Set up tenant projects and resources

This guide explains how to use SaaS Runtime tenants to organize your deployed units and how to deploy resources into separate tenant projects to isolate and manage your resources.

For an overview of tenants and tenant projects, see Tenants and tenant projects.

Before you begin

Before you create tenant projects or resources:

  1. In your producer project, create a Terraform configuration and an Artifact Registry repository, and upload an artifact containing your SaaS application to that repository. See Deploy a service instance with SaaS Runtime to learn how to set up a SaaS offering.
  2. Enable the APIs required by SaaS Runtime.

  3. Verify that the necessary service accounts exist and that the required Identity and Access Management roles are granted within the producer project. This includes the user-created actuation service account and the roles granted to the service-PROJECT-NUMBER@gcp-sa-saasservicemgmt.iam.gserviceaccount.com service agent on the producer project.

Set up a tenant project

When you provision each tenant's resources into its own project, the resources, IAM policies, quotas, and network configuration of each tenant are separated from those of every other tenant, so a breach or misconfiguration in one tenant is less likely to affect the others.

You'll need:

  • one producer project, and
  • one tenant project for each of your tenants.

Console

To set up tenant and producer projects using Google Cloud console:

  1. Create a producer project, and a tenant project for each of your tenants.
  2. Enable billing on your tenant and producer projects.
  3. Enable the APIs required by SaaS Runtime in your tenant projects.

  4. Verify that your tenant projects have actuation service accounts with the required permissions.

    For details, see SaaS Runtime service accounts.

With the producer and tenant projects created and billing enabled, you can create tenant resources and associate units with tenants.

gcloud

To set up producer and tenant projects using Google Cloud CLI:

  1. Create your producer project, and a tenant project for each of your tenants:

    gcloud projects create PRODUCER_PROJECT_ID --name="SaaS producer project" [--folder=FOLDER_ID]
    gcloud projects create TENANT_PROJECT_ID --name="SaaS tenant A project" [--folder=FOLDER_ID]
    

    Replace:

    • PRODUCER_PROJECT_ID: A string identifier representing the producer project ID.
    • TENANT_PROJECT_ID: A string identifier representing the tenant project ID.
    • FOLDER_ID: Optional. The ID of the folder in which to create the project. Omit the --folder flag to create the project without a folder parent.
  2. Enable billing for your tenant and producer projects:

     gcloud beta billing projects link PRODUCER_PROJECT_ID --billing-account=BILLING_ACCOUNT_ID
     gcloud beta billing projects link TENANT_PROJECT_ID --billing-account=BILLING_ACCOUNT_ID
    

    Replace:

    • PRODUCER_PROJECT_ID: A string identifier representing the producer project ID.
    • TENANT_PROJECT_ID: A string identifier representing the tenant project ID.
    • BILLING_ACCOUNT_ID: The ID of the billing account you want to associate with the specified project.
  3. Grant the actuation service account the necessary Identity and Access Management roles on each tenant project. The service account lives in the producer project; the bindings are created on the tenant project:

     gcloud projects add-iam-policy-binding TENANT_PROJECT_ID \
     --member='serviceAccount:SERVICE_ACCOUNT@PRODUCER_PROJECT_ID.iam.gserviceaccount.com' \
     --role=ROLE
    

    Replace:

    • TENANT_PROJECT_ID: A string identifier representing the tenant project ID.
    • PRODUCER_PROJECT_ID: A string identifier representing the producer project ID.
    • SERVICE_ACCOUNT: The name of the actuation service account in the producer project that you want to grant roles to within the tenant project.
    • ROLE: The Identity and Access Management role to grant.

      You'll need to run gcloud projects add-iam-policy-binding once for each role you want to grant to the specified service account (--role='roles/compute.admin', for example). Grant only the roles that the unit's Terraform configuration needs to create and manage its resources; do not grant basic roles such as roles/owner or roles/editor, because a broad grant gives the producer-side service account far more access to the tenant project than the isolation described above requires.

With the producer and tenant projects created and billing enabled, you can create tenant resources and associate units with tenants.
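The gcloud steps above, scripted end to end as an added example that is not part of the SaaS Runtime documentation. It creates one tenant project per tenant, links billing, enables the Compute Engine API (assumed here because the units on this page create VMs; the page does not list the exact APIs), grants the actuation service account a deliberately narrow role set, and then audits the resulting bindings so that a basic role such as roles/owner never ends up bound to that account on a tenant project. The service account name saas-actuation@..., the role set, the billing account value and the project IDs are placeholders; with DRY_RUN=1 (the default) the script prints the gcloud commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example (not from the SaaS Runtime docs): create tenant projects and grant
# the producer project's actuation service account a minimal role set on each.
set -eu

PRODUCER_PROJECT_ID="${PRODUCER_PROJECT_ID:-saas-producer-example}"       # placeholder
BILLING_ACCOUNT_ID="${BILLING_ACCOUNT_ID:-000000-AAAAAA-111111}"           # placeholder
# Assumed name of the user-created actuation service account in the producer project.
ACTUATION_SA="${ACTUATION_SA:-saas-actuation@${PRODUCER_PROJECT_ID}.iam.gserviceaccount.com}"
# Assumed least-privilege role set for a Terraform-managed VM unit; adjust it to what
# the unit kind's Terraform configuration actually creates.
TENANT_ROLES="${TENANT_ROLES:-roles/compute.instanceAdmin.v1 roles/iam.serviceAccountUser}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Create, bill, enable and bind one tenant project.
# Usage: setup_tenant_project TENANT_PROJECT_ID "Tenant A"
setup_tenant_project() {
  tenant_project_id="$1"; tenant_label="$2"
  run gcloud projects create "$tenant_project_id" --name="SaaS tenant $tenant_label project"
  run gcloud beta billing projects link "$tenant_project_id" --billing-account="$BILLING_ACCOUNT_ID"
  # compute.googleapis.com is assumed because the units on this page create VMs.
  run gcloud services enable compute.googleapis.com --project="$tenant_project_id"
  for role in $TENANT_ROLES; do
    # One binding per role; --condition=None skips the interactive condition prompt.
    run gcloud projects add-iam-policy-binding "$tenant_project_id" \
      --member="serviceAccount:$ACTUATION_SA" --role="$role" --condition=None
  done
}

# Least-privilege audit of a tenant project's policy. Input lines are "<role><TAB><member>",
# which is what this prints for a real project:
#   gcloud projects get-iam-policy TENANT_PROJECT_ID --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
# Returns 0 if the actuation SA holds no basic or IAM-admin role, 1 otherwise (offenders on stdout).
audit_bindings() {
  found=0
  while IFS="$(printf '\t')" read -r role member; do
    [ "$member" = "serviceAccount:$ACTUATION_SA" ] || continue
    case "$role" in
      roles/owner|roles/editor|roles/resourcemanager.projectIamAdmin|roles/iam.securityAdmin)
        printf 'BROAD: %s\n' "$role"; found=1 ;;
    esac
  done
  return "$found"
}

# Usage: TENANTS="tenant-a-example tenant-b-example" DRY_RUN=0 sh setup-tenants.sh
for t in ${TENANTS:-}; do
  setup_tenant_project "$t" "$t"
done
```

Run the audit against each tenant project after setup, and again periodically: the binding step is idempotent, but anyone with resourcemanager.projectIamAdmin on a tenant project can later widen the grant, and the audit is what catches that.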

Create a tenant resource

Create a tenant resource in your SaaS offering to represent your customer:

  1. In Google Cloud console, go to SaaS Runtime > Tenants.

  2. Click Create.

  3. In the Tenant name box, enter a name for your tenant resource.

  4. Optional: In the Customer resource box, provide a consumer resource with consumer-defined settings for integration.

  5. In the SaaS offering box, select the SaaS offering you want to associate your tenant with.

  6. In the Region drop-down, select a region where tenant metadata will be stored.

  7. Optional: Click Add label to add a key-value pair label to your tenant.

  8. Click Create to create your tenant resource.

You have successfully created a tenant resource.

Associate a unit with a tenant

After you create a tenant and deploy a unit, you can link them to each other. This association is primarily an organizational tag that records which units belong to which tenant. The project a unit's resources are created in is determined by the tenant_project_id input variable when the unit is provisioned, not by this association.

For more information about deploying units, see Deploy a VM with SaaS Runtime.

To associate a unit with a tenant:

  1. In Google Cloud console, go to SaaS Runtime > Tenants.

  2. Click the name of the tenant you want to associate to a unit.

  3. Click Edit.

  4. In the Associated units section, click Add Unit.

  5. Select the units you want to associate with this tenant.

  6. Click Done.

  7. Click Save.

The selected units are associated with the indicated tenant.

Provision a new unit with tenant project variables

When you provision a unit associated with a tenant, you must provide the tenant_project_id variable.

  1. Navigate to SaaS Runtime > Units in the Google Cloud console.

  2. Create a new unit associated with your unit kind.

  3. Click Provision.

  4. Select the Release to provision to your tenant unit.

  5. Select the Actuation service account you granted permissions to in your tenant project. You should follow the principle of least privilege and grant only the necessary roles for the resources being managed.

  6. In the Input Variables section:

    1. Verify that the tenant_project_id variable is listed as you defined it in your Terraform configuration's variables.tf file.
    2. In the Tenant Project ID box, enter the project ID of your tenant project (TENANT_PROJECT_ID), not its display name.
    3. Provide the other input variables defined in your Terraform configuration. If you haven't defined other variables in your Terraform configuration, skip this step.
  7. Click Provision.

SaaS Runtime triggers Infrastructure Manager using the specified actuation service account. Infrastructure Manager reads the tenant_project_id variable and creates the unit's resources (in this example, the VM) inside that tenant project, so the roles that apply are the ones the actuation service account holds on that tenant project.

Re-provision a unit with a new release

When you re-provision an existing unit with a new release, you must provide the tenant_project_id variable.

  1. Navigate to SaaS Runtime > Units in the Google Cloud console.

  2. Select the unit associated with your unit kind.

  3. Click Edit Provisioning.

  4. Select the Release you created with the updated Terraform configuration.

  5. Select the Actuation service account you granted permissions to in your tenant project. You should follow the principle of least privilege and grant only the necessary roles for the resources being managed.

  6. In the Input Variables section:

    1. Verify that the tenant_project_id variable is listed as you defined it in your Terraform configuration's variables.tf file.
    2. In the Tenant Project ID box, enter the project ID of your tenant project (TENANT_PROJECT_ID), not its display name.
    3. Provide the other input variables defined in your Terraform configuration. If you haven't defined other variables in your Terraform configuration, skip this step.
  7. Click Update.

SaaS Runtime triggers Infrastructure Manager using the specified actuation service account. Infrastructure Manager reads the tenant_project_id variable and updates the unit's resources (in this example, the VM) inside that tenant project, so the roles that apply are the ones the actuation service account holds on that tenant project.
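A pre-flight script for the provisioning and re-provisioning steps above, as an added example that is not part of the SaaS Runtime documentation. It checks the three things the Provision form does not check for you: that the value you are about to enter as Tenant Project ID is a well-formed project ID rather than a display name, that the release's variables.tf actually declares tenant_project_id, and that the actuation service account you selected holds the roles the unit needs on that tenant project. The service account name, the required role set and the sample variables.tf are constructed placeholders; the IAM bindings are fed in as lines printed by gcloud projects get-iam-policy.

```shell
#!/usr/bin/env bash
# Added example (not from the SaaS Runtime docs): checks to run before clicking Provision
# or Update, so a bad tenant_project_id fails here rather than inside Infrastructure Manager.
set -eu

# Assumed actuation service account and the role set the unit is assumed to need.
ACTUATION_SA="${ACTUATION_SA:-saas-actuation@saas-producer-example.iam.gserviceaccount.com}"
REQUIRED_ROLES="${REQUIRED_ROLES:-roles/compute.instanceAdmin.v1 roles/iam.serviceAccountUser}"

# Constructed sample variables.tf, standing in for the release's real file.
SAMPLE_VARIABLES_TF='variable "tenant_project_id" {
  type        = string
  description = "Project ID of the tenant project the unit deploys into"
}'

# 1. A project ID (what tenant_project_id expects) is 6-30 characters of lowercase letters,
#    digits and hyphens, starts with a letter and does not end with a hyphen. A display name
#    such as "Tenant A" fails this check.
is_project_id() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][-a-z0-9]{4,28}[a-z0-9]$'
}

# 2. The release's variables.tf (on stdin) must declare tenant_project_id.
declares_tenant_project_id() {
  grep -Eq '^[[:space:]]*variable[[:space:]]+"tenant_project_id"'
}

# 3. The actuation SA must hold every required role on the tenant project. Input lines
#    are "<role><TAB><member>", as printed by:
#      gcloud projects get-iam-policy TENANT_PROJECT_ID --flatten='bindings[].members' \
#        --format='value(bindings.role,bindings.members)'
#    Usage: has_required_roles SA_EMAIL "roles/a roles/b" < bindings.txt
#    Returns 0 when all roles are present, 1 otherwise (first missing role on stdout).
has_required_roles() {
  sa="serviceAccount:$1"; required="$2"; granted=""
  while IFS="$(printf '\t')" read -r role member; do
    [ "$member" = "$sa" ] && granted="$granted $role"
  done
  for r in $required; do
    case " $granted " in
      *" $r "*) ;;
      *) printf 'MISSING: %s\n' "$r"; return 1 ;;
    esac
  done
  return 0
}

# Self-check on the constructed data; replace the printf with real gcloud output for your tenant.
is_project_id "tenant-a-example" && printf 'ok: project id\n'
printf '%s\n' "$SAMPLE_VARIABLES_TF" | declares_tenant_project_id && printf 'ok: variables.tf\n'
printf 'roles/compute.instanceAdmin.v1\tserviceAccount:%s\nroles/iam.serviceAccountUser\tserviceAccount:%s\n' \
  "$ACTUATION_SA" "$ACTUATION_SA" | has_required_roles "$ACTUATION_SA" "$REQUIRED_ROLES" && printf 'ok: roles\n'
```

Run has_required_roles against the tenant project named in tenant_project_id, not the producer project: a binding that exists only on the producer project does nothing for resources created in the tenant project.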

What's next