REST Resource: organizations.customConstraints

Resource: CustomConstraint

A custom constraint defined by customers which can only be applied to the given resource types and organization.

By creating a custom constraint, customers can apply policies of this custom constraint. Creating a custom constraint itself does NOT apply any policy enforcement.

JSON representation
{
  "name": string,
  "resourceTypes": [
    string
  ],
  "methodTypes": [
    enum (MethodType)
  ],
  "condition": string,
  "actionType": enum (ActionType),
  "displayName": string,
  "description": string,
  "updateTime": string
}

Fields
name

string

Immutable. Name of the constraint. This is unique within the organization. Format of the name should be

  • organizations/{organization_id}/customConstraints/{custom_constraint_id}

Example: organizations/123/customConstraints/custom.createOnlyE2TypeVms

The max length is 70 characters and the minimum length is 1. Note that the prefix organizations/{organization_id}/customConstraints/ is not counted.

resourceTypes[]

string

Immutable. The resource instance type on which this policy applies. Format will be of the form: <service name>/<type>. Example:

  • compute.googleapis.com/Instance

methodTypes[]

enum (MethodType)

All the operations being applied for this constraint.

condition

string

A Common Expression Language (CEL) condition which is used in the evaluation of the constraint. For example: resource.instanceName.matches("(production|test)_.*_(\\d)+") or resource.management.auto_upgrade == true

The max length of the condition is 1000 characters.

actionType

enum (ActionType)

Allow or deny type.

displayName

string

One line display name for the UI. The max length of the displayName is 200 characters.

description

string

Detailed information about this custom policy constraint. The max length of the description is 2000 characters.

updateTime

string (Timestamp format)

Output only. The last time this custom constraint was updated. This represents the last time that the customConstraints.create or customConstraints.patch methods were called.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

MethodType

The operation for which this constraint will be applied. To apply this constraint only when creating new resources, the methodTypes should be CREATE only. To apply this constraint when creating or deleting resources, the methodTypes should be CREATE and DELETE.

UPDATE-only custom constraints are not supported. Use CREATE, or CREATE and UPDATE.

Enums

  • METHOD_TYPE_UNSPECIFIED: This is only used for distinguishing unset values and should never be used. Results in an error.
  • CREATE: Constraint applied when creating the resource.
  • UPDATE: Constraint applied when updating the resource.
  • DELETE: Constraint applied when deleting the resource. Not currently supported.
  • REMOVE_GRANT: Constraint applied when removing an IAM grant.
  • GOVERN_TAGS: Constraint applied when enforcing forced tagging.

ActionType

Allow or deny type.

Enums

  • ACTION_TYPE_UNSPECIFIED: This is only used for distinguishing unset values and should never be used. Results in an error.
  • ALLOW: Allowed action type.
  • DENY: Deny action type.

Methods

create

Creates a custom constraint.

delete

Deletes a custom constraint.

get

Gets a custom or managed constraint.

list

Retrieves all of the custom constraints that exist on a particular organization resource.

patch

Updates a custom constraint.