This page describes how to create, set up, and manage custom constraints on Cloud SQL instances. For an overview of custom organization policies, see custom organization policies.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
- Add the Organization Policy Administrator role
(
roles/orgpolicy.policyAdmin
) to your user or service account from the IAM & Admin page. - See Restrictions before performing this procedure.
Supported fields for custom constraints
You can set custom constraints on the following fields:
Field | Example use case |
SqlDatabaseVersion | Enforce the use of specific database versions |
region | Restrict the creation of instances to specific regions |
availabilityType | Enforce high availability |
ipConfiguration > pscConfig > allowedConsumerProjects | Restrict the allowlisting of consumer projects in PSC to specific projects |
ipConfiguration > sslMode | Enforce SSL mode to be ENCRYPTED_ONLY or TRUSTED_CLIENT_CERTIFICATE_REQUIRED . You can't choose SSL mode while creating a Cloud SQL instance in Google Cloud console. So, if you create this custom organization policy, you need to create a Cloud SQL instance using gcloud CLI, API, or Terraform.
|
dataDiskType | Enforce the use of either SSD or HDD |
backupConfiguration > location | Restrict automated backup locations to specific locations |
backupConfiguration > pointInTimeRecoveryEnabled | Enforce all instances to enable PITR |
backupConfiguration > transactionLogRetentionDays | Enforce all instances to use a specific retention period for transaction log retention |
backupConfiguration > backupRetentionSettings > retentionUnit | Enforce the retention days on all backups |
passwordValidationPolicy > minLength | Enforce the password policy for a minimum length |
passwordValidationPolicy > complexity | Enforce the password policy for complexity |
passwordValidationPolicy > reuseInterval | Enforce the password policy for specific re-use interval |
passwordValidationPolicy > disallowUsernameSubstring | Enforce the password policy for not allowing username as the password |
Edition | Enforce all instances to use the Enterprise Plus edition |
connectorEnforcement | Require all connections to use Cloud SQL connectors |
dataCacheConfig | Require all instances to use Data Cache |
Create and set up a custom constraint
A custom constraint is defined in a YAML file using the resources, methods, conditions, and actions that are supported by the service on which you are enforcing the organization policy. Conditions for your custom constraints are defined using Common Expression Language (CEL). For more information about how to build conditions in custom constraints using CEL, see Common Expression Language.
Console
In the Google Cloud console, go to the Organization policies page.
Select the project picker at the top of the page.
From the project picker, select the resource for which you want to set the organization policy.
Click
Custom constraint.In the Display name box, enter a name for the constraint. This field has a maximum length of 200 characters.
In the Constraint ID box, enter the name you want for your new custom constraint. A custom constraint must start with
custom.
, and can only include uppercase letters, lowercase letters, or numbers, for example,custom.requireCloudSqlPasswordMinLength
. The maximum length of this field is 70 characters, not counting the prefix, for example,organizations/123456789/customConstraints/custom.
.In the Description box, enter a human-friendly description of the constraint to display as an error message when the policy is violated. This field has a maximum length of 2000 characters.
In the Resource type box, select the name of the Google Cloud REST resource containing the object and field you want to restrict—for example,
sqladmin.googleapis.com/Instance
. There is a maximum of 20 custom constraints per resource type. If you try to create a custom constraint for a resource type that already has 20 custom constraints, the operation fails.Under Enforcement method, select whether to enforce the constraint on a REST
CREATE
method, or on bothCREATE
andUPDATE
methods.Edit condition and do the following:
In the Add condition panel, create a CEL condition that refers to a supported service resource, for example
resource.settings.passwordValidationPolicy.minLength > 10
. This field has a maximum length of 1000 characters. For details about CEL usage, see Common Expression Language. For more information about the service resources you can use in your custom constraints, see Custom constraint supported services.Click Save.
Under Action, select whether to allow or deny the evaluated method if the earlier condition is met.
Deny blocks operations to create or update the resource if the condition evaluates to true.
Allow permits operations to create or update the resource if the condition evaluates to true. Every other case except the ones explicitly listed in the condition is blocked.
Click Create constraint.
When you have entered a value into each field, the equivalent YAML configuration for this custom constraint appears on the right.
gcloud
To create a YAML file for a custom constraint, use the following format:
name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
resourceTypes:
- container.googleapis.com/RESOURCE_NAME
methodTypes:
- CREATE
- UPDATE
condition: "CONDITION"
actionType: ACTION
displayName: DISPLAY_NAME
description: DESCRIPTION
Replace the following:
ORGANIZATION_ID
: your organization ID, such as123456789
.CONSTRAINT_NAME
: the name you want for your new custom constraint. A custom constraint must start withcustom.
, and can only include uppercase letters, lowercase letters, or numbers, for example, custom.enableGkeAutopilot. The maximum length of this field is 70 characters, not counting the prefix, for example,organizations/123456789/customConstraints/custom
.RESOURCE_NAME
: the name (not the URI) of the GKE API REST resource containing the object and field you want to restrict. For example,Cluster
.CONDITION
: a CEL condition that is written against a representation of a supported service resource. This field has a maximum length of 1000 characters.ACTION
: the action to take if thecondition
is met. This can be eitherALLOW
orDENY
.Deny blocks operations to create or update the resource if the condition evaluates to true.
Allow permits operations to create or update the resource if the condition evaluates to true. Every other case except the ones explicitly listed in the condition is blocked.
DISPLAY_NAME
: a name for the constraint. This field has a maximum length of 200 characters.DESCRIPTION
: a description of the constraint to display as an error message when the policy is violated. This field has a maximum length of 2000 characters.
gcloud org-policies set-custom-constraint
command:
gcloud org-policies set-custom-constraint CONSTRAINT_PATHReplace
CONSTRAINT_PATH
with the full path to your
custom constraint file. For example, /home/user/customconstraint.yaml
.
Once completed, you will find your custom constraints as available organization policies
in your list of Google Cloud organization policies.
To verify that the custom constraint exists, use the
gcloud org-policies list-custom-constraints
command:
gcloud org-policies list-custom-constraints --organization=ORGANIZATION_IDReplace
ORGANIZATION_ID
with the ID of your organization resource.
For more information, see
Viewing organization policies.Enforce a custom organization policy
Once a custom constraint has been set up, it operates identically to predefined boolean constraints. Google Cloud checks custom constraints first when evaluating if a user request is allowed. If any of the custom organization policies deny the request, the request is rejected. Then, Google Cloud checks for predefined organization policies enforced on that resource.
You can enforce a boolean constraint by creating an organization policy that references it, and applying that organization policy to a Google Cloud resource.Console
To enforce a boolean constraint:
- In the Google Cloud console, go to the Organization policies page.
- Select the project picker at the top of the page.
- From the project picker, select the project for which you want to set the organization policy.
- Select your constraint from the list on the Organization policies page. The Policy details page for that constraint should appear.
- To configure the organization policy for this resource, click Manage policy.
- On the Edit policy page, select Override parent's policy.
- Click Add a rule.
- Under Enforcement, select whether enforcement of this organization policy should be on or off.
- Optionally, to make the organization policy conditional on a tag, click Add condition. Note that if you add a conditional rule to an organization policy, you must add at least one unconditional rule or the policy cannot be saved. For more details, see Setting an organization policy with tags.
- If this is a custom constraint, you can click Test changes to simulate the effect of this organization policy. For more information, see Test organization policy changes with Policy Simulator.
- To finish and apply the organization policy, click Set policy. The policy will take up to 15 minutes to take effect.
gcloud
To create an organization policy that enforces a boolean constraint, create a policy YAML file that references the constraint:
name: projects/PROJECT_ID/policies/CONSTRAINT_NAME spec: rules: - enforce: true
Replace the following:
-
PROJECT_ID
: the project on which you want to enforce your constraint. -
CONSTRAINT_NAME
: the name you defined for your custom constraint. For example,custom.enableGkeAutopilot
.
To enforce the organization policy containing the constraint, run the following command:
gcloud org-policies set-policy POLICY_PATH
Replace POLICY_PATH
with the full path to your organization policy
YAML file. The policy will take up to 15 minutes to take effect.
Update a custom constraint
You can update a custom constraint by editing the constraint in the
Google Cloud console, or by creating a new YAML file and using the
set-custom-constraint
gcloud CLI command again. There is no
versioning of custom constraints, so this overwrites the existing custom
constraint. If the custom constraint is already enforced, the updated custom
constraint takes effect immediately.
Console
In the Google Cloud console, go to the Organization policies page.
Select the project picker at the top of the page.
From the project picker, select the resource for which you want to update the organization policy.
Select the constraint you want to edit from the list on the Organization policies page. The Policy details page for that constraint should appear.
Click
Edit constraint.Make changes to the display name, description, enforcement method, condition, and action. You can't change the constraint ID or resource type once the constraint is created.
Click Save changes.
gcloud
To edit an existing custom constraint using gcloud CLI, create a new YAML file containing the changes you want to make:
name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
resourceTypes:
- RESOURCE_NAME
methodTypes:
- METHOD1
- METHOD2
condition: "CONDITION"
actionType: ACTION
displayName: DISPLAY_NAME
description: DESCRIPTION
Replace the following:
ORGANIZATION_ID
: your organization ID, such as123456789
.CONSTRAINT_NAME
: the name you want for your new custom constraint. A custom constraint must start withcustom.
, and can only include uppercase letters, lowercase letters, or numbers, for example,custom.disableGkeAutoUpgrade
. The maximum length of this field is 70 characters, not counting the prefix, for example,organizations/123456789/customConstraints/custom.
.RESOURCE_NAME
: the fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example,container.googleapis.com/NodePool
. For more information about the service resources you can use in your custom constraints, see Custom constraint supported services.METHOD1,METHOD2
: a list of RESTful methods for which to enforce the constraint. Can beCREATE
orCREATE
andUPDATE
. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.CONDITION
: a CEL condition that refers to a supported service resource, for example"resource.management.autoUpgrade == false"
. This field has a maximum length of 1000 characters. For details about CEL usage, see Common Expression Language.ACTION
: the action to take if thecondition
is met. This can be eitherALLOW
orDENY
.DISPLAY_NAME
: a name for the constraint. This field has a maximum length of 200 characters.DESCRIPTION
: a human-friendly description of the constraint to display as an error message when the policy is violated. This field has a maximum length of 2000 characters.
After you have created a new custom constraint using the gcloud CLI, you must set it up to make
it available for organization policies in your organization. To set up a custom constraint, use
the gcloud org-policies set-custom-constraint
command:
gcloud org-policies set-custom-constraint CONSTRAINT_PATHReplace
CONSTRAINT_PATH
with the full path to your
custom constraint file. For example, /home/user/customconstraint.yaml
.
Once completed, you will find your custom constraints as available organization policies
in your list of Google Cloud organization policies.
To verify that the custom constraint exists, use the
gcloud org-policies list-custom-constraints
command:
gcloud org-policies list-custom-constraints --organization=ORGANIZATION_IDReplace
ORGANIZATION_ID
with the ID of your organization resource.
For more information, see
Viewing organization policies.Delete a custom constraint
You can delete a custom constraint using the Google Cloud console or the gcloud CLI.
Console
In the Google Cloud console, go to the Organization policies page.
Select the project picker at the top of the page.
From the project picker, select the resource for which you want to delete the organization policy.
Select the constraint you want to delete from the list on the Organization policies page. The Policy details page for that constraint should appear.
Click
Delete.To confirm you want to delete the constraint, click Delete.
gcloud
To delete a custom constraint, use the org-policies delete-custom-constraint
gcloud CLI command:
gcloud org-policies delete-custom-constraint custom.CONSTRAINT_NAME \
--organization=ORGANIZATION_ID
Replace the following:
ORGANIZATION_ID
: your organization ID, such as123456789
.CONSTRAINT_NAME
: the name of your custom constraint. For example,
.custom.disableGkeAutoUpgrade
The output is similar to the following:
Deleted custom constraint [organizations/123456789/customConstraints/custom.disableGkeAutoUpgrade
]
If you delete a custom constraint, any policies that have been created using that constraint continue to exist, but are ignored. You can't create another custom constraint with the same name as a deleted custom constraint.
Example: Use a custom constraint to enforce the use of SSD instead of HDD
Create the
dataDiskType.yaml
file, as follows:name: organizations/651333429324/customConstraints/custom.dataDiskType resourceTypes: - sqladmin.googleapis.com/Instance methodTypes: - CREATE - UPDATE condition: resource.settings.dataDiskType == "PD_SSD" actionType: ALLOW displayName: dataDiskType must be PD_SDD description: dataDiskType must be PD_SSD
This ensures that all
CREATE
andUPDATE
methods on an instance meet the constraint ofdataDiskType
beingSSD
. As a result, any instances that involveHDD
are rejected.Set up the custom constraint at the organization level:
gcloud org-policies set-custom-constraint dataDiskType.yaml
Create `enforceDataDiskType.yaml' as follows:
name: projects/custom-constraints-cloudsql3/policies/custom.dataDiskType spec: rules: - enforce: true
Enforce the custom constraint at the project level:
gcloud org-policies set-policy enforceDataDiskType.yaml
What's next
- Learn about Organization policies.
- Learn about how private IP works with Cloud SQL.
- Learn how to configure private IP for Cloud SQL.
- Learn about the organization policy service.
- Learn about organization policy constraints.
- Learn about creating and managing custom organization policies