Restrict new deployments by product version

Cloud Run functions offers two product versions: Cloud Run functions (1st gen) and Cloud Run functions created through the Google Cloud Functions v2 APIs. To allow only one of these versions for new function deployments, define an organization policy with the constraint constraints/cloudfunctions.restrictAllowedGenerations. You use this constraint to specify the generation (version) you want to allow or deny in the folder or project the policy is applied to.

The restriction applies only to new functions being deployed for the first time. You can still redeploy existing functions even if they don't comply with the policy.

Before you begin

To create or change organization policies, your account must have the role roles/orgpolicy.policyAdmin.

Use a policy to set and enforce restrictions

You can use the Google Cloud CLI to create a policy that restricts first-time deployments of new Cloud Run functions within a given organization to the specified environment (product version).

Setting a policy does not affect existing functions. All functions that were deployed before the policy was set can be redeployed, updated, or deleted without restriction.

To create a policy that restricts new Cloud Run functions, run the following command:

gcloud resource-manager org-policies \
  allow cloudfunctions.restrictAllowedGenerations \
  --organization=ORGANIZATION_NUMBER VERSION

where ORGANIZATION_NUMBER is the number of the organization to which you want to apply the policy, and VERSION is the Cloud Run functions version that must be used for new deployments. VERSION can be one of the following:

  • 1stGen: Allow the use of Cloud Run functions (1st gen) only.
  • 2ndGen: Allow the use of Cloud Run functions (2nd gen) only.
  • To explicitly allow both environments, specify 1stGen and 2ndGen together. By default, both environments are allowed when no policy is set.
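
Because the policy leaves already-deployed functions untouched, it helps to know which existing functions it would reject if they were new. The following Python script is an added example, not part of the original documentation; it assumes policy JSON in the listPolicy shape printed by gcloud resource-manager org-policies describe --format=json, a function inventory whose environment field is GEN_1 or GEN_2, and an assumed mapping of those values to 1stGen and 2ndGen. All sample data is constructed.

```python
import json

CONSTRAINT = "constraints/cloudfunctions.restrictAllowedGenerations"
# Assumption: inventory entries carry environment = GEN_1 / GEN_2, which we
# map to the VERSION values named on this page.
ENV_TO_VERSION = {"GEN_1": "1stGen", "GEN_2": "2ndGen"}


def allowed_versions(policy):
    """Return the set of versions the list policy permits for new deployments."""
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError("policy is for a different constraint")
    rules = policy.get("listPolicy", {})
    every = set(ENV_TO_VERSION.values())
    if rules.get("allValues") == "DENY":
        return set()
    # No allowedValues list means both versions are allowed by default.
    allowed = set(rules.get("allowedValues") or every) & every
    return allowed - set(rules.get("deniedValues", []))


def grandfathered(functions, policy):
    """List existing functions whose version the policy would reject if new."""
    allowed = allowed_versions(policy)
    flagged = []
    for fn in functions:
        # A missing or unrecognised environment is reported, not silently passed.
        version = ENV_TO_VERSION.get(fn.get("environment"), "unknown")
        if version not in allowed:
            flagged.append((fn["name"], version))
    return sorted(flagged)


# Constructed sample data (hypothetical project and function names).
SAMPLE_POLICY = json.loads(
    '{"constraint": "constraints/cloudfunctions.restrictAllowedGenerations",'
    ' "listPolicy": {"allowedValues": ["2ndGen"]}}'
)
SAMPLE_FUNCTIONS = [
    {"name": "projects/example-project/locations/us-central1/functions/legacy-resize",
     "environment": "GEN_1"},
    {"name": "projects/example-project/locations/us-central1/functions/api-handler",
     "environment": "GEN_2"},
    {"name": "projects/example-project/locations/us-central1/functions/no-env-field"},
]

if __name__ == "__main__":
    for name, version in grandfathered(SAMPLE_FUNCTIONS, SAMPLE_POLICY):
        print(f"{version}\t{name}")
```

Functions reported here can still be redeployed under the policy, so they are candidates for migration or for an explicit exception.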