Skip to content

Merlin-Studio/EU-Enterprise-Example

BranchesTags

Repository files navigation

Generated by Merlin Studio (https://app.merlin-studio.cloud). Licensed under the Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0).

This is a reference configuration for a GCP Landing Zone foundation for acme.com, generated by Merlin Studio. Generate your own at app.merlin-studio.cloud.

🆓 Merlin is now open — no signup, no email. Guest mode lets you start designing your own landing zone instantly. Open Merlin → app.merlin-studio.cloud.

acme-corp - Configuration Documentation

Generated: 2026-05-03T04:00:35.483229Z Profile: Standard Organization: acme.com

Executive Summary

This document describes the Cloud Foundation configuration for acme.com. This establishes your GCP Landing Zone.

Attribute Value
Cloud Foundation Name acme-corp
Organization ID <YOUR_ORG_ID>
Primary Region europe-west1
Configuration Profile Standard
Architecture Type Shared VPC

| Compliance Frameworks | ISO27001, GDPR, NIS2 |

| Organization Policies | 11 enforced |

| Log Retention | 2555 days |

| Billing Account | <YOUR_BILLING_ACCOUNT_ID> |

Compliance Requirements

This cloud foundation is configured to support:

  • ISO27001

  • GDPR

  • NIS2

Before deploying: This is an example reference. Replace <YOUR_ORG_ID>, <YOUR_BILLING_ACCOUNT_ID>, the acme.com domain, and the acme-corp project prefix with your own values. See DEPLOYMENT_GUIDE.md for the full prerequisite checklist.

1. Organization Structure

1.1 Folder Hierarchy

acme.com (<YOUR_ORG_ID>)
│

├── 📁 Production
│   └── Purpose: Environment
│       └── 📁 Integration

├── 📁 Staging
│   └── Purpose: Environment

├── 📁 Development
│   └── Purpose: Environment

├── 📁 Shared Services
│   └── Purpose: Shared Services

├── 📁 Security
│   └── Purpose: Security
Folder Purpose Description

| Production | Environment | Production workloads |

| Staging | Environment | Pre-production testing |

| Development | Environment | Development |

| Shared Services | Shared Services | Common infrastructure |

| Security | Security | Security tooling |

1.2 Bootstrap Projects

Project Name Folder Purpose APIs

| prj-seed-cicd | Shared Services | Cicd | cloudbuild.googleapis.com, artifactregistry.googleapis.com |

| prj-seed-logging | Security | Logging | logging.googleapis.com |

| prj-seed-networking | Shared Services | Networking | compute.googleapis.com, servicenetworking.googleapis.com |

1.3 Environments

Configured environments: Development, Staging, Production, Integration

2. Identity & Access Management

2.1 Administrative Groups

Group Name Purpose Roles

| gcp-organization-admins@acme.com | Org Admin | roles/resourcemanager.organizationAdmin |

| gcp-billing-admins@acme.com | Billing Admin | roles/billing.admin |

| gcp-network-admins@acme.com | Network Admin | roles/compute.networkAdmin |

| gcp-security-admins@acme.com | Security Admin | roles/iam.securityAdmin |

2.3 Service Accounts

Name Project Purpose Roles

| terraform-org-sa | prj-seed-cicd | Terraform | roles/resourcemanager.projectCreator, roles/resourcemanager.folderAdmin |

| cicd-deploy-sa | prj-seed-cicd | Cicd | roles/clouddeploy.operator, roles/cloudbuild.builds.editor, roles/artifactregistry.writer |

3. Networking

3.1 Network Architecture

Attribute Value
Architecture Type Shared VPC

3.2 VPC Networks

VPC Name Project Routing Mode Purpose

| vpc-shared-prod | prj-network-prod | GLOBAL | Production |

| vpc-shared-dev | prj-network-dev | GLOBAL | Non Production |

3.3 Subnets

Subnet VPC Region CIDR Private Google Access

| sb-prod-europe-west1 | vpc-shared-prod | europe-west1 | 10.0.0.0/20 | Yes |

| sb-dev-europe-west1 | vpc-shared-dev | europe-west1 | 10.1.0.0/20 | Yes |

| sb-prod-europe-west4 | vpc-shared-prod | europe-west4 | 10.128.0.0/20 | Yes |

| sb-dev-europe-west4 | vpc-shared-dev | europe-west4 | 10.129.0.0/20 | Yes |

4. Hybrid Connectivity

Attribute Value
Connectivity Type Partner Interconnect

| VPN Type | HA VPN | | Routing | Dynamic |

4.1 On-Premises Networks

Network Name CIDR Ranges

| on-prem-network | 192.20.0.0/20 |

4.2 Hybrid DNS

Setting Value
Inbound Forwarding Enabled

5. Security Configuration

5.1 Organization Policies

11 organization policies configured:

Constraint Enforcement Scope

| compute.skipDefaultNetworkCreation | enforce | organization |

| compute.requireOsLogin | enforce | organization |

| compute.requireShieldedVm | enforce | organization |

| compute.disableSerialPortAccess | enforce | organization |

| compute.disableNestedVirtualization | enforce | organization |

| compute.vmExternalIpAccess | deny_all | organization |

| storage.uniformBucketLevelAccess | enforce | organization |

| storage.publicAccessPrevention | enforce | organization |

| sql.restrictPublicIp | enforce | organization |

| iam.disableServiceAccountKeyCreation | enforce | organization |

| gcp.resourceLocations | allow_list | organization |

6. Logging & Monitoring

6.1 Log Retention

Setting Value
Default Retention Period 2555 days

6.2 Custom Retention Buckets

Bucket Name Retention (Days) Locked

| audit-logs | 2555 | No |

6.3 Centralized Logging

Setting Value
Logging Project prj-seed-logging

| Aggregated Sinks | 1 configured |

7. Backup & Disaster Recovery

7.1 What the landing zone provides

Aspect Value
DR Region europe-west4
DR-region subnets sb-prod-europe-west4, sb-dev-europe-west4
DR-region KMS keyring kr-europe-west4 (per-service CMEK keys)
Audit log retention 7 years (2555 days)

7.2 What workload teams must configure

  • Cloud SQL cross-region replicas and failover policy
  • GCS bucket cross-region replication or dual-region buckets
  • Backup policies (snapshot frequency, cross-region copy, retention)
  • Failover orchestration (manual promotion, app-layer retries)
  • DR runbook and tabletop testing schedule

RPO and RTO are workload-layer outcomes. The landing zone supports a warm-standby posture (RPO: minutes, RTO: hours) but does not configure workload-specific replication.

8. Cost Management

8.1 Budgets

Budget Name Amount Scope

| Production Budget | USD 5000 | folder |

| Non-Production Budget | USD 2000 | folder |

What Was Generated

This wizard generated FAST factory YAML data files — structured configuration that plugs directly into Google Cloud's FAST Fabric landing zone framework.

Attribute Value
Output Format FAST Factory YAML
Framework Cloud Foundation Fabric (FAST)

| Stages Generated | 5 |

FAST Stages Overview

Stage Directory Description

| Organization Setup | org-setup/ | Folders, IAM bindings, org policies, tags, billing |

| Networking | networking/ | VPC networks, subnets, firewall rules, DNS, VPNs |

| Security | security/ | KMS keyrings, security projects, SCC |

| Project Factory | project-factory/ | Workload projects (GKE, data, apps, compute, ops) |

| VPC Service Controls | vpcsc/ | Service perimeters, access levels, ingress/egress policies |

How to Deploy

Prerequisites

  • Cloud Foundation Fabric repository cloned
  • GCP Organization with appropriate permissions
  • Terraform >= 1.7 installed
  • A service account or user with Organization Admin privileges

Deployment Steps

  1. Clone FAST Fabric (if not already done):

    git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric.git
cd cloud-foundation-fabric/fast

  2. Place the generated data files into the corresponding FAST stage directories:

    • Copy org-setup/ contents into the FAST org-setup/ stage data directory

    • Copy networking/ contents into the FAST networking/ stage data directory

    • Copy security/ contents into the FAST security/ stage data directory

    • Copy project-factory/ contents into the FAST project-factory/ stage data directory

    • Copy vpcsc/ contents into the FAST vpcsc/ stage data directory

  3. Deploy stages in order:

    • Stage 0: Organization Setup (org-setup/)

    • Stage 1: Networking (networking/)

    • Stage 2: Security (security/)

    • Stage 3: Project Factory (project-factory/)

    • Stage 4: VPC Service Controls (vpcsc/)

  4. Review and apply each stage with Terraform:

    terraform init
terraform plan
terraform apply

FAST Data File Format

The generated YAML files use FAST's factory data format with $-interpolation tokens that are resolved at terraform plan time:

  • $iam_principals:... — References to IAM identities
  • $project_ids:... — References to project IDs from the FAST registry
  • $folder_ids:... — References to folder IDs

These tokens ensure that cross-stage dependencies are resolved automatically by FAST.

Getting Help

Important Disclaimers

  1. No Warranty: These configurations are generated based on your inputs. Review thoroughly before any deployment.

  2. Security Review Required: Have your security team review IAM bindings and org policies before deployment.

  3. Cost Implications: Deploying this infrastructure will incur GCP charges. Review the Cost Management section.

  4. Not Standalone: The YAML data files require FAST Fabric modules to deploy. They are not standalone Terraform.

  5. Your Responsibility: Actual deployment, testing, and maintenance are your responsibility.

Contacts

Role Email
Primary Contact acme@gmail.com

Generated by Merlin Studio. Licensed under the Apache License, Version 2.0

About

Reference GCP Landing Zone for EU enterprises with strict data residency. ISO 27001, GDPR, NIS2. EU-only regions (europe-west1 + europe-west4), EU-pinned KMS, Access Transparency, residency-enforcing org policies, Assured Workloads. FAST-compatible. Generated by Merlin Studio.

app.merlin-studio.cloud/

Topics

terraform gcp infrastructure-as-code gdpr iso27001 landing-zone system-automation nis2 cloud-foundation-fabric merlin-studio

Resources

Readme
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors