
Merlin-Studio/US-Federal-Agency-Example


GCP Landing Zone — US Federal Agency · FedRAMP + NIST 800-53 + SOC 2 + SOX

This is a reference configuration for a US federal agency GCP landing zone, generated by Merlin Studio — a GCP Landing Zone Design Studio built on Cloud Foundation Fabric (FAST). Generate your own at site.merlin-studio.cloud.

🆓 Merlin is now open, no signup, no email. Guest mode lets you start designing your own landing zone instantly. Open Merlin →


Overview

Attribute Value
Profile Advanced
Architecture Hub and Spoke
Primary Region us-central1 · DR Region us-east1
Compliance Frameworks FedRAMP · NIST 800-53 · SOC 2 · SOX
Organization Policies 15 enforced
Log Retention 2555 days (7 years)
FAST Stages 5

1. Organization Structure

Folder Hierarchy

Organization
│
├── 📁 Production         — production workloads
├── 📁 Staging            — pre-production testing
├── 📁 Development        — development
├── 📁 Shared Services    — common infrastructure
├── 📁 Security           — security tooling
├── 📁 Networking         — hub networks and connectivity
├── 📁 Data Platform      — analytics and data services
└── 📁 Sandbox            — experimentation

Bootstrap Projects

Project Folder Purpose Key APIs
prj-new-service Shared Services CI/CD · KMS · Logging Cloud Build, KMS, Secret Manager, Logging, Monitoring, Compute, DNS, Artifact Registry

Environments

Development · Staging · Production · Sandbox


2. Identity & Access Management

Administrative Groups

Group Purpose Roles
gcp-organization-admins@ Org administration roles/resourcemanager.organizationAdmin
gcp-billing-admins@ Billing control roles/billing.admin
gcp-network-admins@ Network management roles/compute.networkAdmin · roles/compute.securityAdmin
gcp-security-admins@ Security oversight roles/iam.securityAdmin · roles/accesscontextmanager.policyAdmin
gcp-audit-viewers@ Audit access roles/iam.securityReviewer · roles/logging.viewer
gcp-support-admins@ Support operations roles/cloudsupport.techSupportEditor

Service Accounts

Name Project Purpose Key Roles
terraform-org-sa prj-seed-terraform Org-level Terraform roles/resourcemanager.organizationAdmin
terraform-network-sa prj-seed-terraform Network Terraform roles/compute.networkAdmin · roles/dns.admin
terraform-security-sa prj-seed-terraform Security Terraform roles/resourcemanager.organizationAdmin
cicd-deploy-sa prj-seed-cicd CI/CD deployments roles/clouddeploy.operator · roles/cloudbuild.builds.editor
security-scanner-sa prj-seed-security Security scanning roles/iam.securityReviewer · roles/securitycenter.sourcesViewer

Note: terraform-security-sa holds roles/resourcemanager.organizationAdmin, the same grant as terraform-org-sa. Scope it down to what stage 2 actually manages (KMS keyrings, security projects, SCC) unless a reason for the broader grant is documented.
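The verification step at the end of this README prints the organization IAM policy but does not compare it with the design. The script below is an added example, not part of the generated configuration or of Cloud Foundation Fabric: it reads the JSON from `gcloud organizations get-iam-policy ORG_ID --format=json`, diffs it against the bindings in the two tables above, and flags public grants, users bound directly, principals outside the allowed domain, and expected bindings that have gone missing. The domain agency.gov, the service-account e-mail addresses and the sample drifted policy are assumptions constructed for the example.

```python
"""Audit the organization IAM policy against the intended bindings.

Input: gcloud organizations get-iam-policy ORG_ID --format=json > org-iam.json
Reports unexpected grants, public or direct-user principals, principals outside
the allowed domains, and expected bindings that are missing.
"""
import json
import sys

# Assumptions for the example: agency.gov is the identity domain behind the
# iam.allowedPolicyMemberDomains allow list; SA e-mails follow the table above.
ALLOWED_DOMAINS = {"agency.gov"}
SEED = "prj-seed-terraform"
EXPECTED = {
    "group:gcp-organization-admins@agency.gov": {"roles/resourcemanager.organizationAdmin"},
    "group:gcp-billing-admins@agency.gov": {"roles/billing.admin"},
    "group:gcp-network-admins@agency.gov": {"roles/compute.networkAdmin", "roles/compute.securityAdmin"},
    "group:gcp-security-admins@agency.gov": {"roles/iam.securityAdmin", "roles/accesscontextmanager.policyAdmin"},
    "group:gcp-audit-viewers@agency.gov": {"roles/iam.securityReviewer", "roles/logging.viewer"},
    "group:gcp-support-admins@agency.gov": {"roles/cloudsupport.techSupportEditor"},
    f"serviceAccount:terraform-org-sa@{SEED}.iam.gserviceaccount.com": {"roles/resourcemanager.organizationAdmin"},
    f"serviceAccount:terraform-security-sa@{SEED}.iam.gserviceaccount.com": {"roles/resourcemanager.organizationAdmin"},
}


def audit_policy(policy, expected=EXPECTED, allowed_domains=ALLOWED_DOMAINS):
    """Return sorted finding strings; an empty list means the policy matches the design."""
    findings, seen = [], set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if binding.get("condition"):
            # Conditional grants are not part of the design; surface them for review.
            findings.append(f"CONDITIONAL {role}: {binding['condition'].get('title', '')}")
        for member in binding.get("members", []):
            seen.add((member, role))
            kind, _, ident = member.partition(":")
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"PUBLIC {member} has {role}")
                continue
            if kind == "user":
                findings.append(f"DIRECT-USER {member} has {role}: bind groups, not individuals")
            if kind in ("user", "group") and ident.rsplit("@", 1)[-1] not in allowed_domains:
                findings.append(f"FOREIGN-DOMAIN {member} has {role}")
            if role not in expected.get(member, set()):
                findings.append(f"UNEXPECTED {member} has {role}")
    for member, roles in expected.items():
        for role in sorted(roles - {r for m, r in seen if m == member}):
            findings.append(f"MISSING {member} lacks {role}")
    return sorted(findings)


def policy_from_expected(expected=EXPECTED):
    """Build the binding list the design implies; auditing it must yield no findings."""
    by_role = {}
    for member, roles in expected.items():
        for role in roles:
            by_role.setdefault(role, []).append(member)
    return {"bindings": [{"role": r, "members": sorted(m)} for r, m in sorted(by_role.items())]}


# Constructed sample: the designed policy after two manual grants and one lost role.
SAMPLE_POLICY = policy_from_expected()
for _b in SAMPLE_POLICY["bindings"]:
    if _b["role"] == "roles/resourcemanager.organizationAdmin":
        _b["members"].append("user:contractor@example.com")  # direct, foreign-domain grant
SAMPLE_POLICY["bindings"] = [b for b in SAMPLE_POLICY["bindings"] if b["role"] != "roles/logging.viewer"]
SAMPLE_POLICY["bindings"].append({"role": "roles/viewer", "members": ["allAuthenticatedUsers"]})

if __name__ == "__main__":
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for finding in audit_policy(policy) or ["OK: policy matches the design"]:
        print(finding)
```

Run it with the exported file as the only argument, or with no argument to see the five findings the constructed sample produces. Conditional bindings are reported rather than evaluated because the design above has none; any that appear were added outside Terraform.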

3. Networking

Attribute Value
Architecture Hub and Spoke
Hybrid Connectivity Dedicated Interconnect + HA VPN
Routing Dynamic (BGP)
Inbound DNS Forwarding Enabled

VPC Networks

VPC Project Routing Purpose
vpc-hub prj-network-hub GLOBAL Hub — central connectivity
vpc-prod prj-network-prod GLOBAL Production spoke
vpc-dev prj-network-dev GLOBAL Non-production spoke

Subnets

Subnet VPC Region CIDR Private Google Access
sb-hub-us-central1 vpc-hub us-central1 10.0.0.0/20 Yes
sb-prod-us-central1 vpc-prod us-central1 10.1.0.0/20 Yes
sb-dev-us-central1 vpc-dev us-central1 10.2.0.0/20 Yes
sb-hub-us-west2 vpc-hub us-west2 10.128.0.0/20 Yes
sb-prod-us-west2 vpc-prod us-west2 10.129.0.0/20 Yes
sb-dev-us-west2 vpc-dev us-west2 10.130.0.0/20 Yes

Note: the second set of subnets is in us-west2, while the DR region declared in the Overview and in section 6 is us-east1. No subnet in this table lands in the DR region; add us-east1 subnets to the networking stage data before relying on the failover settings.

On-Premises Networks

Network CIDR
on-prem-network 192.20.0.0/20

Note: 192.20.0.0/20 is outside RFC 1918 space. Confirm it is the intended on-premises range before advertising it over BGP, since VPC workloads will then route that prefix to on-premises rather than to the Internet.
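Hub, spokes and on-premises share one dynamic routing domain, so an overlapping or non-private range shows up as a routing surprise rather than as an error at apply time. The script below is an added example, not part of the generated files or of FAST: it checks the address plan in the tables above for malformed CIDRs, pairwise overlaps and non-RFC 1918 space, and proposes the next free /20 for a DR-region subnet, which the Subnets table does not yet contain. The allocation helper and the 10.0.0.0/8 pool it searches are assumptions for the example.

```python
"""Sanity-check the landing-zone address plan.

Every CIDR must be well-formed, no two ranges may overlap (hub, spokes and
on-premises are all reachable over BGP), and ranges should be RFC 1918 space.
Also proposes the next unallocated block for a region that has no subnet yet.
"""
import ipaddress

# Transcribed from the Subnets and On-Premises Networks tables above.
SUBNETS = {
    "sb-hub-us-central1": "10.0.0.0/20",
    "sb-prod-us-central1": "10.1.0.0/20",
    "sb-dev-us-central1": "10.2.0.0/20",
    "sb-hub-us-west2": "10.128.0.0/20",
    "sb-prod-us-west2": "10.129.0.0/20",
    "sb-dev-us-west2": "10.130.0.0/20",
}
ON_PREM = {"on-prem-network": "192.20.0.0/20"}


def parse(ranges):
    """Parse name->CIDR into networks; strict=True rejects CIDRs with host bits set."""
    nets, findings = {}, []
    for name, cidr in ranges.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"INVALID {name} {cidr}: {exc}")
    return nets, findings


def check_address_plan(subnets, on_prem):
    """Return sorted findings (INVALID, OVERLAP, NON-PRIVATE); [] means the plan is clean."""
    nets, findings = parse({**subnets, **on_prem})
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"OVERLAP {a} {nets[a]} overlaps {b} {nets[b]}")
    for name, net in nets.items():
        if not net.is_private:
            findings.append(f"NON-PRIVATE {name} {net} is not RFC 1918 space")
    return sorted(findings)


def next_free_block(allocated, prefixlen=20, within="10.0.0.0/8"):
    """First /prefixlen inside `within` (assumed pool) that overlaps nothing allocated."""
    nets, _ = parse(allocated)
    for candidate in ipaddress.ip_network(within).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(n) for n in nets.values()):
            return str(candidate)
    return None


if __name__ == "__main__":
    for finding in check_address_plan(SUBNETS, ON_PREM) or ["OK: no overlaps, all private"]:
        print(finding)
    print("next free /20 for a DR subnet:", next_free_block({**SUBNETS, **ON_PREM}))
```

On the plan as written the only finding is the non-private on-premises range; the first free /20 in the assumed pool is 10.0.16.0/20. Feed the same functions the ranges learned over BGP from the Interconnect and VPN sessions to catch overlaps that only exist on the on-premises side.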

4. Security

Organization Policies

Constraint Enforcement Scope
compute.skipDefaultNetworkCreation enforce organization
compute.requireOsLogin enforce organization
compute.requireShieldedVm enforce organization
compute.disableSerialPortAccess enforce organization
compute.vmExternalIpAccess deny_all organization
compute.disableNestedVirtualization enforce organization
storage.uniformBucketLevelAccess enforce organization
storage.publicAccessPrevention enforce organization
sql.restrictPublicIp enforce organization
sql.restrictAuthorizedNetworks enforce organization
iam.disableServiceAccountKeyCreation enforce organization
iam.disableServiceAccountKeyUpload enforce organization
gcp.detailedAuditLoggingMode enforce organization
gcp.resourceLocations allow_list organization
iam.allowedPolicyMemberDomains allow_list organization
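Listing a constraint is not the same as confirming it is enforced: a rule that is conditional, a list constraint left at allowAll, or a constraint that was never set all leave the design unmet while still looking plausible in a listing. The script below is an added example, not part of the generated configuration: it compares the table above with the JSON from `gcloud org-policies describe CONSTRAINT --organization=ORG_ID --effective --format=json`, exported to one file per constraint. The sample effective policies, the tag expression in the conditional rule and the customer ID used as the allowedPolicyMemberDomains value are constructed for the example.

```python
"""Verify the 15 constraints above are in effect at the organization.

Export first (assumed workflow, ORG_ID is a placeholder):
    for c in $CONSTRAINTS; do
      gcloud org-policies describe "$c" --organization=ORG_ID --effective \
        --format=json > "policies/$c.json"
    done
Then: python3 check_org_policies.py policies/
"""
import json
import os
import sys

# Constraint -> expected rule shape, transcribed from the table above.
EXPECTED_POLICIES = {
    "compute.skipDefaultNetworkCreation": "enforce",
    "compute.requireOsLogin": "enforce",
    "compute.requireShieldedVm": "enforce",
    "compute.disableSerialPortAccess": "enforce",
    "compute.vmExternalIpAccess": "deny_all",
    "compute.disableNestedVirtualization": "enforce",
    "storage.uniformBucketLevelAccess": "enforce",
    "storage.publicAccessPrevention": "enforce",
    "sql.restrictPublicIp": "enforce",
    "sql.restrictAuthorizedNetworks": "enforce",
    "iam.disableServiceAccountKeyCreation": "enforce",
    "iam.disableServiceAccountKeyUpload": "enforce",
    "gcp.detailedAuditLoggingMode": "enforce",
    "gcp.resourceLocations": "allow_list",
    "iam.allowedPolicyMemberDomains": "allow_list",
}


def rule_satisfies(rule, expectation):
    """True if one v2 policy rule unconditionally delivers the expected setting."""
    if rule.get("condition"):
        return False  # a conditional rule leaves resources outside the condition unprotected
    if expectation == "enforce":
        return rule.get("enforce") is True
    if expectation == "deny_all":
        return rule.get("denyAll") is True
    if expectation == "allow_list":
        values = rule.get("values") or {}
        return bool(values.get("allowedValues")) and not rule.get("allowAll")
    raise ValueError(f"unknown expectation {expectation!r}")


def check_org_policies(effective, expected=EXPECTED_POLICIES):
    """effective: constraint -> policy JSON (None if unset). Returns sorted findings."""
    findings = []
    for constraint, expectation in expected.items():
        rules = ((effective.get(constraint) or {}).get("spec") or {}).get("rules") or []
        if not rules:
            findings.append(f"UNSET {constraint}: expected {expectation}, no effective rules")
        elif not any(rule_satisfies(r, expectation) for r in rules):
            findings.append(f"MISMATCH {constraint}: expected {expectation}, rules={json.dumps(rules, sort_keys=True)}")
    return sorted(findings)


def load_effective(directory, expected=EXPECTED_POLICIES):
    """Read <constraint>.json for each constraint; a missing file counts as unset."""
    out = {}
    for constraint in expected:
        path = os.path.join(directory, f"{constraint}.json")
        out[constraint] = json.load(open(path)) if os.path.exists(path) else None
    return out


# Constructed sample: the design as applied, plus two drifts and one conditional rule.
# Shapes follow the v2 JSON that `gcloud org-policies describe --effective` emits.
SAMPLE_EFFECTIVE = {c: {"spec": {"rules": [{"enforce": True}]}}
                    for c, e in EXPECTED_POLICIES.items() if e == "enforce"}
SAMPLE_EFFECTIVE["gcp.resourceLocations"] = {"spec": {"rules": [{"values": {"allowedValues": ["in:us-locations"]}}]}}
SAMPLE_EFFECTIVE["iam.allowedPolicyMemberDomains"] = {"spec": {"rules": [{"values": {"allowedValues": ["C0123abcd"]}}]}}  # assumed customer ID
SAMPLE_EFFECTIVE["compute.vmExternalIpAccess"] = {"spec": {"rules": [{"allowAll": True}]}}  # drift: reopened
SAMPLE_EFFECTIVE["iam.disableServiceAccountKeyCreation"] = None                            # drift: never set
SAMPLE_EFFECTIVE["compute.requireOsLogin"] = {"spec": {"rules": [                          # conditional only
    {"enforce": True, "condition": {"expression": "resource.matchTag('123/env', 'prod')"}}]}}

if __name__ == "__main__":
    effective = load_effective(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EFFECTIVE
    for finding in check_org_policies(effective) or ["OK: all constraints in effect"]:
        print(finding)
```

Run against the export directory after stage 0 and again on a schedule: the three findings the constructed sample produces (a conditional-only OS Login rule, external IPs reopened, SA key creation never restricted) are exactly the kinds of drift a listing does not reveal.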

5. Logging & Monitoring

Setting Value
Default Retention 2555 days
Logging Project prj-seed-logging
Aggregated Sinks 3

Log Retention Buckets

Bucket Retention Locked
audit-logs 730 days Yes
security-logs 365 days Yes

Note: both buckets retain far less than the 2555-day default above, and the retention period of a locked Cloud Logging bucket cannot be changed afterwards. Set the retention the frameworks require before locking.

6. Backup & Disaster Recovery

Setting Value
DR Strategy Backup & Restore
Failover Automation Enabled
RPO 1h
RTO 15m
Primary Region us-central1
DR Region us-east1

Backup Policies

Policy Resource Frequency Retention Cross-Region
hourly-compute-snapshots Compute Disk Hourly 7 days Yes
daily-compute-snapshots Compute Disk Daily 90 days Yes
continuous-sql-backup Cloud SQL Continuous 30 days Yes
daily-gcs-versioning Cloud Storage Continuous 90 days Yes
daily-bigquery-snapshots BigQuery Daily 30 days No

Failover Testing

Setting Value
Frequency Quarterly
Test Type Partial

7. Cost Management

Budget Amount Scope
Organization Budget USD 100,000 billing_account

What Was Generated

FAST factory YAML data files — structured configuration that plugs directly into the FAST stages of Google's Cloud Foundation Fabric.

Stage Directory Description
0 org-setup/ Folders, IAM bindings, org policies, tags, billing
1 networking/ VPC networks, subnets, firewall rules, DNS, VPNs
2 security/ KMS keyrings, security projects, SCC
3 project-factory/ Workload projects
4 vpcsc/ Service perimeters, access levels, ingress/egress policies

The YAML files use FAST's factory data format with $-interpolation tokens resolved at terraform plan time:

  • $iam_principals:... — IAM identity references
  • $project_ids:... — Project IDs from the FAST registry
  • $folder_ids:... — Folder ID references

Cross-stage dependencies are resolved automatically by FAST.


How to Deploy

Prerequisites

  • Cloud Foundation Fabric cloned locally
  • GCP Organization with a seed project already created
  • Terraform >= 1.7 and gcloud CLI installed
  • Service account with Organization Admin at org level

Create the Terraform state bucket before deploying. Stage 0 has not yet applied storage.publicAccessPrevention or storage.uniformBucketLevelAccess at the organization, so set both explicitly here, and turn on versioning so a bad apply does not overwrite the only copy of the state:

gcloud storage buckets create gs://YOUR_STATE_BUCKET \
  --project=YOUR_SEED_PROJECT \
  --location=us-central1 \
  --uniform-bucket-level-access \
  --public-access-prevention

# Keep prior state versions recoverable
gcloud storage buckets update gs://YOUR_STATE_BUCKET --versioning

Deployment Steps

1. Clone FAST Fabric

git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric.git

2. Copy generated files into FAST stage directories

cp -r org-setup/*       cloud-foundation-fabric/fast/stages/0-org-setup/data/
cp -r networking/*      cloud-foundation-fabric/fast/stages/1-networking/data/
cp -r security/*        cloud-foundation-fabric/fast/stages/2-security/data/
cp -r project-factory/* cloud-foundation-fabric/fast/stages/3-project-factory/data/
cp -r vpcsc/*           cloud-foundation-fabric/fast/stages/4-vpcsc/data/

3. Deploy stages in order

# Stage 0 — Organization Setup
cd cloud-foundation-fabric/fast/stages/0-org-setup
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/0-org-setup"
terraform plan -out=tfplan
terraform apply tfplan

# Stage 1 — Networking
cd ../1-networking
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/1-networking"
terraform plan -out=tfplan
terraform apply tfplan

# Stage 2 — Security
cd ../2-security
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/2-security"
terraform plan -out=tfplan
terraform apply tfplan

# Stage 3 — Project Factory
cd ../3-project-factory
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/3-project-factory"
terraform plan -out=tfplan
terraform apply tfplan

# Stage 4 — VPC Service Controls
cd ../4-vpcsc
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/4-vpcsc"
terraform plan -out=tfplan
terraform apply tfplan

Post-Deployment Verification

# Verify organization folder structure
gcloud resource-manager folders list --organization=YOUR_ORG_ID

# Verify IAM bindings at org level
gcloud organizations get-iam-policy YOUR_ORG_ID

# Verify projects were created
gcloud projects list --filter="parent.type=folder"

# Verify VPC networks
gcloud compute networks list --project=YOUR_NETWORK_PROJECT

# Verify organization policies are set (then check effective values per constraint)
gcloud org-policies list --organization=YOUR_ORG_ID

# Verify the aggregated log sinks and retention buckets
gcloud logging sinks list --organization=YOUR_ORG_ID
gcloud logging buckets list --project=YOUR_LOGGING_PROJECT

FAST Documentation

  • FAST README
  • Each stage directory contains its own README with stage-specific details

Generated by Merlin Studio
