ResourceManagerPolicy


This resource is able to configure organization policy constraints for a project, folder, or organization. The parent resource is configured by setting one of projectRef, folderRef, or organizationRef.

Property Value
Google Cloud Service Name Cloud Resource Manager
Google Cloud Service Documentation /resource-manager/docs/
Google Cloud REST Resource Name v1.policy
Google Cloud REST Resource Documentation /resource-manager/reference/rest/v1/Policy
Config Connector Resource Short Names gcpresourcemanagerpolicy
gcpresourcemanagerpolicies
resourcemanagerpolicy
Config Connector Service Name cloudresourcemanager.googleapis.com
Config Connector Resource Fully Qualified Name resourcemanagerpolicies.resourcemanager.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No
Config Connector Default Average Reconcile Interval In Seconds 600

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/state-into-spec

Spec

Schema

booleanPolicy:
  enforced: boolean
constraint: string
folderRef:
  external: string
  name: string
  namespace: string
listPolicy:
  allow:
    all: boolean
    values:
    - string
  deny:
    all: boolean
    values:
    - string
  inheritFromParent: boolean
  suggestedValue: string
organizationRef:
  external: string
  name: string
  namespace: string
projectRef:
  external: string
  name: string
  namespace: string
restorePolicy:
  default: boolean
version: integer
Fields

booleanPolicy

Optional

object

A boolean policy is a constraint that is either enforced or not.

booleanPolicy.enforced

Required*

boolean

If true, then the Policy is enforced. If false, then any configuration is acceptable.

constraint

Required

string

Immutable. The name of the Constraint the Policy is configuring, for example, serviceuser.services.

folderRef

Optional

object

The folder on which to configure the constraint. Only one of projectRef, folderRef, or organizationRef may be specified.

folderRef.external

Optional

string

Allowed value: The `name` field of a `Folder` resource.

folderRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

folderRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

listPolicy

Optional

object

A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. .

listPolicy.allow

Optional

object

One or the other must be set.

listPolicy.allow.all

Optional

boolean

The policy allows or denies all values.

listPolicy.allow.values

Optional

list (string)

The policy can define specific values that are allowed or denied.

listPolicy.allow.values[]

Optional

string

listPolicy.deny

Optional

object

One or the other must be set.

listPolicy.deny.all

Optional

boolean

The policy allows or denies all values.

listPolicy.deny.values

Optional

list (string)

The policy can define specific values that are allowed or denied.

listPolicy.deny.values[]

Optional

string

listPolicy.inheritFromParent

Optional

boolean

If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

listPolicy.suggestedValue

Optional

string

The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

organizationRef

Optional

object

The organization on which to configure the constraint. Only one of projectRef, folderRef, or organizationRef may be specified.

organizationRef.external

Optional

string

Allowed value: The `name` field of an `Organization` resource.

organizationRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

organizationRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

projectRef

Optional

object

The project on which to configure the constraint. Only one of projectRef, folderRef, or organizationRef may be specified.

projectRef.external

Optional

string

Allowed value: The `name` field of a `Project` resource.

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

restorePolicy

Optional

object

A restore policy is a constraint to restore the default policy.

restorePolicy.default

Required*

boolean

May only be set to true. If set, then the default Policy is restored.

version

Optional

integer

Version of the Policy. Default version is 0.

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
etag: string
observedGeneration: integer
updateTime: string
Fields
conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

etag

string

The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

updateTime

string

The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".

Sample YAML(s)

Organization Policy For Folder

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: resourcemanagerpolicy-sample-folder
spec:
  folderRef:
    name: resourcemanagerpolicy-dep-folder
  constraint: "constraints/compute.disableSerialPortAccess"
  booleanPolicy:
    enforced: true
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Folder
metadata:
  annotations:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    cnrm.cloud.google.com/organization-id: "${ORG_ID?}"
  name: resourcemanagerpolicy-dep-folder
spec:
  displayName: Organization Policy Sample

Organization Policy For Organization

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: resourcemanagerpolicy-sample-org
spec:
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  constraint: "constraints/compute.disableSerialPortAccess"
  booleanPolicy:
    enforced: true

Organization Policy For Project

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: resourcemanagerpolicy-sample-proj
spec:
  projectRef:
    name: resourcemanagerpolicy-dep-proj
  constraint: "constraints/compute.disableSerialPortAccess"
  booleanPolicy:
    enforced: true
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  annotations:
    # Replace "${ORG_ID?}" with the numeric ID for your folder
    cnrm.cloud.google.com/organization-id: "${ORG_ID?}"
  name: resourcemanagerpolicy-dep-proj
spec:
  name: Org Policy Sample