Managing applications in a folder

This page describes how to to configure a folder for application management.

Overview

An app-enabled folder is a folder within the Google Cloud resource hierarchy that has been configured for application management. This folder lets you define and manage App Hub applications. These applications are functional groupings of services and workloads that span multiple projects within that folder and its descendant projects.

App-enabled folders streamline application management by:

  • Organizing workloads: They group related applications and services, defined within App Hub, into a single manageable unit.
  • Providing centralized monitoring and management: Instead of tracking individual components across different projects or products, you can monitor and manage the overall health and performance of your applications at the folder level.
  • Simplifying administration: By designating a folder as app-enabled, you create an administrative boundary that simplifies creating and managing applications within your organization.
  • Providing an application-centric view: They shift the focus from individual resources to the application itself, providing a holistic view of its performance.

Configure a folder for app management

You can enable application management on both new and existing folders. Once enabled, application management can't be disabled. Test application management within a newly created, dedicated folder. This allows safe experimentation before applying it to existing critical folders.

Within an app-enabled folder, authorized users can aggregate workloads and services from any project directly within that folder.

Consider a resource hierarchy with the following structure:

Folder F1 contains the following three items:

  • Projects P10 and P11
  • Folder F2

Folder F2 contains the following two items:

  • Project P20 and P21

Enable application management on folder F1 to create an application that includes resources from multiple folder levels. For example, an application can include resources from projects p10 and p20.

An application with projects P10 and P20, spanning folder levels

If you enable application management only on folder F2, then project P10 is unavailable for creating applications. To create applications in project P10, move project P10 under folder F2.

An application with projects P10 and P20, but P10 has moved under folder F2

Consider your organizational structure, team responsibilities, and resources when planning your application management strategy. The way that your teams and resources are structured has a direct impact on how you use app-enabled folders.

Overview of management projects

A management project is a Google Cloud project that the system generates within an app-enabled folder, designed exclusively for application management. It provides the infrastructure for Application Libraries and related APIs, including billing, quotas, and access control. The management project can also discover resources within the app-enabled folder's resource hierarchy.

Enabling application management on a folder automatically provisions a management project. Each folder can contain only one management project.

Enabling application management and APIs on a folder

This section describes how to enable a folder for application management.

Required roles

To get the permissions that you need to enable application management and grant access to resources, ask your administrator to grant you the Folder Admin (resourcemanager.folderAdmin) IAM role on the parent resource. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable application APIs

You can enable application management on both new and existing folders. To create a new folder, see Creating folders. The following steps are for an existing folder:

  1. In the Google Cloud console, open the Manage resources page.

    Open the Manage Resources page

  2. In the list of projects and folders, locate the folder that you want to configure. Then, click the Options menu at the end of its row, and select Settings.

  3. In the Settings page, go to the App-enablement section, and click Enable. The Enable application APIs on this folder panel opens.

    When you enable application management on a folder, two actions occur:

    1. Google creates a Google-managed project in the folder. You cannot move or delete a management project.
    2. The system enables the required APIs for application management on that project.

  4. Review the list of APIs on the panel. Some APIs have associated costs. To learn about pricing for a service, click the API name.

  5. If you are ready to enable application management, click Enable.

When the enablement is finished, the Settings page displays the name of the management project with the prefix google-mpf.

Link a billing account to the management project

To link a billing account to the management project, do the following:

  1. Ensure that you have the permissions required for this task.

  2. If you need to create a Cloud Billing account, see Create a new Cloud Billing account.

  3. On the Settings page of your app-enabled folder, click Manage Billing.

  4. In the My projects tab, find the management project.

  5. To enable billing for the project, see How to enable billing on an existing project.

Assign application users permissions on the project

  1. On the Settings page of your app-enabled folder, click Manage IAM.

  2. Set up IAM roles and permissions for all application management services.

    In particular, ensure that you can aggregate your telemetry data (logs, metrics, and traces) from Google Cloud services and grant the necessary permissions to view this data.

Create applications

  1. Set up App Hub and create your applications.