This page contains information about analyzing your organization policy settings to see which resources are covered by which organization policy. Using Policy Analyzer for organization policies, you can create an analysis query to get information on both custom and predefined organization policies.
An analysis query is composed of a scope and a constraint.
- Constraint: specifies the resource name of a constraint.
- Scope: specifies an organization to scope the analysis. All organization policies with the specified constraint defined in this scope are included in the analysis.
For more information about organization policies, see the Introduction to the Organization Policy Service. For more information about how to create custom constraints, see Creating and managing custom constraints.
Before you begin
Enable the Cloud Asset API.
You must enable the API in the project or organization you will use to send the query. This doesn't have to be the same resource that you scope your query to.
Required roles and permissions
To get the permissions that you need to run an organization policy analysis, ask your administrator to grant you the following IAM roles on the organization resource in which you want to conduct your analysis:
- To conduct the analysis: Cloud Asset Viewer (roles/cloudasset.viewer)
- To view custom constraints: Organization Policy Viewer (roles/orgpolicy.policyViewer)
For more information about granting roles, see Manage access.
These predefined roles contain the permissions required to run an organization policy analysis. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to run an organization policy analysis:
- To conduct the analysis:
  - cloudasset.assets.analyzeOrgPolicy
  - cloudasset.assets.searchAllResources
  - cloudasset.assets.searchAllIamPolicies
- To view custom constraints:
  - orgpolicy.customConstraints.get
You might also be able to get these permissions with custom roles or other predefined roles.
Analyze configured policies
An organization policy is built from a constraint and optional conditions under which that constraint is enforced. You can use Policy Analyzer to return a list of organization policies with a particular constraint and the resources to which those policies are attached.
For each organization policy that is detected in the query's scope, Policy Analyzer returns a result entry. A result entry contains the following fields:
- consolidatedPolicy: the resource to which the organization policy is attached, and the effective policy enforcement on that resource with respect to hierarchy evaluation rules.
- policyBundle: the full configured organization policy attached to the above resource, and the organization policies defined on its ancestors in the resource hierarchy.
gcloud
To get an analysis of how an organization policy constraint is enforced within an organization, use the gcloud beta asset analyze-org-policies command:
gcloud beta asset analyze-org-policies \
--constraint=CONSTRAINT_NAME \
--scope=organizations/ORGANIZATION_ID \
--limit=LIMIT_POLICIES \
--filter=FILTER_QUERY
Replace the following:
- CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.
- ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.
- LIMIT_POLICIES: the number of result entries you want to view. To see unlimited entries, enter unlimited.
- FILTER_QUERY: a filter query to see only policies that match your filtering expression. The only available field for filtering is consolidated_policy.attached_resource. For example, consolidated_policy.attached_resource="//cloudresourcemanager.googleapis.com/projects/1234567890" would only return policies that were attached to the project with the project ID 1234567890.
The YAML response is similar to the following:
Sample YAML response
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  rules:
  - enforce: true
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  reset: true
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
REST
To get an analysis of how an organization policy constraint is enforced within an organization, use the Cloud Asset API's analyzeOrgPolicies method.
HTTP method and URL:
GET https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:analyzeOrgPolicies
Request JSON body:
JSON_REQUEST="{ 'constraint': 'CONSTRAINT_NAME', 'filter': 'FILTER_QUERY', 'page_size': PAGE_SIZE, 'page_token': PAGE_TOKEN }"
Replace the following:
- ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.
- CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.
- FILTER_QUERY: a filter query to see only policies that match your filtering expression. The only available field for filtering is consolidated_policy.attached_resource. For example, consolidated_policy.attached_resource="//cloudresourcemanager.googleapis.com/projects/1234567890" would only return policies that were attached to the project with the project ID 1234567890.
- PAGE_SIZE: the number of result entries per page you want to view. To see unlimited entries, enter unlimited. A request made with this flag set returns a nextPageToken value if the total number of result entries is greater than the PAGE_SIZE.
- PAGE_TOKEN: only to be set on requests after the first request that includes the page_size flag. You can use the nextPageToken values received from previous responses to return a particular page of results.
The JSON response is similar to the following:
Sample JSON response
{
  "orgPolicyResults": [
    {
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/folders/123456789012",
        "rules": [
          { "values": { "allowedValues": [ "C0265whk2" ] } },
          { "values": { "allowedValues": [ "C03kd36xr" ] } }
        ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/folders/123456789012"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/123456789012",
          "rules": [ { "values": { "allowedValues": [ "C03kd36xr" ] } } ],
          "inheritFromParent": true,
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/123456789012"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123",
          "rules": [ { "values": { "allowedValues": [ "C0265whk2" ] } } ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123"
        }
      ]
    },
    {
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123",
        "rules": [ { "values": { "allowedValues": [ "C0265whk2" ] } } ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123",
          "rules": [ { "values": { "allowedValues": [ "C0265whk2" ] } } ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123"
        }
      ]
    }
  ],
  "constraint": {
    "googleDefinedConstraint": {
      "name": "constraints/iam.allowedPolicyMemberDomains",
      "displayName": "Domain restricted sharing",
      "description": "This list constraint defines one or more Cloud Identity or Google Workspace customer IDs whose principals can be added to IAM policies. \u003cbr\u003eBy default, all user identities are allowed to be added to IAM policies. Only allowed values can be defined in this constraint, denied values are not supported. \u003cbr\u003eIf this constraint is active, only principals that belong to the allowed customer IDs can be added to IAM policies.",
      "constraintDefault": "ALLOW",
      "listConstraint": {}
    }
  }
}
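The analyzeOrgPolicies, analyzeOrgPolicyGovernedContainers and analyzeOrgPolicyGovernedAssets methods share the page_size / page_token pagination described above. The following Python is an added example, not the page's own code and not Google's client library: it builds the request body from the fields listed above and walks nextPageToken until the last page, aborting if a token repeats so a misbehaving endpoint cannot turn an audit script into an endless loop. The fetch_page callable, the fake_fetch stand-in and the CONSTRUCTED_PAGES data are assumptions made so the block runs offline; in real use fetch_page would issue the authenticated GET shown above.

```python
# Added example (not Google's client library or the page's own code): build the
# request body shown above and follow nextPageToken until the last page.
# The HTTP call is delegated to a fetch_page callable so the pagination logic
# runs offline against constructed pages; a real fetch_page would send the GET
# to https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:<method>
# with an OAuth 2.0 bearer token (assumption: you obtain that token yourself).
from typing import Callable, Dict, Iterator, List, Optional, Set

Json = Dict[str, object]

# The three analysis methods share the request and pagination shape; only the
# response key that holds the result entries differs.
RESULT_KEYS = {
    "analyzeOrgPolicies": "orgPolicyResults",
    "analyzeOrgPolicyGovernedContainers": "governedContainers",
    "analyzeOrgPolicyGovernedAssets": "governedAssets",
}


def build_request(constraint: str, filter_query: str = "", page_size: int = 100,
                  page_token: Optional[str] = None) -> Json:
    """Request body for one page; page_token is only set on follow-up requests."""
    body: Json = {"constraint": constraint, "page_size": page_size}
    if filter_query:
        body["filter"] = filter_query
    if page_token:
        body["page_token"] = page_token
    return body


def iterate_results(method: str, constraint: str, fetch_page: Callable[[Json], Json],
                    filter_query: str = "", page_size: int = 100,
                    max_pages: int = 1000) -> Iterator[Json]:
    """Yield every result entry across pages, following nextPageToken.

    A repeated token or more than max_pages pages aborts the walk.
    """
    result_key = RESULT_KEYS[method]
    token: Optional[str] = None
    seen: Set[str] = set()
    for _ in range(max_pages):
        page = fetch_page(build_request(constraint, filter_query, page_size, token))
        for entry in page.get(result_key, []):
            yield entry
        token = page.get("nextPageToken")
        if not token:
            return
        if token in seen:
            raise RuntimeError("pagination loop: nextPageToken %r repeated" % token)
        seen.add(token)
    raise RuntimeError("gave up after %d pages" % max_pages)


def attached_resources(method: str, constraint: str, fetch_page: Callable[[Json], Json],
                       filter_query: str = "") -> List[str]:
    """Resources that carry a policy for the constraint, across all pages."""
    return [entry["consolidatedPolicy"]["attachedResource"]
            for entry in iterate_results(method, constraint, fetch_page, filter_query)]


def fake_fetch(pages: Dict[Optional[str], Json]) -> Callable[[Json], Json]:
    """Offline stand-in for the API: serves constructed pages keyed by page_token."""
    def fetch(body: Json) -> Json:
        return pages[body.get("page_token")]
    return fetch


# Constructed two-page response in the shape of the sample above, trimmed to the
# fields the helpers read; the folder IDs are the ones the page's sample uses.
CONSTRUCTED_PAGES: Dict[Optional[str], Json] = {
    None: {
        "orgPolicyResults": [{"consolidatedPolicy": {
            "attachedResource": "//cloudresourcemanager.googleapis.com/folders/123456789012"}}],
        "nextPageToken": "constructed-token-1",
    },
    "constructed-token-1": {
        "orgPolicyResults": [{"consolidatedPolicy": {
            "attachedResource": "//cloudresourcemanager.googleapis.com/folders/234567890123"}}],
    },
}

if __name__ == "__main__":
    for res in attached_resources("analyzeOrgPolicies",
                                  "constraints/iam.allowedPolicyMemberDomains",
                                  fake_fetch(CONSTRUCTED_PAGES)):
        print(res)
```

The same iterate_results call serves the containers and assets methods below by changing the method name; only the result key differs.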
Analyze containers
A container in this context is a project, folder, or organization resource. You can use Policy Analyzer to return a list of all containers that have organization policies with a particular constraint enforced on them. Policy Analyzer also returns the full name of each container, and the container's parent in the hierarchy.
For each container that is detected in the query's scope, Policy Analyzer returns a result entry. A result entry contains the following fields:
- fullResourceName: the full name of the container resource.
- parent: the full resource name of the parent of this container resource.
- consolidatedPolicy: the container to which the organization policy is attached, and the effective policy enforcement on that container with respect to hierarchy evaluation rules.
- policyBundle: the organization policy configured directly on the container, if one exists, and the organization policies defined on the ancestors of the container in the resource hierarchy.
gcloud
To get an analysis of how an organization policy constraint is enforced on containers within an organization, use the gcloud beta asset analyze-org-policy-governed-containers command:
gcloud beta asset analyze-org-policy-governed-containers \
--constraint=CONSTRAINT_NAME \
--scope=organizations/ORGANIZATION_ID \
--limit=LIMIT_CONTAINERS \
--filter=FILTER_QUERY
Replace the following:
- CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.
- ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.
- LIMIT_CONTAINERS: the number of result entries you want to view. To see unlimited entries, enter unlimited.
- FILTER_QUERY: a filter query to see only containers that match your filtering expression. The only available field for filtering is parent. For example, parent="//cloudresourcemanager.googleapis.com/organizations/012345678901" would only return containers that were children of the organization with the organization ID 012345678901.
The YAML response is similar to the following:
Sample YAML response
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/donghe-project1
  attachedResource: //cloudresourcemanager.googleapis.com/projects/donghe-project1
  rules:
  - values:
      allowedValues:
      - projects/donghe-project1/zones/us-central1-a/instances/instance-1
fullResourceName: //cloudresourcemanager.googleapis.com/projects/donghe-project1
parent: //cloudresourcemanager.googleapis.com/folders/86513245445
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/donghe-project1
  attachedResource: //cloudresourcemanager.googleapis.com/projects/donghe-project1
  inheritFromParent: true
  rules:
  - values:
      allowedValues:
      - projects/donghe-project1/zones/us-central1-a/instances/instance-1
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
  attachedResource: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
  rules:
  - denyAll: true
fullResourceName: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
parent: //cloudresourcemanager.googleapis.com/organizations/474566717491
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
  attachedResource: //cloudresourcemanager.googleapis.com/projects/jeffreyai-prj01-on-ipa1
  inheritFromParent: true
  rules:
  - denyAll: true
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  rules:
  - values:
      allowedValues:
      - projects/opa-test-project-1-364621/zones/us-central1-a/instances/instance-1
fullResourceName: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
parent: //cloudresourcemanager.googleapis.com/folders/666681422980
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-1-364621
  rules:
  - values:
      allowedValues:
      - projects/opa-test-project-1-364621/zones/us-central1-a/instances/instance-1
REST
To get an analysis of how an organization policy constraint is enforced on containers within an organization, use the Cloud Asset API's analyzeOrgPolicyGovernedContainers method.
HTTP method and URL:
GET https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:analyzeOrgPolicyGovernedContainers
Request JSON body:
JSON_REQUEST="{ 'constraint': 'CONSTRAINT_NAME', 'filter': 'FILTER_QUERY', 'page_size': PAGE_SIZE, 'page_token': PAGE_TOKEN }"
Replace the following:
- ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.
- CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.
- FILTER_QUERY: a filter query to see only containers that match your filtering expression. The only available field for filtering is parent. For example, parent="//cloudresourcemanager.googleapis.com/organizations/012345678901" would only return containers that were children of the organization with the organization ID 012345678901.
- PAGE_SIZE: the number of result entries per page you want to view. To see unlimited entries, enter unlimited. A request made with this flag set returns a nextPageToken value if the total number of result entries is greater than the PAGE_SIZE.
- PAGE_TOKEN: only to be set on requests after the first request that includes the page_size flag. You can use the nextPageToken values received from previous responses to return a particular page of results.
The JSON response is similar to the following:
Sample JSON response
{
  "governedContainers": [
    {
      "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2",
      "parent": "//cloudresourcemanager.googleapis.com/folders/513502730678",
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678",
        "rules": [ { "enforce": false } ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678",
          "rules": [ { "enforce": false } ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/666681422980",
          "rules": [ { "enforce": true } ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/666681422980"
        }
      ]
    },
    {
      "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-1",
      "parent": "//cloudresourcemanager.googleapis.com/folders/513502730678",
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678",
        "rules": [ { "enforce": false } ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678",
          "rules": [ { "enforce": false } ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/513502730678"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/666681422980",
          "rules": [ { "enforce": true } ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/666681422980"
        }
      ]
    }
  ],
  "constraint": {
    "googleDefinedConstraint": {
      "name": "constraints/compute.requireOsLogin",
      "displayName": "Require OS Login",
      "description": "This boolean constraint, when set to \u003ccode\u003etrue\u003c/code\u003e, enables OS Login on all newly created Projects. All VM instances created in new projects will have OS Login enabled. On new and existing projects, this constraint prevents metadata updates that disable OS Login at the project or instance level. \u003cbr\u003eBy default, the OS Login feature is disabled on Compute Engine projects.\u003cbr\u003eGKE instances in private clusters running node pool versions 1.20.5-gke.2000 and later support OS Login. GKE instances in public clusters do not currently support OS Login. If this constraint is applied to a Project running public clusters, GKE instances running in that Project may not function properly.",
      "constraintDefault": "ALLOW",
      "booleanConstraint": {}
    }
  }
}
Analyze assets
An asset in this context is a Google Cloud resource or Identity and Access Management (IAM) allow policy. You can use Policy Analyzer to return a list of all assets that have organization policies with a particular constraint enforced on them. Policy Analyzer also returns the full name of each asset, the asset's parent in the hierarchy, and any ancestor project, folder, and organization resources above the asset in the hierarchy.
For each asset that is detected in the query's scope, Policy Analyzer returns a result entry.
A result entry for a resource contains the following fields:
- fullResourceName: the full resource name of the resource.
- parent: the full resource name of the parent of the resource.
- project: the relative resource name of the project that contains the resource.
- folders: the relative resource name of any folders that contain the resource.
- organization: the relative resource name of the organization that contains the resource.
- consolidatedPolicy: the resource to which the organization policy is attached, and the effective policy enforcement on that resource with respect to hierarchy evaluation rules.
- policyBundle: the full configured organization policy attached to the above resource, and the organization policies defined on its ancestors in the resource hierarchy.
A result entry for an allow policy contains the following fields:
- attachedResource: the resource to which the allow policy is attached.
- policy: the allow policy.
- project: the relative resource name of the project that contains the allow policy.
- folders: the relative resource name of any folders that contain the allow policy.
- organization: the relative resource name of the organization that contains the allow policy.
- consolidatedPolicy: the resource to which the organization policy is attached, and the effective policy enforcement on that resource with respect to hierarchy evaluation rules.
- policyBundle: the full configured organization policy attached to the above resource, and the organization policies defined on its ancestors in the resource hierarchy.
gcloud
To get an analysis of how an organization policy constraint is enforced on assets within an organization, use the gcloud beta asset analyze-org-policy-governed-assets command:
gcloud beta asset analyze-org-policy-governed-assets \
--constraint=CONSTRAINT_NAME \
--scope=organizations/ORGANIZATION_ID \
--limit=LIMIT_ASSETS \
--filter=FILTER_QUERY
Replace the following:
- CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.
- ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.
- LIMIT_ASSETS: the number of result entries you want to view. To see unlimited entries, enter unlimited.
- FILTER_QUERY: a filter query to see only assets that match your filtering expression. The available fields for filtering are governed_resource.folders, governed_resource.project, governed_iam_policy.folders, and governed_iam_policy.project. For example, governed_resource.project="projects/1234567890" would only return assets that were attached to the project with the project ID 1234567890.
The YAML response is similar to the following:
Sample YAML response
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-2
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-2
  rules:
  - enforce: false
governedResource:
  folders:
  - folders/513502730678
  - folders/666681422980
  fullResourceName: //container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/opa-test-project-2-cluster-1/nodePools/default-pool
  organization: organizations/474566717491
  parent: //container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/opa-test-project-2-cluster-1
  project: projects/892625391619
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-2
  attachedResource: //cloudresourcemanager.googleapis.com/projects/opa-test-project-2
  reset: true
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  attachedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/projects/project2-244918
  attachedResource: //cloudresourcemanager.googleapis.com/projects/project2-244918
  rules:
  - enforce: false
governedResource:
  folders:
  - folders/800636178739
  - folders/408342778736
  fullResourceName: //container.googleapis.com/projects/project2-244918/zones/us-central1-c/clusters/cluster-1/nodePools/default-pool
  organization: organizations/474566717491
  parent: //container.googleapis.com/projects/project2-244918/zones/us-central1-c/clusters/cluster-1
  project: projects/761097189269
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/projects/project2-244918
  attachedResource: //cloudresourcemanager.googleapis.com/projects/project2-244918
  rules:
  - enforce: false
- appliedResource: //cloudresourcemanager.googleapis.com/folders/408342778736
  attachedResource: //cloudresourcemanager.googleapis.com/folders/408342778736
  rules:
  - condition:
      description: cond-desc1
      expression: resource.matchTag("474566717491/env", "prod")
      title: cond-title1
    enforce: false
  - enforce: true
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  attachedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
---
consolidatedPolicy:
  appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  attachedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
governedResource:
  fullResourceName: //container.googleapis.com/projects/probe-per-rt-project/zones/us-west1-a/clusters/test-cluster-for-backup/nodePools/default-pool
  organization: organizations/474566717491
  parent: //container.googleapis.com/projects/probe-per-rt-project/zones/us-west1-a/clusters/test-cluster-for-backup
  project: projects/896190383908
policyBundle:
- appliedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  attachedResource: //cloudresourcemanager.googleapis.com/organizations/474566717491
  rules:
  - enforce: true
REST
To get an analysis of how an organization policy constraint is enforced on assets within an organization, use the Cloud Asset API's analyzeOrgPolicyGovernedAssets method.
HTTP method and URL:
GET https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:analyzeOrgPolicyGovernedAssets
Request JSON body:
JSON_REQUEST="{ 'constraint': 'CONSTRAINT_NAME', 'filter': 'FILTER_QUERY', 'page_size': PAGE_SIZE, 'page_token': PAGE_TOKEN }"
Replace the following:
- ORGANIZATION_ID: the ID of your organization resource. For more information about finding your organization ID, see Creating and managing organizations.
- CONSTRAINT_NAME: the name of the organization policy constraint you want to analyze. For a list of constraints, see Organization policy constraints.
- FILTER_QUERY: a filter query to see only assets that match your filtering expression. The available fields for filtering are governed_resource.folders, governed_resource.project, governed_iam_policy.folders, and governed_iam_policy.project. For example, governed_resource.project="projects/1234567890" would only return assets that were attached to the project with the project ID 1234567890.
- PAGE_SIZE: the number of result entries per page you want to view. To see unlimited entries, enter unlimited. A request made with this flag set returns a nextPageToken value if the total number of result entries is greater than the PAGE_SIZE.
- PAGE_TOKEN: only to be set on requests after the first request that includes the page_size flag. You can use the nextPageToken values received from previous responses to return a particular page of results.
The JSON response is similar to the following:
Sample JSON response
{
  "governedAssets": [
    {
      "governedResource": {
        "fullResourceName": "//container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/opa-test-project-2-cluster-1/nodePools/default-pool",
        "parent": "//container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/opa-test-project-2-cluster-1",
        "project": "projects/892625391619",
        "folders": [ "folders/513502730678", "folders/666681422980" ],
        "organization": "organizations/474566717491"
      },
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2",
        "rules": [ { "enforce": false } ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2",
          "reset": true,
          "appliedResource": "//cloudresourcemanager.googleapis.com/projects/opa-test-project-2"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/organizations/474566717491",
          "rules": [ { "enforce": true } ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/organizations/474566717491"
        }
      ]
    },
    {
      "governedResource": {
        "fullResourceName": "//container.googleapis.com/projects/project2-244918/zones/us-central1-c/clusters/cluster-1/nodePools/default-pool",
        "parent": "//container.googleapis.com/projects/project2-244918/zones/us-central1-c/clusters/cluster-1",
        "project": "projects/761097189269",
        "folders": [ "folders/800636178739", "folders/408342778736" ],
        "organization": "organizations/474566717491"
      },
      "consolidatedPolicy": {
        "attachedResource": "//cloudresourcemanager.googleapis.com/projects/project2-244918",
        "rules": [ { "enforce": false } ],
        "appliedResource": "//cloudresourcemanager.googleapis.com/projects/project2-244918"
      },
      "policyBundle": [
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/projects/project2-244918",
          "rules": [ { "enforce": false } ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/projects/project2-244918"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/folders/408342778736",
          "rules": [
            {
              "enforce": false,
              "condition": {
                "expression": "resource.matchTag(\"474566717491/env\", \"prod\")",
                "title": "cond-title1",
                "description": "cond-desc1"
              }
            },
            { "enforce": true }
          ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/folders/408342778736"
        },
        {
          "attachedResource": "//cloudresourcemanager.googleapis.com/organizations/474566717491",
          "rules": [ { "enforce": true } ],
          "appliedResource": "//cloudresourcemanager.googleapis.com/organizations/474566717491"
        }
      ]
    }
  ],
  "constraint": {
    "customConstraint": {
      "name": "organizations/474566717491/customConstraints/custom.disableGkeAutoUpgrade",
      "resourceTypes": [ "container.googleapis.com/NodePool" ],
      "methodTypes": [ "CREATE", "UPDATE" ],
      "condition": "resource.management.autoUpgrade == false",
      "actionType": "ALLOW",
      "displayName": "Disable GKE auto upgrade",
      "description": "Only allow GKE NodePool resource create or updates if AutoUpgrade is not enabled"
    }
  }
}
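Reading a consolidatedPolicy together with its policyBundle tells you not only whether a container or asset is governed but which policy in the hierarchy made it so. The following Python is an added example (not the page's or Google's code) that serves both the containers and the assets results above: it labels each bundle entry as enforced, not enforced, reset or conditional, and reports the nearest policy that switched enforcement off beneath an ancestor that enforces the constraint. It assumes, as the samples on this page show, that policyBundle lists the attached resource's own policy first and its ancestors after it; the CONSTRUCTED_* data are trimmed, constructed copies of those samples.

```python
# Added example (not the page's or Google's code): explain the effective
# enforcement behind each analyzeOrgPolicyGovernedContainers or
# analyzeOrgPolicyGovernedAssets result. Assumption, matching the samples on
# this page: policyBundle lists the attached resource's own policy first and
# then its ancestors, nearest to farthest.
from typing import Dict, List, Optional, Tuple

Json = Dict[str, object]
CRM = "//cloudresourcemanager.googleapis.com/"


def describe_rules(rules: List[Json]) -> str:
    """Collapse a rule list into one label for reporting."""
    if not rules:
        return "NO_RULES"
    if any("condition" in r for r in rules):
        # Which rule applies depends on resource tags, so the effective state
        # must be read from consolidatedPolicy, not from this list alone.
        return "CONDITIONAL"
    first = rules[0]
    if "enforce" in first:
        return "ENFORCED" if first["enforce"] else "NOT_ENFORCED"
    if first.get("denyAll"):
        return "DENY_ALL"
    if "values" in first:
        return "LIST"
    return "UNKNOWN"


def entry_label(entry: Json) -> str:
    """Label one policyBundle entry; reset: true falls back to the constraint default."""
    if entry.get("reset"):
        return "RESET"
    return describe_rules(entry.get("rules", []))


def resource_name(result: Json) -> Optional[str]:
    """governedContainers carry fullResourceName at the top level; governedAssets nest it."""
    if "fullResourceName" in result:
        return result["fullResourceName"]
    if "governedResource" in result:
        return result["governedResource"].get("fullResourceName")
    if "governedIamPolicy" in result:
        return result["governedIamPolicy"].get("attachedResource")
    return None


def audit_result(result: Json) -> Json:
    """One report row: effective state, the policy chain, and who weakened it."""
    consolidated = result.get("consolidatedPolicy", {})
    effective = describe_rules(consolidated.get("rules", []))
    chain: List[Tuple[str, str]] = [
        (e.get("attachedResource") or e.get("appliedResource"), entry_label(e))
        for e in result.get("policyBundle", [])]
    # The nearest policy that switches enforcement off (or resets it) below an
    # ancestor that enforces the constraint is the one an auditor should review.
    weakened_by = None
    if effective != "ENFORCED":
        for i, (res, label) in enumerate(chain):
            if label in ("NOT_ENFORCED", "RESET") and any(
                    lbl == "ENFORCED" for _, lbl in chain[i + 1:]):
                weakened_by = res
                break
    return {"resource": resource_name(result), "effective": effective,
            "attached_to": consolidated.get("attachedResource"),
            "chain": chain, "weakened_by": weakened_by}


def audit(response: Json) -> List[Json]:
    """Audit every entry of a governedContainers or governedAssets response."""
    entries = response.get("governedContainers") or response.get("governedAssets") or []
    return [audit_result(r) for r in entries]


# Constructed, trimmed copies of the sample responses on this page.
CONSTRUCTED_CONTAINERS: Json = {"governedContainers": [{
    "fullResourceName": CRM + "projects/opa-test-project-2",
    "parent": CRM + "folders/513502730678",
    "consolidatedPolicy": {"attachedResource": CRM + "folders/513502730678",
                           "rules": [{"enforce": False}]},
    "policyBundle": [
        {"attachedResource": CRM + "folders/513502730678", "rules": [{"enforce": False}]},
        {"attachedResource": CRM + "folders/666681422980", "rules": [{"enforce": True}]}]}]}

CONSTRUCTED_ASSETS: Json = {"governedAssets": [
    {"governedResource": {"fullResourceName": "//container.googleapis.com/projects/opa-test-project-2/zones/us-central1-c/clusters/opa-test-project-2-cluster-1/nodePools/default-pool"},
     "consolidatedPolicy": {"attachedResource": CRM + "projects/opa-test-project-2",
                            "rules": [{"enforce": False}]},
     "policyBundle": [
         {"attachedResource": CRM + "projects/opa-test-project-2", "reset": True},
         {"attachedResource": CRM + "organizations/474566717491", "rules": [{"enforce": True}]}]},
    {"governedResource": {"fullResourceName": "//container.googleapis.com/projects/project2-244918/zones/us-central1-c/clusters/cluster-1/nodePools/default-pool"},
     "consolidatedPolicy": {"attachedResource": CRM + "projects/project2-244918",
                            "rules": [{"enforce": False}]},
     "policyBundle": [
         {"attachedResource": CRM + "projects/project2-244918", "rules": [{"enforce": False}]},
         {"attachedResource": CRM + "folders/408342778736", "rules": [
             {"enforce": False, "condition": {
                 "expression": 'resource.matchTag("474566717491/env", "prod")'}},
             {"enforce": True}]},
         {"attachedResource": CRM + "organizations/474566717491", "rules": [{"enforce": True}]}]}]}

if __name__ == "__main__":
    for row in audit(CONSTRUCTED_CONTAINERS) + audit(CONSTRUCTED_ASSETS):
        print(row["resource"], row["effective"], "weakened by:", row["weakened_by"])
```

A CONDITIONAL label means that entry's rules depend on resource tags (the resource.matchTag expression in the sample), so the effective state for that asset comes from consolidatedPolicy and the weakened_by field points at the nearest unconditional override, which in the second sample is the project-level enforce: false.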
What's next
- Learn more about Using constraints.
- Learn how to Create and manage custom constraints.