Quickstart Using List Constraints

This page explains how to use a list constraint to create and enforce an organization policy.

In this exercise, you will set up an organization policy that prevents all projects below it from having the compute.googleapis.com and deploymentmanager.googleapis.com APIs enabled. Note that projects that already have these APIs enabled will not have them disabled, because the policy is enforced at activation time. You will then use replace and merge semantics to layer policy within your hierarchy.

Before you begin

Sign in to your Google Account.

If you don't already have one, sign up for a new account.

  • You'll need an Organization resource to complete these exercises. If you're an existing G Suite or Cloud Identity customer, Google automatically creates an Organization resource for you the first time someone in your domain creates a project or a billing account.

  • You are assigned the roles/orgpolicy.PolicyAdmin role for your organization.

Get the API service name used for enforcement

To define this organization policy, you need the service name of the API you want to restrict. This quickstart includes an API service name as an example. To get the API service name of a different service, view the Available Constraints table, find the APIs and Services constraint, and choose from the list of accepted values.

Set up enforcement on the organization node

Note: This step will prevent any activations of the compute.googleapis.com API on all projects in this organization.

  1. Get the current policy on the organization using the describe command.

    gcloud beta resource-manager org-policies describe \
      --organization [ORGANIZATION_ID] serviceuser.services
    

    where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below. Since no policy is set, an incomplete policy is returned.

    constraint: "constraints/serviceuser.services"
    
  2. Add a denied value for compute.googleapis.com using the deny command.

    gcloud beta resource-manager org-policies deny \
      --organization [ORGANIZATION_ID] \
      serviceuser.services compute.googleapis.com
    

    where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    etag: BwVJi0OOESU=
    listPolicy:
      deniedValues:
        - compute.googleapis.com
    
  3. View the current effective policy using describe --effective.

    gcloud beta resource-manager org-policies describe --effective \
     --organization [ORGANIZATION_ID] serviceuser.services
    

    where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      deniedValues:
        - compute.googleapis.com
    

Merge the organization policy on a project

Next, you will merge the policy on a project to disallow both compute.googleapis.com and deploymentmanager.googleapis.com.

This "merges" the organization policy onto the project: the project's own denied value is combined with the value inherited from the organization, so both APIs are denied.

  1. Get the current policy on the project and show that it's empty.

    gcloud beta resource-manager org-policies describe \
     --project [PROJECT_ID] serviceuser.services
    

    where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below. Since no policy is set, an incomplete policy is returned.

    constraint: "constraints/serviceuser.services"
    
  2. Get the effective policy on the project.

    gcloud beta resource-manager org-policies describe --effective \
     --project [PROJECT_ID] serviceuser.services
    

    where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      deniedValues:
        - compute.googleapis.com
    
  3. Set the policy on the project using the set-policy command. Create a temporary file /tmp/policy.yaml with:

    constraint: constraints/serviceuser.services
    listPolicy:
      deniedValues:
        - deploymentmanager.googleapis.com
      inheritFromParent: true
    

    Then, run the set-policy command.

    gcloud beta resource-manager org-policies set-policy \
      --project [PROJECT_ID] /tmp/policy.yaml
    

    where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    etag: BwVLO2timxY=
    listPolicy:
      deniedValues:
        - deploymentmanager.googleapis.com
      inheritFromParent: true
    
  4. Get the effective policy to show the merged policy.

    gcloud beta resource-manager org-policies describe \
      --effective \
      --project [PROJECT_ID] serviceuser.services
    

    where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      deniedValues:
        - deploymentmanager.googleapis.com
        - compute.googleapis.com
    

Restore the default policy

Finally, you will replace the organization policy on the project, restoring the default to allow all activations.

This step replaces the organization policy on the project, allowing compute.googleapis.com as well as all other APIs to be enabled.

  1. Get the effective policy on the project to show the merged policy.

    gcloud beta resource-manager org-policies describe \
      --effective serviceuser.services \
      --project [PROJECT_ID]
    

    where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      deniedValues:
        - deploymentmanager.googleapis.com
        - compute.googleapis.com
    
  2. Replace it with a policy that allows all values on the project. Create a temporary file /tmp/restore-policy.yaml with:

    restoreDefault: {}
    constraint: constraints/serviceuser.services
    

    Then, run the command.

    gcloud beta resource-manager org-policies set-policy \
      --project [PROJECT_ID] /tmp/restore-policy.yaml
    

    where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    etag: BwVJi9D3VLY=
    restoreDefault: {}
    
  3. Get the effective policy to show everything is allowed.

    gcloud beta resource-manager org-policies describe \
      --effective \
      --project [PROJECT_ID] serviceuser.services
    

    where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      allValues: ALLOW
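
The merge and replace semantics exercised in the two sections above, modelled in an added Python example that is not part of the quickstart. The ListPolicy fields mirror the YAML shown on this page and the inheritance rules are inferred from the effective-policy outputs above; PROJECT_REPLACE is a constructed variant (deploymentmanager denied without inheritFromParent) that shows how a replace-style project policy drops the organization's denial of compute.googleapis.com on that project.

```python
# Added example, not part of the quickstart: a model of how the effective policy
# for a list constraint such as serviceuser.services is computed down the
# hierarchy. Rules are taken from this page's outputs: an unset node inherits its
# parent's effective policy, inheritFromParent: true merges denied values with the
# parent's, a policy without it replaces the parent's, and restoreDefault resets
# to the constraint default (allow all for this constraint).
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class ListPolicy:
    """One node's policy for a list constraint, mirroring the page's YAML fields."""
    denied_values: List[str] = field(default_factory=list)  # listPolicy.deniedValues
    inherit_from_parent: bool = False                       # listPolicy.inheritFromParent
    all_values: Optional[str] = None                        # listPolicy.allValues
    restore_default: bool = False                           # restoreDefault: {}

DEFAULT = ListPolicy(all_values="ALLOW")  # constraint default: any service may be enabled

# Policies from the quickstart steps, plus a constructed replace variant (no inheritFromParent).
ORG_DENY_COMPUTE = ListPolicy(denied_values=["compute.googleapis.com"])
PROJECT_MERGE = ListPolicy(denied_values=["deploymentmanager.googleapis.com"],
                           inherit_from_parent=True)
PROJECT_REPLACE = ListPolicy(denied_values=["deploymentmanager.googleapis.com"])
PROJECT_RESTORE = ListPolicy(restore_default=True)

def effective_policy(chain: List[Optional[ListPolicy]]) -> ListPolicy:
    """Fold node policies ordered organization first, project last; None = no policy set."""
    effective = DEFAULT
    for policy in chain:
        if policy is None:
            continue                 # unset node: the parent's effective policy flows through
        if policy.restore_default:
            effective = DEFAULT      # restoreDefault discards the inherited policy entirely
        elif policy.inherit_from_parent:
            merged = list(policy.denied_values)
            merged += [v for v in effective.denied_values if v not in merged]
            effective = ListPolicy(denied_values=merged)
        else:
            effective = ListPolicy(denied_values=list(policy.denied_values))
    return effective

def can_enable(chain: List[Optional[ListPolicy]], service: str) -> bool:
    """True if activating `service` at the last node of `chain` would be allowed."""
    return service not in effective_policy(chain).denied_values

if __name__ == "__main__":
    # Replace semantics silently drop the organization's denial of compute.googleapis.com.
    print(can_enable([ORG_DENY_COMPUTE, PROJECT_MERGE], "compute.googleapis.com"))    # False
    print(can_enable([ORG_DENY_COMPUTE, PROJECT_REPLACE], "compute.googleapis.com"))  # True
```

Auditing the effective policy (describe --effective) on each project, rather than only the policy set on the organization node, is what catches a replace-style child policy that reopens an API the organization intended to deny.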
    

Clean up

Next, you will clear the policies set during this quickstart, leaving no restrictions in the hierarchy.

  1. Delete the policy from the organization using the delete command.

    gcloud beta resource-manager org-policies delete \
      --organization [ORGANIZATION_ID] serviceuser.services
    

    where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    Deleted [<Empty>].
    
  2. Get the effective policy on the organization to show that it's no longer enforced.

    gcloud beta resource-manager org-policies describe \
      --effective \
      --organization [ORGANIZATION_ID] serviceuser.services
    

    where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      allValues: ALLOW
    
  3. Delete the policy from the project using the delete command.

    gcloud beta resource-manager org-policies delete \
      --project [PROJECT_ID] serviceuser.services
    

    where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    Deleted [<Empty>].
    
  4. Get the effective policy on the project to show that it's no longer enforced.

    gcloud beta resource-manager org-policies describe \
      --effective \
      --project [PROJECT_ID] serviceuser.services
    

    where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      allValues: ALLOW
    
