google_org_policy_policy

An organization policy gives you programmatic control over your organization's cloud resources. Using organization policies, you can configure constraints across your entire resource hierarchy: a policy attached to an organization, folder or project binds a constraint (a built-in one such as iam.disableServiceAccountKeyUpload, or a custom constraint) to that node and, subject to the inheritance rules described under spec below, to the resources under it.

For more information, see:

Example Usage - enforce_policy

Sets a policy for the boolean constraint iam.disableServiceAccountKeyUpload on a single project. Note that enforce = "FALSE" is not the same as leaving the policy unset: for boolean constraints the policy closest to the resource wins, so this switches the constraint off for the project even if it is enforced on the parent folder or organization, and anyone holding orgpolicy.policy.set on the project (for example roles/orgpolicy.policyAdmin) can make the same change. Use enforce = "TRUE" to enforce the constraint.

resource "google_org_policy_policy" "primary" {
  # google_project.name is the display name; use project_id (or number) in the policy name.
  name   = "projects/${google_project.basic.project_id}/policies/iam.disableServiceAccountKeyUpload"
  parent = "projects/${google_project.basic.project_id}"

  spec {
    rules {
      enforce = "FALSE"
    }
  }
}

resource "google_project" "basic" {
  project_id = "id"
  name       = "id"
  org_id     = "123456789"
}
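The enforcement-side counterpart, added here as an example that is not part of the provider documentation: the same boolean constraint enforced at organization level, with an exemption expressed as a tag-conditioned rule rather than as project-level policies with enforce = "FALSE". The organization ID and the tagKeys/tagValues IDs are placeholders.

```hcl
# Added example, not from the provider documentation. The organization ID and
# the tagKeys/tagValues IDs are placeholders.
resource "google_org_policy_policy" "disable_sa_key_upload" {
  name   = "organizations/123456789/policies/iam.disableServiceAccountKeyUpload"
  parent = "organizations/123456789"

  spec {
    # A boolean constraint needs exactly one rule without a condition; it is the
    # default that applies to every resource under the organization.
    rules {
      enforce = "TRUE"
    }

    # Conditional rules must set enforce to the opposite value and take
    # precedence for the resources that match. Only resources carrying the
    # break-glass tag value may upload service account keys.
    rules {
      condition {
        title       = "break-glass-exempt"
        description = "Resources tagged with the break-glass tag value are exempt"
        expression  = "resource.matchTagId('tagKeys/111111111111', 'tagValues/222222222222')"
      }
      enforce = "FALSE"
    }
  }
}
```

Keying the exemption on a tag means that who can exempt a resource is governed by who may bind that tag value (roles/resourcemanager.tagUser on the value), which is a single thing to audit, rather than by who holds orgpolicy.policy.set on each project.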

Example Usage - folder_policy

Sets a policy for the list constraint gcp.resourceLocations on a folder. deny_all = "TRUE" denies every location, so no location-bound resource can be created anywhere under the folder. inherit_from_parent = true merges the parent's rules into the effective policy, but denied values take precedence over allowed ones, so the parent's allow list cannot reopen locations here.

resource "google_org_policy_policy" "primary" {
  name   = "${google_folder.basic.name}/policies/gcp.resourceLocations"
  parent = google_folder.basic.name

  spec {
    inherit_from_parent = true

    rules {
      deny_all = "TRUE"
    }
  }
}

resource "google_folder" "basic" {
  parent       = "organizations/123456789"
  display_name = "folder"
}

Example Usage - organization_policy

Resets gcp.detailedAuditLoggingMode on the organization to the constraint's default enforcement behaviour. A policy with reset = true must not contain rules, and inherit_from_parent must be false (the default).

resource "google_org_policy_policy" "primary" {
  name   = "organizations/123456789/policies/gcp.detailedAuditLoggingMode"
  parent = "organizations/123456789"

  spec {
    reset = true
  }
}

Example Usage - project_policy

Sets a policy for the list constraint gcp.resourceLocations on a project. The first rule is evaluated only for resources whose tags satisfy its condition and allows and denies specific values; the second, unconditional rule allows all values for every other resource.

resource "google_org_policy_policy" "primary" {
  # google_project.name is the display name; use project_id (or number) in the policy name.
  name   = "projects/${google_project.basic.project_id}/policies/gcp.resourceLocations"
  parent = "projects/${google_project.basic.project_id}"

  spec {
    rules {
      condition {
        description = "A sample condition for the policy"
        expression  = "resource.matchLabels('labelKeys/123', 'labelValues/345')"
        location    = "sample-location.log"
        title       = "sample-condition"
      }

      values {
        allowed_values = ["projects/allowed-project"]
        denied_values  = ["projects/denied-project"]
      }
    }

    rules {
      allow_all = "TRUE"
    }
  }
}

resource "google_project" "basic" {
  project_id = "id"
  name       = "id"
  org_id     = "123456789"
}

Example Usage - dry_run_spec

Defines a custom constraint and a policy for it that carries both a live spec and a dry_run_spec. The dry-run policy is evaluated in audit-only mode: violations are written to Cloud Audit Logs but the request is not denied, which is the safe way to test a new constraint against the existing environment before enforcing it.

resource "google_org_policy_custom_constraint" "constraint" {
  name         = "custom.disableGkeAutoUpgrade"
  parent       = "organizations/123456789"
  display_name = "Disable GKE auto upgrade"
  description  = "Only allow a GKE NodePool to be created if AutoUpgrade is not enabled where this custom constraint is enforced."

  action_type    = "ALLOW"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}

resource "google_org_policy_policy" "primary" {
  name   = "organizations/123456789/policies/${google_org_policy_custom_constraint.constraint.name}"
  parent = "organizations/123456789"

  # Live policy: enforce = "FALSE" means the custom constraint is not enforced.
  spec {
    rules {
      enforce = "FALSE"
    }
  }

  # Audit-only policy evaluated alongside spec: violations are logged but not
  # blocked. Here it mirrors spec, so it reports nothing; to preview enforcement
  # before turning it on, set enforce = "TRUE" here and leave spec as it is.
  dry_run_spec {
    inherit_from_parent = false
    reset               = false
    rules {
      enforce = "FALSE"
    }
  }
}
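A staged rollout of a list constraint, added here as an example that is not part of the provider documentation: the live spec keeps allowing everything while dry_run_spec evaluates the restriction and logs what it would have blocked. The organization ID is a placeholder; in:eu-locations is one of the built-in value groups accepted by gcp.resourceLocations.

```hcl
# Added example, not from the provider documentation. The organization ID is a
# placeholder; in:eu-locations is a built-in value group of gcp.resourceLocations.
resource "google_org_policy_policy" "resource_locations_staged" {
  name   = "organizations/123456789/policies/gcp.resourceLocations"
  parent = "organizations/123456789"

  # Live policy: unchanged while the restriction is being evaluated.
  spec {
    rules {
      allow_all = "TRUE"
    }
  }

  # Audit-only policy: creating a resource outside the EU is recorded as a
  # dry-run violation in Cloud Audit Logs, but the request still succeeds.
  dry_run_spec {
    inherit_from_parent = false
    rules {
      values {
        allowed_values = ["in:eu-locations"]
      }
    }
  }
}
```

Once the logged violations have been triaged (moved, exempted or accepted), cut over by moving the rules from dry_run_spec into spec in a second apply; the change to the live policy is then a small, reviewable diff rather than a first-time enforcement.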

Argument Reference

The following arguments are supported:

name - (Required) Resource name of the policy, of the form projects/{project_number}/policies/{constraint_name}, folders/{folder_id}/policies/{constraint_name} or organizations/{organization_id}/policies/{constraint_name}, where constraint_name is the constraint this policy configures (a built-in constraint such as gcp.resourceLocations, or a custom constraint such as custom.disableGkeAutoUpgrade). A project ID is accepted in place of the project number.

parent - (Required) The parent of the resource: the projects/..., folders/... or organizations/... prefix of name.

spec - (Optional) The live policy. Structure is documented below.

dry_run_spec - (Optional) An audit-only policy evaluated alongside spec. Violations are logged but not blocked, which lets you see how a new or changed policy would affect the existing environment before enforcing it. Structure is documented below.

The dry_run_spec block and the spec block support the same fields:

inherit_from_parent - (Optional) If true, rules set higher in the resource hierarchy are inherited and appear in the effective policy. If false (the default), no rules are inherited and this policy becomes the new root for evaluation. This field can be set only for policies on list constraints; for boolean constraints the policy set closest to the resource is the one that applies.

reset - (Optional) Ignores policies set above this resource and restores the constraint's default enforcement behaviour at this resource. Can be used with list or boolean constraints. If set, rules must be empty and inherit_from_parent must be false.

rules - (Optional) Up to 10 rules. For boolean constraints there must be exactly one rule without a condition, every rule with a condition must set enforce to the opposite value of that rule, and a conditional rule whose condition is true for the target resource takes precedence.

The rules block supports:

allow_all - (Optional) "TRUE" allows all values. List constraints only.

deny_all - (Optional) "TRUE" denies all values. List constraints only.

enforce - (Optional) "TRUE" enforces the constraint; "FALSE" means any configuration is acceptable. Boolean constraints only, which includes custom constraints.

values - (Optional) The values allowed or denied by this rule. List constraints only. Structure is documented below.

condition - (Optional) A condition on the target resource's tags, written in Common Expression Language, that decides whether this rule is used when the policy is evaluated. Structure is documented below.

The condition block supports:

expression - (Optional) The CEL expression: one to ten subexpressions joined by || or &&, each of the form resource.matchTag('{org_id}/{tag_key_short_name}', '{tag_value_short_name}') or resource.matchTagId('tagKeys/{key_id}', 'tagValues/{value_id}').

title - (Optional) A short title for the expression.

description - (Optional) A description of the expression, for documentation.

location - (Optional) A string indicating where in a file the expression was defined, used in error reporting.

The values block supports:

allowed_values - (Optional) List of values allowed at this resource.

denied_values - (Optional) List of values denied at this resource.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

id - an identifier for the resource with format {{parent}}/policies/{{name}}

etag - an opaque tag indicating the current state of the policy, used for concurrency control on update and delete

Timeouts

This resource provides the following Timeouts configuration options:

create - Default is 20 minutes.
update - Default is 20 minutes.
delete - Default is 20 minutes.

Import

Policy can be imported using any of these accepted formats:

{{parent}}/policies/{{name}}

In Terraform v1.5.0 and later, use an import block to import Policy using one of the formats above. For example:

import {
  id = "{{parent}}/policies/{{name}}"
  to = google_org_policy_policy.default
}

When using the terraform import command, Policy can be imported using one of the formats above. For example:

$ terraform import google_org_policy_policy.default {{parent}}/policies/{{name}}