1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. orgpolicy
  5. Policy
Google Cloud v8.26.0 published on Thursday, Apr 10, 2025 by Pulumi

gcp.orgpolicy.Policy

Explore with Pulumi AI

Defines an organization policy which is used to specify constraints for configurations of Google Cloud resources.

To get more information about Policy, see:

Example Usage

Org Policy Policy Enforce

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const basic = new gcp.organizations.Project("basic", {
    projectId: "id",
    name: "id",
    orgId: "123456789",
    deletionPolicy: "DELETE",
});
const primary = new gcp.orgpolicy.Policy("primary", {
    name: pulumi.interpolate`projects/${basic.projectId}/policies/iam.disableServiceAccountKeyUpload`,
    parent: pulumi.interpolate`projects/${basic.projectId}`,
    spec: {
        rules: [{
            enforce: "FALSE",
        }],
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

basic = gcp.organizations.Project("basic",
    project_id="id",
    name="id",
    org_id="123456789",
    deletion_policy="DELETE")
primary = gcp.orgpolicy.Policy("primary",
    name=basic.project_id.apply(lambda project_id: f"projects/{project_id}/policies/iam.disableServiceAccountKeyUpload"),
    parent=basic.project_id.apply(lambda project_id: f"projects/{project_id}"),
    spec={
        "rules": [{
            "enforce": "FALSE",
        }],
    })
Copy
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		basic, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
			ProjectId:      pulumi.String("id"),
			Name:           pulumi.String("id"),
			OrgId:          pulumi.String("123456789"),
			DeletionPolicy: pulumi.String("DELETE"),
		})
		if err != nil {
			return err
		}
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name: basic.ProjectId.ApplyT(func(projectId string) (string, error) {
				return fmt.Sprintf("projects/%v/policies/iam.disableServiceAccountKeyUpload", projectId), nil
			}).(pulumi.StringOutput),
			Parent: basic.ProjectId.ApplyT(func(projectId string) (string, error) {
				return fmt.Sprintf("projects/%v", projectId), nil
			}).(pulumi.StringOutput),
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						Enforce: pulumi.String("FALSE"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var basic = new Gcp.Organizations.Project("basic", new()
    {
        ProjectId = "id",
        Name = "id",
        OrgId = "123456789",
        DeletionPolicy = "DELETE",
    });

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = basic.ProjectId.Apply(projectId => $"projects/{projectId}/policies/iam.disableServiceAccountKeyUpload"),
        Parent = basic.ProjectId.Apply(projectId => $"projects/{projectId}"),
        Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                {
                    Enforce = "FALSE",
                },
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.Project;
import com.pulumi.gcp.organizations.ProjectArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var basic = new Project("basic", ProjectArgs.builder()
            .projectId("id")
            .name("id")
            .orgId("123456789")
            .deletionPolicy("DELETE")
            .build());

        var primary = new Policy("primary", PolicyArgs.builder()
            .name(basic.projectId().applyValue(_projectId -> String.format("projects/%s/policies/iam.disableServiceAccountKeyUpload", _projectId)))
            .parent(basic.projectId().applyValue(_projectId -> String.format("projects/%s", _projectId)))
            .spec(PolicySpecArgs.builder()
                .rules(PolicySpecRuleArgs.builder()
                    .enforce("FALSE")
                    .build())
                .build())
            .build());

    }
}
Copy
resources:
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: projects/${basic.projectId}/policies/iam.disableServiceAccountKeyUpload
      parent: projects/${basic.projectId}
      spec:
        rules:
          - enforce: FALSE
  basic:
    type: gcp:organizations:Project
    properties:
      projectId: id
      name: id
      orgId: '123456789'
      deletionPolicy: DELETE
Copy

Org Policy Policy Folder

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const basic = new gcp.organizations.Folder("basic", {
    parent: "organizations/123456789",
    displayName: "folder",
    deletionProtection: false,
});
const primary = new gcp.orgpolicy.Policy("primary", {
    name: pulumi.interpolate`${basic.name}/policies/gcp.resourceLocations`,
    parent: basic.name,
    spec: {
        inheritFromParent: true,
        rules: [{
            denyAll: "TRUE",
        }],
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

basic = gcp.organizations.Folder("basic",
    parent="organizations/123456789",
    display_name="folder",
    deletion_protection=False)
primary = gcp.orgpolicy.Policy("primary",
    name=basic.name.apply(lambda name: f"{name}/policies/gcp.resourceLocations"),
    parent=basic.name,
    spec={
        "inherit_from_parent": True,
        "rules": [{
            "deny_all": "TRUE",
        }],
    })
Copy
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		basic, err := organizations.NewFolder(ctx, "basic", &organizations.FolderArgs{
			Parent:             pulumi.String("organizations/123456789"),
			DisplayName:        pulumi.String("folder"),
			DeletionProtection: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name: basic.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("%v/policies/gcp.resourceLocations", name), nil
			}).(pulumi.StringOutput),
			Parent: basic.Name,
			Spec: &orgpolicy.PolicySpecArgs{
				InheritFromParent: pulumi.Bool(true),
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						DenyAll: pulumi.String("TRUE"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var basic = new Gcp.Organizations.Folder("basic", new()
    {
        Parent = "organizations/123456789",
        DisplayName = "folder",
        DeletionProtection = false,
    });

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = basic.Name.Apply(name => $"{name}/policies/gcp.resourceLocations"),
        Parent = basic.Name,
        Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            InheritFromParent = true,
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                {
                    DenyAll = "TRUE",
                },
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.Folder;
import com.pulumi.gcp.organizations.FolderArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var basic = new Folder("basic", FolderArgs.builder()
            .parent("organizations/123456789")
            .displayName("folder")
            .deletionProtection(false)
            .build());

        var primary = new Policy("primary", PolicyArgs.builder()
            .name(basic.name().applyValue(_name -> String.format("%s/policies/gcp.resourceLocations", _name)))
            .parent(basic.name())
            .spec(PolicySpecArgs.builder()
                .inheritFromParent(true)
                .rules(PolicySpecRuleArgs.builder()
                    .denyAll("TRUE")
                    .build())
                .build())
            .build());

    }
}
Copy
resources:
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: ${basic.name}/policies/gcp.resourceLocations
      parent: ${basic.name}
      spec:
        inheritFromParent: true
        rules:
          - denyAll: TRUE
  basic:
    type: gcp:organizations:Folder
    properties:
      parent: organizations/123456789
      displayName: folder
      deletionProtection: false
Copy

Org Policy Policy Organization

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const primary = new gcp.orgpolicy.Policy("primary", {
    name: "organizations/123456789/policies/gcp.detailedAuditLoggingMode",
    parent: "organizations/123456789",
    spec: {
        reset: true,
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

primary = gcp.orgpolicy.Policy("primary",
    name="organizations/123456789/policies/gcp.detailedAuditLoggingMode",
    parent="organizations/123456789",
    spec={
        "reset": True,
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:   pulumi.String("organizations/123456789/policies/gcp.detailedAuditLoggingMode"),
			Parent: pulumi.String("organizations/123456789"),
			Spec: &orgpolicy.PolicySpecArgs{
				Reset: pulumi.Bool(true),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = "organizations/123456789/policies/gcp.detailedAuditLoggingMode",
        Parent = "organizations/123456789",
        Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            Reset = true,
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var primary = new Policy("primary", PolicyArgs.builder()
            .name("organizations/123456789/policies/gcp.detailedAuditLoggingMode")
            .parent("organizations/123456789")
            .spec(PolicySpecArgs.builder()
                .reset(true)
                .build())
            .build());

    }
}
Copy
resources:
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: organizations/123456789/policies/gcp.detailedAuditLoggingMode
      parent: organizations/123456789
      spec:
        reset: true
Copy

Org Policy Policy Project

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const basic = new gcp.organizations.Project("basic", {
    projectId: "id",
    name: "id",
    orgId: "123456789",
    deletionPolicy: "DELETE",
});
const primary = new gcp.orgpolicy.Policy("primary", {
    name: pulumi.interpolate`projects/${basic.projectId}/policies/gcp.resourceLocations`,
    parent: pulumi.interpolate`projects/${basic.projectId}`,
    spec: {
        rules: [
            {
                condition: {
                    description: "A sample condition for the policy",
                    expression: "resource.matchTagId('tagKeys/123', 'tagValues/345')",
                    location: "sample-location.log",
                    title: "sample-condition",
                },
                values: {
                    allowedValues: ["projects/allowed-project"],
                    deniedValues: ["projects/denied-project"],
                },
            },
            {
                allowAll: "TRUE",
            },
        ],
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

basic = gcp.organizations.Project("basic",
    project_id="id",
    name="id",
    org_id="123456789",
    deletion_policy="DELETE")
primary = gcp.orgpolicy.Policy("primary",
    name=basic.project_id.apply(lambda project_id: f"projects/{project_id}/policies/gcp.resourceLocations"),
    parent=basic.project_id.apply(lambda project_id: f"projects/{project_id}"),
    spec={
        "rules": [
            {
                "condition": {
                    "description": "A sample condition for the policy",
                    "expression": "resource.matchTagId('tagKeys/123', 'tagValues/345')",
                    "location": "sample-location.log",
                    "title": "sample-condition",
                },
                "values": {
                    "allowed_values": ["projects/allowed-project"],
                    "denied_values": ["projects/denied-project"],
                },
            },
            {
                "allow_all": "TRUE",
            },
        ],
    })
Copy
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		basic, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
			ProjectId:      pulumi.String("id"),
			Name:           pulumi.String("id"),
			OrgId:          pulumi.String("123456789"),
			DeletionPolicy: pulumi.String("DELETE"),
		})
		if err != nil {
			return err
		}
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name: basic.ProjectId.ApplyT(func(projectId string) (string, error) {
				return fmt.Sprintf("projects/%v/policies/gcp.resourceLocations", projectId), nil
			}).(pulumi.StringOutput),
			Parent: basic.ProjectId.ApplyT(func(projectId string) (string, error) {
				return fmt.Sprintf("projects/%v", projectId), nil
			}).(pulumi.StringOutput),
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						Condition: &orgpolicy.PolicySpecRuleConditionArgs{
							Description: pulumi.String("A sample condition for the policy"),
							Expression:  pulumi.String("resource.matchTagId('tagKeys/123', 'tagValues/345')"),
							Location:    pulumi.String("sample-location.log"),
							Title:       pulumi.String("sample-condition"),
						},
						Values: &orgpolicy.PolicySpecRuleValuesArgs{
							AllowedValues: pulumi.StringArray{
								pulumi.String("projects/allowed-project"),
							},
							DeniedValues: pulumi.StringArray{
								pulumi.String("projects/denied-project"),
							},
						},
					},
					&orgpolicy.PolicySpecRuleArgs{
						AllowAll: pulumi.String("TRUE"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var basic = new Gcp.Organizations.Project("basic", new()
    {
        ProjectId = "id",
        Name = "id",
        OrgId = "123456789",
        DeletionPolicy = "DELETE",
    });

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = basic.ProjectId.Apply(projectId => $"projects/{projectId}/policies/gcp.resourceLocations"),
        Parent = basic.ProjectId.Apply(projectId => $"projects/{projectId}"),
        Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                {
                    Condition = new Gcp.OrgPolicy.Inputs.PolicySpecRuleConditionArgs
                    {
                        Description = "A sample condition for the policy",
                        Expression = "resource.matchTagId('tagKeys/123', 'tagValues/345')",
                        Location = "sample-location.log",
                        Title = "sample-condition",
                    },
                    Values = new Gcp.OrgPolicy.Inputs.PolicySpecRuleValuesArgs
                    {
                        AllowedValues = new[]
                        {
                            "projects/allowed-project",
                        },
                        DeniedValues = new[]
                        {
                            "projects/denied-project",
                        },
                    },
                },
                new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                {
                    AllowAll = "TRUE",
                },
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.Project;
import com.pulumi.gcp.organizations.ProjectArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var basic = new Project("basic", ProjectArgs.builder()
            .projectId("id")
            .name("id")
            .orgId("123456789")
            .deletionPolicy("DELETE")
            .build());

        var primary = new Policy("primary", PolicyArgs.builder()
            .name(basic.projectId().applyValue(_projectId -> String.format("projects/%s/policies/gcp.resourceLocations", _projectId)))
            .parent(basic.projectId().applyValue(_projectId -> String.format("projects/%s", _projectId)))
            .spec(PolicySpecArgs.builder()
                .rules(                
                    PolicySpecRuleArgs.builder()
                        .condition(PolicySpecRuleConditionArgs.builder()
                            .description("A sample condition for the policy")
                            .expression("resource.matchTagId('tagKeys/123', 'tagValues/345')")
                            .location("sample-location.log")
                            .title("sample-condition")
                            .build())
                        .values(PolicySpecRuleValuesArgs.builder()
                            .allowedValues("projects/allowed-project")
                            .deniedValues("projects/denied-project")
                            .build())
                        .build(),
                    PolicySpecRuleArgs.builder()
                        .allowAll("TRUE")
                        .build())
                .build())
            .build());

    }
}
Copy
resources:
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: projects/${basic.projectId}/policies/gcp.resourceLocations
      parent: projects/${basic.projectId}
      spec:
        rules:
          - condition:
              description: A sample condition for the policy
              expression: resource.matchTagId('tagKeys/123', 'tagValues/345')
              location: sample-location.log
              title: sample-condition
            values:
              allowedValues:
                - projects/allowed-project
              deniedValues:
                - projects/denied-project
          - allowAll: TRUE
  basic:
    type: gcp:organizations:Project
    properties:
      projectId: id
      name: id
      orgId: '123456789'
      deletionPolicy: DELETE
Copy

Org Policy Policy Dry Run Spec

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const constraint = new gcp.orgpolicy.CustomConstraint("constraint", {
    name: "custom.disableGkeAutoUpgrade_8270",
    parent: "organizations/123456789",
    displayName: "Disable GKE auto upgrade",
    description: "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
    actionType: "ALLOW",
    condition: "resource.management.autoUpgrade == false",
    methodTypes: ["CREATE"],
    resourceTypes: ["container.googleapis.com/NodePool"],
});
const primary = new gcp.orgpolicy.Policy("primary", {
    name: pulumi.interpolate`organizations/123456789/policies/${constraint.name}`,
    parent: "organizations/123456789",
    spec: {
        rules: [{
            enforce: "FALSE",
        }],
    },
    dryRunSpec: {
        inheritFromParent: false,
        reset: false,
        rules: [{
            enforce: "FALSE",
        }],
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

constraint = gcp.orgpolicy.CustomConstraint("constraint",
    name="custom.disableGkeAutoUpgrade_8270",
    parent="organizations/123456789",
    display_name="Disable GKE auto upgrade",
    description="Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
    action_type="ALLOW",
    condition="resource.management.autoUpgrade == false",
    method_types=["CREATE"],
    resource_types=["container.googleapis.com/NodePool"])
primary = gcp.orgpolicy.Policy("primary",
    name=constraint.name.apply(lambda name: f"organizations/123456789/policies/{name}"),
    parent="organizations/123456789",
    spec={
        "rules": [{
            "enforce": "FALSE",
        }],
    },
    dry_run_spec={
        "inherit_from_parent": False,
        "reset": False,
        "rules": [{
            "enforce": "FALSE",
        }],
    })
Copy
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		constraint, err := orgpolicy.NewCustomConstraint(ctx, "constraint", &orgpolicy.CustomConstraintArgs{
			Name:        pulumi.String("custom.disableGkeAutoUpgrade_8270"),
			Parent:      pulumi.String("organizations/123456789"),
			DisplayName: pulumi.String("Disable GKE auto upgrade"),
			Description: pulumi.String("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."),
			ActionType:  pulumi.String("ALLOW"),
			Condition:   pulumi.String("resource.management.autoUpgrade == false"),
			MethodTypes: pulumi.StringArray{
				pulumi.String("CREATE"),
			},
			ResourceTypes: pulumi.StringArray{
				pulumi.String("container.googleapis.com/NodePool"),
			},
		})
		if err != nil {
			return err
		}
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name: constraint.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("organizations/123456789/policies/%v", name), nil
			}).(pulumi.StringOutput),
			Parent: pulumi.String("organizations/123456789"),
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						Enforce: pulumi.String("FALSE"),
					},
				},
			},
			DryRunSpec: &orgpolicy.PolicyDryRunSpecArgs{
				InheritFromParent: pulumi.Bool(false),
				Reset:             pulumi.Bool(false),
				Rules: orgpolicy.PolicyDryRunSpecRuleArray{
					&orgpolicy.PolicyDryRunSpecRuleArgs{
						Enforce: pulumi.String("FALSE"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var constraint = new Gcp.OrgPolicy.CustomConstraint("constraint", new()
    {
        Name = "custom.disableGkeAutoUpgrade_8270",
        Parent = "organizations/123456789",
        DisplayName = "Disable GKE auto upgrade",
        Description = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
        ActionType = "ALLOW",
        Condition = "resource.management.autoUpgrade == false",
        MethodTypes = new[]
        {
            "CREATE",
        },
        ResourceTypes = new[]
        {
            "container.googleapis.com/NodePool",
        },
    });

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = constraint.Name.Apply(name => $"organizations/123456789/policies/{name}"),
        Parent = "organizations/123456789",
        Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                {
                    Enforce = "FALSE",
                },
            },
        },
        DryRunSpec = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecArgs
        {
            InheritFromParent = false,
            Reset = false,
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleArgs
                {
                    Enforce = "FALSE",
                },
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.orgpolicy.CustomConstraint;
import com.pulumi.gcp.orgpolicy.CustomConstraintArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicyDryRunSpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var constraint = new CustomConstraint("constraint", CustomConstraintArgs.builder()
            .name("custom.disableGkeAutoUpgrade_8270")
            .parent("organizations/123456789")
            .displayName("Disable GKE auto upgrade")
            .description("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.")
            .actionType("ALLOW")
            .condition("resource.management.autoUpgrade == false")
            .methodTypes("CREATE")
            .resourceTypes("container.googleapis.com/NodePool")
            .build());

        var primary = new Policy("primary", PolicyArgs.builder()
            .name(constraint.name().applyValue(_name -> String.format("organizations/123456789/policies/%s", _name)))
            .parent("organizations/123456789")
            .spec(PolicySpecArgs.builder()
                .rules(PolicySpecRuleArgs.builder()
                    .enforce("FALSE")
                    .build())
                .build())
            .dryRunSpec(PolicyDryRunSpecArgs.builder()
                .inheritFromParent(false)
                .reset(false)
                .rules(PolicyDryRunSpecRuleArgs.builder()
                    .enforce("FALSE")
                    .build())
                .build())
            .build());

    }
}
Copy
resources:
  constraint:
    type: gcp:orgpolicy:CustomConstraint
    properties:
      name: custom.disableGkeAutoUpgrade_8270
      parent: organizations/123456789
      displayName: Disable GKE auto upgrade
      description: Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.
      actionType: ALLOW
      condition: resource.management.autoUpgrade == false
      methodTypes:
        - CREATE
      resourceTypes:
        - container.googleapis.com/NodePool
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: organizations/123456789/policies/${constraint.name}
      parent: organizations/123456789
      spec:
        rules:
          - enforce: FALSE
      dryRunSpec:
        inheritFromParent: false
        reset: false
        rules:
          - enforce: FALSE
Copy

Org Policy Policy Parameters Enforce

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const basic = new gcp.organizations.Project("basic", {
    projectId: "id",
    name: "id",
    orgId: "123456789",
    deletionPolicy: "DELETE",
});
const primary = new gcp.orgpolicy.Policy("primary", {
    name: pulumi.interpolate`projects/${basic.name}/policies/compute.managed.restrictDiskCreation`,
    parent: pulumi.interpolate`projects/${basic.name}`,
    spec: {
        rules: [{
            enforce: "TRUE",
            parameters: JSON.stringify({
                isSizeLimitCheck: true,
                allowedDiskTypes: [
                    "pd-ssd",
                    "pd-standard",
                ],
            }),
        }],
    },
});
Copy
import pulumi
import json
import pulumi_gcp as gcp

basic = gcp.organizations.Project("basic",
    project_id="id",
    name="id",
    org_id="123456789",
    deletion_policy="DELETE")
primary = gcp.orgpolicy.Policy("primary",
    name=basic.name.apply(lambda name: f"projects/{name}/policies/compute.managed.restrictDiskCreation"),
    parent=basic.name.apply(lambda name: f"projects/{name}"),
    spec={
        "rules": [{
            "enforce": "TRUE",
            "parameters": json.dumps({
                "isSizeLimitCheck": True,
                "allowedDiskTypes": [
                    "pd-ssd",
                    "pd-standard",
                ],
            }),
        }],
    })
Copy
package main

import (
	"encoding/json"
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		basic, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
			ProjectId:      pulumi.String("id"),
			Name:           pulumi.String("id"),
			OrgId:          pulumi.String("123456789"),
			DeletionPolicy: pulumi.String("DELETE"),
		})
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"isSizeLimitCheck": true,
			"allowedDiskTypes": []string{
				"pd-ssd",
				"pd-standard",
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name: basic.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("projects/%v/policies/compute.managed.restrictDiskCreation", name), nil
			}).(pulumi.StringOutput),
			Parent: basic.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("projects/%v", name), nil
			}).(pulumi.StringOutput),
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						Enforce:    pulumi.String("TRUE"),
						Parameters: pulumi.String(json0),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var basic = new Gcp.Organizations.Project("basic", new()
    {
        ProjectId = "id",
        Name = "id",
        OrgId = "123456789",
        DeletionPolicy = "DELETE",
    });

    var primary = new Gcp.OrgPolicy.Policy("primary", new()
    {
        Name = basic.Name.Apply(name => $"projects/{name}/policies/compute.managed.restrictDiskCreation"),
        Parent = basic.Name.Apply(name => $"projects/{name}"),
        Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                {
                    Enforce = "TRUE",
                    Parameters = JsonSerializer.Serialize(new Dictionary<string, object?>
                    {
                        ["isSizeLimitCheck"] = true,
                        ["allowedDiskTypes"] = new[]
                        {
                            "pd-ssd",
                            "pd-standard",
                        },
                    }),
                },
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.Project;
import com.pulumi.gcp.organizations.ProjectArgs;
import com.pulumi.gcp.orgpolicy.Policy;
import com.pulumi.gcp.orgpolicy.PolicyArgs;
import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var basic = new Project("basic", ProjectArgs.builder()
            .projectId("id")
            .name("id")
            .orgId("123456789")
            .deletionPolicy("DELETE")
            .build());

        var primary = new Policy("primary", PolicyArgs.builder()
            .name(basic.name().applyValue(_name -> String.format("projects/%s/policies/compute.managed.restrictDiskCreation", _name)))
            .parent(basic.name().applyValue(_name -> String.format("projects/%s", _name)))
            .spec(PolicySpecArgs.builder()
                .rules(PolicySpecRuleArgs.builder()
                    .enforce("TRUE")
                    .parameters(serializeJson(
                        jsonObject(
                            jsonProperty("isSizeLimitCheck", true),
                            jsonProperty("allowedDiskTypes", jsonArray(
                                "pd-ssd", 
                                "pd-standard"
                            ))
                        )))
                    .build())
                .build())
            .build());

    }
}
Copy
resources:
  primary:
    type: gcp:orgpolicy:Policy
    properties:
      name: projects/${basic.name}/policies/compute.managed.restrictDiskCreation
      parent: projects/${basic.name}
      spec:
        rules:
          - enforce: TRUE
            parameters:
              fn::toJSON:
                isSizeLimitCheck: true
                allowedDiskTypes:
                  - pd-ssd
                  - pd-standard
  basic:
    type: gcp:organizations:Project
    properties:
      projectId: id
      name: id
      orgId: '123456789'
      deletionPolicy: DELETE
Copy

Create Policy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
@overload
def Policy(resource_name: str,
           args: PolicyArgs,
           opts: Optional[ResourceOptions] = None)

@overload
def Policy(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           parent: Optional[str] = None,
           dry_run_spec: Optional[PolicyDryRunSpecArgs] = None,
           name: Optional[str] = None,
           spec: Optional[PolicySpecArgs] = None)
func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
public Policy(String name, PolicyArgs args)
public Policy(String name, PolicyArgs args, CustomResourceOptions options)
type: gcp:orgpolicy:Policy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. PolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. PolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. PolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. PolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. PolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var examplepolicyResourceResourceFromOrgpolicypolicy = new Gcp.OrgPolicy.Policy("examplepolicyResourceResourceFromOrgpolicypolicy", new()
{
    Parent = "string",
    DryRunSpec = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecArgs
    {
        Etag = "string",
        InheritFromParent = false,
        Reset = false,
        Rules = new[]
        {
            new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleArgs
            {
                AllowAll = "string",
                Condition = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleConditionArgs
                {
                    Description = "string",
                    Expression = "string",
                    Location = "string",
                    Title = "string",
                },
                DenyAll = "string",
                Enforce = "string",
                Parameters = "string",
                Values = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleValuesArgs
                {
                    AllowedValues = new[]
                    {
                        "string",
                    },
                    DeniedValues = new[]
                    {
                        "string",
                    },
                },
            },
        },
        UpdateTime = "string",
    },
    Name = "string",
    Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
    {
        Etag = "string",
        InheritFromParent = false,
        Reset = false,
        Rules = new[]
        {
            new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
            {
                AllowAll = "string",
                Condition = new Gcp.OrgPolicy.Inputs.PolicySpecRuleConditionArgs
                {
                    Description = "string",
                    Expression = "string",
                    Location = "string",
                    Title = "string",
                },
                DenyAll = "string",
                Enforce = "string",
                Parameters = "string",
                Values = new Gcp.OrgPolicy.Inputs.PolicySpecRuleValuesArgs
                {
                    AllowedValues = new[]
                    {
                        "string",
                    },
                    DeniedValues = new[]
                    {
                        "string",
                    },
                },
            },
        },
        UpdateTime = "string",
    },
});
Copy
example, err := orgpolicy.NewPolicy(ctx, "examplepolicyResourceResourceFromOrgpolicypolicy", &orgpolicy.PolicyArgs{
	Parent: pulumi.String("string"),
	DryRunSpec: &orgpolicy.PolicyDryRunSpecArgs{
		Etag:              pulumi.String("string"),
		InheritFromParent: pulumi.Bool(false),
		Reset:             pulumi.Bool(false),
		Rules: orgpolicy.PolicyDryRunSpecRuleArray{
			&orgpolicy.PolicyDryRunSpecRuleArgs{
				AllowAll: pulumi.String("string"),
				Condition: &orgpolicy.PolicyDryRunSpecRuleConditionArgs{
					Description: pulumi.String("string"),
					Expression:  pulumi.String("string"),
					Location:    pulumi.String("string"),
					Title:       pulumi.String("string"),
				},
				DenyAll:    pulumi.String("string"),
				Enforce:    pulumi.String("string"),
				Parameters: pulumi.String("string"),
				Values: &orgpolicy.PolicyDryRunSpecRuleValuesArgs{
					AllowedValues: pulumi.StringArray{
						pulumi.String("string"),
					},
					DeniedValues: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
		},
		UpdateTime: pulumi.String("string"),
	},
	Name: pulumi.String("string"),
	Spec: &orgpolicy.PolicySpecArgs{
		Etag:              pulumi.String("string"),
		InheritFromParent: pulumi.Bool(false),
		Reset:             pulumi.Bool(false),
		Rules: orgpolicy.PolicySpecRuleArray{
			&orgpolicy.PolicySpecRuleArgs{
				AllowAll: pulumi.String("string"),
				Condition: &orgpolicy.PolicySpecRuleConditionArgs{
					Description: pulumi.String("string"),
					Expression:  pulumi.String("string"),
					Location:    pulumi.String("string"),
					Title:       pulumi.String("string"),
				},
				DenyAll:    pulumi.String("string"),
				Enforce:    pulumi.String("string"),
				Parameters: pulumi.String("string"),
				Values: &orgpolicy.PolicySpecRuleValuesArgs{
					AllowedValues: pulumi.StringArray{
						pulumi.String("string"),
					},
					DeniedValues: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
		},
		UpdateTime: pulumi.String("string"),
	},
})
Copy
var examplepolicyResourceResourceFromOrgpolicypolicy = new Policy("examplepolicyResourceResourceFromOrgpolicypolicy", PolicyArgs.builder()
    .parent("string")
    .dryRunSpec(PolicyDryRunSpecArgs.builder()
        .etag("string")
        .inheritFromParent(false)
        .reset(false)
        .rules(PolicyDryRunSpecRuleArgs.builder()
            .allowAll("string")
            .condition(PolicyDryRunSpecRuleConditionArgs.builder()
                .description("string")
                .expression("string")
                .location("string")
                .title("string")
                .build())
            .denyAll("string")
            .enforce("string")
            .parameters("string")
            .values(PolicyDryRunSpecRuleValuesArgs.builder()
                .allowedValues("string")
                .deniedValues("string")
                .build())
            .build())
        .updateTime("string")
        .build())
    .name("string")
    .spec(PolicySpecArgs.builder()
        .etag("string")
        .inheritFromParent(false)
        .reset(false)
        .rules(PolicySpecRuleArgs.builder()
            .allowAll("string")
            .condition(PolicySpecRuleConditionArgs.builder()
                .description("string")
                .expression("string")
                .location("string")
                .title("string")
                .build())
            .denyAll("string")
            .enforce("string")
            .parameters("string")
            .values(PolicySpecRuleValuesArgs.builder()
                .allowedValues("string")
                .deniedValues("string")
                .build())
            .build())
        .updateTime("string")
        .build())
    .build());
Copy
examplepolicy_resource_resource_from_orgpolicypolicy = gcp.orgpolicy.Policy("examplepolicyResourceResourceFromOrgpolicypolicy",
    parent="string",
    dry_run_spec={
        "etag": "string",
        "inherit_from_parent": False,
        "reset": False,
        "rules": [{
            "allow_all": "string",
            "condition": {
                "description": "string",
                "expression": "string",
                "location": "string",
                "title": "string",
            },
            "deny_all": "string",
            "enforce": "string",
            "parameters": "string",
            "values": {
                "allowed_values": ["string"],
                "denied_values": ["string"],
            },
        }],
        "update_time": "string",
    },
    name="string",
    spec={
        "etag": "string",
        "inherit_from_parent": False,
        "reset": False,
        "rules": [{
            "allow_all": "string",
            "condition": {
                "description": "string",
                "expression": "string",
                "location": "string",
                "title": "string",
            },
            "deny_all": "string",
            "enforce": "string",
            "parameters": "string",
            "values": {
                "allowed_values": ["string"],
                "denied_values": ["string"],
            },
        }],
        "update_time": "string",
    })
Copy
const examplepolicyResourceResourceFromOrgpolicypolicy = new gcp.orgpolicy.Policy("examplepolicyResourceResourceFromOrgpolicypolicy", {
    parent: "string",
    dryRunSpec: {
        etag: "string",
        inheritFromParent: false,
        reset: false,
        rules: [{
            allowAll: "string",
            condition: {
                description: "string",
                expression: "string",
                location: "string",
                title: "string",
            },
            denyAll: "string",
            enforce: "string",
            parameters: "string",
            values: {
                allowedValues: ["string"],
                deniedValues: ["string"],
            },
        }],
        updateTime: "string",
    },
    name: "string",
    spec: {
        etag: "string",
        inheritFromParent: false,
        reset: false,
        rules: [{
            allowAll: "string",
            condition: {
                description: "string",
                expression: "string",
                location: "string",
                title: "string",
            },
            denyAll: "string",
            enforce: "string",
            parameters: "string",
            values: {
                allowedValues: ["string"],
                deniedValues: ["string"],
            },
        }],
        updateTime: "string",
    },
});
Copy
type: gcp:orgpolicy:Policy
properties:
    dryRunSpec:
        etag: string
        inheritFromParent: false
        reset: false
        rules:
            - allowAll: string
              condition:
                description: string
                expression: string
                location: string
                title: string
              denyAll: string
              enforce: string
              parameters: string
              values:
                allowedValues:
                    - string
                deniedValues:
                    - string
        updateTime: string
    name: string
    parent: string
    spec:
        etag: string
        inheritFromParent: false
        reset: false
        rules:
            - allowAll: string
              condition:
                description: string
                expression: string
                location: string
                title: string
              denyAll: string
              enforce: string
              parameters: string
              values:
                allowedValues:
                    - string
                deniedValues:
                    - string
        updateTime: string
Copy

Policy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Policy resource accepts the following input properties:

Parent
This property is required.
Changes to this property will trigger replacement.
string
The parent of the resource.


DryRunSpec PolicyDryRunSpec
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
Name Changes to this property will trigger replacement. string
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
Spec PolicySpec
Basic information about the Organization Policy. Structure is documented below.
Parent
This property is required.
Changes to this property will trigger replacement.
string
The parent of the resource.


DryRunSpec PolicyDryRunSpecArgs
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
Name Changes to this property will trigger replacement. string
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
Spec PolicySpecArgs
Basic information about the Organization Policy. Structure is documented below.
parent
This property is required.
Changes to this property will trigger replacement.
String
The parent of the resource.


dryRunSpec PolicyDryRunSpec
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
name Changes to this property will trigger replacement. String
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
spec PolicySpec
Basic information about the Organization Policy. Structure is documented below.
parent
This property is required.
Changes to this property will trigger replacement.
string
The parent of the resource.


dryRunSpec PolicyDryRunSpec
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
name Changes to this property will trigger replacement. string
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
spec PolicySpec
Basic information about the Organization Policy. Structure is documented below.
parent
This property is required.
Changes to this property will trigger replacement.
str
The parent of the resource.


dry_run_spec PolicyDryRunSpecArgs
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
name Changes to this property will trigger replacement. str
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
spec PolicySpecArgs
Basic information about the Organization Policy. Structure is documented below.
parent
This property is required.
Changes to this property will trigger replacement.
String
The parent of the resource.


dryRunSpec Property Map
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
name Changes to this property will trigger replacement. String
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
spec Property Map
Basic information about the Organization Policy. Structure is documented below.

Outputs

All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

Etag string
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
Id string
The provider-assigned unique ID for this managed resource.
Etag string
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
Id string
The provider-assigned unique ID for this managed resource.
etag String
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
id String
The provider-assigned unique ID for this managed resource.
etag string
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
id string
The provider-assigned unique ID for this managed resource.
etag str
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
id str
The provider-assigned unique ID for this managed resource.
etag String
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
id String
The provider-assigned unique ID for this managed resource.

Look up Existing Policy Resource

Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        dry_run_spec: Optional[PolicyDryRunSpecArgs] = None,
        etag: Optional[str] = None,
        name: Optional[str] = None,
        parent: Optional[str] = None,
        spec: Optional[PolicySpecArgs] = None) -> Policy
func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
resources:  _:    type: gcp:orgpolicy:Policy    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
DryRunSpec PolicyDryRunSpec
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
Etag string
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
Name Changes to this property will trigger replacement. string
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
Parent Changes to this property will trigger replacement. string
The parent of the resource.


Spec PolicySpec
Basic information about the Organization Policy. Structure is documented below.
DryRunSpec PolicyDryRunSpecArgs
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
Etag string
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
Name Changes to this property will trigger replacement. string
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
Parent Changes to this property will trigger replacement. string
The parent of the resource.


Spec PolicySpecArgs
Basic information about the Organization Policy. Structure is documented below.
dryRunSpec PolicyDryRunSpec
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
etag String
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
name Changes to this property will trigger replacement. String
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
parent Changes to this property will trigger replacement. String
The parent of the resource.


spec PolicySpec
Basic information about the Organization Policy. Structure is documented below.
dryRunSpec PolicyDryRunSpec
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
etag string
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
name Changes to this property will trigger replacement. string
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
parent Changes to this property will trigger replacement. string
The parent of the resource.


spec PolicySpec
Basic information about the Organization Policy. Structure is documented below.
dry_run_spec PolicyDryRunSpecArgs
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
etag str
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
name Changes to this property will trigger replacement. str
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
parent Changes to this property will trigger replacement. str
The parent of the resource.


spec PolicySpecArgs
Basic information about the Organization Policy. Structure is documented below.
dryRunSpec Property Map
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
etag String
Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
name Changes to this property will trigger replacement. String
Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
parent Changes to this property will trigger replacement. String
The parent of the resource.


spec Property Map
Basic information about the Organization Policy. Structure is documented below.

Supporting Types

PolicyDryRunSpec
, PolicyDryRunSpecArgs

Etag string
(Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
InheritFromParent bool
Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
Reset bool
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
Rules List<PolicyDryRunSpecRule>
In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
UpdateTime string
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
Etag string
(Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
InheritFromParent bool
Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
Reset bool
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
Rules []PolicyDryRunSpecRule
In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
UpdateTime string
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
etag String
(Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
inheritFromParent Boolean
Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
reset Boolean
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
rules List<PolicyDryRunSpecRule>
In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
updateTime String
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
etag string
(Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
inheritFromParent boolean
Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
reset boolean
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
rules PolicyDryRunSpecRule[]
In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
updateTime string
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
etag str
(Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
inherit_from_parent bool
Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
reset bool
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
rules Sequence[PolicyDryRunSpecRule]
In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
update_time str
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
etag String
(Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
inheritFromParent Boolean
Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
reset Boolean
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
rules List<Property Map>
In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
updateTime String
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.

PolicyDryRunSpecRule
, PolicyDryRunSpecRuleArgs

AllowAll string
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
Condition PolicyDryRunSpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
DenyAll string
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
Enforce string
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
Parameters string
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
Values PolicyDryRunSpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
AllowAll string
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
Condition PolicyDryRunSpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
DenyAll string
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
Enforce string
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
Parameters string
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
Values PolicyDryRunSpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allowAll String
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
condition PolicyDryRunSpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
denyAll String
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
enforce String
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
parameters String
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
values PolicyDryRunSpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allowAll string
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
condition PolicyDryRunSpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
denyAll string
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
enforce string
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
parameters string
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
values PolicyDryRunSpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allow_all str
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
condition PolicyDryRunSpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
deny_all str
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
enforce str
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
parameters str
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
values PolicyDryRunSpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allowAll String
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
condition Property Map
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
denyAll String
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
enforce String
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
parameters String
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
values Property Map
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.

PolicyDryRunSpecRuleCondition
, PolicyDryRunSpecRuleConditionArgs

Description string
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
Expression string
Textual representation of an expression in Common Expression Language syntax.
Location string
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
Description string
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
Expression string
Textual representation of an expression in Common Expression Language syntax.
Location string
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
description String
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression String
Textual representation of an expression in Common Expression Language syntax.
location String
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
description string
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression string
Textual representation of an expression in Common Expression Language syntax.
location string
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title string
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
description str
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression str
Textual representation of an expression in Common Expression Language syntax.
location str
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title str
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
description String
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression String
Textual representation of an expression in Common Expression Language syntax.
location String
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

PolicyDryRunSpecRuleValues
, PolicyDryRunSpecRuleValuesArgs

AllowedValues List<string>
List of values allowed at this resource.
DeniedValues List<string>
List of values denied at this resource.
AllowedValues []string
List of values allowed at this resource.
DeniedValues []string
List of values denied at this resource.
allowedValues List<String>
List of values allowed at this resource.
deniedValues List<String>
List of values denied at this resource.
allowedValues string[]
List of values allowed at this resource.
deniedValues string[]
List of values denied at this resource.
allowed_values Sequence[str]
List of values allowed at this resource.
denied_values Sequence[str]
List of values denied at this resource.
allowedValues List<String>
List of values allowed at this resource.
deniedValues List<String>
List of values denied at this resource.

PolicySpec
, PolicySpecArgs

Etag string
(Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
InheritFromParent bool
Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
Reset bool
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
Rules List<PolicySpecRule>
In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
UpdateTime string
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
Etag string
(Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
InheritFromParent bool
Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
Reset bool
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
Rules []PolicySpecRule
In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
UpdateTime string
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
etag String
(Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
inheritFromParent Boolean
Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
reset Boolean
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
rules List<PolicySpecRule>
In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
updateTime String
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
etag string
(Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
inheritFromParent boolean
Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
reset boolean
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
rules PolicySpecRule[]
In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
updateTime string
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
etag str
(Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
inherit_from_parent bool
Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
reset bool
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
rules Sequence[PolicySpecRule]
In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
update_time str
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
etag String
(Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
inheritFromParent Boolean
Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
reset Boolean
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
rules List<Property Map>
In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
updateTime String
(Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.

PolicySpecRule
, PolicySpecRuleArgs

AllowAll string
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
Condition PolicySpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
DenyAll string
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
Enforce string
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
Parameters string
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
Values PolicySpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
AllowAll string
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
Condition PolicySpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
DenyAll string
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
Enforce string
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
Parameters string
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
Values PolicySpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allowAll String
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
condition PolicySpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
denyAll String
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
enforce String
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
parameters String
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
values PolicySpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allowAll string
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
condition PolicySpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
denyAll string
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
enforce string
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
parameters string
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
values PolicySpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allow_all str
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
condition PolicySpecRuleCondition
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
deny_all str
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
enforce str
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
parameters str
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
values PolicySpecRuleValues
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
allowAll String
Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
condition Property Map
A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
denyAll String
Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
enforce String
If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
parameters String
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }
values Property Map
List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.

PolicySpecRuleCondition
, PolicySpecRuleConditionArgs

Description string
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
Expression string
Textual representation of an expression in Common Expression Language syntax.
Location string
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
Description string
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
Expression string
Textual representation of an expression in Common Expression Language syntax.
Location string
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
description String
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression String
Textual representation of an expression in Common Expression Language syntax.
location String
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
description string
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression string
Textual representation of an expression in Common Expression Language syntax.
location string
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title string
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
description str
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression str
Textual representation of an expression in Common Expression Language syntax.
location str
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title str
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
description String
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression String
Textual representation of an expression in Common Expression Language syntax.
location String
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

PolicySpecRuleValues
, PolicySpecRuleValuesArgs

AllowedValues List<string>
List of values allowed at this resource.
DeniedValues List<string>
List of values denied at this resource.
AllowedValues []string
List of values allowed at this resource.
DeniedValues []string
List of values denied at this resource.
allowedValues List<String>
List of values allowed at this resource.
deniedValues List<String>
List of values denied at this resource.
allowedValues string[]
List of values allowed at this resource.
deniedValues string[]
List of values denied at this resource.
allowed_values Sequence[str]
List of values allowed at this resource.
denied_values Sequence[str]
List of values denied at this resource.
allowedValues List<String>
List of values allowed at this resource.
deniedValues List<String>
List of values denied at this resource.

Import

Policy can be imported using any of these accepted formats:

  • {{parent}}/policies/{{name}}

When using the pulumi import command, Policy can be imported using one of the formats above. For example:

$ pulumi import gcp:orgpolicy/policy:Policy default {{parent}}/policies/{{name}}
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes
This Pulumi package is based on the google-beta Terraform Provider.