diff --git a/.changelog/6608.txt b/.changelog/6608.txt
new file mode 100644
index 00000000000..c27d23104bf
--- /dev/null
+++ b/.changelog/6608.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+google_org_policy_custom_constraint
+```
diff --git a/google/resource_org_policy_custom_constraint_test.go b/google/resource_org_policy_custom_constraint_test.go
new file mode 100644
index 00000000000..71664db3c87
--- /dev/null
+++ b/google/resource_org_policy_custom_constraint_test.go
@@ -0,0 +1 @@
+package google
diff --git a/website/docs/r/org_policy_custom_constraint.html.markdown b/website/docs/r/org_policy_custom_constraint.html.markdown
new file mode 100644
index 00000000000..76855db061c
--- /dev/null
+++ b/website/docs/r/org_policy_custom_constraint.html.markdown
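Review bot: The new file google/resource_org_policy_custom_constraint_test.go adds only the package clause, so the resource announced in .changelog/6608.txt (google_org_policy_custom_constraint) ships with no acceptance test in the file meant to hold one. If the generated test lives in another part of this diff that is fine; otherwise a test mirroring the Basic example from the docs — create the constraint, then an import step verifying the `{{parent}}/customConstraints/{{name}}` id format — would catch regressions in name/parent handling before release. A file that only declares `package google` also leaves no marker that tests are intentionally deferred; a short comment such as `// TODO: add acceptance tests for google_org_policy_custom_constraint` would make that explicit.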
@@ -0,0 +1,152 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in +# .github/CONTRIBUTING.md. +# +# ---------------------------------------------------------------------------- +subcategory: "Organization Policy" +page_title: "Google: google_org_policy_custom_constraint" +description: |- + Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies. +--- + +# google\_org\_policy\_custom\_constraint + +Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies. + +~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. +See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources. 
+ +To get more information about CustomConstraint, see: + +* [API documentation](https://cloud.google.com/resource-manager/docs/reference/orgpolicy/rest/v2/organizations.constraints) +* How-to Guides + * [Official Documentation](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints) + * [Supported Services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services) + +## Example Usage - Org Policy Custom Constraint Basic + + +```hcl +resource "google_org_policy_custom_constraint" "constraint" { + provider = google-beta + + name = "custom.disableGkeAutoUpgrade" + parent = "organizations/123456789" + + action_type = "ALLOW" + condition = "resource.management.autoUpgrade == false" + method_types = ["CREATE", "UPDATE"] + resource_types = ["container.googleapis.com/NodePool"] +} +``` +## Example Usage - Org Policy Custom Constraint Full + + +```hcl +resource "google_org_policy_custom_constraint" "constraint" { + provider = google-beta + + name = "custom.disableGkeAutoUpgrade" + parent = "organizations/123456789" + display_name = "Disable GKE auto upgrade" + description = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced." + + action_type = "ALLOW" + condition = "resource.management.autoUpgrade == false" + method_types = ["CREATE", "UPDATE"] + resource_types = ["container.googleapis.com/NodePool"] +} + +resource "google_org_policy_policy" "bool" { + provider = google-beta + + name = "organizations/123456789/policies/${google_org_policy_custom_constraint.constraint.name}" + parent = "organizations/123456789" + + spec { + rules { + enforce = "TRUE" + } + } +} +``` + +## Argument Reference + +The following arguments are supported: + + +* `name` - + (Required) + Immutable. The name of the custom constraint. This is unique within the organization. 
+ +* `condition` - + (Required) + A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see [Common Expression Language](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#common_expression_language). + +* `action_type` - + (Required) + The action to take if the condition is met. + Possible values are `ALLOW` and `DENY`. + +* `method_types` - + (Required) + A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in [Supported services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services). + +* `resource_types` - + (Required) + Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`. + +* `parent` - + (Required) + The parent of the resource, an organization. Format should be `organizations/{organization_id}`. + + +- - - + + +* `display_name` - + (Optional) + A human-friendly name for the constraint. + +* `description` - + (Optional) + A human-friendly description of the constraint to display as an error message when the policy is violated. + + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + +* `id` - an identifier for the resource with format `{{parent}}/customConstraints/{{name}}` + +* `update_time` - + Output only. The timestamp representing when the constraint was last updated. + + +## Timeouts + +This resource provides the following +[Timeouts](/docs/configuration/resources.html#timeouts) configuration options: + +- `create` - Default is 20 minutes. +- `update` - Default is 20 minutes. +- `delete` - Default is 20 minutes. 
+ +## Import + + +CustomConstraint can be imported using any of these accepted formats: + +``` +$ terraform import google_org_policy_custom_constraint.default {{parent}}/customConstraints/{{name}} +```