Understanding Resource Hierarchy in Google Cloud Platform
29 July 2020
A tour of the Google Cloud resource hierarchy and how resources are handled using Resource Manager.
Google Cloud Resources
Everything used on Google Cloud Platform is a resource. All Google Cloud resources are organized hierarchically in parent-child relationships: the Organization node is the root, projects are children of the Organization, and all other resources are descendants of projects.
You can set Cloud Identity and Access Management (Cloud IAM) policies at different levels of the resource hierarchy, and resources inherit the policies applied at the parent level. Each resource has exactly one parent.
Google Cloud Resources Lifecycle
Resources are the fundamental components that make up all Google Cloud services. Examples: Compute Engine virtual machines (VMs), Cloud Storage buckets, App Engine instances, Pub/Sub topics.
Diagram:
The resource hierarchy lifecycle can be understood from the diagram above. A company is separated into departments (Dept X and Dept Y), and each department is divided into teams (Team A and Team B); departments and teams are modelled as Folders. A team owns a set of products, and each product is mapped to a GCP project that holds the GCP resources.
Four Pillars Of Google Cloud Resources
- Organization
- Folders
- Projects
- Resources
An Organization resource created through the Resource Manager API has the following characteristics and attributes:
- The Organization is the hierarchical ancestor of folders, projects and resources, and it represents the company.
- IAM access control policies applied to the Organization resource apply through the entire hierarchy beneath it (folders, projects, and resources).
- An Organization resource is not available to personal email accounts.
- Organization-level access is granted only to corporate accounts.
- The Organization Admin has full power to edit all permissions; the Organization Owner is reserved for the G Suite / Cloud IAM super admin.
- Organization ID: a unique identifier for the Organization.
- Display name: generated from the primary domain name in G Suite or Cloud Identity.
- Creation time and last modified time of the Organization.
- The owner of the Organization, which is specified when the Organization resource is created and cannot be changed once set.
The JSON below shows the structure of an Organization resource (the original listing was missing the comma after "createTime"):
{
  "displayName": "myorganization",
  "organizationId": "34739118455",
  "createTime": "2020-02-05T21:59:43.314Z",
  "owner": {
    "directoryCustomerId": "C020BA274"
  }
}
Folder Role in GCP:
- Folders are an additional grouping and isolation boundary between projects.
- A folder contains a collection of projects and other sub-folders.
- Roles granted on a folder are inherited by the projects and folders that exist under that parent folder.
- Folders can be used to model different legal entities, departments, and teams within a company; each team folder can contain additional sub-folders to represent different applications.
- If Folder resources exist at the Organization level and you have the appropriate viewing permissions, you can view them in the Google Cloud Console.
The JSON below shows the structure of a folder:
{
  "name": "folders/my-folder",
  "parent": "organizations/my-organization",
  "displayName": "Engineering",
  "lifecycleState": "ACTIVE",
  "createTime": "2020-02-05T21:59:43.314Z"
}
Projects Role in GCP:
- Projects are the core organizational component on Google Cloud Platform.
- Organizations and Folders can contain multiple projects and projects are required to use any GCP resource.
- Projects form the basis for creating, enabling, and using Google Cloud services, managing APIs, adding and removing collaborators, enabling billing, and managing permissions. Projects have three identifying attributes:
- Project ID: globally unique, chosen by us, and immutable.
- Project Name: need not be unique, chosen by us, and mutable.
- Project Number: globally unique, assigned by GCP, and immutable.
The JSON below shows the structure of a project:
{
  "name": "myproject",
  "projectId": "my-project-123",
  "labels": {
    "my-label": "prod"
  },
  "projectNumber": "464036093014",
  "lifecycleState": "ACTIVE",
  "createTime": "2016-01-07T21:59:43.314Z"
}
Cloud IAM policy with GCP resources:
- Google Cloud provides Cloud IAM, and its access policy can be set at the different levels of GCP resources: Organization level, Folder level, Project level, and Resource level.
- Cloud IAM policies are hierarchical and flow down to the child nodes. Example: if a policy is applied at the folder 'Team B', then the Dev, Test and Production GCP projects inherit the same policy.
- If a policy is set at the Organization level, it is inherited by all of its child nodes, i.e. Folders and Projects.
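To make the inheritance rule concrete, here is an added Python example (not from the original post) that models the 'Team B' folder above with Dev, Test and Production projects and computes a project's effective IAM policy by walking its parent chain up to the Organization; all resource names, members and bindings are constructed sample values.

```python
# Added example (not from the original post): models Cloud IAM policy
# inheritance down the resource hierarchy. Resource names, members and
# bindings below are constructed sample values, not real GCP identifiers.
from collections import defaultdict

# Parent links as Resource Manager exposes them: every resource has exactly one parent.
PARENT = {
    "folders/team-b": "organizations/my-organization",
    "projects/dev": "folders/team-b",
    "projects/test": "folders/team-b",
    "projects/prod": "folders/team-b",
    "projects/other": "organizations/my-organization",  # outside Team B
}

# IAM bindings set directly on each level (role -> members). Constructed sample data.
POLICIES = {
    "organizations/my-organization": {
        "roles/resourcemanager.organizationAdmin": {"user:admin@example.com"},
    },
    "folders/team-b": {
        "roles/viewer": {"group:team-b@example.com"},
    },
    "projects/prod": {
        "roles/editor": {"user:release@example.com"},
    },
}

def ancestry(resource):
    """Chain from the resource up to the Organization root."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def effective_policy(resource):
    """Union of bindings on the resource and on every ancestor. Inheritance is
    additive: a lower level can grant more access but never remove an inherited role."""
    effective = defaultdict(set)
    for node in ancestry(resource):
        for role, members in POLICIES.get(node, {}).items():
            effective[role] |= members
    return {role: sorted(members) for role, members in effective.items()}

def members_with_role(resource, role):
    """Members holding `role` on the resource, inherited bindings included."""
    return effective_policy(resource).get(role, [])

if __name__ == "__main__":
    for project in ("projects/dev", "projects/prod", "projects/other"):
        print(project, effective_policy(project))
```

Note that the Dev and Test projects pick up the folder's viewer binding without any binding of their own, while "projects/other" does not, because it sits outside the Team B folder.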