By enabling the following Confidential Computing organization policy constraint, you can ensure that all VM resources created across your organization are Confidential VM instances.
Before you begin
To modify organization policy constraints, you must have a role with appropriate permissions. You need at least the Organization Policy Administrator role to set or change organization policies.
Enable the constraint
To enable the constraint on VM instances, do the following:
Console
- In the Google Cloud console, click the project selector menu at the top of the page. In the project selector, choose the organization to which you want to apply the constraint.
- Open Organization policies: click the Navigation menu, point to IAM & Admin, and then click Organization Policies.
- Select Restrict Non-Confidential Computing in the list of organization policies. (You'll probably find it easiest to filter the list by policy name first.)
- On the Policy details page for Restrict Non-Confidential Computing, click Edit.
- Under Applies to, choose Customize.
- Under Policy enforcement, choose whether to merge your new policy setting with that of a parent organization (Merge with parent), or to replace the current policy setting and ignore that of the parent (Replace).
- Under Policy values, choose Custom, and under Policy type, choose Deny. This choice ensures that all new VM instances created in this organization will be Confidential VM instances.
- In the field under Custom values, add the supported API service names you want to enforce this policy on. The list of supported services is provided in the policy description. For example, to enforce this policy on the creation of new virtual machine instances, type compute.googleapis.com. To enter more than one API service, click New policy value.
- Optionally, add a recommendation note to this policy in the Google Cloud console by clicking Set recommendation. When you're done, click Save.
If you've done this correctly, the Policy details screen for Restrict Non-Confidential Computing looks like the following screenshot. Note the service API name under Denied.
gcloud
Use the following gcloud command and replace the PROJECT_ID placeholder with your project identifier:
gcloud resource-manager org-policies deny \
    constraints/compute.restrictNonConfidentialComputing compute.googleapis.com \
    --project=PROJECT_ID
By denying compute.googleapis.com under the "Restrict Non-Confidential Computing" organization policy constraint, you have specified that all new VM instances will be Confidential VM instances.
Disable the constraint
To disable the constraint, do the following:
Console
- In the Google Cloud console, click the project selector menu at the top of the page. In the project selector, choose the organization to which the constraint has been applied.
- Open Organization policies: click the Navigation menu, point to IAM & Admin, and then click Organization Policies.
- Select Restrict Non-Confidential Computing in the list of organization policies. (You'll probably find it easiest to filter the list by policy name first.)
- On the Policy details page for Restrict Non-Confidential Computing, click Edit.
- Under Policy values, choose Allow all, and then click Save.
gcloud
Use the following gcloud command. Running this command sets the policy back to the default state for the project. Replace the PROJECT_ID placeholder with your project identifier:
gcloud resource-manager org-policies delete \
    constraints/compute.restrictNonConfidentialComputing \
    --project=PROJECT_ID
By allowing the "Restrict Non-Confidential Computing" organization policy, you have re-enabled your organization's ability to create VM instances that are not Confidential VM instances.
Create a policy file
Alternatively, you can create a policy file and apply it with the set-policy command.
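The following is an added example, not part of the Google Cloud documentation, showing the policy-file route for the same constraint the gcloud section above sets with the deny command: a small POSIX shell script that writes the policy file, applies it with set-policy, and reads back the effective policy so you can confirm that compute.googleapis.com is denied. It assumes the v1 org-policy file format (constraint plus listPolicy.deniedValues), that gcloud is installed and authenticated, and that PROJECT_ID is set in the environment; the gcloud calls are skipped when either is missing.

```shell
#!/bin/sh
# Added example (not from the original page). Writes an org-policy file that
# denies non-Confidential VM creation for the listed API services, applies it
# with set-policy, and shows the effective policy (parent policies merged in).
# PROJECT_ID is assumed to be exported by the caller; gcloud is only invoked
# when it is installed and PROJECT_ID is set.

CONSTRAINT="constraints/compute.restrictNonConfidentialComputing"
POLICY_FILE="${TMPDIR:-/tmp}/restrict-non-confidential.yaml"

# write_policy_file FILE SERVICE...
# Writes a v1-format policy file denying each API service name given
# (for example compute.googleapis.com), the same values the console
# shows under "Denied" after saving.
write_policy_file() {
    file="$1"; shift
    {
        echo "constraint: $CONSTRAINT"
        echo "listPolicy:"
        echo "  deniedValues:"
        for svc in "$@"; do
            echo "    - $svc"
        done
    } > "$file"
}

# denied_services FILE
# Prints the denied values recorded in FILE, one per line, so a script can
# check what will be applied before calling gcloud.
denied_services() {
    sed -n 's/^    - //p' "$1"
}

# apply_policy FILE PROJECT
# Applies the policy file to the project, then prints the effective policy
# for the constraint; the describe step is the check to run after any change.
apply_policy() {
    gcloud resource-manager org-policies set-policy "$1" --project="$2" &&
    gcloud resource-manager org-policies describe "$CONSTRAINT" \
        --project="$2" --effective
}

# Deny non-Confidential instances for Compute Engine only.
write_policy_file "$POLICY_FILE" compute.googleapis.com

if command -v gcloud >/dev/null 2>&1 && [ -n "${PROJECT_ID:-}" ]; then
    apply_policy "$POLICY_FILE" "$PROJECT_ID"
fi
```

To undo the setting with the same mechanism, replace the deniedValues list in the file with `allValues: ALLOW` under listPolicy and run set-policy again, or use the delete command shown above.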
What's next
To learn more about the core concepts of organization policy:
- Read the overview of organization policy.
- Read about what constraints are.
- Read about the available organization policy constraints.
- Read how to use constraints to create organization policies.