Associate units with tenants

In this quickstart, you'll modify your SaaS offering to associate the deployed VM unit with a tenant resource, and provision the VM into a dedicated tenant project owned by your tenant.

This approach enhances resource isolation: you can manage the resources for each tenant separately, which provides better security and compliance for your SaaS offering.

We'll build upon the scenario from the Deploy a VM with SaaS Runtime quickstart, modifying it to associate the deployed VM unit with a tenant resource and provision the VM into a dedicated project owned by the tenant:

  1. Create a tenant resource in SaaS Runtime.
  2. Associate a VM with the tenant resource.
  3. Configure SaaS Runtime and your Terraform configuration to deploy resources into a separate tenant project.
  4. Address common permission and API enablement issues when deploying cross-project.

By the end of this quickstart, you will have the foundation for a SaaS offering with multiple tenants, where you set tenant-level configurations and policies by creating tenants and associating them with units.

Before you begin

Before you create tenants or associate them with units, you should have some knowledge of the fundamentals of the SaaS Runtime ecosystem and have created a SaaS offering.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

    In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

    Make sure that billing is enabled for your Google Cloud project.

  2. Deploy a VM with SaaS Runtime, including creating Terraform configuration, an Artifact Registry repository, a SaaS offering, unit kind, a unit, and components (including terraform-files.zip).

    • Verify that the APIs listed in the quickstart's Before you begin section are enabled in your producer project.
    • Verify that you have the necessary service accounts and IAM roles granted within the producer project. This includes the user-created service account and the permissions granted to the service-PROJECT-NUMBER@gcp-sa-saasservicemgmt.iam.gserviceaccount.com account on the producer project.
  3. Your producer project and any tenant projects need to be created before you create and associate your tenant resources. For more information, see Set up a tenant project.

Create and associate a tenant resource

You can use tenants to group unit resources. Create a tenant resource in your producer project's SaaS offering to represent your customer:

  1. In the Google Cloud console, go to SaaS Runtime > Tenants.

    Go to Tenants

  2. Click Create.

  3. On the Create tenant page, enter vm-quickstart-tenant in the Tenant name box.

  4. In the SaaS offering box, select vm-quickstart-saas-offering.

  5. In the Region drop-down, select us-central1.

  6. Click Add unit. A New unit section appears.

  7. In the Unit drop-down, select the projects/YOUR-PROJECT-NAME/locations/us-central1/units/vm-quickstart-unit unit.

  8. Click Done to associate your vm-quickstart-unit resource with your vm-quickstart-tenant resource.

  9. Click Create to create your tenant resource. You have successfully created the vm-quickstart-tenant resource and associated it with the vm-quickstart-unit resource. This association primarily serves as an organizational tag within the Google Cloud console, helping you identify which units belong to which tenant.

Create a tenant release

  1. In the Google Cloud console, go to SaaS Runtime > Releases.

    Go to Releases

  2. On the Releases page, click Create.

  3. On the Create Release page, enter vm-quickstart-tenant-release in the Release name box.

  4. In the Unit kind box, select vm-quickstart-unit-kind. Click Next.

  5. On the Select Blueprint step, click the Select an existing image from Artifact Registry toggle.

  6. On the Store Blueprint step, click Browse and select the artifact associated with vm-quickstart-tenant-blueprint. Click Next.

  7. Click Create. You have successfully created the vm-quickstart-tenant-release resource.

Create a tenant project and deploy a unit

In the Deploy a VM with SaaS Runtime quickstart, you provision SaaS Runtime resources into the same project that contains your SaaS offering configuration.

In this quickstart, you direct the resource provisioning into the tenant project instead of the producer project.

You need to pass the modified variables tenant_project_id and tenant_project_number during unit provisioning.

  1. Create a tenant project where you will deploy the terraform-vm.zip files:

    gcloud projects create quickstart-tenant-project --name="SaaS Tenant A Project"
    
  2. Enable APIs and grant IAM roles on the tenant project. To deploy units into your tenant project, you need to enable the Compute Engine API and grant IAM roles on your tenant project.

Enable APIs in your tenant project

Enable the Compute Engine API in the tenant project using Google Cloud console:

  1. Go to the project selector.

    Go to project selector

  2. Click Select a project.

  3. Select quickstart-tenant-project.

  4. Enable the Compute Engine API.

    Enable the API

  5. Make sure that you have the following role or roles on the project: roles/compute.admin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Provision a unit with tenant project variables

From your producer project, provision a new unit with your tenant project's input variables:

  1. Go to the project selector.

    Go to project selector

  2. Click Select a project.

  3. Select your producer project.

  4. Navigate to SaaS Runtime > Units in the Google Cloud console.

    Go to Units

  5. Select the vm-quickstart-unit resource.

  6. Click Provision.

  7. Select the vm-quickstart-tenant-release resource.

  8. Select the Actuation service account you granted permissions to in the tenant project.

  9. In the Input Variables section:

    • The tenant_project_id variable is listed as you defined it in variables.tf.
    • In the Tenant Project ID box, enter quickstart-tenant-project.
  10. Click Provision.

SaaS Runtime triggers Infrastructure Manager using the specified actuation service account. Infrastructure Manager reads the tenant_project_id variable and creates the VM inside that tenant project.
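
The following Terraform sketch shows how a configuration can consume the tenant_project_id variable so that the VM is created in the tenant project. It is an added example, not the quickstart's own terraform files: only the variable names tenant_project_id and tenant_project_number come from this page, and the resource name, VM name, machine type, zone, and image are assumptions.

```hcl
# variables.tf (constructed example)
variable "tenant_project_id" {
  description = "Project ID of the tenant project that receives the VM."
  type        = string

  validation {
    # Project IDs are 6-30 characters: lowercase letters, digits and hyphens,
    # starting with a letter and not ending with a hyphen.
    condition     = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.tenant_project_id))
    error_message = "The tenant_project_id value must be a valid Google Cloud project ID."
  }
}

variable "tenant_project_number" {
  # Declared because the page passes it at provisioning time; the single
  # resource in this example does not reference it.
  description = "Project number of the tenant project."
  type        = string

  validation {
    condition     = can(regex("^[0-9]+$", var.tenant_project_number))
    error_message = "The tenant_project_number value must contain digits only."
  }
}

# main.tf (constructed example)
provider "google" {
  project = var.tenant_project_id # default project for all resources
  region  = "us-central1"
}

resource "google_compute_instance" "tenant_vm" {
  # Set explicitly so the VM cannot land in whatever default project the
  # provider would otherwise resolve (for example, the producer project).
  project      = var.tenant_project_id
  name         = "vm-quickstart-instance" # hypothetical VM name
  machine_type = "e2-micro"               # assumed machine type
  zone         = "us-central1-a"          # assumed zone in the page's region

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # assumed image
    }
  }

  network_interface {
    network = "default" # assumes the tenant project has a default network
  }
}
```

The validation blocks reject a malformed project ID or number at plan time, before any resource is created in the wrong place.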

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. At the prompt, type the project ID, and then click Shut down.

What's next