Policy Simulator for Organization Policy lets you preview the impact of a new custom constraint or organization policy that enforces a custom constraint before it is enforced on your production environment. Policy Simulator provides a list of resources that violate the proposed policy before it is enforced, allowing you to reconfigure those resources, request exceptions, or change the scope of your organization policy, all without disrupting your developers or bringing down your environment.
This page describes how to test a change to an organization policy using Policy Simulator. It also explains how to interpret the results of the simulation and how to apply the tested organization policy if you so choose.
Before you begin
-
If you are using the Google Cloud CLI, set the project you want to use for making API calls:
gcloud config set project PROJECT_IDReplace
PROJECT_IDwith the name or ID of the project. -
Enable the Policy Simulator and Resource Manager APIs.
- Optional: Get an introduction to the Organization Policy Service.
Required roles
To get the permissions that you need to run and access simulations,
ask your administrator to grant you the
OrgPolicy Simulator Admin (roles/policysimulator.orgPolicyAdmin) IAM role on the organization.
For more information about granting roles, see Manage access.
This predefined role contains the permissions required to run and access simulations. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to run and access simulations:
-
orgpolicy.constraints.list -
orgpolicy.customConstraints.get -
orgpolicy.policies.list -
cloudasset.assets.searchAllResources -
cloudasset.assets.listResource -
cloudasset.assets.listOrgPolicy -
policysimulator.orgPolicyViolationsPreviews.list -
policysimulator.orgPolicyViolationsPreviews.get -
policysimulator.orgPolicyViolationsPreviews.create -
policysimulator.orgPolicyViolations.list
You might also be able to get these permissions with custom roles or other predefined roles.
Test a policy change
You can test a change to a custom constraint, an organization policy that enforces a custom constraint, or both at the same time.
Console
In the Google Cloud console, go to the Organization policies page.
Select the project picker at the top of the page.
From the project picker, select the resource for which you want to test changes to an organization policy. To test changes to a custom constraint, you must select an organization resource.
If you want to test a new custom constraint, click Custom constraint. If you want to make changes to an existing custom constraint, select it from the list on the Organization policies page, and then click Edit constraint.
Create or update the custom constraint you want to test.
For example, to define a custom constraint that restricts the creation of Google Kubernetes Engine cluster resources where Binary Authorization is not enabled, do the following:
In the Resource type box, select
container.googleapis.com/Cluster.Under Enforcement method, select Enforce on create.
Click Edit condition.
In the Add condition panel, enter
resource.binaryAuthorization.enabled == true.Click Save.
Under Action, select Allow.
For more information, see Creating and managing custom constraints.
Click Test constraint.
If this is a new constraint or a constraint not enforced by an organization policy, you must define the organization policy.
In the Select scope box, select the resource for which you want to test this custom constraint.
Click Customize.
Click Add a rule.
Under Enforcement, select On, and then click Done.
Click Continue.
The Simulation history page appears, with a list of simulations performed by you in the last 14 days. See Policy Simulator results on this page for more information.
gcloud
To test a custom constraint, create a JSON or YAML file that defines the custom constraint you want to test.
For example, a custom constraint that restricts the creation of Google Kubernetes Engine cluster resources where Binary Authorization is not enabled is similar to the following:
name: "organizations/ORGANIZATION_ID/customConstraints/custom.EnforceGKEBinaryAuthz" resource_types: "container.googleapis.com/Cluster" method_types: CREATE condition: "resource.binaryAuthorization.enabled == true" action_type: ALLOWReplace
ORGANIZATION_IDwith your organization ID, such as1234567890123.For more information about how to create custom constraints, see Creating and managing custom constraints.
To test an organization policy that conditionally enforces a custom constraint based on the existence of a particular tag, create a JSON or YAML file that defines the organization policy you want to test.
For example, the following organization policy restricts the creation of Google Kubernetes Engine cluster resources where Binary Authorization is not enabled, except on resources that have the tag
env=devattached.name: "organizations/ORGANIZATION_ID/policies/custom.EnforceGKEBinaryAuthz" spec: rules: - condition: expression: resource.matchTag('env', 'dev') enforce: false - enforce: trueReplace
ORGANIZATION_IDwith your organization ID, such as1234567890123.For more information about conditional organization policies, see Setting an organization policy with tags.
To test an organization policy that enforces a custom constraint, create a JSON or YAML file that defines the organization policy you want to test.
For example, an organization policy that restricts the creation of Google Kubernetes Engine cluster resources where Binary Authorization is not enabled is similar to the following:
name: "organizations/ORGANIZATION_ID/policies/custom.EnforceGKEBinaryAuthz" spec: rules: - enforce: trueReplace
ORGANIZATION_IDwith your organization ID, such as1234567890123.To test the deletion of an organization policy that enforces a custom constraint, create a JSON or YAML file that defines the organization policy but sets no rules, and inherits the policy from its parent resource.
For example, the following organization policy would simulate deleting an existing
custom.EnforceGKEBinaryAuthzcustom constraint.name: "organizations/ORGANIZATION_ID/policies/custom.EnforceGKEBinaryAuthz" spec: inheritFromParent: trueRun the following command to simulate the change to the custom constraint, organization policy, or both:
gcloud beta policy-intelligence simulate orgpolicy \ --organization=ORGANIZATION_ID \ --custom-constraints=CONSTRAINT_PATH \ --policies=POLICY_PATH
Replace the following:
ORGANIZATION_ID: your organization ID, such as1234567890123. Simulating changes over multiple organizations is not supported.CONSTRAINT_PATH: the full path to the custom constraint you have created or updated. For example,tmp/constraint.yamlIf you set the--policiesflag, you don't need to set the--custom-constraintsflag.POLICY_PATH: the full path to the organization policy you have created or updated. For example,tmp/policy.yamlIf you set the--custom-constraintsflag, you don't need to set the--policiesflag.
After several minutes, the command prints a list of resources that would violate the changes to the custom constraint, the organization policy, or both.
Results are also viewable in the Google Cloud console. See Policy Simulator results on this page to learn how to read the results.
The following is a sample response for an organization policy simulation.
This simulation involves a custom constraint that restricts the creation of
Google Kubernetes Engine cluster resources where Binary Authorization is not enabled. In this
case, if the proposed change were applied, two cluster resources would
violate the policy: orgpolicy-test-cluster under the project
simulator-test-project, and autopilot-cluster-1 under the project
orgpolicy-test-0.
Waiting for operation [organizations/012345678901/locations/global/orgPolic
yViolationsPreviews/85be9a2d-8c49-470d-a65a-d0cb9ffa8f83/operations/1883a83
c-c448-42e5-a7c5-10a850928f06] to complete...done.
---
customConstraint:
actionType: ALLOW
condition: resource.binaryAuthorization.enabled == true
methodTypes:
- CREATE
name: organizations/012345678901/customConstraints/custom.EnforceGKEBinaryAuthz
resourceTypes:
- container.googleapis.com/Cluster
name: organizations/012345678901/locations/global/orgPolicyViolationsPreviews/3dd47fd3-6df1-4156-8f10-413a3fc0ed83/orgPolicyViolations/b9fd23a5-7163-46de-9fec-7b9aa6af1113
resource:
ancestors:
- organizations/012345678901
- projects/456789012345
assetType: container.googleapis.com/Cluster
resource: //container.googleapis.com/projects/simulator-test-project/locations/us-central1/clusters/orgpolicy-test-cluster
---
customConstraint:
actionType: ALLOW
condition: resource.binaryAuthorization.enabled == true
methodTypes:
- CREATE
name: organizations/012345678901/customConstraints/custom.EnforceGKEBinaryAuthz
resourceTypes:
- container.googleapis.com/Cluster
name: organizations/012345678901/locations/global/orgPolicyViolationsPreviews/3dd47fd3-6df1-4156-8f10-413a3fc0ed83/orgPolicyViolations/e73896e6-7613-4a8d-8436-5df7a6455121
resource:
ancestors:
- organizations/012345678901
- folders/789012345678
- projects/456789012345
assetType: container.googleapis.com/Cluster
resource: //container.googleapis.com/projects/orgpolicy-test-0/locations/us-central1/clusters/autopilot-cluster-1
Policy Simulator results
Policy Simulator reports the results of a change in a custom constraint or organization policy as a list of violations of the simulated policy. The Google Cloud console stores results of simulations generated by you in the last 14 days.
To view simulation results, go to the Simulation history page.
Select a simulation to see details. On the Simulation report page, you can see the preview of violations, which lists the number of total violations caused by the new custom constraint or organization policy, the number of resources that were checked in the scope of the simulation, and the time at which the simulation completed.
If you simulated a custom constraint, you can click Constraint details to see the specific configuration that was simulated. If you simulated an organization policy, the Policy details tab shows the configuration that was simulated.
All violations are listed in the table of resources. Each resource that violates the new custom constraint or organization policy is listed with a link to the resource entry in Cloud Asset Inventory. Project, folder, and organization resources are displayed with the sum total of resources below them in the hierarchy that violate the new custom constraint or organization policy.
Apply a tested policy change
After you have tested your custom constraint, organization policy, or both, you can set up the custom constraint and enforce the organization policy. You can see all Policy Simulator results in the Google Cloud console, regardless of how they were generated. If your simulation report includes changes to no more than one organization policy, you can enforced the organization policy directly through the simulation results. To enforce test changes in multiple organization policies, use the Google Cloud CLI.
Console
To enforce a custom constraint Policy Simulator results, go to the Simulation history page.
Select the simulation report for the custom constraint or organization policy you want to apply.
If this simulation report includes a custom constraint, click Save constraint.
If this simulation report includes changes to no more than one organization policy, you can apply that organization policy as a dry-run policy to monitor behavior in production without introducing risk by selecting Set dry run policy. The Policy details page for the new organization policy page appears.
You can enforce the organization policy immediately by clicking and then selecting Set policy.
gcloud
To enforce a custom constraint, you must set it up to make it available for organization policies in your organization. To set up a custom constraint, use the gcloud org-policies set-custom-constraint command:
gcloud org-policies set-custom-constraint CONSTRAINT_PATHReplace
CONSTRAINT_PATHwith the full path to your custom constraint file. For example,/home/user/customconstraint.yaml.After this is completed, your custom constraint is available in your list of Google Cloud organization policies.
To enforce an organization policy containing a custom constraint, use the gcloud org-policies set-policy command:
gcloud org-policies set-policy POLICY_PATHReplace
POLICY_PATHwith the full path to your organization policy YAML file.The policy takes up to 15 minutes to take effect.
Save simulation results
Console
If you are using the Google Cloud console, you can save Policy Simulator results as a CSV file.
To save Policy Simulator results, go to the Simulation history page.
Select the simulation report you want to save.
Click Export full results.
gcloud
If you are using the gcloud CLI, you can save Policy Simulator results as JSON or YAML files.
By default, test results in the Google Cloud CLI are output in YAML format. To
save a test result as a YAML file, redirect the output of the
simulate orgpolicy command when running the simulation:
> FILENAME
Replace FILENAME with a name for the output file.
To save a test result as a JSON file, add the following flag
to the simulate orgpolicy command when running the simulation:
--format=json > FILENAME
Replace FILENAME with a name for the output file.
What's next
- Learn about constraints in-depth.
- Read about the additional options you can use to customize your policies.
- Learn how to set organization policies based on Tags.