Google Cloud Resource Management

This tutorial is adapted from Web Age course Google Cloud Platform Fundamentals.

1.1 The Cloud Resource Manager Hierarchy

Google Cloud Resource Manager is a service that allows users to group, hierarchically organize, and manage resources by the organization, folder, and project from a single point for control. This hierarchy allows you to map your enterprise’s operational structure to Google Cloud, and then to manage access control and permissions for groups of related lower-level resources, such as VMs, Cloud Storage buckets, App Engine instances, etc. All lower-level resources can only be parented by projects (not folders or organizations). Resource Manager offers API for managing resources.

Notes:

Follow this guide (https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations) for best practices on establishing your organization’s cloud presence.

1.2 A Simplified Google Cloud Resource Hierarchy Diagram

Source: https://cloud.google.com/resource-manager/img/gsuite-organization-mapping.png

1.3 An Extended Google Cloud Resource Hierarchy Diagram

Source: https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy

1.4 Creating a Project Programmatically with gcloud

Create a stand-alone project (not attached to an organization):

gcloud projects create PROJECT_ID

Create a project with an organization as its parent:

gcloud projects create PROJECT_ID --organization=ORG_ID

For more information on creating projects, visit https://cloud.google.com/resource-manager/docs/creating-managing-projects

1.5 Creating a Project with Web API

POST https://cloudresourcemanager.googleapis.com/v1/projects/
Authorization: *************
Content-Type: application/json
{
    "projectId": "your_project_id",
    "name": "your project name "
}

Notes:

Here is part of functionally equivalent Python code for creating a project:

from googleapiclient import discovery
from oauth2client.client import OAuth2Credentials as creds
crm = discovery.build(
    'cloudresourcemanager', 'v1', http=creds.authorize(httplib2.Http()))
operation = crm.projects().create(
body={
    'project_id': 'your_project_id',
    'name': 'your project name'
}).execute()

1.6 Resource Manager Features and Components 

• Organization
  • Represents an organization such as your company and is the root node in the GCP resource hierarchy
• Organization policies
  • Programmatically restrict configurations across your entire cloud resource hierarchy
• Cloud IAM policies
  • Create and manage IAM access control policies for your organization and projects dealing with VM management, logs, etc.
• Asset inventory
  • A fully-managed metadata inventory service that helps to monitor all your GCP and Anthos resources and policies. Supports resource metadata analysis, audit, and compliance tasks
• Create, update, delete projects
  • Create, update, and delete projects that belong to your organization. You can also undelete projects in the “pending deletion” state; you can also obtain a list of all projects in the organization
• Cloud folders
  • Cloud folders help organize your resources and configure IAM policies that will apply to all child resources under those folders
• Cloud console and API access
  • Resource Manager can be accessed through the GCP Console in the Admin section, via Resource Manager API, or using the gcloud command-line tool

Google Workspace and Cloud Identity customers have access to additional features of the resource hierarchy with an added benefits such as centralized visibility and control, and further grouping mechanisms, such as folders.

1.7 Quotas and Capacity Planning

Google Cloud projects are assigned quotas that apply hard limits on the consumption of a particular resource or API and help protect cloud customers from overspending their cloud budgets because of insufficiently reserved capacity. Make sure you provide sufficient capacity by setting your own resource limits for your projects in advance to avoid unexpected resource throttling. If the allocated project quotas are insufficient, use the Quotas section of the Cloud Console. If you require a capacity beyond the maximum allowed quotas, contact your Google Cloud sales team.

1.8 Understanding Quotas

A quota limit represents a specific countable resource, such as the number of API calls made per day

Quotas fall under two categories:

• Rate quotas, such as the number of API requests per day. This quota gets reset after a service-specific time interval
• Allocation quotas, such as the number of VM instances, the size of a GKE cluster, or load balancers used by your project. These quotas do not get reset over time

For more information, visit https://cloud.google.com/docs/quota

1.9 Getting Quotas Using gcloud ( Alpha)

Listing quotas for your current project

gcloud alpha services quota list \
    --service=YOUR_SERVICE_NAME.googleapis.com \
    --consumer=projects/YOUR_PROJECT_ID

Replace the last line in the above command with

 --consumer=organizations/YOUR_ORG_ID

to get the quotas for the entire organization.

1.10 Understanding Resource Labels

A label is a key-value pair that is attached to a resource. Labels help users organize and better manage their Google Cloud resources. The billing system is aware of the labels assigned to resources, so you can break down your billing charges by the label.

Resource filtering by labels is supported

For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels

1.11 Common Uses of Labels

Google recommends the following uses cases for labels:

• Environment or stage labels
  • E.g., env:prod
• Team or cost center labels
  • E.g. group:analytics. This type of labeling can help with cost accounting or budgeting
• System component labels
  • E.g. web_component:frontend
• State labels
  • E.g. state:active
• VM labels:
  • A label can be attached to a virtual machine. Virtual machine tags that you defined in the past will appear as a label without a value

1.12 Creating a Label with the Resource Manager API

POST https://cloudresourcemanager.googleapis.com/v1beta1/projects
{
 "labels": {
  "team": "dream"
 },
 "name": "our_project_name",
 "projectId": "our_project_id"
}

1.13 Budget Alerts

Budgets provide transparency, accountability, and granular control of cloud costs incurred by various parts of your organization. Google Cloud budgets and alerts features are part of the cost monitoring toolkit that allows users to set their target spending and get alerts in case getting off track. Budget alerts allow users to plan, monitor, and control their cloud costs. Budget alerts can be applied to a Cloud Billing account, to one or more Google Cloud projects, as well as to one or more products.

1.14 Budget Alerts Diagram

Source: https://cloud.google.com/billing/docs/how-to/budgets

1.15 Creating a Budget

You can create a new budget (for the entire organization or specific project(s)) that you need to monitor and get alerts using the Cloud Console (the Budgets and Alerts page) and the new Budget API (in beta, 2021). The budget includes such items as the amount (or base the budget amount on the previous month’s spend). You can also set the threshold rules to trigger email alert notifications to the recipients you specify. Rules may check if the actual (or forecasted) costs have exceeded a percentage of your budget.

1.16 The Budget API

The Budget API (in beta, 2021) allows users to create, view, and manage budgets by using the Budget API’s RESTful endpoint:

https://billingbudgets.googleapis.com

1.17 Setting Up Alert Threshold Rules in the Cloud Console

Source: https://cloud.google.com/blog/products/management-tools/monitor-cloud-costs-and-create-budgets-at-scale

1.18 Summary

In this tutorial, we discussed the following topics:

• Cloud Resource Manager Hierarchy
• Understanding quotas
• Budget alerts