---
subcategory: "Organization Policy"
page_title: "Google: google_org_policy_custom_constraint"
description: |-
  Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.
---

# google_org_policy_custom_constraint

Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.

~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

To get more information about CustomConstraint, see:

## Example Usage - Org Policy Custom Constraint Basic

```hcl
resource "google_org_policy_custom_constraint" "constraint" {
  provider = google-beta

  name         = "custom.disableGkeAutoUpgrade"
  parent       = "organizations/123456789"

  action_type    = "ALLOW"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}
```

## Example Usage - Org Policy Custom Constraint Full

```hcl
resource "google_org_policy_custom_constraint" "constraint" {
  provider = google-beta

  name         = "custom.disableGkeAutoUpgrade"
  parent       = "organizations/123456789"
  display_name = "Disable GKE auto upgrade"
  description  = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."

  action_type    = "ALLOW"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}

resource "google_org_policy_policy" "bool" {
  provider = google-beta

  name   = "organizations/123456789/policies/${google_org_policy_custom_constraint.constraint.name}"
  parent = "organizations/123456789"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```

## Argument Reference

The following arguments are supported:

* `name` - (Required) Immutable. The name of the custom constraint. This is unique within the organization.

* `condition` - (Required) A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see Common Expression Language.

* `action_type` - (Required) The action to take if the condition is met. Possible values are `ALLOW` and `DENY`.

* `method_types` - (Required) A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.

* `resource_types` - (Required) Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.

* `parent` - (Required) The parent of the resource, an organization. Format should be `organizations/{organization_id}`.

* `display_name` - (Optional) A human-friendly name for the constraint.

* `description` - (Optional) A human-friendly description of the constraint to display as an error message when the policy is violated.
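As an added example (not part of the provider docs and not the Google Cloud evaluator), the following Python simulates the decision the arguments above describe once a constraint is enforced on a request: with `action_type = "ALLOW"` a matching request is allowed only when the condition holds and denied otherwise, with `DENY` the reverse, and requests outside `method_types` or `resource_types` are untouched. `CustomConstraint`, `decide`, `condition_met` and `DISABLE_AUTO_UPGRADE` are hypothetical names; only the `path == literal` / `path != literal` subset of CEL is handled, and an unset field is assumed to match no literal.

```python
from dataclasses import dataclass

@dataclass
class CustomConstraint:
    name: str
    action_type: str      # "ALLOW" or "DENY": the action taken when the condition is met
    condition: str        # CEL subset handled here: "<resource.path> ==|!= <literal>"
    method_types: list    # any of "CREATE", "UPDATE"
    resource_types: list  # e.g. "container.googleapis.com/NodePool"

def _parse_literal(token: str):
    """Turn the right-hand side of the condition into a Python value."""
    if token in ("true", "false"):
        return token == "true"
    if token.startswith(("'", '"')):
        return token[1:-1]
    return int(token)

def _lookup(resource: dict, path: str):
    """Resolve a dotted path such as resource.management.autoUpgrade in a request body."""
    node = resource
    for part in path.split(".")[1:]:  # skip the leading 'resource' root
        if not isinstance(node, dict) or part not in node:
            return None  # assumption: an unset field compares unequal to any literal
        node = node[part]
    return node

def condition_met(condition: str, resource: dict) -> bool:
    path, op, literal = condition.split()
    if op not in ("==", "!="):
        raise ValueError(f"unsupported operator in condition: {condition!r}")
    actual, expected = _lookup(resource, path), _parse_literal(literal)
    return actual == expected if op == "==" else actual != expected

def decide(c: CustomConstraint, method: str, resource_type: str, resource: dict) -> str:
    """Return "ALLOW" or "DENY" for one request while the constraint is enforced."""
    if method not in c.method_types or resource_type not in c.resource_types:
        return "ALLOW"  # out of scope: this constraint does not apply to the request
    met = condition_met(c.condition, resource)
    if c.action_type == "ALLOW":
        return "ALLOW" if met else "DENY"  # allowed only when the condition holds
    return "DENY" if met else "ALLOW"      # denied only when the condition holds

# The constraint from the examples above, as the simulator sees it.
DISABLE_AUTO_UPGRADE = CustomConstraint(
    name="custom.disableGkeAutoUpgrade", action_type="ALLOW",
    condition="resource.management.autoUpgrade == false",
    method_types=["CREATE", "UPDATE"], resource_types=["container.googleapis.com/NodePool"])
```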

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `{{parent}}/customConstraints/{{name}}`

* `update_time` - Output only. The timestamp representing when the constraint was last updated.

## Timeouts

This resource provides the following Timeouts configuration options:

* `create` - Default is 20 minutes.
* `update` - Default is 20 minutes.
* `delete` - Default is 20 minutes.

## Import

CustomConstraint can be imported using any of these accepted formats:

```sh
$ terraform import google_org_policy_custom_constraint.default {{parent}}/customConstraints/{{name}}
```