diff --git a/fast/stages/01-resman/branch-data-platform.tf b/fast/stages/01-resman/branch-data-platform.tf
index 237f8fb1..03a2fa96 100644
--- a/fast/stages/01-resman/branch-data-platform.tf
+++ b/fast/stages/01-resman/branch-data-platform.tf
@@ -56,7 +56,8 @@ module "branch-dp-dev-folder" {
   }
   tag_bindings = {
     context = try(
-      module.organization.tag_values["${var.tag_names.environment}/development"].id, null
+      module.organization.tag_values["${var.tag_names.environment}/development"].id,
+      null
     )
   }
 }
@@ -82,7 +83,8 @@ module "branch-dp-prod-folder" {
   }
   tag_bindings = {
     context = try(
-      module.organization.tag_values["${var.tag_names.environment}/production"].id, null
+      module.organization.tag_values["${var.tag_names.environment}/production"].id,
+      null
     )
   }
 }
diff --git a/fast/stages/01-resman/branch-gke.tf b/fast/stages/01-resman/branch-gke.tf
index 72b3ffec..42d640e7 100644
--- a/fast/stages/01-resman/branch-gke.tf
+++ b/fast/stages/01-resman/branch-gke.tf
@@ -16,99 +16,137 @@
 # tfdoc:file:description GKE multitenant stage resources.
-# top-level gke folder
+moved {
+  from = module.branch-gke-folder
+  to   = module.branch-gke-folder.0
+}
 module "branch-gke-folder" {
   source = "../../../modules/folder"
+  count  = var.fast_features.gke ? 1 : 0
   parent = "organizations/${var.organization.id}"
   name   = "GKE"
-  # iam = {
-  #   "roles/logging.admin"                  = [module.branch-gke-sa.iam_email]
-  #   "roles/owner"                          = [module.branch-gke-sa.iam_email]
-  #   "roles/resourcemanager.folderAdmin"    = [module.branch-gke-sa.iam_email]
-  #   "roles/resourcemanager.projectCreator" = [module.branch-gke-sa.iam_email]
-  # }
-}
-
-# GKE-level folders, service accounts and buckets for each individual environment
-
-module "branch-gke-prod-folder" {
-  source = "../../../modules/folder"
-  parent = module.branch-gke-folder.id
-  name   = "Production"
-  iam = {
-    "roles/owner" = [
-      module.branch-gke-prod-sa.iam_email
-    ]
-    "roles/resourcemanager.projectCreator" = [
-      module.branch-gke-prod-sa.iam_email
-    ]
-    "roles/compute.xpnAdmin" = [
-      module.branch-gke-prod-sa.iam_email
-    ]
+  tag_bindings = {
+    context = try(
+      module.organization.tag_values["${var.tag_names.context}/gke"].id, null
+    )
   }
 }
-module "branch-gke-prod-sa" {
-  source      = "../../../modules/iam-service-account"
-  project_id  = var.automation.project_id
-  name        = "prod-resman-gke-0"
-  description = "Terraform gke multitenant prod service account."
-  prefix      = var.prefix
-  iam = {
-    # FIXME(jccb): who should we use here?
-    "roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
-  }
+moved {
+  from = module.branch-gke-dev-folder
+  to   = module.branch-gke-dev-folder.0
 }
-module "branch-gke-prod-gcs" {
-  source     = "../../../modules/gcs"
-  project_id = var.automation.project_id
-  name       = "prod-resman-gke-0"
-  prefix     = var.prefix
-  versioning = true
-  iam = {
-    "roles/storage.objectAdmin" = [module.branch-gke-prod-sa.iam_email]
-  }
-}
-
-
 module "branch-gke-dev-folder" {
   source = "../../../modules/folder"
-  parent = module.branch-gke-folder.id
+  count  = var.fast_features.gke ? 1 : 0
+  parent = module.branch-gke-folder.0.id
   name   = "Development"
   iam = {
-    "roles/owner" = [
-      module.branch-gke-dev-sa.iam_email
-    ]
-    "roles/resourcemanager.projectCreator" = [
-      module.branch-gke-dev-sa.iam_email
-    ]
-    "roles/compute.xpnAdmin" = [
-      module.branch-gke-dev-sa.iam_email
-    ]
+    "roles/owner"                          = [module.branch-gke-dev-sa.0.iam_email]
+    "roles/logging.admin"                  = [module.branch-gke-dev-sa.0.iam_email]
+    "roles/resourcemanager.folderAdmin"    = [module.branch-gke-dev-sa.0.iam_email]
+    "roles/resourcemanager.projectCreator" = [module.branch-gke-dev-sa.0.iam_email]
+    "roles/compute.xpnAdmin"               = [module.branch-gke-dev-sa.0.iam_email]
   }
+  tag_bindings = {
+    context = try(
+      module.organization.tag_values["${var.tag_names.environment}/development"].id,
+      null
+    )
+  }
+}
+
+moved {
+  from = module.branch-gke-prod-folder
+  to   = module.branch-gke-prod-folder.0
+}
+
+module "branch-gke-prod-folder" {
+  source = "../../../modules/folder"
+  count  = var.fast_features.gke ? 1 : 0
+  parent = module.branch-gke-folder.0.id
+  name   = "Production"
+  iam = {
+    "roles/owner"                          = [module.branch-gke-prod-sa.0.iam_email]
+    "roles/logging.admin"                  = [module.branch-gke-prod-sa.0.iam_email]
+    "roles/resourcemanager.folderAdmin"    = [module.branch-gke-prod-sa.0.iam_email]
+    "roles/resourcemanager.projectCreator" = [module.branch-gke-prod-sa.0.iam_email]
+    "roles/compute.xpnAdmin"               = [module.branch-gke-prod-sa.0.iam_email]
+  }
+  tag_bindings = {
+    context = try(
+      module.organization.tag_values["${var.tag_names.environment}/production"].id,
+      null
+    )
+  }
+}
+
+moved {
+  from = module.branch-gke-dev-sa
+  to   = module.branch-gke-dev-sa.0
 }
 module "branch-gke-dev-sa" {
   source      = "../../../modules/iam-service-account"
+  count       = var.fast_features.gke ? 1 : 0
   project_id  = var.automation.project_id
   name        = "dev-resman-gke-0"
   description = "Terraform gke multitenant dev service account."
   prefix      = var.prefix
   iam = {
-    # FIXME(jccb): who should we use here?
     "roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
   }
 }
+moved {
+  from = module.branch-gke-prod-sa
+  to   = module.branch-gke-prod-sa.0
+}
+
+module "branch-gke-prod-sa" {
+  source      = "../../../modules/iam-service-account"
+  count       = var.fast_features.gke ? 1 : 0
+  project_id  = var.automation.project_id
+  name        = "prod-resman-gke-0"
+  description = "Terraform gke multitenant prod service account."
+  prefix      = var.prefix
+  iam = {
+    "roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
+  }
+}
+
+moved {
+  from = module.branch-gke-dev-gcs
+  to   = module.branch-gke-dev-gcs.0
+}
+
 module "branch-gke-dev-gcs" {
   source     = "../../../modules/gcs"
+  count      = var.fast_features.gke ? 1 : 0
   project_id = var.automation.project_id
   name       = "dev-resman-gke-0"
   prefix     = var.prefix
   versioning = true
   iam = {
-    "roles/storage.objectAdmin" = [module.branch-gke-dev-sa.iam_email]
+    "roles/storage.objectAdmin" = [module.branch-gke-dev-sa.0.iam_email]
+  }
+}
+
+moved {
+  from = module.branch-gke-prod-gcs
+  to   = module.branch-gke-prod-gcs.0
+}
+
+module "branch-gke-prod-gcs" {
+  source     = "../../../modules/gcs"
+  count      = var.fast_features.gke ? 1 : 0
+  project_id = var.automation.project_id
+  name       = "prod-resman-gke-0"
+  prefix     = var.prefix
+  versioning = true
+  iam = {
+    "roles/storage.objectAdmin" = [module.branch-gke-prod-sa.0.iam_email]
   }
 }
diff --git a/fast/stages/01-resman/branch-networking.tf b/fast/stages/01-resman/branch-networking.tf
index 952c8326..bf15c468 100644
--- a/fast/stages/01-resman/branch-networking.tf
+++ b/fast/stages/01-resman/branch-networking.tf
@@ -50,15 +50,16 @@ module "branch-network-prod-folder" {
   parent = module.branch-network-folder.id
   name   = "Production"
   iam = {
-    "roles/compute.xpnAdmin" = compact([
+    (local.custom_roles.service_project_network_admin) = compact([
       try(module.branch-dp-prod-sa.0.iam_email, ""),
       try(module.branch-pf-prod-sa.0.iam_email, ""),
-      module.branch-gke-prod-sa.iam_email,
+      try(module.branch-gke-prod-sa.0.iam_email, ""),
     ])
   }
   tag_bindings = {
     environment = try(
-      module.organization.tag_values["${var.tag_names.environment}/production"].id, null
+      module.organization.tag_values["${var.tag_names.environment}/production"].id,
+      null
     )
   }
 }
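Review bot: The `iam` maps of `branch-gke-dev-folder` and `branch-gke-prod-folder` now grant the stage service account `roles/owner` together with `roles/logging.admin`, `roles/resourcemanager.folderAdmin`, `roles/resourcemanager.projectCreator` and `roles/compute.xpnAdmin`, which is wider than the removed lines (owner, projectCreator, xpnAdmin) and carries no comment explaining what the two extra roles are needed for. At folder scope `roles/owner` most likely already covers the folder, project-creation and logging permissions, so either the narrower roles are redundant or owner is; a comment such as `# TODO(review): state why roles/owner is needed on top of the narrower roles, or drop the ones it subsumes` would make the intended privilege level reviewable. The `# FIXME(jccb): who should we use here?` line was dropped from both service-account blocks while the `roles/iam.serviceAccountTokenCreator` grant to `group:${local.groups.gcp-devops}` stayed as it was; if that group is now the deliberate impersonator of the GKE stage SAs, record it next to the grant rather than leaving the decision to be inferred from a deleted FIXME.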
@@ -71,12 +72,13 @@ module "branch-network-dev-folder" {
     (local.custom_roles.service_project_network_admin) = compact([
       try(module.branch-dp-dev-sa.0.iam_email, ""),
       try(module.branch-pf-dev-sa.0.iam_email, ""),
-      module.branch-gke-dev-sa.iam_email,
+      try(module.branch-gke-dev-sa.iam_email, ""),
     ])
   }
   tag_bindings = {
     environment = try(
-      module.organization.tag_values["${var.tag_names.environment}/development"].id, null
+      module.organization.tag_values["${var.tag_names.environment}/development"].id,
+      null
     )
   }
 }
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index 0de7193a..913a5f86 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -29,8 +29,8 @@ locals {
   branch_gke_sa_iam_emails = (
     var.fast_features.gke
     ? [
-      module.branch-gke-dev-sa.iam_email,
-      module.branch-gke-prod-sa.iam_email
+      module.branch-gke-dev-sa.0.iam_email,
+      module.branch-gke-prod-sa.0.iam_email
     ]
     : []
   )
diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf
index e57a4ca8..44152069 100644
--- a/fast/stages/01-resman/outputs.tf
+++ b/fast/stages/01-resman/outputs.tf
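Review bot: The added dev-folder line `try(module.branch-gke-dev-sa.iam_email, "")` is missing the `.0` index that the prod hunk above and every other reference in this commit use now that `branch-gke-dev-sa` is declared with `count`. Because the counted module is a list, that expression either fails at plan time or, if `try` swallows it, yields `""`, which `compact` drops, so the dev GKE stage SA silently loses `service_project_network_admin` on the dev networking folder even when `fast_features.gke` is enabled. It should read `try(module.branch-gke-dev-sa.0.iam_email, ""),`. The `branch-network-dev-folder` module starts before this hunk.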
@@ -62,16 +62,16 @@ locals {
   }
   folder_ids = merge(
     {
-      data-platform-dev    = try(module.branch-dp-dev-folder.0.id, null)
-      data-platform-prod   = try(module.branch-dp-prod-folder.0.id, null)
-      gke-multitenant-dev  = module.branch-gke-dev-folder.id
-      gke-multitenant-prod = module.branch-gke-prod-folder.id
-      networking           = module.branch-network-folder.id
-      networking-dev       = module.branch-network-dev-folder.id
-      networking-prod      = module.branch-network-prod-folder.id
-      sandbox              = try(module.branch-sandbox-folder.0.id, null)
-      security             = module.branch-security-folder.id
-      teams                = try(module.branch-teams-folder.0.id, null)
+      data-platform-dev  = try(module.branch-dp-dev-folder.0.id, null)
+      data-platform-prod = try(module.branch-dp-prod-folder.0.id, null)
+      gke-dev            = try(module.branch-gke-dev-folder.0.id, null)
+      gke-prod           = try(module.branch-gke-prod-folder.0.id, null)
+      networking         = module.branch-network-folder.id
+      networking-dev     = module.branch-network-dev-folder.id
+      networking-prod    = module.branch-network-prod-folder.id
+      sandbox            = try(module.branch-sandbox-folder.0.id, null)
+      security           = module.branch-security-folder.id
+      teams              = try(module.branch-teams-folder.0.id, null)
     },
     {
       for k, v in module.branch-teams-team-folder :
@@ -98,16 +98,6 @@ locals {
       name   = "security"
       sa     = module.branch-security-sa.email
     })
-    "03-gke-dev" = templatefile(local._tpl_providers, {
-      bucket = module.branch-gke-dev-gcs.name
-      name   = "gke-dev"
-      sa     = module.branch-gke-dev-sa.email
-    })
-    "03-gke-prod" = templatefile(local._tpl_providers, {
-      bucket = module.branch-gke-prod-gcs.name
-      name   = "gke-prod"
-      sa     = module.branch-gke-prod-sa.email
-    })
   },
   !var.fast_features.data_platform ? {} : {
     "03-data-platform-dev" = templatefile(local._tpl_providers, {
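Review bot: The `folder_ids` keys are renamed to `gke-dev`/`gke-prod` here, and the 02-networking `service_accounts` variable in this same diff is renamed to the same keys, but the `service_accounts` local that produces that map is not part of this diff; if it still emits `gke-multitenant-dev`/`gke-multitenant-prod`, the stage-02 object type will reject the generated tfvars as soon as the outputs are consumed. Presumably it is renamed in the same commit — please confirm, since a mismatch here removes the GKE stage SAs from the spoke IAM bindings rather than failing loudly if the networking side ever switches to `try(..., "")`. The `locals` block containing `folder_ids` starts before this hunk.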
@@ -121,6 +111,18 @@ locals {
       sa     = module.branch-dp-prod-sa.0.email
     })
   },
+  !var.fast_features.gke ? {} : {
+    "03-gke-dev" = templatefile(local._tpl_providers, {
+      bucket = module.branch-gke-dev-gcs.0.name
+      name   = "gke-dev"
+      sa     = module.branch-gke-dev-sa.0.email
+    })
+    "03-gke-prod" = templatefile(local._tpl_providers, {
+      bucket = module.branch-gke-prod-gcs.0.name
+      name   = "gke-prod"
+      sa     = module.branch-gke-prod-sa.0.email
+    })
+  },
   !var.fast_features.project_factory ? {} : {
     "03-project-factory-dev" = templatefile(local._tpl_providers, {
       bucket = module.branch-pf-dev-gcs.0.name
@@ -252,18 +254,22 @@ output "security" {
 output "gke_multitenant" {
   # tfdoc:output:consumers 03-gke-multitenant
   description = "Data for the GKE multitenant stage."
-  value = {
-    "dev" = {
-      folder          = module.branch-gke-dev-folder.id
-      gcs_bucket      = module.branch-gke-dev-gcs.name
-      service_account = module.branch-gke-dev-sa.email
+  value = (
+    var.fast_features.gke
+    ? {
+      "dev" = {
+        folder          = module.branch-gke-dev-folder.0.id
+        gcs_bucket      = module.branch-gke-dev-gcs.0.name
+        service_account = module.branch-gke-dev-sa.0.email
+      }
+      "prod" = {
+        folder          = module.branch-gke-prod-folder.0.id
+        gcs_bucket      = module.branch-gke-prod-gcs.0.name
+        service_account = module.branch-gke-prod-sa.0.email
+      }
     }
-    "prod" = {
-      folder          = module.branch-gke-prod-folder.id
-      gcs_bucket      = module.branch-gke-prod-gcs.name
-      service_account = module.branch-gke-prod-sa.email
-    }
-  }
+    : {}
+  )
 }
 output "teams" {
diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
index f74fe8b7..68d2645b 100644
--- a/fast/stages/02-networking-nva/spoke-dev.tf
+++ b/fast/stages/02-networking-nva/spoke-dev.tf
@@ -126,7 +126,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   members = compact([
     local.service_accounts.data-platform-dev,
     local.service_accounts.project-factory-dev,
-    local.service_accounts.gke-multitenant-dev,
+    local.service_accounts.gke-dev,
   ])
   condition {
     title       = "dev_stage3_sa_delegated_grants"
diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
index 3e54419e..1edfdc75 100644
--- a/fast/stages/02-networking-nva/spoke-prod.tf
+++ b/fast/stages/02-networking-nva/spoke-prod.tf
@@ -126,7 +126,7 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   members = compact([
     local.service_accounts.data-platform-prod,
     local.service_accounts.project-factory-prod,
-    local.service_accounts.gke-multitenant-prod,
+    local.service_accounts.gke-prod,
   ])
   condition {
     title       = "prod_stage3_sa_delegated_grants"
diff --git a/fast/stages/02-networking-nva/variables.tf b/fast/stages/02-networking-nva/variables.tf
index 2fe29d78..594afd26 100644
--- a/fast/stages/02-networking-nva/variables.tf
+++ b/fast/stages/02-networking-nva/variables.tf
@@ -209,8 +209,8 @@ variable "service_accounts" {
   type = object({
     data-platform-dev    = string
     data-platform-prod   = string
-    gke-multitenant-dev  = string
-    gke-multitenant-prod = string
+    gke-dev              = string
+    gke-prod             = string
     project-factory-dev  = string
     project-factory-prod = string
   })
diff --git a/fast/stages/02-networking-peering/README.md b/fast/stages/02-networking-peering/README.md
index 3bd20824..ae2ddf17 100644
--- a/fast/stages/02-networking-peering/README.md
+++ b/fast/stages/02-networking-peering/README.md
@@ -151,8 +151,8 @@ There are two broad sets of variables you will need to fill in:
 To avoid the tedious job of filling in the first group of variables with values derived from other stages' outputs, the same mechanism used above for the provider configuration can be used to leverage pre-configured `.tfvars` files.
-If you have set a valid value for `outputs_location` in the bootstrap and in the resman stage, simply link the relevant `*.auto.tfvars.json` files from this stage's folder in the path you specified.
-The `*` above is set to the name of the stage that produced it, except for `globals.auto.tfvars.json` which is also generated by the bootstrap stage, containing global values compiled manually for the bootstrap stage.
+If you have set a valid value for `outputs_location` in the bootstrap and in the resman stage, simply link the relevant `*.auto.tfvars.json` files from this stage's folder in the path you specified.
+The `*` above is set to the name of the stage that produced it, except for `globals.auto.tfvars.json` which is also generated by the bootstrap stage, containing global values compiled manually for the bootstrap stage.
 For this stage, link the following files:
 ```bash
@@ -302,7 +302,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [peering_configs](variables-peerings.tf#L19) | Peering configurations. | map(object({…})) | | {…} | |
 | [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
 | [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
 | [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
 
 ## Outputs
diff --git a/fast/stages/02-networking-peering/spoke-dev.tf b/fast/stages/02-networking-peering/spoke-dev.tf
index 1ae1be2d..19aaeba7 100644
--- a/fast/stages/02-networking-peering/spoke-dev.tf
+++ b/fast/stages/02-networking-peering/spoke-dev.tf
@@ -103,7 +103,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   members = compact([
     local.service_accounts.data-platform-dev,
     local.service_accounts.project-factory-dev,
-    local.service_accounts.gke-multitenant-dev,
+    local.service_accounts.gke-dev,
   ])
   condition {
     title       = "dev_stage3_sa_delegated_grants"
diff --git a/fast/stages/02-networking-peering/spoke-prod.tf b/fast/stages/02-networking-peering/spoke-prod.tf
index 3b009daa..19a79030 100644
--- a/fast/stages/02-networking-peering/spoke-prod.tf
+++ b/fast/stages/02-networking-peering/spoke-prod.tf
@@ -103,7 +103,7 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   members = compact([
     local.service_accounts.data-platform-prod,
     local.service_accounts.project-factory-prod,
-    local.service_accounts.gke-multitenant-prod,
+    local.service_accounts.gke-prod,
   ])
   condition {
     title       = "prod_stage3_sa_delegated_grants"
diff --git a/fast/stages/02-networking-peering/variables.tf b/fast/stages/02-networking-peering/variables.tf
index 77ef3884..018e3983 100644
--- a/fast/stages/02-networking-peering/variables.tf
+++ b/fast/stages/02-networking-peering/variables.tf
@@ -187,8 +187,8 @@ variable "service_accounts" {
   type = object({
     data-platform-dev    = string
     data-platform-prod   = string
-    gke-multitenant-dev  = string
-    gke-multitenant-prod = string
+    gke-dev              = string
+    gke-prod             = string
     project-factory-dev  = string
     project-factory-prod = string
   })
diff --git a/fast/stages/02-networking-vpn/README.md b/fast/stages/02-networking-vpn/README.md
index 4f0b8540..32b144f4 100644
--- a/fast/stages/02-networking-vpn/README.md
+++ b/fast/stages/02-networking-vpn/README.md
@@ -327,7 +327,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
 | [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
 | [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
 | [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
 | [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | map(object({…})) | | {…} | |
 
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index 1ae1be2d..19aaeba7 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -103,7 +103,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   members = compact([
     local.service_accounts.data-platform-dev,
     local.service_accounts.project-factory-dev,
-    local.service_accounts.gke-multitenant-dev,
+    local.service_accounts.gke-dev,
   ])
   condition {
     title       = "dev_stage3_sa_delegated_grants"
diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
index 3b009daa..19a79030 100644
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -103,7 +103,7 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   members = compact([
     local.service_accounts.data-platform-prod,
     local.service_accounts.project-factory-prod,
-    local.service_accounts.gke-multitenant-prod,
+    local.service_accounts.gke-prod,
   ])
   condition {
     title       = "prod_stage3_sa_delegated_grants"
diff --git a/fast/stages/02-networking-vpn/variables.tf b/fast/stages/02-networking-vpn/variables.tf
index 77ef3884..018e3983 100644
--- a/fast/stages/02-networking-vpn/variables.tf
+++ b/fast/stages/02-networking-vpn/variables.tf
@@ -187,8 +187,8 @@ variable "service_accounts" {
   type = object({
     data-platform-dev    = string
     data-platform-prod   = string
-    gke-multitenant-dev  = string
-    gke-multitenant-prod = string
+    gke-dev              = string
+    gke-prod             = string
     project-factory-dev  = string
     project-factory-prod = string
   })
diff --git a/fast/stages/03-gke-multitenant/dev/gke-hub.tf b/fast/stages/03-gke-multitenant/dev/gke-hub.tf
index 59a4ffce..b1e24a9f 100644
--- a/fast/stages/03-gke-multitenant/dev/gke-hub.tf
+++ b/fast/stages/03-gke-multitenant/dev/gke-hub.tf
@@ -27,7 +27,7 @@ module "gke-hub" {
     config_sync = {
       gcp_service_account_email = null
       https_proxy               = null
-      policy_dir                = "fast/stages/03-gke-multitenant/config"
+      policy_dir                = "fast/stages/03-gke/config"
       secret_type               = "none"
       source_format             = "hierarchy"
       sync_branch               = "fast-dev-gke-marzi"
diff --git a/fast/stages/03-gke-multitenant/dev/main.tf b/fast/stages/03-gke-multitenant/dev/main.tf
index cc27ed97..c4fad5de 100644
--- a/fast/stages/03-gke-multitenant/dev/main.tf
+++ b/fast/stages/03-gke-multitenant/dev/main.tf
@@ -25,7 +25,7 @@ module "gke-project-0" {
   source          = "../../../../modules/project"
   billing_account = var.billing_account.id
   name            = "dev-gke-clusters-0"
-  parent          = var.folder_ids.gke-multitenant-dev
+  parent          = var.folder_ids.gke-dev
   prefix          = var.prefix
   labels          = local.labels
   services = [
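Review bot: In the gke-hub.tf hunk, `policy_dir` now points Config Sync at `fast/stages/03-gke/config`, but every file path in this diff still places the stage under `fast/stages/03-gke-multitenant/`, so unless the directory rename lands in a separate commit the hub will try to sync policy from a directory that does not exist. Either keep the value consistent with the current stage directory or add a comment naming the rename it depends on, e.g. `# policy_dir follows the stage directory; update together with any stage rename`. The adjacent context line `sync_branch = "fast-dev-gke-marzi"` pins cluster policy sync to what looks like a personal branch; since whoever controls that branch controls the policy applied to the clusters, this sample value would be safer as a variable or an obvious placeholder than a hardcoded branch name. The `config_sync` block and the enclosing `module "gke-hub"` continue outside the hunk.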
diff --git a/fast/stages/03-gke-multitenant/dev/variables.tf b/fast/stages/03-gke-multitenant/dev/variables.tf
index 608ad51b..552dec50 100644
--- a/fast/stages/03-gke-multitenant/dev/variables.tf
+++ b/fast/stages/03-gke-multitenant/dev/variables.tf
@@ -113,7 +113,7 @@ variable "folder_ids" {
   # tfdoc:variable:source 01-resman
   description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
   type = object({
-    gke-multitenant-dev = string
+    gke-dev = string
   })
 }