Generated by Merlin Studio (https://app.merlin-studio.cloud). Licensed under the Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Profile: STANDARD Compliance: CIS, PCI_DSS, SOX
The same intent spec is compiled to two Terraform-family formats — apply the
OpenTofu HCL directly, or feed the .auto.tfvars into your own community-module
wrappers.
```
.
├── README.md                   (this file)
├── DEPLOYMENT_GUIDE.md         Step-by-step deploy runbook (OpenTofu + tfvars)
├── architecture.mmd            Mermaid diagram of the landing zone topology
├── PLACEHOLDERS.md             Every PLACEHOLDER_ token to replace before deploy
├── aws-opentofu/               Format 1: OpenTofu + Spacelift (HCL + per-stack YAML)
│   ├── versions.tf, providers.tf, backend.tf
│   ├── organizations.tf, accounts.tf, iam.tf, vpc.tf
│   ├── transit_gateway.tf, transit_gateway_inspection.tf, inspection_vpc.tf
│   ├── network_firewall.tf, hybrid_connectivity.tf
│   ├── security.tf, cloudtrail.tf, config.tf, kms.tf, s3_log_archive.tf
│   ├── backup.tf, budgets.tf, outputs.tf
│   ├── spacelift/stacks/*.yaml
│   └── .spacelift/config.yml
└── aws-tfvars/                 Format 2: .auto.tfvars for terraform-aws-modules wrappers
    ├── organizations.auto.tfvars, accounts.auto.tfvars
    ├── network.auto.tfvars, iam.auto.tfvars, hybrid_connectivity.auto.tfvars
    ├── security.auto.tfvars, cloudtrail.auto.tfvars, kms.auto.tfvars
    └── backup.auto.tfvars
```
| Setting | Value |
|---|---|
| Organization name | Acme Bank |
| Primary contact | admin@gcp1.intentarch.app |
| Security contact | my2mail@acme.com |
| Billing contact | my3mail@acme.com |
| Home region | us-east-2 |
| Enabled regions | us-east-1, us-east-2, us-west-1, us-west-2 |
| Profile | standard (mid-size) |
| Compliance | cis, pci_dss, sox |
| OpenTofu | 1.12.0 |
| hashicorp/aws | ~> 5.80 |
| Name | Purpose | OU |
|---|---|---|
| Management | AWS Organizations payer + org control plane | Root |
| LogArchive | Central log archive (CloudTrail org trail, Config) | Security |
| Audit | Security tooling delegated administrator | Security |
| SharedServices | DNS resolver endpoints, golden AMIs, etc. | Infrastructure |
| Network | Central network hub (TGW, Site-to-Site VPN) | Infrastructure |
| Name | OU | Description |
|---|---|---|
| PciWorkload | Workloads/Prod/PCI | Dedicated CDE workload account — PCI-DSS 4.0 scope, SAQ-D level, ASV-scanned, isolated from non-CDE. |
| AppDev | Workloads/Dev | Application development account |
| AppProd | Workloads/Prod | Application production account |
- Search and replace `PLACEHOLDER_` tokens. The wizard could not infer real AWS account IDs, OU IDs, or some ARNs. See `PLACEHOLDERS.md` if present.
- Pre-create your AWS Organization with a Management account. OpenTofu cannot bootstrap the org itself.
- Enable AWS Organizations trusted service access. `organizations.tf` carries the required principals on a `count = 0` resource (a documentation anchor only), so Terraform does not enable them: it must not manage your existing org. From the management account, enable trusted access for each principal, or confirm AWS Control Tower already has, before deploying:

  ```sh
  aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
  aws organizations enable-aws-service-access --service-principal config.amazonaws.com
  aws organizations enable-aws-service-access --service-principal controltower.amazonaws.com
  aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com
  aws organizations enable-aws-service-access --service-principal securityhub.amazonaws.com
  aws organizations enable-aws-service-access --service-principal ram.amazonaws.com
  aws organizations enable-aws-service-access --service-principal sso.amazonaws.com
  aws organizations enable-aws-service-access --service-principal fms.amazonaws.com
  ```

  Skipping this breaks org-wide CloudTrail, the Config aggregator, GuardDuty / Security Hub org auto-enable, RAM sharing (Transit Gateway), IAM Identity Center, and Firewall Manager: they fail to deploy or silently no-op.

  And enable the organization policy types the zone uses:

  ```sh
  aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type SERVICE_CONTROL_POLICY
  aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type TAG_POLICY
  ```
- Enable AWS IAM Identity Center in the management account if you want SSO permission sets to provision. Set the instance ARN in `iam.auto.tfvars` (or the OpenTofu `identity_center` data source).
- Bootstrap state storage for OpenTofu (S3 + DynamoDB lock); see `DEPLOYMENT_GUIDE.md`.
This zone is configured to meet the requirements of:
- CIS
- PCI DSS
- SOX
Specific controls applied:
- CloudTrail organization trail with KMS-CMK encryption and log file validation
- AWS Config recorder + aggregator delegated to the Audit account
- GuardDuty with `auto_enable = true` for all org members
- Security Hub with framework-aligned standards subscriptions
- IAM password policy: min length 14, rotation every 90 days
- KMS CMKs with auto-rotation every 90 days
- Object Lock on the central log archive bucket (when FedRAMP / SOX is in scope)
- S3 default encryption + SSL-only bucket policies
- VPC Flow Logs on every VPC, all-traffic, with CloudWatch + S3 destinations
This zone was authored by Merlin Studio v2, which uses a compile-AI approach. LLMs were used at design time to encode AWS best-practice patterns, compliance-framework requirements, and discovery-driven defaults into a static rules engine. At generation time, every value below was derived deterministically from your discovery answers + a layered rules engine — no LLM call happens during generation. The same answers always produce the same artifact.
Deeper reading: "Compiled AI for GCP Landing Zones" → dev.to/boristep. The methodology is identical for the AWS pipeline.
Values in this spec come from up to four layers, with later layers winning on conflict:
1. Schema defaults ← floor: a value exists for every field
2. Profile defaults ← simple / standard / advanced — broad shape
3. Compliance overlays ← HIPAA / CIS / PCI / FedRAMP add-ons (per framework)
4. Discovery overlays ← driven by YOUR answers (multi-region, encryption, ...)
5. User edits ← anything you typed in the wizard ALWAYS wins
Arrays append by name — a compliance overlay adding a required account (e.g.
PhiWorkload) to your workload_accounts inventory does not erase the accounts
you selected. Scalars: discovery
overlays overwrite profile defaults (the discovery answer is the more specific
signal); compliance overlays only fill empty slots; your saved values are merged
last and override everything.
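The merge rules above (arrays append by name, compliance overlays only fill empty scalars, discovery and user edits overwrite) as an illustrative reimplementation added here; this is example code, not Merlin Studio's rules engine, and the layer kind names, the definition of an "empty" slot, and the field-by-field reconciliation of same-named array entries are assumptions of the example. The sample layers are constructed to resemble this zone.

```python
# Illustrative reimplementation of the README's merge rules (example code, not Merlin's engine).
from copy import deepcopy

FILL_ONLY, EMPTY = {"compliance"}, (None, "", [])  # compliance only fills empty scalar slots (assumed)

def _merge_named_list(base, addition, kind):
    """Arrays append by name: nothing in base is erased; new names are appended.
    Same-name entries are merged field-by-field (an assumption of this example)."""
    merged = {item["name"]: deepcopy(item) for item in base}
    order = [item["name"] for item in base]
    for item in addition:
        if item["name"] in merged:
            merged[item["name"]] = merge_layer(merged[item["name"]], item, kind)
        else:
            merged[item["name"]] = deepcopy(item)
            order.append(item["name"])
    return [merged[n] for n in order]

def merge_layer(spec, layer, kind):
    """Apply one layer (kind: schema/profile/compliance/discovery/user) on top of spec."""
    out = deepcopy(spec)
    for key, value in layer.items():
        current = out.get(key)
        if isinstance(value, list) and all(isinstance(x, dict) and "name" in x for x in value):
            out[key] = _merge_named_list(current or [], value, kind)
        elif isinstance(value, dict) and isinstance(current, dict):
            out[key] = merge_layer(current, value, kind)
        elif kind in FILL_ONLY and current not in EMPTY:
            continue  # populated scalar: a compliance overlay never overwrites it
        else:
            out[key] = deepcopy(value)  # later layers win on scalars
    return out

def compile_spec(layers):
    """layers: ordered (kind, dict) pairs, schema first, user edits last."""
    spec = {}
    for kind, layer in layers:
        spec = merge_layer(spec, layer, kind)
    return spec

# Constructed sample layers shaped like this zone (not the wizard's real output).
SAMPLE_LAYERS = [
    ("schema", {"egress_model": None, "macie_enabled": None, "workload_accounts": []}),
    ("profile", {"egress_model": "distributed", "workload_accounts": [
        {"name": "AppDev", "ou": "Workloads/Dev"}, {"name": "AppProd", "ou": "Workloads/Prod"}]}),
    ("compliance", {"egress_model": "centralized", "macie_enabled": True,
                    "workload_accounts": [{"name": "PciWorkload", "ou": "Workloads/Prod/PCI"}]}),
    ("discovery", {"egress_model": "centralized", "secondary_region": "us-west-2"}),
    ("user", {"macie_enabled": False}),
]
```

Running `compile_spec(SAMPLE_LAYERS)` keeps the profile's accounts, appends PciWorkload, lets the discovery answer (not the compliance overlay) switch egress to centralized, and lets the user edit turn Macie back off.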
The wizard ran these overlays against your answers. Each entry is the rules-engine trace — what was added, why, and what triggered it.
| Section | Triggered by | Rationale |
|---|---|---|
| 02_account_hierarchy | PCI_DSS | PCI-DSS requires cardholder-data environment (CDE) isolation. A dedicated PCI account scopes Requirement 1.2 (network segmentation) and Requirement 7 (least-privilege) cleanly. |
| 04_networking | PCI_DSS | PCI-DSS Req 1.2 mandates CDE network segmentation. The dedicated PciWorkload account (added by the account-hierarchy overlay) needs its own VPC, otherwise cardholder-data workloads would land in AppProd's VPC and drag every workload there into PCI scope. This CDE VPC has no public subnets — workloads run in private subnets, reach AWS services via VPC endpoints, and all egress flows through the Transit Gateway to centralized inspection, never sharing a network boundary with non-CDE workloads. |
| Section | Overlay | Triggered by | Rationale |
|---|---|---|---|
| 04_networking | multi_region_secondary_networking | multi_region_required=true | Multi-region answers (warm/active-active DR) require a second hub VPC + workloads VPC in the secondary region, a secondary regional Transit Gateway, and an inter-region TGW peering attachment. Without these, the spec declares warm-standby but is physically single-region — a direct contradiction the generators cannot recover from. |
| 04_networking | regulated_centralized_egress | compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'fedramp_moderate' OR compliance_requirements contains 'fedramp_high' OR compliance_requirements contains 'nist_800_53' OR compliance_requirements contains 'eucs' | Boundary-control frameworks (PCI-DSS Req 1 NSCs, NIST 800-53 / FedRAMP SC-7, EUCS) require a controlled, inspected egress boundary. The egress model is set to centralized so spoke egress flows through the inspection VPC's AWS Network Firewall; the compliance overlay adds that inspection VPC. |
| 07_advanced_security | regulated_enables_macie | compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'hipaa' OR compliance_requirements contains 'gdpr' OR compliance_requirements contains 'eucs' OR compliance_requirements contains 'nis2' | Data-protection frameworks require knowing where sensitive data (PANs / PII / PHI) lives — PCI-DSS Req 3 / 12.5.1, HIPAA, GDPR. Amazon Macie is the native S3 discovery/classification control, so it is enabled by default when any of these is in scope. Matches the Architecture Scorecard, which fails Macie-off for these frameworks. |
| 07_advanced_security | regulated_enables_inspector | compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'fedramp_moderate' OR compliance_requirements contains 'fedramp_high' OR compliance_requirements contains 'nist_800_53' OR compliance_requirements contains 'eucs' | PCI-DSS 11.3.1 (internal vulnerability scanning) and NIST 800-53 / FedRAMP RA-5 require continuous vulnerability scanning. Amazon Inspector is the native control, so it is enabled by default when any of these is in scope. Matches the Architecture Scorecard, which fails Inspector-off for these frameworks. |
| 08_logging_monitoring | multi_region_enables_log_replication | multi_region_required=true | Multi-region DR needs the central log bucket replicated to the secondary region so a regional outage does not destroy the audit trail of last resort. |
| 10_backup_dr | multi_region_secondary_region | multi_region_required=true | Multi-region answers (warm/active-active DR) require AWS Backup to copy recovery points to the secondary region. Pre-fill from discovery.secondary_region so the user does not have to retype it. |
| 10_backup_dr | warm_or_active_standby_strengthens_backup | dr_requirements = 'warm_standby' OR dr_requirements = 'active_active' | Warm-standby / active-active DR strategies imply org-level backup policy + vault lock so the secondary region can never lag. |
| 17_ec2_compute | encryption_cmk_drives_ebs_default_alias | encryption_requirements = 'cmk' | When the discovery encryption posture is cmk, EBS must default to a customer-managed key, not alias/aws/ebs. |
This trace is scoped to the overlays whose resources are emitted in these foundation bundles. Overlays that targeted application-layer sections (data platform, observability, app services, EC2 fleet) also fired in the wizard but are not part of an OpenTofu/tfvars landing-zone foundation; see `INPUT_ASSERTIONS.md` for the full list.
See DEPLOYMENT_GUIDE.md for the deploy-and-verify runbook for OpenTofu + tfvars.