GCP Organization Structure

This page documents the complete GCP organization hierarchy created and managed by Badal Foundations, including all folders, projects, IAM groups, service accounts, and naming conventions.

Property	Value
Foundations Organization	foundation.badal.io (758951886862)
Legacy Organization	badal.io (42165644541)
Billing Account	01DEF7-F9833E-AD765A
Default Regions	northamerica-northeast1 (primary), us-west1 (secondary)
Total Projects	~219 (excluding system projects)

Two GCP Organizations

Badal operates two GCP organizations. foundation.badal.io is the Foundations platform described in this documentation. badal.io is the legacy organization containing older projects, client-specific workloads (e.g., Scotiabank GDAP), sandbox environments, and infrastructure pipelines predating Foundations. New workloads should be deployed into foundation.badal.io via the Foundations platform.

Full Organization Hierarchy

foundation.badal.io (758951886862)
│
├── fldr-bootstrap/
│   ├── prj-b-seed
│   │   └── State bucket (bkt-prj-b-seed-tfstate-6a60), SAs, KMS
│   └── prj-b-cicd-wif-gh
│       └── GitHub Actions WIF provider
│
├── fldr-common/
│   ├── prj-c-logging
│   ├── prj-c-billing-logs
│   ├── prj-c-kms
│   ├── prj-c-secrets
│   ├── prj-c-artifact-registry
│   ├── prj-c-scc
│   │
│   ├── platform-0r4dp/          (Platform BU common folder)
│   │   └── wif-host-0r4dp
│   ├── devex-9c9dl/             (DevEx BU common folder)
│   │   └── wif-host-9c9dl
│   └── data-80r13/              (Data BU common folder)
│       └── wif-host-80r13
│
├── fldr-network/
│   ├── prj-c-dns-hub
│   ├── prj-c-interconnect
│   ├── prj-d-shared-base           (development)
│   ├── prj-d-shared-restricted     (development)
│   ├── prj-n-shared-base           (non-production)
│   ├── prj-n-shared-restricted     (non-production)
│   ├── prj-p-shared-base           (production)
│   └── prj-p-shared-restricted     (production)
│
├── fldr-pci-dss/
│   └── (Excluded from most org policies)
│
├── fldr-sandbox/
│   ├── common/
│   ├── non-production/
│   └── production/
│
├── fldr-development/
│   ├── fldr-development/monitoring, secrets, KMS projects
│   ├── platform-0r4dp/
│   │   └── Tenant projects (e.g., gke-argocd-d-{suffix})
│   ├── data-80r13/
│   │   └── Tenant projects (e.g., governance-d-f6y39, template-d-b8cbu)
│   └── {bu-name}-{suffix}/
│       └── {tenant}-d-{suffix} (tenant projects)
│
├── fldr-non-production/
│   ├── fldr-non-production/monitoring, secrets, KMS projects
│   ├── platform-0r4dp/
│   │   └── Tenant projects
│   ├── devex-9c9dl/
│   │   └── Tenant projects (e.g., backstage-np-mly9n)
│   ├── data-80r13/
│   │   └── Tenant projects
│   └── {bu-name}-{suffix}/
│       └── {tenant}-np-{suffix} (tenant projects)
│
└── fldr-production/
    ├── fldr-production/monitoring, secrets, KMS projects
    ├── platform-0r4dp/
    │   └── Tenant projects
    ├── devex-9c9dl/
    │   └── Tenant projects
    ├── data-80r13/
    │   └── Tenant projects
    └── {bu-name}-{suffix}/
        └── {tenant}-p-{suffix} (tenant projects)

Top-Level Folders

Folder	Created By	Purpose
fldr-bootstrap	Stage 0 (Bootstrap)	Seed project, CI/CD project, Terraform state, service accounts
fldr-common	Stage 1 (Organization)	Shared infrastructure projects and BU common folders
fldr-network	Stage 1 (Organization)	DNS hub, interconnect, per-env shared VPC host projects
fldr-pci-dss	Stage 1 (Organization)	PCI-DSS workloads, excluded from restrictive org policies
fldr-sandbox	Stage 4 (Projects)	Sandbox business unit for experimentation
fldr-development	Stage 2 (Environments)	Development environment workloads
fldr-non-production	Stage 2 (Environments)	Non-production (staging) environment workloads
fldr-production	Stage 2 (Environments)	Production environment workloads

Per-Environment Folder Structure

Each environment folder (fldr-development, fldr-non-production, fldr-production) contains:

1. Shared infrastructure projects created by Stage 2 (Environments):

   • Monitoring project
   • Secrets project
   • KMS project

2. Business unit folders ({bu-name}-{suffix}) created by the BU module, containing:

   • Tenant projects ({tenant}-{env_code}-{suffix}) created by the tenant module

The same BU folder name appears in each environment folder. For example, data-80r13 exists under fldr-development, fldr-non-production, and fldr-production.

Business Unit Folder Pattern

Each business unit creates folders in two locations:

Location	Folder Name	Contents
fldr-common/{bu}-{suffix}/	Common folder	WIF host project (wif-host-{suffix})
fldr-{env}/{bu}-{suffix}/	Per-env folder	Tenant GCP projects

Tenant Project Naming

Tenant projects follow the pattern: {tenant}-{env_code}-{suffix}

Component	Description	Example
{tenant}	Tenant name	backstage, governance, template
{env_code}	First letter(s) of environment	d, np, p
{suffix}	Random 5-char alphanumeric	mly9n, f6y39, b8cbu

Examples:

Tenant	Environment	Project ID
backstage	non-production	backstage-np-mly9n
backstage	production	backstage-p-mly9n
governance	development	governance-d-f6y39
template	development	template-d-b8cbu
template	non-production	template-np-b8cbu
template	production	template-p-b8cbu

Shared Infrastructure Projects

Project ID	Folder	Purpose
prj-b-seed	fldr-bootstrap	Terraform state bucket, KMS keys, service accounts
prj-b-cicd-wif-gh	fldr-bootstrap	GitHub Actions OIDC / Workload Identity Federation
prj-c-logging	fldr-common	Centralized org-level audit and access logs
prj-c-billing-logs	fldr-common	Billing export and billing-specific logs
prj-c-kms	fldr-common	Organization-wide KMS key rings and crypto keys
prj-c-secrets	fldr-common	Centralized Secret Manager for shared secrets
prj-c-artifact-registry	fldr-common	Organization-wide Artifact Registry
prj-c-scc	fldr-common	Security Command Center configuration
prj-c-dns-hub	fldr-network	DNS hub VPC (172.16.0.0/25), Cloud DNS zones
prj-c-interconnect	fldr-network	Dedicated/Partner Interconnect attachments
prj-d-shared-base	fldr-network	Development base Shared VPC host project
prj-d-shared-restricted	fldr-network	Development restricted Shared VPC host project
prj-n-shared-base	fldr-network	Non-production base Shared VPC host project
prj-n-shared-restricted	fldr-network	Non-production restricted Shared VPC host project
prj-p-shared-base	fldr-network	Production base Shared VPC host project
prj-p-shared-restricted	fldr-network	Production restricted Shared VPC host project

IAM Groups

The Foundations bootstrap creates Google Groups for role-based access control:

Group	Purpose	Typical Roles
grp-gcp-org-admins	Organization administrators	roles/resourcemanager.organizationAdmin
grp-gcp-billing-admins	Billing account management	roles/billing.admin
grp-gcp-security-admins	Security and compliance	roles/iam.securityAdmin, roles/securitycenter.admin
grp-gcp-network-admins	Network infrastructure	roles/compute.networkAdmin, roles/dns.admin
grp-gcp-platform-admins	Platform operations	roles/resourcemanager.folderAdmin

Groups are managed via Google Workspace or Cloud Identity and are referenced by org policies and IAM bindings throughout the hierarchy.

Service Accounts

The bootstrap layer creates 5 granular Terraform service accounts, each scoped to a specific pipeline stage:

Service Account	Pipeline Stage	Key Permissions
sa-terraform-bootstrap	0-bootstrap	roles/resourcemanager.organizationAdmin, roles/billing.admin
sa-terraform-org	1-org	roles/resourcemanager.folderCreator, roles/orgpolicy.policyAdmin, roles/logging.admin
sa-terraform-env	2-environments	roles/resourcemanager.folderCreator, roles/resourcemanager.projectCreator
sa-terraform-net	3-networks	roles/compute.networkAdmin, roles/dns.admin, roles/servicenetworking.networksAdmin
sa-terraform-proj	4-projects	roles/resourcemanager.projectCreator, roles/billing.user

All service accounts authenticate via Workload Identity Federation (GitHub OIDC), eliminating the need for long-lived service account keys (enforced by org policy iam.disableServiceAccountKeyCreation).

Naming Conventions

Folder Prefixes

Prefix	Meaning	Example
fldr-	Foundation-level folder	fldr-bootstrap, fldr-common
{bu}-{suffix}	Business unit folder	data-80r13, platform-0r4dp

Project Prefixes

Prefix	Meaning	Example
prj-b-	Bootstrap project	prj-b-seed, prj-b-cicd-wif-gh
prj-c-	Common (shared) project	prj-c-logging, prj-c-kms
prj-d-	Development environment project	prj-d-shared-base
prj-n-	Non-production environment project	prj-n-shared-base
prj-p-	Production environment project	prj-p-shared-base
wif-host-	WIF host project (per BU)	wif-host-80r13
{tenant}-{env}-	Tenant project	backstage-np-mly9n

Environment Codes

Environment	Short Code	Single Letter
development	d	d
non-production	np	n
production	p	p
common	c	c
cross-env	ce	-

Other Naming Patterns

Resource Type	Pattern	Example
State bucket	bkt-{project}-tfstate-{suffix}	bkt-prj-b-seed-tfstate-6a60
GitHub repo (BU)	bu-{name}-{suffix}	bu-data-80r13
GitHub repo (tenant)	{bu}-{tenant}-{suffix}	data-template-b8cbu

Org Policies

Key organization policies enforced across the hierarchy (except fldr-pci-dss):

Policy	Effect
Disable nested virtualization	Prevents VMs inside VMs
Disable serial port access	Blocks serial console access
Require OS Login	Enforces OS Login for SSH access
Disable external IPs on VMs	Prevents public IP assignment to compute instances
Restrict public Cloud SQL	Blocks public IP on Cloud SQL instances
Disable SA key creation	Prevents creation of service account keys (forces WIF)
Disable default SA grants	Prevents automatic IAM grants to default SAs
Enforce uniform bucket access	Requires uniform bucket-level access on GCS
Block public GCS access	Prevents public access to storage buckets
Domain restricted sharing	Limits IAM grants to approved domains only