MERLIN

Cloud Foundation Design Studio

Design Your GCP Landing Zone with Confidence

Merlin is a Landing Zone Design Studio built on top of cloud-foundation-fabric — translating your requirements into production-ready Terraform through structured discovery, interactive configuration, and iterative refinement.

First 2 tasks free for one week • Pay after 30 days • No credit card

THE CHALLENGE

Landing Zone Design Is Complex

Designing a GCP landing zone means making decisions across resource hierarchy, identity and access management, networking, security policies, logging, cost controls, and more. These decisions interact — a choice in networking affects security, which affects compliance, which affects cost.

Most teams handle this with spreadsheets, scattered documents, and tribal knowledge. When requirements change — and they always do — nobody knows which document is current. The result: inconsistencies, security gaps discovered after deployment, and costly rework.

16 domains

Technical areas covered in a comprehensive landing zone

40+

Configuration decisions across hierarchy, IAM, networking, and security

3 profiles

Complexity levels to match your organization's needs

THE MERLIN WORKFLOW

Three Phases to Production-Ready Infrastructure

01
15–30 minutes

Structured Discovery

Answer guided questions across 7 categories to capture everything Merlin needs to recommend a landing zone design. Instead of blank-page requirements gathering, each question includes context and examples so stakeholders can contribute without deep GCP expertise.

  • Business Profile — organization size, project scope, team structure, and contact information
  • Identity & Billing — authentication providers, directory sync, billing account setup, and cost allocation
  • Technical Profile — existing infrastructure, migration context, and operational maturity
  • Compliance & Security — regulatory requirements, data residency, and security baselines
  • Infrastructure — regions, connectivity needs, and compute environment preferences
  • Workload Profile — application types, traffic patterns, and scaling requirements
  • Preferences — naming conventions, tagging strategy, and configuration mode selection

When discovery is complete, Merlin analyzes your answers and recommends a configuration profile — Simple, Standard, or Advanced — with a confidence score. You can accept the recommendation or override it based on your own judgment.

02
1 hour to 2+ days depending on profile

Guided Configuration

Configure up to 16 technical domains with the level of detail you choose. Three configuration modes let you control depth per section — switch freely between them as needed.

  • Express Mode — accept best-practice defaults with a single click, ideal for standard domains where defaults fit
  • Guided Mode — see Merlin's recommendation for each setting with an explanation of why, then accept or adjust
  • Expert Mode — full access to every option for domains that need fine-grained control like IAM or networking

16 technical domains span the full scope of a GCP landing zone, including:

  • Resource Hierarchy — folder structure, project naming, and environment separation
  • IAM & Access — roles, groups, service accounts, and least-privilege policies
  • Networking — VPC design, subnets, firewall rules, and hybrid connectivity
  • Security & Guardrails — Organization Policies, VPC Service Controls, and Security Command Center
  • Logging & Monitoring — log sinks, audit trails, alerting, and dashboards
  • Billing & Cost Management — budgets, alerts, cost allocation labels, and export configuration

Save progress at any point, return later, incorporate stakeholder feedback, and adjust as requirements evolve. Every change is versioned so you never lose previous decisions.

03
Seconds

Production-Ready Output

One click generates a complete, deployable landing zone from your design — infrastructure code, security validation, and documentation in seconds.

  • Infrastructure Code — choose between FAST YAML datasets for Google Cloud Foundation Fabric stages (org-setup, networking, security, project-factory, VPC-SC, CMEK) or classic Terraform .tfvars files — both production-ready
  • Architecture Scorecard — weighted design-quality assessment covering subnet sizing, CIDR conflicts, GKE ranges, DR readiness, data sovereignty, and cross-section consistency — scored 0–100
  • Security Scorecard — your design graded A through F with Checkov static analysis plus manual checks against GCP security best practices
  • Compliance Upgrades — automatic enforcement of framework-driven defaults for FedRAMP, HIPAA, SOX, NIST 800-53, GDPR, and more — applied before code generation so your output is compliant from the start
  • Architecture Diagrams — Mermaid visuals of your resource hierarchy, VPC topology, security perimeters, workloads, and DR configuration
  • README & Validation Report — full design document with per-section configuration tables, plus a unified validation report surfacing HCL issues, hollow configs, and actionable fix steps
  • CMEK Wiring Guide — per-service encryption key mappings with post-deployment gcloud commands for granting CryptoKey permissions to service agents

Everything is packaged into a single downloadable zip, versioned alongside your design. Update a configuration, regenerate, and compare the diff — then hand the output directly to your infrastructure team or feed it into CI/CD.

Iterate at Any Point

Requirements change. Stakeholders have new constraints. Regulations shift. With Merlin, you can update your configuration at any point and regenerate — your design decisions are preserved and versioned. You can create new versions of the same landing zone, so you never lose previous work.

INTELLIGENT PROFILE RECOMMENDATION

Your Answers Shape Your Architecture

After a brief discovery questionnaire, Merlin scores your responses across dimensions like team size, compliance needs, GCP experience, and connectivity requirements — then recommends the complexity level that fits. You can always override.

Simple Profile

  • Single team, cloud-native workloads
  • No regulatory compliance requirements
  • Secure defaults, minimal configuration
1-2 hours typical completion

Advanced Profile

  • Complex multi-BU org structure
  • Strict compliance (FedRAMP, NIST)
  • Interconnect, VPC SC, CMEK encryption
1-2 weeks typical completion

YOUR SPEED, YOUR CONTROL

Choose How You Work

Express Mode

Accept best-practice defaults, review at end

  • Pre-filled configuration based on your discovery answers and profile
  • Summary-only view — see what Merlin chose without the detail
  • Click “Customize” on any section to drill into specifics
  • Ideal for proof-of-concept setups and time-sensitive deployments
~30% of guided mode time

Guided Mode

Review recommendations, customize as needed

  • Each setting shows Merlin's recommendation with an explanation of why
  • Sections start collapsed — expand what matters, skip what doesn't
  • Accept or override any value with full context on trade-offs
  • The default for most production deployments and compliance-conscious teams
Baseline configuration time

Expert Mode

Full control over all configuration options

  • Every field visible and expanded — nothing hidden, nothing collapsed
  • Terraform variable names displayed alongside each setting
  • Advanced options exposed: VPC peering, custom DNS, MTU, flow logs
  • Built for experienced GCP architects and complex migration scenarios
~2.5x guided mode time

Mix modes freely — use Express for straightforward sections and Expert where you need fine-grained control. Switch at any time without losing work.

PRODUCTION-READY OUTPUTS

Everything You Need to Deploy

One click generates a complete, validated infrastructure package — Terraform variable files, YAML datasets, architecture documentation, Mermaid diagrams, and security scorecards. Every artifact is cross-referenced, compliance-annotated, and ready to feed directly into Google Cloud FAST Foundation.

Terraform & YAML

60+ .tfvars and YAML dataset files covering org setup, networking, security, project factory, VPC Service Controls, and CMEK — ready for FAST deployment

Documentation

Architecture README, CMEK wiring guide with post-deployment gcloud commands, and validation warnings — everything your team needs for handoff

Diagrams

Mermaid architecture diagrams showing VPC topology, folder hierarchy, security boundaries, workload placement, and DR layout

Scorecards

Checkov security scan plus a weighted architecture scorecard with 26+ checks across IP planning, IAM, encryption, multi-region, and operational readiness

Security scan and architecture scorecard — every generation is validated across IP planning, multi-region readiness, GKE configuration, hybrid connectivity, naming consistency, IAM, encryption, org policies, and logging

Browse, preview, and download every generated artifact — Terraform variable files, project factory YAML, VPC-SC perimeters, access levels, ingress and egress policies, all with inline code preview

BUILT FOR TEAMS

One Organization, Many Architects, Full Visibility

Landing zone design is a team effort. Merlin gives your organization a shared workspace where admins assign tasks, architects own their designs, and everyone works from a single source of truth — with role-based access and full audit trails.

Admin Role

  • Invite team members and assign roles across the organization
  • Create landing zone tasks and assign them to architects
  • Reassign tasks individually or in bulk when workloads shift
  • Monitor workload distribution and task progress from a central dashboard

Architect Role

  • Own assigned tasks end-to-end — from discovery through generation
  • Create multiple design versions within each task for iterative refinement
  • Configure at your own pace with progress saved automatically
  • Generate and compare outputs across versions to track design evolution

Merlin Admin Panel:

  • Members — add, remove, and manage roles for your team
  • All Tasks — see every landing zone design across the organization
  • Workload — visualize task distribution and rebalance with one click

COMPLIANCE ON DAY ZERO

Security and Compliance, Wired In — Not Bolted On

Select your compliance frameworks. Merlin automatically applies the required security controls, encryption policies, data residency constraints, and audit retention — across every section of your landing zone. No spreadsheets. No manual checklists. Every setting is traceable to its regulatory source.

CIS, SOC 2, ISO 27001, HIPAA, PCI-DSS v4.0, FedRAMP, NIST 800-53, SOX, GDPR, NIS2, EUCS

  • Automatic compliance defaults — 370+ field-level upgrades applied based on your selected frameworks, from encryption settings to audit retention periods
  • VPC Service Controls — data exfiltration perimeters generated with per-file compliance citations mapped to all applicable frameworks
  • Customer-managed encryption — CMEK keys generated per service across 14 GCP products, with compliance-driven rotation and HSM enforcement
  • Data loss prevention — DLP inspect templates, job triggers, and de-identification policies configured for PII, PHI, and PCI data types
  • Data residency enforcement — resource locations locked to US or EU based on FedRAMP, GDPR, EUCS, or NIS2 requirements
  • Architecture scorecard — weighted pre-deployment validation across 26+ checks covering encryption, IAM, networking, and operational readiness
  • Six validation layers — scorecard, operational readiness, cross-section consistency, HCL syntax, parser verification, and unified issue tracking

THE MERLIN ADVANTAGE

Before and After

Without Merlin: Weeks of editing YAML and HCL files, tracing module dependencies, commenting out what you don't need — hoping nothing breaks downstream
With Merlin: Guided wizard across 16 domains with three modes — Express for smart defaults, Guided for explanations, Expert for full control. No raw code editing.

Without Merlin: One-size-fits-all enterprise template. A 15-VM shop gets the same 8-folder hierarchy and hub-and-spoke network as a Fortune 500 bank.
With Merlin: Discovery-driven profiles — Simple, Standard, or Advanced — with calibrated defaults for hierarchy, IAM, networking, and security that match your actual organization.

Without Merlin: Compliance mapped in spreadsheets. Manual checklists for SOC 2, HIPAA, FedRAMP. Controls verified during audits — not during design.
With Merlin: Select your frameworks and Merlin applies 370+ field-level compliance upgrades automatically — CMEK, VPC-SC, DLP, data residency — all traceable to their regulatory source.

Without Merlin: Requirements change, stakeholders give feedback — and you're back in the code, manually re-editing Terraform, updating docs, redrawing diagrams separately.
With Merlin: Adjust inputs in the wizard, regenerate in seconds. Terraform, documentation, architecture diagrams, and security scorecard all stay in sync — versioned with every iteration.

Without Merlin: Terraform code with no documentation trail. Decisions live in Slack threads and meeting notes. New team members reverse-engineer intent from module parameters.
With Merlin: Complete output package — production-ready .tfvars, comprehensive README, Mermaid diagrams, compliance mapping, and a security scorecard grading your design A through F.

Without Merlin: Security validation happens after deployment. Overly broad IAM roles, missing org policies, and encryption gaps discovered during the first audit — or the first breach.
With Merlin: Six validation layers run before you deploy — architecture scorecard, operational readiness, cross-section consistency, HCL syntax, parser checks, and Checkov static analysis.

USAGE-BASED PRICING

Use First, Pay for What You Use

No plan to choose. Register, design your landing zones, and pay after 30 days based on actual usage.

Free for preview period

  • Simple: $1/day (~$30/month)
  • Advanced: $10/day (~$300/month)

First 2 tasks free for one week • Pay after 30 days • No credit card required

FREQUENTLY ASKED QUESTIONS

Got Questions?

Yes. Every section is independent — you can configure only the domains you care about and skip the rest. Skipped sections use profile-appropriate defaults, so you'll still get a complete, deployable output. Many teams start with networking and security, then fill in IAM and logging later.

Yes. You can go back to the discovery step and adjust your answers at any point — the profile will be recalculated automatically. When the profile changes, Merlin recalculates defaults for all sections, but any values you've explicitly set are preserved. You won't lose your work.

Each task is assigned to one architect at a time. However, an admin can reassign a task to a different architect whenever needed — for handoffs, reviews, or workload rebalancing. The full configuration history is preserved regardless of who works on it.

Billing stops immediately on the day you delete it — you're only charged for the days the task existed. If it was your only active task, your account stays active under the $30 monthly minimum until the next billing cycle. You can create new tasks at any time.

Delete all your active tasks and you won't be charged beyond the current billing cycle. There's no cancellation process, no contract, and no exit fee. Your generated outputs (Terraform, docs, diagrams) are yours — download them before deleting.

Absolutely. The generated .tfvars and YAML files are standard Terraform artifacts — edit them like any other code. Many teams use Merlin to get 90% of the way there, then fine-tune specific values in their IDE or CI/CD pipeline before deploying.

No. Merlin never connects to your GCP organization, projects, or APIs. It generates configuration based entirely on what you tell it during discovery and configuration. Your cloud credentials stay with you — Merlin produces the code, you deploy it.

Merlin is purpose-built for Google Cloud Platform. It generates output compatible with Google Cloud Foundation Fabric FAST. Depth over breadth — we'd rather cover GCP exceptionally well than cover three clouds superficially.

REQUEST PREVIEW ACCESS

Start Your Free Trial

Your email address must be one you can use to log in with Google.

Your information is used solely to set up your preview access. We do not share, sell, or use your data for any other purpose.