{"id":816,"date":"2026-04-16T06:29:33","date_gmt":"2026-04-16T06:29:33","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-resource-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-16T06:29:33","modified_gmt":"2026-04-16T06:29:33","slug":"google-cloud-resource-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-resource-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Google Cloud Resource Manager Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Google Cloud <strong>Resource Manager<\/strong> is the control-plane service that lets you <strong>organize<\/strong>, <strong>govern<\/strong>, and <strong>administer access<\/strong> to Google Cloud resources using a consistent hierarchy (Organization \u2192 Folders \u2192 Projects) and policy model (IAM).<\/p>\n\n\n\n<p>In simple terms: Resource Manager is where you decide <strong>how your cloud is structured<\/strong> (which teams own what), and <strong>who can do what<\/strong> at each level\u2014before anyone deploys workloads.<\/p>\n\n\n\n<p>Technically, Resource Manager provides APIs and console workflows to manage the <strong>resource hierarchy<\/strong>, <strong>project lifecycle<\/strong> (create, move, delete\/undelete), and <strong>policy attachments<\/strong> (such as IAM policies and tags) that are inherited through that hierarchy. 
It is foundational for <strong>Security<\/strong> because it defines the boundaries where permissions, guardrails, and auditability start.<\/p>\n\n\n\n<p>The problem it solves: without a well-governed hierarchy and centralized administration, cloud environments become difficult to secure\u2014projects proliferate, permissions sprawl, and it becomes hard to enforce consistent standards, isolate environments, and demonstrate compliance.<\/p>\n\n\n\n<blockquote>\n<p>Naming note: In Google Cloud documentation and APIs you will often see <strong>\u201cCloud Resource Manager\u201d<\/strong> (for example, the <code>cloudresourcemanager.googleapis.com<\/code> API). In this tutorial, we refer to the service as <strong>Resource Manager<\/strong> throughout.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Resource Manager?<\/h2>\n\n\n\n<p>Resource Manager is a <strong>global Google Cloud service<\/strong> that manages the <strong>logical structure and administrative controls<\/strong> of your Google Cloud environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose (what it\u2019s for)<\/h3>\n\n\n\n<p>Resource Manager exists to:\n&#8211; Provide a <strong>resource hierarchy<\/strong> (Organization, Folders, Projects) for grouping and isolating cloud resources.\n&#8211; Provide <strong>administrative lifecycle management<\/strong> for projects (create, update, delete, restore, move).\n&#8211; Provide consistent points to apply <strong>IAM policies<\/strong> and <strong>tags<\/strong> so that governance can be standardized and inherited.<\/p>\n\n\n\n<p>Official docs entry point: https:\/\/cloud.google.com\/resource-manager\/docs<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Resource hierarchy management<\/strong><\/li>\n<li>Organizations, Folders, Projects<\/li>\n<li>Moving projects between folders (where 
applicable)<\/li>\n<li><strong>Project lifecycle<\/strong><\/li>\n<li>Create projects, set metadata, mark for deletion, undelete (within retention window)<\/li>\n<li><strong>Policy attachment points<\/strong><\/li>\n<li>Attach and manage <strong>IAM policies<\/strong> at organization\/folder\/project (via Resource Manager interfaces; IAM is a separate product, but Resource Manager is a key attachment point)<\/li>\n<li><strong>Resource tagging<\/strong><\/li>\n<li>Tags are a governance construct used for conditional access and organization (see Resource Manager tags docs: https:\/\/cloud.google.com\/resource-manager\/docs\/tags\/tags-overview)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Component<\/th>\n<th>What it represents<\/th>\n<th>Typical use<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Organization<\/td>\n<td>Top-level container tied to a Cloud Identity \/ Google Workspace domain<\/td>\n<td>Central governance for an enterprise<\/td>\n<\/tr>\n<tr>\n<td>Folder<\/td>\n<td>Intermediate grouping unit under an organization<\/td>\n<td>Separate teams, environments, business units<\/td>\n<\/tr>\n<tr>\n<td>Project<\/td>\n<td>The main isolation boundary for most Google Cloud services<\/td>\n<td>Workloads, billing, quotas, IAM boundaries<\/td>\n<\/tr>\n<tr>\n<td>Tags<\/td>\n<td>Key\/value-like governance objects and bindings<\/td>\n<td>Access control conditions, inventory, policy targeting<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Service type and scope<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service type:<\/strong> Control plane \/ governance service (not a data plane runtime service).<\/li>\n<li><strong>Scope:<\/strong> <strong>Global<\/strong> (resource containers are global constructs).<\/li>\n<li><strong>Applies to:<\/strong> Google Cloud environment administration across 
organizations\/folders\/projects.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Google Cloud ecosystem<\/h3>\n\n\n\n<p>Resource Manager sits at the center of cloud governance:\n&#8211; <strong>IAM (Identity and Access Management):<\/strong> Permissions are typically granted at the org\/folder\/project level. Resource Manager is where that hierarchy lives.\n&#8211; <strong>Cloud Logging &amp; Cloud Audit Logs:<\/strong> Admin actions (like project creation, IAM changes) generate audit logs.\n&#8211; <strong>Organization Policy Service:<\/strong> Policy constraints (guardrails) are applied at org\/folder\/project and inherited.\n&#8211; <strong>Cloud Asset Inventory:<\/strong> Inventory and change history rely on the hierarchy to reason about ownership and scope.\n&#8211; <strong>Security Command Center:<\/strong> Security findings, posture management, and org-wide views rely on organization\/folder\/project structure.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Resource Manager?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Clear ownership and accountability:<\/strong> Align folders\/projects to business units, cost centers, and product teams.<\/li>\n<li><strong>Faster audits and reporting:<\/strong> A consistent hierarchy simplifies compliance evidence and access reviews.<\/li>\n<li><strong>Reduced risk of misconfiguration:<\/strong> Standard patterns reduce \u201csnowflake\u201d projects.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Strong isolation boundary:<\/strong> Projects provide a primary boundary for many services (quotas, IAM, service enablement).<\/li>\n<li><strong>Inheritance model:<\/strong> Apply policies once at a folder\/org to cover many projects.<\/li>\n<li><strong>Automatable control plane:<\/strong> Manage structure and lifecycle via APIs\/CLI and IaC tooling.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Standard naming and metadata:<\/strong> Labels\/tags support inventory and operations at scale.<\/li>\n<li><strong>Lifecycle control:<\/strong> You can decommission projects cleanly and reduce resource sprawl.<\/li>\n<li><strong>Delegation:<\/strong> Central platform teams define structure; app teams operate within well-scoped projects.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege at the right level:<\/strong> Grant permissions at the folder level for teams; reserve org-level privileges for a small admin group.<\/li>\n<li><strong>Separation of environments:<\/strong> Distinct folders\/projects for prod vs non-prod reduces blast radius.<\/li>\n<li><strong>Auditability:<\/strong> Administrative actions are logged and attributable to 
identities.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scales organizationally:<\/strong> Thousands of projects are manageable when structured consistently.<\/li>\n<li><strong>Reduces administrative overhead:<\/strong> Inheritance means fewer per-project changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Use Resource Manager when you need:\n&#8211; Multi-team or multi-environment governance\n&#8211; Standardized access control boundaries\n&#8211; Centralized project provisioning and lifecycle\n&#8211; Compliance-aligned hierarchy (business unit, region, data sensitivity)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When they should not choose it<\/h3>\n\n\n\n<p>Resource Manager is not a workload runtime and should not be treated as:\n&#8211; A deployment service (use Cloud Build, Cloud Deploy, Terraform, etc.)\n&#8211; A security scanning product (use Security Command Center, Web Security Scanner, etc.)\n&#8211; A policy engine by itself (use IAM Conditions, Organization Policy Service, VPC Service Controls where applicable)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Resource Manager used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial services:<\/strong> Strong separation of duties, environment segregation, and auditability.<\/li>\n<li><strong>Healthcare:<\/strong> Compliance-driven hierarchy and access boundaries.<\/li>\n<li><strong>Retail\/e-commerce:<\/strong> Multi-team workloads with tight prod controls.<\/li>\n<li><strong>SaaS\/technology:<\/strong> Rapid project creation with guardrails.<\/li>\n<li><strong>Public sector:<\/strong> Org-wide governance and standardized provisioning.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering \/ Cloud Center of Excellence (CCoE)<\/li>\n<li>Security engineering and governance\/risk\/compliance (GRC)<\/li>\n<li>DevOps\/SRE teams managing multiple environments<\/li>\n<li>IT administrators managing enterprise Google Cloud estates<\/li>\n<li>Application teams consuming pre-provisioned projects<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microservices platforms (many projects by domain\/team)<\/li>\n<li>Data platforms (separate projects for raw\/curated\/analytics)<\/li>\n<li>Multi-tenant SaaS (projects per tenant or per tier, depending on model)<\/li>\n<li>Regulated workloads (projects dedicated to compliance boundaries)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Central \u201clanding zone\u201d with org\/folders and standardized projects<\/li>\n<li>Hub-and-spoke networking with shared VPC hosted in central projects<\/li>\n<li>Multi-environment CI\/CD with separate projects for dev\/test\/stage\/prod<\/li>\n<li>Multi-region and multi-geo hierarchies (folders by geography)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Production:<\/strong> Strict org\/folder policies, controlled project creation, audited IAM changes.<\/li>\n<li><strong>Dev\/test:<\/strong> More flexible projects but still governed by folder-level constraints.<\/li>\n<li><strong>Sandboxes:<\/strong> Isolated folders\/projects with time-limited access.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Resource Manager is directly useful.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Enterprise landing zone hierarchy<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams create projects inconsistently, with unclear ownership and ad-hoc access.<\/li>\n<li><strong>Why Resource Manager fits:<\/strong> It provides org\/folder\/project structure with inheritance.<\/li>\n<li><strong>Scenario:<\/strong> A platform team creates folders for <code>prod<\/code>, <code>nonprod<\/code>, <code>shared<\/code>, and business-unit folders under them, then provisions projects into the right place.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Environment isolation (prod vs non-prod)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Non-prod testing accidentally impacts production resources.<\/li>\n<li><strong>Why it fits:<\/strong> Separate projects and folder-level IAM\/policies isolate environments.<\/li>\n<li><strong>Scenario:<\/strong> All prod projects are under a <code>Prod<\/code> folder where only a release group has deploy permissions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Delegated administration for large teams<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Central IT becomes a bottleneck for access requests and project changes.<\/li>\n<li><strong>Why it fits:<\/strong> Folder-level admin roles allow delegation without granting org-wide 
power.<\/li>\n<li><strong>Scenario:<\/strong> Each department gets folder admins who can manage projects and IAM in their area.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Controlled project creation (\u201cno more random projects\u201d)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Uncontrolled project sprawl increases cost and risk.<\/li>\n<li><strong>Why it fits:<\/strong> Project creation permissions can be restricted; structure enforces placement.<\/li>\n<li><strong>Scenario:<\/strong> Only a provisioning pipeline service account has the <code>Project Creator<\/code> role; teams request projects via an approved workflow.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Cost center alignment and chargeback\/showback<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Costs are hard to attribute across teams and products.<\/li>\n<li><strong>Why it fits:<\/strong> Projects map naturally to cost centers; tags\/labels help reporting.<\/li>\n<li><strong>Scenario:<\/strong> A <code>cost_center=fin-ops<\/code> label\/tag is required for all projects in a folder.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) M&amp;A \/ multi-subsidiary governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Newly acquired teams must be integrated while keeping separation.<\/li>\n<li><strong>Why it fits:<\/strong> Folders provide containment and controlled inheritance.<\/li>\n<li><strong>Scenario:<\/strong> Create a folder per subsidiary; central security policies are inherited from the org, but local admins manage their projects.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Policy-based access using tags (attribute-based governance)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Role grants per-project are too manual and error-prone.<\/li>\n<li><strong>Why it fits:<\/strong> Tags provide consistent metadata for governance patterns (often combined with IAM 
Conditions).<\/li>\n<li><strong>Scenario:<\/strong> Projects tagged <code>data_classification=restricted<\/code> get stricter access conditions and review workflows (implementation details depend on your broader policy tooling).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Incident response scoping and blast-radius reduction<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> During an incident, responders need fast visibility and limited privileges.<\/li>\n<li><strong>Why it fits:<\/strong> Folder-level structure allows scoped permissions and inventory targeting.<\/li>\n<li><strong>Scenario:<\/strong> IR team gets read-only access to a <code>Prod<\/code> folder and elevated access to a specific affected project for a limited time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Multi-team shared services vs application projects<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Shared networking\/logging\/security resources need stronger control than app workloads.<\/li>\n<li><strong>Why it fits:<\/strong> Dedicated folders\/projects with distinct IAM boundaries.<\/li>\n<li><strong>Scenario:<\/strong> A <code>Shared<\/code> folder contains central projects for networking and logging; app projects live in <code>Prod<\/code> and <code>Nonprod<\/code> folders.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Compliance audits and access reviews<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Auditors need evidence of least privilege and change tracking.<\/li>\n<li><strong>Why it fits:<\/strong> Hierarchy clarifies scope; Audit Logs capture admin events; IAM is attachable at each level.<\/li>\n<li><strong>Scenario:<\/strong> Export audit logs for project creation and IAM changes; demonstrate permissions are granted at folder level with controlled membership.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
Core Features<\/h2>\n\n\n\n<p>Resource Manager is mostly about <strong>structure, lifecycle, and governance attachment points<\/strong>. Key features include:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 1: Resource hierarchy (Organization \u2192 Folders \u2192 Projects)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Organizes resources into a tree that supports inheritance.<\/li>\n<li><strong>Why it matters:<\/strong> Governance is manageable only when structure is consistent.<\/li>\n<li><strong>Practical benefit:<\/strong> Apply IAM\/policies at a folder and automatically cover many projects.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Folders require an <strong>Organization<\/strong>; personal Gmail-based setups may only use projects without an organization.<\/li>\n<\/ul>\n\n\n\n<p>Official overview: https:\/\/cloud.google.com\/resource-manager\/docs\/cloud-platform-resource-hierarchy<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 2: Project creation and lifecycle management<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Create, update metadata, delete, and undelete projects.<\/li>\n<li><strong>Why it matters:<\/strong> Projects are the default boundary for workloads and billing association.<\/li>\n<li><strong>Practical benefit:<\/strong> Standardize how projects are created (naming, labels, placement).<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Project IDs are globally unique. 
Deletion is typically recoverable only for a limited retention period (verify current window in official docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 3: Move projects between folders (within an organization)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Reparents a project to another folder in the same organization.<\/li>\n<li><strong>Why it matters:<\/strong> Reorganizations happen; you need a safe control-plane move.<\/li>\n<li><strong>Practical benefit:<\/strong> Align projects to new teams without rebuilding workloads.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Moving projects can impact inherited IAM\/policies; plan and validate effective access after moves.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 4: IAM policy attachment points for orgs\/folders\/projects<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets administrators set and retrieve IAM policies at container levels (via console\/CLI\/APIs).<\/li>\n<li><strong>Why it matters:<\/strong> Central to Security; defines who can administer what.<\/li>\n<li><strong>Practical benefit:<\/strong> Least privilege and separation of duties at scale.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> IAM is a separate service; be clear whether you are using predefined roles, custom roles, or IAM Conditions.<\/li>\n<\/ul>\n\n\n\n<p>IAM overview: https:\/\/cloud.google.com\/iam\/docs\/overview<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 5: Search and listing of containers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enumerate projects\/folders\/orgs and query by attributes (capability depends on API versions and permissions).<\/li>\n<li><strong>Why it matters:<\/strong> Inventory is foundational to governance.<\/li>\n<li><strong>Practical benefit:<\/strong> Enables automated checks (e.g., \u201cfind all projects under folder 
X\u201d).<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Results depend on caller permissions; \u201cmissing\u201d resources often indicates IAM scoping issues rather than absence.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 6: Tags (governance tags and bindings)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Creates and manages tags (TagKeys\/TagValues) and binds them to resources for governance.<\/li>\n<li><strong>Why it matters:<\/strong> Tags enable consistent metadata for automation and policy targeting.<\/li>\n<li><strong>Practical benefit:<\/strong> Standard classification across thousands of resources\/projects.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Tags are not the same as labels. Tag governance typically requires organizational planning. Verify current tag limits in official docs.<\/li>\n<\/ul>\n\n\n\n<p>Tags overview: https:\/\/cloud.google.com\/resource-manager\/docs\/tags\/tags-overview<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 7: Liens (deletion protection for projects) <em>(if enabled\/used in your org)<\/em><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Prevents accidental deletion of a project by placing a lien (a \u201cdo not delete\u201d lock).<\/li>\n<li><strong>Why it matters:<\/strong> Deleting a project can be catastrophic and time-consuming to recover from.<\/li>\n<li><strong>Practical benefit:<\/strong> Protects critical projects (e.g., prod shared services) from deletion.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Operational overhead\u2014liens must be removed intentionally. 
Availability and management workflows can vary; verify current docs for liens before adopting broadly.<\/li>\n<\/ul>\n\n\n\n<p>(If you plan to use liens, verify current documentation under Resource Manager.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 8: Consistent control-plane API surface<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Exposes REST APIs and is supported through <code>gcloud<\/code> for automation.<\/li>\n<li><strong>Why it matters:<\/strong> Enables repeatable, auditable provisioning pipelines.<\/li>\n<li><strong>Practical benefit:<\/strong> Integrates with Terraform, CI\/CD, and internal provisioning tools.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> API quotas\/rate limits exist; design automation with retries and backoff.<\/li>\n<\/ul>\n\n\n\n<p>API reference entry point: https:\/\/cloud.google.com\/resource-manager\/reference\/rest<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Resource Manager is a <strong>global control-plane<\/strong> API. It stores and serves metadata about:\n&#8211; Resource containers (org\/folders\/projects)\n&#8211; Hierarchical parent\/child relationships\n&#8211; Associated policies\/metadata (e.g., IAM policies, tags)<\/p>\n\n\n\n<p>It does not run your workloads; it controls how your environment is structured so other services can operate within those boundaries.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Request \/ control flow<\/h3>\n\n\n\n<p>Typical flows:\n1. An admin or automation (Terraform\/CI) authenticates to Google Cloud (OAuth 2.0 \/ service account).\n2. The client calls Resource Manager (via console, <code>gcloud<\/code>, or REST).\n3. Resource Manager validates permissions using IAM.\n4. Resource Manager writes or reads control-plane metadata (e.g., create project, move project, set tags).\n5. 
Actions generate <strong>Cloud Audit Logs<\/strong> entries for governance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Resource Manager frequently works alongside:\n&#8211; <strong>Cloud IAM:<\/strong> roles, permissions, service accounts (https:\/\/cloud.google.com\/iam)\n&#8211; <strong>Organization Policy Service:<\/strong> guardrails and constraints (https:\/\/cloud.google.com\/resource-manager\/docs\/organization-policy\/overview)\n&#8211; <strong>Cloud Asset Inventory:<\/strong> inventory, search, and change history (https:\/\/cloud.google.com\/asset-inventory\/docs\/overview)\n&#8211; <strong>Cloud Logging \/ Audit Logs:<\/strong> audit trails for admin activity (https:\/\/cloud.google.com\/logging\/docs\/audit)\n&#8211; <strong>Security Command Center:<\/strong> org-wide security visibility (https:\/\/cloud.google.com\/security-command-center)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<p>To use organization\/folder features you typically need:\n&#8211; <strong>Cloud Identity or Google Workspace<\/strong> domain to create an <strong>Organization<\/strong> node.\n&#8211; Proper IAM roles at the organization level.<\/p>\n\n\n\n<p>Projects can exist without an organization (common for small\/personal setups), but enterprise governance is significantly better with an organization.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authentication uses standard Google Cloud identity (user accounts, groups, service accounts, workforce identity federation, workload identity federation).<\/li>\n<li>Authorization is via IAM roles and permissions, often inherited from org\/folder\/project.<\/li>\n<li>Admin actions are recorded in audit logs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource Manager is accessed via Google APIs over 
HTTPS.<\/li>\n<li>No VPC is required to call it, but enterprises may route Google API traffic using controlled egress patterns (for example, Private Google Access or restricted VIPs). Verify your organization\u2019s network\/security standards and supported services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Audit Logs<\/strong> are your primary operational record:<\/li>\n<li>Admin Activity logs for changes like project creation, IAM policy updates.<\/li>\n<li>Data Access logs may apply to certain read operations depending on service and configuration\u2014verify in docs for your environment.<\/li>\n<li>Use log sinks to export audit logs to a SIEM or central logging project.<\/li>\n<li>Use Cloud Asset Inventory (or policy-as-code tooling) to detect drift in hierarchy, tags, and IAM.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (conceptual)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[Admin \/ CI Pipeline] --&gt;|gcloud \/ Console \/ REST| RM[Resource Manager]\n  RM --&gt; IAM[Cloud IAM Authorization]\n  RM --&gt; H[Resource Hierarchy&lt;br\/&gt;Org \/ Folders \/ Projects]\n  RM --&gt; AL[Cloud Audit Logs]\n  H --&gt; P[Projects]\n  P --&gt; S[\"Google Cloud Services&lt;br\/&gt;(Compute, GKE, BigQuery, ...)\"]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (enterprise governance)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Identity\n    CI[Cloud Identity \/ Google Workspace]\n    GRP[Groups]\n    SA[Service Accounts]\n  end\n\n  subgraph Governance\n    RM[Resource Manager&lt;br\/&gt;Hierarchy + Tags]\n    IAM[Cloud IAM]\n    OP[Organization Policy Service]\n    CAI[Cloud Asset Inventory]\n    SCC[Security Command Center]\n    LOG[Cloud Logging + Audit Logs]\n  end\n\n  
subgraph Org[\"Organization\"]\n    FProd[Folder: Prod]\n    FNon[Folder: Nonprod]\n    FShared[Folder: Shared Services]\n    FSec[Folder: Security]\n    PNet[Project: network-host]\n    PLog[Project: logging-central]\n    PApps[Projects: app-*]\n  end\n\n  CI --&gt; GRP --&gt; IAM\n  SA --&gt; IAM\n\n  RM --&gt; Org\n  IAM &lt;--&gt; RM\n  OP --&gt; RM\n  RM --&gt; CAI\n  RM --&gt; LOG\n  IAM --&gt; LOG\n  CAI --&gt; SCC\n  LOG --&gt; SCC\n\n  FShared --&gt; PNet\n  FSec --&gt; PLog\n  FProd --&gt; PApps\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<p>To follow the hands-on lab and understand Resource Manager in practice, you need:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Account \/ organization requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>Google Cloud account<\/strong> with access to the Cloud Console.<\/li>\n<li>For folder\/organization labs:<\/li>\n<li>An <strong>Organization<\/strong> node (usually via Cloud Identity \/ Google Workspace).<\/li>\n<li>If you do not have an Organization, you can still complete the project-level parts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>At minimum (varies by what you do):\n&#8211; To create projects: <code>roles\/resourcemanager.projectCreator<\/code>\n&#8211; To view projects: <code>roles\/viewer<\/code> or <code>roles\/browser<\/code> (scope dependent)\n&#8211; To manage IAM on a project: <code>roles\/resourcemanager.projectIamAdmin<\/code> (or broader roles like Project Owner, not recommended)\n&#8211; To create\/manage folders: <code>roles\/resourcemanager.folderAdmin<\/code> (organization scope)\n&#8211; To view organization: <code>roles\/resourcemanager.organizationViewer<\/code> (organization scope)<\/p>\n\n\n\n<p>If you don\u2019t have these permissions, you can still learn by using an existing project and reading hierarchy metadata, but you may not be able 
to create\/move projects.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource Manager itself typically does not have a direct usage cost.<\/li>\n<li>Some actions (like enabling certain APIs or using other services) can require a billing account.<\/li>\n<li>For this tutorial\u2019s lab, <strong>billing is optional<\/strong> unless your organization requires it for project creation or API enablement. If you hit billing-related errors, you\u2019ll need:<\/li>\n<li>A Cloud Billing account and permission to link it (often <code>roles\/billing.user<\/code> on the billing account), and\/or<\/li>\n<li>Organization policy allowances.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Google Cloud CLI (<code>gcloud<\/code>)<\/strong>: https:\/\/cloud.google.com\/sdk\/docs\/install<\/li>\n<li><strong>Cloud Shell<\/strong> (recommended for beginners; already authenticated and includes <code>gcloud<\/code>)<\/li>\n<li>Optional: <code>curl<\/code> for direct REST API calls<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource Manager is <strong>global<\/strong>. 
Your projects and resources may be regional, but the hierarchy is not.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas \/ limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API rate limits apply to Resource Manager API methods and project creation.<\/li>\n<li>Organizations may set additional constraints via Organization Policy.<\/li>\n<li>Exact quotas can change; <strong>verify in official docs<\/strong>:<\/li>\n<li>API: https:\/\/cloud.google.com\/resource-manager\/reference\/rest<\/li>\n<li>Quotas are typically documented per API\/service in Google Cloud console under Quotas, but availability can vary.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>None required to understand hierarchy.<\/li>\n<li>For some workflows you may need APIs enabled (most often <code>cloudresourcemanager.googleapis.com<\/code>), but many CLI operations handle this implicitly. If you encounter \u201cAPI not enabled,\u201d enable it explicitly (shown in the lab).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (accurate and practical)<\/h3>\n\n\n\n<p>Resource Manager is a <strong>control-plane governance service<\/strong>. 
In general:\n&#8211; <strong>There is no separate line-item charge<\/strong> for using Resource Manager APIs to manage hierarchy, projects, and tags.<br\/>\n&#8211; Costs usually come from <strong>what you create and run inside projects<\/strong>, not from Resource Manager itself.<\/p>\n\n\n\n<p>Because pricing and billing presentation can change, treat this as a model explanation and <strong>verify<\/strong> on official sources.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (what could affect cost)<\/h3>\n\n\n\n<p>Direct costs:\n&#8211; Typically <strong>none<\/strong> for Resource Manager API usage itself.<\/p>\n\n\n\n<p>Indirect \/ related costs:\n&#8211; <strong>Cloud Audit Logs storage and export<\/strong>: Audit logs are generated for admin actions. Logging ingestion\/pricing depends on your logging configuration, retention, and sinks. See: https:\/\/cloud.google.com\/logging\/pricing\n&#8211; <strong>Cloud Asset Inventory<\/strong> exports \/ feeds (if used): may have costs depending on usage pattern\u2014verify current pricing docs for Asset Inventory.\n&#8211; <strong>Automation infrastructure<\/strong>: CI runners, Cloud Build, or other systems making calls.\n&#8211; <strong>Projects you create<\/strong>: any enabled services and resources (compute, storage, etc.) 
will incur normal charges.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource Manager itself is generally \u201cno additional cost,\u201d rather than a metered free tier.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs to watch<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Project sprawl<\/strong>: More projects can mean more operational overhead and potentially more logging\/monitoring configuration.<\/li>\n<li><strong>Centralized log sinks<\/strong>: Exporting logs to BigQuery or Cloud Storage adds storage\/query cost.<\/li>\n<li><strong>Mis-scoped IAM<\/strong>: Security incidents can become the most expensive \u201ccost\u201d of weak governance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource Manager API calls are small control-plane requests; network egress costs are typically negligible compared to data-plane services.<\/li>\n<li>If you export logs or assets to other regions\/projects, those services may incur network\/storage costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost (practical guidance)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid unnecessary project creation; use a request\/approval process.<\/li>\n<li>Use folder-level inheritance to reduce repeated per-project configuration work.<\/li>\n<li>Tune logging sinks and retention thoughtfully (centralize audit logs, but avoid unnecessary data duplication).<\/li>\n<li>Apply tags\/labels to support cost allocation and cleanup automation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate<\/h3>\n\n\n\n<p>A low-cost learning setup can be:\n&#8211; One existing project\n&#8211; Use Resource Manager operations (list\/describe projects, add labels)\n&#8211; No compute resources deployed<br\/>\n<strong>Expected cost:<\/strong> typically $0 incremental 
for Resource Manager itself (but verify logging and any enabled services).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, focus less on Resource Manager API cost and more on:\n&#8211; Central logging and long retention (Cloud Logging \/ SIEM)\n&#8211; Asset inventory feeds\n&#8211; Time and tooling to maintain governance (IaC pipelines, policy-as-code)\n&#8211; Risk reduction (incident and compliance costs)<\/p>\n\n\n\n<p>Official pricing references:\n&#8211; Pricing calculator: https:\/\/cloud.google.com\/products\/calculator\n&#8211; Cloud Logging pricing: https:\/\/cloud.google.com\/logging\/pricing<br\/>\n(Resource Manager may not have a standalone pricing page; verify in official docs if this changes.)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Build a secure, well-governed baseline using Resource Manager by:\n1. Creating (or selecting) a project\n2. Applying consistent metadata (labels)\n3. Managing least-privilege access (IAM at the project level)\n4. (Optional) Exploring folder\/org placement if you have an Organization\n5. Validating changes through <code>gcloud<\/code> and the Resource Manager API\n6. Cleaning up safely<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will use <strong>Cloud Shell<\/strong> and <code>gcloud<\/code> to perform Resource Manager tasks. 
The lab is designed to be low-risk and low-cost because it focuses on control-plane operations.<\/p>\n\n\n\n<p><strong>What you will create\/change:<\/strong>\n&#8211; A new project (if permitted), OR reuse an existing one\n&#8211; One IAM binding (viewer role) for a test principal you choose\n&#8211; A couple of project labels<\/p>\n\n\n\n<p><strong>Expected outcomes:<\/strong>\n&#8211; You can list and describe projects via Resource Manager-backed CLI calls.\n&#8211; The project has labels you can query.\n&#8211; The specified principal has the intended access.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Open Cloud Shell and set variables<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open the Google Cloud Console.<\/li>\n<li>Start <strong>Cloud Shell<\/strong>.<\/li>\n<\/ol>\n\n\n\n<p>Set environment variables:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Choose a globally-unique project ID if you will create a new project\nexport PROJECT_ID=\"rm-lab-$(date +%y%m%d)-$RANDOM\"\nexport PROJECT_NAME=\"resource-manager-lab\"\n\n# Your user email (or another principal) for IAM binding\n# Replace with a real principal you control (user, group, or service account).\nexport PRINCIPAL=\"user:YOUR_EMAIL_ADDRESS\"\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; Variables are set for the rest of the lab.<\/p>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">echo \"PROJECT_ID=$PROJECT_ID\"\necho \"PROJECT_NAME=$PROJECT_NAME\"\necho \"PRINCIPAL=$PRINCIPAL\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a project (or choose an existing one)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Option A (recommended): Create a new project<\/h4>\n\n\n\n<p>Try creating a project:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects create \"$PROJECT_ID\" --name=\"$PROJECT_NAME\"\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; A new 
project is created.<\/p>\n\n\n\n<p>If you see a permissions error (common in enterprise orgs), use Option B.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option B: Use an existing project<\/h4>\n\n\n\n<p>List projects you can access:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects list --format=\"table(projectId,name,projectNumber)\"\n<\/code><\/pre>\n\n\n\n<p>Pick a project ID you can administer and set:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export PROJECT_ID=\"YOUR_EXISTING_PROJECT_ID\"\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; You have a usable project ID for the lab.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Set the active project and confirm Resource Manager access<\/h3>\n\n\n\n<p>Set project:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud config set project \"$PROJECT_ID\"\n<\/code><\/pre>\n\n\n\n<p>Describe the project (this uses Resource Manager-backed metadata):<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects describe \"$PROJECT_ID\" --format=\"yaml\"\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; You see the project\u2019s metadata (project number, lifecycle state, parent if any).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Ensure the Resource Manager API is enabled (if needed)<\/h3>\n\n\n\n<p>In many environments it\u2019s already enabled or not required explicitly. 
If you get \u201cAPI not enabled\u201d errors during API calls, enable it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable cloudresourcemanager.googleapis.com\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; API enabled successfully (or it reports already enabled).<\/p>\n\n\n\n<p>Verify enabled services (optional):<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services list --enabled --filter=\"name:cloudresourcemanager.googleapis.com\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Add governance metadata with labels<\/h3>\n\n\n\n<p>Labels are a practical way to standardize inventory and operations (note: <strong>labels<\/strong> are different from Resource Manager <strong>tags<\/strong>).<\/p>\n\n\n\n<p>Add labels:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects update \"$PROJECT_ID\" \\\n  --update-labels=env=lab,owner=platform-security\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; Project labels are updated.<\/p>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects describe \"$PROJECT_ID\" --format=\"yaml(labels)\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Grant least-privilege access with IAM (project-level)<\/h3>\n\n\n\n<p>Grant a read-only role (Viewer) to the principal you set earlier:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects add-iam-policy-binding \"$PROJECT_ID\" \\\n  --member=\"$PRINCIPAL\" \\\n  --role=\"roles\/viewer\"\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; IAM policy binding updated.<\/p>\n\n\n\n<p>Verify by viewing policy (you need permission to view IAM policy):<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects get-iam-policy \"$PROJECT_ID\" \\\n  --flatten=\"bindings[].members\" \\\n  --filter=\"bindings.members:$PRINCIPAL\" \\\n  --format=\"table(bindings.role, 
bindings.members)\"\n<\/code><\/pre>\n\n\n\n<p>Security note:\n&#8211; Prefer granting access to <strong>groups<\/strong> rather than individuals in production.\n&#8211; Avoid broad roles like Owner except for break-glass patterns.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7 (Optional): Discover where the project sits in the hierarchy<\/h3>\n\n\n\n<p>If your environment has an Organization and folders, check the project\u2019s parent:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects describe \"$PROJECT_ID\" --format=\"value(parent.type,parent.id)\"\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; You see something like <code>folder 1234567890<\/code> or <code>organization 1234567890<\/code>, or nothing if there is no parent\/organization in your setup.<\/p>\n\n\n\n<p>If you have permission and want to list folders (organization setups only):<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud resource-manager folders list --organization=\"ORG_ID\"\n<\/code><\/pre>\n\n\n\n<p>If you don\u2019t know your ORG_ID, you can sometimes discover it via:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud organizations list\n<\/code><\/pre>\n\n\n\n<p>If these commands return nothing or permission denied, that\u2019s normal in restricted environments\u2014hierarchy browsing is commonly limited.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Validate via direct Resource Manager REST API call (optional but useful)<\/h3>\n\n\n\n<p>This step confirms you can call the API directly.<\/p>\n\n\n\n<p>Get an access token:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ACCESS_TOKEN=\"$(gcloud auth print-access-token)\"\n<\/code><\/pre>\n\n\n\n<p>Call the Resource Manager API to fetch project metadata (v1 endpoint commonly used for projects):<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -sS -H \"Authorization: Bearer ${ACCESS_TOKEN}\" \\\n  \"https:\/\/cloudresourcemanager.googleapis.com\/v1\/projects\/${PROJECT_ID}\" | head\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; JSON output that includes <code>projectId<\/code>, <code>projectNumber<\/code>, and <code>lifecycleState<\/code>.<\/p>\n\n\n\n<p>If you get a 403:\n&#8211; You may lack permission such as <code>resourcemanager.projects.get<\/code>, even if you can see the project via other means.\n&#8211; Confirm your current identity: <code>gcloud auth list<\/code><\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Project exists and is accessible<\/strong><\/p>\n<pre><code class=\"language-bash\">gcloud projects describe \"$PROJECT_ID\" --format=\"value(projectId,name,lifecycleState)\"\n<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>Labels were applied<\/strong><\/p>\n<pre><code class=\"language-bash\">gcloud projects describe \"$PROJECT_ID\" --format=\"yaml(labels)\"\n<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>IAM binding exists for the principal<\/strong><\/p>\n<pre><code class=\"language-bash\">gcloud projects get-iam-policy \"$PROJECT_ID\" \\\n  --flatten=\"bindings[].members\" \\\n  --filter=\"bindings.members:$PRINCIPAL\" \\\n  --format=\"table(bindings.role, bindings.members)\"\n<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>API call works (optional)<\/strong><\/p>\n<pre><code class=\"language-bash\">curl -sS -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n  \"https:\/\/cloudresourcemanager.googleapis.com\/v1\/projects\/${PROJECT_ID}\" | grep -E \"projectId|projectNumber|lifecycleState\"\n<\/code><\/pre>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong><code>PERMISSION_DENIED<\/code> when creating a project<\/strong>\n   &#8211; Cause: You lack <code>roles\/resourcemanager.projectCreator<\/code> at the organization\/folder 
scope.\n   &#8211; Fix: Use an existing project or ask an admin for the role (ideally granted to a provisioning service account, not individual users).<\/p>\n<\/li>\n<li>\n<p><strong><code>Requested entity already exists<\/code> (project ID collision)<\/strong>\n   &#8211; Cause: Project IDs are globally unique.\n   &#8211; Fix: Choose another project ID and retry.<\/p>\n<\/li>\n<li>\n<p><strong>Cannot list organizations\/folders<\/strong>\n   &#8211; Cause: You are not in an org-backed account, or you lack org-level viewer permissions.\n   &#8211; Fix: Skip organization\/folder steps. Continue with project-level governance.<\/p>\n<\/li>\n<li>\n<p><strong><code>API ... is not enabled<\/code><\/strong>\n   &#8211; Fix:<\/p>\n<pre><code class=\"language-bash\">gcloud services enable cloudresourcemanager.googleapis.com\n<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>IAM policy binding command fails<\/strong>\n   &#8211; Cause: Missing <code>resourcemanager.projects.setIamPolicy<\/code> permission.\n   &#8211; Fix: Ask for <code>roles\/resourcemanager.projectIamAdmin<\/code> (or use an admin-run workflow). Avoid using Owner as a workaround in production.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>If you created a project specifically for this lab, delete it to avoid accidental future usage:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects delete \"$PROJECT_ID\"\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; The project moves to a <strong>DELETE_REQUESTED<\/strong> state.<\/p>\n\n\n\n<p>Notes:\n&#8211; Google Cloud typically allows undeletion for a limited time (retention window). 
Verify current behavior in official docs if this matters operationally.\n&#8211; If you used an existing project, consider removing the IAM binding you added:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects remove-iam-policy-binding \"$PROJECT_ID\" \\\n  --member=\"$PRINCIPAL\" \\\n  --role=\"roles\/viewer\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Design a hierarchy aligned to how you operate:<\/li>\n<li>Common patterns: by <strong>environment<\/strong> (<code>prod\/nonprod<\/code>), by <strong>business unit<\/strong>, by <strong>application domain<\/strong>, or combinations.<\/li>\n<li>Keep shared services in dedicated folders\/projects:<\/li>\n<li>Networking host projects, logging projects, security tooling projects.<\/li>\n<li>Use folders as governance boundaries, not just a visual grouping:<\/li>\n<li>Assign folder admins, apply policies at folders, standardize project placement.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM \/ security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer <strong>groups<\/strong> over individual users for access grants.<\/li>\n<li>Grant at the <strong>highest safe level<\/strong> (folder) to reduce repeated project IAM changes.<\/li>\n<li>Keep org-level admin roles extremely limited; use:<\/li>\n<li>Break-glass accounts with strong controls<\/li>\n<li>Separate admin workstations and MFA<\/li>\n<li>Use separate roles for:<\/li>\n<li>Project creation<\/li>\n<li>IAM administration<\/li>\n<li>Billing association<\/li>\n<li>Review permissions regularly (quarterly is common).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Control project sprawl:<\/li>\n<li>Restrict project creation to a small set of principals<\/li>\n<li>Use a 
request workflow and naming standards<\/li>\n<li>Standardize labels\/tags for cost allocation and automated cleanup.<\/li>\n<li>Centralize audit logs, but avoid unnecessary duplication across sinks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices (control-plane)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For automation, implement:<\/li>\n<li>Retries with exponential backoff for transient API errors<\/li>\n<li>Idempotent operations (treat \u201calready exists\u201d as success where appropriate)<\/li>\n<li>Batch inventory operations using dedicated inventory tooling (Cloud Asset Inventory) rather than repeatedly listing projects at scale.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat hierarchy changes as \u201cproduction changes\u201d:<\/li>\n<li>Use change management for moves between folders<\/li>\n<li>Validate effective IAM\/policies before and after changes<\/li>\n<li>Use infrastructure-as-code for repeatability where possible (Terraform or internal tools), but keep human-readable documentation for the hierarchy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Export and retain <strong>Admin Activity audit logs<\/strong> centrally.<\/li>\n<li>Implement alerts for high-risk actions:<\/li>\n<li>Project deletion requests<\/li>\n<li>IAM policy changes at org\/folder<\/li>\n<li>New project creation outside approved automation<\/li>\n<li>Maintain a registry of:<\/li>\n<li>Folder purpose<\/li>\n<li>Owner group<\/li>\n<li>Allowed services \/ policy constraints<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance \/ tagging \/ naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create naming standards:<\/li>\n<li>Project ID pattern, e.g., <code>bu-app-env-region-###<\/code><\/li>\n<li>Folder naming patterns, e.g., <code>Prod<\/code>, 
<code>Nonprod<\/code>, <code>Shared<\/code><\/li>\n<li>Require baseline metadata:<\/li>\n<li><code>env<\/code>, <code>owner<\/code>, <code>cost_center<\/code>, <code>data_classification<\/code><\/li>\n<li>Understand difference:<\/li>\n<li><strong>Labels:<\/strong> lightweight metadata mainly for filtering and billing reports<\/li>\n<li><strong>Tags:<\/strong> governance objects for consistent policy targeting (more structured, typically org-managed)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<p>Resource Manager is directly part of your <strong>Security<\/strong> posture because it defines administrative boundaries.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM policies can be attached at org, folder, and project.<\/li>\n<li>Permissions inherit downward (org \u2192 folder \u2192 project), unless restricted by explicit policy design.<\/li>\n<li>Use least privilege:<\/li>\n<li>Avoid <code>roles\/owner<\/code> for daily operations.<\/li>\n<li>Create narrow admin roles for platform provisioning if needed (custom roles may help, but verify permissions carefully).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource Manager stores metadata in Google-managed systems.<\/li>\n<li>Encryption at rest and in transit is handled by Google Cloud\u2019s platform controls (verify current encryption statements in Google Cloud security documentation).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource Manager is accessed via Google APIs over HTTPS.<\/li>\n<li>Control admin access through:<\/li>\n<li>Strong identity (MFA)<\/li>\n<li>Context-aware access (if your org uses it)<\/li>\n<li>Controlled admin workstations and egress routes<\/li>\n<li>Consider organization-level controls 
(for example, restricting where admin actions can be performed from). Implementation depends on your identity and access posture.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not store service account keys in repos to automate Resource Manager.<\/li>\n<li>Prefer:<\/li>\n<li>Workload Identity Federation for external CI<\/li>\n<li>Service account impersonation (<code>gcloud --impersonate-service-account<\/code>)<\/li>\n<li>Secret Manager for any required secrets (and minimize secrets altogether)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure Cloud Audit Logs are retained and exported appropriately:<\/li>\n<li>Org\/folder\/project-level Admin Activity logs are critical for governance.<\/li>\n<li>Monitor:<\/li>\n<li>IAM policy changes<\/li>\n<li>Project lifecycle events (create\/delete\/undelete)<\/li>\n<li>Tag creation and tag bindings (if used)<\/li>\n<\/ul>\n\n\n\n<p>Audit logs overview: https:\/\/cloud.google.com\/logging\/docs\/audit<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A well-designed hierarchy supports:<\/li>\n<li>Separation of duties (SoD)<\/li>\n<li>Environment isolation<\/li>\n<li>Principle of least privilege<\/li>\n<li>Audit readiness and evidence collection<\/li>\n<li>Combine Resource Manager with:<\/li>\n<li>Organization Policy Service constraints<\/li>\n<li>VPC Service Controls (where applicable; verify supported services for your use case)<\/li>\n<li>Security Command Center for posture and findings<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Granting org-level admin roles too broadly.<\/li>\n<li>Using individual accounts instead of groups.<\/li>\n<li>Allowing ad-hoc project creation with no naming\/metadata standards.<\/li>\n<li>Moving projects without 
reviewing inherited IAM\/policies.<\/li>\n<li>Not centralizing audit logs (or not reviewing them).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement a \u201clanding zone\u201d approach:<\/li>\n<li>Root org policies + folder policies<\/li>\n<li>Standard folder structure<\/li>\n<li>Controlled project creation pipeline<\/li>\n<li>Establish break-glass procedures and logging for emergency access.<\/li>\n<li>Document and automate hierarchy changes with approvals.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations \/ common constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Organization required for folders:<\/strong> Without Cloud Identity\/Workspace organization, you may not have folder-level governance.<\/li>\n<li><strong>Project ID uniqueness:<\/strong> Global uniqueness can complicate naming.<\/li>\n<li><strong>Policy inheritance surprises:<\/strong> Moving projects changes what they inherit (IAM and policies).<\/li>\n<li><strong>Permission visibility:<\/strong> Listing and searching resources depends on the caller\u2019s IAM scope; \u201cnot found\u201d often means \u201cno permission.\u201d<\/li>\n<li><strong>Eventual consistency:<\/strong> Some control-plane changes can take time to propagate; automation should retry.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API calls and project creation are subject to quotas and organization policy constraints.<\/li>\n<li>Exact values change; <strong>verify current quotas<\/strong> in:<\/li>\n<li>Google Cloud console \u2192 IAM &amp; Admin \/ Quotas (service-specific)<\/li>\n<li>Official API docs: https:\/\/cloud.google.com\/resource-manager\/reference\/rest<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional 
constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hierarchy is global, but other services you deploy may have regional constraints. Don\u2019t confuse the two.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource Manager itself is not typically the cost driver; surprises usually come from:<\/li>\n<li>Logging exports and long retention<\/li>\n<li>Asset inventory exports<\/li>\n<li>Unused projects with enabled services\/resources<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tooling differences:<\/li>\n<li>Console vs <code>gcloud<\/code> vs REST API versions may expose different features at different times.<\/li>\n<li>Some advanced governance patterns require coordination with IAM, Organization Policy Service, and security tooling.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reorganizing a live environment is mostly about:<\/li>\n<li>Refactoring IAM to avoid unintended access<\/li>\n<li>Updating automation that assumes old folder paths<\/li>\n<li>Updating documentation and ownership maps<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud projects are fundamental administrative units; many service configurations and quotas are tied to projects. Plan project boundaries carefully.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Resource Manager is unique because it is the <strong>native hierarchy and container governance<\/strong> system for Google Cloud. 
You can complement it, but you can\u2019t realistically replace it if you operate at scale.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Resource Manager (Google Cloud)<\/strong><\/td>\n<td>Organizing org\/folders\/projects; governance attachment points<\/td>\n<td>Native hierarchy, IAM inheritance, project lifecycle, tags<\/td>\n<td>Not a deployment tool; requires org for folders; hierarchy design needs planning<\/td>\n<td>Always for serious Google Cloud governance<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloud IAM (Google Cloud)<\/strong><\/td>\n<td>Identity and authorization<\/td>\n<td>Fine-grained permissions, conditions, service accounts<\/td>\n<td>Needs Resource Manager hierarchy to scale; can sprawl if unmanaged<\/td>\n<td>Use with Resource Manager for access control<\/td>\n<\/tr>\n<tr>\n<td><strong>Organization Policy Service (Google Cloud)<\/strong><\/td>\n<td>Guardrails and constraints<\/td>\n<td>Enforce security standards at org\/folder\/project<\/td>\n<td>Not a hierarchy manager; needs Resource Manager structure<\/td>\n<td>Use to enforce baseline controls<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloud Asset Inventory (Google Cloud)<\/strong><\/td>\n<td>Inventory and asset search<\/td>\n<td>Org-wide inventory\/search\/history<\/td>\n<td>Not a container manager<\/td>\n<td>Use for inventory, compliance evidence, drift detection<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Organizations (AWS)<\/strong><\/td>\n<td>Multi-account governance on AWS<\/td>\n<td>Strong account hierarchy and SCPs<\/td>\n<td>Different model; not applicable inside Google Cloud<\/td>\n<td>Choose when governing AWS environments<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Management Groups + Azure Resource Manager (Azure)<\/strong><\/td>\n<td>Subscription hierarchy and 
deployments<\/td>\n<td>Strong governance constructs and ARM templates<\/td>\n<td>Different cloud model<\/td>\n<td>Choose when governing Azure environments<\/td>\n<\/tr>\n<tr>\n<td><strong>Terraform \/ IaC (self-managed tooling)<\/strong><\/td>\n<td>Automation of hierarchy and IAM<\/td>\n<td>Repeatability, version control<\/td>\n<td>Still uses Resource Manager underneath; requires strong processes<\/td>\n<td>Choose for automation, not as a replacement<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated financial services landing zone<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Hundreds of engineers need cloud access, but regulators require strict separation of prod\/non-prod, auditable changes, and least privilege.<\/li>\n<li><strong>Proposed architecture:<\/strong><ul>\n<li>Organization (root)<\/li>\n<li>Folders:<ul>\n<li><code>Prod<\/code> (restricted deploy\/admin)<\/li>\n<li><code>Nonprod<\/code> (broader access, still governed)<\/li>\n<li><code>Shared<\/code> (network\/logging projects)<\/li>\n<li><code>Security<\/code> (security tooling and log sinks)<\/li>\n<\/ul>\n<\/li>\n<li>Projects:<ul>\n<li><code>shared-network-host<\/code>, <code>central-logging<\/code>, <code>scc-admin<\/code><\/li>\n<li>application projects under <code>Prod<\/code> and <code>Nonprod<\/code><\/li>\n<\/ul>\n<\/li>\n<li>IAM:<ul>\n<li>Platform team has folder-level admin within <code>Shared<\/code><\/li>\n<li>App teams have folder-level access only to their domain subfolders<\/li>\n<\/ul>\n<\/li>\n<li>Audit:<ul>\n<li>Centralized audit log sinks to a security project<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Resource Manager was chosen:<\/strong><ul>\n<li>It is the native way to implement org\/folder\/project governance and inheritance.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected 
outcomes:<\/strong><ul>\n<li>Faster audits (clear boundaries and ownership)<\/li>\n<li>Reduced risk (controlled project creation and consistent policy inheritance)<\/li>\n<li>Operational scalability (delegated folder admins)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: clean separation with minimal overhead<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A startup wants basic security hygiene without heavy enterprise process; they need dev\/prod separation and cost visibility.<\/li>\n<li><strong>Proposed architecture:<\/strong><ul>\n<li>If no organization: two projects <code>app-dev<\/code> and <code>app-prod<\/code><\/li>\n<li>If organization exists: a simple folder structure <code>Prod<\/code> and <code>Nonprod<\/code><\/li>\n<li>Labels:<ul>\n<li><code>env=prod|dev<\/code>, <code>owner=team-a<\/code><\/li>\n<\/ul>\n<\/li>\n<li>IAM:<ul>\n<li>Developers have Editor in dev, Viewer in prod<\/li>\n<li>A small admin group manages prod deploy permissions<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Resource Manager was chosen:<\/strong><ul>\n<li>Even minimal structure prevents common mistakes (like deploying test changes into prod).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong><ul>\n<li>Lower risk and clearer billing<\/li>\n<li>Easier onboarding and access reviews<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is Resource Manager the same as \u201cCloud Resource Manager\u201d?<\/strong><br\/>\n   Resource Manager is commonly referred to in docs and APIs as <strong>Cloud Resource Manager<\/strong>. 
The service and API endpoints (<code>cloudresourcemanager.googleapis.com<\/code>) reflect that naming.<\/p>\n<\/li>\n<li>\n<p><strong>Is Resource Manager a security service?<\/strong><br\/>\n   It\u2019s a governance\/control-plane service that is foundational to <strong>Security<\/strong> because it defines hierarchy and access boundaries where IAM and policies are applied.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need an Organization to use Resource Manager?<\/strong><br\/>\n   You can manage projects without an Organization, but <strong>folders and enterprise hierarchy<\/strong> require an Organization (usually via Cloud Identity\/Google Workspace).<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the difference between projects, folders, and organizations?<\/strong><br\/>\n   Organization is the root container, folders group projects, and projects are where most cloud resources live and where billing\/services are typically enabled.<\/p>\n<\/li>\n<li>\n<p><strong>Can I move a project to a different folder?<\/strong><br\/>\n   Yes, if you are in an org-based environment and have the required permissions. Plan carefully because inherited IAM\/policies can change.<\/p>\n<\/li>\n<li>\n<p><strong>Does moving a project change its project ID or project number?<\/strong><br\/>\n   Typically, moving changes the parent relationship, not the identity. Always verify behavior and downstream dependencies in your environment before reorganizing.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the best practice: IAM at project level or folder level?<\/strong><br\/>\n   Prefer <strong>folder-level<\/strong> grants for team access, with minimal project-specific exceptions. 
Use project-level for unique cases.<\/p>\n<\/li>\n<li>\n<p><strong>How do I prevent accidental project deletion?<\/strong><br\/>\n   Use strong IAM controls to restrict who can delete projects, and consider deletion protection mechanisms such as liens if your organization uses them (verify current official docs).<\/p>\n<\/li>\n<li>\n<p><strong>Are tags and labels the same thing in Google Cloud?<\/strong><br\/>\n   No. Labels are lightweight metadata; Resource Manager <strong>tags<\/strong> are governance constructs with their own lifecycle and bindings.<\/p>\n<\/li>\n<li>\n<p><strong>Does Resource Manager have a direct cost?<\/strong><br\/>\n   Typically there is no separate charge for Resource Manager operations. Costs usually come from related services (logging exports, assets, and resources created in projects).<\/p>\n<\/li>\n<li>\n<p><strong>Why can\u2019t I list all projects in my organization?<\/strong><br\/>\n   Because listing and visibility depend on IAM permissions. You may only see projects you have access to.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the safest way to automate project creation?<\/strong><br\/>\n   Use a dedicated service account with limited privileges, an approval workflow, consistent naming\/labels, and centralized logging. Avoid distributing <code>Project Creator<\/code> broadly.<\/p>\n<\/li>\n<li>\n<p><strong>How does Resource Manager relate to Organization Policy Service?<\/strong><br\/>\n   Resource Manager provides the hierarchy. 
Organization Policy Service applies constraints at org\/folder\/project levels and relies on that hierarchy.<\/p>\n<\/li>\n<li>\n<p><strong>What logs should I monitor for Resource Manager activity?<\/strong><br\/>\n   Cloud Audit Logs (Admin Activity) for project lifecycle events and IAM policy changes, exported to a central logging destination.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s a good starter hierarchy for a new org?<\/strong><br\/>\n   Common starter: <code>Prod<\/code>, <code>Nonprod<\/code>, <code>Shared<\/code>, <code>Security<\/code>. Then create domain\/team subfolders as you scale.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use Terraform with Resource Manager?<\/strong><br\/>\n   Yes\u2014Terraform typically calls Google APIs (including Resource Manager) to create and manage projects, folders, and IAM. Treat Terraform as automation on top of Resource Manager, not a replacement.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Resource Manager<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Resource Manager docs https:\/\/cloud.google.com\/resource-manager\/docs<\/td>\n<td>Primary, up-to-date overview and how-to guides<\/td>\n<\/tr>\n<tr>\n<td>Official concept guide<\/td>\n<td>Resource hierarchy overview https:\/\/cloud.google.com\/resource-manager\/docs\/cloud-platform-resource-hierarchy<\/td>\n<td>Explains org\/folder\/project design and inheritance<\/td>\n<\/tr>\n<tr>\n<td>Official API reference<\/td>\n<td>Resource Manager REST reference https:\/\/cloud.google.com\/resource-manager\/reference\/rest<\/td>\n<td>Exact methods, request\/response fields, auth requirements<\/td>\n<\/tr>\n<tr>\n<td>Official CLI reference<\/td>\n<td><code>gcloud resource-manager<\/code> command group https:\/\/cloud.google.com\/sdk\/gcloud\/reference\/resource-manager<\/td>\n<td>Practical CLI workflows for folders\/orgs\/tags (where available)<\/td>\n<\/tr>\n<tr>\n<td>Official tags guide<\/td>\n<td>Tags overview https:\/\/cloud.google.com\/resource-manager\/docs\/tags\/tags-overview<\/td>\n<td>Governance tagging concepts and lifecycle<\/td>\n<\/tr>\n<tr>\n<td>Official IAM overview<\/td>\n<td>IAM docs https:\/\/cloud.google.com\/iam\/docs\/overview<\/td>\n<td>Required for understanding policy attachment and permissions<\/td>\n<\/tr>\n<tr>\n<td>Official audit logging<\/td>\n<td>Cloud Audit Logs https:\/\/cloud.google.com\/logging\/docs\/audit<\/td>\n<td>How to audit admin actions and access patterns<\/td>\n<\/tr>\n<tr>\n<td>Official policy guardrails<\/td>\n<td>Organization Policy overview https:\/\/cloud.google.com\/resource-manager\/docs\/organization-policy\/overview<\/td>\n<td>How to enforce constraints using hierarchy<\/td>\n<\/tr>\n<tr>\n<td>Official pricing tool<\/td>\n<td>Google Cloud Pricing Calculator 
https:\/\/cloud.google.com\/products\/calculator<\/td>\n<td>Estimate costs for related services (logging, SIEM sinks, etc.)<\/td>\n<\/tr>\n<tr>\n<td>Official learning (broad)<\/td>\n<td>Google Cloud Skills Boost https:\/\/www.cloudskillsboost.google\/<\/td>\n<td>Hands-on labs that often include governance\/IAM concepts<\/td>\n<\/tr>\n<tr>\n<td>Official YouTube<\/td>\n<td>Google Cloud Tech YouTube https:\/\/www.youtube.com\/@googlecloudtech<\/td>\n<td>Architecture\/security\/governance videos (search within channel)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<p>(Neutral listing; verify latest offerings directly on each site.)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>DevOpsSchool.com<\/strong><br\/>\n   &#8211; <strong>Suitable audience:<\/strong> DevOps engineers, SREs, platform teams, cloud engineers<br\/>\n   &#8211; <strong>Likely learning focus:<\/strong> DevOps and cloud operations practices; may include Google Cloud governance\/security tracks<br\/>\n   &#8211; <strong>Mode:<\/strong> Check website<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>ScmGalaxy.com<\/strong><br\/>\n   &#8211; <strong>Suitable audience:<\/strong> DevOps and automation learners, beginners to intermediate<br\/>\n   &#8211; <strong>Likely learning focus:<\/strong> DevOps tooling, CI\/CD, cloud basics (offerings vary)<br\/>\n   &#8211; <strong>Mode:<\/strong> Check website<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/www.scmgalaxy.com\/<\/p>\n<\/li>\n<li>\n<p><strong>CLoudOpsNow.in<\/strong><br\/>\n   &#8211; <strong>Suitable audience:<\/strong> Cloud operations practitioners, administrators, engineers<br\/>\n   &#8211; <strong>Likely learning focus:<\/strong> Cloud ops and governance-related training (verify current catalog)<br\/>\n   &#8211; 
<strong>Mode:<\/strong> Check website<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/cloudopsnow.in\/<\/p>\n<\/li>\n<li>\n<p><strong>SreSchool.com<\/strong><br\/>\n   &#8211; <strong>Suitable audience:<\/strong> SREs, operations teams, reliability-focused engineers<br\/>\n   &#8211; <strong>Likely learning focus:<\/strong> Reliability engineering practices; may relate to governance and operational controls<br\/>\n   &#8211; <strong>Mode:<\/strong> Check website<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/sreschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>AiOpsSchool.com<\/strong><br\/>\n   &#8211; <strong>Suitable audience:<\/strong> Operations, monitoring, automation teams exploring AIOps<br\/>\n   &#8211; <strong>Likely learning focus:<\/strong> AIOps concepts, monitoring\/automation (verify if Google Cloud governance is included)<br\/>\n   &#8211; <strong>Mode:<\/strong> Check website<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/aiopsschool.com\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<p>(Neutral listing as training resource platforms\/sites.)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>RajeshKumar.xyz<\/strong><br\/>\n   &#8211; <strong>Likely specialization:<\/strong> DevOps\/cloud training content (verify current topics)<br\/>\n   &#8211; <strong>Suitable audience:<\/strong> Beginners to intermediate practitioners<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/rajeshkumar.xyz\/<\/p>\n<\/li>\n<li>\n<p><strong>devopstrainer.in<\/strong><br\/>\n   &#8211; <strong>Likely specialization:<\/strong> DevOps tooling, cloud, automation training (verify current offerings)<br\/>\n   &#8211; <strong>Suitable audience:<\/strong> DevOps engineers and learners<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/devopstrainer.in\/<\/p>\n<\/li>\n<li>\n<p><strong>devopsfreelancer.com<\/strong><br\/>\n   &#8211; <strong>Likely specialization:<\/strong> Freelance DevOps services\/training resources (verify scope)<br\/>\n   &#8211; <strong>Suitable audience:<\/strong> Teams seeking targeted enablement or support<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/devopsfreelancer.com\/<\/p>\n<\/li>\n<li>\n<p><strong>devopssupport.in<\/strong><br\/>\n   &#8211; <strong>Likely specialization:<\/strong> DevOps support and training (verify current programs)<br\/>\n   &#8211; <strong>Suitable audience:<\/strong> Ops\/DevOps teams needing practical help<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/devopssupport.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<p>(Neutral listing; descriptions are general and should be validated directly with the provider.)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>cotocus.com<\/strong><br\/>\n   &#8211; <strong>Likely service area:<\/strong> Cloud\/DevOps consulting and engineering services (verify exact offerings)<br\/>\n   &#8211; <strong>Where they may help:<\/strong> Google Cloud governance design, IAM structure, operational setup<br\/>\n   &#8211; <strong>Consulting use case examples:<\/strong> Landing zone planning; folder\/project hierarchy design; centralized audit logging strategy<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/cotocus.com\/<\/p>\n<\/li>\n<li>\n<p><strong>DevOpsSchool.com<\/strong><br\/>\n   &#8211; <strong>Likely service area:<\/strong> DevOps enablement, training, consulting (verify scope)<br\/>\n   &#8211; <strong>Where they may help:<\/strong> Governance operating model, DevOps\/SRE process alignment, platform practices<br\/>\n   &#8211; <strong>Consulting use case examples:<\/strong> CI\/CD and provisioning workflows; IAM and access review process; infrastructure automation design<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>DEVOPSCONSULTING.IN<\/strong><br\/>\n   &#8211; <strong>Likely service area:<\/strong> DevOps and cloud consulting services (verify offerings)<br\/>\n   &#8211; <strong>Where they may help:<\/strong> Cloud operations and governance implementations, security posture improvements<br\/>\n   &#8211; <strong>Consulting use case examples:<\/strong> Project provisioning pipelines; audit log export architecture; org\/folder policy baselines<br\/>\n   &#8211; <strong>Website:<\/strong> https:\/\/devopsconsulting.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Resource Manager<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud fundamentals:<ul>\n<li>Projects, APIs, service accounts, billing basics<\/li>\n<\/ul>\n<\/li>\n<li>IAM fundamentals:<ul>\n<li>Roles vs permissions, policy inheritance, groups<\/li>\n<\/ul>\n<\/li>\n<li>Basic cloud networking concepts (helpful context, though Resource Manager is not networked like workloads)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Resource Manager<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Organization Policy Service<\/strong> (guardrails and constraints)<\/li>\n<li><strong>Cloud Logging &amp; Audit Logs<\/strong> (governance and SIEM export)<\/li>\n<li><strong>Cloud Asset Inventory<\/strong> (inventory, drift detection, compliance evidence)<\/li>\n<li><strong>Security Command Center<\/strong> (posture management and findings)<\/li>\n<li>Automation\/IaC:<ul>\n<li>Terraform, CI\/CD integration, policy-as-code patterns<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud architect<\/li>\n<li>Platform engineer<\/li>\n<li>Security engineer \/ cloud security architect<\/li>\n<li>DevOps engineer \/ SRE<\/li>\n<li>Cloud administrator<\/li>\n<li>GRC \/ cloud governance specialist (technical)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (Google Cloud)<\/h3>\n\n\n\n<p>Google Cloud certifications that benefit from Resource Manager knowledge include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Associate Cloud Engineer<\/li>\n<li>Professional Cloud Architect<\/li>\n<li>Professional Cloud Security Engineer<\/li>\n<\/ul>\n\n\n\n<p>Verify current certification details: https:\/\/cloud.google.com\/learn\/certification<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Design a folder structure for a hypothetical enterprise with 3 business units and 3 
environments.<\/li>\n<li>Implement a project provisioning script that:<ul>\n<li>Creates a project<\/li>\n<li>Applies labels<\/li>\n<li>Assigns a group viewer role<\/li>\n<li>Writes an audit record (e.g., ticket ID label)<\/li>\n<\/ul>\n<\/li>\n<li>Create a tagging strategy:<ul>\n<li>Define TagKeys\/TagValues for data classification and environment<\/li>\n<li>Bind tags to projects and validate inventory searches (may require additional tooling)<\/li>\n<\/ul>\n<\/li>\n<li>Build an access review checklist:<ul>\n<li>Who has folder admin?<\/li>\n<li>Who can create projects?<\/li>\n<li>Who can set IAM policy?<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Resource Manager:<\/strong> Google Cloud service for managing resource hierarchy, project lifecycle, and governance constructs like tags.<\/li>\n<li><strong>Organization:<\/strong> Root node in Google Cloud hierarchy, usually tied to a Cloud Identity\/Workspace domain.<\/li>\n<li><strong>Folder:<\/strong> A grouping container under an organization used to organize and apply inherited policy.<\/li>\n<li><strong>Project:<\/strong> Core container for Google Cloud resources; often the primary isolation boundary for workloads, quotas, and service enablement.<\/li>\n<li><strong>IAM:<\/strong> Identity and Access Management; defines who can do what on which resources.<\/li>\n<li><strong>IAM policy:<\/strong> A binding of roles to principals (users, groups, service accounts) at a resource level.<\/li>\n<li><strong>Principal:<\/strong> An identity (user, group, service account) referenced in IAM policies.<\/li>\n<li><strong>Labels:<\/strong> Simple key\/value metadata on resources, commonly used for filtering and billing reporting.<\/li>\n<li><strong>Tags (Resource Manager tags):<\/strong> Governance objects (TagKeys\/TagValues) that can be bound to resources for consistent classification.<\/li>\n<li><strong>Inheritance:<\/strong> 
The propagation of policies from organization \u2192 folders \u2192 projects.<\/li>\n<li><strong>Cloud Audit Logs:<\/strong> Logs that record administrative and data access actions for Google Cloud services.<\/li>\n<li><strong>Organization Policy Service:<\/strong> A service to enforce constraints (guardrails) on resource configurations.<\/li>\n<li><strong>Landing zone:<\/strong> A standardized baseline environment design for secure cloud adoption (hierarchy, IAM, networking, logging).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Resource Manager in Google Cloud is the <strong>foundation for secure, scalable cloud governance<\/strong>. It provides the <strong>resource hierarchy<\/strong> (organization, folders, projects), supports <strong>project lifecycle management<\/strong>, and supplies the structure where <strong>IAM policies and governance tags<\/strong> are applied and inherited.<\/p>\n\n\n\n<p>It matters because most real Security, compliance, and operational scalability problems start with poor structure: uncontrolled project sprawl, inconsistent access control, and weak auditability. Resource Manager helps prevent that by giving you the control-plane building blocks to implement a clean, enforceable operating model.<\/p>\n\n\n\n<p>Cost-wise, Resource Manager itself typically doesn\u2019t add direct charges, but it strongly influences indirect costs like logging, inventory, and the operational overhead of managing many projects. Security-wise, it is central: hierarchy and IAM boundaries determine your blast radius and your audit story.<\/p>\n\n\n\n<p>Use Resource Manager whenever you need multi-team governance, consistent access boundaries, and controlled project provisioning. 
Next, deepen the design by learning <strong>Organization Policy Service<\/strong>, <strong>Cloud Audit Logs<\/strong>, and <strong>Cloud Asset Inventory<\/strong>, then automate your governance with repeatable pipelines and infrastructure-as-code.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51,10],"tags":[],"class_list":["post-816","post","type-post","status-publish","format-standard","hentry","category-google-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=816"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/816\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}