Google Cloud Build

 

• Build, test, and deploy on Google Cloud Platform’s serverless CI/CD platform.

Features

• Cloud build is a fully serverless platform that helps you build your custom development workflows for building, testing, and deploying.
• Cloud Build can import source code from:
  • Cloud Storage
  • Cloud Source Repositories
  • GitHub
  • Bitbucket
• Supports Native Docker.
  • You can import your existing Docker file.
  • Push images directly to Docker image storage repositories such as Docker Hub and Container Registry.
• You can also automate deployments to Google Kubernetes Engine (GKE) or Cloud Run for continuous delivery.
• Automatically performs package vulnerability scanning for vulnerable images based on policies set by DevSecOps.
• You can package source into containers or non-container artifacts like Maven, Gradle, Go, or Bazel.

Pricing

• The first 120 build-minutes per day is free.
• The succeeding time is charged.

Google Container Registry

 

• Container Registry is a container image repository to manage Docker images, perform vulnerability analysis, and define fine-grained access control.

Features

• Automatically build and push images to a private registry when you commit code to Cloud Source Repositories, GitHub, or Bitbucket.
• You can push and pull Docker images to your private Container Registry utilizing the standard Docker command-line interface.
• The system creates a Cloud Storage bucket to store all of your images the first time you push an image to Container Registry
• You have the ability to maintain control over who can access, view, or download images.

Pricing

• Container Registry charges for the following:
  • Storing images on Cloud Storage
  • Network egress for containers stored in the registry.
• Network ingress is free.
• If the Container Scanning API is enabled in either Container Registry, vulnerability scanning is turned on and billed for both products.

GCP Developer Tools

 

• A fully managed git repository where you can securely manage your code.

Features

• You will be able to extend your git workflow with Cloud Source Repositories. Set up a repository as a Git remote. Push, pull, clone, log, and perform other Git operations as required by your workflow.
• You can create multiple repositories for a single Google Cloud project. This allows you to organize the code associated with your cloud project in the best way.
• View repository files from within the Cloud Source Repositories using Source Browser. You can filter your view to focus on a specific branch, tag, or commit.
• Private repositories are for free.
• Can be automatically synced with Github and Bitbucket repositories.
• Integrates with Cloud Build to automatically build and test an image when changes are pushed to Cloud Source Repositories.
• You can get insights on actions performed on your repository with Cloud Audit Logs.

Pricing

• Cloud Source Repositories charges based on:
  • Per user
  • Storage
  • Egress network

Google Cloud Deployment Manager

 

• Google Cloud Deployment Manager is an infrastructure deployment service that automates the creation and management of Google Cloud resources.

Features

• You can write template and configuration files and utilize them to create deployments that have a variety of Google Cloud services working together, such as:
  • Cloud Storage
  • Compute Engine
  • Cloud SQL
• A configuration defines the structure of your deployment. You must specify a configuration on a YAML file to create a deployment. It contains the following:
  • type and properties of the resources that are part of the deployment
  • any templates the configuration should use
  • additional subfiles that can be executed to create your final configuration.
• It is recommended that you break your configuration into templates to simplify your deployment and make it easier to replicate and troubleshoot. A template is a separate file that defines a set of resources. You can reuse templates across different deployments, to help you manage complex deployments consistently.
• Creating a deployment creates the resources that you defined in a configuration.

Deployment Management Roles

• Deployment Manager Editor
  • Provides the permissions to create and manage deployments.
• Deployment Manager Type Editor
  • Provides read and write access to all Type Registry resources.
• Deployment Manager Type Viewer
  • Provides read-only access to all Type Registry resources.
• Deployment Manager Viewer
  • Provides read-only access to all Deployment Manager-related resources.

Pricing

• You only pay for the resources that you provision. Deployment Manager has no additional charge to Google Cloud Platform customers.

Google Cloud Monitoring

 

• Cloud Monitoring collects metrics, events, and metadata, hosted uptime probes, and application instrumentation to gain visibility into the performance, availability, and health of your applications and infrastructure.

Features

• Collect metrics from multicloud and hybrid infrastructure in real time.
• Metrics, events, and metadata are displayed with rich query language that helps identify issues and uncover significant patterns.
• Reduces time spent navigating between systems with one integrated service for metrics, uptime monitoring, dashboards, and alerts.

Workspaces

• Cloud Monitoring utilizes workspaces to organize and manage its information.
• A Workspace can manage the monitoring data for a single Google Cloud project, or it can manage the data for multiple Google Cloud projects and AWS accounts.
• But, a Google Cloud project or an AWS account can only be associated with one Workspace at a time.
• You must have at least one of the following IAM role name for the Google Cloud project to create a Workspace:
  • Monitoring Editor
  • Monitoring Admin
  • Project Owner

Cloud Monitoring Agent

• The Cloud Monitoring agent is a collectd-based daemon that collects application and system metrics from virtual machine (VM) instances.
• The Monitoring agent collects disk, network, CPU, and process metrics by default.
• You can configure the Monitoring agent to monitor third-party applications.

Pricing

• Monitoring charges only for the volume of ingested metric data and Cloud Monitoring API read calls that exceed the free monthly allotment.
• Non-chargeable metrics and Cloud Monitoring API write calls don’t count towards the allotment limit.

Google Cloud Logging

 

• An exabyte-scale, fully managed service for real-time log management.
• Helps you to securely store, search, analyze, and alert on all of your log data and events.

Features

• Write any custom log, from any source, into Cloud Logging using the public write APIs.
• You can search, sort, and query logs through query statements, along with rich histogram visualizations, simple field explorers, and the ability to save the queries.
• Integrates with Cloud Monitoring to set alerts on the logs events and logs-based metrics you have defined.
• You can export data in real-time to BigQuery to perform advanced analytics and SQL-like query tasks.
• Cloud Logging helps you see the problems with your mountain of data using Error Reporting. It helps you automatically analyze your logs for exceptions and intelligently aggregate them into meaningful error groups.

Cloud Audit Logs

Cloud Audit Logs maintains audit logs for each Cloud project, folder, and organization. There are four types of logs you can use:

1. Admin Activity audit logs

• Contains log entries for API calls or other administrative actions that modify the configuration or metadata of resources.
• You must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs.
• Admin Activity audit logs are always written and you can’t configure or disable them in any way.

2. Data Access audit logs

• Contains API calls that read the configuration or metadata of resources, including user-driven API calls that create, modify, or read user-provided resource data.
• You must have the IAM roles Logging/Private Logs Viewer or Project/Owner to view these logs.
• You must explicitly enable Data Access audit logs to be written. They are disabled by default because they are large.

3. System Event audit logs

• Contains log entries for administrative actions taken by Google Cloud that modify the configuration of resources.
• You must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs.
• System Event audit logs are always written so you can’t configure or disable them.
• There is no additional charge for your System Event audit logs.

4. Policy Denied audit logs

• Contains logs when a Google Cloud service denies access to a user or service account triggered by a security policy violation.
• You must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs.
• Policy Denied audit logs are generated by default. Your cloud project is charged for the logs storage.

Exporting Audit Logs

• Log entries received by Logging can be exported to Cloud Storage buckets, BigQuery datasets, and Pub/Sub topics.
• To export audit log entries outside of Logging:
  • Create a logs sink.
  • Give the sink a query that specifies the audit log types you want to export.
• If you want to export audit log entries for a Google Cloud organization, folder, or billing account, review Aggregated sinks.

Pricing

• All features of Cloud Logging are free to use, and the charge is only applicable for ingested log volume over the free allotment. Free usage allotments do not come with upfront fees or commitments.

Google Cloud Billing

 

• You can configure billing on Google Cloud in a variety of ways to meet different needs.
• To use Google Cloud services, you must have a valid Cloud Billing account,

Features

• If you have a project that is not linked to a Cloud Billing account, you will have limited use of products and services available for your project.

Cloud Billing Account & Payments Profile

• Cloud Billing Account
  • It is set up in Google Cloud and is used to define who pays for a given set of Google Cloud resources and Google Maps Platform APIs.
  • Access control to a Cloud Billing account is established by IAM roles.
  • A Cloud Billing account is connected to a Google payments profile.
• Google Payments Profile
  • Stores your payment instrument like credit cards and debit cards, to which costs are charged.
  • Stores information about who is responsible for the profile.
  • This serves as a document center where you can view invoices and payment history.

Cloud Billing Reports

• The Cloud Billing Reports page allows you to view your Google Cloud usage costs at a glance and discover and analyze trends.
• It shows a chart that plots usage costs for all projects linked to a Cloud Billing account.
• You can select a date range, specify a time range, configure the chart filters, and group by project, service, SKU, or location to filter how you view your report.
• Moreover, you can also forecast future costs using the Cloud Billing Reports to check out how much you are projected to spend, up to 12 months in the future.

Cloud Billing Budgets

• You can define the scope of the budget to apply in:
  • Entire Cloud Billing account
  • One or more projects
  • One or more products
  • Other budget filters applicable to your Cloud Billing account.
• You can specify the budget amount to your requirement, or base the budget amount on the previous month’s spend.
• Moreover, you can also specify email alerts and declare the recipients in the following ways:
  • Using the role-based option (default), where you can send email alerts to billing admins and users on the Cloud Billing account.
  • Using Cloud Monitoring, where you can enlist other people in your organization (for example, project managers) to receive budget alert emails.
  • You can also use Pub/Sub for a more programmatic notification approach.

Overview of Cloud Billing roles in IAM

The following predefined Cloud Billing IAM roles are designed to allow you to use access control to enforce separation of duties in managing your billing:

• Billing Account Creator (roles/billing.creator)
  • Create new self-serve (online) billing accounts.
  • Assigned at organization Level
  • Use this role for initial billing setup or to allow the creation of additional billing accounts. Users must have this role to sign up for Google Cloud with a credit card using their corporate identity.
• Billing Account Administrator (roles/billing.admin)
  • Manage billing accounts (but not create them).
  • Can be assigned at the organization level or billing account.
  • This role is an owner role for a billing account. Use it to manage payment instruments, configure billing exports, view cost information, link and unlink projects, and manage other user roles on the billing account.
• Billing Account User (roles/billing.user)
  • Link projects to billing accounts.
  • Can be assigned at the organization level or billing account.
  • This role has very restricted permissions, so you can grant it broadly, typically in combination with Project Creator. These two roles allow a user to create new projects linked to the billing account on which the role is granted.
• Billing Account Viewer
  • View billing account cost information and transactions.
  • Can be assigned at the organization level or billing account.
  • Billing Account Viewer access would usually be granted to finance teams. It provides access to spend information but does not confer the right to link or unlink projects or otherwise manage the properties of the billing account.
• Project Billing Manager (roles/billing.projectManager)
  • Link/unlink the project to/from a billing account.
  • Can be assigned at the organization level or billing account.
  • This role allows a user to attach the project to the billing account, but does not grant any rights over resources. Project Owners can use this role to allow someone else to manage the billing for the project without granting them resource access.