A reference GCP landing zone for a small company / startup, aligned with CIS GCP Benchmarks. Generated by Merlin Studio — a Cloud Foundation Design Studio for GCP. Generate your own at site.merlin-studio.cloud — free.
| Attribute | Value |
|---|---|
| Profile | Simple |
| Architecture | Standalone (single VPC) |
| Primary Region | europe-west1 |
| Environments | Development · Production |
| Compliance | CIS GCP Benchmarks |
| Workloads | Cloud Run · Cloud Functions · Compute Engine |
| Data Services | BigQuery · Firestore · Cloud Storage · Pub/Sub |
| Organization Policies | 8 enforced |
| Log Retention | 365 days |
| Monthly Budget | USD 1,000 |
| IaC Output | Generic Terraform .tfvars (12 files) |
| Architecture Score | 100 / 100 — Grade A |
| Security Score | 91 / 100 — Grade A |
| File / Group | Purpose |
|---|---|
| *.auto.tfvars (12 files) | Terraform variable values — folder structure, IAM, networking, security baseline, logging, cost, automation, data platform, application services, resource management, compute |
| DEPLOYMENT_GUIDE.md | Step-by-step instructions to deploy with Terraform |
| SECURITY_SCORECARD.md | CIS compliance check results |
| ARCHITECTURE_SCORECARD.md | Architecture quality assessment |
| architecture.mmd | Mermaid architecture diagram (render at mermaid.live) |
| derived_metadata.json | Computed values referenced by downstream templates |
| ARCHITECTURE_REPORT.json | Detailed architecture check results |
```text
acme.com
├── Production
└── Development
```
| Project | Folder | Purpose | APIs |
|---|---|---|---|
| prj-shared-services | Production | CI/CD, shared resources | cloudbuild.googleapis.com |
| Group | Roles |
|---|---|
| gcp-admins@acme.com | roles/resourcemanager.organizationAdmin, roles/billing.admin |
| Account | Project | Purpose |
|---|---|---|
| terraform-sa@prj-shared-services.iam.gserviceaccount.com | prj-shared-services | Terraform org-level provisioning |
| VPC | Project | Routing | Subnet | CIDR | Region |
|---|---|---|---|---|---|
| vpc-main | prj-shared-services | GLOBAL | sb-main-europe-west1 | 10.0.0.0/24 | europe-west1 |
Private Google Access enabled. VPC Flow Logs on.
Eight organization policies are configured at the organization level (seven enforced; iam.disableServiceAccountKeyCreation is left at not_enforce):
| Constraint | Enforcement |
|---|---|
| compute.skipDefaultNetworkCreation | enforce |
| storage.uniformBucketLevelAccess | enforce |
| compute.requireShieldedVm | enforce |
| compute.disableSerialPortAccess | enforce |
| compute.requireOsLogin | enforce |
| compute.disableNestedVirtualization | enforce |
| compute.vmExternalIpAccess | deny_all |
| iam.disableServiceAccountKeyCreation | not_enforce |
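The constraint table above written out as Terraform, as an added example that is not one of the generated .tfvars files (their variable names are not shown on this page). It assumes a variable `org_id` that you fill in, uses the Google provider's `google_org_policy_policy` resource, and reproduces the `not_enforce` setting on `iam.disableServiceAccountKeyCreation` so that gap sits visibly beside the enforced constraints.

```hcl
variable "org_id" { type = string } # left empty by the generator; fill in before apply

locals {
  # Boolean constraints the table sets to "enforce".
  enforced_boolean_constraints = [
    "compute.skipDefaultNetworkCreation",
    "storage.uniformBucketLevelAccess",
    "compute.requireShieldedVm",
    "compute.disableSerialPortAccess",
    "compute.requireOsLogin",
    "compute.disableNestedVirtualization",
  ]
}

resource "google_org_policy_policy" "enforced" {
  for_each = toset(local.enforced_boolean_constraints)
  name     = "organizations/${var.org_id}/policies/${each.value}"
  parent   = "organizations/${var.org_id}"
  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# List constraint: deny_all in the table, i.e. no VM in the org may be given an external IP.
resource "google_org_policy_policy" "vm_external_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Left at not_enforce in the table. Set enforce = "TRUE" once no workload depends on
# downloaded service-account keys (terraform-sa can be used through impersonation instead).
resource "google_org_policy_policy" "sa_key_creation" {
  name   = "organizations/${var.org_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      enforce = "FALSE"
    }
  }
}
```

Run `terraform plan` against the organization before applying; the `sa_key_creation` resource is the one to revisit when the scorecard's remaining CIS gap is addressed.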
CMEK enabled across Cloud Storage, BigQuery, and Cloud SQL. Data Access audit logging enabled with 365-day retention.
See SECURITY_SCORECARD.md for the full CIS check results.
See DEPLOYMENT_GUIDE.md for full deployment instructions — prerequisites, Terraform project structure, provider and backend configuration, deployment workflow, and post-deployment verification commands.
This is a reference configuration generated by Merlin Studio. Review all IAM bindings and org policies before deploying to your own environment. Several values (organization ID, billing account ID, identity provider) are intentionally left empty for you to fill in based on your GCP environment.
- Healthcare Example — HIPAA · SOC 2 · CIS · Standard profile · FAST output
- US Federal Agency Example — FedRAMP · NIST 800-53 · SOC 2 · SOX · Advanced profile · FAST output
Generated by Merlin Studio. Licensed under CC BY-ND 4.0.