GCP resource hierarchy in detail
Resources – Everything’s a Resource
At the lowest level, resources are the fundamental components that make up all GCP services. Examples of resources include Compute Engine Virtual Machines (VMs), Cloud Pub/Sub topics, Cloud Storage buckets, and App Engine instances. All these lower-level resources can only be parented by projects, which represent the first grouping mechanism of the GCP resource hierarchy.
What to consider when mapping your organization to GCP Orgs
- Isolation: Where do you want to establish trust boundaries: at the department and team level, at the application or service level, or between production, test and dev environments? Use Folders with their nested hierarchy and Projects to create isolation between your cloud resources. Set IAM policies at the different levels of the hierarchy to determine who has access to which resources.
- Delegation: How do you balance autonomy with centralized control? Folders and IAM help you establish compartments where you can allow more freedom for developers to create and experiment, and reserve areas with stricter control. You can for example create a Development Folder where users are allowed to create Projects, spin up virtual machines (VMs) and enable services. You can also safeguard your production workflows by collecting them in dedicated Projects and Folders where least privilege is enforced through IAM.
- Inheritance: How can inheritance optimize policy management? As mentioned above, you can define policies at every node of the hierarchy and propagate them down. IAM policies are additive: a role granted at a higher node applies to every resource beneath it. If, for example, bob@myorganization.com is granted the Compute Engine instanceAdmin role for a Folder, he will be able to start VMs in each Project under that Folder.
- Shared resources: Are there resources that need to be shared across your organization, like networks, VM images, or service accounts? Use Projects and Folders to build central repositories for your shared resources and limit administrative privileges over these resources to only selected users. Apply the principle of least privilege when granting access to other users.
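The four considerations above all come down to where in the tree a binding is placed and how far down it reaches. The following is an added illustration, not GCP code or an official API: a small Python model of an Organization, Folders and Projects that resolves a principal's effective roles on a project by taking the union of the bindings on the project and every ancestor, which is how additive IAM inheritance behaves. The organization name, the Development and Production folders, the project names and the principals are constructed placeholders; the role names are real predefined GCP roles.

```python
"""Toy model of the GCP resource hierarchy and additive IAM inheritance.

Added example, not GCP's own code. It models an
Organization -> Folder -> Project tree and resolves the roles a principal
holds on a node by unioning the bindings on that node and all of its
ancestors. Nothing granted higher up can be removed lower down.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    name: str
    kind: str                                  # "organization", "folder" or "project"
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    # IAM policy bindings on this node: role -> set of principals
    bindings: Dict[str, Set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def grant(self, role: str, principal: str) -> None:
        """Add an IAM binding on this node (equivalent to an allow binding)."""
        self.bindings.setdefault(role, set()).add(principal)


def ancestry(node: Node):
    """Yield the node itself and every ancestor up to the organization root."""
    while node is not None:
        yield node
        node = node.parent


def effective_roles(principal: str, node: Node) -> Set[str]:
    """Roles the principal holds on `node`: the union of bindings on the node
    and on every ancestor. This is the additive inheritance the text describes."""
    roles: Set[str] = set()
    for n in ancestry(node):
        for role, members in n.bindings.items():
            if principal in members:
                roles.add(role)
    return roles


def projects_with_role(principal: str, role: str, root: Node) -> Set[str]:
    """Blast-radius check: every project under `root` where the principal
    effectively holds `role`, however far up the tree it was granted."""
    found: Set[str] = set()
    stack = [root]
    while stack:
        n = stack.pop()
        if n.kind == "project" and role in effective_roles(principal, n):
            found.add(n.name)
        stack.extend(n.children)
    return found


def build_example_org() -> Dict[str, Node]:
    """Constructed sample hierarchy mirroring the Development/Production
    compartments described above. All names are placeholders."""
    org = Node("myorganization.com", "organization")
    dev = Node("Development", "folder", parent=org)
    prod = Node("Production", "folder", parent=org)
    dev_app = Node("dev-app-1", "project", parent=dev)
    dev_sandbox = Node("dev-sandbox", "project", parent=dev)
    prod_app = Node("prod-app", "project", parent=prod)

    # Organization-wide: a central auditor can view everything, change nothing.
    org.grant("roles/viewer", "auditor@myorganization.com")
    # Delegation: developers may manage VMs in every project under Development.
    dev.grant("roles/compute.instanceAdmin.v1", "bob@myorganization.com")
    # Least privilege in production: the role is bound on the single
    # production project only, and only to the SRE group.
    prod_app.grant("roles/compute.instanceAdmin.v1", "sre-group@myorganization.com")
    return {"org": org, "dev": dev, "prod": prod, "dev_app": dev_app,
            "dev_sandbox": dev_sandbox, "prod_app": prod_app}


if __name__ == "__main__":
    h = build_example_org()
    for who in ("bob@myorganization.com", "auditor@myorganization.com"):
        print(who, "on prod-app:", sorted(effective_roles(who, h["prod_app"])))
    print("bob can administer VMs in:",
          sorted(projects_with_role("bob@myorganization.com",
                                    "roles/compute.instanceAdmin.v1", h["org"])))
```

Running the module shows bob holding instanceAdmin on both Development projects but not on prod-app, and the auditor holding only viewer everywhere. `projects_with_role` is the check worth keeping around when reviewing a folder-level grant: it answers "which projects did this binding just reach?" before the binding is applied.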
Folders for Cloud Identity and G Suite Customers
G Suite and Cloud Identity customers have access to additional features of the GCP resource hierarchy that provide benefits such as centralized visibility and control, and further grouping mechanisms, such as folders.
Organizations are Root Nodes
The Organization resource is the root node of the GCP resource hierarchy and all resources that belong to an organization are grouped under the organization node. This provides central visibility and control over every resource that belongs to an organization.