Enforce organization policy by using Resource Manager

This guide describes how to set an organization policy that includes the resource locations constraint, and how to test that constraint after it is applied in the Google Cloud console.

Before you begin

  1. Make sure that billing is enabled for your Google Cloud project.

  2. Enable the Compute Engine and Resource Manager APIs.

  3. Make sure that you have the following role or roles on the organization: Organization Policy > Organization Policy Administrator, Compute Engine > Compute Storage Admin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the organization.
    3. In the Principal column, find the row that has your email address.

      If your email address isn't in that column, then you do not have any roles.

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the organization.
    3. Click Grant access.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Create new Project

To create a new project, do the following:

  1. Go to the Manage resources page in the Google Cloud console.


  2. On the Select organization drop-down list at the top of the page, select the organization resource in which you want to create a project. If you are a free trial user, skip this step, as this list does not appear.
  3. Click Create Project.
  4. In the New Project window that appears, enter a project name and select a billing account as applicable. A project name can contain only letters, numbers, single quotes, hyphens, spaces, or exclamation points, and must be between 4 and 30 characters.
  5. Enter the parent organization or folder resource in the Location box. That resource will be the hierarchical parent of the new project. If No organization is an option, you can select it to create your new project as the top level of its own resource hierarchy.
  6. When you're finished entering new project details, click Create.

After you create the Project, the Owner role is assigned to you. This role includes all of the permissions you need for the following quickstart. For more information about permissions, see Granting, changing, and revoking access to resources.

Create a Compute Engine disk

To test the functionality of the resource locations constraint, set up Compute Engine regional persistent disks. When you create a regional persistent disk, you must specify the location where it will reside. For more information about creating Compute Engine regional persistent disks, see Create and manage regional Persistent Disk volumes.

  1. In the Google Cloud console, go to the Disks page.

  2. Select the Project you created previously.

    1. If you are prompted to link a billing account to your Project, do so now. For more information about enabling billing, see Modify a Project's Billing Settings.
  3. Click Create Disk.

  4. Specify a Name for your disk.

  5. Select Replicate this disk within region.

  6. Under Region, select europe-north1 (Finland).

  7. Under Zones, select europe-north1-a and europe-north1-b.

  8. Click Create.

When the disk is successfully created, a green check mark appears next to the name.

Set the organization policy

To set an organization policy on the Project you created:

  1. In the Google Cloud console, go to the Organization policies page.

  2. Click Select.

  3. Select the Project you created.

  4. Click Google Cloud Platform - Define Resource Locations, and then click Edit.

  5. Under Applies to, select Customize.

  6. Under Policy values, select Custom.

  7. Under Policy type, select Allow.

  8. In the Policy value box, enter in:asia-locations.

  9. Click Save. A notification appears to confirm the policy update.

asia-locations is a value group that Google curates to include every location in a geographic region; in:asia-locations therefore allows every Asian region and zone for resources created from this point on, and nothing else. The constraint is checked at creation time by the services that enforce it and is not retroactive: the regional persistent disk you created in europe-north1 is unaffected and keeps running. If existing resources must also comply, you have to find and migrate them yourself.

Testing the organization policy

Now that the organization policy is in effect, Compute Engine rejects any location-bound resource whose location is outside the allowed list. To test this, try to create a regional persistent disk in a location the policy does not allow:

  1. In the Google Cloud console, go to the Disks page.

  2. Select the Project you created above.

  3. Click Create Disk.

  4. Specify a Name for your disk.

  5. Select Replicate this disk within region.

  6. Under Region, select europe-north1 (Finland).

  7. Under Zones, select europe-north1-a and europe-north1-b.

  8. Click Create.

A red exclamation point appears next to the name, and an error notification displays:

Location ZONE:europe-north1-a violates constraint
constraints/gcp.resourceLocations on the resource RESOURCE_ID

Where RESOURCE_ID is the full resource path of the disk, including your project. The disk is not created.
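As an added example (not code from the Google Cloud documentation), the following Python models how the policy set above decides whether a zone is permitted and reproduces the console test above offline. It takes the same policy in the JSON form that gcloud org-policies set-policy accepts, expands the in: value group, and then audits the disks this quickstart creates, which matters because the policy is not retroactive. Assumptions: PROJECT_ID is a placeholder; the value-group table is a constructed subset of Google's curated groups covering only the locations on this page; the disk inventory is constructed; conditional rules and policies inherited from a parent folder or the organization are not modeled.

```python
"""Offline check of a gcp.resourceLocations policy against Compute Engine
zones. Added illustration, not Google's policy evaluator; it applies the
constraint's allow/deny list semantics to a policy file in the JSON form
that `gcloud org-policies set-policy` accepts."""
import json

# Constructed subset of Google's curated value groups, limited to the
# locations this page uses. Groups nest: a continent group holds per-region
# groups, and a per-region group holds the region and its zones.
VALUE_GROUPS = {
    "asia-locations": {"in:asia-east2-locations"},
    "asia-east2-locations": {"asia-east2", "asia-east2-a", "asia-east2-b", "asia-east2-c"},
    "europe-locations": {"in:europe-north1-locations"},
    "europe-north1-locations": {"europe-north1", "europe-north1-a", "europe-north1-b", "europe-north1-c"},
}

# The policy set on the page, as a file for `gcloud org-policies set-policy`.
# PROJECT_ID is a placeholder for the project you created.
POLICY_JSON = """
{
  "name": "projects/PROJECT_ID/policies/gcp.resourceLocations",
  "spec": {
    "rules": [
      {"values": {"allowedValues": ["in:asia-locations"]}}
    ]
  }
}
"""

# Constructed inventory: the two regional disks this quickstart creates, in
# Compute Engine's regional-disk resource path form.
EXISTING_DISKS = [
    {"resource": "projects/PROJECT_ID/regions/europe-north1/disks/disk-finland",
     "zones": ["europe-north1-a", "europe-north1-b"]},
    {"resource": "projects/PROJECT_ID/regions/asia-east2/disks/disk-hongkong",
     "zones": ["asia-east2-a", "asia-east2-b"]},
]


def load_policy(text=POLICY_JSON):
    return json.loads(text)


def expand(value):
    """Locations a policy value covers: 'in:GROUP' expands recursively,
    anything else is a literal multi-region, region or zone name."""
    if not value.startswith("in:"):
        return {value}
    covered = set()
    for member in VALUE_GROUPS[value[len("in:"):]]:
        covered |= expand(member)
    return covered


def rule_permits(rule, location):
    """Apply one rule: denyAll/allowAll first, then deniedValues, then
    allowedValues. A rule with only deniedValues permits what it does not name."""
    if rule.get("denyAll"):
        return False
    if rule.get("allowAll"):
        return True
    values = rule.get("values", {})
    denied = set().union(*(expand(v) for v in values.get("deniedValues", [])))
    if location in denied:
        return False
    allowed_values = values.get("allowedValues", [])
    if not allowed_values:
        return True
    allowed = set().union(*(expand(v) for v in allowed_values))
    return location in allowed


def location_permitted(policy, location):
    """True if every unconditional rule permits the location. A spec with no
    rules does not enforce the constraint. Conditional rules and policies
    inherited from a parent folder or organization are outside this model."""
    rules = [r for r in policy["spec"].get("rules", []) if "condition" not in r]
    return all(rule_permits(r, location) for r in rules)


def constraint_name(policy):
    return "constraints/" + policy["name"].rsplit("/", 1)[-1]


def audit_disks(policy, disks):
    """Existing disks the policy would now reject, in the message form the
    console shows. The constraint is not retroactive, so these keep running;
    the list is what you would have to migrate."""
    findings = []
    for disk in disks:
        for zone in disk["zones"]:
            if not location_permitted(policy, zone):
                findings.append(
                    f"Location ZONE:{zone} violates constraint "
                    f"{constraint_name(policy)} on the resource {disk['resource']}")
    return findings


if __name__ == "__main__":
    for finding in audit_disks(load_policy(), EXISTING_DISKS):
        print(finding)
```

Run as a script it lists the two europe-north1 zones of the Finland disk as violations and nothing for the Hong Kong disk, which is the same split the console test shows. To apply the same policy from the command line instead of the console, save the JSON to a file and run gcloud org-policies set-policy on it; the model's value-group table is only a stand-in for the groups Google maintains, so treat it as a pre-flight check, not an authority.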

Create regional persistent disk in valid location

The organization policy constraint blocks the creation of resources unless you specify a valid location:

  1. In the Google Cloud console, go to the Disks page.

  2. Select the Project you created previously.

  3. Click Create Disk.

  4. Specify a Name for your disk.

  5. Select Replicate this disk within region.

  6. Under Region, select asia-east2 (Hong Kong).

  7. Under Zones, select asia-east2-a and asia-east2-b.

  8. Click Create.

The resource is created successfully because all zones under asia-east2 are within the asia-locations value group.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

Delete regional persistent disks

Delete the regional persistent disks you created for this quickstart:

  1. In the Google Cloud console, go to the Disks page.

  2. In the list that appears, select both of the disks that you created.

  3. To the right of the Create Disk button, click Delete.

  4. In the confirmation dialog that appears, click Delete.

A notification dialog appears to confirm the disks were deleted.

Delete the Project

Delete the Project you created for this quickstart:

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the drop-down at the top of the page, select the Organization in which you created the quickstart Project.

  3. In the list of Project resources that appears, select the Project that you created, then click Delete.

  4. On the Shut down project dialog that appears, enter the Project ID, and then click Shut down.

What's next