ResourceManagerPolicy

This resource is able to configure organization policy constraints for a project, folder, or organization. The parent resource is configured by setting one of projectRef, folderRef, or organizationRef.

Property Value
Google Cloud Service Name Cloud Resource Manager
Google Cloud Service Documentation /resource-manager/docs/
Google Cloud REST Resource Name v1.policy
Google Cloud REST Resource Documentation /resource-manager/reference/rest/v1/policy
Config Connector Resource Short Names gcpresourcemanagerpolicy
gcpresourcemanagerpolicies
resourcemanagerpolicy
Config Connector Service Name cloudresourcemanager.googleapis.com
Config Connector Resource Fully Qualified Name resourcemanagerpolicies.resourcemanager.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No

Custom Resource Definition Properties

Spec

Schema

  booleanPolicy:
    enforced: boolean
  constraint: string
  folderRef:
    external: string
    name: string
    namespace: string
  listPolicy:
    allow:
      all: boolean
      values:
      - string
    deny:
      all: boolean
      values:
      - string
    inheritFromParent: boolean
    suggestedValue: string
  organizationRef:
    external: string
    name: string
    namespace: string
  projectRef:
    external: string
    name: string
    namespace: string
  restorePolicy:
    default: boolean
  version: integer
Fields

booleanPolicy

Optional

object

A boolean policy is a constraint that is either enforced or not.

booleanPolicy.enforced

Required*

boolean

If true, then the Policy is enforced. If false, then any configuration is acceptable.

constraint

Required

string

Immutable. The name of the Constraint the Policy is configuring, for example, serviceuser.services.

folderRef

Optional

object

The folder on which to configure the constraint. Only one of projectRef, folderRef, or organizationRef may be specified.

folderRef.external

Optional

string

The name of a Folder.

folderRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

folderRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

listPolicy

Optional

object

A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values.

listPolicy.allow

Optional

object

One or the other must be set.

listPolicy.allow.all

Optional

boolean

The policy allows or denies all values.

listPolicy.allow.values

Optional

list (string)

The policy can define specific values that are allowed or denied.

listPolicy.allow.values.[]

Optional

string

listPolicy.deny

Optional

object

One or the other must be set.

listPolicy.deny.all

Optional

boolean

The policy allows or denies all values.

listPolicy.deny.values

Optional

list (string)

The policy can define specific values that are allowed or denied.

listPolicy.deny.values.[]

Optional

string

listPolicy.inheritFromParent

Optional

boolean

If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

listPolicy.suggestedValue

Optional

string

The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

organizationRef

Optional

object

The organization on which to configure the constraint. Only one of projectRef, folderRef, or organizationRef may be specified.

organizationRef.external

Optional

string

The name of an Organization.

organizationRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

organizationRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

projectRef

Optional

object

The project on which to configure the constraint. Only one of projectRef, folderRef, or organizationRef may be specified.

projectRef.external

Optional

string

The name of a Project.

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

restorePolicy

Optional

object

A restore policy is a constraint to restore the default policy.

restorePolicy.default

Required*

boolean

May only be set to true. If set, then the default Policy is restored.

version

Optional

integer

Version of the Policy. Default version is 0.

* Field is required when parent field is specified

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  etag: string
  updateTime: string
Fields
conditions

list (object)

Conditions represents the latest available observation of the resource's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

etag

string

The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

updateTime

string

The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".

Sample YAML(s)

Organization Policy For Folder

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
  kind: ResourceManagerPolicy
  metadata:
    name: resourcemanagerpolicy-sample-folder
  spec:
    folderRef:
      name: resourcemanagerpolicy-dep-folder
    constraint: "constraints/compute.disableSerialPortAccess"
    booleanPolicy:
      enforced: true
  ---
  apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
  kind: Folder
  metadata:
    annotations:
      # Replace "${ORG_ID?}" with the numeric ID for your organization
      cnrm.cloud.google.com/organization-id: "${ORG_ID?}"
    name: resourcemanagerpolicy-dep-folder
  spec:
    displayName: Org Policy Sample

Organization Policy For Organization

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
  kind: ResourceManagerPolicy
  metadata:
    name: resourcemanagerpolicy-sample-org
  spec:
    organizationRef:
      # Replace "${ORG_ID?}" with the numeric ID for your organization
      external: "${ORG_ID?}"
    constraint: "constraints/compute.disableSerialPortAccess"
    booleanPolicy:
      enforced: true

Organization Policy For Project

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
  kind: ResourceManagerPolicy
  metadata:
    name: resourcemanagerpolicy-sample-project
  spec:
    projectRef:
      name: resourcemanagerpolicy-dep-project
    constraint: "constraints/compute.disableSerialPortAccess"
    booleanPolicy:
      enforced: true
  ---
  apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
  kind: Project
  metadata:
    annotations:
      # Replace "${ORG_ID?}" with the numeric ID for your folder
      cnrm.cloud.google.com/organization-id: "${ORG_ID?}"
    name: resourcemanagerpolicy-dep-project
  spec:
    name: Org Policy Sample
    billingAccountRef:
      # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
      external: "${BILLING_ACCOUNT_ID?}"