Classes
Policy
Defines a Cloud Organization Policy which is used to specify Constraints for configurations of Cloud Platform resources.
Policy.Types
Container for nested types declared in the Policy message type.
Policy.Types.BooleanPolicy
Used in policy_type to specify how boolean_policy will behave at this resource.
Policy.Types.ListPolicy
Used in policy_type to specify how list_policy behaves at this resource.
ListPolicy can define specific values and subtrees of Cloud Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied by setting the allowed_values and denied_values fields. This is achieved by using the under: and optional is: prefixes.
The under: prefix is used to denote resource subtree values.
The is: prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix.
Ancestry subtrees must be in one of the following formats:
- "projects/<project-id>", e.g. "projects/tokyo-rain-123"
- "folders/<folder-id>", e.g. "folders/1234"
- "organizations/<organization-id>", e.g. "organizations/1234"
The supports_under field of the associated Constraint defines whether ancestry prefixes can be used. You can set allowed_values and denied_values in the same Policy if all_values is ALL_VALUES_UNSPECIFIED. ALLOW or DENY are used to allow or deny all values. If all_values is set to either ALLOW or DENY, allowed_values and denied_values must be unset.
Policy.Types.ListPolicy.Types
Container for nested types declared in the ListPolicy message type.
Policy.Types.RestoreDefault
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource.
Suppose that constraint_default is set to ALLOW for the Constraint constraints/serviceuser.services. Suppose that organization foo.com sets a Policy at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a Policy with the policy_type restore_default on several experimental projects, restoring the constraint_default enforcement of the Constraint for only those projects, allowing those projects to have all services activated.
Enums
Policy.PolicyTypeOneofCase
Enum of possible cases for the "policy_type" oneof.
Policy.Types.ListPolicy.Types.AllValues
This enum can be used to set Policies that apply to all possible configuration values rather than specific values in allowed_values or denied_values.
Setting this to ALLOW will mean this Policy allows all values. Similarly, setting it to DENY will mean no values are allowed. If set to either ALLOW or DENY, allowed_values and denied_values must be unset. Setting this to ALL_VALUES_UNSPECIFIED allows for setting allowed_values and denied_values.
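The ListPolicy and AllValues rules above can be checked before a policy is applied. The following lint is an added example, not part of this library or its documentation. It assumes the policy is held as a plain dict keyed by the field names used on this page; the function names, the ID pattern in the regex and the sample policies are constructed for illustration.

```python
import re

# Ancestry formats listed for "under:" values; the ID charset is an assumption.
ANCESTRY = re.compile(r"^(projects|folders|organizations)/[^/\s]+$")

def normalize(value):
    """Return (kind, bare_value); 'is:' and no prefix are equivalent."""
    if value.startswith("under:"):
        return "subtree", value[len("under:"):]
    if value.startswith("is:"):
        return "exact", value[len("is:"):]
    return "exact", value

def lint_list_policy(list_policy, supports_under):
    """Return a list of rule violations for one ListPolicy dict.

    list_policy uses the field names from the page (all_values,
    allowed_values, denied_values); supports_under is the flag of the
    associated Constraint.
    """
    problems = []
    all_values = list_policy.get("all_values", "ALL_VALUES_UNSPECIFIED")
    allowed = list_policy.get("allowed_values", [])
    denied = list_policy.get("denied_values", [])
    if all_values in ("ALLOW", "DENY") and (allowed or denied):
        problems.append(f"all_values={all_values} requires allowed_values "
                        "and denied_values to be unset")
    for field, values in (("allowed_values", allowed), ("denied_values", denied)):
        for raw in values:
            kind, bare = normalize(raw)
            if kind == "subtree":
                if not supports_under:
                    problems.append(f"{field}: {raw!r} uses under: but the "
                                    "constraint does not support it")
                if not ANCESTRY.match(bare):
                    problems.append(f"{field}: {raw!r} is not an ancestry subtree")
            elif ":" in raw and not raw.startswith("is:"):
                problems.append(f"{field}: {raw!r} contains ':', needs is: prefix")
    return problems

# Constructed sample policies (not from the page).
GOOD = {"allowed_values": ["under:folders/1234", "is:projects/tokyo-rain-123"],
        "denied_values": ["under:projects/tokyo-rain-123"]}
BAD = {"all_values": "ALLOW", "allowed_values": ["under:folder/1234", "a:b"]}

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_list_policy(policy, supports_under=True))
```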