OrgPolicyPolicy
This resource configures organization policy constraints for a project,
folder, or organization. Set exactly one of projectRef
, folderRef
, or organizationRef
to select the parent resource.
| Property | Value |
|---|---|
| Google Cloud Service Name | Organization Policy |
| Google Cloud Service Documentation | /resource-manager/docs/organization-policy/overview |
| Google Cloud REST Resource Name | organizations.policies |
| Google Cloud REST Resource Documentation | /resource-manager/docs/reference/orgpolicy/rest/v2/organizations.policies |
| Config Connector Resource Short Names | gcporgpolicypolicies gcporgpolicypolicy orgpolicypolicy |
| Config Connector Service Name | orgpolicy.googleapis.com |
| Config Connector Resource Fully Qualified Name | orgpolicypolicies.orgpolicy.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
dryRunSpec
:
inheritFromParent
:
boolean
reset
:
boolean
rules
:
-
allowAll
:
boolean
condition
:
description
:
string
expression
:
string
location
:
string
title
:
string
denyAll
:
boolean
enforce
:
boolean
parameters
:
allowAnyGKEPath
:
boolean
allowPaths
:
-
string
allowedAWSAccountIDs
:
-
string
allowedDataSources
:
-
string
allowedDomains
:
-
string
allowedEgressFQDNs
:
-
string
allowedEncryptions
:
-
string
allowedMemberSubjects
:
-
string
allowedParents
:
-
string
allowedPreviewFeatures
:
-
string
allowedPrincipalSets
:
-
string
allowedProviders
:
-
string
allowedRetentionDurationSeconds
:
integer
allowedRetentionPeriods
:
-
string
allowedSchemes
:
-
string
allowedServiceList
:
-
string
allowedServices
:
-
string
defaultAWSProvider
:
string
defaultXMLServiceProvider
:
string
deniedEditions
:
-
string
enforcedProjects
:
-
string
minimumDestroyScheduleDurationInDays
:
integer
nonFIPSMachineTypes
:
-
string
values
:
allowedValues
:
-
string
deniedValues
:
-
string
folderRef
:
external
:
string
name
:
string
namespace
:
string
organizationRef
:
external
:
string
projectRef
:
external
:
string
kind
:
string
name
:
string
namespace
:
string
resourceID
:
string
spec
:
inheritFromParent
:
boolean
reset
:
boolean
rules
:
-
allowAll
:
boolean
condition
:
description
:
string
expression
:
string
location
:
string
title
:
string
denyAll
:
boolean
enforce
:
boolean
parameters
:
allowAnyGKEPath
:
boolean
allowPaths
:
-
string
allowedAWSAccountIDs
:
-
string
allowedDataSources
:
-
string
allowedDomains
:
-
string
allowedEgressFQDNs
:
-
string
allowedEncryptions
:
-
string
allowedMemberSubjects
:
-
string
allowedParents
:
-
string
allowedPreviewFeatures
:
-
string
allowedPrincipalSets
:
-
string
allowedProviders
:
-
string
allowedRetentionDurationSeconds
:
integer
allowedRetentionPeriods
:
-
string
allowedSchemes
:
-
string
allowedServiceList
:
-
string
allowedServices
:
-
string
defaultAWSProvider
:
string
defaultXMLServiceProvider
:
string
deniedEditions
:
-
string
enforcedProjects
:
-
string
minimumDestroyScheduleDurationInDays
:
integer
nonFIPSMachineTypes
:
-
string
values
:
allowedValues
:
-
string
deniedValues
:
-
string
| Fields | |
|---|---|
| Optional |
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. |
| Optional |
Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints. |
| Optional |
Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false. |
| Optional |
In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. |
| Optional |
|
| Optional |
Setting this to true means that all values are allowed. This field can be set only in policies for list constraints. |
| Optional |
A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(' |
| Optional |
Optional. Description of the expression. This is a longer text which describes the expression, for example, when hovered over it in a UI. |
| Optional |
Textual representation of an expression in Common Expression Language syntax. |
| Optional |
Optional. String indicating the location of the expression for error reporting, for example, a file name and a position in the file. |
| Optional |
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs which allow to enter the expression. |
| Optional |
Setting this to true means that all values are denied. This field can be set only in policies for list constraints. |
| Optional |
If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints. |
| Optional |
Optional. Required for managed constraints if parameters are defined. Passes parameter values when policy enforcement is enabled. Each field corresponds to a known managed-constraint parameter key; the value type matches the type defined in the constraint definition. For example, the essentialcontacts.managed.allowedContactDomains managed constraint takes: parameters: allowedDomains: - "@example.com" |
| Optional |
When true, any Google Kubernetes Engine resource path is permitted. |
| Optional |
Resource paths that are explicitly allowed by the managed constraint. |
| Optional |
|
| Optional |
AWS account IDs that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Data sources that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Contact domains that are allowed by the managed constraint (for example, email domains permitted by essentialcontacts.managed.allowedContactDomains). |
| Optional |
|
| Optional |
Fully qualified domain names that are allowed for egress traffic. |
| Optional |
|
| Optional |
Encryption types or modes that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Member subjects (for example, users or service accounts) that are allowed. |
| Optional |
|
| Optional |
Parent resources (organizations, folders, or projects) that are allowed. |
| Optional |
|
| Optional |
Preview features that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Principal sets that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Providers that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Retention durations (in seconds) that are allowed by the managed constraint. |
| Optional |
Retention periods that are allowed by the managed constraint. |
| Optional |
|
| Optional |
URI schemes that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Services that are allowed by the managed constraint (service list form). |
| Optional |
|
| Optional |
Services that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Default AWS provider used when no explicit provider is specified. |
| Optional |
Default XML service provider used when no explicit provider is specified. |
| Optional |
Editions that are denied by the managed constraint. |
| Optional |
|
| Optional |
Projects where the managed constraint is enforced. |
| Optional |
|
| Optional |
Minimum destroy schedule duration, in days, required by the managed constraint. |
| Optional |
Compute Engine machine types that are not FIPS-compliant but are allowed. |
| Optional |
|
| Optional |
List of values to be used for this policy rule. This field can be set only in policies for list constraints. |
| Optional |
List of values allowed at this resource. |
| Optional |
|
| Optional |
List of values denied at this resource. |
| Optional |
|
| Optional |
Immutable. The Folder that this resource belongs to. One and only one of 'projectRef', 'folderRef', or 'organizationRef' must be set. |
| Optional |
The 'name' field of a folder, when not managed by Config Connector. This field must be set when 'name' field is not set. |
| Optional |
The 'name' field of a 'Folder' resource. This field must be set when 'external' field is not set. |
| Optional |
The 'namespace' field of a 'Folder' resource. If unset, the namespace is defaulted to the namespace of the referencer resource. |
| Optional |
Immutable. The Organization that this resource belongs to. One and only one of 'projectRef', 'folderRef', or 'organizationRef' must be set. |
| Required* |
The 'name' field of an organization, when not managed by Config Connector. |
| Optional |
Immutable. The Project that this resource belongs to. One and only one of 'projectRef', 'folderRef', or 'organizationRef' must be set. |
| Optional |
The `projectID` field of a project, when not managed by Config Connector. |
| Optional |
The kind of the Project resource; optional but must be `Project` if provided. |
| Optional |
The `name` field of a `Project` resource. |
| Optional |
The `namespace` field of a `Project` resource. |
| Optional |
The OrgPolicyPolicy name. If not given, the metadata.name will be used. |
| Optional |
Basic information about the Organization Policy. |
| Optional |
Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints. |
| Optional |
Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false. |
| Optional |
In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. |
| Optional |
|
| Optional |
Setting this to true means that all values are allowed. This field can be set only in policies for list constraints. |
| Optional |
A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(' |
| Optional |
Optional. Description of the expression. This is a longer text which describes the expression, for example, when hovered over it in a UI. |
| Optional |
Textual representation of an expression in Common Expression Language syntax. |
| Optional |
Optional. String indicating the location of the expression for error reporting, for example, a file name and a position in the file. |
| Optional |
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs which allow to enter the expression. |
| Optional |
Setting this to true means that all values are denied. This field can be set only in policies for list constraints. |
| Optional |
If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints. |
| Optional |
Optional. Required for managed constraints if parameters are defined. Passes parameter values when policy enforcement is enabled. Each field corresponds to a known managed-constraint parameter key; the value type matches the type defined in the constraint definition. For example, the essentialcontacts.managed.allowedContactDomains managed constraint takes: parameters: allowedDomains: - "@example.com" |
| Optional |
When true, any Google Kubernetes Engine resource path is permitted. |
| Optional |
Resource paths that are explicitly allowed by the managed constraint. |
| Optional |
|
| Optional |
AWS account IDs that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Data sources that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Contact domains that are allowed by the managed constraint (for example, email domains permitted by essentialcontacts.managed.allowedContactDomains). |
| Optional |
|
| Optional |
Fully qualified domain names that are allowed for egress traffic. |
| Optional |
|
| Optional |
Encryption types or modes that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Member subjects (for example, users or service accounts) that are allowed. |
| Optional |
|
| Optional |
Parent resources (organizations, folders, or projects) that are allowed. |
| Optional |
|
| Optional |
Preview features that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Principal sets that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Providers that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Retention durations (in seconds) that are allowed by the managed constraint. |
| Optional |
Retention periods that are allowed by the managed constraint. |
| Optional |
|
| Optional |
URI schemes that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Services that are allowed by the managed constraint (service list form). |
| Optional |
|
| Optional |
Services that are allowed by the managed constraint. |
| Optional |
|
| Optional |
Default AWS provider used when no explicit provider is specified. |
| Optional |
Default XML service provider used when no explicit provider is specified. |
| Optional |
Editions that are denied by the managed constraint. |
| Optional |
|
| Optional |
Projects where the managed constraint is enforced. |
| Optional |
|
| Optional |
Minimum destroy schedule duration, in days, required by the managed constraint. |
| Optional |
Compute Engine machine types that are not FIPS-compliant but are allowed. |
| Optional |
|
| Optional |
List of values to be used for this policy rule. This field can be set only in policies for list constraints. |
| Optional |
List of values allowed at this resource. |
| Optional |
|
| Optional |
List of values denied at this resource. |
| Optional |
|
* Field is required when parent field is specified
Status
Schema
conditions
:
-
lastTransitionTime
:
string
message
:
string
reason
:
string
status
:
string
type
:
string
externalRef
:
string
observedGeneration
:
integer
observedState
:
dryRunSpec
:
updateTime
:
string
spec
:
updateTime
:
string
| Fields | |
|---|---|
conditions
|
Conditions represent the latest available observations of the object's current state. |
conditions[]
|
|
conditions[].lastTransitionTime
|
Last time the condition transitioned from one status to another. |
conditions[].message
|
Human-readable message indicating details about last transition. |
conditions[].reason
|
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status
|
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type
|
Type is the type of the condition. |
externalRef
|
A unique specifier for the OrgPolicyPolicy resource in Google Cloud. |
observedGeneration
|
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
observedState
|
ObservedState is the state of the resource as most recently observed in Google Cloud. |
observedState.dryRunSpec
|
Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced. |
observedState.dryRunSpec.updateTime
|
Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy. |
observedState.spec
|
Basic information about the Organization Policy. |
observedState.spec.updateTime
|
Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy. |

