The gcp:folder/organizationPolicy:OrganizationPolicy resource, part of the Pulumi GCP provider, applies organization policies to Google Cloud folders, controlling which services and features can be used by resources within those folders. This guide focuses on three capabilities: boolean constraint enforcement, list constraint allow/deny rules, and policy restoration.
This resource has been superseded by gcp.orgpolicy.Policy, which uses Organization Policy API V2 and supports tags and conditions. The examples are intentionally small. Combine them with your own folder hierarchy and constraint requirements.
Enforce a boolean constraint on folder resources
Organizations often enforce security policies across folders, such as disabling serial port access to prevent unauthorized console access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const serialPortPolicy = new gcp.folder.OrganizationPolicy("serial_port_policy", {
folder: "folders/123456789",
constraint: "compute.disableSerialPortAccess",
booleanPolicy: {
enforced: true,
},
});
import pulumi
import pulumi_gcp as gcp
serial_port_policy = gcp.folder.OrganizationPolicy("serial_port_policy",
folder="folders/123456789",
constraint="compute.disableSerialPortAccess",
boolean_policy={
"enforced": True,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewOrganizationPolicy(ctx, "serial_port_policy", &folder.OrganizationPolicyArgs{
Folder: pulumi.String("folders/123456789"),
Constraint: pulumi.String("compute.disableSerialPortAccess"),
BooleanPolicy: &folder.OrganizationPolicyBooleanPolicyArgs{
Enforced: pulumi.Bool(true),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var serialPortPolicy = new Gcp.Folder.OrganizationPolicy("serial_port_policy", new()
{
Folder = "folders/123456789",
Constraint = "compute.disableSerialPortAccess",
BooleanPolicy = new Gcp.Folder.Inputs.OrganizationPolicyBooleanPolicyArgs
{
Enforced = true,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.OrganizationPolicy;
import com.pulumi.gcp.folder.OrganizationPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyBooleanPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var serialPortPolicy = new OrganizationPolicy("serialPortPolicy", OrganizationPolicyArgs.builder()
.folder("folders/123456789")
.constraint("compute.disableSerialPortAccess")
.booleanPolicy(OrganizationPolicyBooleanPolicyArgs.builder()
.enforced(true)
.build())
.build());
}
}
resources:
serialPortPolicy:
type: gcp:folder:OrganizationPolicy
name: serial_port_policy
properties:
folder: folders/123456789
constraint: compute.disableSerialPortAccess
booleanPolicy:
enforced: true
The booleanPolicy property enforces binary constraints. When enforced is true, the constraint blocks the specified behavior across all resources in the folder. The constraint property identifies which policy to apply; here, compute.disableSerialPortAccess prevents serial port access on compute instances.
Allow all values for a list constraint
Some constraints control which services can be used. A permissive policy allows teams to use any service without restriction.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const servicesPolicy = new gcp.folder.OrganizationPolicy("services_policy", {
folder: "folders/123456789",
constraint: "serviceuser.services",
listPolicy: {
allow: {
all: true,
},
},
});
import pulumi
import pulumi_gcp as gcp
services_policy = gcp.folder.OrganizationPolicy("services_policy",
folder="folders/123456789",
constraint="serviceuser.services",
list_policy={
"allow": {
"all": True,
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewOrganizationPolicy(ctx, "services_policy", &folder.OrganizationPolicyArgs{
Folder: pulumi.String("folders/123456789"),
Constraint: pulumi.String("serviceuser.services"),
ListPolicy: &folder.OrganizationPolicyListPolicyArgs{
Allow: &folder.OrganizationPolicyListPolicyAllowArgs{
All: pulumi.Bool(true),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var servicesPolicy = new Gcp.Folder.OrganizationPolicy("services_policy", new()
{
Folder = "folders/123456789",
Constraint = "serviceuser.services",
ListPolicy = new Gcp.Folder.Inputs.OrganizationPolicyListPolicyArgs
{
Allow = new Gcp.Folder.Inputs.OrganizationPolicyListPolicyAllowArgs
{
All = true,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.OrganizationPolicy;
import com.pulumi.gcp.folder.OrganizationPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyListPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyListPolicyAllowArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var servicesPolicy = new OrganizationPolicy("servicesPolicy", OrganizationPolicyArgs.builder()
.folder("folders/123456789")
.constraint("serviceuser.services")
.listPolicy(OrganizationPolicyListPolicyArgs.builder()
.allow(OrganizationPolicyListPolicyAllowArgs.builder()
.all(true)
.build())
.build())
.build());
}
}
resources:
servicesPolicy:
type: gcp:folder:OrganizationPolicy
name: services_policy
properties:
folder: folders/123456789
constraint: serviceuser.services
listPolicy:
allow:
all: true
The listPolicy property manages constraints that accept multiple values. Setting allow.all to true permits all services. This is useful when you want to remove restrictions inherited from parent organizations.
Block specific services with a deny list
Organizations may need to prevent certain services while allowing others, such as blocking Cloud Resource Manager API access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const servicesPolicy = new gcp.folder.OrganizationPolicy("services_policy", {
folder: "folders/123456789",
constraint: "serviceuser.services",
listPolicy: {
suggestedValue: "compute.googleapis.com",
deny: {
values: ["cloudresourcemanager.googleapis.com"],
},
},
});
import pulumi
import pulumi_gcp as gcp
services_policy = gcp.folder.OrganizationPolicy("services_policy",
folder="folders/123456789",
constraint="serviceuser.services",
list_policy={
"suggested_value": "compute.googleapis.com",
"deny": {
"values": ["cloudresourcemanager.googleapis.com"],
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewOrganizationPolicy(ctx, "services_policy", &folder.OrganizationPolicyArgs{
Folder: pulumi.String("folders/123456789"),
Constraint: pulumi.String("serviceuser.services"),
ListPolicy: &folder.OrganizationPolicyListPolicyArgs{
SuggestedValue: pulumi.String("compute.googleapis.com"),
Deny: &folder.OrganizationPolicyListPolicyDenyArgs{
Values: pulumi.StringArray{
pulumi.String("cloudresourcemanager.googleapis.com"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var servicesPolicy = new Gcp.Folder.OrganizationPolicy("services_policy", new()
{
Folder = "folders/123456789",
Constraint = "serviceuser.services",
ListPolicy = new Gcp.Folder.Inputs.OrganizationPolicyListPolicyArgs
{
SuggestedValue = "compute.googleapis.com",
Deny = new Gcp.Folder.Inputs.OrganizationPolicyListPolicyDenyArgs
{
Values = new[]
{
"cloudresourcemanager.googleapis.com",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.OrganizationPolicy;
import com.pulumi.gcp.folder.OrganizationPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyListPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyListPolicyDenyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var servicesPolicy = new OrganizationPolicy("servicesPolicy", OrganizationPolicyArgs.builder()
.folder("folders/123456789")
.constraint("serviceuser.services")
.listPolicy(OrganizationPolicyListPolicyArgs.builder()
.suggestedValue("compute.googleapis.com")
.deny(OrganizationPolicyListPolicyDenyArgs.builder()
.values("cloudresourcemanager.googleapis.com")
.build())
.build())
.build());
}
}
resources:
servicesPolicy:
type: gcp:folder:OrganizationPolicy
name: services_policy
properties:
folder: folders/123456789
constraint: serviceuser.services
listPolicy:
suggestedValue: compute.googleapis.com
deny:
values:
- cloudresourcemanager.googleapis.com
The deny block within listPolicy specifies services to block. The suggestedValue property recommends an alternative service when the denied service is requested. This configuration blocks cloudresourcemanager.googleapis.com while suggesting compute.googleapis.com.
Restore the default organization policy
When a custom policy is no longer needed, restoring the default removes folder-level overrides and inherits settings from the parent organization.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const servicesPolicy = new gcp.folder.OrganizationPolicy("services_policy", {
folder: "folders/123456789",
constraint: "serviceuser.services",
restorePolicy: {
"default": true,
},
});
import pulumi
import pulumi_gcp as gcp
services_policy = gcp.folder.OrganizationPolicy("services_policy",
folder="folders/123456789",
constraint="serviceuser.services",
restore_policy={
"default": True,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewOrganizationPolicy(ctx, "services_policy", &folder.OrganizationPolicyArgs{
Folder: pulumi.String("folders/123456789"),
Constraint: pulumi.String("serviceuser.services"),
RestorePolicy: &folder.OrganizationPolicyRestorePolicyArgs{
Default: pulumi.Bool(true),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var servicesPolicy = new Gcp.Folder.OrganizationPolicy("services_policy", new()
{
Folder = "folders/123456789",
Constraint = "serviceuser.services",
RestorePolicy = new Gcp.Folder.Inputs.OrganizationPolicyRestorePolicyArgs
{
Default = true,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.OrganizationPolicy;
import com.pulumi.gcp.folder.OrganizationPolicyArgs;
import com.pulumi.gcp.folder.inputs.OrganizationPolicyRestorePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var servicesPolicy = new OrganizationPolicy("servicesPolicy", OrganizationPolicyArgs.builder()
.folder("folders/123456789")
.constraint("serviceuser.services")
.restorePolicy(OrganizationPolicyRestorePolicyArgs.builder()
.default_(true)
.build())
.build());
}
}
resources:
servicesPolicy:
type: gcp:folder:OrganizationPolicy
name: services_policy
properties:
folder: folders/123456789
constraint: serviceuser.services
restorePolicy:
default: true
The restorePolicy property removes custom policies and reverts to inherited behavior. Setting default to true clears any folder-specific configuration. In the UI, this appears as the constraint being ‘Inherited’.
Beyond these examples
These snippets focus on specific organization policy features: boolean constraints for binary enforcement, list constraints with allow/deny rules, and policy restoration and inheritance. They’re intentionally minimal rather than full governance frameworks.
The examples reference pre-existing infrastructure such as Google Cloud folders with numeric IDs. They focus on policy configuration rather than folder provisioning.
To keep things focused, common policy patterns are omitted, including:
- Policy versioning (version property)
- Optimistic concurrency control (etag)
- Constraint discovery and validation
- Organization-level vs folder-level policy differences
These omissions are intentional: the goal is to illustrate how each policy type is wired, not provide drop-in governance modules. See the Folder Organization Policy resource reference for all available configuration options.
Let's manage GCP Organization Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Migration & Deprecation
Should I use this resource for new projects?
No, this resource has been superseded by
gcp.orgpolicy.Policy, which uses Organization Policy API V2 and supports additional features like tags and conditions.Policy Types & Configuration
What's the difference between the three policy types?
You can set one of three policy types:
booleanPolicy (enforced or not), listPolicy (allow/deny specific values or all values), or restorePolicy (restore default policy). Only one type can be defined per policy.Why does my policy show as 'Inherited' in the console?
If none of
booleanPolicy, listPolicy, or restorePolicy are defined, the policy is effectively unset and inherits from the parent organization.How do I enforce a boolean constraint?
Use
booleanPolicy with enforced: true. For example, to disable serial port access, set constraint: "compute.disableSerialPortAccess" with booleanPolicy.enforced: true.How do I control which services are allowed or denied?
Use
listPolicy with either allow.all: true to allow all services, or deny.values with an array of service names like ["cloudresourcemanager.googleapis.com"] to deny specific services.How do I restore the default organization policy?
Set
restorePolicy.default: true to restore the default policy for a given constraint.Immutability & Updates
What happens if I change the constraint or folder?
Both
constraint and folder are immutable. Changing either property forces resource replacement (destroy and recreate).What is the etag field used for?
The
etag is a computed field used for optimistic concurrency control to prevent simultaneous updates from overwriting each other.