Enforcing organization policy constraints

By enabling the following Confidential Computing organization policy constraint, you can ensure that all VM resources created across your organization are Confidential VM instances.

Before you begin

To modify organization policy constraints, you must have a role with appropriate permissions. You need at least the Organization Policy Administrator role to set or change organization policies.

Enable the constraint

To enable the constraint on VM instances, do the following:

Console

  1. In the Google Cloud Console, click the project selector menu at the top of the page. In the project selector, choose the organization to which you want to apply the constraint.
  2. Open Organization policies: Click the Navigation menu , point to IAM & Admin, and then click Organization Policies.

    Open Organization policies

  3. Select Restrict Non-Confidential Computing in the list of organization policies. (You'll probably find it easiest to filter the list by policy name first.)

  4. On the Policy details page for Restrict Non-Confidential Computing, click Edit .

    Screen shot of Policy details screen before
procedure

  5. Under Applies to, choose Customize.

  6. Under Policy enforcement, choose whether to merge your new policy setting with that of a parent organization (Merge with parent), or to replace the current policy setting and ignore that of the parent (Replace).

  7. Next, under Policy values, choose Custom, and under Policy type, choose Deny. This choice ensures that all new VM instances created in this organization will be Confidential VM instances.

  8. To the field under Custom values, add the supported API service names you want to enforce this policy on. The list of supported services is provided in the policy description. For example, to enforce this policy on the creation of new virtual machine instances, type compute.googleapis.com. To enter more than one API service, click New policy value.

  9. You can optionally enter a recommendation note to this policy in the Cloud Console by clicking Set recommendation. When you're done, click Save.

If you've done this correctly, the Policy details screen for Restrict Non-Confidential Computing looks like the following screenshot. Note the service API name under Denied.

Screen shot of Policy details screen after
procedure

gcloud

Use the following gcloud command and replace the PROJECT_ID placeholder with your project identifier:

gcloud resource-manager org-policies deny \
  constraints/compute.restrictNonConfidentialComputing compute.googleapis.com \
  --project=PROJECT_ID

By denying the "Restrict Non-Confidential Computing" organization policy, you have specified that all new VM instances will be Confidential VM instances.

Disable the constraint

To disable the constraint, do the following:

Console

  1. In the Google Cloud Console, click the project selector menu at the top of the page. In the project selector, choose the organization to which the constraint has been applied.
  2. Open Organization policies: Click the Navigation menu , point to IAM & Admin, and then click Organization Policies.

    Open Organization policies

  3. Select Restrict Non-Confidential Computing in the list of organization policies. (You'll probably find it easiest to filter the list by policy name first.)

  4. On the Policy details page for Restrict Non-Confidential Computing, click Edit .

  5. Under Policy values, choose Allow all, and then click Save.

gcloud

Use the following gcloud command. Running this command sets the policy back to the default state for the project. Replace the PROJECT_ID placeholder with your project identifier:

gcloud resource-manager org-policies delete \
  constraints/compute.restrictNonConfidentialComputing \
  --project=PROJECT_ID

By allowing the "Restrict Non-Confidential Computing" organization policy, you have re-enabled your organization's ability to create VM instances that are not Confidential VM instances.

Create a policy file

Alternatively, you can create a policy file by using set-policy commands.

What's next

To learn more about the core concepts of organization policy: