Comprehensive and Detailed Explanation From General Google Cloud IAM and Organization Policy Knowledge:
The core requirement is to prevent accidental deletion of a Shared VPC host project, even by project owners, by ensuring that only users with a specific permission at the organization level can remove the lien that protects the project.
A lien restricting resourcemanager.projects.delete has already been placed on the project. This prevents its deletion. The challenge is to prevent the removal of this lien by project-level administrators.
The permission to remove a lien is resourcemanager.projectLiens.update (or resourcemanager.projects.updateLiens as stated in the question, which implies a broader update capability including liens).
Option A (Enable VPC Service Controls for the container.googleapis.com API service): VPC Service Controls are for data exfiltration prevention by creating service perimeters. They do not directly control IAM permissions for lien management or project deletion.
Option B (Revoke the resourcemanager.projects.updateLiens permission from all users associated with the project): While this would prevent project-level users from removing the lien, it doesn't enforce the requirement that only users with this permission at the organization level can remove it. A project owner could potentially re-grant themselves this permission at the project level if not otherwise restricted. The goal is a stronger, centrally enforced restriction.
Option C (Enable the compute.restrictXpnProjectLienRemoval organization policy constraint): This is specifically designed for the scenario described. Organization Policies allow centralized control over resource configurations across the organization.
The compute.restrictXpnProjectLienRemoval constraint, when enforced (set to True), restricts the removal of liens on Shared VPC host projects. Only users who have the resourcemanager.projectLiens.update permission (or resourcemanager.projects.updateLiens) granted at the organization level can then remove such liens. This prevents project owners or other project-level principals from removing the lien unless they also have this specific permission at the org level.
Option D (Instruct teams to only perform IAM permission management as code with Terraform): While Infrastructure as Code (IaC) is a good practice for managing IAM, it's an operational guideline and doesn't technically enforce the restriction on lien removal. A user with sufficient project-level IAM permissions could still manually remove the lien via the console or gcloud if not prevented by an organization policy.
Therefore, enabling the compute.restrictXpnProjectLienRemoval organization policy is the direct and most effective way to meet the requirement.
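The three pieces of the chosen design (the lien on the host project, the organization policy constraint, and an org-level grant of the lien-update permission), written out as an added Terraform example that is not part of the original explanation or of any Google documentation. The variable names, the custom role name and the group address are assumptions; the project number must be the host project's numeric ID.

```hcl
# 1. The lien that blocks deletion of the Shared VPC host project.
#    Restricting resourcemanager.projects.delete is what makes
#    "gcloud projects delete" fail while the lien exists.
resource "google_resource_manager_lien" "shared_vpc_host" {
  parent       = "projects/${var.host_project_number}" # numeric project ID (assumed variable)
  restrictions = ["resourcemanager.projects.delete"]
  origin       = "platform-team"
  reason       = "Shared VPC host project; deleting it breaks every attached service project"
}

# 2. The organization policy constraint. Once enforced, the lien above can only
#    be removed by principals holding the lien-update permission at the
#    organization level; a project-level Owner grant no longer suffices.
resource "google_organization_policy" "restrict_xpn_lien_removal" {
  org_id     = var.org_id # assumed variable
  constraint = "compute.restrictXpnProjectLienRemoval"

  boolean_policy {
    enforced = true
  }
}

# 3. The only path that is still allowed: a deliberately narrow role carrying the
#    permission named in the explanation, bound at the ORGANIZATION, not the project.
resource "google_organization_iam_custom_role" "lien_remover" {
  org_id      = var.org_id
  role_id     = "sharedVpcLienRemover" # assumed name
  title       = "Shared VPC Lien Remover"
  permissions = ["resourcemanager.projects.updateLiens"]
}

resource "google_organization_iam_member" "lien_remover" {
  org_id = var.org_id
  role   = google_organization_iam_custom_role.lien_remover.id
  member = "group:network-admins@example.com" # assumed group
}
```

After `terraform apply`, a project Owner attempting to delete the lien gets a permission error, while a member of the org-level group can still remove it when a deliberate decommission is needed.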
Reference (Based on Google Cloud Organization Policy and Shared VPC documentation):
Google Cloud documentation on Resource Manager Liens: https://cloud.google.com/resource-manager/docs/project-liens
Google Cloud documentation on Organization Policy Constraints: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
Specifically, the compute.restrictXpnProjectLienRemoval constraint: "When set to true, liens on Shared VPC host projects can only be removed by users that have resourcemanager.projectLiens.update permission on the organization." (or similar wording indicating org-level permission is required). This constraint ensures that the protection afforded by the lien on a critical Shared VPC host project cannot be easily circumvented at the project level.