1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. orgpolicy
  5. Policy
Google Cloud Classic v7.32.0 published on Tuesday, Jul 16, 2024 by Pulumi

gcp.orgpolicy.Policy

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.32.0 published on Tuesday, Jul 16, 2024 by Pulumi

    Defines an organization policy which is used to specify constraints for configurations of Google Cloud resources.

    To get more information about Policy, see:

    Example Usage

    Org Policy Policy Enforce

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const basic = new gcp.organizations.Project("basic", {
        projectId: "id",
        name: "id",
        orgId: "123456789",
    });
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: pulumi.interpolate`projects/${basic.name}/policies/iam.disableServiceAccountKeyUpload`,
        parent: pulumi.interpolate`projects/${basic.name}`,
        spec: {
            rules: [{
                enforce: "FALSE",
            }],
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    basic = gcp.organizations.Project("basic",
        project_id="id",
        name="id",
        org_id="123456789")
    primary = gcp.orgpolicy.Policy("primary",
        name=basic.name.apply(lambda name: f"projects/{name}/policies/iam.disableServiceAccountKeyUpload"),
        parent=basic.name.apply(lambda name: f"projects/{name}"),
        spec={
            "rules": [{
                "enforce": "FALSE",
            }],
        })
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		basic, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
    			ProjectId: pulumi.String("id"),
    			Name:      pulumi.String("id"),
    			OrgId:     pulumi.String("123456789"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name: basic.Name.ApplyT(func(name string) (string, error) {
    				return fmt.Sprintf("projects/%v/policies/iam.disableServiceAccountKeyUpload", name), nil
    			}).(pulumi.StringOutput),
    			Parent: basic.Name.ApplyT(func(name string) (string, error) {
    				return fmt.Sprintf("projects/%v", name), nil
    			}).(pulumi.StringOutput),
    			Spec: &orgpolicy.PolicySpecArgs{
    				Rules: orgpolicy.PolicySpecRuleArray{
    					&orgpolicy.PolicySpecRuleArgs{
    						Enforce: pulumi.String("FALSE"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var basic = new Gcp.Organizations.Project("basic", new()
        {
            ProjectId = "id",
            Name = "id",
            OrgId = "123456789",
        });
    
        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = basic.Name.Apply(name => $"projects/{name}/policies/iam.disableServiceAccountKeyUpload"),
            Parent = basic.Name.Apply(name => $"projects/{name}"),
            Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
            {
                Rules = new[]
                {
                    new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                    {
                        Enforce = "FALSE",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Project;
    import com.pulumi.gcp.organizations.ProjectArgs;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var basic = new Project("basic", ProjectArgs.builder()
                .projectId("id")
                .name("id")
                .orgId("123456789")
                .build());
    
            var primary = new Policy("primary", PolicyArgs.builder()
                .name(basic.name().applyValue(name -> String.format("projects/%s/policies/iam.disableServiceAccountKeyUpload", name)))
                .parent(basic.name().applyValue(name -> String.format("projects/%s", name)))
                .spec(PolicySpecArgs.builder()
                    .rules(PolicySpecRuleArgs.builder()
                        .enforce("FALSE")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          name: projects/${basic.name}/policies/iam.disableServiceAccountKeyUpload
          parent: projects/${basic.name}
          spec:
            rules:
              - enforce: FALSE
      basic:
        type: gcp:organizations:Project
        properties:
          projectId: id
          name: id
          orgId: '123456789'
    

    Org Policy Policy Folder

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const basic = new gcp.organizations.Folder("basic", {
        parent: "organizations/123456789",
        displayName: "folder",
    });
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: pulumi.interpolate`${basic.name}/policies/gcp.resourceLocations`,
        parent: basic.name,
        spec: {
            inheritFromParent: true,
            rules: [{
                denyAll: "TRUE",
            }],
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    basic = gcp.organizations.Folder("basic",
        parent="organizations/123456789",
        display_name="folder")
    primary = gcp.orgpolicy.Policy("primary",
        name=basic.name.apply(lambda name: f"{name}/policies/gcp.resourceLocations"),
        parent=basic.name,
        spec={
            "inheritFromParent": True,
            "rules": [{
                "denyAll": "TRUE",
            }],
        })
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		basic, err := organizations.NewFolder(ctx, "basic", &organizations.FolderArgs{
    			Parent:      pulumi.String("organizations/123456789"),
    			DisplayName: pulumi.String("folder"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name: basic.Name.ApplyT(func(name string) (string, error) {
    				return fmt.Sprintf("%v/policies/gcp.resourceLocations", name), nil
    			}).(pulumi.StringOutput),
    			Parent: basic.Name,
    			Spec: &orgpolicy.PolicySpecArgs{
    				InheritFromParent: pulumi.Bool(true),
    				Rules: orgpolicy.PolicySpecRuleArray{
    					&orgpolicy.PolicySpecRuleArgs{
    						DenyAll: pulumi.String("TRUE"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var basic = new Gcp.Organizations.Folder("basic", new()
        {
            Parent = "organizations/123456789",
            DisplayName = "folder",
        });
    
        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = basic.Name.Apply(name => $"{name}/policies/gcp.resourceLocations"),
            Parent = basic.Name,
            Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
            {
                InheritFromParent = true,
                Rules = new[]
                {
                    new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                    {
                        DenyAll = "TRUE",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Folder;
    import com.pulumi.gcp.organizations.FolderArgs;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var basic = new Folder("basic", FolderArgs.builder()
                .parent("organizations/123456789")
                .displayName("folder")
                .build());
    
            var primary = new Policy("primary", PolicyArgs.builder()
                .name(basic.name().applyValue(name -> String.format("%s/policies/gcp.resourceLocations", name)))
                .parent(basic.name())
                .spec(PolicySpecArgs.builder()
                    .inheritFromParent(true)
                    .rules(PolicySpecRuleArgs.builder()
                        .denyAll("TRUE")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          name: ${basic.name}/policies/gcp.resourceLocations
          parent: ${basic.name}
          spec:
            inheritFromParent: true
            rules:
              - denyAll: TRUE
      basic:
        type: gcp:organizations:Folder
        properties:
          parent: organizations/123456789
          displayName: folder
    

    Org Policy Policy Organization

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: "organizations/123456789/policies/gcp.detailedAuditLoggingMode",
        parent: "organizations/123456789",
        spec: {
            reset: true,
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    primary = gcp.orgpolicy.Policy("primary",
        name="organizations/123456789/policies/gcp.detailedAuditLoggingMode",
        parent="organizations/123456789",
        spec={
            "reset": True,
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name:   pulumi.String("organizations/123456789/policies/gcp.detailedAuditLoggingMode"),
    			Parent: pulumi.String("organizations/123456789"),
    			Spec: &orgpolicy.PolicySpecArgs{
    				Reset: pulumi.Bool(true),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = "organizations/123456789/policies/gcp.detailedAuditLoggingMode",
            Parent = "organizations/123456789",
            Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
            {
                Reset = true,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var primary = new Policy("primary", PolicyArgs.builder()
                .name("organizations/123456789/policies/gcp.detailedAuditLoggingMode")
                .parent("organizations/123456789")
                .spec(PolicySpecArgs.builder()
                    .reset(true)
                    .build())
                .build());
    
        }
    }
    
    resources:
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          name: organizations/123456789/policies/gcp.detailedAuditLoggingMode
          parent: organizations/123456789
          spec:
            reset: true
    

    Org Policy Policy Project

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const basic = new gcp.organizations.Project("basic", {
        projectId: "id",
        name: "id",
        orgId: "123456789",
    });
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: pulumi.interpolate`projects/${basic.name}/policies/gcp.resourceLocations`,
        parent: pulumi.interpolate`projects/${basic.name}`,
        spec: {
            rules: [
                {
                    condition: {
                        description: "A sample condition for the policy",
                        expression: "resource.matchLabels('labelKeys/123', 'labelValues/345')",
                        location: "sample-location.log",
                        title: "sample-condition",
                    },
                    values: {
                        allowedValues: ["projects/allowed-project"],
                        deniedValues: ["projects/denied-project"],
                    },
                },
                {
                    allowAll: "TRUE",
                },
            ],
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    basic = gcp.organizations.Project("basic",
        project_id="id",
        name="id",
        org_id="123456789")
    primary = gcp.orgpolicy.Policy("primary",
        name=basic.name.apply(lambda name: f"projects/{name}/policies/gcp.resourceLocations"),
        parent=basic.name.apply(lambda name: f"projects/{name}"),
        spec={
            "rules": [
                {
                    "condition": {
                        "description": "A sample condition for the policy",
                        "expression": "resource.matchLabels('labelKeys/123', 'labelValues/345')",
                        "location": "sample-location.log",
                        "title": "sample-condition",
                    },
                    "values": {
                        "allowedValues": ["projects/allowed-project"],
                        "deniedValues": ["projects/denied-project"],
                    },
                },
                {
                    "allowAll": "TRUE",
                },
            ],
        })
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		basic, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
    			ProjectId: pulumi.String("id"),
    			Name:      pulumi.String("id"),
    			OrgId:     pulumi.String("123456789"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name: basic.Name.ApplyT(func(name string) (string, error) {
    				return fmt.Sprintf("projects/%v/policies/gcp.resourceLocations", name), nil
    			}).(pulumi.StringOutput),
    			Parent: basic.Name.ApplyT(func(name string) (string, error) {
    				return fmt.Sprintf("projects/%v", name), nil
    			}).(pulumi.StringOutput),
    			Spec: &orgpolicy.PolicySpecArgs{
    				Rules: orgpolicy.PolicySpecRuleArray{
    					&orgpolicy.PolicySpecRuleArgs{
    						Condition: &orgpolicy.PolicySpecRuleConditionArgs{
    							Description: pulumi.String("A sample condition for the policy"),
    							Expression:  pulumi.String("resource.matchLabels('labelKeys/123', 'labelValues/345')"),
    							Location:    pulumi.String("sample-location.log"),
    							Title:       pulumi.String("sample-condition"),
    						},
    						Values: &orgpolicy.PolicySpecRuleValuesArgs{
    							AllowedValues: pulumi.StringArray{
    								pulumi.String("projects/allowed-project"),
    							},
    							DeniedValues: pulumi.StringArray{
    								pulumi.String("projects/denied-project"),
    							},
    						},
    					},
    					&orgpolicy.PolicySpecRuleArgs{
    						AllowAll: pulumi.String("TRUE"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var basic = new Gcp.Organizations.Project("basic", new()
        {
            ProjectId = "id",
            Name = "id",
            OrgId = "123456789",
        });
    
        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = basic.Name.Apply(name => $"projects/{name}/policies/gcp.resourceLocations"),
            Parent = basic.Name.Apply(name => $"projects/{name}"),
            Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
            {
                Rules = new[]
                {
                    new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                    {
                        Condition = new Gcp.OrgPolicy.Inputs.PolicySpecRuleConditionArgs
                        {
                            Description = "A sample condition for the policy",
                            Expression = "resource.matchLabels('labelKeys/123', 'labelValues/345')",
                            Location = "sample-location.log",
                            Title = "sample-condition",
                        },
                        Values = new Gcp.OrgPolicy.Inputs.PolicySpecRuleValuesArgs
                        {
                            AllowedValues = new[]
                            {
                                "projects/allowed-project",
                            },
                            DeniedValues = new[]
                            {
                                "projects/denied-project",
                            },
                        },
                    },
                    new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                    {
                        AllowAll = "TRUE",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Project;
    import com.pulumi.gcp.organizations.ProjectArgs;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var basic = new Project("basic", ProjectArgs.builder()
                .projectId("id")
                .name("id")
                .orgId("123456789")
                .build());
    
            var primary = new Policy("primary", PolicyArgs.builder()
                .name(basic.name().applyValue(name -> String.format("projects/%s/policies/gcp.resourceLocations", name)))
                .parent(basic.name().applyValue(name -> String.format("projects/%s", name)))
                .spec(PolicySpecArgs.builder()
                    .rules(                
                        PolicySpecRuleArgs.builder()
                            .condition(PolicySpecRuleConditionArgs.builder()
                                .description("A sample condition for the policy")
                                .expression("resource.matchLabels('labelKeys/123', 'labelValues/345')")
                                .location("sample-location.log")
                                .title("sample-condition")
                                .build())
                            .values(PolicySpecRuleValuesArgs.builder()
                                .allowedValues("projects/allowed-project")
                                .deniedValues("projects/denied-project")
                                .build())
                            .build(),
                        PolicySpecRuleArgs.builder()
                            .allowAll("TRUE")
                            .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          name: projects/${basic.name}/policies/gcp.resourceLocations
          parent: projects/${basic.name}
          spec:
            rules:
              - condition:
                  description: A sample condition for the policy
                  expression: resource.matchLabels('labelKeys/123', 'labelValues/345')
                  location: sample-location.log
                  title: sample-condition
                values:
                  allowedValues:
                    - projects/allowed-project
                  deniedValues:
                    - projects/denied-project
              - allowAll: TRUE
      basic:
        type: gcp:organizations:Project
        properties:
          projectId: id
          name: id
          orgId: '123456789'
    

    Org Policy Policy Dry Run Spec

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const constraint = new gcp.orgpolicy.CustomConstraint("constraint", {
        name: "custom.disableGkeAutoUpgrade_40785",
        parent: "organizations/123456789",
        displayName: "Disable GKE auto upgrade",
        description: "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
        actionType: "ALLOW",
        condition: "resource.management.autoUpgrade == false",
        methodTypes: ["CREATE"],
        resourceTypes: ["container.googleapis.com/NodePool"],
    });
    const primary = new gcp.orgpolicy.Policy("primary", {
        name: pulumi.interpolate`organizations/123456789/policies/${constraint.name}`,
        parent: "organizations/123456789",
        spec: {
            rules: [{
                enforce: "FALSE",
            }],
        },
        dryRunSpec: {
            inheritFromParent: false,
            reset: false,
            rules: [{
                enforce: "FALSE",
            }],
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    constraint = gcp.orgpolicy.CustomConstraint("constraint",
        name="custom.disableGkeAutoUpgrade_40785",
        parent="organizations/123456789",
        display_name="Disable GKE auto upgrade",
        description="Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
        action_type="ALLOW",
        condition="resource.management.autoUpgrade == false",
        method_types=["CREATE"],
        resource_types=["container.googleapis.com/NodePool"])
    primary = gcp.orgpolicy.Policy("primary",
        name=constraint.name.apply(lambda name: f"organizations/123456789/policies/{name}"),
        parent="organizations/123456789",
        spec={
            "rules": [{
                "enforce": "FALSE",
            }],
        },
        dry_run_spec={
            "inheritFromParent": False,
            "reset": False,
            "rules": [{
                "enforce": "FALSE",
            }],
        })
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/orgpolicy"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		constraint, err := orgpolicy.NewCustomConstraint(ctx, "constraint", &orgpolicy.CustomConstraintArgs{
    			Name:        pulumi.String("custom.disableGkeAutoUpgrade_40785"),
    			Parent:      pulumi.String("organizations/123456789"),
    			DisplayName: pulumi.String("Disable GKE auto upgrade"),
    			Description: pulumi.String("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."),
    			ActionType:  pulumi.String("ALLOW"),
    			Condition:   pulumi.String("resource.management.autoUpgrade == false"),
    			MethodTypes: pulumi.StringArray{
    				pulumi.String("CREATE"),
    			},
    			ResourceTypes: pulumi.StringArray{
    				pulumi.String("container.googleapis.com/NodePool"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
    			Name: constraint.Name.ApplyT(func(name string) (string, error) {
    				return fmt.Sprintf("organizations/123456789/policies/%v", name), nil
    			}).(pulumi.StringOutput),
    			Parent: pulumi.String("organizations/123456789"),
    			Spec: &orgpolicy.PolicySpecArgs{
    				Rules: orgpolicy.PolicySpecRuleArray{
    					&orgpolicy.PolicySpecRuleArgs{
    						Enforce: pulumi.String("FALSE"),
    					},
    				},
    			},
    			DryRunSpec: &orgpolicy.PolicyDryRunSpecArgs{
    				InheritFromParent: pulumi.Bool(false),
    				Reset:             pulumi.Bool(false),
    				Rules: orgpolicy.PolicyDryRunSpecRuleArray{
    					&orgpolicy.PolicyDryRunSpecRuleArgs{
    						Enforce: pulumi.String("FALSE"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var constraint = new Gcp.OrgPolicy.CustomConstraint("constraint", new()
        {
            Name = "custom.disableGkeAutoUpgrade_40785",
            Parent = "organizations/123456789",
            DisplayName = "Disable GKE auto upgrade",
            Description = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
            ActionType = "ALLOW",
            Condition = "resource.management.autoUpgrade == false",
            MethodTypes = new[]
            {
                "CREATE",
            },
            ResourceTypes = new[]
            {
                "container.googleapis.com/NodePool",
            },
        });
    
        var primary = new Gcp.OrgPolicy.Policy("primary", new()
        {
            Name = constraint.Name.Apply(name => $"organizations/123456789/policies/{name}"),
            Parent = "organizations/123456789",
            Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
            {
                Rules = new[]
                {
                    new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                    {
                        Enforce = "FALSE",
                    },
                },
            },
            DryRunSpec = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecArgs
            {
                InheritFromParent = false,
                Reset = false,
                Rules = new[]
                {
                    new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleArgs
                    {
                        Enforce = "FALSE",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.orgpolicy.CustomConstraint;
    import com.pulumi.gcp.orgpolicy.CustomConstraintArgs;
    import com.pulumi.gcp.orgpolicy.Policy;
    import com.pulumi.gcp.orgpolicy.PolicyArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicySpecArgs;
    import com.pulumi.gcp.orgpolicy.inputs.PolicyDryRunSpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var constraint = new CustomConstraint("constraint", CustomConstraintArgs.builder()
                .name("custom.disableGkeAutoUpgrade_40785")
                .parent("organizations/123456789")
                .displayName("Disable GKE auto upgrade")
                .description("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.")
                .actionType("ALLOW")
                .condition("resource.management.autoUpgrade == false")
                .methodTypes("CREATE")
                .resourceTypes("container.googleapis.com/NodePool")
                .build());
    
            var primary = new Policy("primary", PolicyArgs.builder()
                .name(constraint.name().applyValue(name -> String.format("organizations/123456789/policies/%s", name)))
                .parent("organizations/123456789")
                .spec(PolicySpecArgs.builder()
                    .rules(PolicySpecRuleArgs.builder()
                        .enforce("FALSE")
                        .build())
                    .build())
                .dryRunSpec(PolicyDryRunSpecArgs.builder()
                    .inheritFromParent(false)
                    .reset(false)
                    .rules(PolicyDryRunSpecRuleArgs.builder()
                        .enforce("FALSE")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      constraint:
        type: gcp:orgpolicy:CustomConstraint
        properties:
          name: custom.disableGkeAutoUpgrade_40785
          parent: organizations/123456789
          displayName: Disable GKE auto upgrade
          description: Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.
          actionType: ALLOW
          condition: resource.management.autoUpgrade == false
          methodTypes:
            - CREATE
          resourceTypes:
            - container.googleapis.com/NodePool
      primary:
        type: gcp:orgpolicy:Policy
        properties:
          name: organizations/123456789/policies/${constraint.name}
          parent: organizations/123456789
          spec:
            rules:
              - enforce: FALSE
          dryRunSpec:
            inheritFromParent: false
            reset: false
            rules:
              - enforce: FALSE
    

    Create Policy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
    @overload
    def Policy(resource_name: str,
               args: PolicyArgs,
               opts: Optional[ResourceOptions] = None)
    
    @overload
    def Policy(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               parent: Optional[str] = None,
               dry_run_spec: Optional[PolicyDryRunSpecArgs] = None,
               name: Optional[str] = None,
               spec: Optional[PolicySpecArgs] = None)
    func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
    public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
    public Policy(String name, PolicyArgs args)
    public Policy(String name, PolicyArgs args, CustomResourceOptions options)
    
    type: gcp:orgpolicy:Policy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var examplepolicyResourceResourceFromOrgpolicypolicy = new Gcp.OrgPolicy.Policy("examplepolicyResourceResourceFromOrgpolicypolicy", new()
    {
        Parent = "string",
        DryRunSpec = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecArgs
        {
            Etag = "string",
            InheritFromParent = false,
            Reset = false,
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleArgs
                {
                    AllowAll = "string",
                    Condition = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleConditionArgs
                    {
                        Description = "string",
                        Expression = "string",
                        Location = "string",
                        Title = "string",
                    },
                    DenyAll = "string",
                    Enforce = "string",
                    Values = new Gcp.OrgPolicy.Inputs.PolicyDryRunSpecRuleValuesArgs
                    {
                        AllowedValues = new[]
                        {
                            "string",
                        },
                        DeniedValues = new[]
                        {
                            "string",
                        },
                    },
                },
            },
            UpdateTime = "string",
        },
        Name = "string",
        Spec = new Gcp.OrgPolicy.Inputs.PolicySpecArgs
        {
            Etag = "string",
            InheritFromParent = false,
            Reset = false,
            Rules = new[]
            {
                new Gcp.OrgPolicy.Inputs.PolicySpecRuleArgs
                {
                    AllowAll = "string",
                    Condition = new Gcp.OrgPolicy.Inputs.PolicySpecRuleConditionArgs
                    {
                        Description = "string",
                        Expression = "string",
                        Location = "string",
                        Title = "string",
                    },
                    DenyAll = "string",
                    Enforce = "string",
                    Values = new Gcp.OrgPolicy.Inputs.PolicySpecRuleValuesArgs
                    {
                        AllowedValues = new[]
                        {
                            "string",
                        },
                        DeniedValues = new[]
                        {
                            "string",
                        },
                    },
                },
            },
            UpdateTime = "string",
        },
    });
    
    example, err := orgpolicy.NewPolicy(ctx, "examplepolicyResourceResourceFromOrgpolicypolicy", &orgpolicy.PolicyArgs{
    	Parent: pulumi.String("string"),
    	DryRunSpec: &orgpolicy.PolicyDryRunSpecArgs{
    		Etag:              pulumi.String("string"),
    		InheritFromParent: pulumi.Bool(false),
    		Reset:             pulumi.Bool(false),
    		Rules: orgpolicy.PolicyDryRunSpecRuleArray{
    			&orgpolicy.PolicyDryRunSpecRuleArgs{
    				AllowAll: pulumi.String("string"),
    				Condition: &orgpolicy.PolicyDryRunSpecRuleConditionArgs{
    					Description: pulumi.String("string"),
    					Expression:  pulumi.String("string"),
    					Location:    pulumi.String("string"),
    					Title:       pulumi.String("string"),
    				},
    				DenyAll: pulumi.String("string"),
    				Enforce: pulumi.String("string"),
    				Values: &orgpolicy.PolicyDryRunSpecRuleValuesArgs{
    					AllowedValues: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    					DeniedValues: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    			},
    		},
    		UpdateTime: pulumi.String("string"),
    	},
    	Name: pulumi.String("string"),
    	Spec: &orgpolicy.PolicySpecArgs{
    		Etag:              pulumi.String("string"),
    		InheritFromParent: pulumi.Bool(false),
    		Reset:             pulumi.Bool(false),
    		Rules: orgpolicy.PolicySpecRuleArray{
    			&orgpolicy.PolicySpecRuleArgs{
    				AllowAll: pulumi.String("string"),
    				Condition: &orgpolicy.PolicySpecRuleConditionArgs{
    					Description: pulumi.String("string"),
    					Expression:  pulumi.String("string"),
    					Location:    pulumi.String("string"),
    					Title:       pulumi.String("string"),
    				},
    				DenyAll: pulumi.String("string"),
    				Enforce: pulumi.String("string"),
    				Values: &orgpolicy.PolicySpecRuleValuesArgs{
    					AllowedValues: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    					DeniedValues: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    			},
    		},
    		UpdateTime: pulumi.String("string"),
    	},
    })
    
    var examplepolicyResourceResourceFromOrgpolicypolicy = new Policy("examplepolicyResourceResourceFromOrgpolicypolicy", PolicyArgs.builder()
        .parent("string")
        .dryRunSpec(PolicyDryRunSpecArgs.builder()
            .etag("string")
            .inheritFromParent(false)
            .reset(false)
            .rules(PolicyDryRunSpecRuleArgs.builder()
                .allowAll("string")
                .condition(PolicyDryRunSpecRuleConditionArgs.builder()
                    .description("string")
                    .expression("string")
                    .location("string")
                    .title("string")
                    .build())
                .denyAll("string")
                .enforce("string")
                .values(PolicyDryRunSpecRuleValuesArgs.builder()
                    .allowedValues("string")
                    .deniedValues("string")
                    .build())
                .build())
            .updateTime("string")
            .build())
        .name("string")
        .spec(PolicySpecArgs.builder()
            .etag("string")
            .inheritFromParent(false)
            .reset(false)
            .rules(PolicySpecRuleArgs.builder()
                .allowAll("string")
                .condition(PolicySpecRuleConditionArgs.builder()
                    .description("string")
                    .expression("string")
                    .location("string")
                    .title("string")
                    .build())
                .denyAll("string")
                .enforce("string")
                .values(PolicySpecRuleValuesArgs.builder()
                    .allowedValues("string")
                    .deniedValues("string")
                    .build())
                .build())
            .updateTime("string")
            .build())
        .build());
    
    examplepolicy_resource_resource_from_orgpolicypolicy = gcp.orgpolicy.Policy("examplepolicyResourceResourceFromOrgpolicypolicy",
        parent="string",
        dry_run_spec={
            "etag": "string",
            "inheritFromParent": False,
            "reset": False,
            "rules": [{
                "allowAll": "string",
                "condition": {
                    "description": "string",
                    "expression": "string",
                    "location": "string",
                    "title": "string",
                },
                "denyAll": "string",
                "enforce": "string",
                "values": {
                    "allowedValues": ["string"],
                    "deniedValues": ["string"],
                },
            }],
            "updateTime": "string",
        },
        name="string",
        spec={
            "etag": "string",
            "inheritFromParent": False,
            "reset": False,
            "rules": [{
                "allowAll": "string",
                "condition": {
                    "description": "string",
                    "expression": "string",
                    "location": "string",
                    "title": "string",
                },
                "denyAll": "string",
                "enforce": "string",
                "values": {
                    "allowedValues": ["string"],
                    "deniedValues": ["string"],
                },
            }],
            "updateTime": "string",
        })
    
    const examplepolicyResourceResourceFromOrgpolicypolicy = new gcp.orgpolicy.Policy("examplepolicyResourceResourceFromOrgpolicypolicy", {
        parent: "string",
        dryRunSpec: {
            etag: "string",
            inheritFromParent: false,
            reset: false,
            rules: [{
                allowAll: "string",
                condition: {
                    description: "string",
                    expression: "string",
                    location: "string",
                    title: "string",
                },
                denyAll: "string",
                enforce: "string",
                values: {
                    allowedValues: ["string"],
                    deniedValues: ["string"],
                },
            }],
            updateTime: "string",
        },
        name: "string",
        spec: {
            etag: "string",
            inheritFromParent: false,
            reset: false,
            rules: [{
                allowAll: "string",
                condition: {
                    description: "string",
                    expression: "string",
                    location: "string",
                    title: "string",
                },
                denyAll: "string",
                enforce: "string",
                values: {
                    allowedValues: ["string"],
                    deniedValues: ["string"],
                },
            }],
            updateTime: "string",
        },
    });
    
    type: gcp:orgpolicy:Policy
    properties:
        dryRunSpec:
            etag: string
            inheritFromParent: false
            reset: false
            rules:
                - allowAll: string
                  condition:
                    description: string
                    expression: string
                    location: string
                    title: string
                  denyAll: string
                  enforce: string
                  values:
                    allowedValues:
                        - string
                    deniedValues:
                        - string
            updateTime: string
        name: string
        parent: string
        spec:
            etag: string
            inheritFromParent: false
            reset: false
            rules:
                - allowAll: string
                  condition:
                    description: string
                    expression: string
                    location: string
                    title: string
                  denyAll: string
                  enforce: string
                  values:
                    allowedValues:
                        - string
                    deniedValues:
                        - string
            updateTime: string
    

    Policy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Policy resource accepts the following input properties:

    Parent string
    The parent of the resource.


    DryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    Name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    Spec PolicySpec
    Basic information about the Organization Policy. Structure is documented below.
    Parent string
    The parent of the resource.


    DryRunSpec PolicyDryRunSpecArgs
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    Name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    Spec PolicySpecArgs
    Basic information about the Organization Policy. Structure is documented below.
    parent String
    The parent of the resource.


    dryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    name String
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    spec PolicySpec
    Basic information about the Organization Policy. Structure is documented below.
    parent string
    The parent of the resource.


    dryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    spec PolicySpec
    Basic information about the Organization Policy. Structure is documented below.
    parent str
    The parent of the resource.


    dry_run_spec PolicyDryRunSpecArgs
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    name str
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    spec PolicySpecArgs
    Basic information about the Organization Policy. Structure is documented below.
    parent String
    The parent of the resource.


    dryRunSpec Property Map
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    name String
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    spec Property Map
    Basic information about the Organization Policy. Structure is documented below.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

    Etag string
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    Id string
    The provider-assigned unique ID for this managed resource.
    Etag string
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    Id string
    The provider-assigned unique ID for this managed resource.
    etag String
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    id String
    The provider-assigned unique ID for this managed resource.
    etag string
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    id string
    The provider-assigned unique ID for this managed resource.
    etag str
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    id str
    The provider-assigned unique ID for this managed resource.
    etag String
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Policy Resource

    Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            dry_run_spec: Optional[PolicyDryRunSpecArgs] = None,
            etag: Optional[str] = None,
            name: Optional[str] = None,
            parent: Optional[str] = None,
            spec: Optional[PolicySpecArgs] = None) -> Policy
    func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
    public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
    public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    DryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    Etag string
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    Name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    Parent string
    The parent of the resource.


    Spec PolicySpec
    Basic information about the Organization Policy. Structure is documented below.
    DryRunSpec PolicyDryRunSpecArgs
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    Etag string
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    Name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    Parent string
    The parent of the resource.


    Spec PolicySpecArgs
    Basic information about the Organization Policy. Structure is documented below.
    dryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    etag String
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    name String
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    parent String
    The parent of the resource.


    spec PolicySpec
    Basic information about the Organization Policy. Structure is documented below.
    dryRunSpec PolicyDryRunSpec
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    etag string
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    name string
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    parent string
    The parent of the resource.


    spec PolicySpec
    Basic information about the Organization Policy. Structure is documented below.
    dry_run_spec PolicyDryRunSpecArgs
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    etag str
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    name str
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    parent str
    The parent of the resource.


    spec PolicySpecArgs
    Basic information about the Organization Policy. Structure is documented below.
    dryRunSpec Property Map
    Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. Structure is documented below.
    etag String
    Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
    name String
    Immutable. The resource name of the Policy. Must be one of the following forms, where constraint_name is the name of the constraint which this Policy configures: * projects/{project_number}/policies/{constraint_name} * folders/{folder_id}/policies/{constraint_name} * organizations/{organization_id}/policies/{constraint_name} For example, "projects/123/policies/compute.disableSerialPortAccess". Note: projects/{project_id}/policies/{constraint_name} is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
    parent String
    The parent of the resource.


    spec Property Map
    Basic information about the Organization Policy. Structure is documented below.

    Supporting Types

    PolicyDryRunSpec, PolicyDryRunSpecArgs

    Etag string
    (Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
    InheritFromParent bool
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    Reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    Rules List<PolicyDryRunSpecRule>
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
    UpdateTime string
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    Etag string
    (Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
    InheritFromParent bool
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    Reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    Rules []PolicyDryRunSpecRule
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
    UpdateTime string
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    etag String
    (Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
    inheritFromParent Boolean
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    reset Boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules List<PolicyDryRunSpecRule>
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
    updateTime String
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    etag string
    (Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
    inheritFromParent boolean
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    reset boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules PolicyDryRunSpecRule[]
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
    updateTime string
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    etag str
    (Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
    inherit_from_parent bool
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules Sequence[PolicyDryRunSpecRule]
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
    update_time str
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
    etag String
    (Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
    inheritFromParent Boolean
    Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
    reset Boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules List<Property Map>
    In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.
    updateTime String
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.

    PolicyDryRunSpecRule, PolicyDryRunSpecRuleArgs

    AllowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    Condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    DenyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    Enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    Values PolicyDryRunSpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    AllowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    Condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    DenyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    Enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    Values PolicyDryRunSpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    allowAll String
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    denyAll String
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce String
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicyDryRunSpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    allowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    denyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicyDryRunSpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    allow_all str
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicyDryRunSpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    deny_all str
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce str
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicyDryRunSpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    allowAll String
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition Property Map
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    denyAll String
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce String
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values Property Map
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.

    PolicyDryRunSpecRuleCondition, PolicyDryRunSpecRuleConditionArgs

    Description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    Description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description String
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    location String
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description str
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression str
    Textual representation of an expression in Common Expression Language syntax.
    location str
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title str
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description String
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    location String
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    PolicyDryRunSpecRuleValues, PolicyDryRunSpecRuleValuesArgs

    AllowedValues List<string>
    List of values allowed at this resource.
    DeniedValues List<string>
    List of values denied at this resource.
    AllowedValues []string
    List of values allowed at this resource.
    DeniedValues []string
    List of values denied at this resource.
    allowedValues List<String>
    List of values allowed at this resource.
    deniedValues List<String>
    List of values denied at this resource.
    allowedValues string[]
    List of values allowed at this resource.
    deniedValues string[]
    List of values denied at this resource.
    allowed_values Sequence[str]
    List of values allowed at this resource.
    denied_values Sequence[str]
    List of values denied at this resource.
    allowedValues List<String>
    List of values allowed at this resource.
    deniedValues List<String>
    List of values denied at this resource.

    PolicySpec, PolicySpecArgs

    Etag string
    (Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    InheritFromParent bool
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    Reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    Rules List<PolicySpecRule>
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
    UpdateTime string
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    Etag string
    (Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    InheritFromParent bool
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    Reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    Rules []PolicySpecRule
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
    UpdateTime string
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    etag String
    (Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inheritFromParent Boolean
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    reset Boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules List<PolicySpecRule>
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
    updateTime String
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    etag string
    (Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inheritFromParent boolean
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    reset boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules PolicySpecRule[]
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
    updateTime string
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    etag str
    (Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inherit_from_parent bool
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    reset bool
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules Sequence[PolicySpecRule]
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
    update_time str
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
    etag String
    (Output) An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
    inheritFromParent Boolean
    Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
    reset Boolean
    Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
    rules List<Property Map>
    Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.
    updateTime String
    (Output) Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.

    PolicySpecRule, PolicySpecRuleArgs

    AllowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    Condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    DenyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    Enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    Values PolicySpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    AllowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    Condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    DenyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    Enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    Values PolicySpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    allowAll String
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    denyAll String
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce String
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicySpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    allowAll string
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    denyAll string
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce string
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicySpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    allow_all str
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition PolicySpecRuleCondition
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    deny_all str
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce str
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values PolicySpecRuleValues
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.
    allowAll String
    Setting this to "TRUE" means that all values are allowed. This field can be set only in Policies for list constraints.
    condition Property Map
    A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.
    denyAll String
    Setting this to "TRUE" means that all values are denied. This field can be set only in Policies for list constraints.
    enforce String
    If "TRUE", then the Policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
    values Property Map
    List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.

    PolicySpecRuleCondition, PolicySpecRuleConditionArgs

    Description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    Description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description String
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    location String
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description string
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    location string
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title string
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description str
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression str
    Textual representation of an expression in Common Expression Language syntax.
    location str
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title str
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    description String
    Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    location String
    Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    PolicySpecRuleValues, PolicySpecRuleValuesArgs

    AllowedValues List<string>
    List of values allowed at this resource.
    DeniedValues List<string>
    List of values denied at this resource.
    AllowedValues []string
    List of values allowed at this resource.
    DeniedValues []string
    List of values denied at this resource.
    allowedValues List<String>
    List of values allowed at this resource.
    deniedValues List<String>
    List of values denied at this resource.
    allowedValues string[]
    List of values allowed at this resource.
    deniedValues string[]
    List of values denied at this resource.
    allowed_values Sequence[str]
    List of values allowed at this resource.
    denied_values Sequence[str]
    List of values denied at this resource.
    allowedValues List<String>
    List of values allowed at this resource.
    deniedValues List<String>
    List of values denied at this resource.

    Import

    Policy can be imported using any of these accepted formats:

    • {{parent}}/policies/{{name}}

    When using the pulumi import command, Policy can be imported using one of the formats above. For example:

    $ pulumi import gcp:orgpolicy/policy:Policy default {{parent}}/policies/{{name}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.32.0 published on Tuesday, Jul 16, 2024 by Pulumi