This guide provides an overview of SaaS Runtime tenants and how you can use them to organize your SaaS offering.
Tenants and tenant projects
A SaaS Runtime tenant resource represents a logical customer, client, or tenant of your SaaS offering. It acts primarily as an organizational tool that helps you to group the units belonging to a specific tenant.
If your SaaS offering has multiple tenants, we recommend that you provision each of your tenant's resources into a separate Google Cloud project. To separate your tenant resources into dedicated Google Cloud projects, you'll need to create at least two projects:
- Producer project: The project where your SaaS offering is configured. You only need one producer project for your SaaS application.
- Tenant projects: The projects with SaaS Runtime resources for a specific tenant. We recommend that you make one project for each of your tenants.
Using separate projects for each tenant lets you set configurations (IAM policies, or network peering, for example) within tenant projects, and helps you track costs and manage resources for each tenant.
Actuation service accounts in a tenant project
The actuation service account needs permissions in the tenant project to create and manage the resources defined in your Terraform configuration. We recommend that you set up a separate actuation account for each of your tenants.
For more information about actuation service accounts and the permissions they may require, see actuation service account.
APIs in a tenant project
When SaaS Runtime (via Infrastructure Manager and the actuation service account) attempts to create resources (a VM, for example) in a tenant project, the necessary APIs must be enabled in that tenant project. Otherwise, provisioning will fail.
You must enable APIs for all resource types your Terraform configuration uses within a tenant project.
Use a provisional unit kind to automate your tenant set-up
Manually creating projects, enabling APIs, and configuring IAM for each new tenant is time consuming and prone to errors. You can automate the tenant set-up process using SaaS Runtime by creating a provisional unit kind containing a Terraform configuration that:
- Creates a new Google Cloud project for the tenant.
- Enables the necessary APIs within that new project.
- Creates a dedicated actuation service account for the provisioned tenant (either in the producer project or the tenant project).
- Grants the necessary IAM permissions to service accounts within the tenant project.
- Sets up networking, logging, or other baseline infrastructure.
Your provisional unit kind should:
- Define Terraform output variables for the tenant_project_id, tenant_project_number, and the actuation_sa email it creates.
- Receive the tenant_id as an input variable.
Configure your application unit kind to depend on the provisional unit kind and map the output variables to the corresponding input variables of the application unit.
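The following Terraform configuration is an added example of the provisional unit kind pattern described above; it is not code from the SaaS Runtime documentation or product. It takes tenant_id as its input, creates the tenant project, enables the APIs, creates a per-tenant actuation service account with a deliberately narrow set of roles, and exposes the three outputs (tenant_project_id, tenant_project_number, actuation_sa) that the application unit kind maps to its inputs. The billing account, folder, API list, role list and naming scheme are assumptions to replace with your own values.

```hcl
# ---- provisional unit kind: main.tf (added example; values are assumptions) ----

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 5.0"
    }
  }
}

# Input variable populated by SaaS Runtime for each tenant. Assumed to be short,
# lowercase and hyphen-safe so it can be embedded in project and account IDs.
variable "tenant_id" {
  type        = string
  description = "Identifier of the tenant this unit provisions infrastructure for."
}

# Assumed producer-side settings.
variable "billing_account" { type = string }
variable "folder_id"       { type = string }

# Assumed: the services the application unit kind's Terraform will need in the tenant
# project. Every resource type it creates must have its API listed here.
variable "tenant_apis" {
  type    = list(string)
  default = ["compute.googleapis.com", "logging.googleapis.com"]
}

# Assumed: least-privilege roles for the per-tenant actuation account. Scope these to
# what the application unit kind actually creates rather than granting roles/editor.
variable "actuation_roles" {
  type    = list(string)
  default = ["roles/compute.instanceAdmin.v1", "roles/iam.serviceAccountUser"]
}

# One Google Cloud project per tenant (the tenant project).
resource "google_project" "tenant" {
  name            = "tenant-${var.tenant_id}"
  project_id      = "tenant-${var.tenant_id}" # must be globally unique, 6-30 chars
  folder_id       = var.folder_id
  billing_account = var.billing_account
}

# Enable each API before any resource of that type is created; otherwise actuation fails.
resource "google_project_service" "tenant" {
  for_each           = toset(var.tenant_apis)
  project            = google_project.tenant.project_id
  service            = each.value
  disable_on_destroy = false
}

# Dedicated actuation service account for this tenant, created inside the tenant project.
resource "google_service_account" "actuation" {
  project      = google_project.tenant.project_id
  account_id   = "actuation-${var.tenant_id}"
  display_name = "Actuation account for tenant ${var.tenant_id}"
}

# Grant only the roles listed above, and only on this tenant's project.
resource "google_project_iam_member" "actuation" {
  for_each = toset(var.actuation_roles)
  project  = google_project.tenant.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.actuation.email}"

  depends_on = [google_project_service.tenant]
}

# Outputs that the application unit kind maps to its own input variables.
output "tenant_project_id"     { value = google_project.tenant.project_id }
output "tenant_project_number" { value = google_project.tenant.number }
output "actuation_sa"          { value = google_service_account.actuation.email }

# ---- application unit kind: variables.tf (consumes the outputs above) ----
# SaaS Runtime supplies these from the provisional unit's outputs once the
# dependency between the two unit kinds is configured.
variable "tenant_project_id"     { type = string }
variable "tenant_project_number" { type = string }
variable "actuation_sa"          { type = string }

# Point the application's provider at the tenant project, not the producer project.
provider "google" {
  project = var.tenant_project_id
}
```

The two sections are separate files in two separate unit kinds; they are shown together only to make the output-to-input mapping visible. Keeping the actuation roles in a variable makes the per-tenant permission grant explicit and reviewable, so a later change to what the application unit creates is paired with a change to the roles it is allowed to use.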
After you configure your unit kind dependencies, SaaS Runtime verifies that the underlying tenant infrastructure unit is provisioned (creating a tenant project and setting up its permissions) before the unit containing your application is provisioned.
See Manage dependencies between units and use variables for more details on implementing this pattern.
What's next
- Learn how to create tenant projects and resources.
- Find out how to associate units with tenants.