So far in our journey in the Google Cloud Platform (GCP) world, we created our organization and associated it with our tenant. After that, we configured several components of our cloud environment, including billing and the core groups that will manage the environment.
Understanding the organization structure
Before continuing with the steps, this is a good point to understand the concepts of organization, folders, and projects.
The following diagram (provided by Google’s official documentation) shows all of them in a single picture. Google uses the term Google Cloud resource hierarchy.
The idea behind this is to help organize and bill resources accordingly. It integrates with access control and policies. The rule of thumb is that an object has a single parent. We have one organization per GCP environment, and we can map an organization to a valid domain.
The folders are used to represent the logical view of the organization. We can organize them per department, environment, or specific workload. There is no right or wrong, and we need to make sure that the folders will accommodate the business needs.
The project is where we use the Google Cloud resources (compute, storage, and so forth) and where we assign settings and permissions. The idea is that when a project represents an application/workload, the communication among components on the same project flows easily. Without a Shared VPC or VPC peering, resources in different projects are not accessible to each other.
A project can have a single application or several. The project is based on your cloud architecture. The golden rule is to have a single project per application and environment. The idea is that if we want to retire an application, we remove the project, and everything related to that application goes away.
When creating a new project, we need to define a name, ID, and project number (automatically provided by GCP).
A project is similar to a resource group in Microsoft Azure in several aspects, and the hierarchy is similar to Management Groups.
Step 4: Set up billing
(Just a quick reminder: Steps 1-3 on our journey can be found here.) Billing is a crucial component of any cloud strategy that you are planning in your corporation. In this step, we will assign billing permissions to the group we created in the second step.
The first step is to assign permissions: copy the group name and click on Grant Access. In the new blade, paste the group name and click on Save. Finally, click on Continue to go to the next step to complete the billing process.
The second step is to define who is going to pay for your projects. We could create a new billing account (the same process of adding the credit card in the first article will be repeated), use an invoice (the corporation must meet some requirements), or migrate the existing account.
Since we are creating an organization from scratch, the decision was to create a new billing account (Item 1) and go through the steps again by clicking on Create Billing Account (Item 2). Click on Mark Task as Completed (Item 3) to finish this important step.
When you configure a billing account, the email address provided will receive an email from Google asking you to accept the use of a payments profile. Check your inbox and accept it to start receiving invoices and account statements.
Step 5: Set up the Google Cloud resource hierarchy
The first part of this step is just a description of the resource hierarchy. In the second part, click on Go to the management resources page (Item 1), and you will be redirected to a new page where you can configure the structure of your organization.
We can either create projects (Item 1) or folders (Item 2) and start organizing them in a structure that matches the design and business requirements to support your organization's cloud strategy.
When creating a new folder, you select the organization and the location, which helps when creating tiers.
In the datacenter folder, we added a new project called Datacenter Servers. We added four environments: sandbox, production, dev, and datacenter. The final result is depicted in the image below.
Back to the main task list, we should see the new projects that we have just created (Item 1) and click on Mark Task as Completed (Item 2).
Note: If you don’t see it, refresh the entire page. It seems to do the trick.
Step 6: Set up access control for your resource hierarchy
Now that we have a better understanding of how an organization, folders, and projects interact, we have enough knowledge to complete Step 6.
We will be integrating the core groups created in the first steps of this article series, and now we will assign them at the organization, folder, or project level.
The first step in this section is to grant some roles to the core groups that we defined. There are a couple of ways to do that, and the easier one is using the wizard. The procedure is simple, and we should copy (there is a button to copy at the end of the field) the name of the group on each section, then click on Add Member.
On the new blade, we should paste the group name that we copied from the previous step. Click on Save, and we should repeat that for each entry listed in the wizard.
We could do the same process without the help of a wizard. Just click on Manage Resources, located in the IAM & Admin area of the console. We can select which level we want (Item 1) and then grant/validate the permissions (Item 2).
If necessary, assign permissions to folders or projects, although that is not required.
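Bindings granted higher in the hierarchy are inherited by everything beneath them, which is why assigning permissions on folders or projects is optional. The sketch below is an added example, not code from the original article or from Google's tooling: it models the folder layout from Step 5 and computes the effective roles on a project. Resource IDs, group addresses, the `sandbox-lab` project and all bindings are constructed for illustration.

```python
# Constructed model: folder names follow the article; IDs, groups and
# bindings are assumptions (real GCP folder/organization IDs are numeric).
PARENT = {
    "organizations/example.com": None,
    "folders/sandbox": "organizations/example.com",
    "folders/dev": "organizations/example.com",
    "folders/production": "organizations/example.com",
    "folders/datacenter": "organizations/example.com",
    "projects/datacenter-servers": "folders/datacenter",
    "projects/sandbox-lab": "folders/sandbox",
}

# Bindings set directly on each node: {resource: {role: {members}}}
BINDINGS = {
    "organizations/example.com": {
        "roles/resourcemanager.organizationAdmin": {"group:gcp-org-admins@example.com"},
        "roles/billing.admin": {"group:gcp-billing-admins@example.com"},
    },
    "folders/datacenter": {"roles/compute.admin": {"group:dc-ops@example.com"}},
    "projects/sandbox-lab": {"roles/owner": {"group:gcp-developers@example.com"}},
}

def ancestry(resource):
    """Walk from a resource up to the organization (one parent per node)."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain

def effective_bindings(resource):
    """Union of bindings on the resource and all ancestors.
    Returns {member: {role: node where the role was granted}}."""
    result = {}
    for node in ancestry(resource):
        for role, members in BINDINGS.get(node, {}).items():
            for member in members:
                result.setdefault(member, {}).setdefault(role, node)
    return result

def projects_reached(member):
    """Blast radius: every project where the member holds some role."""
    return sorted(r for r in PARENT if r.startswith("projects/")
                  and member in effective_bindings(r))

if __name__ == "__main__":
    for member, roles in effective_bindings("projects/datacenter-servers").items():
        print(member, roles)
```

Running the same walk for each group shows which grants are organization-wide and which stay scoped to one folder, which is the review to do before adding a binding at the organization level.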
Step 7: Set up support
This is the easiest step so far. We need to click on View Support Offerings, and on the new page, select the support plan to support your organization. When complete, go back to the tasks and click on Mark Tasks as Completed.
Google Cloud Platform journey: Just a few more steps to go
We are almost there! We created the hierarchy that we will use in GCP moving forward. We are aware that a cloud is a dynamic place, so changes will happen in the future, and we need to be ready and prepared to make those changes.
In our next article, we will be completing the remaining steps to complete the organization’s creation. See you there!