring
│   └── phase4-forensics/    # SCC, forensics automation
├── cloudbuild/
│   ├── cloudbuild.yaml      # Cloud Build pipeline
│   └── gitlab-ci.yaml       # GitLab CI alternative
├── dotnet-service/
│   ├── Controllers/         # API controllers
│   ├── Metrics/             # OpenTelemetry metrics
│   ├── Models/              # Data models
│   ├── Services/            # Business logic
│   └── Dockerfile           # Container build
├── malware-scanner/         # Cloud Run malware scanning service
├── forensics-function/      # Python Cloud Function for evidence capture
├── k8s/                     # Kubernetes manifests
├── diagrams/                # Architecture diagrams as code
└── docs/
    └── demo-script.md       # Demo walkthrough
```
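The `forensics-function/` entry is where the chain of custody named in the phase list actually gets recorded. The following is an added example, not the project's function, of the bookkeeping such a Cloud Function performs after copying artifacts into the forensics sandbox project: each artifact is hashed, the record states who collected what, from which project, into which project and when, and a hash over the canonical record makes later modification of either the artifacts or the record detectable. The project, bucket and service-account names are constructed placeholders, and the `gs://` path layout is an assumption.

```python
"""Tamper-evident chain-of-custody record for captured evidence (added example).

Assumptions: artifacts land in a bucket named "<sandbox_project>-evidence"
under the incident id; all names below are constructed placeholders.
"""
import hashlib
import json
from typing import Dict, Mapping


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(obj) -> bytes:
    """Deterministic serialisation so the record hash is reproducible by a reviewer."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_custody_record(artifacts: Mapping[str, bytes], *, incident_id: str,
                         collector: str, source_project: str,
                         sandbox_project: str, collected_at: str) -> Dict:
    """Hash every artifact and seal the whole record with its own digest."""
    entries = {
        name: {"sha256": sha256_hex(data), "size": len(data),
               # Evidence is stored in the sandbox project, never left in the source project.
               "stored_at": f"gs://{sandbox_project}-evidence/{incident_id}/{name}"}
        for name, data in sorted(artifacts.items())
    }
    record = {
        "incident_id": incident_id,
        "collector": collector,            # identity (e.g. service account) that ran the capture
        "source_project": source_project,  # project the evidence was taken from
        "sandbox_project": sandbox_project,
        "collected_at": collected_at,      # RFC 3339 timestamp, supplied by the caller
        "artifacts": entries,
    }
    record["record_sha256"] = sha256_hex(canonical_json(record))
    return record


def verify_custody_record(record: Dict, artifacts: Mapping[str, bytes]) -> bool:
    """Return True only if the record is intact and every artifact still matches it."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    if sha256_hex(canonical_json(body)) != record.get("record_sha256"):
        return False  # record itself was edited after sealing
    expected = record["artifacts"]
    if set(expected) != set(artifacts):
        return False  # an artifact was added or dropped
    return all(expected[n]["sha256"] == sha256_hex(d) and expected[n]["size"] == len(d)
               for n, d in artifacts.items())
```

The record hash covers the collector, projects and timestamp as well as the artifact digests, so the verification fails not only when a disk image changes but also when someone edits who collected it or when. Writing the record to the sandbox project alongside the artifacts, with the source project holding no copy, is what gives the isolation step its meaning.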
- Google Cloud Organization with appropriate permissions
- Terraform >= 1.5.0
- gcloud CLI configured
- .NET 8.0 SDK
- Python 3.11+
- Graphviz (for generating diagrams)
- Configure your GCP project variables:

  ```bash
  cp terraform/terraform.tfvars.example terraform/terraform.tfvars
  # Edit terraform.tfvars with your values
  ```

- Deploy Phase 1 Foundation:

  ```bash
  cd terraform/phase1-foundation
  terraform init && terraform apply
  ```

- Continue with subsequent phases as documented.
Demo Highlights: Automated governance, HIPAA-compliant Landing Zones with Terraform, Binary Authorization to ensure only scanned .NET containers run in GKE, and serverless malware scanning with Cloud Run. Incident response is handled as an engineering task, using Forensics Utils to automate evidence capture, moving from manual, reactive monitoring to a proactive, audit-ready platform.
Apache 2.0