subcategory | page_title | description |
---|---|---|
Organization Policy | Google: google_org_policy_custom_constraint | Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies. |
Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.
~> Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.
To get more information about CustomConstraint, see:
- API documentation
- How-to Guides
Basic example, a custom constraint that only allows a GKE NodePool to be created or updated when auto-upgrade is disabled:

```hcl
resource "google_org_policy_custom_constraint" "constraint" {
  provider       = google-beta
  name           = "custom.disableGkeAutoUpgrade"
  parent         = "organizations/123456789"
  action_type    = "ALLOW"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}
```

Full example, the same constraint with a display name and description, enforced through an organization policy that references it:

```hcl
resource "google_org_policy_custom_constraint" "constraint" {
  provider       = google-beta
  name           = "custom.disableGkeAutoUpgrade"
  parent         = "organizations/123456789"
  display_name   = "Disable GKE auto upgrade"
  description    = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."
  action_type    = "ALLOW"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}

resource "google_org_policy_policy" "bool" {
  provider = google-beta
  name     = "organizations/123456789/policies/${google_org_policy_custom_constraint.constraint.name}"
  parent   = "organizations/123456789"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```
The following arguments are supported:

- `name` - (Required) Immutable. The name of the custom constraint. This is unique within the organization.
- `condition` - (Required) A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see Common Expression Language.
- `action_type` - (Required) The action to take if the condition is met. Possible values are `ALLOW` and `DENY`.
- `method_types` - (Required) A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.
- `resource_types` - (Required) Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.
- `parent` - (Required) The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
- `display_name` - (Optional) A human-friendly name for the constraint.
- `description` - (Optional) A human-friendly description of the constraint to display as an error message when the policy is violated.
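As an added illustration (not code from these provider docs or from the google-beta provider), a small Python model of how `action_type`, `condition`, `method_types` and `resource_types` combine to decide a request, using the page's NodePool constraint and showing that the ALLOW form above and a DENY form with the inverted condition yield the same decisions. The evaluator handles only the `resource.<path> == true|false` condition shape, not full CEL, and the request bodies are constructed samples.

```python
import re
# Constraint values from the page's example. The evaluator below understands only
# the `resource.<path> == true|false` shape used there, not full CEL.
CONSTRAINT = {
    "name": "custom.disableGkeAutoUpgrade",
    "action_type": "ALLOW",
    "condition": "resource.management.autoUpgrade == false",
    "method_types": ["CREATE", "UPDATE"],
    "resource_types": ["container.googleapis.com/NodePool"],
}
# The same guardrail written the other way round: DENY when autoUpgrade is enabled.
DENY_FORM = dict(CONSTRAINT, action_type="DENY", condition="resource.management.autoUpgrade == true")

_COND_RE = re.compile(r"^resource\.([A-Za-z0-9_.]+)\s*==\s*(true|false)$")
def evaluate_condition(condition: str, resource: dict) -> bool:
    """Evaluate `resource.<path> == true|false` against a resource body (nested dict)."""
    m = _COND_RE.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition shape: {condition!r}")
    path, literal = m.groups()
    value = resource
    for key in path.split("."):
        if not isinstance(value, dict) or key not in value:
            raise KeyError(f"field {path!r} not present in resource body")
        value = value[key]
    return isinstance(value, bool) and value == (literal == "true")

def decide(constraint: dict, method: str, resource_type: str, resource: dict) -> str:
    """Return ALLOW, DENY or NOT_APPLICABLE for one request against one constraint."""
    if (resource_type not in constraint["resource_types"]
            or method not in constraint["method_types"]):
        return "NOT_APPLICABLE"  # outside method_types/resource_types: never evaluated
    met = evaluate_condition(constraint["condition"], resource)
    if constraint["action_type"] == "ALLOW":
        return "ALLOW" if met else "DENY"  # ALLOW permits only when the condition holds
    return "DENY" if met else "ALLOW"      # DENY blocks only when the condition holds

# Constructed sample requests (method, resource type, resource body), not real API traffic.
NODEPOOL = "container.googleapis.com/NodePool"
REQUESTS = [
    ("CREATE", NODEPOOL, {"management": {"autoUpgrade": False}}),  # ALLOW
    ("UPDATE", NODEPOOL, {"management": {"autoUpgrade": True}}),   # DENY
    ("DELETE", NODEPOOL, {"management": {"autoUpgrade": True}}),   # NOT_APPLICABLE
    ("CREATE", "container.googleapis.com/Cluster", {}),            # NOT_APPLICABLE
]

def evaluate_all(constraint: dict) -> list:
    """Decide every sample request under one constraint, in REQUESTS order."""
    return [decide(constraint, method, rtype, body) for method, rtype, body in REQUESTS]
```

Note that a `DELETE` is never evaluated by this constraint because `method_types` lists only `CREATE` and `UPDATE`.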
In addition to the arguments listed above, the following computed attributes are exported:

- `id` - an identifier for the resource with format `{{parent}}/customConstraints/{{name}}`
- `update_time` - Output only. The timestamp representing when the constraint was last updated.
This resource provides the following Timeouts configuration options:

- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
CustomConstraint can be imported using any of these accepted formats:

```shell
$ terraform import google_org_policy_custom_constraint.default {{parent}}/customConstraints/{{name}}
```