This template:

1. Creates a new project.
2. Sets a billing account for the new project
3. Sets IAM permissions in the new project
4. Turns on a set of APIs in the new project
5. Creates service accounts for the new project
6. Creates a usage export Cloud Storage bucket for the new project
7. Removed default networks, firewalls
8. Removes default Service Account
9. Creates VPC host or attached VPC service project

Following are the prerequisites for creating a project via Deployment Manager. You can perform some of the steps via the Cloud Console at https://console.cloud.google.com/. The gcloud command line tool is used to deploy the configs.

Note: Permission changes can take up to 20 minutes to propagate. If you run commands before the propagation is completed, you may receive errors regarding the user not having permissions.

Note: "If you have Shared VPC Admin role at the folder level, you need to use gcloud beta or the beta API." Some version of the Project Factory is using the GA API, which means SharedVPC features may result a permission error. See Issue #403

1. Install gcloud.

2. Create a project that will create and own the deployments (henceforth referred to as DM Creation Project). See: https://cloud.google.com/resource-manager/docs/creating-managing-organization.

   Important: Because of the special permissions granted to the DM Creation Project, it should not be used for any purpose other than creating other projects.

3. Activate the following APIs for the DM Creation Project:

   • Google Cloud Deployment Manager V2 API
   • Google Cloud Resource Manager API
   • Google Cloud Billing API
   • Google Identity and Access Management (IAM) API
   • Google Service Management API

   You may use the gcloud services enable command to do this:

   gcloud services enable deploymentmanager.googleapis.com
   gcloud services enable cloudresourcemanager.googleapis.com
   gcloud services enable cloudbilling.googleapis.com
   gcloud services enable iam.googleapis.com
   gcloud services enable servicemanagement.googleapis.com

4. Find the Cloud Services service account associated with the DM Creation Project.

   It is formatted as <project_number>@cloudservices.gserviceaccount.com, and is listed under IAM & Admin in Google Cloud Console. This account is henceforth referred to as the DM Service Account. See https://cloud.google.com/resource-manager/docs/access-control-proj.

5. Create an Organization node.

   If you do not already have an Organization node under which you can create projects, create that node following these instructions.

6. Grant the DM Service Account the following permissions on the Organization node:

   • roles/resourcemanager.projectCreator
   • roles/serviceusage.serviceUsageAdmin

   This is visible in the Cloud Console's IAM permissions in Resource Manager -> Project Creator and Resource Manager -> Service Usage Admin. See https://cloud.google.com/resource-manager/docs/access-control-proj.

7. Create/find the Billing Account associated with the Organization. See: https://cloud.google.com/support/billing/. Take note of the Billing Account's ID, which is formatted as follows:00E12A-0AB8B2-078CE8.

8. Give the DM Service Account the following permissions on the Billing Account: roles/billing.user. This is visible in Cloud Console's IAM permissions in Billing -> Billing Account User.

9. If the project is a VPC host or guest project, give the DM Service Account the following permissions: roles/compute.xpnAdmin.

• cloudresourcemanager.v1.project
• deploymentmanager.v2.virtual.projectBillingInfo
• iam.v1.serviceAccount
• deploymentmanager.v2.virtual.enableService
• ../iam_member CFT template
• gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
• gcp-types/storage-v1:buckets
• gcp-types/compute-v1:compute.projects.setUsageExportBucket
• compute.beta.xpnResource
• compute.beta.xpnHost
• gcp-types/compute-v1:compute.firewalls.delete
• gcp-types/compute-v1:compute.networks.delete
• gcp-types/iam-v1:iam.projects.serviceAccounts.delete

See the properties section in the schema file(s):

• project

1. Clone the Deployment Manager Samples repository:

    git clone https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit

2. Go to the dm directory:

    cd dm

3. Copy the example DM config to be used as a model for the deployment; in this case, examples/project_standalone.yaml:

    cp templates/project/examples/project_standalone.yaml my_project.yaml

4. Change the values in the config file to match your specific GCP setup (for properties, refer to the schema files listed above):

    vim my_project.yaml  # <== change values to match your GCP setup

5. Create your deployment (replace <YOUR_DEPLOYMENT_NAME> with the relevant deployment name):

    gcloud deployment-manager deployments create <YOUR_DEPLOYMENT_NAME> \
        --config my_project.yaml

6. In case you need to delete your deployment:

    gcloud deployment-manager deployments delete <YOUR_DEPLOYMENT_NAME>

• Standalone project
• VPC host project
• VPC consumer project