Implementing Policies for Customer Use Cases

This tutorial shows how to implement many of the concepts that are discussed in Policy Design for Customers. It is based on the startup example in Policy Design for Startup Customers.

This tutorial assumes that no existing identity management system is in place.

Objectives

  • Map your organization to Google Cloud Platform (GCP) services.
  • Configure your organization using Cloud Identity.
  • Set up a billing account and permissions.
  • Configure the Resource Manager hierarchy.
  • Automate project creation.
  • Grant permissions to users and groups.
  • Configure your development resources.

Costs

This tutorial creates folders, projects, and associated network resources in your organization. Although the resources that you create in this tutorial are not billable, it's a good idea to clean them up at the end of the tutorial.

Use the Pricing Calculator to generate a cost estimate that is based on your projected usage.

Before you begin

Ensure you have an email address that you can use to provision Cloud Identity.

Creating a domain

Before starting the tutorial, you must set up a domain that you will use to create your Cloud Identity. You, or an administrator of your domain, will need to add a TXT verification record to your domain's DNS records as part of the Cloud Identity onboarding flow.

Verifying the domain

  1. Verify that you own the domain by using the Search Console verification process.
  2. In the GCP Console, go to the Domain verification tab on the Credentials page.

  3. Click Add domain.
  4. In the Configure webhook notifications dialog, enter the domain to verify.
  5. Click Add domain.

    To troubleshoot domain verification:

    • The domain must be registered in the Search Console with an https:// URL or have been verified with the Domain name provider verification method.
    • Make sure you are either an owner or editor for the GCP Console project (see Project members and permissions) and you are a site owner of the domain that will receive notifications. If you are not a site owner of the domain, contact the domain owner to get added as a verified owner (see Add or remove owners).
    • You can use the Google API Explorer for Webmaster Tools to list sites on the domain, and in particular, see if the domain's siteUrl property starts with https://.

Planning

During the planning stage, you need to map your organization to GCP. A planning checklist can help you track what you need to do. For naming your projects and buckets, you can follow the provided naming convention or substitute your own.

You then need to define users and groups and map IAM roles to a functional group map.

Map your organization to GCP

This tutorial addresses the following requirements, which are outlined in Policy Design for Startup Customers:

  • Use G Suite to manage identities and provide office productivity tools. (For the purposes of this tutorial, Cloud Identity is used instead.)
  • Optimize for team autonomy and velocity.
  • Permit developers to choose their own tools, create their own resources and environments, experiment, and so on.
  • Use private repositories and registries.
  • Implement guardrails that help protect security and compliance.
  • Alert for expenditures above a soft limit.
  • Assume good intention, but have some high-level controls and be sure to issue an alert for any violation of newly added security controls.
  • Give developers access to a shared set of resources.
  • Design the GCP environment to grow smoothly.

Planning checklist

Use the requirements to complete a checklist to help design your GCP organization. A completed checklist looks similar to this:

Identity management | Y/N, comments | Action to take
Identity system in place? | N | If no identity system is in place, configure Cloud Identity.
Existing LDAP and Active Directory federation and sync? | N | Configure Cloud Identity and Cloud directory sync.
Users identified who need access to GCP? | Devteam 1, Devteam 2, Central functions | Create groups that are named to reflect their functions, and place identities in the appropriate groups.

Projects and folders setup | Y/N, comments | Action to take
Departments and teams autonomous? | Y | Arrange your GCP organization so each department has a dedicated folder under which the department's projects are located.
Dedicated folder for each organizational unit (OU)? | n/a | Arrange your GCP organization so each OU has a dedicated folder under which the OU projects are located.
Default permissions inherited across groups of projects? | Y | Create folders to organize groups of related projects.
Cross-charging and cost tracking per team or app? | Y | Create folders and use labels to organize projects for each team or each app.
Multiple services per team? | Y | Use folder hierarchies to encapsulate projects that belong to each team, and use a folder under each team to encapsulate projects that are related to a single service.
Policy working or shared across teams, such as security, networks, and shared resources? | Y | Determine which functional roles are organization-wide and which are delegated further down the hierarchy. Use folders to organize where the wider organization permissions should be assigned.
Dev, test, QA, and production separated per app? | Unknown, possibly in the future | Use projects as the trust boundary; use folders and separate projects for each environment per app under a single folder.

Hierarchical policy assignment | Y/N, comments | Action to take
Dedicated teams are separated to enforce network and security policies? | Not now | Use a shared virtual private cloud (VPC) and set up a group for network and security admins.
Restricted access to multiple production environments (multiple projects)? | Unknown | Use folders and groups to manage who has permissions to use production resources.
Restricted access to specific services and apps per dev team (how apps are developed in terms of teams working together)? | Too small to understand how this will evolve today | Use folders and groups to manage who is authorized to access resources with which permissions.

Define a naming convention

Before you create the organizational structure and give permissions to your developers, settle on a naming standard for folders, projects, labels, and service accounts. Naming projects and Cloud Storage buckets in particular requires careful thought.

Projects

A project has a project number and a universally unique project ID, which is a short string of lowercase letters, digits, and dashes. When creating a project, you can specify the project ID. Google assigns the project number automatically. The project ID and project number cannot be changed.

To further identify a project, you can attach a label to it. Just be aware that anyone can modify labels. Read the guidance on using labels.

Buckets

Each Cloud Storage bucket is unique across the platform and must follow the naming guidelines detailed in Bucket name requirements.

Don't include your organization's name as part of any bucket name. Buckets can inadvertently be made publicly accessible, so giving one an easily identifiable name might reveal more about your organization than you intended.

The following naming convention is defined for this tutorial.

Resource            Naming convention
Top-level folder    Development
Team folders        team-xx-nn (where xx and nn indicate a unique combination of numbers and characters per folder)
App folders         appname-xx-nn
Projects            appname-[test|qa|prod], with the labels team-xx-nn-[test|qa|prod], App description, and userid
                    team-xx-nn-userid
                    shared-resources
                    project-creation
Service accounts    function-srv-acc (shared services accounts)
                    appname-srv-[test|qa|prod]
Buckets             appname-input-[test|qa|prod]
                    appname-output-[test|qa|prod]
                    appname-resources-[test|qa|prod]
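As an added example that is not part of the original tutorial, the following Python checks planned folder, project, and bucket names against the convention in the table above, including the guardrail that a bucket name must never reveal the organization's name. The organization name and the resource names in the sample are constructed values.

```python
import re

# Patterns taken from the tutorial's naming convention table:
#   team folders  team-xx-nn
#   projects      appname-[test|qa|prod]
#   buckets       appname-[input|output|resources]-[test|qa|prod]
TEAM_FOLDER_RE = re.compile(r"^team-[a-z0-9]{2}-[a-z0-9]{2}$")
PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]*-(test|qa|prod)$")
BUCKET_RE = re.compile(r"^[a-z][a-z0-9-]*-(input|output|resources)-(test|qa|prod)$")


def check_team_folder(name):
    return [] if TEAM_FOLDER_RE.match(name) else [f"{name!r} does not match team-xx-nn"]


def check_project_id(project_id):
    """Project IDs cannot be changed after creation, so validate them first.
    They may only contain lowercase letters, digits and dashes, and the
    convention ends them with the environment name."""
    problems = []
    if not re.fullmatch(r"[a-z][a-z0-9-]*", project_id):
        problems.append(f"{project_id!r} may only use lowercase letters, digits and dashes")
    if not PROJECT_RE.match(project_id):
        problems.append(f"{project_id!r} does not match appname-[test|qa|prod]")
    return problems


def check_bucket_name(name, org_name):
    """Bucket names are global and a bucket can end up public, so the
    organization's name must not appear anywhere in the name."""
    problems = []
    if name != name.lower():
        problems.append(f"{name!r} must be lowercase")
    if not 3 <= len(name) <= 63:
        problems.append(f"{name!r} must be 3 to 63 characters long")
    if org_name.lower() in name.lower():
        problems.append(f"{name!r} reveals the organization name {org_name!r}")
    if not BUCKET_RE.match(name.lower()):
        problems.append(f"{name!r} does not match appname-[input|output|resources]-[test|qa|prod]")
    return problems


def review(org_name, folders, projects, buckets):
    """Collect every naming violation for a planned set of resources."""
    problems = []
    for folder in folders:
        problems += check_team_folder(folder)
    for project in projects:
        problems += check_project_id(project)
    for bucket in buckets:
        problems += check_bucket_name(bucket, org_name)
    return problems


if __name__ == "__main__":
    # Constructed sample: one bad folder, one bad project and one bad bucket.
    for problem in review(
        "StartupExample",
        ["team-01-01", "team-02-01", "Team-3-1"],
        ["payroll-prod", "payroll-staging"],
        ["payroll-input-prod", "startupexample-payroll-output-qa"],
    ):
        print(problem)
```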

Define users and groups

StartupExampleOrganization is small, and its developers fill many overlapping functional roles. To provide flexibility, you must create separate functional groups for use with GCP. Note that some users are members of multiple groups.

Group name | Description | Users
OrgAdmins@example.org | GCP organization admins | joe@example.org, alice@example.org
NetworkAdmins@example.org | Users who can make changes to network and security controls | alice@example.org, jens@example.org
OrgSecurityAdmins@example.org | Users who can set identity and access management (IAM) policies and organization policies | joe@example.org, alice@example.org
Devteam1@example.org | Members of Dev team 1 | dan@example.org, tom@example.org, anees@example.org, jens@example.org, grace@example.org
Devteam2@example.org | Members of Dev team 2 | mari@example.org, fereshteh@example.org, alice@example.org, rez@example.org
finance@example.org | Ability to manage payments | alice@example.org, joe@example.org

Map IAM roles to functional groups

Before you create any users in the GCP organization, create a map from IAM roles to functional groups.

The following table describes the initial required IAM policies.

Functional role | Resource | IAM roles | Members
Full control of Dev Team 1 projects | Folder: team-01-01 | Folder Admin, Project Creator, Network Admin, Folder IAM Admin | Devteam1@example.org
Full control of Dev Team 2 projects | Folder: team-02-02 | Folder Admin, Project Creator, Network Admin, Folder IAM Admin | Devteam2@example.org
Admin for network and security controls for entire organization | Organization | Network Admin, Security Admin | NetworkAdmins@example.org
Admin for security controls for entire organization | Organization | Organization Admin, Policy Admin | OrgAdmins@example.org, OrgSecurityAdmins@example.org
Ability to manage payments | Organization | Billing Admin | finance@example.org, ProjectCreation service account

Configuring the organization

Configuring your organization involves the following tasks:

  • Configuring Cloud Identity
  • Creating users and groups
  • Configuring GCP organization admin users

Configure Cloud Identity

This tutorial uses Cloud Identity to manage users.

  1. Complete the steps in the sign-up wizard. The first user that you need to create is one of the GCP organization administrators. In the sign-up wizard, references to organization administrator are for managing your Cloud Identity accounts.

  2. When prompted for your organization administrator, enter Alice as the username and choose an appropriate password. Make a note of the password because you need it later.

    The sign-up process takes you to the Create users and groups page, but you cannot create any users or groups until you accept the terms and conditions.

  3. Return to your email account and accept the terms and conditions.

Create users and groups

Using the user and group table that you created in the planning section earlier, create users and groups, replacing @example.org with your domain.

Group name | Description | Users
OrgAdmins@example.org | GCP organization admins | joe@example.org, alice@example.org
NetworkAdmins@example.org | Users who can make changes to network and security controls | alice@example.org, jens@example.org
OrgSecurityAdmins@example.org | Ability to set IAM policies and organization policies | rez@example.org, grace@example.org
Devteam1@example.org | Members of Dev team 1 | dan@example.org, tom@example.org, anees@example.org, jens@example.org, grace@example.org
Devteam2@example.org | Members of Dev team 2 | mari@example.org, fereshteh@example.org, alice@example.org, rez@example.org
finance@example.org | Ability to manage payments | alice@example.org, joe@example.org

Using the preceding table:

  1. Create Cloud Identity user accounts.

  2. Create groups and add users.

The Organization Administrators group (OrgAdmins) that you created in Cloud Identity is for the users who have been, or will be, assigned the organization administrator role within GCP.

Configure GCP organization admin users

At this stage of the configuration, the users in the Organization Administrators group have no permissions to access the GCP organization.

You need to assign the organization admin role to the same users that you added to the Cloud Identity OrgAdmins group. The organization admin role has the ability to grant IAM permissions.

  1. In the GCP Console, sign in using Alice's credentials. If you are using Chrome, you might want to sign in from an incognito tab to ensure you start from a clean state.

    Alice's Cloud Identity account is designated as the Cloud Identity super administrator.

  2. At the top of the page, in the Organization drop-down list, select your organization.

  3. In the IAM & admin navigation menu, click IAM.

  4. On the IAM page, click Add.

  5. In the Add member dialog, in the Members field, add the group OrgAdmins@example.org.

  6. In the Roles drop-down list, select Resource Manager, select Organization Administrator, and then click Add.

By default, everyone in your Cloud Identity domain is granted Billing Account Creator and Project Creator IAM permissions. The organization administrator might want to implement more restrictive policies.

To remove those permissions from the domain through the console:

  1. At the top of the page, in the Organization drop-down list, select your organization.

  2. In the text box, type Project Creator.

  3. In the View by box, select Roles. A list of members in the Project Creator role appears.

  4. In the Multiple drop-down list, clear the selected Billing Account Creator and Project Creator roles, and then click Save.
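As an added example that is not part of the original tutorial, the following Python audits an organization's IAM policy, in the JSON shape that `gcloud organizations get-iam-policy` returns, for the two domain-wide default grants just removed through the console, and builds the policy with those members stripped so it can be sent back with `set-iam-policy`. The policy document is a constructed sample; roles/resourcemanager.projectCreator and roles/billing.creator are the IAM identifiers of the Project Creator and Billing Account Creator roles.

```python
import copy
import json

# Roles that every member of the Cloud Identity domain holds by default;
# the tutorial removes both from the domain at the organization level.
DEFAULT_DOMAIN_ROLES = {
    "roles/resourcemanager.projectCreator",
    "roles/billing.creator",
}

# Constructed sample policy (same shape as
# `gcloud organizations get-iam-policy ORG_ID --format=json`).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:OrgAdmins@example.org"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["domain:example.org", "group:OrgAdmins@example.org"]},
    {"role": "roles/billing.creator",
     "members": ["domain:example.org"]}
  ],
  "etag": "BwWconstructed="
}
"""


def find_domain_wide_grants(policy, roles=DEFAULT_DOMAIN_ROLES):
    """Return (role, member) pairs where a default role is granted to a whole domain."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] not in roles:
            continue
        for member in binding.get("members", []):
            if member.startswith("domain:"):
                findings.append((binding["role"], member))
    return findings


def strip_domain_wide_grants(policy, roles=DEFAULT_DOMAIN_ROLES):
    """Return a copy of the policy with domain-wide members removed from the
    given roles. Bindings left without members are dropped; other members
    (such as groups) and the etag, which set-iam-policy uses to detect
    concurrent edits, are preserved."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        members = binding.get("members", [])
        if binding["role"] in roles:
            members = [m for m in members if not m.startswith("domain:")]
        if members:
            binding["members"] = members
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


def audit_sample():
    """Run both steps over the constructed sample policy."""
    policy = json.loads(SAMPLE_POLICY_JSON)
    return find_domain_wide_grants(policy), strip_domain_wide_grants(policy)


if __name__ == "__main__":
    findings, cleaned = audit_sample()
    for role, member in findings:
        print(f"domain-wide grant: {member} -> {role}")
    print(json.dumps(cleaned, indent=2))
```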

Setting up a billing account and its permissions

  1. If you aren't signed in to the console, sign back in as Alice.

  2. Open the console left-side menu and click Billing.

  3. Click New billing account.

  4. Enter the name of the billing account and your billing information. The options that you see depend on the country of your billing address. Note that for accounts in the U.S., you cannot change tax status after you create the account.

  5. Click Submit and enable billing.

  6. Assign the billing administrator role to the finance group that you created earlier.

  7. In the console left-side menu, click Billing.

  8. Ensure you are in your organization, and then click Permissions.

  9. In the Add members box, type finance@example.org.

  10. In the Select a role drop-down list, select Billing Account Administrator, and then click Add.

Configuring the Resource Manager hierarchy

After you have set up organization admins within the Organization node, you can configure the organization so that you can create projects and other resources automatically.

Assign IAM roles at the organization level

  1. If you are not still signed in to the console, sign back in as Alice.

    At the organization level, you assign the IAM roles Folder Admin and Project Owner to the Organization Admin group, which in this example is OrgAdmins@example.org. You replace example.org with your domain name.

  2. From the Organization drop-down list, select your organization.

  3. Click IAM.

  4. To add new members to the organization, click Add member, and assign the Folder Admin and Project Owner roles to the Organization Admin group.

Create your folders and assign IAM roles

  1. To create an initial folder, in the GCP Console, open the Manage Resources page.

    Verify that your organization is selected in the drop-down.

  2. Click the Create Folder icon, and verify that your organization is in the destination box.

  3. Using the Naming convention table that you created earlier, in the Folder Name box, type Development, and then click Create.

    The folder you create contains each development team's folder along with the project that will hold resources that are shared across teams.

  4. On the Create Folder page, in the Destination text box, verify that the Development folder is listed.

  5. To create Dev team 1's initial team folder under the Development folder, in the Folder Name text box, enter team-01-01, and then click Create.

  6. To create Dev team 2's initial team folder under the Development folder, in the Folder Name text box, enter team-02-01, and then click Create.

  7. At the folder level, assign the Project Creator role to each Development team group for their allotted folder.

  8. Open the IAM console page.

  9. From the drop-down list, select the folder team-01-01, and then click Add.

  10. In the Add member dialog, in the Members field, add the group Devteam1@[YOUR_DOMAIN], replacing [YOUR_DOMAIN] with your domain name.

  11. In the Roles drop-down list, select the Resource Manager and Project Creator roles, and then click Add.

  12. From the drop-down list, select the folder team-02-01, and then click Add.

  13. In the Add member dialog, in the Members field, add the group Devteam2@[YOUR_DOMAIN], replacing [YOUR_DOMAIN] with your domain name.

  14. In the Roles drop-down list, select the Resource Manager and Project Creator roles, and then click Add.

Creating centralized projects

Create a project called ProjectCreation at the organization level.

  1. In the GCP Console, open the Manage Resources page.

  2. From the Organization drop-down list, select your organization.

  3. Click Create Project, and type ProjectCreation as the project name.

  4. In the Location box, confirm that the organization is selected.

  5. Click Create.

You can use this project to create other projects in an automated, repeatable manner by using Deployment Manager templates.

Create a shared resources project named SharedResources under the top-level Development folder.

  1. In the GCP Console, open the Manage Resources page.

  2. From the Organization drop-down list, select your organization.

  3. Click Create Project, and type SharedResources as the project name.

  4. To select the Development folder under which you want to create the project, in the Location box, click Browse.

  5. Click Create.

Automating project creation

To automate project creation when using Deployment Manager, you need to use the ProjectCreation project and customize the configuration files.

  1. To create the Deployment Manager project creation templates, open a Cloud Shell session that clones the GitHub repository.

    Verify that you are running in the correct project.

  2. Set the working project, replacing [PROJECT_ID] with your project ID.

    gcloud config set project [PROJECT_ID]

  3. Change folders to the Deployment Manager project.

    cd ~/deploymentmanager-samples/examples/v2/project_creation/

  4. Follow the instructions in the Prerequisites section of the README file, starting with step 2. (You can start at step 2 because you did step 1 in the previous section.)

  5. Activate the APIs that are indicated in the preceding README. To do this, ensure that you are in the ProjectCreation project. From the left navigation menu, click APIs and services > Dashboard, and then click Enable APIs and Services. Search for each API that you need, and if it is not enabled, click Enable.

  6. After you configure the ProjectCreation project, follow the steps in the Using the templates section of the README to configure a project called testapp-[ENTER_DATE_STAMP], replacing [ENTER_DATE_STAMP] with the actual date stamp.

Granting permissions

You can now apply the permissions that you defined when mapping IAM roles to functional groups.

Resource | IAM roles | Members
Folder: team-01-01 | Folder Admin, Project Creator, Network Admin, Folder IAM Admin | Devteam1@example.org
Folder: team-02-02 | Folder Admin, Project Creator, Network Admin, Folder IAM Admin | Devteam2@example.org
Organization | Network Admin, Security Admin | NetworkAdmins@example.org
Organization | Organization Admin, Policy Admin | OrgAdmins@example.org, OrgSecurityAdmins@example.org
Organization | Billing Admin | finance@example.org, ProjectCreation service account

  1. In the GCP Console, open the IAM & Admin page.

  2. From the drop-down list, select the hierarchy resource level: Organizations, Folder, or Project. Then click Add.

  3. In the Add member dialog, in the Members field, add the members, replacing example.org with your domain suffix.

  4. From the Roles drop-down list, select the IAM roles for each member, and then click Add.

  5. Repeat steps 1–4 for each set of permissions listed in the preceding table.

Configuring development resources

In the SharedResources project, create a repository for the configuration templates and scripts.

  1. In the GCP Console, open the Source Repositories view.

  2. In the left navigation menu, click Repositories.

  3. Click Create Repository.

  4. When prompted, enter the name shared_resources for the repository, and click Create.

  5. In the GCP Console, open the IAM & Admin page.

  6. Select the SharedResources project, and click Continue.

  7. Add each group from the groups list, with the exception of finance@example.org, and assign the Editor role.

Cleaning up

After you've finished the current tutorial, you can clean up the resources you created on Google Cloud Platform so you won't be billed for them in the future. The following sections describe how to delete or turn off these resources.

Remove the deployments

  1. In the GCP Console, open the Deployments page.

  2. In the list of deployments, select the check boxes for the deployment(s) that you created as part of the tutorial.

  3. Click Delete.

Delete the projects

The easiest way to eliminate billing is to delete the project you created for the tutorial.

To delete the project:

  1. In the GCP Console, go to the Projects page.

  2. In the project list, select the check box next to the project you want to delete, and then click Delete project.

  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next

This tutorial guided you through configuring a base GCP environment as described in Policy Design for Startup Customers.

  • If you decide to keep this configuration for actual production, at a minimum be sure you:

    • Configure a shared VPC and follow the best practices for managing your user accounts.
    • Configure audit logging for the organization by following the instructions that are outlined in Configuring Data Access Logs.
    • Assign the logging.privatelogviewer role to the group that needs to view audit logs.

  • After you determine your naming strategy, including labels, set up a billing dashboard. The instructions guide you through the required task of setting up the export of your billing data to BigQuery.
  • Set up a continuous integration and continuous deployment (CI/CD) environment so you can incorporate the configuration-as-code approach as part of your usual deployment processes. Decide which approach suits your development and operational processes. GCP has a number of articles that cover various CI/CD solutions.
  • For an optional advanced step, create the shared VPC configuration by extending the project creation templates.
  • For a security scanning and enforcement solution, you can set up Forseti Security.
  • Try out other Google Cloud Platform features for yourself. Have a look at our tutorials.