Overview
Scenario:
- A company of 200 people separated into 10 teams.
- Administrators can set a company-wide policy to limit GCP accounts.
- An easy way to switch a user to another team.
- A single login page for users to log in.
- Each team wants its own access to its own resources.
- Also, different environments for specific purposes.
- Sometimes teams need temporary cooperation with each other.
- For auditing, bills should be separated by team.
Solution:
- Google Groups to group users by team or function.
- Nested groups to organize members within a team.
- GCP folders to build a hierarchical architecture.
- Set IAM roles by Google Group email.
- Set Organization Policies on GCP folders to limit resources.
- Use separate GCP folders for different environments (production, staging, ...).
Organization
```mermaid
graph LR
R[Organization root] --> A[Team A folder]
R --> B[Team B folder]
A --> A1[Team A production folder]
A --> A2[Team A staging folder]
B --> B1[Team B production folder]
B --> B2[Team B staging folder]
R --> P[Playground folder]
```
Nested Google Group
```mermaid
graph LR
subgraph A [Team A Google Group]
A1[Team A production Google Group]
A2[Team A staging Google Group]
end
```
IAM relationship between Google Group and Google project
```mermaid
graph LR
A[Team A Google Group] -- Folder Admin/Owner --> AF[Team A folder]
A1[Team A production Google Group] -- Folder Admin/Owner --> A1F[Team A production folder]
A2[Team A staging Google Group] -- Folder Admin/Owner --> A2F[Team A staging folder]
P[Playground Google Group] -- Folder Admin/Owner --> PF[Playground folder]
```
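As an added example (not code from the original page), the Team A branch of the hierarchy above expressed in Terraform: the organization id and the group addresses are placeholder assumptions, and `roles/resourcemanager.folderAdmin` stands in for the "Folder Admin/Owner" binding in the diagram. Because roles are bound to the group address rather than to people, moving a user between teams is a group-membership change only, and the folder-level policy is inherited by every project created beneath the folder.

```hcl
# Placeholder values (assumptions, not from the page): replace with your own.
variable "org_id"            { default = "123456789012" }           # organization id
variable "team_a_group"      { default = "team-a@example.com" }      # parent group
variable "team_a_prod_group" { default = "team-a-prod@example.com" } # nested group

# Team A folder directly under the organization root.
resource "google_folder" "team_a" {
  display_name = "Team A"
  parent       = "organizations/${var.org_id}"
}

# Production folder nested under the Team A folder; .name is "folders/<id>".
resource "google_folder" "team_a_prod" {
  display_name = "Team A production"
  parent       = google_folder.team_a.name
}

# Grant the team-wide group admin on the team folder (inherited by children).
resource "google_folder_iam_member" "team_a_admin" {
  folder = google_folder.team_a.name
  role   = "roles/resourcemanager.folderAdmin"
  member = "group:${var.team_a_group}"
}

# Grant the nested production group admin on the production folder only.
resource "google_folder_iam_member" "team_a_prod_admin" {
  folder = google_folder.team_a_prod.name
  role   = "roles/resourcemanager.folderAdmin"
  member = "group:${var.team_a_prod_group}"
}

# Organization policy attached to the folder: every project under the
# production folder inherits it and cannot create VMs with external IPs.
resource "google_folder_organization_policy" "prod_no_external_ip" {
  folder     = google_folder.team_a_prod.name
  constraint = "compute.vmExternalIpAccess"

  list_policy {
    deny {
      all = true
    }
  }
}
```

Apply the same block per team and per environment folder; a project-level override of the policy would have to be granted explicitly, so the folder remains the single place to audit what a team's projects are allowed to do.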
Terraform
- Seed project (Not Recommended)
Create a service account per GCP project and use it as the credential for that project's Terraform repo.
```mermaid
graph LR;
A[A GCP project] --> AT[A Terraform repo];
AT --> A;
B[B GCP project] --> BT[B Terraform repo];
BT --> B;
```