Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

gcp.orgpolicy.Policy


    An organization policy gives you programmatic control over your organization’s cloud resources. Using Organization Policies, you will be able to configure constraints across your entire resource hierarchy.

    For more information, see:

    Example Usage

    Enforce_policy

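    An example of an orgpolicy policy with an `enforce` rule on a project. The rule sets `enforce` to `"FALSE"`, so the `iam.disableServiceAccountKeyUpload` constraint is left unenforced for the project; set it to `"TRUE"` when the intent is to apply the guardrail.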

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // Project that the policy below is attached to.
    const basic = new gcp.organizations.Project("basic", {
        projectId: "id",
        name: "id",
        orgId: "123456789",
    });
    // enforce "FALSE" leaves iam.disableServiceAccountKeyUpload unenforced for the
    // project, so key upload stays permitted; "TRUE" would apply the guardrail.
    const keyUploadRule = { enforce: "FALSE" };
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: pulumi.interpolate`projects/${basic.name}/policies/iam.disableServiceAccountKeyUpload`,
        parent: pulumi.interpolate`projects/${basic.name}`,
        spec: { rules: [keyUploadRule] },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    # Project that the policy below is attached to.
    basic = gcp.organizations.Project(
        "basic",
        project_id="id",
        name="id",
        org_id="123456789",
    )
    # enforce="FALSE" leaves iam.disableServiceAccountKeyUpload unenforced for the
    # project, so key upload stays permitted; "TRUE" would apply the guardrail.
    key_upload_rule = gcp.orgpolicy.PolicySpecRuleArgs(enforce="FALSE")
    primary = gcp.orgpolicy.Policy(
        "primary",
        name=basic.name.apply(lambda name: f"projects/{name}/policies/iam.disableServiceAccountKeyUpload"),
        parent=basic.name.apply(lambda name: f"projects/{name}"),
        spec=gcp.orgpolicy.PolicySpecArgs(rules=[key_upload_rule]),
    )
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares a project and an org policy for the
    // iam.disableServiceAccountKeyUpload constraint on that project.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		project, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
    			ProjectId: pulumi.String("id"),
    			Name:      pulumi.String("id"),
    			OrgId:     pulumi.String("123456789"),
    		})
    		if err != nil {
    			return err
    		}
    		// Both identifiers are derived from the project's name output.
    		policyName := project.Name.ApplyT(func(n string) (string, error) {
    			return fmt.Sprintf("projects/%v/policies/iam.disableServiceAccountKeyUpload", n), nil
    		}).(pulumi.StringOutput)
    		policyParent := project.Name.ApplyT(func(n string) (string, error) {
    			return fmt.Sprintf("projects/%v", n), nil
    		}).(pulumi.StringOutput)
    		// Enforce "FALSE" leaves the constraint unenforced, so key upload stays
    		// permitted in this project; "TRUE" would apply the guardrail.
    		keyUploadRule := &orgpolicy.PolicySpecRuleArgs{
    			Enforce: pulumi.String("FALSE"),
    		}
    		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name:   policyName,
    			Parent: policyParent,
    			Spec: &orgpolicy.PolicySpecArgs{
    				Rules: orgpolicy.PolicySpecRuleArray{keyUploadRule},
    			},
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    // Declares a project and an org policy for the
    // iam.disableServiceAccountKeyUpload constraint on that project.
    return await Deployment.RunAsync(() =>
    {
        var basic = new Gcp.Organizations.Project("basic", new()
        {
            ProjectId = "id",
            Name = "id",
            OrgId = "123456789",
        });

        // Enforce "FALSE" leaves the constraint unenforced, so key upload stays
        // permitted in this project; "TRUE" would apply the guardrail.
        var keyUploadRule = new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
        {
            Enforce = "FALSE",
        };

        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = basic.Name.Apply(name => $"projects/{name}/policies/iam.disableServiceAccountKeyUpload"),
            Parent = basic.Name.Apply(name => $"projects/{name}"),
            Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
            {
                Rules = new[] { keyUploadRule },
            },
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Project;
    import com.pulumi.gcp.organizations.ProjectArgs;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
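    /**
     * Declares a project and an org policy for the
     * iam.disableServiceAccountKeyUpload constraint on that project.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Registers the project and its policy with the Pulumi engine. */
        public static void stack(Context ctx) {
            var basic = new Project("basic", ProjectArgs.builder()
                .projectId("id")
                .name("id")
                .orgId("123456789")
                .build());

            // enforce("FALSE") leaves the constraint unenforced, so key upload stays
            // permitted in this project; "TRUE" would apply the guardrail.
            var primary = new Policy("primary", PolicyArgs.builder()
                .name(basic.name().applyValue(name -> String.format("projects/%s/policies/iam.disableServiceAccountKeyUpload", name)))
                .parent(basic.name().applyValue(name -> String.format("projects/%s", name)))
                .spec(PolicySpecArgs.builder()
                    // Fully qualified: the listing's imports have no entry for
                    // PolicySpecRuleArgs, so the bare name does not compile.
                    .rules(com.pulumi.gcp.orgpolicy.inputs.PolicySpecRuleArgs.builder()
                        .enforce("FALSE")
                        .build())
                    .build())
                .build());

        }
    }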
    
    # Org policy for iam.disableServiceAccountKeyUpload on the project "basic".
    resources:
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          name: projects/${basic.name}/policies/iam.disableServiceAccountKeyUpload
          parent: projects/${basic.name}
          spec:
            rules:
              # enforce FALSE leaves the constraint unenforced, so key upload stays
              # permitted in this project; TRUE would apply the guardrail.
              - enforce: FALSE
      basic:
        type: gcp:organizations:Project
        properties:
          projectId: id
          name: id
          orgId: '123456789'
    

    Folder_policy

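    An example of an orgpolicy policy attached to a folder. The single rule sets `denyAll` to `"TRUE"` for `gcp.resourceLocations`, and `inheritFromParent` is `true`, so rules set higher in the hierarchy are also part of the folder's effective policy.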

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // Folder that the policy below is attached to.
    const basic = new gcp.organizations.Folder("basic", {
        parent: "organizations/123456789",
        displayName: "folder",
    });
    // denyAll "TRUE" denies every value of gcp.resourceLocations on this folder.
    const denyAllLocations = { denyAll: "TRUE" };
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: pulumi.interpolate`${basic.name}/policies/gcp.resourceLocations`,
        parent: basic.name,
        spec: {
            // Rules set higher in the hierarchy are merged into the effective policy.
            inheritFromParent: true,
            rules: [denyAllLocations],
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    # Folder that the policy below is attached to.
    basic = gcp.organizations.Folder(
        "basic",
        parent="organizations/123456789",
        display_name="folder",
    )
    # deny_all="TRUE" denies every value of gcp.resourceLocations on this folder.
    deny_all_locations = gcp.orgpolicy.PolicySpecRuleArgs(deny_all="TRUE")
    primary = gcp.orgpolicy.Policy(
        "primary",
        name=basic.name.apply(lambda name: f"{name}/policies/gcp.resourceLocations"),
        parent=basic.name,
        spec=gcp.orgpolicy.PolicySpecArgs(
            # Rules set higher in the hierarchy are merged into the effective policy.
            inherit_from_parent=True,
            rules=[deny_all_locations],
        ),
    )
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares a folder and a gcp.resourceLocations org policy on it.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		folder, err := organizations.NewFolder(ctx, "basic", &organizations.FolderArgs{
    			Parent:      pulumi.String("organizations/123456789"),
    			DisplayName: pulumi.String("folder"),
    		})
    		if err != nil {
    			return err
    		}
    		// The folder's name output is used as the policy's parent path.
    		policyName := folder.Name.ApplyT(func(n string) (string, error) {
    			return fmt.Sprintf("%v/policies/gcp.resourceLocations", n), nil
    		}).(pulumi.StringOutput)
    		// DenyAll "TRUE" denies every value of the constraint on this folder.
    		denyAllLocations := &orgpolicy.PolicySpecRuleArgs{
    			DenyAll: pulumi.String("TRUE"),
    		}
    		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name:   policyName,
    			Parent: folder.Name,
    			Spec: &orgpolicy.PolicySpecArgs{
    				// Rules set higher in the hierarchy are merged into the effective policy.
    				InheritFromParent: pulumi.Bool(true),
    				Rules:             orgpolicy.PolicySpecRuleArray{denyAllLocations},
    			},
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    // Declares a folder and a gcp.resourceLocations org policy on it.
    return await Deployment.RunAsync(() =>
    {
        var basic = new Gcp.Organizations.Folder("basic", new()
        {
            Parent = "organizations/123456789",
            DisplayName = "folder",
        });

        // DenyAll "TRUE" denies every value of the constraint on this folder.
        var denyAllLocations = new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
        {
            DenyAll = "TRUE",
        };

        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = basic.Name.Apply(name => $"{name}/policies/gcp.resourceLocations"),
            Parent = basic.Name,
            Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
            {
                // Rules set higher in the hierarchy are merged into the effective policy.
                InheritFromParent = true,
                Rules = new[] { denyAllLocations },
            },
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Folder;
    import com.pulumi.gcp.organizations.FolderArgs;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
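    /** Declares a folder and a gcp.resourceLocations org policy on it. */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Registers the folder and its policy with the Pulumi engine. */
        public static void stack(Context ctx) {
            var basic = new Folder("basic", FolderArgs.builder()
                .parent("organizations/123456789")
                .displayName("folder")
                .build());

            var primary = new Policy("primary", PolicyArgs.builder()
                .name(basic.name().applyValue(name -> String.format("%s/policies/gcp.resourceLocations", name)))
                .parent(basic.name())
                .spec(PolicySpecArgs.builder()
                    // Rules set higher in the hierarchy are merged into the effective policy.
                    .inheritFromParent(true)
                    // Fully qualified: the listing's imports have no entry for
                    // PolicySpecRuleArgs, so the bare name does not compile.
                    // denyAll("TRUE") denies every value of the constraint on this folder.
                    .rules(com.pulumi.gcp.orgpolicy.inputs.PolicySpecRuleArgs.builder()
                        .denyAll("TRUE")
                        .build())
                    .build())
                .build());

        }
    }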
    
    # Org policy for gcp.resourceLocations on the folder "basic".
    resources:
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          name: ${basic.name}/policies/gcp.resourceLocations
          parent: ${basic.name}
          spec:
            # Rules set higher in the hierarchy are merged into the effective policy.
            inheritFromParent: true
            rules:
              # denyAll TRUE denies every value of the constraint on this folder.
              - denyAll: TRUE
      basic:
        type: gcp:organizations:Folder
        properties:
          parent: organizations/123456789
          displayName: folder
    

    Organization_policy

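    An example of an orgpolicy policy set at the organization level. `reset: true` makes `gcp.detailedAuditLoggingMode` fall back to the constraint's default behavior at this level, so check what that default is before relying on this policy for audit coverage.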

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // reset: true makes the constraint fall back to its default behavior at the
    // organization level. NOTE(review): confirm that default meets the audit
    // logging requirement before relying on this policy.
    const resetSpec = { reset: true };
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: "organizations/123456789/policies/gcp.detailedAuditLoggingMode",
        parent: "organizations/123456789",
        spec: resetSpec,
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    # reset=True makes the constraint fall back to its default behavior at the
    # organization level. NOTE(review): confirm that default meets the audit
    # logging requirement before relying on this policy.
    reset_spec = gcp.orgpolicy.PolicySpecArgs(reset=True)
    primary = gcp.orgpolicy.Policy(
        "primary",
        name="organizations/123456789/policies/gcp.detailedAuditLoggingMode",
        parent="organizations/123456789",
        spec=reset_spec,
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares an organization-level policy for
    // gcp.detailedAuditLoggingMode that resets the constraint.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Reset true makes the constraint fall back to its default behavior at
    		// this level. NOTE(review): confirm that default meets the audit
    		// logging requirement before relying on this policy.
    		resetSpec := &orgpolicy.PolicySpecArgs{
    			Reset: pulumi.Bool(true),
    		}
    		_, err := orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name:   pulumi.String("organizations/123456789/policies/gcp.detailedAuditLoggingMode"),
    			Parent: pulumi.String("organizations/123456789"),
    			Spec:   resetSpec,
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    // Declares an organization-level policy for gcp.detailedAuditLoggingMode
    // that resets the constraint.
    return await Deployment.RunAsync(() =>
    {
        // Reset = true makes the constraint fall back to its default behavior at
        // this level. NOTE(review): confirm that default meets the audit logging
        // requirement before relying on this policy.
        var resetSpec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            Reset = true,
        };

        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = "organizations/123456789/policies/gcp.detailedAuditLoggingMode",
            Parent = "organizations/123456789",
            Spec = resetSpec,
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Declares an organization-level policy for gcp.detailedAuditLoggingMode
     * that resets the constraint.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Registers the policy with the Pulumi engine. */
        public static void stack(Context ctx) {
            // reset(true) makes the constraint fall back to its default behavior at
            // this level. NOTE(review): confirm that default meets the audit logging
            // requirement before relying on this policy.
            var resetSpec = PolicySpecArgs.builder()
                .reset(true)
                .build();

            var policyArgs = PolicyArgs.builder()
                .name("organizations/123456789/policies/gcp.detailedAuditLoggingMode")
                .parent("organizations/123456789")
                .spec(resetSpec)
                .build();

            var primary = new Policy("primary", policyArgs);
        }
    }
    
    # Organization-level policy for gcp.detailedAuditLoggingMode.
    resources:
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          name: organizations/123456789/policies/gcp.detailedAuditLoggingMode
          parent: organizations/123456789
          spec:
            # reset: true makes the constraint fall back to its default behavior
            # at this level. NOTE(review): confirm that default meets the audit
            # logging requirement before relying on this policy.
            reset: true
    

    Project_policy

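    An example of an orgpolicy policy for a project that combines a conditional rule with an unconditional one. The second rule sets `allowAll` to `"TRUE"` with no condition, so review how the two rules combine before reusing the pattern for a restriction such as `gcp.resourceLocations`.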

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // Project that the policy below is attached to.
    const basic = new gcp.organizations.Project("basic", {
        projectId: "id",
        name: "id",
        orgId: "123456789",
    });
    // Applies only where the condition expression matches.
    const conditionalRule = {
        condition: {
            description: "A sample condition for the policy",
            expression: "resource.matchLabels('labelKeys/123', 'labelValues/345')",
            location: "sample-location.log",
            title: "sample-condition",
        },
        values: {
            allowedValues: ["projects/allowed-project"],
            deniedValues: ["projects/denied-project"],
        },
    };
    // Unconditional allow-all. NOTE(review): confirm how this combines with the
    // conditional rule; on its own it places no restriction on the constraint.
    const allowAllRule = { allowAll: "TRUE" };
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: pulumi.interpolate`projects/${basic.name}/policies/gcp.resourceLocations`,
        parent: pulumi.interpolate`projects/${basic.name}`,
        spec: { rules: [conditionalRule, allowAllRule] },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    # Project that the policy below is attached to.
    basic = gcp.organizations.Project(
        "basic",
        project_id="id",
        name="id",
        org_id="123456789",
    )
    # Applies only where the condition expression matches.
    conditional_rule = gcp.orgpolicy.PolicySpecRuleArgs(
        condition=gcp.orgpolicy.PolicySpecRuleConditionArgs(
            description="A sample condition for the policy",
            expression="resource.matchLabels('labelKeys/123', 'labelValues/345')",
            location="sample-location.log",
            title="sample-condition",
        ),
        values=gcp.orgpolicy.PolicySpecRuleValuesArgs(
            allowed_values=["projects/allowed-project"],
            denied_values=["projects/denied-project"],
        ),
    )
    # Unconditional allow-all. NOTE(review): confirm how this combines with the
    # conditional rule; on its own it places no restriction on the constraint.
    allow_all_rule = gcp.orgpolicy.PolicySpecRuleArgs(allow_all="TRUE")
    primary = gcp.orgpolicy.Policy(
        "primary",
        name=basic.name.apply(lambda name: f"projects/{name}/policies/gcp.resourceLocations"),
        parent=basic.name.apply(lambda name: f"projects/{name}"),
        spec=gcp.orgpolicy.PolicySpecArgs(rules=[conditional_rule, allow_all_rule]),
    )
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares a project and a gcp.resourceLocations org policy that pairs
    // a conditional rule with an unconditional allow-all rule.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		project, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
    			ProjectId: pulumi.String("id"),
    			Name:      pulumi.String("id"),
    			OrgId:     pulumi.String("123456789"),
    		})
    		if err != nil {
    			return err
    		}
    		// Both identifiers are derived from the project's name output.
    		policyName := project.Name.ApplyT(func(n string) (string, error) {
    			return fmt.Sprintf("projects/%v/policies/gcp.resourceLocations", n), nil
    		}).(pulumi.StringOutput)
    		policyParent := project.Name.ApplyT(func(n string) (string, error) {
    			return fmt.Sprintf("projects/%v", n), nil
    		}).(pulumi.StringOutput)
    		// Applies only where the condition expression matches.
    		conditionalRule := &orgpolicy.PolicySpecRuleArgs{
    			Condition: &orgpolicy.PolicySpecRuleConditionArgs{
    				Description: pulumi.String("A sample condition for the policy"),
    				Expression:  pulumi.String("resource.matchLabels('labelKeys/123', 'labelValues/345')"),
    				Location:    pulumi.String("sample-location.log"),
    				Title:       pulumi.String("sample-condition"),
    			},
    			Values: &orgpolicy.PolicySpecRuleValuesArgs{
    				AllowedValues: pulumi.StringArray{
    					pulumi.String("projects/allowed-project"),
    				},
    				DeniedValues: pulumi.StringArray{
    					pulumi.String("projects/denied-project"),
    				},
    			},
    		}
    		// Unconditional allow-all. NOTE(review): confirm how this combines with
    		// the conditional rule; on its own it places no restriction on the
    		// constraint.
    		allowAllRule := &orgpolicy.PolicySpecRuleArgs{
    			AllowAll: pulumi.String("TRUE"),
    		}
    		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name:   policyName,
    			Parent: policyParent,
    			Spec: &orgpolicy.PolicySpecArgs{
    				Rules: orgpolicy.PolicySpecRuleArray{conditionalRule, allowAllRule},
    			},
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    // Declares a project and a gcp.resourceLocations org policy that pairs a
    // conditional rule with an unconditional allow-all rule.
    return await Deployment.RunAsync(() =>
    {
        var basic = new Gcp.Organizations.Project("basic", new()
        {
            ProjectId = "id",
            Name = "id",
            OrgId = "123456789",
        });

        // Applies only where the condition expression matches.
        var conditionalRule = new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
        {
            Condition = new Gcp.OrgPolicy.Inputs.PolicySpecRuleConditionArgs
            {
                Description = "A sample condition for the policy",
                Expression = "resource.matchLabels('labelKeys/123', 'labelValues/345')",
                Location = "sample-location.log",
                Title = "sample-condition",
            },
            Values = new Gcp.OrgPolicy.Inputs.PolicySpecRuleValuesArgs
            {
                AllowedValues = new[]
                {
                    "projects/allowed-project",
                },
                DeniedValues = new[]
                {
                    "projects/denied-project",
                },
            },
        };

        // Unconditional allow-all. NOTE(review): confirm how this combines with the
        // conditional rule; on its own it places no restriction on the constraint.
        var allowAllRule = new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
        {
            AllowAll = "TRUE",
        };

        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = basic.Name.Apply(name => $"projects/{name}/policies/gcp.resourceLocations"),
            Parent = basic.Name.Apply(name => $"projects/{name}"),
            Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
            {
                Rules = new[] { conditionalRule, allowAllRule },
            },
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Project;
    import com.pulumi.gcp.organizations.ProjectArgs;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
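    /**
     * Declares a project and a gcp.resourceLocations org policy that pairs a
     * conditional rule with an unconditional allow-all rule.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Registers the project and its policy with the Pulumi engine. */
        public static void stack(Context ctx) {
            var basic = new Project("basic", ProjectArgs.builder()
                .projectId("id")
                .name("id")
                .orgId("123456789")
                .build());

            // The rule, condition and values input types are fully qualified
            // because the listing's imports have no entry for them, so the bare
            // names do not compile.
            // This rule applies only where the condition expression matches.
            var conditionalRule = com.pulumi.gcp.orgpolicy.inputs.PolicySpecRuleArgs.builder()
                .condition(com.pulumi.gcp.orgpolicy.inputs.PolicySpecRuleConditionArgs.builder()
                    .description("A sample condition for the policy")
                    .expression("resource.matchLabels('labelKeys/123', 'labelValues/345')")
                    .location("sample-location.log")
                    .title("sample-condition")
                    .build())
                .values(com.pulumi.gcp.orgpolicy.inputs.PolicySpecRuleValuesArgs.builder()
                    .allowedValues("projects/allowed-project")
                    .deniedValues("projects/denied-project")
                    .build())
                .build();

            // Unconditional allow-all. NOTE(review): confirm how this combines with
            // the conditional rule; on its own it places no restriction on the
            // constraint.
            var allowAllRule = com.pulumi.gcp.orgpolicy.inputs.PolicySpecRuleArgs.builder()
                .allowAll("TRUE")
                .build();

            var primary = new Policy("primary", PolicyArgs.builder()
                .name(basic.name().applyValue(name -> String.format("projects/%s/policies/gcp.resourceLocations", name)))
                .parent(basic.name().applyValue(name -> String.format("projects/%s", name)))
                .spec(PolicySpecArgs.builder()
                    .rules(conditionalRule, allowAllRule)
                    .build())
                .build());

        }
    }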
    
    # Org policy for gcp.resourceLocations on the project "basic".
    resources:
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          name: projects/${basic.name}/policies/gcp.resourceLocations
          parent: projects/${basic.name}
          spec:
            rules:
              # Applies only where the condition expression matches.
              - condition:
                  description: A sample condition for the policy
                  expression: resource.matchLabels('labelKeys/123', 'labelValues/345')
                  location: sample-location.log
                  title: sample-condition
                values:
                  allowedValues:
                    - projects/allowed-project
                  deniedValues:
                    - projects/denied-project
              # Unconditional allow-all. NOTE(review): confirm how this combines
              # with the conditional rule; on its own it places no restriction
              # on the constraint.
              - allowAll: TRUE
      basic:
        type: gcp:organizations:Project
        properties:
          projectId: id
          name: id
          orgId: '123456789'
    

    Dry_run_spec

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // Custom constraint: NodePool CREATE is allowed only when auto-upgrade is off.
    // NOTE(review): with auto-upgrade off, node patching is a manual task; weigh
    // that before enforcing this constraint.
    const constraint = new gcp.orgpolicy.CustomConstraint("constraint", {
        name: "custom.disableGkeAutoUpgrade_41819",
        parent: "organizations/123456789",
        displayName: "Disable GKE auto upgrade",
        description: "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
        actionType: "ALLOW",
        condition: "resource.management.autoUpgrade == false",
        methodTypes: ["CREATE"],
        resourceTypes: ["container.googleapis.com/NodePool"],
    });
    // Live spec: enforce "FALSE" means the custom constraint is not enforced.
    const liveSpec = {
        rules: [{ enforce: "FALSE" }],
    };
    // Dry-run spec: enforce is also "FALSE". NOTE(review): presumably nothing is
    // evaluated in dry-run either; set it to "TRUE" to audit impact first.
    const auditSpec = {
        inheritFromParent: false,
        reset: false,
        rules: [{ enforce: "FALSE" }],
    };
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: pulumi.interpolate`organizations/123456789/policies/${constraint.name}`,
        parent: "organizations/123456789",
        spec: liveSpec,
        dryRunSpec: auditSpec,
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    # Custom constraint: NodePool CREATE is allowed only when auto-upgrade is off.
    # NOTE(review): with auto-upgrade off, node patching is a manual task; weigh
    # that before enforcing this constraint.
    constraint = gcp.orgpolicy.CustomConstraint(
        "constraint",
        name="custom.disableGkeAutoUpgrade_41819",
        parent="organizations/123456789",
        display_name="Disable GKE auto upgrade",
        description="Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
        action_type="ALLOW",
        condition="resource.management.autoUpgrade == false",
        method_types=["CREATE"],
        resource_types=["container.googleapis.com/NodePool"],
    )
    # Live spec: enforce="FALSE" means the custom constraint is not enforced.
    live_spec = gcp.orgpolicy.PolicySpecArgs(
        rules=[gcp.orgpolicy.PolicySpecRuleArgs(enforce="FALSE")],
    )
    # Dry-run spec: enforce is also "FALSE". NOTE(review): presumably nothing is
    # evaluated in dry-run either; set it to "TRUE" to audit impact first.
    audit_spec = gcp.orgpolicy.PolicyDryRunSpecArgs(
        inherit_from_parent=False,
        reset=False,
        rules=[gcp.orgpolicy.PolicyDryRunSpecRuleArgs(enforce="FALSE")],
    )
    primary = gcp.orgpolicy.Policy(
        "primary",
        name=constraint.name.apply(lambda name: f"organizations/123456789/policies/{name}"),
        parent="organizations/123456789",
        spec=live_spec,
        dry_run_spec=audit_spec,
    )
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares a custom constraint on GKE node pools and an organization
    // policy that carries both a live spec and a dry-run spec for it.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// NodePool CREATE is allowed only when auto-upgrade is off.
    		// NOTE(review): with auto-upgrade off, node patching is a manual
    		// task; weigh that before enforcing this constraint.
    		custom, err := orgpolicy.NewCustomConstraint(ctx, "constraint", &orgpolicy.CustomConstraintArgs{
    			Name:        pulumi.String("custom.disableGkeAutoUpgrade_41819"),
    			Parent:      pulumi.String("organizations/123456789"),
    			DisplayName: pulumi.String("Disable GKE auto upgrade"),
    			Description: pulumi.String("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."),
    			ActionType:  pulumi.String("ALLOW"),
    			Condition:   pulumi.String("resource.management.autoUpgrade == false"),
    			MethodTypes: pulumi.StringArray{
    				pulumi.String("CREATE"),
    			},
    			ResourceTypes: pulumi.StringArray{
    				pulumi.String("container.googleapis.com/NodePool"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		policyName := custom.Name.ApplyT(func(n string) (string, error) {
    			return fmt.Sprintf("organizations/123456789/policies/%v", n), nil
    		}).(pulumi.StringOutput)
    		// Live spec: Enforce "FALSE" means the custom constraint is not enforced.
    		liveSpec := &orgpolicy.PolicySpecArgs{
    			Rules: orgpolicy.PolicySpecRuleArray{
    				&orgpolicy.PolicySpecRuleArgs{
    					Enforce: pulumi.String("FALSE"),
    				},
    			},
    		}
    		// Dry-run spec: Enforce is also "FALSE". NOTE(review): presumably
    		// nothing is evaluated in dry-run either; set it to "TRUE" to audit
    		// impact first.
    		auditSpec := &orgpolicy.PolicyDryRunSpecArgs{
    			InheritFromParent: pulumi.Bool(false),
    			Reset:             pulumi.Bool(false),
    			Rules: orgpolicy.PolicyDryRunSpecRuleArray{
    				&orgpolicy.PolicyDryRunSpecRuleArgs{
    					Enforce: pulumi.String("FALSE"),
    				},
    			},
    		}
    		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name:       policyName,
    			Parent:     pulumi.String("organizations/123456789"),
    			Spec:       liveSpec,
    			DryRunSpec: auditSpec,
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    // Declares a custom constraint on GKE node pools and an organization policy
    // that carries both a live spec and a dry-run spec for it.
    return await Deployment.RunAsync(() =>
    {
        // NodePool CREATE is allowed only when auto-upgrade is off.
        // NOTE(review): with auto-upgrade off, node patching is a manual task;
        // weigh that before enforcing this constraint.
        var constraint = new Gcp.OrgPolicy.CustomConstraint("constraint", new()
        {
            Name = "custom.disableGkeAutoUpgrade_41819",
            Parent = "organizations/123456789",
            DisplayName = "Disable GKE auto upgrade",
            Description = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
            ActionType = "ALLOW",
            Condition = "resource.management.autoUpgrade == false",
            MethodTypes = new[]
            {
                "CREATE",
            },
            ResourceTypes = new[]
            {
                "container.googleapis.com/NodePool",
            },
        });

        // Live spec: Enforce "FALSE" means the custom constraint is not enforced.
        var liveSpec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                {
                    Enforce = "FALSE",
                },
            },
        };

        // Dry-run spec: Enforce is also "FALSE". NOTE(review): presumably nothing
        // is evaluated in dry-run either; set it to "TRUE" to audit impact first.
        var auditSpec = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecArgs
        {
            InheritFromParent = false,
            Reset = false,
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleArgs
                {
                    Enforce = "FALSE",
                },
            },
        };

        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = constraint.Name.Apply(name => $"organizations/123456789/policies/{name}"),
            Parent = "organizations/123456789",
            Spec = liveSpec,
            DryRunSpec = auditSpec,
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.orgpolicy.CustomConstraint;
    import com.pulumi.gcp.orgpolicy.CustomConstraintArgs;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicyDryRunSpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
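    /**
     * Declares a custom constraint on GKE node pools and an organization policy
     * that carries both a live spec and a dry-run spec for it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Registers the custom constraint and its policy with the Pulumi engine. */
        public static void stack(Context ctx) {
            // NodePool CREATE is allowed only when auto-upgrade is off.
            // NOTE(review): with auto-upgrade off, node patching is a manual task;
            // weigh that before enforcing this constraint.
            var constraint = new CustomConstraint("constraint", CustomConstraintArgs.builder()
                .name("custom.disableGkeAutoUpgrade_41819")
                .parent("organizations/123456789")
                .displayName("Disable GKE auto upgrade")
                .description("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.")
                .actionType("ALLOW")
                .condition("resource.management.autoUpgrade == false")
                .methodTypes("CREATE")
                .resourceTypes("container.googleapis.com/NodePool")
                .build());

            // The two rule input types are fully qualified because the listing's
            // imports have no entry for them, so the bare names do not compile.
            var primary = new Policy("primary", PolicyArgs.builder()
                .name(constraint.name().applyValue(name -> String.format("organizations/123456789/policies/%s", name)))
                .parent("organizations/123456789")
                // Live spec: enforce("FALSE") means the custom constraint is not enforced.
                .spec(PolicySpecArgs.builder()
                    .rules(com.pulumi.gcp.orgpolicy.inputs.PolicySpecRuleArgs.builder()
                        .enforce("FALSE")
                        .build())
                    .build())
                // Dry-run spec: enforce is also "FALSE". NOTE(review): presumably
                // nothing is evaluated in dry-run either; set it to "TRUE" to
                // audit impact first.
                .dryRunSpec(PolicyDryRunSpecArgs.builder()
                    .inheritFromParent(false)
                    .reset(false)
                    .rules(com.pulumi.gcp.orgpolicy.inputs.PolicyDryRunSpecRuleArgs.builder()
                        .enforce("FALSE")
                        .build())
                    .build())
                .build());

        }
    }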
    
    # Declares a custom org-policy constraint on GKE node pools and a Policy
    # at organization level that refers to it.
    resources:
      constraint:
        type: gcp:orgpolicy:CustomConstraint
        properties:
          name: custom.disableGkeAutoUpgrade_41819
          parent: organizations/123456789
          displayName: Disable GKE auto upgrade
          description: Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.
          # ALLOW + condition: the operation is permitted only when auto-upgrade is off.
          actionType: ALLOW
          condition: resource.management.autoUpgrade == false
          # NOTE(review): the description says "created or updated", but only CREATE
          # is listed here; confirm whether updates should be covered as well.
          methodTypes:
            - CREATE
          resourceTypes:
            - container.googleapis.com/NodePool
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          # The policy name embeds the constraint's name output.
          name: organizations/123456789/policies/${constraint.name}
          parent: organizations/123456789
          spec:
            rules:
              # Per the Enforce property reference on this page, FALSE means any
              # configuration is acceptable, so the constraint is not enforced here;
              # TRUE is the value that enforces it.
              # NOTE(review): Enforce is documented as a string; an unquoted FALSE may
              # be read as a YAML boolean. Confirm, and quote the value if needed.
              - enforce: FALSE
          # Dry-run (audit-only) spec, documented on this page as a way to monitor
          # the impact a policy would have if enforced.
          dryRunSpec:
            inheritFromParent: false
            reset: false
            rules:
              - enforce: FALSE
    

    Create Policy Resource

    new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
    @overload
    def Policy(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               dry_run_spec: Optional[PolicyDryRunSpecArgs] = None,
               name: Optional[str] = None,
               parent: Optional[str] = None,
               spec: Optional[PolicySpecArgs] = None)
    @overload
    def Policy(resource_name: str,
               args: PolicyArgs,
               opts: Optional[ResourceOptions] = None)
    func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
    public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
    public Policy(String name, PolicyArgs args)
    public Policy(String name, PolicyArgs args, CustomResourceOptions options)
    
    type: gcp:orgpolicy:Policy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Policy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Policy resource accepts the following input properties:

    Parent string
    The parent of the resource.


    DryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    Name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    Spec PolicySpec
    Basic information about the Organization Policy.
    Parent string
    The parent of the resource.


    DryRunSpec PolicyDryRunSpecArgs
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    Name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    Spec PolicySpecArgs
    Basic information about the Organization Policy.
    parent String
    The parent of the resource.


    dryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    name String
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    spec PolicySpec
    Basic information about the Organization Policy.
    parent string
    The parent of the resource.


    dryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    spec PolicySpec
    Basic information about the Organization Policy.
    parent str
    The parent of the resource.


    dry_run_spec PolicyDryRunSpecArgs
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    name str
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    spec PolicySpecArgs
    Basic information about the Organization Policy.
    parent String
    The parent of the resource.


    dryRunSpec Property Map
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    name String
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    spec Property Map
    Basic information about the Organization Policy.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

    Etag string
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    Id string
    The provider-assigned unique ID for this managed resource.
    Etag string
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    Id string
    The provider-assigned unique ID for this managed resource.
    etag String
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    id String
    The provider-assigned unique ID for this managed resource.
    etag string
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    id string
    The provider-assigned unique ID for this managed resource.
    etag str
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    id str
    The provider-assigned unique ID for this managed resource.
    etag String
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Policy Resource

    Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            dry_run_spec: Optional[PolicyDryRunSpecArgs] = None,
            etag: Optional[str] = None,
            name: Optional[str] = None,
            parent: Optional[str] = None,
            spec: Optional[PolicySpecArgs] = None) -> Policy
    func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
    public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
    public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    DryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    Etag string
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    Name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    Parent string
    The parent of the resource.


    Spec PolicySpec
    Basic information about the Organization Policy.
    DryRunSpec PolicyDryRunSpecArgs
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    Etag string
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    Name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    Parent string
    The parent of the resource.


    Spec PolicySpecArgs
    Basic information about the Organization Policy.
    dryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    etag String
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    name String
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    parent String
    The parent of the resource.


    spec PolicySpec
    Basic information about the Organization Policy.
    dryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    etag string
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    parent string
    The parent of the resource.


    spec PolicySpec
    Basic information about the Organization Policy.
    dry_run_spec PolicyDryRunSpecArgs
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    etag str
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    name str
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    parent str
    The parent of the resource.


    spec PolicySpecArgs
    Basic information about the Organization Policy.
    dryRunSpec Property Map
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
    etag String
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    name String
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    parent String
    The parent of the resource.


    spec Property Map
    Basic information about the Organization Policy.

    Supporting Types

    PolicyDryRunSpec, PolicyDryRunSpecArgs

    Etag string
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    InheritFromParent bool
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    Reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    Rules List<PolicyDryRunSpecRule>
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
    UpdateTime string
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    Etag string
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    InheritFromParent bool
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    Reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    Rules []PolicyDryRunSpecRule
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
    UpdateTime string
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    etag String
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inheritFromParent Boolean
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    reset Boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules List<PolicyDryRunSpecRule>
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
    updateTime String
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    etag string
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inheritFromParent boolean
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    reset boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules PolicyDryRunSpecRule[]
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
    updateTime string
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    etag str
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inherit_from_parent bool
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules Sequence[PolicyDryRunSpecRule]
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
    update_time str
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    etag String
    An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inheritFromParent Boolean
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    reset Boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules List<Property Map>
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
    updateTime String
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.

    PolicyDryRunSpecRule, PolicyDryRunSpecRuleArgs

    AllowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    Condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    DenyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    Enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    Values PolicyDryRunSpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    AllowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    Condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    DenyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    Enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    Values PolicyDryRunSpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    allowAll String
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    denyAll String
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce String
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicyDryRunSpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    allowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    denyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicyDryRunSpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    allow_all str
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    deny_all str
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce str
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicyDryRunSpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    allowAll String
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition Property Map
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    denyAll String
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce String
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values Property Map
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.

    PolicyDryRunSpecRuleCondition, PolicyDryRunSpecRuleConditionArgs

    Description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    Description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description String
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    location String
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description str
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression str
    Textual representation of an expression in Common Expression Language syntax.
    location str
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title str
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description String
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    location String
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    PolicyDryRunSpecRuleValues, PolicyDryRunSpecRuleValuesArgs

    AllowedValues List<string>
    List of values allowed at this resource.
    DeniedValues List<string>
    List of values denied at this resource.
    AllowedValues []string
    List of values allowed at this resource.
    DeniedValues []string
    List of values denied at this resource.
    allowedValues List<String>
    List of values allowed at this resource.
    deniedValues List<String>
    List of values denied at this resource.
    allowedValues string[]
    List of values allowed at this resource.
    deniedValues string[]
    List of values denied at this resource.
    allowed_values Sequence[str]
    List of values allowed at this resource.
    denied_values Sequence[str]
    List of values denied at this resource.
    allowedValues List<String>
    List of values allowed at this resource.
    deniedValues List<String>
    List of values denied at this resource.

    PolicySpec, PolicySpecArgs

    Etag string
    An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    InheritFromParent bool
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    Reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    Rules List<PolicySpecRule>
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
    UpdateTime string
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    Etag string
    An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    InheritFromParent bool
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    Reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    Rules []PolicySpecRule
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
    UpdateTime string
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    etag String
    An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inheritFromParent Boolean
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    reset Boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules List<PolicySpecRule>
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
    updateTime String
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    etag string
    An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inheritFromParent boolean
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    reset boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules PolicySpecRule[]
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
    updateTime string
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    etag str
    An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inherit_from_parent bool
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules Sequence[PolicySpecRule]
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
    update_time str
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    etag String
    An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inheritFromParent Boolean
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    reset Boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules List<Property Map>
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
    updateTime String
    Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.

    PolicySpecRule, PolicySpecRuleArgs

    AllowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    Condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    DenyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    Enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then the constraint is not enforced and any configuration is acceptable. The value is the string "TRUE" or "FALSE", not a boolean. This field can be set only in Policies for boolean constraints.
    Values PolicySpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    AllowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    Condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    DenyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    Enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    Values PolicySpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    allowAll String
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    denyAll String
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce String
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicySpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    allowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    denyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicySpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    allow_all str
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    deny_all str
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce str
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicySpecRuleValues
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.
    allowAll String
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition Property Map
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
    denyAll String
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce String
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values Property Map
    List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints.

    PolicySpecRuleCondition, PolicySpecRuleConditionArgs

    Description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    Description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. shown when hovering over it in a UI.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow entering the expression.
    description String
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. shown when hovering over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    location String
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow entering the expression.
    description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. shown when hovering over it in a UI.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow entering the expression.
    description str
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. shown when hovering over it in a UI.
    expression str
    Textual representation of an expression in Common Expression Language syntax.
    location str
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title str
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow entering the expression.
    description String
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. shown when hovering over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    location String
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow entering the expression.

    PolicySpecRuleValues, PolicySpecRuleValuesArgs

    AllowedValues List<string>
    List of values allowed at this resource.
    DeniedValues List<string>
    List of values denied at this resource.
    AllowedValues []string
    List of values allowed at this resource.
    DeniedValues []string
    List of values denied at this resource.
    allowedValues List<String>
    List of values allowed at this resource.
    deniedValues List<String>
    List of values denied at this resource.
    allowedValues string[]
    List of values allowed at this resource.
    deniedValues string[]
    List of values denied at this resource.
    allowed_values Sequence[str]
    List of values allowed at this resource.
    denied_values Sequence[str]
    List of values denied at this resource.
    allowedValues List<String>
    List of values allowed at this resource.
    deniedValues List<String>
    List of values denied at this resource.

    Import

    Policy can be imported using any of these accepted formats:

    • {{parent}}/policies/{{name}}

    When using the pulumi import command, Policy can be imported using one of the formats above. For example:

    $ pulumi import gcp:orgpolicy/policy:Policy default {{parent}}/policies/{{name}}
    

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.