Quickstart Using Boolean Constraints

This guide will walk you through setting up an organization policy based on a boolean constraint.

In this exercise, the organization policy will prevent serial port access to the virtual machines in your organization. It will then show how to set up an exemption to the rule on a per-project basis.

Before you begin

Sign in to your Google account.

If you don't already have one, sign up for a new account.

  • You'll need an Organization resource to complete these exercises. If you're an existing G Suite customer, Google automatically creates an Organization resource for you the first time someone in your G Suite domain creates a project or a billing account. If you're not a G Suite customer and wish to create an Organization resource, contact our sales team to verify your domain for Google Cloud and create the Organization resource.
  • You are assigned the roles/orgpolicy.PolicyAdmin role for your organization.

Set up enforcement on the organization resource

  1. Run the gcloud command line tool describe command to get the current policy on the organization.

    gcloud alpha resource-manager org-policies describe \
      --organization [ORGANIZATION_ID] compute.disableSerialPortAccess
    

    Where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below. Since no policy is set, an incomplete policy is returned.

    constraint: "constraints/compute.disableSerialPortAccess"
    
  2. Set the policy to enforce on the organization using the enable-enforce command.

    gcloud alpha resource-manager org-policies enable-enforce \
      --organization [ORGANIZATION_ID] compute.disableSerialPortAccess
    

    Where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    booleanPolicy:
        enforced: true
    constraint: constraints/compute.disableSerialPortAccess
    etag: BwVJitxdiwY=
    
  3. View the current effective policy using describe --effective, as shown below.

    gcloud alpha resource-manager org-policies describe \
      --effective \
      --organization [ORGANIZATION_ID] compute.disableSerialPortAccess
    

    Where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    booleanPolicy:
      enforced: true
    constraint: constraints/compute.disableSerialPortAccess
    

Override the organization policy for a project

This will allow serial port connections to all VMs below the project.

  1. Get the current policy on the project to show that it's empty.

    gcloud alpha resource-manager org-policies describe \
      --project [PROJECT_ID] compute.disableSerialPortAccess
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: "constraints/compute.disableSerialPortAccess"
    
  2. Get the effective policy on the project, which shows enforcement is true.

    gcloud alpha resource-manager org-policies describe \
      --effective \
      --project [PROJECT_ID] compute.disableSerialPortAccess
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    booleanPolicy:
      enforced: true
    constraint: constraints/compute.disableSerialPortAccess
    
  3. Set the policy on the project to not enforce, using the disable-enforce command.

    gcloud alpha resource-manager org-policies disable-enforce \
      --project [PROJECT_ID] compute.disableSerialPortAccess
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    booleanPolicy: {}
    constraint: constraints/compute.disableSerialPortAccess
    etag: BwVJivdnXvM=
    
  4. Get the effective policy to show that it's not enforced on the project.

    gcloud alpha resource-manager org-policies describe \
      --effective \
      --project [PROJECT_ID] compute.disableSerialPortAccess
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    booleanPolicy: {}
    constraint: constraints/compute.disableSerialPortAccess
    

Clean up

Now you will clear the policy from the organization and project.

These steps will allow all attempts to establish serial port connections to succeed for VMs in projects that don't have a policy stating otherwise.

  1. Delete the policy from the org using the delete command.

    gcloud alpha resource-manager org-policies delete \
      --organization [ORGANIZATION_ID] compute.disableSerialPortAccess
    

    Where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    Deleted [<Empty>].
    
  2. Get the effective policy on the organization to show it's not enforced.

    gcloud alpha resource-manager org-policies describe \
      --effective \
      --organization [ORGANIZATION_ID] compute.disableSerialPortAccess
    

    Where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    booleanPolicy: {}
    constraint: constraints/compute.disableSerialPortAccess
    
  3. Delete the policy from the project using the delete command.

    gcloud alpha resource-manager org-policies delete \
      --project [PROJECT_ID] compute.disableSerialPortAccess
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    Deleted [<Empty>].
    
  4. Get the effective policy on the project to show it's not enforced.

    gcloud alpha resource-manager org-policies describe \
      --effective \
      --project [PROJECT_ID] compute.disableSerialPortAccess
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    booleanPolicy: {}
    constraint: constraints/compute.disableSerialPortAccess
    
