Merge remote-tracking branch 'origin/fast-dev'

fast/stages/.gitignore

@@ -1 +0,0 @@
-!diagrams-data-platform.excalidraw

fast/stages/0-org-setup/README.md

@@ -899,7 +899,7 @@ Define values for the `var.environments` variable in a tfvars file.
 | [billing.tf](./billing.tf) | None | <code>billing-account</code> |  |
 | [cicd-workflows-preconditions.tf](./cicd-workflows-preconditions.tf) | None |  | <code>terraform_data</code> |
 | [cicd-workflows.tf](./cicd-workflows.tf) | None | <code>iam-service-account</code> | <code>google_storage_bucket_object</code> · <code>local_file</code> |
-| [factory.tf](./factory.tf) | None | <code>project-factory</code> |  |
+| [factory.tf](./factory.tf) | None | <code>net-vpc-factory</code> · <code>project-factory</code> |  |
 | [identity-providers-defs.tf](./identity-providers-defs.tf) | None |  |  |
 | [imports.tf](./imports.tf) | None |  |  |
 | [main.tf](./main.tf) | Module-level locals and resources. |  | <code>terraform_data</code> |
@@ -914,8 +914,8 @@ Define values for the `var.environments` variable in a tfvars file.
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [context](variables.tf#L17) | Context-specific interpolations. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [factories_config](variables.tf#L40) | Configuration for the resource factories or external data. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [org_policies_imports](variables.tf#L59) | List of org policies to import. These need to also be defined in data files. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [factories_config](variables.tf#L41) | Configuration for the resource factories or external data. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [org_policies_imports](variables.tf#L61) | List of org policies to import. These need to also be defined in data files. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
 
 ## Outputs
 
@@ -923,5 +923,8 @@ Define values for the `var.environments` variable in a tfvars file.
 |---|---|:---:|
 | [iam_principals](outputs.tf#L17) | IAM principals. |  |
 | [projects](outputs.tf#L22) | Attributes for managed projects. |  |
-| [tfvars](outputs.tf#L27) | Stage tfvars. | ✓ |
+| [subnet_ips](outputs.tf#L27) | Map of subnet address ranges keyed by VPC and subnet name. |  |
+| [subnet_self_links](outputs.tf#L34) | Map of subnet self links keyed by VPC and subnet name. |  |
+| [tfvars](outputs.tf#L41) | Stage tfvars. | ✓ |
+| [vpc_self_links](outputs.tf#L47) | Map of VPC self links keyed by VPC name. |  |
 <!-- END TFDOC -->

fast/stages/0-org-setup/datasets/classic-gcd/defaults.yaml

@@ -93,11 +93,3 @@ output_files:
       bucket: $storage_buckets:iac-0/iac-stage-state
       prefix: 2-project-factory
       service_account: $iam_principals:service_accounts/iac-0/iac-pf-ro
-    3-data-platform-dev:
-      bucket: $storage_buckets:iac-0/iac-stage-state
-      prefix: 3-data-platform-dev
-      service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
-    3-data-platform-dev-ro:
-      bucket: $storage_buckets:iac-0/iac-stage-state
-      prefix: 3-data-platform-dev
-      service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-ro

fast/stages/0-org-setup/datasets/classic-gcd/folders/data-platform/dev/.config.yaml

@@ -1,29 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
-
-name: Development
-iam_by_principals:
-  $iam_principals:service_accounts/iac-0/iac-dp-dev-rw:
-    - roles/logging.admin
-    - roles/owner
-    - roles/resourcemanager.folderAdmin
-    - roles/resourcemanager.projectCreator
-    - roles/compute.xpnAdmin
-  $iam_principals:service_accounts/iac-0/iac-dp-dev-ro:
-    - roles/viewer
-    - roles/resourcemanager.folderViewer
-tag_bindings:
-  environment: $tag_values:environment/development

fast/stages/0-org-setup/datasets/classic-gcd/projects/core/iac-0.yaml

@@ -130,12 +130,6 @@ buckets:
             - $iam_principals:service_accounts/iac-0/iac-pf-rw
           $custom_roles:storage_viewer:
             - $iam_principals:service_accounts/iac-0/iac-pf-ro
-      3-data-platform-dev:
-        iam:
-          roles/storage.admin:
-            - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
-          $custom_roles:storage_viewer:
-            - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
   # Terraform state bucket for FAST outputs
   iac-outputs:
     description: Terraform state for the org-level automation.
@@ -143,14 +137,12 @@ buckets:
     iam:
       roles/storage.admin:
         - $iam_principals:service_accounts/iac-0/iac-org-rw
-        - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
         - $iam_principals:service_accounts/iac-0/iac-networking-rw
         - $iam_principals:service_accounts/iac-0/iac-security-rw
         - $iam_principals:service_accounts/iac-0/iac-pf-rw
         - $iam_principals:service_accounts/iac-0/iac-vpcsc-rw
       $custom_roles:storage_viewer:
         - $iam_principals:service_accounts/iac-0/iac-org-ro
-        - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
         - $iam_principals:service_accounts/iac-0/iac-networking-ro
         - $iam_principals:service_accounts/iac-0/iac-security-ro
         - $iam_principals:service_accounts/iac-0/iac-pf-ro
@@ -196,11 +188,6 @@ service_accounts:
     display_name: IaC service account for project factory (read-only).
   iac-pf-rw:
     display_name: IaC service account for project factory (read-write).
-  # IaC service accounts for data platform (dev) stage
-  iac-dp-dev-ro:
-    display_name: IaC service account for data platform dev (read-only).
-  iac-dp-dev-rw:
-    display_name: IaC service account for data platform dev (read-write).
 # workload_identity_pools:
 #   default:
 #     display_name: Default pool for CI/CD.

fast/stages/0-org-setup/datasets/classic/defaults.yaml

@@ -86,11 +86,3 @@ output_files:
       bucket: $storage_buckets:iac-0/iac-stage-state
       prefix: 2-project-factory
       service_account: $iam_principals:service_accounts/iac-0/iac-pf-ro
-    3-data-platform-dev:
-      bucket: $storage_buckets:iac-0/iac-stage-state
-      prefix: 3-data-platform-dev
-      service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
-    3-data-platform-dev-ro:
-      bucket: $storage_buckets:iac-0/iac-stage-state
-      prefix: 3-data-platform-dev
-      service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-ro

fast/stages/0-org-setup/datasets/classic/folders/data-platform/dev/.config.yaml

@@ -1,29 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
-
-name: Development
-iam_by_principals:
-  $iam_principals:service_accounts/iac-0/iac-dp-dev-rw:
-    - roles/logging.admin
-    - roles/owner
-    - roles/resourcemanager.folderAdmin
-    - roles/resourcemanager.projectCreator
-    - roles/compute.xpnAdmin
-  $iam_principals:service_accounts/iac-0/iac-dp-dev-ro:
-    - roles/viewer
-    - roles/resourcemanager.folderViewer
-tag_bindings:
-  environment: $tag_values:environment/development

fast/stages/0-org-setup/datasets/classic/projects/core/iac-0.yaml

@@ -135,12 +135,6 @@ buckets:
             - $iam_principals:service_accounts/iac-0/iac-pf-rw
           $custom_roles:storage_viewer:
             - $iam_principals:service_accounts/iac-0/iac-pf-ro
-      3-data-platform-dev:
-        iam:
-          roles/storage.admin:
-            - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
-          $custom_roles:storage_viewer:
-            - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
   # Terraform state bucket for FAST outputs
   iac-outputs:
     description: Terraform state for the org-level automation.
@@ -148,14 +142,12 @@ buckets:
     iam:
       roles/storage.admin:
         - $iam_principals:service_accounts/iac-0/iac-org-rw
-        - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
         - $iam_principals:service_accounts/iac-0/iac-networking-rw
         - $iam_principals:service_accounts/iac-0/iac-security-rw
         - $iam_principals:service_accounts/iac-0/iac-pf-rw
         - $iam_principals:service_accounts/iac-0/iac-vpcsc-rw
       $custom_roles:storage_viewer:
         - $iam_principals:service_accounts/iac-0/iac-org-ro
-        - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
         - $iam_principals:service_accounts/iac-0/iac-networking-ro
         - $iam_principals:service_accounts/iac-0/iac-security-ro
         - $iam_principals:service_accounts/iac-0/iac-pf-ro
@@ -201,11 +193,6 @@ service_accounts:
     display_name: IaC service account for project factory (read-only).
   iac-pf-rw:
     display_name: IaC service account for project factory (read-write).
-  # IaC service accounts for data platform (dev) stage
-  iac-dp-dev-ro:
-    display_name: IaC service account for data platform dev (read-only).
-  iac-dp-dev-rw:
-    display_name: IaC service account for data platform dev (read-write).
 # workload_identity_pools:
 #   default:
 #     display_name: Default pool for CI/CD.

fast/stages/0-org-setup/datasets/hardened/defaults.yaml

@@ -86,11 +86,3 @@ output_files:
       bucket: $storage_buckets:iac-0/iac-stage-state
       prefix: 2-project-factory
       service_account: $iam_principals:service_accounts/iac-0/iac-pf-ro
-    3-data-platform-dev:
-      bucket: $storage_buckets:iac-0/iac-stage-state
-      prefix: 3-data-platform-dev
-      service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
-    3-data-platform-dev-ro:
-      bucket: $storage_buckets:iac-0/iac-stage-state
-      prefix: 3-data-platform-dev
-      service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-ro

fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml

@@ -1,25 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
-
-name: Data Platform
-# To enforce once the constraints are provisionned
-# org_policies:
-#   custom.iamDisableAdminServiceAccount:
-#     rules:
-#       - enforce: false
-#   custom.iamDisableProjectServiceAccountImpersonationRoles:
-#     rules:
-#       - enforce: false

fast/stages/0-org-setup/datasets/hardened/folders/data-platform/dev/.config.yaml

@@ -1,52 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
-
-name: Development
-iam_by_principals:
-  $iam_principals:service_accounts/iac-0/iac-dp-dev-rw:
-    - roles/bigquery.admin
-    - roles/composer.admin
-    - roles/compute.xpnAdmin
-    - roles/dataflow.admin
-    - roles/iam.serviceAccountAdmin
-    - roles/logging.admin
-    - roles/pubsub.admin
-    - roles/resourcemanager.folderAdmin
-    - roles/resourcemanager.projectCreator
-    - roles/resourcemanager.projectDeleter
-    - roles/resourcemanager.projectIamAdmin
-    - roles/serviceusage.serviceUsageAdmin
-    - roles/storage.admin
-  $iam_principals:service_accounts/iac-0/iac-dp-dev-ro:
-    - roles/bigquery.dataViewer
-    - roles/bigquery.jobUser
-    - roles/browser
-    - roles/composer.user
-    - roles/datacatalog.viewer
-    - roles/dataflow.viewer
-    - roles/logging.viewer
-    - roles/pubsub.viewer
-    - roles/resourcemanager.folderViewer
-    - roles/resourcemanager.tagViewer
-    - roles/serviceusage.serviceUsageViewer
-    - roles/storage.bucketViewer
-    - roles/storage.objectViewer
-    - $custom_roles:folder_viewer
-    - $custom_roles:logging_viewer
-    - $custom_roles:service_account_viewer
-    - $custom_roles:storage_viewer
-tag_bindings:
-  environment: $tag_values:environment/development

fast/stages/0-org-setup/datasets/hardened/projects/core/iac-0.yaml

@@ -220,12 +220,6 @@ buckets:
             - $iam_principals:service_accounts/iac-0/iac-pf-rw
           $custom_roles:storage_viewer:
             - $iam_principals:service_accounts/iac-0/iac-pf-ro
-      3-data-platform-dev:
-        iam:
-          roles/storage.admin:
-            - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
-          $custom_roles:storage_viewer:
-            - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
   # Terraform state bucket for FAST outputs
   iac-outputs:
     description: Terraform state for the org-level automation.
@@ -259,14 +253,12 @@ buckets:
     iam:
       roles/storage.admin:
         - $iam_principals:service_accounts/iac-0/iac-org-rw
-        - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
         - $iam_principals:service_accounts/iac-0/iac-networking-rw
         - $iam_principals:service_accounts/iac-0/iac-security-rw
         - $iam_principals:service_accounts/iac-0/iac-pf-rw
         - $iam_principals:service_accounts/iac-0/iac-vpcsc-rw
       $custom_roles:storage_viewer:
         - $iam_principals:service_accounts/iac-0/iac-org-ro
-        - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
         - $iam_principals:service_accounts/iac-0/iac-networking-ro
         - $iam_principals:service_accounts/iac-0/iac-security-ro
         - $iam_principals:service_accounts/iac-0/iac-pf-ro
@@ -312,11 +304,6 @@ service_accounts:
     display_name: IaC service account for project factory (read-only).
   iac-pf-rw:
     display_name: IaC service account for project factory (read-write).
-  # IaC service accounts for data platform (dev) stage
-  iac-dp-dev-ro:
-    display_name: IaC service account for data platform dev (read-only).
-  iac-dp-dev-rw:
-    display_name: IaC service account for data platform dev (read-write).
 # workload_identity_pools:
 #   default:
 #     display_name: Default pool for CI/CD.

fast/stages/0-org-setup/datasets/starter-gcd/defaults.yaml

@@ -0,0 +1,61 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/defaults.schema.json
+
+global:
+  # use `gcloud beta billing accounts list` to populate
+  billing_account: ABCDEF-0123456-ABCDEF
+  organization:
+    # use `gcloud organizations list`` to populate
+    domain: fast-test-00.example.com
+    id: 1234567890
+projects:
+  defaults:
+    # prefix must be unique and less than 9 characters
+    prefix: test00
+    locations:
+      bigquery: $locations:primary
+      logging: $locations:primary
+      storage: $locations:primary
+  overrides:
+    universe:
+      # Replace with values from the Configuration Reference table in ../../README-GCD.md
+      domain: <UNIVERSE_API_DOMAIN>
+      prefix: <UNIVERSE_PREFIX>
+      forced_jit_service_identities:
+        - compute.googleapis.com
+      unavailable_service_identities:
+        - dns.googleapis.com
+        - monitoring.googleapis.com
+        - networksecurity.googleapis.com
+context:
+  # you can populate context variables here for use in YAML replacements
+  iam_principals:
+    # this is the default group used in bootstrap, initial user must be a member
+    gcp-organization-admins: group:gcp-organization-admins@example.com
+  locations:
+    # Replace with values from the Configuration Reference table
+    primary: <UNIVERSE_REGION>
+output_files:
+  # local path is optional but recommended when starting
+  local_path: ~/fast-config/fast-test-00
+  storage_bucket: $storage_buckets:iac-0/iac-outputs
+  providers:
+    0-org-setup:
+      bucket: $storage_buckets:iac-0/iac-org-state
+      service_account: $iam_principals:service_accounts/iac-0/iac-org-rw
+    0-org-setup-ro:
+      bucket: $storage_buckets:iac-0/iac-org-state
+      service_account: $iam_principals:service_accounts/iac-0/iac-org-ro

fast/stages/0-org-setup/datasets/starter-gcd/folders/dev/.config.yaml

@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,4 +14,6 @@
 
 # yaml-language-server: $schema=../../../../schemas/folder.schema.json
 
-name: Data Platform
+name: Development
+tag_bindings:
+  environment: $tag_values:environment/development

fast/stages/0-org-setup/datasets/starter-gcd/folders/prod/.config.yaml

@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
+# yaml-language-server: $schema=../../../../schemas/folder.schema.json
 
 name: Production
 tag_bindings:

fast/stages/0-org-setup/datasets/starter-gcd/organization/.config.yaml

@@ -0,0 +1,59 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# TODO: data access logs
+
+# yaml-language-server: $schema=../../../schemas/organization.schema.json
+
+id: $defaults:organization/id
+iam_by_principals:
+  $iam_principals:gcp-organization-admins:
+    - roles/cloudasset.owner
+    - roles/cloudsupport.admin
+    - roles/cloudsupport.techSupportEditor
+    - roles/compute.osAdminLogin
+    - roles/compute.osLoginExternalUser
+    - roles/compute.xpnAdmin
+    - roles/orgpolicy.policyAdmin
+    - roles/owner
+    - roles/resourcemanager.folderAdmin
+    - roles/resourcemanager.organizationAdmin
+    - roles/resourcemanager.projectCreator
+    - roles/resourcemanager.tagAdmin
+    - roles/iam.workforcePoolAdmin
+  $iam_principals:service_accounts/iac-0/iac-org-rw:
+    - roles/accesscontextmanager.policyAdmin
+    - roles/cloudasset.viewer
+    - roles/essentialcontacts.admin
+    - roles/iam.organizationRoleAdmin
+    - roles/iam.workforcePoolAdmin
+    - roles/logging.admin
+    - roles/orgpolicy.policyAdmin
+    - roles/resourcemanager.folderAdmin
+    - roles/resourcemanager.organizationAdmin
+    - roles/resourcemanager.projectCreator
+    - roles/resourcemanager.projectMover
+    - roles/resourcemanager.tagAdmin
+    - roles/resourcemanager.tagUser
+logging:
+  sinks:
+    audit-logs:
+      destination: $log_buckets:iac-0/audit-logs
+      filter: |
+        log_id("cloudaudit.googleapis.com/activity") OR
+        log_id("cloudaudit.googleapis.com/system_event") OR
+        log_id("cloudaudit.googleapis.com/policy") OR
+        log_id("cloudaudit.googleapis.com/access_transparency")
+iam:
+  roles/billing.creator: []

fast/stages/0-org-setup/datasets/starter-gcd/organization/tags/environment.yaml

@@ -0,0 +1,43 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/tags.schema.json
+
+description: "Organization-level environments."
+# iam:
+#   "roles/resourcemanager.tagViewer":
+#     - "group:finance-team@example.com"
+values:
+  development:
+    description: "Development."
+    iam:
+      "roles/resourcemanager.tagUser":
+        - $iam_principals:service_accounts/iac-0/iac-networking-rw
+        - $iam_principals:service_accounts/iac-0/iac-security-rw
+        - $iam_principals:service_accounts/iac-0/iac-pf-rw
+      "roles/resourcemanager.tagViewer":
+        - $iam_principals:service_accounts/iac-0/iac-networking-ro
+        - $iam_principals:service_accounts/iac-0/iac-security-ro
+        - $iam_principals:service_accounts/iac-0/iac-pf-ro
+  production:
+    description: "Production."
+    iam:
+      "roles/resourcemanager.tagUser":
+        - $iam_principals:service_accounts/iac-0/iac-networking-rw
+        - $iam_principals:service_accounts/iac-0/iac-security-rw
+        - $iam_principals:service_accounts/iac-0/iac-pf-rw
+      "roles/resourcemanager.tagViewer":
+        - $iam_principals:service_accounts/iac-0/iac-networking-ro
+        - $iam_principals:service_accounts/iac-0/iac-security-ro
+        - $iam_principals:service_accounts/iac-0/iac-pf-ro

fast/stages/0-org-setup/datasets/starter-gcd/projects/apps/dev-app-0.yaml

@@ -0,0 +1,26 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/project.schema.json
+
+name: dev-app-example-0
+parent: $folder_ids:dev
+services:
+  - bigquery.googleapis.com
+  - compute.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
+  - storage.googleapis.com
+shared_vpc_service_config:
+  host_project: $project_ids:dev-net-0

fast/stages/0-org-setup/datasets/starter-gcd/projects/apps/prod-app-0.yaml

@@ -0,0 +1,26 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/project.schema.json
+
+name: prod-app-example-0
+parent: $folder_ids:prod
+services:
+  - bigquery.googleapis.com
+  - compute.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
+  - storage.googleapis.com
+shared_vpc_service_config:
+  host_project: $project_ids:prod-net-0

fast/stages/0-org-setup/datasets/starter-gcd/projects/iac-0.yaml

@@ -0,0 +1,73 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../schemas/project.schema.json
+
+name: prod-iac-core-0
+iam_by_principals:
+  $iam_principals:gcp-organization-admins:
+    - roles/iam.serviceAccountTokenCreator
+    - roles/iam.workloadIdentityPoolAdmin
+  $iam_principals:service_accounts/iac-0/iac-org-rw:
+    - roles/cloudbuild.builds.editor
+    - roles/iam.serviceAccountAdmin
+    - roles/iam.workloadIdentityPoolAdmin
+    - roles/owner
+    - roles/storage.admin
+services:
+  - accesscontextmanager.googleapis.com
+  - bigquery.googleapis.com
+  - bigquerystorage.googleapis.com
+  - cloudbilling.googleapis.com
+  - cloudkms.googleapis.com
+  - cloudresourcemanager.googleapis.com
+  - compute.googleapis.com
+  - container.googleapis.com
+  - essentialcontacts.googleapis.com
+  - iam.googleapis.com
+  - iamcredentials.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
+  - orgpolicy.googleapis.com
+  - pubsub.googleapis.com
+  - serviceusage.googleapis.com
+  - storage-component.googleapis.com
+  - storage.googleapis.com
+  - sts.googleapis.com
+buckets:
+  iac-org-state:
+    description: Terraform state for the org-level automation.
+    versioning: true
+    iam:
+      roles/storage.admin:
+        - $iam_principals:service_accounts/iac-0/iac-org-rw
+      $custom_roles:storage_viewer:
+        - $iam_principals:service_accounts/iac-0/iac-org-ro
+  iac-outputs:
+    description: Terraform state for the org-level automation.
+    versioning: true
+    iam:
+      roles/storage.admin:
+        - $iam_principals:service_accounts/iac-0/iac-org-rw
+service_accounts:
+  iac-org-rw:
+    display_name: IaC service account for org setup (read-write).
+datasets:
+  billing_export:
+    friendly_name: Billing export
+log_buckets:
+  audit-logs:
+    log_analytics:
+      enable: true
+    retention: 31

fast/stages/0-org-setup/datasets/starter-gcd/projects/net/dev-net-0.yaml

@@ -0,0 +1,27 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/project.schema.json
+
+name: dev-net-shared-0
+parent: $folder_ids:dev
+services:
+  - container.googleapis.com
+  - compute.googleapis.com
+  - dns.googleapis.com
+  - iap.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
+shared_vpc_host_config:
+  enabled: true

fast/stages/0-org-setup/datasets/starter-gcd/projects/net/prod-net-0.yaml

@@ -0,0 +1,27 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/project.schema.json
+
+name: prod-net-shared-0
+parent: $folder_ids:prod
+services:
+  - container.googleapis.com
+  - compute.googleapis.com
+  - dns.googleapis.com
+  - iap.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
+shared_vpc_host_config:
+  enabled: true

fast/stages/0-org-setup/datasets/starter-gcd/vpcs/dev/.config.yaml

@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
+# yaml-language-server: $schema=../../../../schemas/vpc-factory.schema.json
 
-name: Production
-tag_bindings:
-  environment: $tag_values:environment/production
+name: dev-shared-0
+project_id: $project_ids:dev-net-0
+auto_create_subnetworks: false

fast/stages/0-org-setup/datasets/starter-gcd/vpcs/dev/firewall-rules/default-ingress.yaml

@@ -0,0 +1,42 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
+
+ingress:
+
+  ingress-default-allow-iap:
+    description: Allow IAP.
+    source_ranges:
+      - 35.235.240.0/20
+    rules:
+      - protocol: all
+        ports: []
+
+  ingress-default-allow-healthchecks:
+    description: Allow GCP Healthcheck Ranges.
+    source_ranges:
+      - 35.191.0.0/16
+      - 130.211.0.0/22
+      - 209.85.152.0/22
+      - 209.85.204.0/22
+    rules:
+      - protocol: all
+        ports: []
+
+  ingress-default-allow-icmp:
+    description: Allow ICMP.
+    rules:
+      - protocol: icmp
+        ports: []

fast/stages/0-org-setup/datasets/starter-gcd/vpcs/dev/subnets/default.yaml

@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
+# yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 
-name: Data Platform
+name: default
+region: $locations:primary
+ip_cidr_range: 10.0.0.0/24
+description: Default primary-region subnet for dev

fast/stages/0-org-setup/datasets/starter-gcd/vpcs/prod/.config.yaml

@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
+# yaml-language-server: $schema=../../../../schemas/vpc-factory.schema.json
 
-name: Production
-tag_bindings:
-  environment: $tag_values:environment/production
+name: prod-shared-0
+project_id: $project_ids:prod-net-0
+auto_create_subnetworks: false

fast/stages/0-org-setup/datasets/starter-gcd/vpcs/prod/firewall-rules/default-ingress.yaml

@@ -0,0 +1,42 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
+
+ingress:
+
+  ingress-default-allow-iap:
+    description: Allow IAP.
+    source_ranges:
+      - 35.235.240.0/20
+    rules:
+      - protocol: all
+        ports: []
+
+  ingress-default-allow-healthchecks:
+    description: Allow GCP Healthcheck Ranges.
+    source_ranges:
+      - 35.191.0.0/16
+      - 130.211.0.0/22
+      - 209.85.152.0/22
+      - 209.85.204.0/22
+    rules:
+      - protocol: all
+        ports: []
+
+  ingress-default-allow-icmp:
+    description: Allow ICMP.
+    rules:
+      - protocol: icmp
+        ports: []

fast/stages/0-org-setup/datasets/starter-gcd/vpcs/prod/subnets/default.yaml

@@ -0,0 +1,20 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
+
+name: default
+region: $locations:primary
+ip_cidr_range: 10.0.0.0/24
+description: Default primary-region subnet for prod

fast/stages/0-org-setup/factory.tf

@@ -68,3 +68,18 @@ module "factory" {
     paths    = var.factories_config.paths
   }
 }
+
+module "vpcs" {
+  source = "../../../modules/net-vpc-factory"
+  context = merge(local.ctx, {
+    project_ids = local.of_ctx.project_ids
+  })
+  data_defaults  = local.vpc_defaults.defaults
+  data_overrides = local.vpc_defaults.overrides
+  factories_config = {
+    basepath = var.factories_config.dataset
+    paths = {
+      vpcs = var.factories_config.paths.vpcs
+    }
+  }
+}

fast/stages/0-org-setup/main.tf

@@ -61,6 +61,10 @@ locals {
     defaults  = try(local._defaults.projects.defaults, {})
     overrides = try(local._defaults.projects.overrides, {})
   }
+  vpc_defaults = {
+    defaults  = try(local._defaults.vpcs.defaults, {})
+    overrides = try(local._defaults.vpcs.overrides, {})
+  }
   workload_identity_pools = merge([
     for k, v in module.factory.projects : {
       for wk, wv in v.workload_identity_pools :

fast/stages/0-org-setup/output-files.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -45,6 +45,19 @@ locals {
       local.org_tag_values
     )
   })
+  of_logging_sinks = {
+    # Include project_id in the destination if supported (omitted for
+    # "storage" sinks).
+    for k, v in module.organization-iam[0].logging_sinks :
+    k => merge(
+      v,
+      (
+        strcontains(v.destination, "projects/")
+        ? { project_id = split("/", v.destination)[2] }
+        : {}
+      )
+    )
+  }
   of_outputs_bucket = (
     local.output_files.storage_bucket == null
     ? null
@@ -98,19 +111,24 @@ locals {
       automation = {
         outputs_bucket = local.of_outputs_bucket
       }
-      custom_roles   = local.of_ctx.custom_roles
-      folder_ids     = local.of_ctx.folder_ids
-      iam_principals = local.of_ctx.iam_principals
-      logging = {
-        writer_identities = module.organization-iam[0].sink_writer_identities
-        project_number    = module.factory.project_numbers["log-0"]
+      custom_roles     = local.of_ctx.custom_roles
+      folder_ids       = local.of_ctx.folder_ids
+      iam_principals   = local.of_ctx.iam_principals
+      logging_sinks    = local.of_logging_sinks
+      project_ids      = local.of_ctx.project_ids,
+      project_numbers  = module.factory.project_numbers
+      service_accounts = module.factory.service_account_emails
+      storage_buckets  = module.factory.storage_buckets
+      subnet_ips = {
+        for k, v in module.vpcs.vpcs : k => v.subnet_ips
+      }
+      subnet_self_links = {
+        for k, v in module.vpcs.vpcs : k => v.subnet_ids
+      }
+      tag_values = local.of_ctx.tag_values
+      vpc_self_links = {
+        for k, v in module.vpcs.vpcs : k => v.id
       }
-      project_ids     = local.of_ctx.project_ids,
-      project_numbers = module.factory.project_numbers
-      # project_numbers = module.factory.project_numbers
-      service_accounts             = module.factory.service_account_emails
-      storage_buckets              = module.factory.storage_buckets
-      tag_values                   = local.of_ctx.tag_values
       workload_identity_providers  = local.workload_identity_providers
       workforce_identity_providers = module.organization[0].workforce_identity_providers
     }

fast/stages/0-org-setup/outputs.tf

@@ -24,8 +24,30 @@ output "projects" {
   value       = module.factory.projects
 }
 
+output "subnet_ips" {
+  description = "Map of subnet address ranges keyed by VPC and subnet name."
+  value = {
+    for k, v in module.vpcs.vpcs : k => v.subnet_ips
+  }
+}
+
+output "subnet_self_links" {
+  description = "Map of subnet self links keyed by VPC and subnet name."
+  value = {
+    for k, v in module.vpcs.vpcs : k => v.subnet_ids
+  }
+}
+
 output "tfvars" {
   description = "Stage tfvars."
   value       = local.of_tfvars
   sensitive   = true
 }
+
+output "vpc_self_links" {
+  description = "Map of VPC self links keyed by VPC name."
+  value = {
+    for k, v in module.vpcs.vpcs : k => v.id
+  }
+}
+

fast/stages/0-org-setup/schemas/defaults.schema.json

@@ -460,10 +460,231 @@
         }
       }
     },
+    "vpcs": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "defaults": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "project_id": {
+              "type": "string"
+            },
+            "description": {
+              "type": "string"
+            },
+            "auto_create_subnetworks": {
+              "type": "boolean"
+            },
+            "delete_default_routes_on_create": {
+              "type": "boolean"
+            },
+            "mtu": {
+              "type": "number",
+              "minimum": 1460,
+              "maximum": 1500
+            },
+            "routing_mode": {
+              "type": "string",
+              "enum": [
+                "GLOBAL",
+                "REGIONAL"
+              ]
+            },
+            "firewall_policy_enforcement_order": {
+              "type": "string",
+              "enum": [
+                "BEFORE_CLASSIC_FIREWALL",
+                "AFTER_CLASSIC_FIREWALL"
+              ]
+            },
+            "create_googleapis_routes": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "directpath": {
+                  "type": "boolean"
+                },
+                "directpath-6": {
+                  "type": "boolean"
+                },
+                "private": {
+                  "type": "boolean"
+                },
+                "private-6": {
+                  "type": "boolean"
+                },
+                "restricted": {
+                  "type": "boolean"
+                },
+                "restricted-6": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "dns_policy": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "inbound": {
+                  "type": "boolean"
+                },
+                "logging": {
+                  "type": "boolean"
+                },
+                "outbound": {
+                  "type": "object",
+                  "additionalProperties": false,
+                  "properties": {
+                    "private_ns": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    },
+                    "public_ns": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    }
+                  }
+                }
+              }
+            },
+            "ipv6_config": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "enable_ula_internal": {
+                  "type": "boolean"
+                },
+                "internal_range": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        },
+        "overrides": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "project_id": {
+              "type": "string"
+            },
+            "description": {
+              "type": "string"
+            },
+            "auto_create_subnetworks": {
+              "type": "boolean"
+            },
+            "delete_default_routes_on_create": {
+              "type": "boolean"
+            },
+            "mtu": {
+              "type": "number",
+              "minimum": 1460,
+              "maximum": 1500
+            },
+            "routing_mode": {
+              "type": "string",
+              "enum": [
+                "GLOBAL",
+                "REGIONAL"
+              ]
+            },
+            "firewall_policy_enforcement_order": {
+              "type": "string",
+              "enum": [
+                "BEFORE_CLASSIC_FIREWALL",
+                "AFTER_CLASSIC_FIREWALL"
+              ]
+            },
+            "create_googleapis_routes": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "directpath": {
+                  "type": "boolean"
+                },
+                "directpath-6": {
+                  "type": "boolean"
+                },
+                "private": {
+                  "type": "boolean"
+                },
+                "private-6": {
+                  "type": "boolean"
+                },
+                "restricted": {
+                  "type": "boolean"
+                },
+                "restricted-6": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "dns_policy": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "inbound": {
+                  "type": "boolean"
+                },
+                "logging": {
+                  "type": "boolean"
+                },
+                "outbound": {
+                  "type": "object",
+                  "additionalProperties": false,
+                  "properties": {
+                    "private_ns": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    },
+                    "public_ns": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    }
+                  }
+                }
+              }
+            },
+            "ipv6_config": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "enable_ula_internal": {
+                  "type": "boolean"
+                },
+                "internal_range": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "context": {
       "type": "object",
       "additionalProperties": false,
       "properties": {
+        "cidr_ranges_sets": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          }
+        },
         "custom_roles": {
           "type": "object",
           "additionalProperties": {

fast/stages/0-org-setup/schemas/defaults.schema.md

@@ -127,8 +127,78 @@
     - **vpc_sc**: *object*
       - ⁺**perimeter_name**: *string*
       - **is_dry_run**: *boolean*
+- **vpcs**: *object*
+  <br>*additional properties: false*
+  - **defaults**: *object*
+    <br>*additional properties: false*
+    - **project_id**: *string*
+    - **description**: *string*
+    - **auto_create_subnetworks**: *boolean*
+    - **delete_default_routes_on_create**: *boolean*
+    - **mtu**: *number*
+    - **routing_mode**: *string*
+      <br>*enum: ['GLOBAL', 'REGIONAL']*
+    - **firewall_policy_enforcement_order**: *string*
+      <br>*enum: ['BEFORE_CLASSIC_FIREWALL', 'AFTER_CLASSIC_FIREWALL']*
+    - **create_googleapis_routes**: *object*
+      <br>*additional properties: false*
+      - **directpath**: *boolean*
+      - **directpath-6**: *boolean*
+      - **private**: *boolean*
+      - **private-6**: *boolean*
+      - **restricted**: *boolean*
+      - **restricted-6**: *boolean*
+    - **dns_policy**: *object*
+      <br>*additional properties: false*
+      - **inbound**: *boolean*
+      - **logging**: *boolean*
+      - **outbound**: *object*
+        <br>*additional properties: false*
+        - **private_ns**: *array*
+          - items: *string*
+        - **public_ns**: *array*
+          - items: *string*
+    - **ipv6_config**: *object*
+      <br>*additional properties: false*
+      - **enable_ula_internal**: *boolean*
+      - **internal_range**: *string*
+  - **overrides**: *object*
+    <br>*additional properties: false*
+    - **project_id**: *string*
+    - **description**: *string*
+    - **auto_create_subnetworks**: *boolean*
+    - **delete_default_routes_on_create**: *boolean*
+    - **mtu**: *number*
+    - **routing_mode**: *string*
+      <br>*enum: ['GLOBAL', 'REGIONAL']*
+    - **firewall_policy_enforcement_order**: *string*
+      <br>*enum: ['BEFORE_CLASSIC_FIREWALL', 'AFTER_CLASSIC_FIREWALL']*
+    - **create_googleapis_routes**: *object*
+      <br>*additional properties: false*
+      - **directpath**: *boolean*
+      - **directpath-6**: *boolean*
+      - **private**: *boolean*
+      - **private-6**: *boolean*
+      - **restricted**: *boolean*
+      - **restricted-6**: *boolean*
+    - **dns_policy**: *object*
+      <br>*additional properties: false*
+      - **inbound**: *boolean*
+      - **logging**: *boolean*
+      - **outbound**: *object*
+        <br>*additional properties: false*
+        - **private_ns**: *array*
+          - items: *string*
+        - **public_ns**: *array*
+          - items: *string*
+    - **ipv6_config**: *object*
+      <br>*additional properties: false*
+      - **enable_ula_internal**: *boolean*
+      - **internal_range**: *string*
 - **context**: *object*
   <br>*additional properties: false*
+  - **cidr_ranges_sets**: *object*
+    <br>*additional properties: array*
   - **custom_roles**: *object*
     <br>*additional properties: string*
   - **email_addresses**: *object*

fast/stages/0-org-setup/schemas/firewall-rules.schema.json

@@ -0,0 +1,104 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Firewall Rules",
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "egress": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^[a-z0-9_-]+$": {
+          "$ref": "#/$defs/rule"
+        }
+      }
+    },
+    "ingress": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^[a-z0-9_-]+$": {
+          "$ref": "#/$defs/rule"
+        }
+      }
+    }
+  },
+  "$defs": {
+    "rule": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "deny": {
+          "type": "boolean"
+        },
+        "description": {
+          "type": "string"
+        },
+        "destination_ranges": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "disabled": {
+          "type": "boolean"
+        },
+        "enable_logging": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "include_metadata": {
+              "type": "boolean"
+            }
+          }
+        },
+        "priority": {
+          "type": "number"
+        },
+        "source_ranges": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "sources": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "targets": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "use_service_accounts": {
+          "type": "boolean"
+        },
+        "rules": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "protocol": {
+                "type": "string"
+              },
+              "ports": {
+                "type": "array",
+                "items": {
+                  "type": [
+                    "integer",
+                    "string"
+                  ],
+                  "pattern": "^[0-9]+(?:-[0-9]+)?$"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

fast/stages/0-org-setup/schemas/firewall-rules.schema.md

@@ -0,0 +1,42 @@
+# Firewall Rules
+
+<!-- markdownlint-disable MD036 -->
+
+## Properties
+
+*additional properties: false*
+
+- **egress**: *object*
+  <br>*additional properties: false*
+  - **`^[a-z0-9_-]+$`**: *reference([rule](#refs-rule))*
+- **ingress**: *object*
+  <br>*additional properties: false*
+  - **`^[a-z0-9_-]+$`**: *reference([rule](#refs-rule))*
+
+## Definitions
+
+- **rule**<a name="refs-rule"></a>: *object*
+  <br>*additional properties: false*
+  - **deny**: *boolean*
+  - **description**: *string*
+  - **destination_ranges**: *array*
+    - items: *string*
+  - **disabled**: *boolean*
+  - **enable_logging**: *object*
+    <br>*additional properties: false*
+    - **include_metadata**: *boolean*
+  - **priority**: *number*
+  - **source_ranges**: *array*
+    - items: *string*
+  - **sources**: *array*
+    - items: *string*
+  - **targets**: *array*
+    - items: *string*
+  - **use_service_accounts**: *boolean*
+  - **rules**: *array*
+    - items: *object*
+      <br>*additional properties: false*
+      - **protocol**: *string*
+      - **ports**: *array*
+        - items: *(integer|string)*
+          <br>*pattern: `^[0-9]+(?:-[0-9]+)?$`*

fast/stages/0-org-setup/schemas/subnet.schema.json

@@ -0,0 +1,231 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Subnet",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "region"
+  ],
+  "anyOf": [
+    {"required": ["ip_cidr_range"]},
+    {"required": ["reserved_internal_range"]},
+    {"required": ["ip_collection"]},
+    {
+      "allOf": [
+        {"not": {"required": ["ip_cidr_range"]}},
+        {"not": {"required": ["reserved_internal_range"]}},
+        {"not": {"required": ["ip_collection"]}},
+        {"properties": {"ipv6": {"properties": {"ipv6_only": {"const": true}}}}, "required": ["ipv6"]}
+      ]
+    }
+  ],
+  "properties": {
+    "active": {
+      "type": "boolean"
+    },
+    "description": {
+      "type": "string"
+    },
+    "enable_private_access": {
+      "type": "boolean"
+    },
+    "allow_subnet_cidr_routes_overlap": {
+      "type": "boolean"
+    },
+    "flow_logs_config": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "aggregation_interval": {
+          "type": "string"
+        },
+        "filter_expression": {
+          "type": "string"
+        },
+        "flow_sampling": {
+          "type": "number"
+        },
+        "metadata": {
+          "type": "string"
+        },
+        "metadata_fields": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "global": {
+      "type": "boolean"
+    },
+    "ip_cidr_range": {
+      "type": "string"
+    },
+    "reserved_internal_range": {
+      "type": "string",
+      "description": "Name of the internal range to use for this subnet. Mutually exclusive with ip_cidr_range and ip_collection."
+    },
+    "ipv6": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "access_type": {
+          "type": "string"
+        },
+        "ipv6_only": {
+          "type": "boolean"
+        }
+      }
+    },
+    "ip_collection": {
+      "type": "string"
+    },
+    "name": {
+      "type": "string"
+    },
+    "region": {
+      "type": "string"
+    },
+    "psc": {
+      "type": "boolean"
+    },
+    "proxy_only": {
+      "type": "boolean"
+    },
+    "secondary_ip_ranges": {
+      "type": "object",
+      "additionalProperties": {
+        "oneOf": [
+          {
+            "type": "string",
+            "description": "IP CIDR range for backward compatibility"
+          },
+          {
+            "type": "object",
+            "additionalProperties": false,
+            "anyOf": [
+              {"required": ["ip_cidr_range"]},
+              {"required": ["reserved_internal_range"]}
+            ],
+            "properties": {
+              "ip_cidr_range": {
+                "type": "string",
+                "description": "IP CIDR range for this secondary range"
+              },
+              "reserved_internal_range": {
+                "type": "string",
+                "description": "Name of the internal range to use for this secondary range"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "iam": {
+      "$ref": "#/$defs/iam"
+    },
+    "iam_bindings": {
+      "$ref": "#/$defs/iam_bindings"
+    },
+    "iam_bindings_additive": {
+      "$ref": "#/$defs/iam_bindings_additive"
+    }
+  },
+  "$defs": {
+    "iam": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^roles/": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|ro|rw)"
+          }
+        }
+      }
+    },
+    "iam_bindings": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^[a-z0-9_-]+$": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "members": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|ro|rw)"
+              }
+            },
+            "role": {
+              "type": "string",
+              "pattern": "^roles/"
+            },
+            "condition": {
+              "type": "object",
+              "additionalProperties": false,
+              "required": [
+                "expression",
+                "title"
+              ],
+              "properties": {
+                "expression": {
+                  "type": "string"
+                },
+                "title": {
+                  "type": "string"
+                },
+                "description": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "iam_bindings_additive": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^[a-z0-9_-]+$": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "member": {
+              "type": "string",
+              "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|ro|rw)"
+            },
+            "role": {
+              "type": "string",
+              "pattern": "^roles/"
+            },
+            "condition": {
+              "type": "object",
+              "additionalProperties": false,
+              "required": [
+                "expression",
+                "title"
+              ],
+              "properties": {
+                "expression": {
+                  "type": "string"
+                },
+                "title": {
+                  "type": "string"
+                },
+                "description": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

fast/stages/0-org-setup/schemas/subnet.schema.md

@@ -1,4 +1,4 @@
-# Dataplex Aspect Type
+# Subnet
 
 <!-- markdownlint-disable MD036 -->
 
@@ -6,10 +6,37 @@
 
 *additional properties: false*
 
+- **active**: *boolean*
 - **description**: *string*
-- **display_name**: *string*
-- **labels**: *object*
-- **metadata_template**: *string*
+- **enable_private_access**: *boolean*
+- **allow_subnet_cidr_routes_overlap**: *boolean*
+- **flow_logs_config**: *object*
+  <br>*additional properties: false*
+  - **aggregation_interval**: *string*
+  - **filter_expression**: *string*
+  - **flow_sampling**: *number*
+  - **metadata**: *string*
+  - **metadata_fields**: *array*
+    - items: *string*
+- **global**: *boolean*
+- **ip_cidr_range**: *string*
+- **reserved_internal_range**: *string*
+- **ipv6**: *object*
+  <br>*additional properties: false*
+  - **access_type**: *string*
+  - **ipv6_only**: *boolean*
+- **ip_collection**: *string*
+- **name**: *string*
+- ⁺**region**: *string*
+- **psc**: *boolean*
+- **proxy_only**: *boolean*
+- **secondary_ip_ranges**: *object*
+  <br>*additional properties: oneof*
+  - *string*
+  - *object*
+    <br>*additional properties: false*
+    - **ip_cidr_range**: *string*
+    - **reserved_internal_range**: *string*
 - **iam**: *reference([iam](#refs-iam))*
 - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
 - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
@@ -18,18 +45,18 @@
 
 - **iam**<a name="refs-iam"></a>: *object*
   <br>*additional properties: false*
-  - **`^(?:roles/|\$custom_roles:)`**: *array*
+  - **`^roles/`**: *array*
     - items: *string*
-      <br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:||\$iam_principals:[a-z0-9_-]+)*
+      <br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|ro|rw)*
 - **iam_bindings**<a name="refs-iam_bindings"></a>: *object*
   <br>*additional properties: false*
   - **`^[a-z0-9_-]+$`**: *object*
     <br>*additional properties: false*
     - **members**: *array*
       - items: *string*
-        <br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)*
+        <br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|ro|rw)*
     - **role**: *string*
-      <br>*pattern: ^(?:roles/|\$custom_roles:)*
+      <br>*pattern: ^roles/*
     - **condition**: *object*
       <br>*additional properties: false*
       - ⁺**expression**: *string*
@@ -40,9 +67,9 @@
   - **`^[a-z0-9_-]+$`**: *object*
     <br>*additional properties: false*
     - **member**: *string*
-      <br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)*
+      <br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|ro|rw)*
     - **role**: *string*
-      <br>*pattern: ^(?:roles/|\$custom_roles:)*
+      <br>*pattern: ^roles/*
     - **condition**: *object*
       <br>*additional properties: false*
       - ⁺**expression**: *string*

fast/stages/0-org-setup/schemas/vpc-factory.schema.json

@@ -0,0 +1,298 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "VPC Configuration",
+  "description": "Schema for a VPC .config.yaml file.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "name",
+    "project_id"
+  ],
+  "properties": {
+    "project_id": {
+      "type": "string"
+    },
+    "name": {
+      "type": "string"
+    },
+    "description": {
+      "type": "string"
+    },
+    "auto_create_subnetworks": {
+      "type": "boolean"
+    },
+    "delete_default_routes_on_create": {
+      "type": "boolean"
+    },
+    "mtu": {
+      "type": "number"
+    },
+    "routing_mode": {
+      "type": "string",
+      "enum": [
+        "GLOBAL",
+        "REGIONAL"
+      ]
+    },
+    "firewall_policy_enforcement_order": {
+      "type": "string",
+      "enum": [
+        "BEFORE_CLASSIC_FIREWALL",
+        "AFTER_CLASSIC_FIREWALL"
+      ]
+    },
+    "create_googleapis_routes": {
+      "$ref": "#/$defs/create_googleapis_routes"
+    },
+    "dns_policy": {
+      "$ref": "#/$defs/dns_policy"
+    },
+    "ipv6_config": {
+      "$ref": "#/$defs/ipv6_config"
+    },
+    "network_attachments": {
+      "$ref": "#/$defs/network_attachments"
+    },
+    "routers": {
+      "$ref": "#/$defs/routers"
+    },
+    "peering_config": {
+      "$ref": "#/$defs/peering_config"
+    },
+    "psa_configs": {
+      "type": "array",
+      "items": {
+        "$ref": "#/$defs/psa_config"
+      }
+    },
+    "nat_config": {
+      "$ref": "#/$defs/nat_config"
+    },
+    "ncc_config": {
+      "$ref": "#/$defs/ncc_config"
+    },
+    "routes": {
+      "type": "object"
+    },
+    "policy_based_routes": {
+      "type": "object"
+    },
+    "vpn_config": {
+      "type": "object"
+    }
+  },
+  "$defs": {
+    "create_googleapis_routes": {
+      "type": "object",
+      "properties": {
+        "directpath": {
+          "type": "boolean"
+        },
+        "directpath-6": {
+          "type": "boolean"
+        },
+        "private": {
+          "type": "boolean"
+        },
+        "private-6": {
+          "type": "boolean"
+        },
+        "restricted": {
+          "type": "boolean"
+        },
+        "restricted-6": {
+          "type": "boolean"
+        }
+      }
+    },
+    "dns_policy": {
+      "type": "object",
+      "properties": {
+        "inbound": {
+          "type": "boolean"
+        },
+        "logging": {
+          "type": "boolean"
+        },
+        "outbound": {
+          "type": "object",
+          "properties": {
+            "private_ns": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            },
+            "public_ns": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        }
+      }
+    },
+    "ipv6_config": {
+      "type": "object",
+      "properties": {
+        "enable_ula_internal": {
+          "type": "boolean"
+        },
+        "internal_range": {
+          "type": "string"
+        }
+      }
+    },
+    "nat_config": {
+      "type": "object",
+      "patternProperties": {
+        "^[a-z0-9-]+$": {
+          "type": "object",
+          "required": [
+            "region"
+          ],
+          "properties": {
+            "region": {
+              "type": "string"
+            }
+          }
+        }
+      }
+    },
+    "ncc_config": {
+      "type": "object",
+      "required": [
+        "hub"
+      ],
+      "properties": {
+        "hub": {
+          "type": "string"
+        },
+        "group": {
+          "type": "string"
+        }
+      }
+    },
+    "network_attachments": {
+      "type": "object",
+      "patternProperties": {
+        "^[a-z0-9-]+$": {
+          "type": "object",
+          "properties": {
+            "subnet": {
+              "type": "string"
+            },
+            "automatic_connection": {
+              "type": "boolean"
+            },
+            "description": {
+              "type": "string"
+            },
+            "producer_accept_lists": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            },
+            "producer_reject_lists": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        }
+      }
+    },
+    "peering_config": {
+      "type": "object",
+      "properties": {
+        "peer_vpc_self_link": {
+          "type": "string"
+        },
+        "create_remote_peer": {
+          "type": "boolean"
+        },
+        "export_routes": {
+          "type": "boolean"
+        },
+        "import_routes": {
+          "type": "boolean"
+        }
+      }
+    },
+    "psa_config": {
+      "type": "object",
+      "properties": {
+        "deletion_policy": {
+          "type": "string"
+        },
+        "ranges": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z0-9-]+$": {
+              "type": "string"
+            }
+          }
+        },
+        "export_routes": {
+          "type": "boolean"
+        },
+        "import_routes": {
+          "type": "boolean"
+        },
+        "peered_domains": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "range_prefix": {
+          "type": "string"
+        },
+        "service_producer": {
+          "type": "string"
+        }
+      }
+    },
+    "routers": {
+      "type": "object",
+      "description": "A map of Cloud Routers to create in this VPC.",
+      "patternProperties": {
+        "^[a-z0-9-]+$": {
+          "type": "object",
+          "additionalProperties": false,
+          "required": [
+            "region",
+            "asn"
+          ],
+          "properties": {
+            "region": {
+              "type": "string"
+            },
+            "asn": {
+              "type": "number"
+            },
+            "custom_advertise": {
+              "type": "object",
+              "properties": {
+                "all_subnets": {
+                  "type": "boolean"
+                },
+                "ip_ranges": {
+                  "type": "object",
+                  "patternProperties": {
+                    ".*": {
+                      "type": "string"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

fast/stages/0-org-setup/schemas/vpc-factory.schema.md

@@ -0,0 +1,91 @@
+# VPC Configuration
+
+<!-- markdownlint-disable MD036 -->
+
+## Properties
+
+*additional properties: false*
+
+- ⁺**project_id**: *string*
+- ⁺**name**: *string*
+- **description**: *string*
+- **auto_create_subnetworks**: *boolean*
+- **delete_default_routes_on_create**: *boolean*
+- **mtu**: *number*
+- **routing_mode**: *string*
+  <br>*enum: ['GLOBAL', 'REGIONAL']*
+- **firewall_policy_enforcement_order**: *string*
+  <br>*enum: ['BEFORE_CLASSIC_FIREWALL', 'AFTER_CLASSIC_FIREWALL']*
+- **create_googleapis_routes**: *reference([create_googleapis_routes](#refs-create_googleapis_routes))*
+- **dns_policy**: *reference([dns_policy](#refs-dns_policy))*
+- **ipv6_config**: *reference([ipv6_config](#refs-ipv6_config))*
+- **network_attachments**: *reference([network_attachments](#refs-network_attachments))*
+- **routers**: *reference([routers](#refs-routers))*
+- **peering_config**: *reference([peering_config](#refs-peering_config))*
+- **psa_configs**: *array*
+  - items: *reference([psa_config](#refs-psa_config))*
+- **nat_config**: *reference([nat_config](#refs-nat_config))*
+- **ncc_config**: *reference([ncc_config](#refs-ncc_config))*
+- **routes**: *object*
+- **policy_based_routes**: *object*
+- **vpn_config**: *object*
+
+## Definitions
+
+- **create_googleapis_routes**<a name="refs-create_googleapis_routes"></a>: *object*
+  - **directpath**: *boolean*
+  - **directpath-6**: *boolean*
+  - **private**: *boolean*
+  - **private-6**: *boolean*
+  - **restricted**: *boolean*
+  - **restricted-6**: *boolean*
+- **dns_policy**<a name="refs-dns_policy"></a>: *object*
+  - **inbound**: *boolean*
+  - **logging**: *boolean*
+  - **outbound**: *object*
+    - **private_ns**: *array*
+      - items: *string*
+    - **public_ns**: *array*
+      - items: *string*
+- **ipv6_config**<a name="refs-ipv6_config"></a>: *object*
+  - **enable_ula_internal**: *boolean*
+  - **internal_range**: *string*
+- **nat_config**<a name="refs-nat_config"></a>: *object*
+  - **`^[a-z0-9-]+$`**: *object*
+    - ⁺**region**: *string*
+- **ncc_config**<a name="refs-ncc_config"></a>: *object*
+  - ⁺**hub**: *string*
+  - **group**: *string*
+- **network_attachments**<a name="refs-network_attachments"></a>: *object*
+  - **`^[a-z0-9-]+$`**: *object*
+    - **subnet**: *string*
+    - **automatic_connection**: *boolean*
+    - **description**: *string*
+    - **producer_accept_lists**: *array*
+      - items: *string*
+    - **producer_reject_lists**: *array*
+      - items: *string*
+- **peering_config**<a name="refs-peering_config"></a>: *object*
+  - **peer_vpc_self_link**: *string*
+  - **create_remote_peer**: *boolean*
+  - **export_routes**: *boolean*
+  - **import_routes**: *boolean*
+- **psa_config**<a name="refs-psa_config"></a>: *object*
+  - **deletion_policy**: *string*
+  - **ranges**: *object*
+    - **`^[a-z0-9-]+$`**: *string*
+  - **export_routes**: *boolean*
+  - **import_routes**: *boolean*
+  - **peered_domains**: *array*
+    - items: *string*
+  - **range_prefix**: *string*
+  - **service_producer**: *string*
+- **routers**<a name="refs-routers"></a>: *object*
+  - **`^[a-z0-9-]+$`**: *object*
+    <br>*additional properties: false*
+    - ⁺**region**: *string*
+    - ⁺**asn**: *number*
+    - **custom_advertise**: *object*
+      - **all_subnets**: *boolean*
+      - **ip_ranges**: *object*
+        - **`.*`**: *string*

fast/stages/0-org-setup/variables.tf

@@ -17,6 +17,7 @@
 variable "context" {
   description = "Context-specific interpolations."
   type = object({
+    cidr_ranges_sets            = optional(map(list(string)), {})
     custom_roles                = optional(map(string), {})
     email_addresses             = optional(map(string), {})
     folder_ids                  = optional(map(string), {})
@@ -50,6 +51,7 @@ variable "factories_config" {
       organization      = optional(string, "organization")
       project_templates = optional(string, "templates")
       projects          = optional(string, "projects")
+      vpcs              = optional(string, "vpcs")
     }), {})
   })
   nullable = false

fast/stages/1-vpcsc/README.md

@@ -456,7 +456,7 @@ Some references that might be useful in setting up this stage:
 
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
-| [organization](variables-fast.tf#L35) | Organization details. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-org-setup</code> |
+| [organization](variables-fast.tf#L48) | Organization details. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-org-setup</code> |
 | [access_levels](variables.tf#L17) | Access level definitions. | <code>map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [access_policy](variables.tf#L67) | Access policy id (used for tenant-level VPC-SC configurations). | <code>number</code> |  | <code>null</code> |  |
 | [context](variables.tf#L73) | External context used in replacements. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
@@ -464,13 +464,14 @@ Some references that might be useful in setting up this stage:
 | [factories_config](variables.tf#L130) | Paths to folders that enable factory functionality. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_principals](variables-fast.tf#L17) | Org-level IAM principals. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-org-setup</code> |
 | [ingress_policies](variables.tf#L147) | Ingress policy definitions that can be referenced in perimeters. | <code>map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [logging](variables-fast.tf#L25) | Log writer identities for organization / folders. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>0-org-setup</code> |
+| [logging_sinks](variables-fast.tf#L25) | Log sinks for the organization. | <code>map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-org-setup</code> |
 | [perimeters](variables.tf#L189) | Perimeter definitions. | <code>map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [project_numbers](variables-fast.tf#L46) | Project numbers. | <code>map&#40;number&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-org-setup</code> |
+| [project_ids](variables-fast.tf#L59) | Project IDs. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-org-setup</code> |
+| [project_numbers](variables-fast.tf#L67) | Project numbers. | <code>map&#40;number&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-org-setup</code> |
 | [resource_discovery](variables.tf#L223) | Automatic discovery of perimeter projects. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [root_node](variables-fast.tf#L54) | Root node for the hierarchy, if running in tenant mode. | <code>string</code> |  | <code>null</code> | <code>0-org-setup</code> |
-| [service_accounts](variables-fast.tf#L68) | Org-level service accounts. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-org-setup</code> |
-| [storage_buckets](variables-fast.tf#L76) | Storage buckets created in the bootstrap stage. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-org-setup</code> |
+| [root_node](variables-fast.tf#L75) | Root node for the hierarchy, if running in tenant mode. | <code>string</code> |  | <code>null</code> | <code>0-org-setup</code> |
+| [service_accounts](variables-fast.tf#L89) | Org-level service accounts. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-org-setup</code> |
+| [storage_buckets](variables-fast.tf#L97) | Storage buckets created in the bootstrap stage. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-org-setup</code> |
 
 ## Outputs
 

fast/stages/1-vpcsc/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,7 +25,12 @@ locals {
     for k, v in local.ctx.storage_buckets : "$storage_buckets:${k}" => v
   }
   # fail if we have no valid defaults
-  _defaults = yamldecode(file(local.paths.defaults))
+  _defaults        = yamldecode(file(local.paths.defaults))
+  _project_numbers = merge(var.project_numbers, local._ctx.project_numbers)
+  _project_id_to_num = {
+    for k, v in var.project_ids :
+    v => local._project_numbers[k]
+  }
   discovered_projects = var.resource_discovery.enabled != true ? [] : [
     for v in module.vpc-sc-discovery[0].project_numbers :
     "projects/${v}"
@@ -42,13 +47,20 @@ locals {
       local._ctx.iam_principals
     )
     identity_sets = merge(local._ctx.identity_sets, {
-      logging_identities = try(distinct(values(var.logging.writer_identities)), [])
+      logging_identities = distinct([
+        for _, v in var.logging_sinks : v.writer_identity
+      ])
     })
-    project_numbers = merge(var.project_numbers, local._ctx.project_numbers)
+    project_numbers = local._project_numbers
     resource_sets = merge(
       {
         discovered_projects = local.discovered_projects
-        logging_project     = try(["projects/${var.logging.project_number}"], [])
+        logging_project = distinct(compact([
+          for _, v in var.logging_sinks :
+          try(v.project_id, null) != null
+          ? "projects/${lookup(local._project_id_to_num, v.project_id, v.project_id)}"
+          : null
+        ]))
         org_setup_projects = [
           for k, v in var.project_numbers : "projects/${v}"
         ]

fast/stages/1-vpcsc/variables-fast.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2026 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,14 +22,27 @@ variable "iam_principals" {
   default     = {}
 }
 
-variable "logging" {
+variable "logging_sinks" {
   # tfdoc:variable:source 0-org-setup
-  description = "Log writer identities for organization / folders."
-  type = object({
-    writer_identities = map(string)
-    project_number    = optional(string)
-  })
-  default = null
+  description = "Log sinks for the organization."
+  type = map(object({
+    project_id      = optional(string)
+    writer_identity = string
+    ## other available fields:
+    # bigquery_options   = list(string)
+    # description        = string
+    # disabled           = bool
+    # destination        = string
+    # exclusions         = list(string)
+    # filter             = string
+    # id                 = string
+    # include_children   = bool
+    # intercept_children = bool
+    # name               = string
+    # org_id             = string
+  }))
+  default  = {}
+  nullable = false
 }
 
 variable "organization" {
@@ -43,6 +56,14 @@ variable "organization" {
   nullable = false
 }
 
+variable "project_ids" {
+  # tfdoc:variable:source 0-org-setup
+  description = "Project IDs."
+  type        = map(string)
+  nullable    = false
+  default     = {}
+}
+
 variable "project_numbers" {
   # tfdoc:variable:source 0-org-setup
   description = "Project numbers."

fast/stages/2-networking/datasets/hub-and-spokes-ncc/defaults.yaml

@@ -39,9 +39,10 @@ projects:
   #     perimeter_name: $vpc_sc_perimeters:default
   #     is_dry_run: true
 vpcs:
-  auto_create_subnetworks: false
-  delete_default_route_on_create: true
-  mtu: 1500
+  defaults:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: true
+    mtu: 1500
 output_files:
   # local path is optional but recommended when starting
   # local_path: ~/fast-config/fast-test-00

fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/response-policies/net-core-0.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/dns-response-policy-rules.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/fwd-root.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/peer-root.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/pvt-test.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-dev-0/pvt-dev-test.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-prod-0/pvt-prod-test.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/firewall-policies/networking-policy.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/firewall-policy.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/ncc-hubs/hub.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/ncc-hub.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-core-0.yaml

@@ -1,19 +1,30 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/project.schema.json
 name: prod-net-core-0
 parent: $folder_ids:networking
 services:
-  - container.googleapis.com
   - compute.googleapis.com
+  - container.googleapis.com
   - dns.googleapis.com
   - iap.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
   - networkmanagement.googleapis.com
   - networksecurity.googleapis.com
   - servicenetworking.googleapis.com
-  - stackdriver.googleapis.com
   - vpcaccess.googleapis.com
 shared_vpc_host_config:
   enabled: true

fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-dev-0.yaml

@@ -1,20 +1,31 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/project.schema.json
 
 name: dev-net-spoke-0
 parent: $folder_ids:networking/dev
 services:
-  - container.googleapis.com
   - compute.googleapis.com
+  - container.googleapis.com
   - dns.googleapis.com
   - iap.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
   - networkmanagement.googleapis.com
   - networksecurity.googleapis.com
   - servicenetworking.googleapis.com
-  - stackdriver.googleapis.com
   - vpcaccess.googleapis.com
 shared_vpc_host_config:
   enabled: true

fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-prod-0.yaml

@@ -1,20 +1,31 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/project.schema.json
 
 name: prod-net-spoke-0
 parent: $folder_ids:networking/prod
 services:
-  - container.googleapis.com
   - compute.googleapis.com
+  - container.googleapis.com
   - dns.googleapis.com
   - iap.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
   - networkmanagement.googleapis.com
   - networksecurity.googleapis.com
   - servicenetworking.googleapis.com
-  - stackdriver.googleapis.com
   - vpcaccess.googleapis.com
 shared_vpc_host_config:
   enabled: true

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/.config.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/vpc.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/firewall-rules/default-ingress.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-default.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/.config.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/vpc.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/subnets/hub-default.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/vlan-attachments/onprem-0.yaml

@@ -1,3 +1,17 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/vlan-attachments/onprem-1.yaml

@@ -1,3 +1,17 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/vpns/onprem.yaml

@@ -1,3 +1,17 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/.config.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/vpc.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/firewall-rules/default-ingress.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/subnets/prod-default.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/subnets/prod-proxy.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/defaults.yaml

@@ -39,9 +39,10 @@ projects:
   #     perimeter_name: $vpc_sc_perimeters:default
   #     is_dry_run: true
 vpcs:
-  auto_create_subnetworks: false
-  delete_default_route_on_create: true
-  mtu: 1500
+  defaults:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: true
+    mtu: 1500
 output_files:
   # local path is optional but recommended when starting
   # local_path: ~/fast-config/fast-test-00

fast/stages/2-networking/datasets/hub-and-spokes-nva/dns/response-policies/net-core-0.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/dns-response-policy-rules.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/dns/zones/fwd-root.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/dns/zones/peer-root.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/dns/zones/pvt-dev-test.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/dns/zones/pvt-prod-test.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/dns/zones/pvt-test.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/firewall-policies/networking-policy.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/firewall-policy.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/nvas/main.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/nva.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/projects/net-core-0.yaml

@@ -1,19 +1,30 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/project.schema.json
 name: prod-net-core-0
 parent: $folder_ids:networking
 services:
-  - container.googleapis.com
   - compute.googleapis.com
+  - container.googleapis.com
   - dns.googleapis.com
   - iap.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
   - networkmanagement.googleapis.com
   - networksecurity.googleapis.com
   - servicenetworking.googleapis.com
-  - stackdriver.googleapis.com
   - vpcaccess.googleapis.com
 shared_vpc_host_config:
   enabled: true

fast/stages/2-networking/datasets/hub-and-spokes-nva/projects/net-dev-0.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/project.schema.json
 
@@ -13,14 +23,15 @@
 name: dev-net-spoke-0
 parent: $folder_ids:networking/dev
 services:
-  - container.googleapis.com
   - compute.googleapis.com
+  - container.googleapis.com
   - dns.googleapis.com
   - iap.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
   - networkmanagement.googleapis.com
   - networksecurity.googleapis.com
   - servicenetworking.googleapis.com
-  - stackdriver.googleapis.com
   - vpcaccess.googleapis.com
 shared_vpc_host_config:
   enabled: true

fast/stages/2-networking/datasets/hub-and-spokes-nva/projects/net-prod-0.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../schemas/project.schema.json
 
@@ -13,14 +23,15 @@
 name: prod-net-spoke-0
 parent: $folder_ids:networking/prod
 services:
-  - container.googleapis.com
   - compute.googleapis.com
+  - container.googleapis.com
   - dns.googleapis.com
   - iap.googleapis.com
+  - logging.googleapis.com
+  - monitoring.googleapis.com
   - networkmanagement.googleapis.com
   - networksecurity.googleapis.com
   - servicenetworking.googleapis.com
-  - stackdriver.googleapis.com
   - vpcaccess.googleapis.com
 shared_vpc_host_config:
   enabled: true

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dev/.config.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/vpc.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dev/firewall-rules/default-ingress.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dev/subnets/dev-default.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/.config.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/vpc.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/firewall-rules/default-ingress.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/subnets/dmz-default.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/vlan-attachments/onprem-0.yaml

@@ -1,3 +1,17 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/vlan-attachments/onprem-1.yaml

@@ -1,3 +1,17 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/vpns/onprem.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/vpn.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/hub/.config.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/vpc.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/hub/firewall-rules/default-ingress.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/hub/subnets/hub-default.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/prod/.config.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/vpc.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/prod/firewall-rules/default-ingress.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/prod/subnets/prod-default.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/prod/subnets/prod-proxy.yaml

@@ -1,4 +1,16 @@
-# skip boilerplate check
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-peerings/defaults.yaml

@@ -39,9 +39,10 @@ projects:
   #     perimeter_name: $vpc_sc_perimeters:default
   #     is_dry_run: true
 vpcs:
-  auto_create_subnetworks: false
-  delete_default_route_on_create: true
-  mtu: 1500
+  defaults:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: true
+    mtu: 1500
 output_files:
   # local path is optional but recommended when starting
   # local_path: ~/fast-config/fast-test-00

fast/stages/2-networking/datasets/hub-and-spokes-peerings/dns/response-policies/net-core-0.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../schemas/dns-response-policy-rules.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-peerings/dns/zones/net-core-0/fwd-root.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/dns.schema.json
 

fast/stages/2-networking/datasets/hub-and-spokes-peerings/dns/zones/net-core-0/peer-root.yaml

@@ -1,6 +1,16 @@
-# skip boilerplate check
----
-# start of document (---) avoids errors if the file only contains comments
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # yaml-language-server: $schema=../../../../../schemas/dns.schema.json