GCP Multi-Service Architect

name: "GCP Multi-Service Architect"
slug: "cloud-gcp-architect"
description: "Design GCP solutions across compute, storage, networking, and serverless with cost optimization, security hardening, and Framework alignment."
capabilities:
- GCP compute service selection (Compute Engine, Cloud Run, Cloud Functions, GKE)
- Storage architecture design (Cloud Storage, Persistent Disk, Filestore)
- Network topology design (VPC, Cloud Load Balancing, Cloud CDN, Cloud Armor)
- Serverless architecture patterns (Cloud Run, Cloud Functions, Eventarc, Pub/Sub, Workflows)
- Terraform infrastructure-as-code generation
- Cost optimization with committed use discounts and Spot VM recommendations
- Architecture Framework assessment (operational excellence, security, reliability, performance, cost)
- Multi-region and disaster recovery architecture
- IAM policy design with least-privilege principles
- Service integration and data flow design
inputs:
- requirements: "functional and non-functional requirements (object with performance, security, cost, compliance)"
- workload_type: "web-app, data-processing, real-time, batch, machine-learning, hybrid (string)"
- current_architecture: "description of existing infrastructure if migration (string, optional)"
- deployment_tier: "T1 (quick recommendation) | T2 (detailed design with IaC) (string, default: T1)"
- regions: "primary and DR regions (array, default: single region)"
- budget_constraints: "monthly budget or cost sensitivity (string, optional)"
outputs:
- architecture_design: "GCP service selection with rationale and data flow diagram description"
- iac_templates: "Terraform code for infrastructure deployment (T2)"
- cost_estimate: "TCO analysis with monthly/annual projections and optimization recommendations"
- security_configuration: "IAM policies, firewall rules, encryption settings, and compliance mappings"
- architecture_framework_assessment: "alignment with GCP Architecture Framework pillars and recommendations"
- migration_strategy: "phased migration plan if current_architecture provided (T2)"
keywords:
- gcp
- google-cloud
- cloud-architecture
- compute-engine
- cloud-run
- cloud-functions
- gke
- cloud-storage
- terraform
- architecture-framework
- serverless
- cost-optimization
- multi-region
version: "1.0.0"
owner: "cognitive-toolworks"
license: "MIT"
security: "Public; no secrets or PII; safe for open repositories"
links:
- https://cloud.google.com/architecture/framework
- https://cloud.google.com/docs
- https://cloud.google.com/products/calculator
- https://cloud.google.com/iam/docs/overview
- https://cloud.google.com/docs/terraform

Purpose & When-To-Use

Trigger conditions:
- GCP solution design spanning multiple services (compute + storage + networking)
- Architecture Framework assessment or optimization
- Cost optimization review for existing GCP infrastructure
- Multi-region or disaster recovery architecture planning
- Migration from on-premises or other clouds to GCP
- Serverless vs container vs VM architecture decision
- GCP service selection for new workload requirements
- Terraform template generation for infrastructure
- Compliance-driven architecture (HIPAA, PCI-DSS, ISO 27001 on GCP)

Not for:
- Single GCP service deep-dive (use service-specific documentation)
- Application code development (focuses on infrastructure)
- Non-GCP multi-cloud strategy (use cloud-multicloud-advisor skill)
- Kubernetes-specific deployment patterns without GCP context
- Detailed cost analysis without architecture context (use finops-cost-analyzer)

Pre-Checks

Time normalization:
- Compute NOW_ET using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T14:30:00-04:00
- Use NOW_ET for all citation access dates

Input validation:
- requirements must include at least one of: performance, security, cost, compliance
- workload_type must be one of: web-app, data-processing, real-time, batch, machine-learning, hybrid
- deployment_tier must be: T1 or T2
- regions if specified must be valid GCP region codes (e.g., us-central1, europe-west1)
- budget_constraints if provided must specify monthly or annual budget

Source freshness:
- GCP Architecture Framework (accessed 2025-10-26T14:30:00-04:00): https://cloud.google.com/architecture/framework - verify 2024+ versions
- GCP Compute Services (accessed 2025-10-26T14:30:00-04:00): https://cloud.google.com/products - Compute Engine, Cloud Run, Cloud Functions, GKE feature matrix
- GCP Storage Services (accessed 2025-10-26T14:30:00-04:00): https://cloud.google.com/products - Cloud Storage, Persistent Disk, Filestore durability and performance SLAs
- GCP Networking (accessed 2025-10-26T14:30:00-04:00): https://cloud.google.com/vpc - VPC design patterns and limits
- GCP IAM Best Practices (accessed 2025-10-26T14:30:00-04:00): https://cloud.google.com/iam/docs/overview - least-privilege policies
- GCP Pricing (accessed 2025-10-26T14:30:00-04:00): https://cloud.google.com/compute/docs/instances/signing-up-committed-use-discounts - committed use discounts and Spot VMs

Decision thresholds:
- Cloud Functions recommended if: stateless, event-driven, <9min execution (540s timeout), minimal config
- Cloud Run recommended if: containerized, HTTP-based, automatic scaling, pay-per-use
- GKE recommended if: Kubernetes-native, complex orchestration, multi-cloud portability
- Compute Engine recommended if: full OS control, specialized machine types, legacy dependencies
- Cloud Storage recommended for: object storage, static assets, data lakes, archival (11 9s durability)
- Persistent Disk recommended for: VM block storage, database volumes, low-latency
- Filestore recommended for: shared NFS file systems, lift-and-shift workloads

Procedure

T1: Quick Architecture Recommendation (≤2k tokens)

Fast path for 80% of GCP architecture decisions:

1. Workload classification:
2. Web application: Cloud Run + Cloud SQL OR Cloud Load Balancing + GKE
3. Data processing: Cloud Functions + Cloud Storage + Dataflow OR Dataproc for big data
4. Real-time: Pub/Sub + Cloud Run + Firestore OR GKE with streaming
5. Batch: Cloud Tasks + Cloud Functions OR Batch for large-scale processing

6. Machine learning: Vertex AI + Cloud Storage + Cloud Run for inference

7. Core service selection:

8. Compute: Choose based on decision thresholds (see Pre-Checks)
9. Storage: Cloud Storage for objects, Cloud SQL/Firestore for databases, Persistent Disk for block
10. Networking: VPC with subnets, Cloud NAT, Cloud Load Balancing

11. Integration: Eventarc for events, Pub/Sub for messaging, Workflows for orchestration

12. Quick cost estimate:

13. Compute: VM hours x hourly rate OR Cloud Run requests x execution time
14. Storage: GB stored x storage class rate + data transfer costs
15. Networking: egress charges + load balancer costs

16. Database: instance hours + storage + I/O (Cloud SQL) OR read/write operations (Firestore)

17. Security baseline:

18. VPC with private subnets for compute, public subnets for load balancers
19. Firewall rules with least-privilege ingress/egress
20. Service accounts with predefined IAM roles (no basic roles)
21. Encryption at rest (Cloud Storage default encryption, disk encryption, Cloud SQL encryption)

22. Encryption in transit (TLS/HTTPS required)

23. Output (T1):

24. GCP service architecture diagram (textual description with service names)
25. Core services with justification (compute, storage, database, networking)
26. Rough monthly cost estimate (±30% accuracy)
27. Architecture Framework pillar alignment summary
28. Recommended next steps for T2 detailed design

Abort conditions:
- Workload requirements unclear or conflicting
- Compliance requirements needing legal review (note for T2)
- Budget constraints conflict with availability requirements

T2: Detailed Architecture Design with IaC (≤6k tokens)

For production-ready GCP architectures with infrastructure-as-code:

1. All T1 steps plus:

2. Comprehensive service integration:

Compute tier:
- Compute Engine: machine family selection (general-purpose n2, compute-optimized c2, memory-optimized m2)
- Managed Instance Groups with autoscaling policies (CPU, load balancer utilization, custom metrics)
- Instance templates with startup scripts
- Spot VMs for fault-tolerant workloads (60-91% cost savings)
- Cloud Run: automatic scaling with concurrency limits, minimum instances, CPU allocation
- Cloud Functions: runtime selection (Python 3.12, Node.js 20), memory optimization, max instances
- GKE: Autopilot for fully managed OR Standard with node pools, cluster autoscaler, workload identity

Storage tier:
- Cloud Storage: bucket policies with encryption (Google-managed or customer-managed), versioning, lifecycle policies
- Storage classes: Standard, Nearline (30-day minimum), Coldline (90-day), Archive (365-day)
- Object lifecycle management for automatic cost optimization
- Transfer Service for large-scale data migration
- Persistent Disk: disk types (balanced pd-balanced, SSD pd-ssd, standard pd-standard, extreme pd-extreme)
- Filestore: service tiers (Basic HDD/SSD, Enterprise for high availability)

Networking tier:
- VPC design: subnet creation with custom IP ranges, multi-region for HA
- Public subnets for load balancers and bastion hosts
- Private subnets for compute with Cloud NAT for outbound internet access
- Private Service Connect for private access to Google APIs
- Firewall rules with tags and service accounts for dynamic security
- Cloud Load Balancing: Global HTTP(S), Regional Network, Internal TCP/UDP
- Cloud CDN for content delivery with cache modes
- Cloud Armor for WAF and DDoS protection

Serverless integration:
- Cloud Run for containerized HTTP services with custom domains, authentication
- Cloud Functions with Eventarc triggers (Pub/Sub, Cloud Storage, direct events)
- Workflows for state machine orchestration with retries and error handling
- Pub/Sub for async messaging (exactly-once delivery, dead-letter topics)
- Cloud Tasks for task queue management with rate limiting

Database selection:
- Cloud SQL: engine choice (PostgreSQL, MySQL), high availability with automatic failover
- AlloyDB for PostgreSQL-compatible high-performance workloads
- Cloud Spanner: globally distributed relational with strong consistency
- Firestore: serverless NoSQL document database with real-time sync
- Bigtable: wide-column NoSQL for high-throughput analytics
- BigQuery: serverless data warehouse with petabyte-scale analytics

1. Architecture Framework deep-dive:

Operational Excellence:
- Terraform for IaC with remote state in Cloud Storage
- Cloud Logging centralization with log sinks and exports
- Cloud Monitoring dashboards, alerts, and uptime checks
- Cloud Trace for distributed tracing
- Config Connector for Kubernetes-based infrastructure management

Security:
- Service accounts for workload identity (no service account keys for VMs)
- IAM policies with least privilege, organization policies for constraints
- Secret Manager for sensitive data with automatic rotation
- Security Command Center for threat detection and compliance monitoring
- VPC Service Controls for data exfiltration prevention
- Cloud Armor for application layer security
- Binary Authorization for container image signing and deployment policies
- Cloud KMS customer-managed encryption keys (CMEK) with key rotation

Reliability:
- Multi-zone deployments (at least 2 zones, 3 for critical workloads)
- Multi-region for disaster recovery (warm standby or active-active)
- Cloud Load Balancing health checks with automatic failover
- Cloud SQL automated backups with point-in-time recovery, cross-region replicas
- Cloud Storage multi-region or dual-region for critical data
- Deployment Manager or Terraform for consistent multi-region deployment

Performance Efficiency:
- Cloud CDN for static content caching
- Memorystore (Redis/Memcached) for application caching
- Cloud SQL read replicas for read-heavy workloads
- Firestore with proper indexing and query optimization
- Cloud Run minimum instances to reduce cold start latency
- Persistent Disk provisioned IOPS for database performance

Cost Optimization:
- Committed Use Discounts (up to 55%, up to 70% for memory-optimized) for 1-year or 3-year commitments
- Spot VMs for batch and fault-tolerant workloads (60-91% discount)
- Cloud Storage lifecycle policies (Standard → Nearline → Coldline → Archive)
- Right-sizing recommendations from Active Assist
- Autoscaling to match capacity with demand
- Labels and network tags for cost attribution
- Cloud Billing budgets and alerts

1. Infrastructure-as-Code generation:

Terraform approach:
- Modular configuration with separate files (network.tf, compute.tf, database.tf, storage.tf)
- Variables for environment-specific values (project ID, region, machine types)
- Outputs for cross-module references (VPC ID, subnet IDs)
- Remote state in Cloud Storage with state locking
- Google provider configuration with explicit versions

1. Security hardening:
2. OS Login for SSH key management via IAM
3. Private Google Access for VM access to Google APIs without external IPs
4. Cloud SQL with private IP and Cloud SQL Auth Proxy
5. VPC Service Controls perimeter for data protection
6. Organization policies to enforce security constraints
7. Security Health Analytics for vulnerability scanning
8. Cloud Asset Inventory for resource discovery and compliance

9. Cloud Audit Logs for API activity monitoring

10. Cost estimation (detailed):

11. Compute: machine family, hours/month, committed use discount
12. Storage: Cloud Storage classes, operations, data transfer
13. Database: Cloud SQL instance hours, storage, backups
14. Networking: egress charges (inter-region, internet), load balancer hours
15. Total Cost of Ownership (TCO): 1-year and 3-year projections

16. Cost optimization opportunities: committed use, Spot VMs, rightsizing, lifecycle policies

17. Migration strategy (if current_architecture provided):

18. Discovery phase: Migrate to Virtual Machines assessment, Database Migration Service compatibility checks
19. Planning: TCO estimation, service mapping
20. Migration waves:
    • Wave 1: Stateless web tier (lift-and-shift to Compute Engine or containerize for Cloud Run/GKE)
    • Wave 2: Database tier (Database Migration Service for minimal downtime, or snapshot restore)
    • Wave 3: Integration points (Pub/Sub, Memorystore, Cloud Storage)
21. Cutover strategy: DNS-based with Cloud Load Balancing traffic splitting (10% → 50% → 100%)

22. Validation: smoke tests, performance benchmarks, rollback procedures

23. Output (T2):

24. Complete architecture diagram with all GCP services and data flows
25. Terraform configuration (modular, production-ready)
26. Detailed cost estimate with 1-year/3-year TCO and optimization recommendations
27. IAM policies and firewall rules (least-privilege)
28. Architecture Framework assessment with pillar scores and recommendations
29. Deployment guide with prerequisites and step-by-step instructions
30. Migration plan with timeline, risks, and rollback procedures (if applicable)
31. Monitoring and alerting configuration (Cloud Monitoring dashboards, alert policies)

Abort conditions:
- Specialized GPU/TPU requirements needing detailed machine family expertise
- Highly regulated workloads (FedRAMP, IL5) requiring compliance specialist review
- Complex hybrid connectivity (Dedicated Interconnect, Partner Interconnect mesh) needing network architect
- Custom OS image creation or hardening outside of GCP managed services

T3: Not Implemented

Note: This skill implements T1 (quick recommendations) and T2 (detailed design with IaC) tiers only. T2 provides production-ready GCP architectures with comprehensive Architecture Framework assessment, security hardening, cost optimization, and migration planning. For specialized scenarios requiring deeper analysis (custom compliance frameworks, complex hybrid architectures, or organization-wide GCP setup), consult Google Cloud Customer Engineers or Google Cloud Professional Services.

Future T3 considerations:
- Organization-wide GCP setup with Cloud Identity and resource hierarchy design
- Multi-project strategy with shared VPC and centralized billing
- Complex hybrid architectures with Dedicated Interconnect and Cloud VPN mesh
- Custom compliance frameworks beyond standard Security Command Center detectors
- Anthos and hybrid/multi-cloud deployment patterns
- Large-scale migration program management with portfolio assessment

Decision Rules

Compute service selection:
- Cloud Functions if all of:
- Stateless or state in Firestore/Cloud Storage
- <9min execution time (<540 seconds)
- Event-driven (Pub/Sub, Cloud Storage, Eventarc)
- Variable/unpredictable load (auto-scales to zero)
- Minimal configuration preferred

• Cloud Run if:
• Containerized application
• HTTP/gRPC endpoints
• Automatic scaling desired (including scale-to-zero)
• Pay-per-use pricing preferred

• No Kubernetes complexity needed

• GKE if:

• Kubernetes-native (existing K8s apps or team expertise)
• Complex orchestration (>20 microservices)
• Multi-cloud portability required

• Advanced networking (Istio, Anthos Service Mesh)

• Compute Engine if:

• Full OS control (custom kernel, drivers)
• Specialized machine types (GPU, high memory, sole-tenant)
• Legacy applications not containerizable
• Bring Your Own License (BYOL)

Storage service selection:
- Cloud Storage for: object storage, static assets, data lakes, backups, archival
- Persistent Disk for: VM block storage, databases (PostgreSQL, MySQL), low-latency
- Filestore for: NFS file shares across VMs/GKE, lift-and-shift file workloads
- Cloud Storage for Firebase for: mobile/web app file storage with client SDKs

Database service selection:
- Cloud Spanner if: globally distributed relational, strong consistency, horizontal scaling
- Cloud SQL if: managed relational database, regional deployment, PostgreSQL/MySQL compatibility
- AlloyDB if: high-performance PostgreSQL, 4x faster than standard PostgreSQL
- Firestore if: serverless NoSQL document store, real-time synchronization, mobile/web apps
- Bigtable if: wide-column NoSQL, high-throughput (>1M ops/sec), analytics workloads
- BigQuery if: data warehouse, OLAP analytics, petabyte-scale, SQL interface

Networking design:
- Single VPC if: small footprint (<100 resources), single application
- Shared VPC if: multiple projects need network connectivity, centralized network administration
- VPC Peering if: VPCs in different organizations need connectivity
- Cloud NAT vs Private Google Access: use Private Google Access for Google APIs access without external IPs

Multi-region strategy:
- Single region if: latency requirements met, no DR requirements, cost-sensitive
- Multi-region active-passive if: disaster recovery (RTO <1 hour, RPO <1 hour)
- Multi-region active-active if: global user base, <100ms latency requirement, highest availability

Ambiguity handling:
- If workload type unclear → request architecture diagram or user journey map
- If performance requirements unknown → recommend T1 baseline with monitoring, iterate
- If budget constraints conflict with availability → present trade-off matrix with RTO/RPO vs cost

Stop conditions:
- Conflicting requirements (e.g., "lowest cost + highest availability + multi-region")
- Regulatory requirements without defined compliance framework
- No clear application architecture or data flow documentation (T2 requires this)

Output Contract

Required fields (all tiers):

{
  "architecture": {
    "workload_type": "web-app | data-processing | real-time | batch | ml | hybrid",
    "services": [
      {
        "category": "compute | storage | database | networking | integration | security",
        "service_name": "GCP service name (e.g., Compute Engine, Cloud Run, Cloud Functions)",
        "rationale": "why this service was selected",
        "configuration_summary": "key configuration details"
      }
    ],
    "data_flow": "textual description of data flow between services"
  },
  "cost_estimate": {
    "monthly_usd": "number (approximate for T1, detailed for T2)",
    "breakdown": {
      "compute": "number",
      "storage": "number",
      "database": "number",
      "networking": "number",
      "other": "number"
    },
    "optimization_opportunities": ["array of cost reduction recommendations"]
  },
  "architecture_framework_alignment": {
    "operational_excellence": "high | medium | low with justification",
    "security": "high | medium | low with justification",
    "reliability": "high | medium | low with justification",
    "performance_efficiency": "high | medium | low with justification",
    "cost_optimization": "high | medium | low with justification"
  },
  "next_steps": ["array of actionable recommendations"]
}

Additional T2 fields:

{
  "iac_code": {
    "type": "terraform",
    "files": [
      {
        "filename": "string (e.g., main.tf, variables.tf)",
        "content": "string (Terraform HCL code)",
        "description": "purpose of this configuration file"
      }
    ]
  },
  "security_configuration": {
    "iam_policies": [
      {
        "service_account": "string",
        "roles": ["array of predefined IAM roles with least privilege"]
      }
    ],
    "firewall_rules": [
      {
        "name": "string",
        "direction": "INGRESS | EGRESS",
        "allowed": ["array of allowed protocols and ports"],
        "source_ranges": ["array of source CIDR blocks or tags"]
      }
    ],
    "encryption": {
      "at_rest": "services and encryption methods (Google-managed or CMEK)",
      "in_transit": "TLS configuration and certificate management"
    }
  },
  "monitoring": {
    "dashboards": "description of key metrics to monitor",
    "alert_policies": [
      {
        "metric": "string (e.g., compute.googleapis.com/instance/cpu/utilization)",
        "threshold": "number",
        "action": "notification channel or action"
      }
    ],
    "logs": "centralized logging strategy (Cloud Logging, log sinks)"
  },
  "migration_plan": {
    "phases": [
      {
        "phase_number": "integer",
        "description": "string",
        "services_migrated": ["array of GCP services deployed"],
        "duration": "string (e.g., 2 weeks)",
        "success_criteria": ["array of validation steps"],
        "rollback_procedure": "string"
      }
    ]
  }
}

Examples

# T1 Example: Serverless Web Application Architecture
# Cloud Run + Cloud SQL + Cloud Storage + Cloud CDN

Services:
  Compute: Cloud Run (Python 3.12, 1 vCPU, 512Mi memory, auto-scale 0-100)
  Database: Cloud SQL PostgreSQL (db-f1-micro, 10GB storage, automated backups)
  Storage: Cloud Storage (Standard class, static assets + user uploads)
  CDN: Cloud CDN (distribution for Cloud Storage + Cloud Run)
  Load Balancer: Global HTTP(S) Load Balancer (with SSL certificate)
  Auth: Identity Platform (user management, social auth providers)

Estimated Monthly Cost (10K users, 1M requests):
  Cloud Run: $15 (1M requests, 512Mi, 200ms avg execution)
  Cloud SQL: $25 (db-f1-micro, 10GB storage, 100 connection hours)
  Cloud Storage: $3 (10GB Standard storage, 100K requests)
  Cloud CDN: $12 (100GB cache egress)
  Load Balancer: $8 (forwarding rules + bandwidth)
  Total: ~$63/month

(Full T2 Terraform example: /resources/terraform-serverless-webapp/)

Quality Gates

Token budgets (enforced):
- T1: ≤2,000 tokens - service selection + cost estimate + Architecture Framework summary
- T2: ≤6,000 tokens - detailed design + Terraform templates + security + migration plan

Safety checks:
- No service account keys in Terraform (use workload identity or default service accounts)
- IAM policies use predefined roles where possible (avoid overly permissive custom roles)
- Firewall rules have no 0.0.0.0/0 ingress for SSH (use Identity-Aware Proxy)
- Cloud Storage buckets have appropriate access controls (no public access unless required)
- Encryption enabled for all data stores (Cloud Storage, Persistent Disk, Cloud SQL)

Auditability:
- All GCP service recommendations cite official documentation with access date (NOW_ET)
- Cost estimates include calculation methodology (instance hours, GB-months, requests)
- Architecture Framework pillars mapped to specific GCP services and configurations
- Compliance controls (if applicable) mapped to Security Command Center standards

Determinism:
- Given same inputs, produce identical service selection recommendations
- Cost estimates use consistent GCP pricing (with committed use/Spot VM discounts noted)
- Terraform configurations follow Google Cloud best practices

Validation requirements:
- T2 Terraform configurations must pass terraform validate
- IAM policies must use valid predefined or custom role names
- Firewall rules must have valid CIDR blocks and protocol/port combinations

Resources

Official GCP Documentation (accessed 2025-10-26T14:30:00-04:00):
- GCP Architecture Framework: https://cloud.google.com/architecture/framework
- GCP Architecture Center: https://cloud.google.com/architecture
- GCP Compute Services: https://cloud.google.com/products/compute
- GCP Storage Services: https://cloud.google.com/products/storage
- GCP Networking: https://cloud.google.com/vpc/docs
- GCP Hosting Options: https://cloud.google.com/hosting-options

GCP Service Documentation:
- Compute Engine: https://cloud.google.com/compute/docs
- Cloud Run: https://cloud.google.com/run/docs
- Cloud Functions: https://cloud.google.com/functions/docs
- Google Kubernetes Engine: https://cloud.google.com/kubernetes-engine/docs
- Cloud Storage: https://cloud.google.com/storage/docs
- Cloud SQL: https://cloud.google.com/sql/docs
- Cloud Spanner: https://cloud.google.com/spanner/docs
- Firestore: https://cloud.google.com/firestore/docs
- BigQuery: https://cloud.google.com/bigquery/docs

Infrastructure-as-Code:
- Terraform on GCP: https://cloud.google.com/docs/terraform
- Terraform Google Provider: https://registry.terraform.io/providers/hashicorp/google/latest/docs
- Terraform Modules for GCP: https://github.com/terraform-google-modules
- Config Connector: https://cloud.google.com/config-connector/docs

Cost Optimization:
- GCP Pricing Calculator: https://cloud.google.com/products/calculator
- Committed Use Discounts: https://cloud.google.com/compute/docs/instances/signing-up-committed-use-discounts
- Spot VMs: https://cloud.google.com/compute/docs/instances/spot
- Cloud Billing: https://cloud.google.com/billing/docs
- Active Assist Recommendations: https://cloud.google.com/recommender/docs

Security Best Practices:
- IAM Overview: https://cloud.google.com/iam/docs/overview
- IAM Best Practices: https://cloud.google.com/iam/docs/best-practices
- Security Command Center: https://cloud.google.com/security-command-center/docs
- Secret Manager: https://cloud.google.com/secret-manager/docs
- VPC Service Controls: https://cloud.google.com/vpc-service-controls/docs
- Binary Authorization: https://cloud.google.com/binary-authorization/docs

Example Templates:
- /resources/terraform-serverless-webapp/ - Complete serverless web app with Cloud Run, Cloud SQL, Cloud Storage
- /resources/terraform-gke-cluster/ - GKE Standard cluster with node pools, autoscaling, workload identity
- /resources/iam-least-privilege-examples.json - Example IAM bindings with predefined roles
- /resources/vpc-reference-architecture.tf - Multi-zone VPC with public/private subnets

Migration Resources:
- Migrate to Virtual Machines: https://cloud.google.com/migrate/virtual-machines/docs
- Database Migration Service: https://cloud.google.com/database-migration/docs
- Transfer Service: https://cloud.google.com/storage-transfer/docs
- Migration Guides: https://cloud.google.com/architecture/migration-to-gcp-getting-started