Cloud Resource Manager
Author: Venkata Sudhakar
Google Cloud Resource Manager provides hierarchical management of GCP resources using Organizations, Folders, and Projects. It allows you to organize resources, manage access policies, and set constraints across your entire GCP environment.

Resource Hierarchy:
1. Organization - The root node representing your company. All resources belong to an organization.
2. Folders - Optional grouping mechanism for projects. Folders represent departments, teams, or environments.
3. Projects - The base-level organizing unit. All GCP resources (VMs, databases, storage) belong to a project.
4. Resources - Individual GCP services such as VMs, buckets, and databases within projects.

Key Features:
1. IAM inheritance - IAM policies set at higher levels (Organization/Folder) are inherited by all child resources.
2. Organization Policies - Set constraints across your entire organization (e.g., restrict VM locations, disable service account key creation).
3. Labels and tags - Organize and filter resources using key-value labels for billing, automation, and access control.

The below example shows how to manage the resource hierarchy using gcloud.
It gives the following output:
Folders created:
Engineering (folders/111111111)
Production (folders/222222222)
Project created: my-prod-project
Parent: folders/222222222
Org Policy set: constraints/compute.restrictCloudRegions
Allowed: [us-central1, us-east1, europe-west1]
Organization Policy Constraints:
1. compute.restrictCloudRegions - Restrict VM and resource creation to approved regions only.
2. iam.disableServiceAccountKeyCreation - Prevent creation of service account keys across the org.
3. compute.vmExternalIpAccess - Restrict which VMs can have external IP addresses.
4. storage.uniformBucketLevelAccess - Enforce uniform bucket-level access for all Cloud Storage buckets.
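The following script is an added example, not the article's own code: it builds the Organization > Folder > Project hierarchy from the output above with gcloud, applies the boolean constraints listed here at the organization root so that every folder and project inherits them, and finishes with the check a practitioner wants, the effective policy as seen from the project. ORG_ID, PROJECT_ID and the folder id are placeholders, and the region restriction uses the gcp.resourceLocations constraint, which is the list constraint gcloud accepts for allowed locations.

```shell
#!/bin/sh
# Added example (not from the original article). Placeholders: ORG_ID, PROJECT_ID,
# and the folder id 222222222 taken from the article's sample output.
# DRY_RUN=1 (default) prints each gcloud command; DRY_RUN=0 executes it.
ORG_ID="${ORG_ID:-000000000000}"          # placeholder organization id
PROJECT_ID="${PROJECT_ID:-my-prod-project}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise run it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_folder NAME PARENT   (PARENT is organizations/ID or folders/ID)
create_folder() {
  case "$2" in
    organizations/*) run gcloud resource-manager folders create --display-name="$1" --organization="${2#organizations/}" ;;
    folders/*)       run gcloud resource-manager folders create --display-name="$1" --folder="${2#folders/}" ;;
    *) echo "unsupported parent: $2" >&2; return 1 ;;
  esac
}

# create_project PROJECT_ID FOLDER_ID  (the project is parented under the folder)
create_project() {
  run gcloud projects create "$1" --folder="$2"
}

# Allow resource creation only in the given regions (list constraint, set at the org root).
restrict_regions() {
  run gcloud resource-manager org-policies allow constraints/gcp.resourceLocations "$@" --organization="$ORG_ID"
}

# Boolean constraints from the article: enforcing them at the org root means no
# child folder or project can create SA keys or non-uniform buckets.
enforce_boolean_constraints() {
  for c in iam.disableServiceAccountKeyCreation storage.uniformBucketLevelAccess; do
    run gcloud resource-manager org-policies enable-enforce "constraints/$c" --organization="$ORG_ID"
  done
}

# Verification: the effective policy at the project shows what was inherited.
show_effective() {
  run gcloud resource-manager org-policies describe "constraints/$1" --project="$PROJECT_ID" --effective
}

create_folder Engineering "organizations/$ORG_ID"
create_folder Production  "organizations/$ORG_ID"
create_project "$PROJECT_ID" 222222222
restrict_regions us-central1 us-east1 europe-west1
enforce_boolean_constraints
show_effective iam.disableServiceAccountKeyCreation
```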