Generated: 2026-02-22T10:15:40.581203Z Profile: Standard Organization: acme.com
This document describes the Cloud Foundation configuration for acme.com, which establishes your GCP landing zone.
| Attribute | Value |
|---|---|
| Cloud Foundation Name | healthcare-provider-acme |
| Organization ID | `` |
| Primary Region | us-east1 |
| Configuration Profile | Standard |
| Architecture Type | Shared VPC |
| Compliance Frameworks | SOC2, HIPAA, CIS |
| Organization Policies | 10 enforced |
| Log Retention | 2190 days |
| Billing Account | `` |
This cloud foundation is configured to support:
- SOC2
- HIPAA
- CIS
```
acme.com ()
│
├── 📁 Production
│   └── Purpose: environment
├── 📁 Staging
│   └── Purpose: environment
├── 📁 Development
│   └── Purpose: environment
├── 📁 Shared Services
│   └── Purpose: shared_services
├── 📁 Security
│   └── Purpose: security
```
| Folder | Purpose | Description |
|---|---|---|
| Production | environment | Production workloads |
| Staging | environment | Pre-production testing |
| Development | environment | Development |
| Shared Services | shared_services | Common infrastructure |
| Security | security | Security tooling |
| Project Name | Folder | Purpose | APIs |
|---|---|---|---|
| prj-seed-cicd | Shared Services | cicd | cloudbuild.googleapis.com, artifactregistry.googleapis.com |
| prj-seed-logging | Security | logging | logging.googleapis.com |
| prj-seed-networking | Shared Services | networking | compute.googleapis.com, servicenetworking.googleapis.com |
Configured environments: Development, Staging, Production
| Group Name | Purpose | Roles |
|---|---|---|
| gcp-organization-admins@acme.com | org_admin | roles/resourcemanager.organizationAdmin |
| gcp-billing-admins@acme.com | billing_admin | roles/billing.admin |
| gcp-network-admins@acme.com | network_admin | roles/compute.networkAdmin |
| gcp-security-admins@acme.com | security_admin | roles/iam.securityAdmin |
| Name | Project | Purpose | Roles |
|---|---|---|---|
| terraform-org-sa | prj-seed-cicd | terraform | roles/resourcemanager.projectCreator, roles/resourcemanager.folderAdmin |
| cicd-deploy-sa | prj-seed-cicd | cicd | roles/clouddeploy.operator, roles/cloudbuild.builds.editor, roles/artifactregistry.writer |
| Attribute | Value |
|---|---|
| Architecture Type | Shared VPC |
| VPC Name | Project | Routing Mode | Purpose |
|---|---|---|---|
| vpc-shared-prod | prj-network-prod | GLOBAL | production |
| vpc-shared-dev | prj-network-dev | GLOBAL | non_production |
| Subnet | VPC | Region | CIDR | Private Google Access |
|---|---|---|---|---|
| sb-prod-us-east1 | vpc-shared-prod | us-east1 | 10.0.0.0/20 | Yes |
| sb-dev-us-east1 | vpc-shared-dev | us-east1 | 10.1.0.0/20 | Yes |
| sb-prod-us-west1 | vpc-shared-prod | us-west1 | 10.128.0.0/20 | Yes |
| sb-dev-us-west1 | vpc-shared-dev | us-west1 | 10.129.0.0/20 | Yes |
| Attribute | Value |
|---|---|
| Connectivity Type | Partner Interconnect |
| VPN Type | HA VPN |
| Routing | Dynamic |
| Network Name | CIDR Ranges |
|---|---|
| on-prem-network | 192.20.0.0/20 |
| Setting | Value |
|---|---|
| Inbound Forwarding | Enabled |
10 organization policies configured:
| Constraint | Enforcement | Scope |
|---|---|---|
| compute.skipDefaultNetworkCreation | enforce | organization |
| compute.requireOsLogin | enforce | organization |
| compute.requireShieldedVm | enforce | organization |
| compute.disableSerialPortAccess | enforce | organization |
| compute.disableNestedVirtualization | enforce | organization |
| compute.vmExternalIpAccess | deny_all | organization |
| storage.uniformBucketLevelAccess | enforce | organization |
| storage.publicAccessPrevention | enforce | organization |
| sql.restrictPublicIp | enforce | organization |
| iam.disableServiceAccountKeyCreation | enforce | organization |
| Setting | Value |
|---|---|
| Default Retention Period | 2190 days |
| Bucket Name | Retention (Days) | Locked |
|---|---|---|
| audit-logs | 365 | No |
| Setting | Value |
|---|---|
| Logging Project | prj-seed-logging |
| Aggregated Sinks | 1 configured |
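A quick consistency check over the values in the tables above (an added example, not part of the generated document): it verifies that the Shared VPC subnet ranges do not overlap each other or the on-prem range, and flags log buckets whose retention is shorter than the stated default or whose retention policy is not locked. The input dicts are transcribed by hand from this page.

```python
"""Consistency checks for the landing-zone values on this page.
Added example, not part of the generated document; the dicts below are
transcribed from the Subnets, Hybrid Connectivity and Log Retention tables."""
import ipaddress

SUBNETS = {  # Subnets table
    "sb-prod-us-east1": "10.0.0.0/20",
    "sb-dev-us-east1": "10.1.0.0/20",
    "sb-prod-us-west1": "10.128.0.0/20",
    "sb-dev-us-west1": "10.129.0.0/20",
}
ON_PREM = {"on-prem-network": "192.20.0.0/20"}  # on-prem CIDR table
DEFAULT_RETENTION_DAYS = 2190                     # "Default Retention Period"
LOG_BUCKETS = [{"name": "audit-logs", "retention_days": 365, "locked": False}]


def overlapping_ranges(*range_maps):
    """Return (name_a, name_b) pairs whose CIDRs overlap. An overlap between a
    Shared VPC subnet and the advertised on-prem range breaks hybrid routing."""
    named = [(n, ipaddress.ip_network(c)) for m in range_maps for n, c in m.items()]
    return [(a, b) for i, (a, na) in enumerate(named)
            for b, nb in named[i + 1:] if na.overlaps(nb)]


def retention_findings(buckets, default_days):
    """Flag buckets that keep logs for less than the stated default retention,
    and buckets whose retention policy is unlocked (it can be shortened later)."""
    findings = []
    for b in buckets:
        if b["retention_days"] < default_days:
            findings.append(
                f"{b['name']}: retention {b['retention_days']}d < default {default_days}d")
        if not b["locked"]:
            findings.append(f"{b['name']}: retention policy not locked")
    return findings


if __name__ == "__main__":
    for finding in retention_findings(LOG_BUCKETS, DEFAULT_RETENTION_DAYS):
        print("FINDING", finding)
    print("CIDR overlaps:", overlapping_ranges(SUBNETS, ON_PREM))
```

Run as written, it reports no CIDR overlaps but two findings for audit-logs, since its 365-day retention is well below the 2190-day default this foundation claims.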
| Attribute | Value |
|---|---|
| DR Strategy | Backup Restore |
| Failover Automation | Disabled |
| Default RPO | 24h |
| Default RTO | 4h |
| Primary Region | us-east1 |
| DR Region | us-west1 |
| Policy Name | Resource Type | Frequency | Retention (Days) | Cross-Region |
|---|---|---|---|---|
| daily-compute-snapshots | compute_disk | daily | 30 | No |
| daily-sql-backup | cloud_sql | daily | 30 | No |
| Setting | Value |
|---|---|
| Testing Frequency | annually |
| Test Type | tabletop |
| Budget Name | Amount | Scope |
|---|---|---|
| Production Budget | USD 5000 | folder |
| Non-Production Budget | USD 2000 | folder |
This wizard generated FAST factory YAML data files — structured configuration that plugs directly into Google Cloud's FAST Fabric landing zone framework.
| Attribute | Value |
|---|---|
| Output Format | FAST Factory YAML |
| Framework | Cloud Foundation Fabric (FAST) |
| Stages Generated | 5 |
| Stage | Directory | Description |
|---|---|---|
| Organization Setup | org-setup/ | Folders, IAM bindings, org policies, tags, billing |
| Networking | networking/ | VPC networks, subnets, firewall rules, DNS, VPNs |
| Security | security/ | KMS keyrings, security projects, SCC |
| Project Factory | project-factory/ | Workload projects (GKE, data, apps, compute, ops) |
| VPC Service Controls | vpcsc/ | Service perimeters, access levels, ingress/egress policies |
- Cloud Foundation Fabric repository cloned
- GCP Organization with appropriate permissions
- Terraform >= 1.7 installed
- A service account or user with Organization Admin privileges
1. Clone FAST Fabric (if not already done):

   ```bash
   git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric.git
   cd cloud-foundation-fabric/fast
   ```

2. Place the generated data files into the corresponding FAST stage directories:
   - Copy `org-setup/` contents into the FAST `org-setup/` stage data directory
   - Copy `networking/` contents into the FAST `networking/` stage data directory
   - Copy `security/` contents into the FAST `security/` stage data directory
   - Copy `project-factory/` contents into the FAST `project-factory/` stage data directory
   - Copy `vpcsc/` contents into the FAST `vpcsc/` stage data directory

3. Deploy stages in order:
   - Stage 0: Organization Setup (`org-setup/`)
   - Stage 1: Networking (`networking/`)
   - Stage 2: Security (`security/`)
   - Stage 3: Project Factory (`project-factory/`)
   - Stage 4: VPC Service Controls (`vpcsc/`)

4. Review and apply each stage with Terraform:

   ```bash
   terraform init
   terraform plan
   terraform apply
   ```
The generated YAML files use FAST's factory data format with `$`-interpolation tokens that are resolved at `terraform plan` time:
- `$iam_principals:...` references IAM identities
- `$project_ids:...` references project IDs from the FAST registry
- `$folder_ids:...` references folder IDs
These tokens ensure that cross-stage dependencies are resolved automatically by FAST.
- FAST Documentation: See FAST README
- Stage-specific docs: Each FAST stage directory contains its own README
- Community: r/googlecloud, Stack Overflow
- No Warranty: These configurations are generated based on your inputs. Review thoroughly before any deployment.
- Security Review Required: Have your security team review IAM bindings and org policies before deployment.
- Cost Implications: Deploying this infrastructure will incur GCP charges. Review the Cost Management section.
- Not Standalone: The YAML data files require FAST Fabric modules to deploy. They are not standalone Terraform.
- Your Responsibility: Actual deployment, testing, and maintenance are your responsibility.
| Role | Contact |
|---|---|
| Primary Contact | cloudteam@acme.com |
Generated by Cloud Foundation Design Studio v1.0.0