Organization structure
The root node for managing resources in Google Cloud is theorganization.The Google Cloud organization provides aresource hierarchythat provides an ownership structure for resources and attachment points fororganization policiesand access controls. The resource hierarchy consists of folders, projects, andresources, and it defines the structure and use of Google Cloud services withinan organization.
Resources lower in the hierarchy inherit policies such as IAM allow policies andorganization policies. All access permissions are denied by default, until youapply allow policies directly to a resource or the resource inherits the allowpolicies from a higher level in the resource hierarchy.
The following diagram shows the folders and projects that are deployed by theblueprint.
The following sections describe the folders and projects in the diagram.
Folders
The blueprint usesfoldersto group projects based on their environment. This logical grouping is used toapply configurations like allow policies and organization policies at the folderlevel and then all resources within the folder inherit the policies. Thefollowing table describes the folders that are part of the blueprint.
| Folder | Description |
|---|---|
bootstrap | Contains the projectsthat are used to deploy foundation components. |
common | Contains projects with resources that are shared by allenvironments. |
production | Contains projects with production resources. |
nonproduction | Contains a copy of the production environment to let you testworkloads before you promote them to production. |
development | Contains the cloud resources that are used for development. |
networking | Contains the networking resources that are shared by allenvironments. |
Projects
The blueprint usesprojectsto group individual resources based on their functionality and intendedboundaries for access control. This following table describes the projects thatare included in the blueprint.
| Folder | Project | Description |
|---|---|---|
bootstrap | prj-b-cicd | Contains the deployment pipeline that's used to build out thefoundation components of the organization. For more information, seedeploymentmethodology. |
prj-b-seed | Contains the Terraform state of your infrastructure and theTerraform service account that is required to run the pipeline. Formore information, seedeployment methodology. | |
common | prj-c-secrets | Contains organization-level secrets. For more information, seestoreapplication credentials with Secret Manager. |
prj-c-logging | Contains the aggregated log sources for audit logs. Formore information, seecentralized logging for security andaudit. | |
prj-c-scc | Contains resources to help configure Security Command Center alerting andother custom security monitoring. For more information, seethreatmonitoring with Security Command Center. | |
prj-c-billing-export | Contains a BigQuery dataset with the organization'sbilling exports. For moreinformation, seeallocatecosts between internal cost centers. | |
prj-c-infra-pipeline | Contains an infrastructure pipeline for deploying resources likeVMs and databases to be used by workloads. For more information, seepipelinelayers. | |
prj-c-kms | Contains encryption keys for encrypting shared services within the common folder. For more information, seemanageencryption keys. | |
networking | prj-net-{env}-svpc | Contains the host project for a Shared VPC network. For more information, seenetworktopology. |
prj-net-hub | Contains the Shared VPC network used as a hub between the on-premises environment and Google Cloud spokes. This project is created in the hub-and-spoke topology only. For more information, seenetworktopology. | |
prj-net-interconnect | Contains the Cloud Interconnect connections that provideconnectivity between your on-premises environment andGoogle Cloud. For more information, seehybridconnectivity. | |
environments: - development (d) | prj-{env}-{workload_name_or_id} | Contains various workload projects in which you create resources forapplications. For more information, seeproject deployment patterns andpipelinelayers. |
prj-{env}-secrets | Contains folder-level secrets. For more information, seestoreand audit application credentials with Secret Manager. | |
prj-{env}-kms | Contains encryption keys for encrypting services within each environment folder. For more information, seemanageencryption keys. |
Governance for resource ownership
We recommend that you apply labels consistently to your projects to assist withgovernance and cost allocation. The following table describes the project labelsthat are added to each project for governance in the blueprint.
| Label | Description |
|---|---|
application | The human-readable name of the application or workload that isassociated with the project. |
businesscode | A short code that describes which business unit owns theproject. The codeshared is used for common projectsthat are not explicitly tied to a business unit. |
billingcode | A code that's used to provide chargeback information. |
primarycontact | The username of the primary contact that is responsible for theproject. Because project labels can't include special characters such as theampersand (@), it is set to the username without the @example.com suffix. |
secondarycontact | The username of the secondary secondary contact that isresponsible for the project. Because project labels can't includespecial characters such as @, set only the username without the@example.com suffix. |
environment | A value that identifies the type of environment, such asbootstrap,common,production,non-production,development, ornetwork. |
envcode | A value that identifies the type of environment, shortened tob,c,p,n,d, ornet. |
vpc | The ID of the VPC network that this project is expected to use. |
Google might occasionally send important notifications such as accountsuspensions or updates to product terms. The blueprint usesEssential Contactsto send those notifications to the groups that you configure during deployment.Essential Contacts is configured at the organization node and inheritedby all projects in the organization. We recommend that you review these groupsand ensure that emails are monitored reliably.
Essential Contacts is used for a different purpose than theprimarycontact andsecondarycontact fields that are configured in projectlabels. The contacts in project labels are intended for internal governance. Forexample, if you identify non-compliant resources in a workload project and needto contact the owners, you could use theprimarycontact field to find theperson or team responsible for that workload.
What's next
- Read aboutnetworking (nextdocument in this series).
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-05-15 UTC.