The gcp:folder/organizationPolicy:OrganizationPolicy resource, part of the Pulumi GCP provider, applies organization policies to Google Cloud folders, controlling which services and features are allowed or denied. This resource uses the Cloud Resource Manager API V1 and has been superseded by gcp.orgpolicy.Policy, which supports additional features like tags and conditions. This guide focuses on three capabilities: boolean constraint enforcement, list-based service rules, and policy restoration.
Organization policies target existing folders by ID and require IAM permissions to modify policies. The examples are intentionally small. Combine them with your own folder hierarchy and governance requirements.
Enforce a boolean constraint on folder resources
Organizations often enforce security policies across folders, such as disabling serial port access to prevent unauthorized console access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const serialPortPolicy = new gcp.folder.OrganizationPolicy("serial_port_policy", {
folder: "folders/123456789",
constraint: "compute.disableSerialPortAccess",
booleanPolicy: {
enforced: true,
},
});
import pulumi
import pulumi_gcp as gcp
serial_port_policy = gcp.folder.OrganizationPolicy("serial_port_policy",
folder="folders/123456789",
constraint="compute.disableSerialPortAccess",
boolean_policy={
"enforced": True,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewOrganizationPolicy(ctx, "serial_port_policy", &folder.OrganizationPolicyArgs{
Folder: pulumi.String("folders/123456789"),
Constraint: pulumi.String("compute.disableSerialPortAccess"),
BooleanPolicy: &folder.OrganizationPolicyBooleanPolicyArgs{
Enforced: pulumi.Bool(true),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var serialPortPolicy = new Gcp.Folder.OrganizationPolicy("serial_port_policy", new()
{
Folder = "folders/123456789",
Constraint = "compute.disableSerialPortAccess",
BooleanPolicy = new Gcp.Folder.Inputs.OrganizationPolicyBooleanPolicyArgs
{
Enforced = true,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.OrganizationPolicy;
import com.pulumi.gcp.folder.OrganizationPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyBooleanPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var serialPortPolicy = new OrganizationPolicy("serialPortPolicy", OrganizationPolicyArgs.builder()
.folder("folders/123456789")
.constraint("compute.disableSerialPortAccess")
.booleanPolicy(OrganizationPolicyBooleanPolicyArgs.builder()
.enforced(true)
.build())
.build());
}
}
resources:
serialPortPolicy:
type: gcp:folder:OrganizationPolicy
name: serial_port_policy
properties:
folder: folders/123456789
constraint: compute.disableSerialPortAccess
booleanPolicy:
enforced: true
The booleanPolicy property enforces binary constraints. When enforced is true, the constraint blocks the specified behavior across all resources in the folder. The constraint property identifies which policy to apply; here, compute.disableSerialPortAccess prevents serial port access on compute instances.
Allow all services with a list constraint
Some folders need unrestricted API access during development or for workloads requiring broad service availability.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const servicesPolicy = new gcp.folder.OrganizationPolicy("services_policy", {
folder: "folders/123456789",
constraint: "serviceuser.services",
listPolicy: {
allow: {
all: true,
},
},
});
import pulumi
import pulumi_gcp as gcp
services_policy = gcp.folder.OrganizationPolicy("services_policy",
folder="folders/123456789",
constraint="serviceuser.services",
list_policy={
"allow": {
"all": True,
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewOrganizationPolicy(ctx, "services_policy", &folder.OrganizationPolicyArgs{
Folder: pulumi.String("folders/123456789"),
Constraint: pulumi.String("serviceuser.services"),
ListPolicy: &folder.OrganizationPolicyListPolicyArgs{
Allow: &folder.OrganizationPolicyListPolicyAllowArgs{
All: pulumi.Bool(true),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var servicesPolicy = new Gcp.Folder.OrganizationPolicy("services_policy", new()
{
Folder = "folders/123456789",
Constraint = "serviceuser.services",
ListPolicy = new Gcp.Folder.Inputs.OrganizationPolicyListPolicyArgs
{
Allow = new Gcp.Folder.Inputs.OrganizationPolicyListPolicyAllowArgs
{
All = true,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.OrganizationPolicy;
import com.pulumi.gcp.folder.OrganizationPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyListPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyListPolicyAllowArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var servicesPolicy = new OrganizationPolicy("servicesPolicy", OrganizationPolicyArgs.builder()
.folder("folders/123456789")
.constraint("serviceuser.services")
.listPolicy(OrganizationPolicyListPolicyArgs.builder()
.allow(OrganizationPolicyListPolicyAllowArgs.builder()
.all(true)
.build())
.build())
.build());
}
}
resources:
servicesPolicy:
type: gcp:folder:OrganizationPolicy
name: services_policy
properties:
folder: folders/123456789
constraint: serviceuser.services
listPolicy:
allow:
all: true
The listPolicy property controls which services are allowed or denied. Setting allow.all to true permits all Google Cloud services in the folder. This is useful for development environments where service restrictions would slow iteration.
Block specific services with a deny list
Organizations often restrict certain APIs for compliance or cost control while suggesting alternatives.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const servicesPolicy = new gcp.folder.OrganizationPolicy("services_policy", {
folder: "folders/123456789",
constraint: "serviceuser.services",
listPolicy: {
suggestedValue: "compute.googleapis.com",
deny: {
values: ["cloudresourcemanager.googleapis.com"],
},
},
});
import pulumi
import pulumi_gcp as gcp
services_policy = gcp.folder.OrganizationPolicy("services_policy",
folder="folders/123456789",
constraint="serviceuser.services",
list_policy={
"suggested_value": "compute.googleapis.com",
"deny": {
"values": ["cloudresourcemanager.googleapis.com"],
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewOrganizationPolicy(ctx, "services_policy", &folder.OrganizationPolicyArgs{
Folder: pulumi.String("folders/123456789"),
Constraint: pulumi.String("serviceuser.services"),
ListPolicy: &folder.OrganizationPolicyListPolicyArgs{
SuggestedValue: pulumi.String("compute.googleapis.com"),
Deny: &folder.OrganizationPolicyListPolicyDenyArgs{
Values: pulumi.StringArray{
pulumi.String("cloudresourcemanager.googleapis.com"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var servicesPolicy = new Gcp.Folder.OrganizationPolicy("services_policy", new()
{
Folder = "folders/123456789",
Constraint = "serviceuser.services",
ListPolicy = new Gcp.Folder.Inputs.OrganizationPolicyListPolicyArgs
{
SuggestedValue = "compute.googleapis.com",
Deny = new Gcp.Folder.Inputs.OrganizationPolicyListPolicyDenyArgs
{
Values = new[]
{
"cloudresourcemanager.googleapis.com",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.OrganizationPolicy;
import com.pulumi.gcp.folder.OrganizationPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyListPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyListPolicyDenyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var servicesPolicy = new OrganizationPolicy("servicesPolicy", OrganizationPolicyArgs.builder()
.folder("folders/123456789")
.constraint("serviceuser.services")
.listPolicy(OrganizationPolicyListPolicyArgs.builder()
.suggestedValue("compute.googleapis.com")
.deny(OrganizationPolicyListPolicyDenyArgs.builder()
.values("cloudresourcemanager.googleapis.com")
.build())
.build())
.build());
}
}
resources:
servicesPolicy:
type: gcp:folder:OrganizationPolicy
name: services_policy
properties:
folder: folders/123456789
constraint: serviceuser.services
listPolicy:
suggestedValue: compute.googleapis.com
deny:
values:
- cloudresourcemanager.googleapis.com
The deny.values array lists services to block. The suggestedValue property recommends an alternative service when users attempt to enable a denied API. This configuration prevents cloudresourcemanager.googleapis.com while suggesting compute.googleapis.com as an alternative.
Restore the default organization policy
When custom policies are no longer needed, teams can restore the inherited organization-level policy.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const servicesPolicy = new gcp.folder.OrganizationPolicy("services_policy", {
folder: "folders/123456789",
constraint: "serviceuser.services",
restorePolicy: {
"default": true,
},
});
import pulumi
import pulumi_gcp as gcp
services_policy = gcp.folder.OrganizationPolicy("services_policy",
folder="folders/123456789",
constraint="serviceuser.services",
restore_policy={
"default": True,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewOrganizationPolicy(ctx, "services_policy", &folder.OrganizationPolicyArgs{
Folder: pulumi.String("folders/123456789"),
Constraint: pulumi.String("serviceuser.services"),
RestorePolicy: &folder.OrganizationPolicyRestorePolicyArgs{
Default: pulumi.Bool(true),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var servicesPolicy = new Gcp.Folder.OrganizationPolicy("services_policy", new()
{
Folder = "folders/123456789",
Constraint = "serviceuser.services",
RestorePolicy = new Gcp.Folder.Inputs.OrganizationPolicyRestorePolicyArgs
{
Default = true,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.OrganizationPolicy;
import com.pulumi.gcp.folder.OrganizationPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyRestorePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var servicesPolicy = new OrganizationPolicy("servicesPolicy", OrganizationPolicyArgs.builder()
.folder("folders/123456789")
.constraint("serviceuser.services")
.restorePolicy(OrganizationPolicyRestorePolicyArgs.builder()
.default_(true)
.build())
.build());
}
}
resources:
servicesPolicy:
type: gcp:folder:OrganizationPolicy
name: services_policy
properties:
folder: folders/123456789
constraint: serviceuser.services
restorePolicy:
default: true
The restorePolicy property removes custom folder policies and inherits from the parent organization. Setting default to true clears any folder-specific overrides. If none of booleanPolicy, listPolicy, or restorePolicy are defined, the policy is effectively unset and shown as ‘Inherited’ in the console.
Beyond these examples
These snippets focus on specific folder policy features: boolean constraints for binary enforcement, list constraints with allow/deny rules, and policy restoration to inherit defaults. They’re intentionally minimal rather than full governance frameworks.
The examples reference pre-existing infrastructure such as Google Cloud folders with numeric IDs, and IAM permissions to set organization policies. They focus on policy configuration rather than folder provisioning or permission management.
To keep things focused, common policy patterns are omitted, including:
- Policy versioning (version property)
- Etag-based optimistic concurrency control
- Constraint discovery and validation
- Migration to gcp.orgpolicy.Policy (V2 API)
These omissions are intentional: the goal is to illustrate how each policy type is wired, not provide drop-in governance modules. See the Folder Organization Policy resource reference for all available configuration options.
Let's manage GCP Organization Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Migration & Deprecation
Should I use this resource for new implementations?
No, this resource has been superseded by
gcp.orgpolicy.Policy, which uses Organization Policy API V2 and supports additional features like tags and conditions.Policy Types & Configuration
What are the three types of organization policies I can set?
You can set
booleanPolicy (enforced or not), listPolicy (allow/deny specific values), or restorePolicy (restore default). Only one type should be defined per policy.How do I enforce a boolean constraint like disabling serial port access?
Set
booleanPolicy with enforced: true. For example, to disable serial port access, use constraint compute.disableSerialPortAccess with booleanPolicy.enforced: true.How do I allow or deny specific services with a list constraint?
Use
listPolicy with either allow.all: true to allow all services, or deny.values with an array of service names like ["cloudresourcemanager.googleapis.com"] to deny specific services.How do I restore the default organization policy for a folder?
Set
restorePolicy with default: true to restore the default policy.Policy Behavior & Inheritance
What does it mean when a policy shows as 'Inherited' in the UI?
If none of
booleanPolicy, listPolicy, or restorePolicy are defined, the policy is effectively unset and inherits from the parent organization. This appears as ‘Inherited’ in the Google Cloud Console.What is the etag field used for?
The
etag is a computed field used for optimistic concurrency control to prevent simultaneous updates from overwriting each other.Immutability & Updates
What properties can't I change after creating the policy?
Both
constraint and folder are immutable. Changing either property will force resource replacement.