Deploys a baseline landing zone foundation for a Google Cloud Organization, establishing security guardrails using Organization Policies, resource hierarchy folders and projects, billing association, and centralized logging and monitoring. Deploys Google Cloud's recommended security controls and architecture. Use when setting up a new Google Cloud Organization or establishing a secure, enterprise-grade landing zone foundation. Don't use for individual project onboarding (use google-cloud-recipe-onboarding or product-specific skills instead).
```sh
npx skill4agent add google/skills google-cloud-recipe-foundation-builder
```

> [!WARNING]
> This skill is currently in a preview state. It will deploy a secure foundation, but does not have all advanced features. Users who want more options should visit Google Cloud Setup.
## Phase 1: Discovery and approval

The foundation consists of four folders (`Common`, `Production`, `Non-Production`, `Development`) and four projects (`logging-[SUFFIX]`, `prod-[SUFFIX]`, `non-prod-[SUFFIX]`, `dev-[SUFFIX]`, for example `prod-ab12cd34`), with centralized logging in a `global` log bucket. Any `Permission Denied` error raised by `gcloud` during deployment is handled by the lazy role remediation strategy described below.

Identify the organization and an open billing account:

```sh
# List to find ID if needed
gcloud organizations list
gcloud billing accounts list --filter=open=true
# Describe the organization to retrieve metadata
gcloud organizations describe [ORGANIZATION_ID]
```

From the `describe` output, `[ORG_NAME]` (also `[YOUR_DOMAIN]`) is the `displayName` (e.g. `my-business.com`) and `[DIRECTORY_CUSTOMER_ID]` is `owner.directoryCustomerId` (e.g. `C01234567`).

Present the plan to the user:

Proposed Foundation Deployment Summary for Organization: [ORG_NAME] ([ORGANIZATION_ID])

- Security: Enforce 17 baseline Organization Policies (13 Boolean, 4 List).
- Folders: Create 4 folders sequentially (`Common`, `Production`, `Non-Production`, `Development`).
- Projects: Create 4 projects sequentially with unique IDs (`logging-[SUFFIX]`, `prod-[SUFFIX]`, `non-prod-[SUFFIX]`, `dev-[SUFFIX]`).
- Billing: Link all projects to Billing Account `[BILLING_ACCOUNT_ID]`.
- APIs: Enable Logging and Monitoring APIs on the central project.
- Centralized Logging: Deploy a `[ORG_NAME]-logging` log bucket (location `global`, 30-day retention), configure an organization-level sink (`[ORGANIZATION_ID]-logbucketsink-[RANDOM_HEX]`), and establish cross-project metrics scopes.

Do you wish to proceed with this deployment? (Yes/No)
> [!IMPORTANT]
> Pause execution and wait for explicit user approval before moving to Phase 2. If the user declines, abort the operation.

## Phase 2: Deployment

Permissions are not tested up front. Deployment commands run directly, and a `Permission Denied` error triggers the remediation described here.

> [!IMPORTANT]
> When asked about pre-deployment readiness, prerequisites, or checks to run, the agent must explicitly explain that the landing zone deployment adopts a lazy role remediation strategy rather than upfront testing, detailing all of the following in its response:
> 1. Confirm it will execute deployment commands directly, catching any `Permission Denied` errors.
> 2. Confirm it will attempt to self-remediate on failure by running the exact commands `gcloud organizations add-iam-policy-binding` or `gcloud billing accounts add-iam-policy-binding` to grant the entire administrative group of roles to the active identity, and then retry the failed deployment command.
> 3. List the core administrative groups that it will attempt to grant (Organization Admin Group, Billing Admin Group, and Security Admin Group) mapped to their key roles.
> 4. Confirm it will halt execution and request manual administrator intervention if the self-remediation grant command fails.

Commands used in this phase: `gcloud organizations add-iam-policy-binding`, `gcloud billing accounts add-iam-policy-binding` (both require `setIamPolicy` on the target resource), `gcloud org-policies set-policy`, `gcloud resource-manager folders create`, `gcloud projects create`, `gcloud billing projects link`, `gcloud logging sinks create`. Roles referenced: `roles/billing.user`, `roles/logging.admin`, `roles/monitoring.admin`.

> [!CAUTION]
> Applying `iam.allowedPolicyMemberDomains` first can lock out the deployment identity if it resides in an unallowed domain. Ensure the deployment identity is safe before enforcing this policy.

### Organization Policies

Each baseline policy is applied with `gcloud org-policies`:

```sh
gcloud org-policies set-policy [POLICY_FILE_NAME].yaml
```

### Folders and projects

The folders `Common`, `Production`, `Non-Production` and `Development` are created sequentially, each only if it does not already exist.

> [!IMPORTANT]
> When explaining how existing resources (folders and projects) are handled to prevent duplication, the agent must explicitly name the remaining missing folders (`Non-Production` and `Development`) and confirm that it will proceed to sequentially create only these missing folders and projects.
```sh
# Check and Create "Common" Folder
gcloud resource-manager folders list --organization=[ORGANIZATION_ID] --filter="display_name=Common"
# If not present:
gcloud resource-manager folders create --display-name="Common" --organization=[ORGANIZATION_ID]
# Check and Create "Production" Folder
gcloud resource-manager folders list --organization=[ORGANIZATION_ID] --filter="display_name=Production"
# If not present:
gcloud resource-manager folders create --display-name="Production" --organization=[ORGANIZATION_ID]
# Check and Create "Non-Production" Folder
gcloud resource-manager folders list --organization=[ORGANIZATION_ID] --filter="display_name=Non-Production"
# If not present:
gcloud resource-manager folders create --display-name="Non-Production" --organization=[ORGANIZATION_ID]
# Check and Create "Development" Folder
gcloud resource-manager folders list --organization=[ORGANIZATION_ID] --filter="display_name=Development"
# If not present:
gcloud resource-manager folders create --display-name="Development" --organization=[ORGANIZATION_ID]
```

Projects are then created under the resolved folder IDs. `[SUFFIX]` is a unique suffix (e.g. `ab12cd34`) that keeps project IDs globally unique.

```sh
# Check if "central-logging-monitoring" project exists in Common folder
gcloud projects list --filter="parent.id=[COMMON_FOLDER_ID] AND parent.type=folder AND name=central-logging-monitoring"
# If not present: Create, link billing, and enable APIs
gcloud projects create logging-[SUFFIX] --name="central-logging-monitoring" --folder=[COMMON_FOLDER_ID]
gcloud billing projects link logging-[SUFFIX] --billing-account=[BILLING_ACCOUNT_ID]
gcloud services enable compute.googleapis.com logging.googleapis.com monitoring.googleapis.com --project=logging-[SUFFIX]
# Check if "production" project exists in Production folder
gcloud projects list --filter="parent.id=[PRODUCTION_FOLDER_ID] AND parent.type=folder AND name=production"
# If not present: Create, link billing, and enable APIs
gcloud projects create prod-[SUFFIX] --name="production" --folder=[PRODUCTION_FOLDER_ID]
gcloud billing projects link prod-[SUFFIX] --billing-account=[BILLING_ACCOUNT_ID]
gcloud services enable compute.googleapis.com run.googleapis.com container.googleapis.com artifactregistry.googleapis.com firestore.googleapis.com pubsub.googleapis.com aiplatform.googleapis.com cloudaicompanion.googleapis.com apphub.googleapis.com designcenter.googleapis.com discoveryengine.googleapis.com iam.googleapis.com config.googleapis.com cloudbuild.googleapis.com cloudasset.googleapis.com cloudkms.googleapis.com cloudresourcemanager.googleapis.com --project=prod-[SUFFIX]
# Check if "non-production" project exists in Non-Production folder
gcloud projects list --filter="parent.id=[NON_PRODUCTION_FOLDER_ID] AND parent.type=folder AND name=non-production"
# If not present: Create, link billing, and enable APIs
gcloud projects create non-prod-[SUFFIX] --name="non-production" --folder=[NON_PRODUCTION_FOLDER_ID]
gcloud billing projects link non-prod-[SUFFIX] --billing-account=[BILLING_ACCOUNT_ID]
gcloud services enable compute.googleapis.com run.googleapis.com container.googleapis.com artifactregistry.googleapis.com firestore.googleapis.com pubsub.googleapis.com aiplatform.googleapis.com cloudaicompanion.googleapis.com apphub.googleapis.com designcenter.googleapis.com discoveryengine.googleapis.com iam.googleapis.com config.googleapis.com cloudbuild.googleapis.com cloudasset.googleapis.com cloudkms.googleapis.com cloudresourcemanager.googleapis.com --project=non-prod-[SUFFIX]
# Check if "development" project exists in Development folder
gcloud projects list --filter="parent.id=[DEVELOPMENT_FOLDER_ID] AND parent.type=folder AND name=development"
# If not present: Create, link billing, and enable APIs
gcloud projects create dev-[SUFFIX] --name="development" --folder=[DEVELOPMENT_FOLDER_ID]
gcloud billing projects link dev-[SUFFIX] --billing-account=[BILLING_ACCOUNT_ID]
gcloud services enable compute.googleapis.com run.googleapis.com container.googleapis.com artifactregistry.googleapis.com firestore.googleapis.com pubsub.googleapis.com aiplatform.googleapis.com cloudaicompanion.googleapis.com apphub.googleapis.com designcenter.googleapis.com discoveryengine.googleapis.com iam.googleapis.com config.googleapis.com cloudbuild.googleapis.com cloudasset.googleapis.com cloudkms.googleapis.com cloudresourcemanager.googleapis.com --project=dev-[SUFFIX]
```

> [!NOTE]
> Agentic Parallelism Option: While the manual runbook enforces sequential project execution to avoid terminal race conditions, an AI agent with multi-agent orchestration capability may optionally spawn subagents to provision the 4 projects in parallel once folder IDs are resolved.
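The check-then-create sequence above, and the `iam.allowedPolicyMemberDomains` lock-out caution, as one added shell script. This is example code written for this page, not part of the skill's own runbook: the `GCLOUD` variable, the function names (`ensure_folder`, `ensure_project`, `email_domain`, `identity_matches_org_domain`, `main`) and the pre-flight rule that the active account must sit in the organization's `displayName` domain are assumptions. The same list-then-create pattern is generalized so that re-running the script against a partially built hierarchy only creates what is missing, without duplicating folders or re-linking billing.

```sh
#!/bin/sh
# Added example, not the skill's own code: idempotent folder and project
# provisioning as shell functions, plus a pre-flight guard for the
# iam.allowedPolicyMemberDomains caution. GCLOUD is an assumed indirection
# so the logic can be exercised against a stub instead of a real org.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Print the numeric ID of the folder named $2 under organization $1,
# creating it when the list query returns nothing. Assumes the display
# name is unique under the organization.
ensure_folder() {
    fid=$("$GCLOUD" resource-manager folders list \
        --organization="$1" --filter="display_name=$2" \
        --format="value(name)")
    if [ -z "$fid" ]; then
        "$GCLOUD" resource-manager folders create \
            --display-name="$2" --organization="$1" >/dev/null
        # Re-query rather than parse the create output, so the same code
        # path is used whether or not the folder already existed.
        fid=$("$GCLOUD" resource-manager folders list \
            --organization="$1" --filter="display_name=$2" \
            --format="value(name)")
    fi
    echo "${fid#folders/}"
}

# Create project $1 (display name $2) under folder $3 and link billing
# account $4 only when no project with that display name exists there.
# Any further arguments are APIs to enable. Prints the project ID.
ensure_project() {
    pid=$1; display=$2; folder=$3; billing=$4; shift 4
    existing=$("$GCLOUD" projects list \
        --filter="parent.id=$folder AND parent.type=folder AND name=$display" \
        --format="value(projectId)")
    if [ -z "$existing" ]; then
        "$GCLOUD" projects create "$pid" --name="$display" --folder="$folder" >/dev/null
        "$GCLOUD" billing projects link "$pid" --billing-account="$billing" >/dev/null
        [ "$#" -eq 0 ] || "$GCLOUD" services enable "$@" --project="$pid" >/dev/null
        existing=$pid
    fi
    echo "$existing"
}

# Domain part of an e-mail style principal (everything after the last "@").
email_domain() {
    echo "${1##*@}"
}

# Guard for the iam.allowedPolicyMemberDomains caution: succeeds only when
# the active gcloud account is in the organization's primary domain, which
# "gcloud organizations describe" reports as displayName. Assumed check; it
# does not cover secondary domains that the policy may allow by customer ID.
identity_matches_org_domain() {
    acct=$("$GCLOUD" config get-value account)
    primary=$("$GCLOUD" organizations describe "$1" --format="value(displayName)")
    [ "$(email_domain "$acct")" = "$primary" ]
}

# Sequential deployment in runbook order:
#   sh foundation.sh ORGANIZATION_ID BILLING_ACCOUNT_ID SUFFIX
main() {
    org=$1; billing=$2; suffix=$3
    if ! identity_matches_org_domain "$org"; then
        echo "deployment identity is outside the org's primary domain; stopping" >&2
        return 1
    fi
    common=$(ensure_folder "$org" Common)
    prod=$(ensure_folder "$org" Production)
    nonprod=$(ensure_folder "$org" Non-Production)
    dev=$(ensure_folder "$org" Development)
    ensure_project "logging-$suffix" central-logging-monitoring "$common" "$billing" \
        logging.googleapis.com monitoring.googleapis.com
    ensure_project "prod-$suffix" production "$prod" "$billing" compute.googleapis.com
    ensure_project "non-prod-$suffix" non-production "$nonprod" "$billing" compute.googleapis.com
    ensure_project "dev-$suffix" development "$dev" "$billing" compute.googleapis.com
}

[ "$#" -eq 0 ] || main "$@"
```

Running the domain guard before any `set-policy` call is the cheap way to honour the caution: if the account that will later apply `iam.allowedPolicyMemberDomains` is outside the allowed domain, the script stops before it has created anything that would then be unreachable.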
## Phase 3: Verification

- Organization policies: `gcloud org-policies list --organization=[ORGANIZATION_ID]` lists the baseline policies.
- Folders: `Common`, `Production`, `Non-Production` and `Development` exist under the organization.
- Billing: `gcloud billing projects list --billing-account=[BILLING_ACCOUNT_ID]` shows all four projects linked.
- Central logging project `logging-[SUFFIX]`: the `[ORG_NAME]-logging` log bucket exists in location `global` with 30-day retention.
- Sink: `gcloud logging sinks describe` returns the organization-level sink and its `writerIdentity`.
- Monitoring: `gcloud beta monitoring metrics-scopes describe` shows the `dev`, `non-prod`, `prod` and `logging` projects in the central metrics scope.
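The centralized logging step from the deployment summary (log bucket with 30-day retention, organization-level sink, `writerIdentity`) and its verification, as an added shell example that is not the skill's own code. The function names, the `GCLOUD` indirection, the audit-log-only `--log-filter`, and the `roles/logging.bucketWriter` grant on the destination project are assumptions; bucket and project naming follows the summary above. The verification function is the check a reviewer would want before declaring the sink working: a sink whose writer identity has no write access on the destination silently drops every entry it routes.

```sh
#!/bin/sh
# Added example, not the skill's own code: centralized logging as shell
# functions. GCLOUD is an assumed indirection so the flow can run against
# a stub; the log filter and the bucketWriter grant are assumptions.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Create log bucket $2 in project $1 (location global, 30-day retention)
# unless it already exists. Prints the bucket's full resource name, which
# the sink destination needs.
ensure_log_bucket() {
    project=$1; bucket=$2
    name="projects/$project/locations/global/buckets/$bucket"
    if ! "$GCLOUD" logging buckets describe "$bucket" --location=global \
            --project="$project" >/dev/null 2>&1; then
        "$GCLOUD" logging buckets create "$bucket" --location=global \
            --retention-days=30 --project="$project" >/dev/null
    fi
    echo "$name"
}

# Create organization-level sink $2 routing audit logs from organization
# $1 and all children into bucket $3, then print the sink's writerIdentity.
# Filtering to Cloud Audit Logs is an assumption; the page does not specify.
ensure_org_sink() {
    org=$1; sink=$2; bucket_name=$3
    if ! "$GCLOUD" logging sinks describe "$sink" --organization="$org" >/dev/null 2>&1; then
        "$GCLOUD" logging sinks create "$sink" "logging.googleapis.com/$bucket_name" \
            --organization="$org" --include-children \
            --log-filter='logName:"cloudaudit.googleapis.com"' >/dev/null
    fi
    "$GCLOUD" logging sinks describe "$sink" --organization="$org" \
        --format="value(writerIdentity)"
}

# Grant the sink's writer identity the least-privileged role that lets it
# write into buckets of the destination project (assumed grant).
grant_bucket_writer() {
    project=$1; writer=$2
    "$GCLOUD" projects add-iam-policy-binding "$project" \
        --member="$writer" --role=roles/logging.bucketWriter >/dev/null
}

# Verification for the final phase: the sink has a writerIdentity and that
# identity holds roles/logging.bucketWriter on the destination project.
verify_sink_delivery() {
    org=$1; sink=$2; project=$3
    writer=$("$GCLOUD" logging sinks describe "$sink" --organization="$org" \
        --format="value(writerIdentity)")
    [ -n "$writer" ] || return 1
    "$GCLOUD" projects get-iam-policy "$project" \
        --flatten="bindings[].members" \
        --filter="bindings.role=roles/logging.bucketWriter AND bindings.members=$writer" \
        --format="value(bindings.members)" | grep -q .
}

# Whole step in order:
#   sh central-logging.sh ORGANIZATION_ID ORG_NAME SUFFIX SINK_NAME
deploy_central_logging() {
    org=$1; org_name=$2; suffix=$3; sink=$4
    project="logging-$suffix"
    bucket=$(ensure_log_bucket "$project" "$org_name-logging")
    writer=$(ensure_org_sink "$org" "$sink" "$bucket")
    grant_bucket_writer "$project" "$writer"
    verify_sink_delivery "$org" "$sink" "$project"
}

[ "$#" -eq 0 ] || deploy_central_logging "$@"
```

The order matters: the writer identity only exists once the sink has been created, so the grant has to follow sink creation, and the verification has to follow the grant. Running `verify_sink_delivery` again later is a cheap detection for someone having removed the binding.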