Merlin-Studio/Healthcare-Example

GCP Landing Zone — Healthcare · HIPAA + SOC 2 + CIS

This is a reference configuration for a healthcare organization GCP landing zone, generated by Merlin Studio — a GCP Landing Zone Design Studio built on Cloud Foundation Fabric (FAST). Generate your own at site.merlin-studio.cloud.

🆓 Merlin is now open — no signup, no email. Guest mode lets you start designing your own landing zone instantly. Open Merlin →


Overview

| Attribute | Value |
| --- | --- |
| Profile | Standard |
| Architecture | Shared VPC |
| Primary Region | us-east1 |
| DR Region | us-west1 |
| Compliance Frameworks | HIPAA · SOC 2 · CIS |
| Organization Policies | 10 enforced |
| Log Retention | 2190 days (6 years) |
| FAST Stages | 5 |

1. Organization Structure

Folder Hierarchy

Organization
│
├── 📁 Production         — production workloads
├── 📁 Staging            — pre-production testing
├── 📁 Development        — development
├── 📁 Shared Services    — common infrastructure
└── 📁 Security           — security tooling

Bootstrap Projects

| Project | Folder | Purpose | APIs |
| --- | --- | --- | --- |
| prj-seed-cicd | Shared Services | CI/CD | Cloud Build, Artifact Registry |
| prj-seed-logging | Security | Centralized logging | Cloud Logging |
| prj-seed-networking | Shared Services | Network host | Compute, Service Networking |

2. Identity & Access Management

Administrative Groups

| Group | Purpose | Role |
| --- | --- | --- |
| gcp-organization-admins@ | Org administration | roles/resourcemanager.organizationAdmin |
| gcp-billing-admins@ | Billing control | roles/billing.admin |
| gcp-network-admins@ | Network management | roles/compute.networkAdmin |
| gcp-security-admins@ | Security oversight | roles/iam.securityAdmin |

Service Accounts

| Name | Project | Purpose | Key Roles |
| --- | --- | --- | --- |
| terraform-org-sa | prj-seed-cicd | Terraform automation | projectCreator, folderAdmin |
| cicd-deploy-sa | prj-seed-cicd | CI/CD deployments | clouddeploy.operator, builds.editor |

3. Networking

| Attribute | Value |
| --- | --- |
| Architecture | Shared VPC |
| Hybrid Connectivity | Partner Interconnect + HA VPN |
| Routing | Dynamic (BGP) |
| Inbound DNS Forwarding | Enabled |

VPC Networks

| VPC | Project | Routing | Purpose |
| --- | --- | --- | --- |
| vpc-shared-prod | prj-network-prod | GLOBAL | Production |
| vpc-shared-dev | prj-network-dev | GLOBAL | Non-production |

Subnets

| Subnet | VPC | Region | CIDR | Private Google Access |
| --- | --- | --- | --- | --- |
| sb-prod-us-east1 | vpc-shared-prod | us-east1 | 10.0.0.0/20 | Yes |
| sb-dev-us-east1 | vpc-shared-dev | us-east1 | 10.1.0.0/20 | Yes |
| sb-prod-us-west1 | vpc-shared-prod | us-west1 | 10.128.0.0/20 | Yes |
| sb-dev-us-west1 | vpc-shared-dev | us-west1 | 10.129.0.0/20 | Yes |

On-Premises Networks

| Network | CIDR |
| --- | --- |
| on-prem-network | 192.20.0.0/20 |

Note: 192.20.0.0/20 is not an RFC 1918 range. If it is the real on-premises prefix rather than a placeholder, the route learned over BGP will shadow the publicly routed 192.20.0.0/20 block for every workload in both Shared VPCs; confirm the value before deploying stage 1.
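The address plan above is what stage 1 hands to BGP, so it is worth checking for overlaps and for non-private space before `terraform apply`. The script below is an added example, not part of the generated configuration or of FAST: it takes the subnet and on-premises CIDRs from the tables on this page (embedded as constructed input), flags any pair of prefixes that overlap, any prefix outside private address space, and any prefix that collides with the private.googleapis.com (199.36.153.8/30) and restricted.googleapis.com (199.36.153.4/30) VIPs that Private Google Access and the stage 4 VPC Service Controls perimeter route through. Run against this page's data it reports exactly one finding, the on-premises range.

```python
"""Address-plan check for stage 1, run before terraform apply.

Added example; not part of the generated configuration or of FAST.
Inputs are the subnet and on-premises CIDRs from this page's tables.
"""
import ipaddress
from itertools import combinations

# Constructed from the Subnets and On-Premises Networks tables on this page.
ADDRESS_PLAN = {
    "sb-prod-us-east1": "10.0.0.0/20",
    "sb-dev-us-east1": "10.1.0.0/20",
    "sb-prod-us-west1": "10.128.0.0/20",
    "sb-dev-us-west1": "10.129.0.0/20",
    "on-prem-network": "192.20.0.0/20",
}

# Google's documented VIPs for Private Google Access / VPC Service Controls.
GOOGLE_API_VIPS = {
    "private.googleapis.com": "199.36.153.8/30",
    "restricted.googleapis.com": "199.36.153.4/30",
}


def _networks(plan):
    # strict=True rejects prefixes with host bits set (e.g. 10.0.1.0/20).
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}


def overlapping_ranges(plan):
    """Pairs of names whose prefixes overlap; BGP would make such routes ambiguous."""
    nets = _networks(plan)
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def non_private_ranges(plan):
    """Names whose prefix lies outside private (RFC 1918 and similar) space.

    A public block advertised over Interconnect or VPN shadows the real Internet
    destination for every workload that learns the route.
    """
    return sorted(name for name, net in _networks(plan).items() if not net.is_private)


def google_api_collisions(plan):
    """Names whose prefix overlaps the googleapis VIPs used by Private Google Access."""
    vips = [ipaddress.ip_network(c) for c in GOOGLE_API_VIPS.values()]
    return sorted(
        name for name, net in _networks(plan).items() if any(net.overlaps(v) for v in vips)
    )


def address_plan_findings(plan):
    """All findings as strings; an empty list means the plan is clean."""
    findings = [f"overlap: {a} and {b}" for a, b in overlapping_ranges(plan)]
    findings += [f"not private address space: {n}" for n in non_private_ranges(plan)]
    findings += [f"collides with googleapis VIP: {n}" for n in google_api_collisions(plan)]
    return findings


if __name__ == "__main__":
    for finding in address_plan_findings(ADDRESS_PLAN) or ["no findings"]:
        print(finding)
```

Feed it the CIDRs from your own generated `networking/` data instead of the constructed dictionary; the checks are independent of how the prefixes are named.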

4. Security

Organization Policies

| Constraint | Enforcement | Scope |
| --- | --- | --- |
| compute.skipDefaultNetworkCreation | enforce | organization |
| compute.requireOsLogin | enforce | organization |
| compute.requireShieldedVm | enforce | organization |
| compute.disableSerialPortAccess | enforce | organization |
| compute.disableNestedVirtualization | enforce | organization |
| compute.vmExternalIpAccess | deny_all | organization |
| storage.uniformBucketLevelAccess | enforce | organization |
| storage.publicAccessPrevention | enforce | organization |
| sql.restrictPublicIp | enforce | organization |
| iam.disableServiceAccountKeyCreation | enforce | organization |

5. Logging & Monitoring

| Setting | Value |
| --- | --- |
| Default Retention | 2190 days |
| Logging Project | prj-seed-logging |
| Aggregated Sinks | 1 |
| Audit Log Bucket Retention | 365 days |

Note: the audit log bucket keeps data for 365 days, far less than the 2190-day (6-year) default advertised in the overview. Confirm which bucket the aggregated sink routes audit logs to, and that it is the one with 6-year retention, before relying on this configuration for the retention the compliance frameworks above call for.

6. Backup & Disaster Recovery

| Setting | Value |
| --- | --- |
| DR Strategy | Backup & Restore |
| RPO | 24h |
| RTO | 4h |
| Primary Region | us-east1 |
| DR Region | us-west1 |

Backup Policies

| Policy | Resource | Frequency | Retention | Cross-Region |
| --- | --- | --- | --- | --- |
| daily-compute-snapshots | Compute Disk | Daily | 30 days | No |
| daily-sql-backup | Cloud SQL | Daily | 30 days | No |

Note: neither policy is configured with a cross-region copy, while the DR region is us-west1. Check where the disk snapshots and Cloud SQL backups are actually stored and test a restore into us-west1 against the 4h RTO before treating the DR strategy as complete.

7. Cost Management

| Budget | Amount | Scope |
| --- | --- | --- |
| Production Budget | USD 5,000 | folder |
| Non-Production Budget | USD 2,000 | folder |

What Was Generated

FAST factory YAML data files — structured configuration that plugs directly into Google Cloud's FAST Fabric.

| Stage | Directory | Description |
| --- | --- | --- |
| 0 | org-setup/ | Folders, IAM bindings, org policies, tags, billing |
| 1 | networking/ | VPC networks, subnets, firewall rules, DNS, VPNs |
| 2 | security/ | KMS keyrings, security projects, SCC |
| 3 | project-factory/ | Workload projects |
| 4 | vpcsc/ | Service perimeters, access levels, ingress/egress policies |

The YAML files use FAST's factory data format with $-interpolation tokens resolved at terraform plan time:

  • $iam_principals:... — IAM identity references
  • $project_ids:... — Project IDs from the FAST registry
  • $folder_ids:... — Folder ID references

Cross-stage dependencies are resolved automatically by FAST.


How to Deploy

Prerequisites

  • Cloud Foundation Fabric cloned locally
  • GCP Organization with a seed project already created
  • Terraform >= 1.7 and gcloud CLI installed
  • Service account with Organization Admin at org level

Create the Terraform state bucket before deploying:

# Set public access prevention explicitly: the org-level storage.publicAccessPrevention policy only applies once stage 0 is deployed.
gcloud storage buckets create gs://YOUR_STATE_BUCKET \
  --project=YOUR_SEED_PROJECT \
  --location=us-east1 \
  --uniform-bucket-level-access \
  --public-access-prevention
# Keep prior state versions so a bad apply can be rolled back.
gcloud storage buckets update gs://YOUR_STATE_BUCKET --versioning

Deployment Steps

1. Clone FAST Fabric

git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric.git

2. Copy generated files into FAST stage directories

cp -r org-setup/*       cloud-foundation-fabric/fast/stages/0-org-setup/data/
cp -r networking/*      cloud-foundation-fabric/fast/stages/1-networking/data/
cp -r security/*        cloud-foundation-fabric/fast/stages/2-security/data/
cp -r project-factory/* cloud-foundation-fabric/fast/stages/3-project-factory/data/
cp -r vpcsc/*           cloud-foundation-fabric/fast/stages/4-vpcsc/data/

3. Deploy stages in order

# Stage 0 — Organization Setup
cd cloud-foundation-fabric/fast/stages/0-org-setup
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/0-org-setup"
terraform plan -out=tfplan
terraform apply tfplan

# Stage 1 — Networking
cd ../1-networking
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/1-networking"
terraform plan -out=tfplan
terraform apply tfplan

# Stage 2 — Security
cd ../2-security
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/2-security"
terraform plan -out=tfplan
terraform apply tfplan

# Stage 3 — Project Factory
cd ../3-project-factory
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/3-project-factory"
terraform plan -out=tfplan
terraform apply tfplan

# Stage 4 — VPC Service Controls
cd ../4-vpcsc
terraform init -backend-config="bucket=YOUR_STATE_BUCKET" \
               -backend-config="prefix=stages/4-vpcsc"
terraform plan -out=tfplan
terraform apply tfplan
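Each stage saves its plan to `tfplan` before applying it, which leaves room for a gate between `terraform plan` and `terraform apply`. The script below is an added example, not part of the generated repository or of FAST: it reads `terraform show -json tfplan` output, checks that every constraint from section 4 is planned with the intended rule (`enforce`, or `deny_all` for `compute.vmExternalIpAccess`), and refuses any plan, from any stage, in which an IAM binding grants a role to `allUsers` or `allAuthenticatedUsers`. It assumes the Terraform Google provider's `google_org_policy_policy` resource (with `spec.rules[].enforce` / `deny_all` / `allow_all` as the string `"TRUE"`) and `*_iam_member` / `*_iam_binding` resources exposing `member` / `members`, with nested blocks rendered as lists as in Terraform's JSON plan format. The plan document at the bottom is constructed for the demonstration: one constraint is absent, external IPs are allowed instead of denied, and a bucket binding would expose objects to everyone.

```python
"""Pre-apply gate: inspect `terraform show -json tfplan` output before applying.

Added example, not part of the generated repository or of FAST; attribute
layout assumed from the Terraform Google provider and the JSON plan format.
"""
import json
import sys

# Constraint -> expected rule key, taken from the Organization Policies table.
EXPECTED_CONSTRAINTS = {
    "compute.skipDefaultNetworkCreation": "enforce",
    "compute.requireOsLogin": "enforce",
    "compute.requireShieldedVm": "enforce",
    "compute.disableSerialPortAccess": "enforce",
    "compute.disableNestedVirtualization": "enforce",
    "compute.vmExternalIpAccess": "deny_all",
    "storage.uniformBucketLevelAccess": "enforce",
    "storage.publicAccessPrevention": "enforce",
    "sql.restrictPublicIp": "enforce",
    "iam.disableServiceAccountKeyCreation": "enforce",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def _planned(plan):
    """Yield (address, type, after) for resources that exist after apply (after is None on delete)."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("after") is not None:
            yield rc["address"], rc.get("type", ""), change["after"]


def planned_org_policies(plan):
    """Map constraint name -> rule key ('enforce', 'deny_all', 'allow_all' or 'unknown')."""
    found = {}
    for _, rtype, after in _planned(plan):
        if rtype != "google_org_policy_policy":
            continue
        constraint = after.get("name", "").rsplit("/policies/", 1)[-1]
        spec = (after.get("spec") or [{}])[0]          # nested blocks appear as lists
        rule = (spec.get("rules") or [{}])[0]
        for key in ("enforce", "deny_all", "allow_all"):
            if rule.get(key) == "TRUE":
                found[constraint] = key
                break
        else:
            found[constraint] = "unknown"
    return found


def check_org_policies(plan):
    """Return (missing, mismatched) constraint lists against EXPECTED_CONSTRAINTS."""
    found = planned_org_policies(plan)
    missing = sorted(c for c in EXPECTED_CONSTRAINTS if c not in found)
    mismatched = sorted(c for c, want in EXPECTED_CONSTRAINTS.items()
                        if c in found and found[c] != want)
    return missing, mismatched


def public_iam_bindings(plan):
    """Addresses of IAM resources whose member(s) include a public principal."""
    hits = []
    for address, _, after in _planned(plan):
        members = set(after.get("members") or [])
        if after.get("member"):
            members.add(after["member"])
        if members & PUBLIC_PRINCIPALS:
            hits.append(address)
    return sorted(hits)


def gate(plan):
    """All findings as strings; an empty list means the plan may be applied."""
    missing, mismatched = check_org_policies(plan)
    findings = [f"org policy missing from plan: {c}" for c in missing]
    findings += [f"org policy rule differs from design: {c}" for c in mismatched]
    findings += [f"public principal in IAM binding: {a}" for a in public_iam_bindings(plan)]
    return findings


def _policy(constraint, **rule):
    # One google_org_policy_policy entry in plan-JSON shape (constructed test data).
    return {
        "address": f'google_org_policy_policy.default["{constraint}"]',
        "type": "google_org_policy_policy",
        "change": {"actions": ["create"], "after": {
            "name": f"organizations/123456789012/policies/{constraint}",
            "parent": "organizations/123456789012",
            "spec": [{"rules": [rule]}],
        }},
    }


# Constructed plan: one constraint absent, external IPs allowed instead of denied,
# and a bucket binding that would expose objects to everyone.
SAMPLE_PLAN = {"resource_changes": [
    _policy(c, enforce="TRUE") for c, want in EXPECTED_CONSTRAINTS.items()
    if want == "enforce" and c != "iam.disableServiceAccountKeyCreation"
] + [
    _policy("compute.vmExternalIpAccess", allow_all="TRUE"),
    {"address": "google_storage_bucket_iam_member.public",
     "type": "google_storage_bucket_iam_member",
     "change": {"actions": ["create"], "after": {
         "bucket": "prj-seed-logging-export", "role": "roles/storage.objectViewer",
         "member": "allUsers"}}},
]}


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = gate(plan)
    for finding in findings:
        print("FAIL:", finding)
    sys.exit(1 if findings else 0)
```

In the deployment flow this sits between the two existing commands: `terraform show -json tfplan > plan.json && python gate.py plan.json && terraform apply tfplan`. The org-policy check only means something for stage 0, where the constraints are created; the public-principal check is cheap enough to run on every stage's plan.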

Post-Deployment Verification

# Verify organization folder structure
gcloud resource-manager folders list --organization=YOUR_ORG_ID

# Verify IAM bindings at org level
gcloud organizations get-iam-policy YOUR_ORG_ID

# Verify the organization policies from section 4 are set
gcloud resource-manager org-policies list --organization=YOUR_ORG_ID

# Verify projects were created
gcloud projects list --filter="parent.type=folder"

# Verify VPC networks
gcloud compute networks list --project=YOUR_NETWORK_PROJECT

# Verify the aggregated log sink exists at org level
gcloud logging sinks list --organization=YOUR_ORG_ID

FAST Documentation

  • FAST README
  • Each stage directory contains its own README with stage-specific details

Generated by Merlin Studio. Licensed under the Apache License, Version 2.0.

Merlin Studio implements the Compiled AI paradigm: LLMs at build time, deterministic code at runtime. This makes generated artifacts auditable and reproducible — properties that direct LLM generation can't provide.
