1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. organizations
  5. Policy
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.organizations.Policy

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    Allows management of Organization Policies for a Google Cloud Organization.

    Warning: This resource has been superseded by gcp.orgpolicy.Policy. gcp.orgpolicy.Policy uses Organization Policy API V2 instead of Cloud Resource Manager API V1 and it supports additional features such as tags and conditions.

    To get more information about Organization Policies, see:

    Example Usage

    To set policy with a boolean constraint:

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const serialPortPolicy = new gcp.organizations.Policy("serial_port_policy", {
        orgId: "123456789",
        constraint: "compute.disableSerialPortAccess",
        booleanPolicy: {
            enforced: true,
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    serial_port_policy = gcp.organizations.Policy("serial_port_policy",
        org_id="123456789",
        constraint="compute.disableSerialPortAccess",
        boolean_policy={
            "enforced": True,
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := organizations.NewPolicy(ctx, "serial_port_policy", &organizations.PolicyArgs{
    			OrgId:      pulumi.String("123456789"),
    			Constraint: pulumi.String("compute.disableSerialPortAccess"),
    			BooleanPolicy: &organizations.PolicyBooleanPolicyArgs{
    				Enforced: pulumi.Bool(true),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var serialPortPolicy = new Gcp.Organizations.Policy("serial_port_policy", new()
        {
            OrgId = "123456789",
            Constraint = "compute.disableSerialPortAccess",
            BooleanPolicy = new Gcp.Organizations.Inputs.PolicyBooleanPolicyArgs
            {
                Enforced = true,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Policy;
    import com.pulumi.gcp.organizations.PolicyArgs;
    import com.pulumi.gcp.organizations.inputs.PolicyBooleanPolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var serialPortPolicy = new Policy("serialPortPolicy", PolicyArgs.builder()
                .orgId("123456789")
                .constraint("compute.disableSerialPortAccess")
                .booleanPolicy(PolicyBooleanPolicyArgs.builder()
                    .enforced(true)
                    .build())
                .build());
    
        }
    }
    
    resources:
      serialPortPolicy:
        type: gcp:organizations:Policy
        name: serial_port_policy
        properties:
          orgId: '123456789'
          constraint: compute.disableSerialPortAccess
          booleanPolicy:
            enforced: true
    

    To set a policy with a list constraint:

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const servicesPolicy = new gcp.organizations.Policy("services_policy", {
        orgId: "123456789",
        constraint: "serviceuser.services",
        listPolicy: {
            allow: {
                all: true,
            },
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    services_policy = gcp.organizations.Policy("services_policy",
        org_id="123456789",
        constraint="serviceuser.services",
        list_policy={
            "allow": {
                "all": True,
            },
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := organizations.NewPolicy(ctx, "services_policy", &organizations.PolicyArgs{
    			OrgId:      pulumi.String("123456789"),
    			Constraint: pulumi.String("serviceuser.services"),
    			ListPolicy: &organizations.PolicyListPolicyArgs{
    				Allow: &organizations.PolicyListPolicyAllowArgs{
    					All: pulumi.Bool(true),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var servicesPolicy = new Gcp.Organizations.Policy("services_policy", new()
        {
            OrgId = "123456789",
            Constraint = "serviceuser.services",
            ListPolicy = new Gcp.Organizations.Inputs.PolicyListPolicyArgs
            {
                Allow = new Gcp.Organizations.Inputs.PolicyListPolicyAllowArgs
                {
                    All = true,
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Policy;
    import com.pulumi.gcp.organizations.PolicyArgs;
    import com.pulumi.gcp.organizations.inputs.PolicyListPolicyArgs;
    import com.pulumi.gcp.organizations.inputs.PolicyListPolicyAllowArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var servicesPolicy = new Policy("servicesPolicy", PolicyArgs.builder()
                .orgId("123456789")
                .constraint("serviceuser.services")
                .listPolicy(PolicyListPolicyArgs.builder()
                    .allow(PolicyListPolicyAllowArgs.builder()
                        .all(true)
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      servicesPolicy:
        type: gcp:organizations:Policy
        name: services_policy
        properties:
          orgId: '123456789'
          constraint: serviceuser.services
          listPolicy:
            allow:
              all: true
    

    Or to deny some services, use the following instead:

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const servicesPolicy = new gcp.organizations.Policy("services_policy", {
        orgId: "123456789",
        constraint: "serviceuser.services",
        listPolicy: {
            suggestedValue: "compute.googleapis.com",
            deny: {
                values: ["cloudresourcemanager.googleapis.com"],
            },
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    services_policy = gcp.organizations.Policy("services_policy",
        org_id="123456789",
        constraint="serviceuser.services",
        list_policy={
            "suggested_value": "compute.googleapis.com",
            "deny": {
                "values": ["cloudresourcemanager.googleapis.com"],
            },
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := organizations.NewPolicy(ctx, "services_policy", &organizations.PolicyArgs{
    			OrgId:      pulumi.String("123456789"),
    			Constraint: pulumi.String("serviceuser.services"),
    			ListPolicy: &organizations.PolicyListPolicyArgs{
    				SuggestedValue: pulumi.String("compute.googleapis.com"),
    				Deny: &organizations.PolicyListPolicyDenyArgs{
    					Values: pulumi.StringArray{
    						pulumi.String("cloudresourcemanager.googleapis.com"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var servicesPolicy = new Gcp.Organizations.Policy("services_policy", new()
        {
            OrgId = "123456789",
            Constraint = "serviceuser.services",
            ListPolicy = new Gcp.Organizations.Inputs.PolicyListPolicyArgs
            {
                SuggestedValue = "compute.googleapis.com",
                Deny = new Gcp.Organizations.Inputs.PolicyListPolicyDenyArgs
                {
                    Values = new[]
                    {
                        "cloudresourcemanager.googleapis.com",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Policy;
    import com.pulumi.gcp.organizations.PolicyArgs;
    import com.pulumi.gcp.organizations.inputs.PolicyListPolicyArgs;
    import com.pulumi.gcp.organizations.inputs.PolicyListPolicyDenyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var servicesPolicy = new Policy("servicesPolicy", PolicyArgs.builder()
                .orgId("123456789")
                .constraint("serviceuser.services")
                .listPolicy(PolicyListPolicyArgs.builder()
                    .suggestedValue("compute.googleapis.com")
                    .deny(PolicyListPolicyDenyArgs.builder()
                        .values("cloudresourcemanager.googleapis.com")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      servicesPolicy:
        type: gcp:organizations:Policy
        name: services_policy
        properties:
          orgId: '123456789'
          constraint: serviceuser.services
          listPolicy:
            suggestedValue: compute.googleapis.com
            deny:
              values:
                - cloudresourcemanager.googleapis.com
    

    To restore the default organization policy, use the following instead:

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const servicesPolicy = new gcp.organizations.Policy("services_policy", {
        orgId: "123456789",
        constraint: "serviceuser.services",
        restorePolicy: {
            "default": true,
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    services_policy = gcp.organizations.Policy("services_policy",
        org_id="123456789",
        constraint="serviceuser.services",
        restore_policy={
            "default": True,
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := organizations.NewPolicy(ctx, "services_policy", &organizations.PolicyArgs{
    			OrgId:      pulumi.String("123456789"),
    			Constraint: pulumi.String("serviceuser.services"),
    			RestorePolicy: &organizations.PolicyRestorePolicyArgs{
    				Default: pulumi.Bool(true),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var servicesPolicy = new Gcp.Organizations.Policy("services_policy", new()
        {
            OrgId = "123456789",
            Constraint = "serviceuser.services",
            RestorePolicy = new Gcp.Organizations.Inputs.PolicyRestorePolicyArgs
            {
                Default = true,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Policy;
    import com.pulumi.gcp.organizations.PolicyArgs;
    import com.pulumi.gcp.organizations.inputs.PolicyRestorePolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var servicesPolicy = new Policy("servicesPolicy", PolicyArgs.builder()
                .orgId("123456789")
                .constraint("serviceuser.services")
                .restorePolicy(PolicyRestorePolicyArgs.builder()
                    .default_(true)
                    .build())
                .build());
    
        }
    }
    
    resources:
      servicesPolicy:
        type: gcp:organizations:Policy
        name: services_policy
        properties:
          orgId: '123456789'
          constraint: serviceuser.services
          restorePolicy:
            default: true
    

    Create Policy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
    @overload
    def Policy(resource_name: str,
               args: PolicyArgs,
               opts: Optional[ResourceOptions] = None)
    
    @overload
    def Policy(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               constraint: Optional[str] = None,
               org_id: Optional[str] = None,
               boolean_policy: Optional[PolicyBooleanPolicyArgs] = None,
               list_policy: Optional[PolicyListPolicyArgs] = None,
               restore_policy: Optional[PolicyRestorePolicyArgs] = None,
               version: Optional[int] = None)
    func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
    public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
    public Policy(String name, PolicyArgs args)
    public Policy(String name, PolicyArgs args, CustomResourceOptions options)
    
    type: gcp:organizations:Policy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var examplepolicyResourceResourceFromOrganizationspolicy = new Gcp.Organizations.Policy("examplepolicyResourceResourceFromOrganizationspolicy", new()
    {
        Constraint = "string",
        OrgId = "string",
        BooleanPolicy = new Gcp.Organizations.Inputs.PolicyBooleanPolicyArgs
        {
            Enforced = false,
        },
        ListPolicy = new Gcp.Organizations.Inputs.PolicyListPolicyArgs
        {
            Allow = new Gcp.Organizations.Inputs.PolicyListPolicyAllowArgs
            {
                All = false,
                Values = new[]
                {
                    "string",
                },
            },
            Deny = new Gcp.Organizations.Inputs.PolicyListPolicyDenyArgs
            {
                All = false,
                Values = new[]
                {
                    "string",
                },
            },
            InheritFromParent = false,
            SuggestedValue = "string",
        },
        RestorePolicy = new Gcp.Organizations.Inputs.PolicyRestorePolicyArgs
        {
            Default = false,
        },
        Version = 0,
    });
    
    example, err := organizations.NewPolicy(ctx, "examplepolicyResourceResourceFromOrganizationspolicy", &organizations.PolicyArgs{
    	Constraint: pulumi.String("string"),
    	OrgId:      pulumi.String("string"),
    	BooleanPolicy: &organizations.PolicyBooleanPolicyArgs{
    		Enforced: pulumi.Bool(false),
    	},
    	ListPolicy: &organizations.PolicyListPolicyArgs{
    		Allow: &organizations.PolicyListPolicyAllowArgs{
    			All: pulumi.Bool(false),
    			Values: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		Deny: &organizations.PolicyListPolicyDenyArgs{
    			All: pulumi.Bool(false),
    			Values: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		InheritFromParent: pulumi.Bool(false),
    		SuggestedValue:    pulumi.String("string"),
    	},
    	RestorePolicy: &organizations.PolicyRestorePolicyArgs{
    		Default: pulumi.Bool(false),
    	},
    	Version: pulumi.Int(0),
    })
    
    var examplepolicyResourceResourceFromOrganizationspolicy = new Policy("examplepolicyResourceResourceFromOrganizationspolicy", PolicyArgs.builder()
        .constraint("string")
        .orgId("string")
        .booleanPolicy(PolicyBooleanPolicyArgs.builder()
            .enforced(false)
            .build())
        .listPolicy(PolicyListPolicyArgs.builder()
            .allow(PolicyListPolicyAllowArgs.builder()
                .all(false)
                .values("string")
                .build())
            .deny(PolicyListPolicyDenyArgs.builder()
                .all(false)
                .values("string")
                .build())
            .inheritFromParent(false)
            .suggestedValue("string")
            .build())
        .restorePolicy(PolicyRestorePolicyArgs.builder()
            .default_(false)
            .build())
        .version(0)
        .build());
    
    examplepolicy_resource_resource_from_organizationspolicy = gcp.organizations.Policy("examplepolicyResourceResourceFromOrganizationspolicy",
        constraint="string",
        org_id="string",
        boolean_policy={
            "enforced": False,
        },
        list_policy={
            "allow": {
                "all": False,
                "values": ["string"],
            },
            "deny": {
                "all": False,
                "values": ["string"],
            },
            "inherit_from_parent": False,
            "suggested_value": "string",
        },
        restore_policy={
            "default": False,
        },
        version=0)
    
    const examplepolicyResourceResourceFromOrganizationspolicy = new gcp.organizations.Policy("examplepolicyResourceResourceFromOrganizationspolicy", {
        constraint: "string",
        orgId: "string",
        booleanPolicy: {
            enforced: false,
        },
        listPolicy: {
            allow: {
                all: false,
                values: ["string"],
            },
            deny: {
                all: false,
                values: ["string"],
            },
            inheritFromParent: false,
            suggestedValue: "string",
        },
        restorePolicy: {
            "default": false,
        },
        version: 0,
    });
    
    type: gcp:organizations:Policy
    properties:
        booleanPolicy:
            enforced: false
        constraint: string
        listPolicy:
            allow:
                all: false
                values:
                    - string
            deny:
                all: false
                values:
                    - string
            inheritFromParent: false
            suggestedValue: string
        orgId: string
        restorePolicy:
            default: false
        version: 0
    

    Policy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Policy resource accepts the following input properties:

    Constraint string
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    OrgId string
    The numeric ID of the organization to set the policy for.
    BooleanPolicy PolicyBooleanPolicy
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    ListPolicy PolicyListPolicy
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    RestorePolicy PolicyRestorePolicy

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    Version int
    Version of the Policy. Default version is 0.
    Constraint string
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    OrgId string
    The numeric ID of the organization to set the policy for.
    BooleanPolicy PolicyBooleanPolicyArgs
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    ListPolicy PolicyListPolicyArgs
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    RestorePolicy PolicyRestorePolicyArgs

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    Version int
    Version of the Policy. Default version is 0.
    constraint String
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    orgId String
    The numeric ID of the organization to set the policy for.
    booleanPolicy PolicyBooleanPolicy
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    listPolicy PolicyListPolicy
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    restorePolicy PolicyRestorePolicy

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    version Integer
    Version of the Policy. Default version is 0.
    constraint string
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    orgId string
    The numeric ID of the organization to set the policy for.
    booleanPolicy PolicyBooleanPolicy
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    listPolicy PolicyListPolicy
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    restorePolicy PolicyRestorePolicy

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    version number
    Version of the Policy. Default version is 0.
    constraint str
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    org_id str
    The numeric ID of the organization to set the policy for.
    boolean_policy PolicyBooleanPolicyArgs
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    list_policy PolicyListPolicyArgs
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    restore_policy PolicyRestorePolicyArgs

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    version int
    Version of the Policy. Default version is 0.
    constraint String
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    orgId String
    The numeric ID of the organization to set the policy for.
    booleanPolicy Property Map
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    listPolicy Property Map
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    restorePolicy Property Map

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    version Number
    Version of the Policy. Default version is 0.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

    Etag string
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    Id string
    The provider-assigned unique ID for this managed resource.
    UpdateTime string
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    Etag string
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    Id string
    The provider-assigned unique ID for this managed resource.
    UpdateTime string
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    etag String
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    id String
    The provider-assigned unique ID for this managed resource.
    updateTime String
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    etag string
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    id string
    The provider-assigned unique ID for this managed resource.
    updateTime string
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    etag str
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    id str
    The provider-assigned unique ID for this managed resource.
    update_time str
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    etag String
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    id String
    The provider-assigned unique ID for this managed resource.
    updateTime String
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".

    Look up Existing Policy Resource

    Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            boolean_policy: Optional[PolicyBooleanPolicyArgs] = None,
            constraint: Optional[str] = None,
            etag: Optional[str] = None,
            list_policy: Optional[PolicyListPolicyArgs] = None,
            org_id: Optional[str] = None,
            restore_policy: Optional[PolicyRestorePolicyArgs] = None,
            update_time: Optional[str] = None,
            version: Optional[int] = None) -> Policy
    func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
    public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
    public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    BooleanPolicy PolicyBooleanPolicy
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    Constraint string
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    Etag string
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    ListPolicy PolicyListPolicy
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    OrgId string
    The numeric ID of the organization to set the policy for.
    RestorePolicy PolicyRestorePolicy

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    UpdateTime string
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    Version int
    Version of the Policy. Default version is 0.
    BooleanPolicy PolicyBooleanPolicyArgs
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    Constraint string
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    Etag string
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    ListPolicy PolicyListPolicyArgs
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    OrgId string
    The numeric ID of the organization to set the policy for.
    RestorePolicy PolicyRestorePolicyArgs

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    UpdateTime string
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    Version int
    Version of the Policy. Default version is 0.
    booleanPolicy PolicyBooleanPolicy
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    constraint String
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    etag String
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    listPolicy PolicyListPolicy
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    orgId String
    The numeric ID of the organization to set the policy for.
    restorePolicy PolicyRestorePolicy

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    updateTime String
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    version Integer
    Version of the Policy. Default version is 0.
    booleanPolicy PolicyBooleanPolicy
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    constraint string
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    etag string
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    listPolicy PolicyListPolicy
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    orgId string
    The numeric ID of the organization to set the policy for.
    restorePolicy PolicyRestorePolicy

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    updateTime string
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    version number
    Version of the Policy. Default version is 0.
    boolean_policy PolicyBooleanPolicyArgs
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    constraint str
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    etag str
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    list_policy PolicyListPolicyArgs
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    org_id str
    The numeric ID of the organization to set the policy for.
    restore_policy PolicyRestorePolicyArgs

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    update_time str
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    version int
    Version of the Policy. Default version is 0.
    booleanPolicy Property Map
    A boolean policy is a constraint that is either enforced or not. Structure is documented below.
    constraint String
    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


    etag String
    (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    listPolicy Property Map
    A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
    orgId String
    The numeric ID of the organization to set the policy for.
    restorePolicy Property Map

    A restore policy is a constraint to restore the default policy. Structure is documented below.

    Note: If none of [boolean_policy, list_policy, restore_policy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


    updateTime String
    (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
    version Number
    Version of the Policy. Default version is 0.

    Supporting Types

    PolicyBooleanPolicy, PolicyBooleanPolicyArgs

    Enforced bool
    If true, then the Policy is enforced. If false, then any configuration is acceptable.
    Enforced bool
    If true, then the Policy is enforced. If false, then any configuration is acceptable.
    enforced Boolean
    If true, then the Policy is enforced. If false, then any configuration is acceptable.
    enforced boolean
    If true, then the Policy is enforced. If false, then any configuration is acceptable.
    enforced bool
    If true, then the Policy is enforced. If false, then any configuration is acceptable.
    enforced Boolean
    If true, then the Policy is enforced. If false, then any configuration is acceptable.

    PolicyListPolicy, PolicyListPolicyArgs

    Allow PolicyListPolicyAllow
    or deny - (Optional) One or the other must be set.
    Deny PolicyListPolicyDeny
    One or the other must be set.
    InheritFromParent bool

    If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

    The allow or deny blocks support:

    SuggestedValue string
    The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
    Allow PolicyListPolicyAllow
    or deny - (Optional) One or the other must be set.
    Deny PolicyListPolicyDeny
    One or the other must be set.
    InheritFromParent bool

    If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

    The allow or deny blocks support:

    SuggestedValue string
    The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
    allow PolicyListPolicyAllow
    or deny - (Optional) One or the other must be set.
    deny PolicyListPolicyDeny
    One or the other must be set.
    inheritFromParent Boolean

    If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

    The allow or deny blocks support:

    suggestedValue String
    The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
    allow PolicyListPolicyAllow
    or deny - (Optional) One or the other must be set.
    deny PolicyListPolicyDeny
    One or the other must be set.
    inheritFromParent boolean

    If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

    The allow or deny blocks support:

    suggestedValue string
    The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
    allow PolicyListPolicyAllow
    or deny - (Optional) One or the other must be set.
    deny PolicyListPolicyDeny
    One or the other must be set.
    inherit_from_parent bool

    If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

    The allow or deny blocks support:

    suggested_value str
    The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
    allow Property Map
    or deny - (Optional) One or the other must be set.
    deny Property Map
    One or the other must be set.
    inheritFromParent Boolean

    If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

    The allow or deny blocks support:

    suggestedValue String
    The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

    PolicyListPolicyAllow, PolicyListPolicyAllowArgs

    All bool
    The policy allows or denies all values.
    Values List<string>
    The policy can define specific values that are allowed or denied.
    All bool
    The policy allows or denies all values.
    Values []string
    The policy can define specific values that are allowed or denied.
    all Boolean
    The policy allows or denies all values.
    values List<String>
    The policy can define specific values that are allowed or denied.
    all boolean
    The policy allows or denies all values.
    values string[]
    The policy can define specific values that are allowed or denied.
    all bool
    The policy allows or denies all values.
    values Sequence[str]
    The policy can define specific values that are allowed or denied.
    all Boolean
    The policy allows or denies all values.
    values List<String>
    The policy can define specific values that are allowed or denied.

    PolicyListPolicyDeny, PolicyListPolicyDenyArgs

    All bool
    The policy allows or denies all values.
    Values List<string>
    The policy can define specific values that are allowed or denied.
    All bool
    The policy allows or denies all values.
    Values []string
    The policy can define specific values that are allowed or denied.
    all Boolean
    The policy allows or denies all values.
    values List<String>
    The policy can define specific values that are allowed or denied.
    all boolean
    The policy allows or denies all values.
    values string[]
    The policy can define specific values that are allowed or denied.
    all bool
    The policy allows or denies all values.
    values Sequence[str]
    The policy can define specific values that are allowed or denied.
    all Boolean
    The policy allows or denies all values.
    values List<String>
    The policy can define specific values that are allowed or denied.

    PolicyRestorePolicy, PolicyRestorePolicyArgs

    Default bool
    May only be set to true. If set, then the default Policy is restored.
    Default bool
    May only be set to true. If set, then the default Policy is restored.
    default_ Boolean
    May only be set to true. If set, then the default Policy is restored.
    default boolean
    May only be set to true. If set, then the default Policy is restored.
    default bool
    May only be set to true. If set, then the default Policy is restored.
    default Boolean
    May only be set to true. If set, then the default Policy is restored.

    Import

    Organization Policies can be imported using the org_id and the constraint, e.g.

    • {{org_id}}/constraints/{{constraint}}

    When using the pulumi import command, Organization Policies can be imported using one of the formats above. For example:

    $ pulumi import gcp:organizations/policy:Policy default {{org_id}}/constraints/{{constraint}}
    

    It is all right if the constraint contains a slash, as in the example above.

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi