1. Managing domain restricted sharing within GCP organization

    TypeScript

    To manage domain-restricted sharing within a Google Cloud Platform (GCP) organization, you can use Organization Policies. These policies provide centralized and programmatic control over your organization's cloud resources. Specifically, you can set policies that restrict resource sharing to only users within your organization's domain.

    The gcp.organizations.Policy resource from Pulumi's GCP provider is what you'll need to define an organization policy. By using this resource, you can specify constraints, such as domain-restricted sharing, which prevents resources from being shared outside the allowed domains.

    Below is a TypeScript Pulumi program that demonstrates how to create an organization policy to manage domain-restricted sharing for a GCP organization:

    ```typescript
    import * as gcp from "@pulumi/gcp";

    // Replace '<org-id>' with your GCP organization ID
    const orgId = "<org-id>";

    // Placeholder constraint: replace it with the constraint that enforces
    // domain-restricted sharing (see the GCP Resource Manager documentation)
    const policyId = "constraints/compute.restrictXpnProjectLienRemoval";

    // Organization Policy to restrict sharing to a domain
    const domainRestrictedSharingPolicy = new gcp.organizations.Policy("domainRestrictedSharingPolicy", {
        orgId: orgId,
        constraint: policyId,
        listPolicy: {
            // Replace 'your-domain.com' with the domain you want to allow; the exact
            // value format is dictated by the constraint you choose
            allow: {
                values: ["allowed-domains:your-domain.com"],
            },
        },
    });

    export const policyName = domainRestrictedSharingPolicy.name;
    ```

    Before running this program, make sure to replace <org-id> with your actual GCP organization ID and your-domain.com with the domain you wish to allow. The constraint constraints/compute.restrictXpnProjectLienRemoval is an example and should be replaced with the actual constraint that applies to domain-restricted sharing (you may need to refer to the GCP Resource Manager documentation for the specific constraint ID).

    The listPolicy object is where you define the policy behavior. Use the allow property to specify which domains can have resources shared with them. You can also use deny to explicitly prohibit certain domains.
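    As an added example (not from the original answer), the following TypeScript builds the argument object that gcp.organizations.Policy takes for GCP's actual domain-restricted sharing constraint, constraints/iam.allowedPolicyMemberDomains, and audits a set of IAM bindings for members that constraint would block. It assumes, as the GCP documentation states, that the constraint's allowed values are Google Workspace or Cloud Identity customer IDs rather than domain names; the customer-ID pattern is a loose sanity check and the sample bindings are constructed.

```typescript
export const DOMAIN_RESTRICTED_SHARING = "constraints/iam.allowedPolicyMemberDomains";
// Loose sanity check for a customer ID such as "C01abc2de" (assumed shape, not the official grammar).
const CUSTOMER_ID = /^C[0-9a-z]+$/i;

export interface OrgPolicyArgs {
  orgId: string;
  constraint: string;
  listPolicy: { allow: { values: string[] } };
}

// Arguments for new gcp.organizations.Policy(name, args). Rejects the common mistake of
// passing a domain name: this constraint is keyed on customer IDs ("gcloud organizations list").
export function domainRestrictedSharingArgs(orgId: string, customerIds: string[]): OrgPolicyArgs {
  for (const id of customerIds) {
    if (!CUSTOMER_ID.test(id)) {
      throw new Error(`"${id}" is not a customer ID; this constraint does not accept domain names`);
    }
  }
  return { orgId, constraint: DOMAIN_RESTRICTED_SHARING, listPolicy: { allow: { values: customerIds } } };
}

export interface Binding { role: string; members: string[] }

// Members of an IAM policy the constraint would reject: public principals, and
// user/group/domain members whose domain is not in allowedDomains. Service accounts are
// skipped here because the constraint judges them by the organization that owns them (assumed).
export function externalMembers(bindings: Binding[], allowedDomains: string[]): string[] {
  const allowed = new Set(allowedDomains.map(d => d.toLowerCase()));
  const flagged = new Set<string>();
  for (const b of bindings) {
    for (const m of b.members) {
      if (m === "allUsers" || m === "allAuthenticatedUsers") { flagged.add(m); continue; }
      const [kind, value] = m.split(":", 2);
      if (kind === "serviceAccount" || value === undefined) continue;
      const domain = kind === "domain" ? value : value.slice(value.lastIndexOf("@") + 1);
      if (!allowed.has(domain.toLowerCase())) flagged.add(m);
    }
  }
  return Array.from(flagged).sort();
}

// Constructed sample bindings in the shape returned by gcloud projects get-iam-policy.
export const SAMPLE_BINDINGS: Binding[] = [
  { role: "roles/viewer", members: ["user:alice@example.com", "allUsers"] },
  { role: "roles/editor", members: ["group:ops@example.com", "user:bob@gmail.com",
                                    "serviceAccount:ci@demo-project.iam.gserviceaccount.com"] },
];
```

Running externalMembers over a project's real bindings before enforcing the constraint tells you which existing grants will stop working once it is in place.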

    This program defines an organization policy that will manage the sharing settings across your GCP organization, effectively restricting them to a specified domain. The policy is exported so you can easily retrieve its name for reference.

    After you set up your Pulumi stack and have the correct GCP credentials configured, you can deploy this policy by running pulumi up from your command line. This will prompt Pulumi to perform the deployment, and the changes will be applied to your GCP organization.