<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Boris Teplitsky</title>
    <description>The latest articles on DEV Community by Boris Teplitsky (@boristep).</description>
    <link>https://dev.to/boristep</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1979094%2Fb185a14c-d2fc-44fe-b15e-8aa70fd2418f.png</url>
      <title>DEV Community: Boris Teplitsky</title>
      <link>https://dev.to/boristep</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/boristep"/>
    <language>en</language>
    <item>
      <title>Setting Up a GCP Landing Zone for Organizations with Strict Regulatory Requirements</title>
      <dc:creator>Boris Teplitsky</dc:creator>
      <pubDate>Mon, 20 Apr 2026 07:46:06 +0000</pubDate>
      <link>https://dev.to/boristep/setting-up-a-gcp-landing-zone-for-organizations-with-strict-regulatory-requirements-3p59</link>
      <guid>https://dev.to/boristep/setting-up-a-gcp-landing-zone-for-organizations-with-strict-regulatory-requirements-3p59</guid>
      <description>&lt;p&gt;Setting up a GCP Landing Zone for organizations with strict compliance requirements is not a trivial task. Cloud Foundation Fabric with a suitable template can significantly simplify the work — but what if no appropriate template exists, or your specific requirements go beyond what the templates cover? In this article, we explain how a tool we built, Merlin Studio, can help set up a landing zone under complex compliance requirements. We use a US healthcare provider as an example, walking through a landing zone aligned with the HIPAA compliance framework. The same approach applies to other regulations in the US and EU.&lt;/p&gt;

&lt;p&gt;The setup process with Merlin Studio consists of three parts:&lt;br&gt;
&lt;strong&gt;Discovery&lt;/strong&gt; — defining business requirements and conditions&lt;br&gt;
&lt;strong&gt;Configuration&lt;/strong&gt; — setting parameters for all landing zone sections&lt;br&gt;
&lt;strong&gt;Generation&lt;/strong&gt; — producing a package of Cloud Foundation Fabric YAML files, scorecards, documentation, and guides.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzmk4zzcyzobv18fse0xt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzmk4zzcyzobv18fse0xt.png" alt="info" width="800" height="447"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;If you want to try Merlin on your own landing zone, drop us an email at &lt;a href="mailto:intentarcha@gmail.com"&gt;intentarcha@gmail.com&lt;/a&gt; and we’ll set up your access — it’s free.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;Discovery&lt;/h2&gt;

&lt;p&gt;The goal of this stage is to determine who and what we are setting up. During Discovery, the user fills out 7 forms describing the company and the project's business environment. The forms cover general information about the organization and specific GCP implementation conditions: deployment strategy (GCP-only, hybrid with on-premises, or multi-cloud), workload types, company size, timeline, and budget expectations. A critical section is compliance: which regulatory frameworks must be implemented.&lt;br&gt;
In our example, we use a US healthcare provider that needs to connect GCP to an on-premises data center via Partner Interconnect. The required compliance frameworks are HIPAA, SOC 2, and CIS Benchmarks. Infrastructure requirements include multi-region deployment (us-east1 as primary, us-west1 as secondary) with warm standby disaster recovery.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F144aj5yedvugmqdyhdzu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F144aj5yedvugmqdyhdzu.png" alt="sc1" width="800" height="755"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuam1gc8csmzuknvgvd32.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuam1gc8csmzuknvgvd32.png" alt="sc2" width="800" height="737"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6w7s4iozerm1fttuk41y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6w7s4iozerm1fttuk41y.png" alt="sc3" width="800" height="688"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8v8eblijgcfce7abguwc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8v8eblijgcfce7abguwc.png" alt="sc4" width="800" height="500"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Based on the information provided during Discovery, Merlin sets the default landing zone configuration parameters, determines the profile complexity, identifies which configuration sections are required, and recommends a configuration mode: Express (accept best-practice defaults), Guided (review recommendations, customize as needed), or Expert (full control over all options). The user can change the configuration mode at any time, but to change the profile, they must return to the Discovery stage.&lt;br&gt;
In our example, Merlin recommends the Standard profile and activates 17 configuration sections. The user selects Guided mode.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbi495moqrdu5y3z481v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbi495moqrdu5y3z481v.png" alt="sc5" width="800" height="834"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foofqumknty4a5jg1433q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foofqumknty4a5jg1433q.png" alt="sc6" width="800" height="683"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;Configuration&lt;/h2&gt;

&lt;p&gt;Configuration is organized into sections, each covering a specific domain — IAM, Networking, Security, and others. In our example, Merlin recommended 17 sections. A sidebar allows free navigation between sections in any order — completed sections are marked, so the user always knows where they are. This allows focusing on specific sections and leaving others at their default values.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1533kvq6k465an7nx26b.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1533kvq6k465an7nx26b.png" alt="sc7" width="774" height="648"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe158m7mjt5txiwrilfni.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe158m7mjt5txiwrilfni.png" alt="sc8" width="800" height="418"&gt;&lt;/a&gt;&lt;br&gt;
Setting up a landing zone requires defining hundreds of parameters. Merlin makes this task as straightforward as possible:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Most fields have default values, set based on data collected during Discovery and the selected compliance framework requirements.&lt;/li&gt;
&lt;li&gt;Almost every field has a help panel with a short explanation, a link to the relevant Google documentation, and an optional LLM prompt.&lt;/li&gt;
&lt;li&gt;Fields required by compliance frameworks are marked with a badge — red for mandatory, orange for recommended.&lt;/li&gt;
&lt;li&gt;Merlin validates field values in real time and warns about errors and invalid inputs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The final step of the Configuration stage is generating a specification. Clicking the "Generate Spec" button triggers cross-section validation and produces a structured JSON document summarizing all configuration parameters. The results screen shows two things: any unmet compliance requirements with direct links to the relevant configuration sections, and the full specification in a readable format.&lt;br&gt;
The compliance posture summary is particularly useful — it shows exactly how many requirements are met per framework (in our example: SOC 2 12/13, HIPAA 28/29, CIS Benchmarks 16/17), lists each unmet requirement with the specific control reference, and provides a direct link to the configuration section where it can be fixed. No cross-referencing external documentation — everything needed to reach full compliance is on one screen.&lt;br&gt;
If the user is satisfied with the configuration, they proceed to the next stage.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdfgatm2odyulcd0bc306.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdfgatm2odyulcd0bc306.png" alt="sc11" width="800" height="453"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;Generation&lt;/h2&gt;

&lt;p&gt;In the final stage, Merlin produces artifacts for setting up the landing zone with minimal effort compared to starting from scratch. All generated artifacts are divided into four categories:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Scorecards — Merlin evaluates the configuration from architecture and security perspectives and provides a score with an explanation of any issues found. In our example, the security scan scored 100/100 (Checkov) and the architecture scorecard 98/100 — Overall Grade A. This is shift-left in practice: issues are caught at design time, before deployment, without waiting for findings from Security Command Center or Wiz.&lt;/li&gt;
&lt;li&gt;Terraform — Merlin generated 61 YAML files ready to use with Cloud Foundation Fabric. The files cover all five FAST stages: bootstrap (org setup, IAM, org policies), networking (VPC, subnets, firewall, DNS), security (KMS, SCC), project factory (workload projects), and VPC Service Controls (service perimeters). Dependencies between stages are handled automatically via FAST's $-interpolation tokens — no manual ID copying between stages.&lt;/li&gt;
&lt;li&gt;Documentation — A landing zone description and a step-by-step deployment guide explaining how to use the generated YAML files with Cloud Foundation Fabric.&lt;/li&gt;
&lt;li&gt;Diagrams — A set of diagrams describing the landing zone structure. Merlin produces Mermaid (.mmd) files rather than static images. Diagrams can be rendered at &lt;a href="https://mermaid.live" rel="noopener noreferrer"&gt;https://mermaid.live&lt;/a&gt; or converted to any graphics format.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The complete set of generated files and other Merlin examples are available at &lt;a href="https://github.com/Merlin-Studio" rel="noopener noreferrer"&gt;https://github.com/Merlin-Studio&lt;/a&gt;. Merlin Studio is currently free — registration only at &lt;a href="https://site.merlin-studio.cloud" rel="noopener noreferrer"&gt;https://site.merlin-studio.cloud&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft1rrludmlnndcp5gezba.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft1rrludmlnndcp5gezba.png" alt="Sc12" width="800" height="386"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs4v5hzkr0m6s4ymmruzk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs4v5hzkr0m6s4ymmruzk.png" alt="sc13" width="800" height="373"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In our example we showed how weeks of work can be reduced to a single interactive session. Starting from business requirements and technical conditions, and with guidance from the tool throughout, the user ends up with 61 ready-to-use Cloud Foundation Fabric files, architecture and security scorecards, a deployment guide, and Mermaid diagrams — all aligned with HIPAA, SOC 2, and CIS Benchmarks.&lt;/p&gt;

&lt;p&gt;Despite providing a rich set of deployment-ready files, Merlin does not replace the cloud architect. Design review, stakeholder discussions, and alignment with networking and security teams remain an essential part of any landing zone project. What Merlin does is take the tedious part off the table.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Interested in trying it? Email &lt;a href="mailto:intentarcha@gmail.com"&gt;intentarcha@gmail.com&lt;/a&gt; — we’ll get you set up within 24 hours.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>infrastructureascode</category>
      <category>googlecloud</category>
      <category>terraform</category>
      <category>hipaa</category>
    </item>
    <item>
      <title>GCP Landing Zone Setup Automation</title>
      <dc:creator>Boris Teplitsky</dc:creator>
      <pubDate>Mon, 16 Mar 2026 10:30:04 +0000</pubDate>
      <link>https://dev.to/boristep/gcp-landing-zone-setup-automation-31f8</link>
      <guid>https://dev.to/boristep/gcp-landing-zone-setup-automation-31f8</guid>
      <description>&lt;h2&gt;The Problem&lt;/h2&gt;

&lt;p&gt;Every GCP engagement starts the same way. Discovery call, spreadsheet of requirements, weeks of manual Terraform, IAM wiring, VPC design, org policies, budget alerts. Then a review cycle to catch what was missed. Then another.&lt;/p&gt;

&lt;p&gt;For a process that happens at the start of every cloud project, it's remarkably unautomated.&lt;/p&gt;

&lt;h2&gt;What a Landing Zone Actually Requires&lt;/h2&gt;

&lt;p&gt;A production-ready GCP landing zone typically includes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Organization hierarchy and folder structure&lt;/li&gt;
&lt;li&gt;VPC and shared networking&lt;/li&gt;
&lt;li&gt;IAM roles and service accounts&lt;/li&gt;
&lt;li&gt;Org policies and constraints&lt;/li&gt;
&lt;li&gt;Budget alerts and billing controls&lt;/li&gt;
&lt;li&gt;Security baselines&lt;/li&gt;
&lt;li&gt;FAST-compatible configuration&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Getting all of this right manually takes 2-3 weeks minimum.&lt;/p&gt;

&lt;h2&gt;A New Approach: Merlin&lt;/h2&gt;

&lt;p&gt;Merlin is a GCP landing zone generator. Answer an architecture questionnaire — org structure, environments, compliance, networking — and it outputs a complete production-ready landing zone.&lt;/p&gt;

&lt;p&gt;What comes out:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;FAST-compatible Terraform files&lt;/li&gt;
&lt;li&gt;Architecture and security scorecards&lt;/li&gt;
&lt;li&gt;Mermaid diagrams&lt;/li&gt;
&lt;li&gt;Validation warnings&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;See the Real Output&lt;/h2&gt;

&lt;p&gt;Published openly on GitHub — no signup required:&lt;/p&gt;

&lt;p&gt;👉 &lt;a href="https://github.com/Merlin-Studio" rel="noopener noreferrer"&gt;github.com/Merlin-Studio&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Includes Simple, Standard, and Advanced profile examples.&lt;/p&gt;

&lt;h2&gt;Worth Knowing About&lt;/h2&gt;

&lt;p&gt;👉 &lt;a href="https://site.merlin-studio.cloud" rel="noopener noreferrer"&gt;site.merlin-studio.cloud&lt;/a&gt;&lt;/p&gt;

</description>
      <category>googlecloud</category>
      <category>terraform</category>
      <category>devops</category>
      <category>cloudarchitecture</category>
    </item>
  </channel>
</rss>
