Available Features
Badal Foundations provides a rich set of infrastructure features that are available at the organization, Business Unit, or Tenant level. This guide summarizes each feature, how it works, and how to enable it.
Google Artifact Registry (GAR)
Level: Business Unit + Tenant
Google Artifact Registry provides a centralized, secure location for storing and managing build artifacts. Foundations implements a tiered architecture:
Tiered Architecture
| Layer | Type | Purpose |
|---|---|---|
| BU virtual repos | Virtual | Single pull endpoint for consumers — aggregates all upstream repos |
| BU standard repos | Standard | BU-wide shared artifacts (shared tenant project) |
| Tenant standard repos | Standard | Per-tenant, per-environment artifact storage |
Supported Artifact Types
| Type | Use Case |
|---|---|
DOCKER | Container images |
PYTHON | Python packages (pip) |
NPM | Node.js packages |
MAVEN | Java packages |
Enabling GAR
GAR is enabled at BU creation time:
gar_config = {
enabled = true
artifact_types = ["DOCKER", "PYTHON"]
}
When a Tenant is added to a GAR-enabled BU, tenant-level standard repositories are automatically created and linked as upstreams to the BU virtual repositories.
Region
All GAR repositories are created in northamerica-northeast1 (Montreal), the primary region for the Foundations deployment.
VPC Service Controls
Level: Organization (via Restricted VPC)
VPC Service Controls (VPC-SC) create a security perimeter around Google Cloud resources to prevent data exfiltration. Foundations implements this through the restricted Shared VPC.
How It Works
- Workloads in the base VPC have standard API access
- Workloads in the restricted VPC are inside a VPC-SC perimeter
- The perimeter restricts which Google APIs can be called and from where
- Access is mediated through access levels and ingress/egress rules
When to Use Restricted VPC
| Scenario | VPC |
|---|---|
| General workloads, internal tools | Base |
| Sensitive data processing, PII handling | Restricted |
| Regulated workloads (PCI, HIPAA) | Restricted |
| External-facing services with strict controls | Restricted |
Tenants request attachment to either the base or restricted VPC when their projects are created.
Budget Alerts and Cost Management
Level: Tenant
Budget alerts help teams manage cloud spend. Each Tenant can configure per-environment budgets.
Configuration
budget_config = {
enabled = true
amount = 1000 # Monthly budget in USD
alerts = [0.5, 0.8, 1.0] # Alert thresholds (percentages)
notification_channels = [
"projects/my-project/notificationChannels/12345"
]
}
Alert Thresholds
| Threshold | Meaning |
|---|---|
0.5 | Alert when 50% of budget is consumed |
0.8 | Alert when 80% of budget is consumed |
1.0 | Alert when 100% of budget is consumed |
Best Practices
- Set lower budgets for dev environments, higher for production
- Use different notification channels per environment (e.g., Slack for dev, PagerDuty for prod)
- Review billing exports in
prj-c-billing-logsfor detailed cost analysis
Centralized Logging
Level: Organization
All GCP audit logs and platform logs are collected centrally for security monitoring and compliance.
Architecture
| Component | Project | Purpose |
|---|---|---|
| Centralized logging | prj-c-logging | Aggregates org-wide audit and data access logs |
| Billing logs | prj-c-billing-logs | Billing export to BigQuery for cost analysis |
| BigQuery exports | prj-c-logging | Queryable log data for security investigations |
What Gets Logged
- Admin Activity audit logs (always on)
- Data Access audit logs (configurable per service)
- System Event audit logs
- Billing data exports
Security Command Center
Level: Organization
Security Command Center (SCC) provides centralized threat detection and vulnerability management across the entire GCP organization.
Capabilities
| Feature | Description |
|---|---|
| Vulnerability scanning | Identifies misconfigurations and vulnerabilities in GCP resources |
| Threat detection | Detects anomalous activity using built-in threat models |
| Security Health Analytics | Monitors compliance with security best practices |
| Web Security Scanner | Scans web applications for common vulnerabilities |
SCC is managed through the prj-c-scc project in the common folder.
Organization Policies
Level: Organization
Badal Foundations enforces a comprehensive set of organization policies to maintain security posture across all projects.
Compute Policies
| Policy | Effect |
|---|---|
| Disable nested virtualization | Prevents VMs from running nested hypervisors |
| Disable serial port access | Blocks serial port connections to VMs |
| Require OS Login | Enforces OS Login for SSH access to VMs |
| No external IPs on VMs | Prevents VMs from having public IP addresses |
IAM Policies
| Policy | Effect |
|---|---|
| Disable SA key creation | Forces use of WIF instead of static keys |
| Disable default SA grants | Prevents default compute SA from getting Editor role |
Storage Policies
| Policy | Effect |
|---|---|
| Uniform bucket-level access | Enforces consistent bucket access control |
| No public buckets | Prevents accidental exposure of storage data |
SQL Policies
| Policy | Effect |
|---|---|
| Restrict public IP | Prevents Cloud SQL instances from having public endpoints |
Network Policies
| Policy | Effect |
|---|---|
| Domain-restricted sharing | Limits resource sharing to the organization's domain |
| VPC SC access policy | Defines the org-wide VPC Service Controls policy |
The fldr-pci-dss folder is excluded from most organization policies to accommodate PCI-DSS compliance requirements that may need different security controls.
PCI-DSS Compliance Zone
Level: Organization
For workloads that must comply with PCI-DSS (Payment Card Industry Data Security Standard), Foundations provides a dedicated folder:
- Folder:
fldr-pci-dss - Excluded from standard org policies to allow PCI-specific controls
- Designed for workloads that process, store, or transmit cardholder data
- Custom security policies can be applied at the folder level
Databricks Integration
Level: Business Unit
Foundations supports Databricks workspace provisioning for data engineering and machine learning workloads.
- Managed through the gcp-foundations-projects repository (see the
databricks/subdirectory) - Databricks workspaces are created within BU project structures
- Integrated with the Shared VPC for network connectivity
Backstage Developer Portal
Level: Organization
Backstage provides a self-service developer portal for the Foundations platform.
Repository: repo-devex-backstage
Custom Plugins
The Foundations Backstage instance includes 15 custom plugins:
| Plugin | Purpose |
|---|---|
| homepage-links | Customized homepage with useful links |
| claude-flow | AI assistant integration |
| vault-secrets | HashiCorp Vault secret management |
| terraform-cloud | TFC workspace visibility and management |
| mockup | Design mockup viewer |
| gemini-agent | Gemini AI integration |
Self-Service Templates
Five active templates for infrastructure provisioning:
| Template | Purpose |
|---|---|
| create-business-unit | Create a new BU |
| create-tenant | Create a new Tenant within a BU |
| create-sandbox-project | Create a sandbox GCP project |
| edit-tenant-module | Modify tenant infrastructure |
| edit-business-unit | Modify BU configuration |
Infrastructure
- Runtime: Cloud Run on GCP
- Database: Cloud SQL PostgreSQL 15
- Secrets: HashiCorp Vault
- Auth: GitHub OAuth + Google OAuth
- Registry: GAR for container images
CI/CD with Reusable Workflows
Level: Organization
Repository: devex-reusable-workflows
A library of 14 reusable GitHub Actions workflows and 22+ composite actions that standardize CI/CD across all Foundations repositories.
Key Workflows
| Workflow | Purpose |
|---|---|
terraform-pr | Plan and validate Terraform on PRs |
terraform-ci | Apply Terraform on merge |
docker-pr / docker-ci / docker-release | Build, test, and publish container images |
semantic-release | Automated versioning and changelog generation |
generate-backends | Generate TFC backend configurations |
tfc-plan / tfc-apply | Terraform Cloud plan and apply operations |
release-please | Automated release management |
Composite Actions
Organized by domain:
docker/*— Docker build, push, tag operationsgithub/*— GitHub API interactions, PR managementterraform/*— Terraform init, validate, plan, applyrelease-please/*— Release automation
Versioning
Workflows use independent versioning with path-based tags (e.g., workflows/terraform-ci/v0.3.0), allowing teams to pin to specific versions.
Documentation Standards
Level: Organization
Repository: badal-documentation-standard
Two documentation standards are available:
| Standard | Tool | Use Case |
|---|---|---|
| Generic | MkDocs | Non-Terraform repositories |
| Terraform | Docusaurus | Terraform modules and infrastructure repos |
Each standard includes bootstrap scripts that auto-discover git context and generate catalog-info.yaml for Backstage integration.
Feature Summary
| Feature | Level | Enabled By |
|---|---|---|
| GAR (Artifact Registry) | BU + Tenant | BU creation config |
| VPC Service Controls | Organization | Restricted VPC attachment |
| Budget alerts | Tenant | Tenant creation config |
| Centralized logging | Organization | Always on |
| Security Command Center | Organization | Always on |
| Org policies | Organization | Always on |
| PCI-DSS zone | Organization | Folder placement |
| Databricks | BU | Project config |
| Backstage portal | Organization | Deployed separately |
| Reusable workflows | Organization | Referenced in repos |
| Documentation standards | Organization | Bootstrap script |