Index
- Policy (message)
- Policy.BooleanPolicy (message)
- Policy.ListPolicy (message)
- Policy.ListPolicy.AllValues (enum)
- Policy.RestoreDefault (message)
Policy
Defines a Cloud Organization Policy which is used to specify Constraints for configurations of Cloud Platform resources.
Fields | |
---|---|
version | Version of the |
constraint | The name of the A list of available constraints is available. Immutable after creation. |
etag | An opaque tag indicating the current version of the When the When the When the |
update_time | The time stamp the |
Union field A Providing a *_policy that is incompatible with the Attempting to set a | |
list_policy | List of values either allowed or disallowed. |
boolean_policy | For boolean |
restore_default | Restores the default behavior of the constraint; independent of |
BooleanPolicy
Used in policy_type to specify how boolean_policy will behave at this resource.
Fields | |
---|---|
enforced | If Suppose you have a The following examples demonstrate the different possible layerings: Example 1 (nearest Example 2 (enforcement gets replaced): Example 3 (RestoreDefault): |
ListPolicy
Used in policy_type to specify how list_policy behaves at this resource.

ListPolicy can define specific values and subtrees of Cloud Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied by setting the allowed_values and denied_values fields. This is achieved by using the under: and optional is: prefixes. The under: prefix is used to denote resource subtree values. The is: prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - "projects/
supports_under field of the associated Constraint defines whether ancestry prefixes can be used. You can set allowed_values and denied_values in the same Policy if all_values is ALL_VALUES_UNSPECIFIED. ALLOW or DENY are used to allow or deny all values. If all_values is set to either ALLOW or DENY, allowed_values and denied_values must be unset.
Fields | |
---|---|
allowed_values[] | List of values allowed at this resource. Can only be set if |
denied_values[] | List of values denied at this resource. Can only be set if |
all_values | The policy all_values state. |
suggested_value | Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this |
inherit_from_parent | Determines the inheritance behavior for this By default, a Setting For example, suppose you have a The following examples demonstrate different possible layerings for Example 1 (no inherited values): Example 2 (inherited values): Example 3 (inheriting both allowed and denied values): Example 4 (RestoreDefault): Example 5 (no policy inherits parent policy): Example 6 (ListConstraint allowing all): Example 7 (ListConstraint allowing none): Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
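
The prefix and all_values rules for ListPolicy, written as a small pre-submit linter. This is an added example, not code from Google or its client libraries: it takes the ListPolicy as a plain dict keyed by the field names on this page, the names parse_value and lint_list_policy and the sample policies are hypothetical, and it does not check ancestry formats.

```python
"""Lint a ListPolicy given as a plain dict keyed by the field names on this page."""

ALL_VALUES = {"ALL_VALUES_UNSPECIFIED", "ALLOW", "DENY"}


def parse_value(raw):
    """Split one allowed/denied entry into (kind, value)."""
    if raw.startswith("under:"):
        return "subtree", raw[len("under:"):]
    if raw.startswith("is:"):
        return "exact", raw[len("is:"):]
    if ":" in raw:
        # "is:" is required whenever the value itself contains a colon.
        raise ValueError(f'{raw!r} contains ":" and needs an "is:" prefix')
    return "exact", raw  # no prefix is treated the same as "is:"


def lint_list_policy(policy, supports_under):
    """Return a list of rule violations; an empty list means the policy passes."""
    errors = []
    all_values = policy.get("all_values", "ALL_VALUES_UNSPECIFIED")
    allowed = policy.get("allowed_values", [])
    denied = policy.get("denied_values", [])

    if all_values not in ALL_VALUES:
        errors.append(f"unknown all_values {all_values!r}")
    elif all_values != "ALL_VALUES_UNSPECIFIED" and (allowed or denied):
        errors.append(f"all_values={all_values}: allowed_values and denied_values must be unset")
    elif all_values == "ALL_VALUES_UNSPECIFIED" and not (allowed or denied):
        errors.append("ALL_VALUES_UNSPECIFIED: allowed_values or denied_values must be set")

    for field, values in (("allowed_values", allowed), ("denied_values", denied)):
        for raw in values:
            try:
                kind, value = parse_value(raw)
            except ValueError as exc:
                errors.append(f"{field}: {exc}")
                continue
            if kind == "subtree" and not supports_under:
                errors.append(f"{field}: {raw!r} uses under: but supports_under is false")
            if not value:
                errors.append(f"{field}: {raw!r} has an empty value")
    return errors


# Constructed sample policies; every identifier below is a placeholder.
GOOD = {"allowed_values": ["under:projects/example-a", "is:key:value"], "denied_values": ["plain-value"]}
BAD = {"all_values": "DENY", "allowed_values": ["plain-value"]}
```

Calling lint_list_policy(GOOD, supports_under=False) flags only the under: entry, which shows why the Constraint's supports_under setting has to be looked up before a policy with subtree values is submitted.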
AllValues
This enum can be used to set Policies that apply to all possible configuration values rather than specific values in allowed_values or denied_values.
Setting this to ALLOW will mean this Policy allows all values. Similarly, setting it to DENY will mean no values are allowed. If set to either ALLOW or DENY, allowed_values and denied_values must be unset. Setting this to ALL_VALUES_UNSPECIFIED allows for setting allowed_values and denied_values.
Enums | |
---|---|
ALL_VALUES_UNSPECIFIED | Indicates that allowed_values or denied_values must be set. |
ALLOW | A policy with this set allows all values. |
DENY | A policy with this set denies all values. |
RestoreDefault
This type has no fields.
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource.
Suppose that constraint_default is set to ALLOW for the Constraint constraints/serviceuser.services. Suppose that organization foo.com sets a Policy at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a Policy with the policy_type restore_default on several experimental projects, restoring the constraint_default enforcement of the Constraint for only those projects, allowing those projects to have all services activated.