PolicyArgs

data class PolicyArgs(val dryRunSpec: Output<PolicyDryRunSpecArgs>? = null, val name: Output<String>? = null, val parent: Output<String>? = null, val spec: Output<PolicySpecArgs>? = null) : ConvertibleToJava<PolicyArgs>

An organization policy gives you programmatic control over your organization's cloud resources. Using Organization Policies, you will be able to configure constraints across your entire resource hierarchy. For more information, see the Google Cloud Organization Policy documentation.

Example Usage

Enforce_policy

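A test of an enforce orgpolicy policy for a project. Note that the rule in this example sets enforce to "FALSE", so the iam.disableServiceAccountKeyUpload constraint is not enforced on the project; set enforce to "TRUE" to enforce it.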

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Project that the organization policy below is attached to.
const basic = new gcp.organizations.Project("basic", {
    projectId: "id",
    name: "id",
    orgId: "123456789",
});

// Both resource paths are derived from the project's name output.
const policyName = pulumi.interpolate`projects/${basic.name}/policies/iam.disableServiceAccountKeyUpload`;
const policyParent = pulumi.interpolate`projects/${basic.name}`;

// NOTE(review): enforce "FALSE" means this policy does not enforce
// iam.disableServiceAccountKeyUpload, so service account key upload stays
// allowed for the project; use "TRUE" to enforce the constraint.
const unenforcedRule = { enforce: "FALSE" };

const primary = new gcp.orgpolicy.Policy("primary", {
    name: policyName,
    parent: policyParent,
    spec: {
        rules: [unenforcedRule],
    },
});
import pulumi
import pulumi_gcp as gcp
# Project that the organization policy below is attached to.
basic = gcp.organizations.Project(
    "basic",
    project_id="id",
    name="id",
    org_id="123456789",
)

# Both resource paths are derived from the project's name output.
policy_name = basic.name.apply(lambda name: f"projects/{name}/policies/iam.disableServiceAccountKeyUpload")
policy_parent = basic.name.apply(lambda name: f"projects/{name}")

# NOTE(review): enforce "FALSE" means this policy does not enforce
# iam.disableServiceAccountKeyUpload, so service account key upload stays
# allowed for the project; use "TRUE" to enforce the constraint.
unenforced_rule = gcp.orgpolicy.PolicySpecRuleArgs(enforce="FALSE")

primary = gcp.orgpolicy.Policy(
    "primary",
    name=policy_name,
    parent=policy_parent,
    spec=gcp.orgpolicy.PolicySpecArgs(rules=[unenforced_rule]),
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
// Deploys a project and an organization policy attached to it.
return await Deployment.RunAsync(() =>
{
    var basic = new Gcp.Organizations.Project("basic", new()
    {
        ProjectId = "id",
        Name = "id",
        OrgId = "123456789",
    });

    // Both resource paths are derived from the project's name output.
    var policyName = basic.Name.Apply(name => $"projects/{name}/policies/iam.disableServiceAccountKeyUpload");
    var policyParent = basic.Name.Apply(name => $"projects/{name}");

    // NOTE(review): Enforce "FALSE" means this policy does not enforce
    // iam.disableServiceAccountKeyUpload, so service account key upload stays
    // allowed for the project; use "TRUE" to enforce the constraint.
    var spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
    {
        Rules = new[]
        {
            new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
            {
                Enforce = "FALSE",
            },
        },
    };

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = policyName,
        Parent = policyParent,
        Spec = spec,
    });
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a project and attaches an organization policy to it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		basic, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
			ProjectId: pulumi.String("id"),
			Name:      pulumi.String("id"),
			OrgId:     pulumi.String("123456789"),
		})
		if err != nil {
			return err
		}

		// Both resource paths are derived from the project's name output.
		policyName := basic.Name.ApplyT(func(name string) (string, error) {
			return fmt.Sprintf("projects/%v/policies/iam.disableServiceAccountKeyUpload", name), nil
		}).(pulumi.StringOutput)
		policyParent := basic.Name.ApplyT(func(name string) (string, error) {
			return fmt.Sprintf("projects/%v", name), nil
		}).(pulumi.StringOutput)

		// NOTE(review): Enforce "FALSE" means this policy does not enforce
		// iam.disableServiceAccountKeyUpload, so service account key upload
		// stays allowed for the project; use "TRUE" to enforce the constraint.
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:   policyName,
			Parent: policyParent,
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						Enforce: pulumi.String("FALSE"),
					},
				},
			},
		})
		// err is nil on success, so returning it covers both outcomes.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.Project;
import com.pulumi.gcp.organizations.ProjectArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that creates a project and attaches an organization policy to it.
 *
 * <p>NOTE(review): {@code PolicySpecRuleArgs} is used below but is not among the
 * imports shown with this listing; the matching import has to be added before
 * the class compiles.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the project and the policy resources.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var basic = new Project("basic", ProjectArgs.builder()
            .projectId("id")
            .name("id")
            .orgId("123456789")
            .build());

        // Both resource paths are derived from the project's name output.
        var policyName = basic.name().applyValue(
            name -> String.format("projects/%s/policies/iam.disableServiceAccountKeyUpload", name));
        var policyParent = basic.name().applyValue(name -> String.format("projects/%s", name));

        // NOTE(review): enforce "FALSE" means this policy does not enforce
        // iam.disableServiceAccountKeyUpload, so service account key upload stays
        // allowed for the project; use "TRUE" to enforce the constraint.
        var unenforcedRule = PolicySpecRuleArgs.builder()
            .enforce("FALSE")
            .build();
        var policySpec = PolicySpecArgs.builder()
            .rules(unenforcedRule)
            .build();

        var primary = new Policy("primary", PolicyArgs.builder()
            .name(policyName)
            .parent(policyParent)
            .spec(policySpec)
            .build());
    }
}
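# Project plus an organization policy attached to it.
# Nesting restored: the flattened listing put every key at the top level.
resources:
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: projects/${basic.name}/policies/iam.disableServiceAccountKeyUpload
      parent: projects/${basic.name}
      spec:
        rules:
          # NOTE(review): enforce FALSE means the constraint is not enforced, so
          # service account key upload stays allowed for the project. The other
          # language examples pass the string "FALSE"; an unquoted FALSE may be
          # read as a YAML boolean - confirm, or quote the value.
          - enforce: FALSE
  basic:
    type: gcp:organizations:Project
    properties:
      projectId: id
      name: id
      orgId: '123456789'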

Folder_policy

A test of an orgpolicy policy for a folder

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Folder that the organization policy below is attached to.
const basic = new gcp.organizations.Folder("basic", {
    parent: "organizations/123456789",
    displayName: "folder",
});

// The policy name is built from the folder's name output.
const policyName = pulumi.interpolate`${basic.name}/policies/gcp.resourceLocations`;

// denyAll "TRUE" denies every value of the gcp.resourceLocations constraint at
// this folder; inheritFromParent also brings in rules set higher in the
// hierarchy, so review the effective policy after deployment.
const denyAllSpec = {
    inheritFromParent: true,
    rules: [{ denyAll: "TRUE" }],
};

const primary = new gcp.orgpolicy.Policy("primary", {
    name: policyName,
    parent: basic.name,
    spec: denyAllSpec,
});
import pulumi
import pulumi_gcp as gcp
# Folder that the organization policy below is attached to.
basic = gcp.organizations.Folder(
    "basic",
    parent="organizations/123456789",
    display_name="folder",
)

# The policy name is built from the folder's name output.
policy_name = basic.name.apply(lambda name: f"{name}/policies/gcp.resourceLocations")

# deny_all "TRUE" denies every value of the gcp.resourceLocations constraint at
# this folder; inherit_from_parent also brings in rules set higher in the
# hierarchy, so review the effective policy after deployment.
deny_all_spec = gcp.orgpolicy.PolicySpecArgs(
    inherit_from_parent=True,
    rules=[gcp.orgpolicy.PolicySpecRuleArgs(deny_all="TRUE")],
)

primary = gcp.orgpolicy.Policy(
    "primary",
    name=policy_name,
    parent=basic.name,
    spec=deny_all_spec,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
// Deploys a folder and an organization policy attached to it.
return await Deployment.RunAsync(() =>
{
    var basic = new Gcp.Organizations.Folder("basic", new()
    {
        Parent = "organizations/123456789",
        DisplayName = "folder",
    });

    // The policy name is built from the folder's name output.
    var policyName = basic.Name.Apply(name => $"{name}/policies/gcp.resourceLocations");

    // DenyAll "TRUE" denies every value of the gcp.resourceLocations constraint
    // at this folder; InheritFromParent also brings in rules set higher in the
    // hierarchy, so review the effective policy after deployment.
    var spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
    {
        InheritFromParent = true,
        Rules = new[]
        {
            new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
            {
                DenyAll = "TRUE",
            },
        },
    };

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = policyName,
        Parent = basic.Name,
        Spec = spec,
    });
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a folder and attaches an organization policy to it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		basic, err := organizations.NewFolder(ctx, "basic", &organizations.FolderArgs{
			Parent:      pulumi.String("organizations/123456789"),
			DisplayName: pulumi.String("folder"),
		})
		if err != nil {
			return err
		}

		// The policy name is built from the folder's name output.
		policyName := basic.Name.ApplyT(func(name string) (string, error) {
			return fmt.Sprintf("%v/policies/gcp.resourceLocations", name), nil
		}).(pulumi.StringOutput)

		// DenyAll "TRUE" denies every value of the gcp.resourceLocations
		// constraint at this folder; InheritFromParent also brings in rules set
		// higher in the hierarchy, so review the effective policy after deployment.
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:   policyName,
			Parent: basic.Name,
			Spec: &orgpolicy.PolicySpecArgs{
				InheritFromParent: pulumi.Bool(true),
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						DenyAll: pulumi.String("TRUE"),
					},
				},
			},
		})
		// err is nil on success, so returning it covers both outcomes.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.Folder;
import com.pulumi.gcp.organizations.FolderArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that creates a folder and attaches an organization policy to it.
 *
 * <p>NOTE(review): {@code PolicySpecRuleArgs} is used below but is not among the
 * imports shown with this listing; the matching import has to be added before
 * the class compiles.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the folder and the policy resources.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var basic = new Folder("basic", FolderArgs.builder()
            .parent("organizations/123456789")
            .displayName("folder")
            .build());

        // The policy name is built from the folder's name output.
        var policyName = basic.name().applyValue(
            name -> String.format("%s/policies/gcp.resourceLocations", name));

        // denyAll "TRUE" denies every value of the gcp.resourceLocations constraint
        // at this folder; inheritFromParent also brings in rules set higher in the
        // hierarchy, so review the effective policy after deployment.
        var denyAllRule = PolicySpecRuleArgs.builder()
            .denyAll("TRUE")
            .build();
        var policySpec = PolicySpecArgs.builder()
            .inheritFromParent(true)
            .rules(denyAllRule)
            .build();

        var primary = new Policy("primary", PolicyArgs.builder()
            .name(policyName)
            .parent(basic.name())
            .spec(policySpec)
            .build());
    }
}
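# Folder plus an organization policy attached to it.
# Nesting restored: the flattened listing put every key at the top level.
resources:
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: ${basic.name}/policies/gcp.resourceLocations
      parent: ${basic.name}
      spec:
        # Rules set higher in the hierarchy are also brought in, so review the
        # effective policy after deployment.
        inheritFromParent: true
        rules:
          # Denies every value of the gcp.resourceLocations constraint.
          # NOTE(review): the other language examples pass the string "TRUE";
          # an unquoted TRUE may be read as a YAML boolean - confirm, or quote it.
          - denyAll: TRUE
  basic:
    type: gcp:organizations:Folder
    properties:
      parent: organizations/123456789
      displayName: folder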

Organization_policy

A test of an orgpolicy policy for an organization

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// reset: true drops any configuration at this level and restores the
// constraint's default behavior.
// NOTE(review): confirm that the default for gcp.detailedAuditLoggingMode
// satisfies your audit-logging requirements before applying this.
const resetSpec = { reset: true };

const primary = new gcp.orgpolicy.Policy("primary", {
    name: "organizations/123456789/policies/gcp.detailedAuditLoggingMode",
    parent: "organizations/123456789",
    spec: resetSpec,
});
import pulumi
import pulumi_gcp as gcp
# reset=True drops any configuration at this level and restores the
# constraint's default behavior.
# NOTE(review): confirm that the default for gcp.detailedAuditLoggingMode
# satisfies your audit-logging requirements before applying this.
reset_spec = gcp.orgpolicy.PolicySpecArgs(reset=True)

primary = gcp.orgpolicy.Policy(
    "primary",
    name="organizations/123456789/policies/gcp.detailedAuditLoggingMode",
    parent="organizations/123456789",
    spec=reset_spec,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
// Deploys an organization-level policy that resets a constraint.
return await Deployment.RunAsync(() =>
{
    // Reset = true drops any configuration at this level and restores the
    // constraint's default behavior.
    // NOTE(review): confirm that the default for gcp.detailedAuditLoggingMode
    // satisfies your audit-logging requirements before applying this.
    var spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
    {
        Reset = true,
    };

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = "organizations/123456789/policies/gcp.detailedAuditLoggingMode",
        Parent = "organizations/123456789",
        Spec = spec,
    });
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions an organization-level policy that resets a constraint.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Reset true drops any configuration at this level and restores the
		// constraint's default behavior.
		// NOTE(review): confirm that the default for gcp.detailedAuditLoggingMode
		// satisfies your audit-logging requirements before applying this.
		resetSpec := &orgpolicy.PolicySpecArgs{
			Reset: pulumi.Bool(true),
		}

		_, err := orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:   pulumi.String("organizations/123456789/policies/gcp.detailedAuditLoggingMode"),
			Parent: pulumi.String("organizations/123456789"),
			Spec:   resetSpec,
		})
		// err is nil on success, so returning it covers both outcomes.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Pulumi program that declares an organization-level policy resetting a constraint. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the policy resource.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // reset(true) drops any configuration at this level and restores the
        // constraint's default behavior.
        // NOTE(review): confirm that the default for gcp.detailedAuditLoggingMode
        // satisfies your audit-logging requirements before applying this.
        var resetSpec = PolicySpecArgs.builder()
            .reset(true)
            .build();

        var primary = new Policy("primary", PolicyArgs.builder()
            .name("organizations/123456789/policies/gcp.detailedAuditLoggingMode")
            .parent("organizations/123456789")
            .spec(resetSpec)
            .build());
    }
}
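# Organization-level policy that resets a constraint.
# Nesting restored: the flattened listing put every key at the top level.
resources:
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: organizations/123456789/policies/gcp.detailedAuditLoggingMode
      parent: organizations/123456789
      spec:
        # Drops any configuration at this level and restores the constraint's
        # default behavior.
        # NOTE(review): confirm that default satisfies your audit-logging
        # requirements before applying this.
        reset: true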

Project_policy

A test of an orgpolicy policy for a project

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Project that the organization policy below is attached to.
const basic = new gcp.organizations.Project("basic", {
    projectId: "id",
    name: "id",
    orgId: "123456789",
});

// Both resource paths are derived from the project's name output.
const policyName = pulumi.interpolate`projects/${basic.name}/policies/gcp.resourceLocations`;
const policyParent = pulumi.interpolate`projects/${basic.name}`;

// Rule that applies its allow/deny lists only where the condition matches.
const conditionalRule = {
    condition: {
        description: "A sample condition for the policy",
        expression: "resource.matchLabels('labelKeys/123', 'labelValues/345')",
        location: "sample-location.log",
        title: "sample-condition",
    },
    values: {
        allowedValues: ["projects/allowed-project"],
        deniedValues: ["projects/denied-project"],
    },
};

// NOTE(review): this rule has no condition, so it allows every value of
// gcp.resourceLocations wherever the rule above does not apply - confirm that
// is intended before reusing the sample.
const allowAllRule = { allowAll: "TRUE" };

const primary = new gcp.orgpolicy.Policy("primary", {
    name: policyName,
    parent: policyParent,
    spec: {
        rules: [conditionalRule, allowAllRule],
    },
});
import pulumi
import pulumi_gcp as gcp
# Project that the organization policy below is attached to.
basic = gcp.organizations.Project(
    "basic",
    project_id="id",
    name="id",
    org_id="123456789",
)

# Both resource paths are derived from the project's name output.
policy_name = basic.name.apply(lambda name: f"projects/{name}/policies/gcp.resourceLocations")
policy_parent = basic.name.apply(lambda name: f"projects/{name}")

# Rule that applies its allow/deny lists only where the condition matches.
conditional_rule = gcp.orgpolicy.PolicySpecRuleArgs(
    condition=gcp.orgpolicy.PolicySpecRuleConditionArgs(
        description="A sample condition for the policy",
        expression="resource.matchLabels('labelKeys/123', 'labelValues/345')",
        location="sample-location.log",
        title="sample-condition",
    ),
    values=gcp.orgpolicy.PolicySpecRuleValuesArgs(
        allowed_values=["projects/allowed-project"],
        denied_values=["projects/denied-project"],
    ),
)

# NOTE(review): this rule has no condition, so it allows every value of
# gcp.resourceLocations wherever the rule above does not apply - confirm that
# is intended before reusing the sample.
allow_all_rule = gcp.orgpolicy.PolicySpecRuleArgs(allow_all="TRUE")

primary = gcp.orgpolicy.Policy(
    "primary",
    name=policy_name,
    parent=policy_parent,
    spec=gcp.orgpolicy.PolicySpecArgs(rules=[conditional_rule, allow_all_rule]),
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
// Deploys a project and an organization policy with a conditional rule.
return await Deployment.RunAsync(() =>
{
    var basic = new Gcp.Organizations.Project("basic", new()
    {
        ProjectId = "id",
        Name = "id",
        OrgId = "123456789",
    });

    // Both resource paths are derived from the project's name output.
    var policyName = basic.Name.Apply(name => $"projects/{name}/policies/gcp.resourceLocations");
    var policyParent = basic.Name.Apply(name => $"projects/{name}");

    // Rule that applies its allow/deny lists only where the condition matches.
    var conditionalRule = new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
    {
        Condition = new Gcp.OrgPolicy.Inputs.PolicySpecRuleConditionArgs
        {
            Description = "A sample condition for the policy",
            Expression = "resource.matchLabels('labelKeys/123', 'labelValues/345')",
            Location = "sample-location.log",
            Title = "sample-condition",
        },
        Values = new Gcp.OrgPolicy.Inputs.PolicySpecRuleValuesArgs
        {
            AllowedValues = new[]
            {
                "projects/allowed-project",
            },
            DeniedValues = new[]
            {
                "projects/denied-project",
            },
        },
    };

    // NOTE(review): this rule has no condition, so it allows every value of
    // gcp.resourceLocations wherever the rule above does not apply - confirm
    // that is intended before reusing the sample.
    var allowAllRule = new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
    {
        AllowAll = "TRUE",
    };

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = policyName,
        Parent = policyParent,
        Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            Rules = new[]
            {
                conditionalRule,
                allowAllRule,
            },
        },
    });
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a project and an organization policy with a conditional rule.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		basic, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
			ProjectId: pulumi.String("id"),
			Name:      pulumi.String("id"),
			OrgId:     pulumi.String("123456789"),
		})
		if err != nil {
			return err
		}

		// Both resource paths are derived from the project's name output.
		policyName := basic.Name.ApplyT(func(name string) (string, error) {
			return fmt.Sprintf("projects/%v/policies/gcp.resourceLocations", name), nil
		}).(pulumi.StringOutput)
		policyParent := basic.Name.ApplyT(func(name string) (string, error) {
			return fmt.Sprintf("projects/%v", name), nil
		}).(pulumi.StringOutput)

		// Rule that applies its allow/deny lists only where the condition matches.
		conditionalRule := &orgpolicy.PolicySpecRuleArgs{
			Condition: &orgpolicy.PolicySpecRuleConditionArgs{
				Description: pulumi.String("A sample condition for the policy"),
				Expression:  pulumi.String("resource.matchLabels('labelKeys/123', 'labelValues/345')"),
				Location:    pulumi.String("sample-location.log"),
				Title:       pulumi.String("sample-condition"),
			},
			Values: &orgpolicy.PolicySpecRuleValuesArgs{
				AllowedValues: pulumi.StringArray{
					pulumi.String("projects/allowed-project"),
				},
				DeniedValues: pulumi.StringArray{
					pulumi.String("projects/denied-project"),
				},
			},
		}

		// NOTE(review): this rule has no condition, so it allows every value of
		// gcp.resourceLocations wherever the rule above does not apply - confirm
		// that is intended before reusing the sample.
		allowAllRule := &orgpolicy.PolicySpecRuleArgs{
			AllowAll: pulumi.String("TRUE"),
		}

		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:   policyName,
			Parent: policyParent,
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					conditionalRule,
					allowAllRule,
				},
			},
		})
		// err is nil on success, so returning it covers both outcomes.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.Project;
import com.pulumi.gcp.organizations.ProjectArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that creates a project and an organization policy with a
 * conditional rule.
 *
 * <p>NOTE(review): {@code PolicySpecRuleArgs}, {@code PolicySpecRuleConditionArgs}
 * and {@code PolicySpecRuleValuesArgs} are used below but are not among the
 * imports shown with this listing; the matching imports have to be added before
 * the class compiles.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the project and the policy resources.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var basic = new Project("basic", ProjectArgs.builder()
            .projectId("id")
            .name("id")
            .orgId("123456789")
            .build());

        // Both resource paths are derived from the project's name output.
        var policyName = basic.name().applyValue(
            name -> String.format("projects/%s/policies/gcp.resourceLocations", name));
        var policyParent = basic.name().applyValue(name -> String.format("projects/%s", name));

        // Rule that applies its allow/deny lists only where the condition matches.
        var conditionalRule = PolicySpecRuleArgs.builder()
            .condition(PolicySpecRuleConditionArgs.builder()
                .description("A sample condition for the policy")
                .expression("resource.matchLabels('labelKeys/123', 'labelValues/345')")
                .location("sample-location.log")
                .title("sample-condition")
                .build())
            .values(PolicySpecRuleValuesArgs.builder()
                .allowedValues("projects/allowed-project")
                .deniedValues("projects/denied-project")
                .build())
            .build();

        // NOTE(review): this rule has no condition, so it allows every value of
        // gcp.resourceLocations wherever the rule above does not apply - confirm
        // that is intended before reusing the sample.
        var allowAllRule = PolicySpecRuleArgs.builder()
            .allowAll("TRUE")
            .build();

        var policySpec = PolicySpecArgs.builder()
            .rules(conditionalRule, allowAllRule)
            .build();

        var primary = new Policy("primary", PolicyArgs.builder()
            .name(policyName)
            .parent(policyParent)
            .spec(policySpec)
            .build());
    }
}
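# Project plus an organization policy with a conditional rule.
# Nesting restored: the flattened listing put every key at the top level.
resources:
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: projects/${basic.name}/policies/gcp.resourceLocations
      parent: projects/${basic.name}
      spec:
        rules:
          # Applies its allow/deny lists only where the condition matches.
          - condition:
              description: A sample condition for the policy
              expression: resource.matchLabels('labelKeys/123', 'labelValues/345')
              location: sample-location.log
              title: sample-condition
            values:
              allowedValues:
                - projects/allowed-project
              deniedValues:
                - projects/denied-project
          # NOTE(review): no condition here, so every value of
          # gcp.resourceLocations is allowed wherever the rule above does not
          # apply - confirm that is intended before reusing the sample.
          - allowAll: TRUE
  basic:
    type: gcp:organizations:Project
    properties:
      projectId: id
      name: id
      orgId: '123456789'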

Dry_run_spec

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
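// Custom constraint that only allows GKE node pools with auto-upgrade disabled.
// NOTE(review): the description says "created or updated", but methodTypes
// lists only CREATE - confirm whether updates are meant to be covered too.
const constraint = new gcp.orgpolicy.CustomConstraint("constraint", {
    name: "custom.disableGkeAutoUpgrade_2067",
    parent: "organizations/123456789",
    displayName: "Disable GKE auto upgrade",
    description: "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
    actionType: "ALLOW",
    condition: "resource.management.autoUpgrade == false",
    methodTypes: ["CREATE"],
    // Fixed: the listing carried HTML-escaped dots (&#46;) in this value; the
    // resource type is the plain dotted name used by the other examples.
    resourceTypes: ["container.googleapis.com/NodePool"],
});

// Policy that binds the custom constraint at the organization.
// NOTE(review): spec and dryRunSpec both set enforce "FALSE", so presumably
// neither live enforcement nor the dry-run audit of the constraint is active -
// confirm which of the two is meant to be "TRUE".
const primary = new gcp.orgpolicy.Policy("primary", {
    name: pulumi.interpolate`organizations/123456789/policies/${constraint.name}`,
    parent: "organizations/123456789",
    spec: {
        rules: [{
            enforce: "FALSE",
        }],
    },
    dryRunSpec: {
        inheritFromParent: false,
        reset: false,
        rules: [{
            enforce: "FALSE",
        }],
    },
});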
import pulumi
import pulumi_gcp as gcp
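# Custom constraint that only allows GKE node pools with auto-upgrade disabled.
# NOTE(review): the description says "created or updated", but method_types
# lists only CREATE - confirm whether updates are meant to be covered too.
constraint = gcp.orgpolicy.CustomConstraint("constraint",
    name="custom.disableGkeAutoUpgrade_2067",
    parent="organizations/123456789",
    display_name="Disable GKE auto upgrade",
    description="Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
    action_type="ALLOW",
    condition="resource.management.autoUpgrade == false",
    method_types=["CREATE"],
    # Fixed: the listing carried HTML-escaped dots (&#46;) in this value; the
    # resource type is the plain dotted name used by the other examples.
    resource_types=["container.googleapis.com/NodePool"])

# Policy that binds the custom constraint at the organization.
# NOTE(review): spec and dry_run_spec both set enforce "FALSE", so presumably
# neither live enforcement nor the dry-run audit of the constraint is active -
# confirm which of the two is meant to be "TRUE".
primary = gcp.orgpolicy.Policy("primary",
    name=constraint.name.apply(lambda name: f"organizations/123456789/policies/{name}"),
    parent="organizations/123456789",
    spec=gcp.orgpolicy.PolicySpecArgs(
        rules=[gcp.orgpolicy.PolicySpecRuleArgs(
            enforce="FALSE",
        )],
    ),
    dry_run_spec=gcp.orgpolicy.PolicyDryRunSpecArgs(
        inherit_from_parent=False,
        reset=False,
        rules=[gcp.orgpolicy.PolicyDryRunSpecRuleArgs(
            enforce="FALSE",
        )],
    ))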
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
// Deploys a custom constraint and a policy carrying both a live and a dry-run spec.
return await Deployment.RunAsync(() =>
{
    // NOTE(review): the description says "created or updated", but MethodTypes
    // lists only CREATE - confirm whether updates are meant to be covered too.
    var constraint = new Gcp.OrgPolicy.CustomConstraint("constraint", new()
    {
        Name = "custom.disableGkeAutoUpgrade_2067",
        Parent = "organizations/123456789",
        DisplayName = "Disable GKE auto upgrade",
        Description = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
        ActionType = "ALLOW",
        Condition = "resource.management.autoUpgrade == false",
        MethodTypes = new[]
        {
            "CREATE",
        },
        ResourceTypes = new[]
        {
            "container.googleapis.com/NodePool",
        },
    });

    // The policy name embeds the constraint's name output.
    var policyName = constraint.Name.Apply(name => $"organizations/123456789/policies/{name}");

    // NOTE(review): the live spec and the dry-run spec both set Enforce "FALSE",
    // so presumably neither live enforcement nor the dry-run audit of the
    // constraint is active - confirm which of the two is meant to be "TRUE".
    var liveSpec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
    {
        Rules = new[]
        {
            new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
            {
                Enforce = "FALSE",
            },
        },
    };
    var dryRunSpec = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecArgs
    {
        InheritFromParent = false,
        Reset = false,
        Rules = new[]
        {
            new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleArgs
            {
                Enforce = "FALSE",
            },
        },
    };

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = policyName,
        Parent = "organizations/123456789",
        Spec = liveSpec,
        DryRunSpec = dryRunSpec,
    });
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a custom constraint and a policy carrying both a live and a
// dry-run spec.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): the description says "created or updated", but
		// MethodTypes lists only CREATE - confirm whether updates are meant to
		// be covered too.
		constraint, err := orgpolicy.NewCustomConstraint(ctx, "constraint", &orgpolicy.CustomConstraintArgs{
			Name:        pulumi.String("custom.disableGkeAutoUpgrade_2067"),
			Parent:      pulumi.String("organizations/123456789"),
			DisplayName: pulumi.String("Disable GKE auto upgrade"),
			Description: pulumi.String("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."),
			ActionType:  pulumi.String("ALLOW"),
			Condition:   pulumi.String("resource.management.autoUpgrade == false"),
			MethodTypes: pulumi.StringArray{
				pulumi.String("CREATE"),
			},
			ResourceTypes: pulumi.StringArray{
				pulumi.String("container.googleapis.com/NodePool"),
			},
		})
		if err != nil {
			return err
		}

		// The policy name embeds the constraint's name output.
		policyName := constraint.Name.ApplyT(func(name string) (string, error) {
			return fmt.Sprintf("organizations/123456789/policies/%v", name), nil
		}).(pulumi.StringOutput)

		// NOTE(review): the live spec and the dry-run spec both set Enforce
		// "FALSE", so presumably neither live enforcement nor the dry-run audit
		// of the constraint is active - confirm which is meant to be "TRUE".
		liveSpec := &orgpolicy.PolicySpecArgs{
			Rules: orgpolicy.PolicySpecRuleArray{
				&orgpolicy.PolicySpecRuleArgs{
					Enforce: pulumi.String("FALSE"),
				},
			},
		}
		dryRunSpec := &orgpolicy.PolicyDryRunSpecArgs{
			InheritFromParent: pulumi.Bool(false),
			Reset:             pulumi.Bool(false),
			Rules: orgpolicy.PolicyDryRunSpecRuleArray{
				&orgpolicy.PolicyDryRunSpecRuleArgs{
					Enforce: pulumi.String("FALSE"),
				},
			},
		}

		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:       policyName,
			Parent:     pulumi.String("organizations/123456789"),
			Spec:       liveSpec,
			DryRunSpec: dryRunSpec,
		})
		// err is nil on success, so returning it covers both outcomes.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.orgpolicy.CustomConstraint;
import com.pulumi.gcp.orgpolicy.CustomConstraintArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicyDryRunSpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that creates a custom constraint and a policy carrying both a
 * live and a dry-run spec.
 *
 * <p>NOTE(review): {@code PolicySpecRuleArgs} and {@code PolicyDryRunSpecRuleArgs}
 * are used below but are not among the imports shown with this listing; the
 * matching imports have to be added before the class compiles.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the custom constraint and the policy resources.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // NOTE(review): the description says "created or updated", but methodTypes
        // lists only CREATE - confirm whether updates are meant to be covered too.
        var constraint = new CustomConstraint("constraint", CustomConstraintArgs.builder()
            .name("custom.disableGkeAutoUpgrade_2067")
            .parent("organizations/123456789")
            .displayName("Disable GKE auto upgrade")
            .description("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.")
            .actionType("ALLOW")
            .condition("resource.management.autoUpgrade == false")
            .methodTypes("CREATE")
            .resourceTypes("container.googleapis.com/NodePool")
            .build());

        // The policy name embeds the constraint's name output.
        var policyName = constraint.name().applyValue(
            name -> String.format("organizations/123456789/policies/%s", name));

        // NOTE(review): the live spec and the dry-run spec both set enforce "FALSE",
        // so presumably neither live enforcement nor the dry-run audit of the
        // constraint is active - confirm which of the two is meant to be "TRUE".
        var liveSpec = PolicySpecArgs.builder()
            .rules(PolicySpecRuleArgs.builder()
                .enforce("FALSE")
                .build())
            .build();
        var dryRunSpec = PolicyDryRunSpecArgs.builder()
            .inheritFromParent(false)
            .reset(false)
            .rules(PolicyDryRunSpecRuleArgs.builder()
                .enforce("FALSE")
                .build())
            .build();

        var primary = new Policy("primary", PolicyArgs.builder()
            .name(policyName)
            .parent("organizations/123456789")
            .spec(liveSpec)
            .dryRunSpec(dryRunSpec)
            .build());
    }
}
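# Custom constraint plus a policy carrying both a live and a dry-run spec.
# Nesting restored: the flattened listing put every key at the top level.
resources:
  constraint:
    type: gcp:orgpolicy:CustomConstraint
    properties:
      name: custom.disableGkeAutoUpgrade_2067
      parent: organizations/123456789
      displayName: Disable GKE auto upgrade
      description: Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.
      actionType: ALLOW
      condition: resource.management.autoUpgrade == false
      # NOTE(review): the description says "created or updated", but only
      # CREATE is listed - confirm whether updates are meant to be covered too.
      methodTypes:
        - CREATE
      resourceTypes:
        - container.googleapis.com/NodePool
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: organizations/123456789/policies/${constraint.name}
      parent: organizations/123456789
      # NOTE(review): spec and dryRunSpec both set enforce FALSE, so presumably
      # neither live enforcement nor the dry-run audit of the constraint is
      # active - confirm which of the two is meant to be TRUE.
      spec:
        rules:
          - enforce: FALSE
      dryRunSpec:
        inheritFromParent: false
        reset: false
        rules:
          - enforce: FALSE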

Import

Policy can be imported using any of these accepted formats:

  • {{parent}}/policies/{{name}}

When using the pulumi import command, Policy can be imported using one of the formats above. For example:

$ pulumi import gcp:orgpolicy/policy:Policy default {{parent}}/policies/{{name}}

Constructors

constructor(dryRunSpec: Output<PolicyDryRunSpecArgs>? = null, name: Output<String>? = null, parent: Output<String>? = null, spec: Output<PolicySpecArgs>? = null)

Properties

val dryRunSpec: Output<PolicyDryRunSpecArgs>? = null

Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.

val name: Output<String>? = null

Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures:

  • projects/{project_number}/policies/{constraint_name}
  • folders/{folder_id}/policies/{constraint_name}
  • organizations/{organization_id}/policies/{constraint_name}

For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.

val parent: Output<String>? = null

The parent of the resource.

val spec: Output<PolicySpecArgs>? = null

Basic information about the Organization Policy.

Functions

open override fun toJava(): PolicyArgs