GCP Organization, Folders and projects (Road to Google Associate Cloud Engineer 2020 Certification)
The resources on Google Cloud are numerous, and they can become hard to manage, especially in big organizations.
Google has defined a resource hierarchy that looks like a file system: each node has a single parent node, and settings applied to a node flow down to everything beneath it.
The levels of the hierarchy are the following (starting from the bottom):
- Resources: the basic services like Storage buckets, Cloud Functions, Compute Engine instances or Cloud Run services
- Projects: the first grouping level and the parent of the basic resources. A basic resource belongs to exactly one project. Projects are a good way to separate the different environments (Dev, Preprod and Prod) of a product, because a project is also the boundary at which IAM policies and billing are attached, so a compromised or misconfigured Dev project does not automatically expose Prod. The parent of a project is a folder or the organization itself.
- Folders: folders can be nested in several layers; a folder can be the parent of other folders and the child of another one. They are flexible and can be used to separate departments, teams within the same department, and products of the same team. You need an organization to create folders.
- Organization: the root node. All the resources are grouped under it, which makes them easier to manage and control centrally.
Benefits of having an organization
There are 3 main benefits of creating an organization for your Google Cloud resources:
- Projects belong to the organization: when someone inside the organization creates a project, the project belongs to the organization itself and not to the employee; if the employee leaves, the project remains and is not deleted;
- The resources are controlled: all the projects can be managed, controlled and monitored centrally from the organization node;
- Organization-level roles: roles granted at the organization level are inherited by the folders and projects below it. For example, you might grant the Compute Network Admin role (roles/compute.networkAdmin) at the organization level to the network team, which will then hold that role across all the organization's projects. This will become clearer in the sections about Identity and Access Management (IAM).
Of course, if you grant the Network Admin role on a single project to another account (say, a contractor team), that account can manage network resources only in that particular project. Inheritance works only downward: a role granted at the organization or folder level cannot be taken away by the IAM policy of a child project, because a child's policy can only add bindings, not remove inherited ones. Grant broad roles high in the hierarchy only when they really need to apply everywhere.
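As an added illustration (not code from this article or from Google), the following Python models the two ideas above: the parent rules of the hierarchy (a resource only under a project, a project under a folder or the organization, a folder only inside an organization) and the way IAM allow policies are inherited, where the effective roles on a node are the union of the bindings on that node and on all of its ancestors. The organization, folder, project names and the group identities are constructed for the example; the role name roles/compute.networkAdmin is the real predefined role.

```python
from dataclasses import dataclass, field
from typing import Optional

# Which node kinds may be the parent of which. Constructed for this example,
# following the hierarchy rules described in the article.
ALLOWED_PARENT = {
    "organization": set(),                  # root node: no parent at all
    "folder": {"organization", "folder"},   # folders nest, but need an organization above them
    "project": {"organization", "folder"},  # a project has exactly one parent
    "resource": {"project"},                # basic resources hang only off projects
}


@dataclass
class Node:
    kind: str
    name: str
    parent: Optional["Node"] = None
    # IAM allow policy attached to this node: role -> set of members
    bindings: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.kind not in ALLOWED_PARENT:
            raise ValueError(f"unknown node kind {self.kind!r}")
        if self.kind == "organization":
            if self.parent is not None:
                raise ValueError("an organization is the root and cannot have a parent")
            return
        parent_kind = self.parent.kind if self.parent is not None else None
        if parent_kind not in ALLOWED_PARENT[self.kind]:
            raise ValueError(f"{self.kind} {self.name!r} cannot have {parent_kind} as parent")

    def grant(self, role, member):
        """Add a binding to this node's own IAM policy."""
        self.bindings.setdefault(role, set()).add(member)

    def ancestry(self):
        """Yield this node, its parent, and so on up to the organization."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def effective_roles(node, member):
    """Roles `member` holds on `node`: the union of the bindings on the node and on
    every ancestor. Inheritance only flows downward, and a child cannot remove a
    role that was granted above it."""
    roles = set()
    for ancestor in node.ancestry():
        for role, members in ancestor.bindings.items():
            if member in members:
                roles.add(role)
    return roles


def violates_hierarchy(kind, parent=None):
    """True if creating a node of `kind` under `parent` would break the parent rules."""
    try:
        Node(kind, "probe", parent)
    except ValueError:
        return True
    return False


def build_example():
    """Constructed hierarchy: one organization, one folder, two projects, one resource."""
    org = Node("organization", "example.com")
    eng = Node("folder", "engineering", org)
    dev = Node("project", "shop-dev", eng)
    prod = Node("project", "shop-prod", eng)
    vpc = Node("resource", "vpc-prod", prod)
    # The network team is granted Network Admin at the organization level...
    org.grant("roles/compute.networkAdmin", "group:network-team@example.com")
    # ...while the contractor team gets it on the dev project only.
    dev.grant("roles/compute.networkAdmin", "group:contractors@example.com")
    return org, eng, dev, prod, vpc


if __name__ == "__main__":
    org, eng, dev, prod, vpc = build_example()
    print("network team on vpc-prod:", effective_roles(vpc, "group:network-team@example.com"))
    print("contractors on shop-prod:", effective_roles(prod, "group:contractors@example.com"))
    print("contractors on shop-dev:", effective_roles(dev, "group:contractors@example.com"))
```

Walking the ancestry from the resource up to the organization is exactly what makes the organization-level grant reach the production VPC, while the contractor's grant, attached at the dev project, is never seen when evaluating the prod project or the folder above it.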
Focus on projects
The first important thing to remember about projects is the command to create one. The project ID (my-project here) must be globally unique across Google Cloud and cannot be changed afterwards; inside an organization you also tell gcloud where the project sits, with the --organization or --folder flag:
gcloud projects create my-project
Alternatively you can use the Web console: click the project dropdown next to “Google Cloud Platform” at the top left, then click “New Project” at the top right of the popup window that appears.
When you manage multiple projects it is a good idea to create separate gcloud configurations and switch between them as required (see Road to Google Associate Cloud Engineer 2020 Certification — GCloud SDK and the command line).
Several questions in the dumps have the following scenario: you have a dev project where your application is tested and works fine, and you now need to deploy it to production. What should you do? Among the options, the right one is always the one that tells you to create a new project and deploy the resources into it again. It is not possible to clone a project.
Enable API in projects
Before using the resources in a project you need to enable the associated APIs. For example, before creating a Compute Engine instance you need to enable the Compute Engine API. You can do that from the Web Console or from the command line:
gcloud services enable compute.googleapis.com --project my-project
To enable an API, your account needs 2 IAM permissions (not roles; they are bundled in predefined roles such as Owner):
- serviceusage.services.enable
- servicemanagement.services.bind
Conclusions
We have seen a few simple concepts about the management and organization of resources on the Google Cloud Platform. They are quite useful for answering without problems some questions that might appear in the exam, and they also prepare for the section about IAM, which completes the overview of how access to the resources can be controlled.