Namespace Google.Cloud.OrgPolicy.V1

Classes

Policy

Defines a Cloud Organization Policy which is used to specify Constraints for configurations of Cloud Platform resources.

Policy.Types

Container for nested types declared in the Policy message type.

Policy.Types.BooleanPolicy

Used in policy_type to specify how boolean_policy will behave at this resource.

Policy.Types.ListPolicy

Used in policy_type to specify how list_policy behaves at this resource.

ListPolicy can define specific values and subtrees of Cloud Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied by setting the allowed_values and denied_values fields. This is achieved by using the under: and optional is: prefixes. The under: prefix is used to denote resource subtree values. The is: prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats:

  • "projects/<project-id>", e.g. "projects/tokyo-rain-123"
  • "folders/<folder-id>", e.g. "folders/1234"
  • "organizations/<organization-id>", e.g. "organizations/1234"

The supports_under field of the associated Constraint defines whether ancestry prefixes can be used. You can set allowed_values and denied_values in the same Policy if all_values is ALL_VALUES_UNSPECIFIED. ALLOW or DENY are used to allow or deny all values. If all_values is set to either ALLOW or DENY, allowed_values and denied_values must be unset.
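A pre-flight check for the ListPolicy rules described above, as an added example that is not part of the library or its documentation. The ListPolicyChecks class, its Validate helper and the sample values are hypothetical, and supportsUnder stands in for the supports_under field of the associated Constraint.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using Google.Cloud.OrgPolicy.V1;
using AllValues = Google.Cloud.OrgPolicy.V1.Policy.Types.ListPolicy.Types.AllValues;

public static class ListPolicyChecks
{
    // Ancestry subtree formats listed in the ListPolicy description.
    private static readonly Regex Ancestry =
        new Regex(@"^(projects|folders|organizations)/[^/\s]+$");

    // Hypothetical helper: returns the rule violations found in a ListPolicy.
    // supportsUnder mirrors the supports_under field of the associated Constraint.
    public static List<string> Validate(Policy.Types.ListPolicy lp, bool supportsUnder)
    {
        var errors = new List<string>();
        var values = lp.AllowedValues.Concat(lp.DeniedValues).ToList();

        if (lp.AllValues != AllValues.Unspecified && values.Count > 0)
            errors.Add("all_values is ALLOW or DENY: allowed_values and denied_values must be unset");

        foreach (var v in values)
        {
            if (v.StartsWith("under:", StringComparison.Ordinal))
            {
                if (!supportsUnder)
                    errors.Add($"'{v}': the constraint does not support ancestry prefixes");
                else if (!Ancestry.IsMatch(v.Substring("under:".Length)))
                    errors.Add($"'{v}': not a projects/, folders/ or organizations/ subtree");
            }
            else if (!v.StartsWith("is:", StringComparison.Ordinal) && v.Contains(":"))
                errors.Add($"'{v}': a value containing ':' needs the is: prefix");
        }
        return errors;
    }

    public static void Main()
    {
        // Constructed sample policy; the values are made up for illustration.
        var lp = new Policy.Types.ListPolicy
        {
            AllValues = AllValues.Deny,
            AllowedValues = { "under:folders/1234", "under:tokyo-rain-123", "example.com:svc" }
        };
        foreach (var e in Validate(lp, supportsUnder: true)) Console.WriteLine(e);
    }
}
```

Running a check like this before submitting a Policy catches a malformed under: value or a conflicting all_values setting locally.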

Policy.Types.ListPolicy.Types

Container for nested types declared in the ListPolicy message type.

Policy.Types.RestoreDefault

Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource.

Suppose that constraint_default is set to ALLOW for the Constraint constraints/serviceuser.services. Suppose that organization foo.com sets a Policy at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a Policy with the policy_type restore_default on several experimental projects, restoring the constraint_default enforcement of the Constraint for only those projects, allowing those projects to have all services activated.

Enums

Policy.PolicyTypeOneofCase

Enum of possible cases for the "policy_type" oneof.

Policy.Types.ListPolicy.Types.AllValues

This enum can be used to set Policies that apply to all possible configuration values rather than specific values in allowed_values or denied_values.

Setting this to ALLOW will mean this Policy allows all values. Similarly, setting it to DENY will mean no values are allowed. If set to either ALLOW or DENY, allowed_values and denied_values must be unset. Setting this to ALL_VALUES_UNSPECIFIED allows for setting allowed_values and denied_values.