This document describes the prerequisites for using the Guided Deployment Automation tool in Workload Manager.
In addition, you must meet the following prerequisites that are specific to the application you're deploying:
- Prerequisites for deploying an SAP S/4HANA application
- Prerequisites for deploying a SQL Server workload
Prerequisite | Description |
---|---|
Google Cloud billing account | You must have a Google Cloud account that is part of your organization with active billing. For more information, see Create a new billing account. |
Google Cloud project | A Google Cloud project in which you want to deploy the application. See Create and manage projects. Make sure that the project is linked to the billing account. |
Enable APIs | Enable the following APIs in your project: During the deployment process, Workload Manager automatically enables additional required APIs if they're not enabled in your project. |
Grant IAM roles to Workload Manager service account | Workload Manager uses a service agent that needs to be granted the required roles before you can deploy an application. For more information, see Workload Manager service account. |
Grant IAM roles to a user-managed service account | Create a service account and grant all the required roles for deploying your application. For more information, see User-managed service account. |
IAM roles and permissions | Users who deploy a workload using the Guided Deployment Automation tool must have or be granted the required roles and permissions to configure the deployment. These users also need permissions to create the necessary service accounts during deployment. For more information, see IAM roles and permissions. |
Cloud Build private pool | Optional. If your organization enforces VPC Service Controls perimeter settings for protecting Workload Manager resources and data, then set up a Cloud Build private worker pool to use in your deployment environment. For more information, see Use a Cloud Build private worker pool. |
Quotas | Make sure that you have sufficient resource quota in your project to deploy the workload. For more information, see Quotas. |
Workload Manager service account
The Guided Deployment Automation tool uses a service agent for deploying applications.
When you create a deployment, Workload Manager prompts you to grant the required roles to this service account if they're not already granted. If you don't have the permission to grant these roles, ask an administrator to grant the following roles to the Workload Manager service account before creating a deployment.
Service account | Required roles |
---|---|
Service-PROJECT_ID@gcp-sa-workloadmanager.iam.gserviceaccount.com | |
User-managed service account
Workload Manager uses the service account attached to your deployment to call other APIs and services for creating resources required for the deployment.
You can either attach an existing service account or create a service account when you configure the deployment. Depending on your application and configuration, Workload Manager prompts you to grant any of the missing roles to your service account.
For more information about granting roles to service accounts, see Manage access to service accounts.
IAM roles and permissions
Access to Workload Manager is controlled using Identity and Access Management (IAM). Workload Manager provides a specific set of predefined IAM roles, where each role contains a set of permissions. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
The following permission is required to enable the Workload Manager API in the selected project. This task only needs to be performed once in each project. An administrator or another user with the permission can enable the API, and after that other users can access Workload Manager.
Action | Permission Required | Example Role |
---|---|---|
Enable Workload Manager API | serviceusage.services.enable | roles/editor, roles/serviceusage.serviceUsageAdmin |
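The following added example (not part of the original documentation) audits a project IAM policy to list who can enable APIs and flags principals that hold a broad basic role where the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin) would suffice. The sample policy, principals and function name are constructed for illustration; custom roles that carry the permission are not resolved.

```python
import json

# Roles that carry serviceusage.services.enable. The two basic roles are broad;
# Service Usage Admin is the narrow alternative. Custom roles are not resolved.
BROAD_ROLES = {"roles/owner", "roles/editor"}
NARROW_ROLES = {"roles/serviceusage.serviceUsageAdmin"}

# Constructed sample in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["user:alice@example.com",
               "serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/owner", "members": ["group:platform-admins@example.com"]},
  {"role": "roles/serviceusage.serviceUsageAdmin",
   "members": ["user:alice@example.com", "user:bob@example.com"]},
  {"role": "roles/viewer", "members": ["user:carol@example.com"]}
]}
""")


def audit_api_enablers(policy):
    """Map each principal that can enable APIs to the roles that allow it."""
    report = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_ROLES | NARROW_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                continue  # tombstoned principal, grants nothing
            entry = report.setdefault(member, {"roles": [], "over_privileged": False})
            entry["roles"].append(role)
            if role in BROAD_ROLES:
                entry["over_privileged"] = True
    for entry in report.values():
        entry["roles"].sort()
    return report


if __name__ == "__main__":
    for member, entry in sorted(audit_api_enablers(SAMPLE_POLICY).items()):
        verdict = "narrow to Service Usage Admin" if entry["over_privileged"] else "ok"
        print(f"{member}: {', '.join(entry['roles'])} -> {verdict}")
```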
Workload Manager also has roles to control who can access the deployment features and determine who can deploy, manage, and view deployments. Each role has the necessary permissions to perform the stated tasks.
For more information, see Access control with IAM. When granting IAM roles to principals, Google recommends that you apply the principle of least privilege.
Role | Deployment task |
---|---|
Workload Manager Deployment Admin (Alpha) | Create, modify, deploy, and view deployments. |
Workload Manager Deployment Viewer (Alpha) | View deployments. |
Use a Cloud Build private worker pool
If your organization enforces VPC Service Controls compliance, then you must use a private worker pool for your deployment.
Private pools are hosted in a Google-owned Virtual Private Cloud network called the service producer network. Before creating a private pool, set up a private connection between the service producer network and the VPC network that contains your resources.
To create and use a Cloud Build private pool, follow the instructions in Create and manage private pools.
Consider the following requirements when you set up a private worker pool to use with Workload Manager:
- You must use a Cloud Build private worker pool for the deployment. You cannot use the default Cloud Build worker pool. For more information, see Limitations in the Cloud Build documentation.
- To download the Terraform configuration, the Cloud Build private pool must have public internet calls enabled.
You must also ensure that the following resources are in the same VPC Service Controls service perimeter:
- Cloud Build private worker pool.
- Workload Manager service account.
- The Cloud Storage bucket that Workload Manager uses for deployment.
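One way to check the same-perimeter requirement before deploying, as an added example that is not part of the original documentation: it reads perimeter definitions and reports whether all three resources fall inside one regular perimeter. It assumes each resource is identified by the number of the project it belongs to; the perimeter names, project numbers and function names are constructed.

```python
import json

# Constructed sample in the shape of
# `gcloud access-context-manager perimeters list --format=json`.
SAMPLE_PERIMETERS = json.loads("""
[
  {"name": "accessPolicies/000000000000/servicePerimeters/wlm_prod",
   "perimeterType": "PERIMETER_TYPE_REGULAR",
   "status": {"resources": ["projects/111111111111", "projects/222222222222"]}},
  {"name": "accessPolicies/000000000000/servicePerimeters/shared_bridge",
   "perimeterType": "PERIMETER_TYPE_BRIDGE",
   "status": {"resources": ["projects/111111111111", "projects/333333333333"]}},
  {"name": "accessPolicies/000000000000/servicePerimeters/data_lake",
   "status": {"resources": ["projects/333333333333"]}}
]
""")


def perimeter_of(perimeters, project_number):
    """Return the regular perimeter that contains the project, or None."""
    target = f"projects/{project_number}"
    for perimeter in perimeters:
        # A bridge links perimeters; it does not place a project inside one.
        # Assumption: a missing perimeterType means a regular perimeter.
        if perimeter.get("perimeterType") == "PERIMETER_TYPE_BRIDGE":
            continue
        if target in perimeter.get("status", {}).get("resources", []):
            return perimeter["name"]
    return None


def check_same_perimeter(perimeters, resources):
    """resources maps a label to a project number; returns (ok, placement)."""
    placement = {label: perimeter_of(perimeters, number)
                 for label, number in resources.items()}
    names = set(placement.values())
    return (len(names) == 1 and None not in names), placement


if __name__ == "__main__":
    ok, placement = check_same_perimeter(SAMPLE_PERIMETERS, {
        "private worker pool": "111111111111",
        "Workload Manager service account": "111111111111",
        "deployment bucket": "333333333333",
    })
    for label, name in placement.items():
        print(f"{label}: {name or 'not in any perimeter'}")
    print("same perimeter" if ok else "resources are split across perimeters")
```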
Quotas
Google Cloud uses quotas to protect and control the number of resources that a particular account or organization can use. The supported applications often consume a large portion of resources. Given the size of the databases and applications, you might experience quota issues during the deployment process.
To avoid quota issues, do the following:
- View available resource quota for your project.
- If needed, request a higher quota limit or contact your project administrator.
What's next
- Learn how to prepare SAP installation files for deployment.
- Learn how to deploy an SAP S/4HANA workload.