Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.
To get more information about CustomConstraint, see:
```hcl
resource "google_org_policy_custom_constraint" "constraint" {
  name           = "custom.disableGkeAutoUpgrade"
  parent         = "organizations/123456789"
  action_type    = "ALLOW"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}
```
```hcl
resource "google_org_policy_custom_constraint" "constraint" {
  name           = "custom.disableGkeAutoUpgrade"
  parent         = "organizations/123456789"
  display_name   = "Disable GKE auto upgrade"
  description    = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."
  action_type    = "ALLOW"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}

resource "google_org_policy_policy" "bool" {
  name   = "organizations/123456789/policies/${google_org_policy_custom_constraint.constraint.name}"
  parent = "organizations/123456789"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```
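The examples above use ALLOW with a condition that every request must satisfy; the same CEL condition can instead drive a DENY constraint that rejects any request matching it, which is the shape most guardrails take. The following is an added example, not from the provider documentation: the inverse policy, requiring GKE node pools to keep auto-upgrade enabled, with the constraint defined at the organization and enforced on one folder. The organization and folder ids are placeholders.

```hcl
# Placeholder ids; replace with your own organization and folder.
variable "org_id" {
  default = "123456789"
}

variable "folder_id" {
  default = "000000000"
}

# DENY: the request is rejected when the CEL condition evaluates to true,
# i.e. whenever a NodePool is created or updated with auto-upgrade off.
resource "google_org_policy_custom_constraint" "require_gke_auto_upgrade" {
  name         = "custom.requireGkeAutoUpgrade"
  parent       = "organizations/${var.org_id}"
  display_name = "Require GKE node pool auto-upgrade"

  # The description is what the caller sees as the error message on a violation,
  # so state the reason and the fix rather than just the rule.
  description = "GKE node pools must keep auto-upgrade enabled so that node security patches are applied. Set management.autoUpgrade to true."

  action_type    = "DENY"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}

# The constraint exists at the organization, but it only takes effect where a
# policy enforces it. Here that scope is a single folder, so other folders are
# unaffected until they get their own policy.
resource "google_org_policy_policy" "require_gke_auto_upgrade" {
  name   = "folders/${var.folder_id}/policies/${google_org_policy_custom_constraint.require_gke_auto_upgrade.name}"
  parent = "folders/${var.folder_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```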
The following arguments are supported:

- name - (Required) Immutable. The name of the custom constraint. This is unique within the organization.
- condition - (Required) A CEL condition that refers to a supported service resource, for example resource.management.autoUpgrade == false. For details about CEL usage, see Common Expression Language.
- action_type - (Required) The action to take if the condition is met. Possible values are: ALLOW, DENY.
- method_types - (Required) A list of RESTful methods for which to enforce the constraint. Can be CREATE, UPDATE, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.
- resource_types - (Required) Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, container.googleapis.com/NodePool.
- parent - (Required) The parent of the resource, an organization. Format should be organizations/{organization_id}.
- display_name - (Optional) A human-friendly name for the constraint.
- description - (Optional) A human-friendly description of the constraint to display as an error message when the policy is violated.
In addition to the arguments listed above, the following computed attributes are exported:

- id - an identifier for the resource with format {{parent}}/customConstraints/{{name}}
- update_time - Output only. The timestamp representing when the constraint was last updated.
This resource provides the following Timeouts configuration options:

- create - Default is 20 minutes.
- update - Default is 20 minutes.
- delete - Default is 20 minutes.

CustomConstraint can be imported using any of these accepted formats:

- {{parent}}/customConstraints/{{name}}
In Terraform v1.5.0 and later, use an import block to import CustomConstraint using one of the formats above. For example:

```hcl
import {
  id = "{{parent}}/customConstraints/{{name}}"
  to = google_org_policy_custom_constraint.default
}
```
When using the terraform import command, CustomConstraint can be imported using one of the formats above. For example:

```shell
$ terraform import google_org_policy_custom_constraint.default {{parent}}/customConstraints/{{name}}
```