This template:
- Creates a new project.
- Sets a billing account for the new project.
- Sets IAM permissions in the new project.
- Turns on a set of APIs in the new project.
- Creates service accounts for the new project.
- Creates a usage export Cloud Storage bucket for the new project.
The following are the prerequisites for creating a project via Deployment Manager. Some of the steps can be performed in the Cloud Console at https://console.cloud.google.com/. The gcloud command line tool is used to deploy the configs.
Note: Permission changes can take up to 20 minutes to propagate. If you run commands before propagation has completed, you may receive errors saying the user does not have the required permissions.
- Install gcloud.
- Create a project that will create and own the deployments (henceforth referred to as the DM Creation Project). See: https://cloud.google.com/resource-manager/docs/creating-managing-organization.
Important: Because of the special permissions granted to the DM Creation Project (anyone who can create deployments in it can act with the organization-level and billing permissions granted to its DM Service Account below), it should not be used for any purpose other than creating other projects.
- Activate the following APIs for the DM Creation Project:
- Google Cloud Deployment Manager V2 API
- Google Cloud Resource Manager API
- Google Cloud Billing API
- Google Identity and Access Management (IAM) API
- Google Service Management API
You may use the gcloud services enable command to do this, with the DM Creation Project as the active gcloud project (or pass --project <DM_CREATION_PROJECT_ID> to each command):
gcloud services enable deploymentmanager.googleapis.com
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudbilling.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable servicemanagement.googleapis.com
- Find the Cloud Services service account associated with the DM Creation Project. It is formatted as <project_number>@cloudservices.gserviceaccount.com and is listed under IAM & Admin in the Google Cloud Console. This account is henceforth referred to as the DM Service Account. See https://cloud.google.com/resource-manager/docs/access-control-proj.
- Create an Organization node. If you do not already have an Organization node under which you can create projects, create one following https://cloud.google.com/resource-manager/docs/creating-managing-organization.
- Grant the DM Service Account roles/resourcemanager.projectCreator on the Organization node. This is visible in the Cloud Console's IAM permissions as Resource Manager -> Project Creator. See https://cloud.google.com/resource-manager/docs/access-control-proj.
- Create/find the Billing Account associated with the Organization. See: https://cloud.google.com/support/billing/. Take note of the Billing Account's ID, which is formatted as follows: 00E12A-0AB8B2-078CE8.
- Give the DM Service Account roles/billing.user on the Billing Account. This is visible in the Cloud Console's IAM permissions as Billing -> Billing Account User.
- If the new project is a Shared VPC host project, also give the DM Service Account roles/compute.xpnAdmin (Shared VPC Admin). This role must be granted on the Organization node or on the folder that contains the host project.
Resource types used by this template:
- cloudresourcemanager.v1.project
- deploymentmanager.v2.virtual.projectBillingInfo
- iam.v1.serviceAccount
- deploymentmanager.v2.virtual.enableService
- gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
- gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
- gcp-types/storage-v1:buckets
- gcp-types/compute-v1:compute.projects.setUsageExportBucket
- compute.beta.xpnResource
- compute.beta.xpnHost
- gcp-types/compute-beta:compute.firewalls.delete
- gcp-types/compute-beta:compute.networks.delete
- gcp-types/iam-v1:iam.projects.serviceAccounts.delete
For the available properties, see the properties section in the template's schema file(s).
- Clone the Deployment Manager Samples repository:
git clone https://github.com/GoogleCloudPlatform/deploymentmanager-samples
- Go to the community/cloud-foundation directory inside the cloned repository:
cd deploymentmanager-samples/community/cloud-foundation
- Copy the example DM config to be used as a model for the deployment; in this case, examples/project.yaml:
cp templates/project/examples/project.yaml my_project.yaml
- Change the values in the config file to match your specific GCP setup (for properties, refer to the schema files listed above):
vim my_project.yaml # <== change values to match your GCP setup
- Create your deployment in the DM Creation Project (replace <YOUR_DEPLOYMENT_NAME> with the relevant deployment name; either make the DM Creation Project the active gcloud project or add --project <DM_CREATION_PROJECT_ID>):
gcloud deployment-manager deployments create <YOUR_DEPLOYMENT_NAME> \
--config my_project.yaml
- In case you need to delete your deployment (by default Deployment Manager also deletes the resources it created, including the new project; add --delete-policy=ABANDON to remove only the deployment record and keep the project):
gcloud deployment-manager deployments delete <YOUR_DEPLOYMENT_NAME>
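The prerequisite steps above (API enablement, DM Service Account lookup, the organization and billing grants) and the create/delete usage steps, as one added shell example. It is not code from the deploymentmanager-samples repository or from this template; the function names, the DRY_RUN mechanism, the VPC_HOST/ORG_ID/BILLING_ACCOUNT/DM_PROJECT variables and the exact character set assumed for billing account IDs are this example's own assumptions. On older SDKs the billing binding command lives under gcloud beta billing.

```shell
#!/bin/sh
# Added example, not code from the deploymentmanager-samples repository.
# Performs the prerequisite API enablement and IAM grants for the DM Creation
# Project, then creates or deletes the project deployment, all via gcloud.
# DRY_RUN=1 prints each gcloud command instead of running it.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Enable the five APIs the prerequisites list, in one gcloud call.
enable_dm_apis() {
  run gcloud services enable \
    deploymentmanager.googleapis.com \
    cloudresourcemanager.googleapis.com \
    cloudbilling.googleapis.com \
    iam.googleapis.com \
    servicemanagement.googleapis.com \
    --project "$1"
}

# The DM Service Account is derived from the project number.
dm_service_account() {
  printf '%s@cloudservices.gserviceaccount.com\n' "$1"
}

# Billing account IDs look like 00E12A-0AB8B2-078CE8; the exact character set
# (three groups of six uppercase hex digits) is an assumption of this example.
valid_billing_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9A-F]{6}-[0-9A-F]{6}-[0-9A-F]{6}$'
}

# Grant projectCreator on the organization, billing.user on the billing account
# and, only when the new project will be a Shared VPC host, xpnAdmin on the
# organization. Arguments: ORG_ID BILLING_ACCOUNT_ID DM_SA [yes|no]
grant_dm_roles() {
  member="serviceAccount:$3"
  run gcloud organizations add-iam-policy-binding "$1" \
    --member "$member" --role roles/resourcemanager.projectCreator
  run gcloud billing accounts add-iam-policy-binding "$2" \
    --member "$member" --role roles/billing.user
  if [ "${4:-no}" = yes ]; then
    run gcloud organizations add-iam-policy-binding "$1" \
      --member "$member" --role roles/compute.xpnAdmin
  fi
}

# Deploy the config in the DM Creation Project. Arguments: NAME CONFIG DM_PROJECT
create_project_deployment() {
  run gcloud deployment-manager deployments create "$1" --config "$2" --project "$3"
}

# Delete the deployment. DELETE (the default) also deletes the resources it
# created, including the new project; ABANDON keeps them.
# Arguments: NAME DM_PROJECT [DELETE|ABANDON]
delete_project_deployment() {
  run gcloud deployment-manager deployments delete "$1" --project "$2" \
    --delete-policy "${3:-DELETE}" --quiet
}

# Real run only when the caller exports ORG_ID, BILLING_ACCOUNT and DM_PROJECT;
# VPC_HOST=yes adds the Shared VPC Admin grant.
if [ -n "${ORG_ID:-}" ] && [ -n "${BILLING_ACCOUNT:-}" ] && [ -n "${DM_PROJECT:-}" ]; then
  valid_billing_account_id "$BILLING_ACCOUNT" || { echo "malformed billing account ID" >&2; exit 1; }
  enable_dm_apis "$DM_PROJECT"
  number=$(gcloud projects describe "$DM_PROJECT" --format='value(projectNumber)')
  grant_dm_roles "$ORG_ID" "$BILLING_ACCOUNT" "$(dm_service_account "$number")" "${VPC_HOST:-no}"
fi
```

Run it once with DRY_RUN=1 and the three variables exported to review the exact bindings before they are applied; the Shared VPC Admin grant is deliberately opt-in because it is only needed for host projects and widens what anyone able to deploy in the DM Creation Project can do.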