Custom
data class CustomConstraintArgs(val actionType: Output<String>? = null, val condition: Output<String>? = null, val description: Output<String>? = null, val displayName: Output<String>? = null, val methodTypes: Output<List<String>>? = null, val name: Output<String>? = null, val parent: Output<String>? = null, val resourceTypes: Output<List<String>>? = null) : ConvertibleToJava<CustomConstraintArgs>
Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies. To get more information about CustomConstraint, see:
Example Usage
Org Policy Custom Constraint Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const constraint = new gcp.orgpolicy.CustomConstraint("constraint", {
name: "custom.disableGkeAutoUpgrade",
parent: "organizations/123456789",
actionType: "ALLOW",
condition: "resource.management.autoUpgrade == false",
methodTypes: [
"CREATE",
"UPDATE",
],
resourceTypes: ["container.googleapis.com/NodePool"],
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
constraint = gcp.orgpolicy.CustomConstraint("constraint",
name="custom.disableGkeAutoUpgrade",
parent="organizations/123456789",
action_type="ALLOW",
condition="resource.management.autoUpgrade == false",
method_types=[
"CREATE",
"UPDATE",
],
resource_types=["container.googleapis.com/NodePool"])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var constraint = new Gcp.OrgPolicy.CustomConstraint("constraint", new()
{
Name = "custom.disableGkeAutoUpgrade",
Parent = "organizations/123456789",
ActionType = "ALLOW",
Condition = "resource.management.autoUpgrade == false",
MethodTypes = new[]
{
"CREATE",
"UPDATE",
},
ResourceTypes = new[]
{
"container.googleapis.com/NodePool",
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := orgpolicy.NewCustomConstraint(ctx, "constraint", &orgpolicy.CustomConstraintArgs{
Name: pulumi.String("custom.disableGkeAutoUpgrade"),
Parent: pulumi.String("organizations/123456789"),
ActionType: pulumi.String("ALLOW"),
Condition: pulumi.String("resource.management.autoUpgrade == false"),
MethodTypes: pulumi.StringArray{
pulumi.String("CREATE"),
pulumi.String("UPDATE"),
},
ResourceTypes: pulumi.StringArray{
pulumi.String("container.googleapis.com/NodePool"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.orgpolicy.CustomConstraint;
import com.pulumi.gcp.orgpolicy.CustomConstraintArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var constraint = new CustomConstraint("constraint", CustomConstraintArgs.builder()
.name("custom.disableGkeAutoUpgrade")
.parent("organizations/123456789")
.actionType("ALLOW")
.condition("resource.management.autoUpgrade == false")
.methodTypes(
"CREATE",
"UPDATE")
.resourceTypes("container.googleapis.com/NodePool")
.build());
}
}Content copied to clipboard
resources:
constraint:
type: gcp:orgpolicy:CustomConstraint
properties:
name: custom.disableGkeAutoUpgrade
parent: organizations/123456789
actionType: ALLOW
condition: resource.management.autoUpgrade == false
methodTypes:
- CREATE
- UPDATE
resourceTypes:
- container.googleapis.com/NodePoolContent copied to clipboard
Org Policy Custom Constraint Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const constraint = new gcp.orgpolicy.CustomConstraint("constraint", {
name: "custom.disableGkeAutoUpgrade",
parent: "organizations/123456789",
displayName: "Disable GKE auto upgrade",
description: "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
actionType: "ALLOW",
condition: "resource.management.autoUpgrade == false",
methodTypes: [
"CREATE",
"UPDATE",
],
resourceTypes: ["container.googleapis.com/NodePool"],
});
const bool = new gcp.orgpolicy.Policy("bool", {
name: pulumi.interpolate`organizations/123456789/policies/${constraint.name}`,
parent: "organizations/123456789",
spec: {
rules: [{
enforce: "TRUE",
}],
},
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
constraint = gcp.orgpolicy.CustomConstraint("constraint",
name="custom.disableGkeAutoUpgrade",
parent="organizations/123456789",
display_name="Disable GKE auto upgrade",
description="Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
action_type="ALLOW",
condition="resource.management.autoUpgrade == false",
method_types=[
"CREATE",
"UPDATE",
],
resource_types=["container.googleapis.com/NodePool"])
bool = gcp.orgpolicy.Policy("bool",
name=constraint.name.apply(lambda name: f"organizations/123456789/policies/{name}"),
parent="organizations/123456789",
spec={
"rules": [{
"enforce": "TRUE",
}],
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var constraint = new Gcp.OrgPolicy.CustomConstraint("constraint", new()
{
Name = "custom.disableGkeAutoUpgrade",
Parent = "organizations/123456789",
DisplayName = "Disable GKE auto upgrade",
Description = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
ActionType = "ALLOW",
Condition = "resource.management.autoUpgrade == false",
MethodTypes = new[]
{
"CREATE",
"UPDATE",
},
ResourceTypes = new[]
{
"container.googleapis.com/NodePool",
},
});
var @bool = new Gcp.OrgPolicy.Policy("bool", new()
{
Name = constraint.Name.Apply(name => $"organizations/123456789/policies/{name}"),
Parent = "organizations/123456789",
Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
{
Rules = new[]
{
new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
{
Enforce = "TRUE",
},
},
},
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
constraint, err := orgpolicy.NewCustomConstraint(ctx, "constraint", &orgpolicy.CustomConstraintArgs{
Name: pulumi.String("custom.disableGkeAutoUpgrade"),
Parent: pulumi.String("organizations/123456789"),
DisplayName: pulumi.String("Disable GKE auto upgrade"),
Description: pulumi.String("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."),
ActionType: pulumi.String("ALLOW"),
Condition: pulumi.String("resource.management.autoUpgrade == false"),
MethodTypes: pulumi.StringArray{
pulumi.String("CREATE"),
pulumi.String("UPDATE"),
},
ResourceTypes: pulumi.StringArray{
pulumi.String("container.googleapis.com/NodePool"),
},
})
if err != nil {
return err
}
_, err = orgpolicy.NewPolicy(ctx, "bool", &orgpolicy.PolicyArgs{
Name: constraint.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("organizations/123456789/policies/%v", name), nil
}).(pulumi.StringOutput),
Parent: pulumi.String("organizations/123456789"),
Spec: &orgpolicy.PolicySpecArgs{
Rules: orgpolicy.PolicySpecRuleArray{
&orgpolicy.PolicySpecRuleArgs{
Enforce: pulumi.String("TRUE"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.orgpolicy.CustomConstraint;
import com.pulumi.gcp.orgpolicy.CustomConstraintArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var constraint = new CustomConstraint("constraint", CustomConstraintArgs.builder()
.name("custom.disableGkeAutoUpgrade")
.parent("organizations/123456789")
.displayName("Disable GKE auto upgrade")
.description("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.")
.actionType("ALLOW")
.condition("resource.management.autoUpgrade == false")
.methodTypes(
"CREATE",
"UPDATE")
.resourceTypes("container.googleapis.com/NodePool")
.build());
var bool = new Policy("bool", PolicyArgs.builder()
.name(constraint.name().applyValue(name -> String.format("organizations/123456789/policies/%s", name)))
.parent("organizations/123456789")
.spec(PolicySpecArgs.builder()
.rules(PolicySpecRuleArgs.builder()
.enforce("TRUE")
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
constraint:
type: gcp:orgpolicy:CustomConstraint
properties:
name: custom.disableGkeAutoUpgrade
parent: organizations/123456789
displayName: Disable GKE auto upgrade
description: Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.
actionType: ALLOW
condition: resource.management.autoUpgrade == false
methodTypes:
- CREATE
- UPDATE
resourceTypes:
- container.googleapis.com/NodePool
bool:
type: gcp:orgpolicy:Policy
properties:
name: organizations/123456789/policies/${constraint.name}
parent: organizations/123456789
spec:
rules:
- enforce: TRUEContent copied to clipboard
Import
CustomConstraint can be imported using any of these accepted formats:
{{parent}}/customConstraints/{{name}}When using thepulumi importcommand, CustomConstraint can be imported using one of the formats above. For example:
$ pulumi import gcp:orgpolicy/customConstraint:CustomConstraint default {{parent}}/customConstraints/{{name}}Content copied to clipboard
Constructors
Link copied to clipboard
constructor(actionType: Output<String>? = null, condition: Output<String>? = null, description: Output<String>? = null, displayName: Output<String>? = null, methodTypes: Output<List<String>>? = null, name: Output<String>? = null, parent: Output<String>? = null, resourceTypes: Output<List<String>>? = null)
Properties
Link copied to clipboard
The action to take if the condition is met. Possible values are: ALLOW, DENY.
Link copied to clipboard
A CEL condition that refers to a supported service resource, for example resource.management.autoUpgrade == false. For details about CEL usage, see Common Expression Language.
Link copied to clipboard
A human-friendly description of the constraint to display as an error message when the policy is violated.
Link copied to clipboard
A human-friendly name for the constraint.
Link copied to clipboard
A list of RESTful methods for which to enforce the constraint. Can be CREATE, UPDATE, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.
Link copied to clipboard
Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, container.googleapis.com/NodePool.