
googleFolderOrganizationPolicy

Allows management of Organization Policies for a Google Cloud Folder.

~> Warning: This resource has been superseded by googleOrgPolicyPolicy. googleOrgPolicyPolicy uses Organization Policy API V2 instead of Cloud Resource Manager API V1 and it supports additional features such as tags and conditions.

To get more information about Organization Policies, see:

Example Usage

To set policy with a boolean constraint:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.folderOrganizationPolicy.FolderOrganizationPolicy(
  this,
  "serial_port_policy",
  {
    // Property names are camelCase in the generated TypeScript bindings, as in
    // the argument reference below; cdktf convert emitted snake_case here
    // because it ran without the provider schema.
    booleanPolicy: [
      {
        enforced: true,
      },
    ],
    constraint: "compute.disableSerialPortAccess",
    folder: "folders/123456789",
  }
);

To set a policy with a list constraint:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.folderOrganizationPolicy.FolderOrganizationPolicy(
  this,
  "services_policy",
  {
    constraint: "serviceuser.services",
    folder: "folders/123456789",
    // camelCase property names, as in the argument reference below
    listPolicy: [
      {
        allow: [
          {
            all: true,
          },
        ],
      },
    ],
  }
);

Or to deny some services, use the following instead:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.folderOrganizationPolicy.FolderOrganizationPolicy(
  this,
  "services_policy",
  {
    constraint: "serviceuser.services",
    folder: "folders/123456789",
    // camelCase property names, as in the argument reference below
    listPolicy: [
      {
        deny: [
          {
            values: ["cloudresourcemanager.googleapis.com"],
          },
        ],
        suggestedValue: "compute.googleapis.com",
      },
    ],
  }
);

To restore the default folder organization policy, use the following instead:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.folderOrganizationPolicy.FolderOrganizationPolicy(
  this,
  "services_policy",
  {
    constraint: "serviceuser.services",
    folder: "folders/123456789",
    // camelCase property names, as in the argument reference below
    restorePolicy: [
      {
        default: true,
      },
    ],
  }
);

Argument Reference

The following arguments are supported:

  • folder - (Required) The resource name of the folder to set the policy for. Its format is folders/{folder_id}.

  • constraint - (Required) The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.


  • version - (Optional) Version of the Policy. Default version is 0.

  • booleanPolicy - (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below.

  • listPolicy - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.

  • restorePolicy - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.

~> Note: If none of [booleanPolicy, listPolicy, restorePolicy] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'.


The booleanPolicy block supports:

  • enforced - (Required) If true, then the Policy is enforced. If false, then any configuration is acceptable.

The listPolicy block supports:

  • allow or deny - (Optional) Exactly one of the two must be set.

  • suggestedValue - (Optional) The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

  • inheritFromParent - (Optional) If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

The allow or deny blocks support:

  • all - (Optional) The policy allows or denies all values.

  • values - (Optional) The policy can define specific values that are allowed or denied.

The restorePolicy block supports:

  • default - (Required) May only be set to true. If set, then the default Policy is restored.
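The block below is an added example, not part of the provider's documentation or code. It models the arguments documented above in plain TypeScript, with no dependency on the bindings generated by cdktf get: validateFolderOrgPolicy checks a config against the rules this page states (folder format, exactly one of allow or deny, all versus values, restorePolicy.default only true, and the "Inherited" case when no block is set) before anything is synthesized, and effectiveListValues models what inheritFromParent does to a list policy. Treating more than one policy block on a single resource as an error, and treating all plus values in the same allow or deny block as an error, are this example's own assumptions; the type and function names are hypothetical.

```typescript
// Added example: a dependency-free model of google_folder_organization_policy
// arguments with a pre-synth validator. Not the provider's own code.

type BooleanPolicy = { enforced: boolean };
type ListValues = { all?: boolean; values?: string[] };
type ListPolicy = {
  allow?: ListValues;
  deny?: ListValues;
  suggestedValue?: string;
  inheritFromParent?: boolean;
};
type RestorePolicy = { default: boolean };

interface FolderOrgPolicyConfig {
  folder: string;       // folders/{folder_id}
  constraint: string;   // e.g. serviceuser.services
  version?: number;
  booleanPolicy?: BooleanPolicy;
  listPolicy?: ListPolicy;
  restorePolicy?: RestorePolicy;
}

// Checks one allow or deny block: it needs `all` or `values`. The page
// presents those as alternatives, so both at once is reported as an error
// (that strictness is this example's assumption, not a documented rule).
function checkListValues(kind: "allow" | "deny", lv: ListValues): string[] {
  const out: string[] = [];
  const hasAll = lv.all === true;
  const hasValues = (lv.values?.length ?? 0) > 0;
  if (!hasAll && !hasValues) out.push(`error: ${kind} sets neither all nor values`);
  if (hasAll && hasValues) out.push(`error: ${kind} sets both all and values`);
  return out;
}

// Returns findings prefixed "error:" or "warning:"; an empty list is clean.
function validateFolderOrgPolicy(cfg: FolderOrgPolicyConfig): string[] {
  const out: string[] = [];
  if (!/^folders\/\d+$/.test(cfg.folder)) {
    out.push(`error: folder must be folders/{folder_id}, got "${cfg.folder}"`);
  }
  // Constraint names are dotted identifiers such as serviceuser.services.
  if (!/^[a-z][A-Za-z0-9]*\.[A-Za-z0-9.]+$/.test(cfg.constraint)) {
    out.push(`error: constraint "${cfg.constraint}" is not a dotted constraint name`);
  }
  const blocks = [cfg.booleanPolicy, cfg.listPolicy, cfg.restorePolicy].filter((b) => b !== undefined);
  if (blocks.length === 0) {
    // Page: with none of the three blocks set, the constraint shows as Inherited.
    out.push("warning: no policy block set; the constraint will show as Inherited");
  }
  if (blocks.length > 1) {
    // Assumption of this example: one resource carries one kind of policy.
    out.push("error: more than one of booleanPolicy, listPolicy, restorePolicy set");
  }
  const lp = cfg.listPolicy;
  if (lp) {
    if ((lp.allow === undefined) === (lp.deny === undefined)) {
      out.push("error: listPolicy needs exactly one of allow or deny");
    }
    if (lp.allow) out.push(...checkListValues("allow", lp.allow));
    if (lp.deny) out.push(...checkListValues("deny", lp.deny));
  }
  if (cfg.restorePolicy && cfg.restorePolicy.default !== true) {
    out.push("error: restorePolicy.default may only be true");
  }
  return out;
}

// Page: with inheritFromParent the folder's values are added to the values
// inherited from the parent's effective policy; without it only the folder's
// own values apply. Assumes parent and child lists are the same kind
// (both allow or both deny), which is this example's simplification.
function effectiveListValues(parentEffective: string[], local: ListPolicy): string[] {
  const own = (local.allow ?? local.deny)?.values ?? [];
  if (!local.inheritFromParent) return [...own];
  return Array.from(new Set([...parentEffective, ...own]));
}

// The page's deny example, and a constructed broken variant of it.
const denyExample: FolderOrgPolicyConfig = {
  folder: "folders/123456789",
  constraint: "serviceuser.services",
  listPolicy: {
    deny: { values: ["cloudresourcemanager.googleapis.com"] },
    suggestedValue: "compute.googleapis.com",
  },
};
const brokenExample: FolderOrgPolicyConfig = {
  folder: "123456789",
  constraint: "serviceuser.services",
  listPolicy: { allow: { all: true }, deny: { values: ["storage.googleapis.com"] } },
};
```

Running validateFolderOrgPolicy over a stack's configs in a pre-commit or CI step catches the cases the provider only reports at apply time, and the "Inherited" warning is worth keeping: a resource with no policy block silently stops enforcing the constraint at that folder.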

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • etag - (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

  • updateTime - (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the policy was last updated. Example: "2016-10-09T12:33:37.578138407Z".

Import

Folder organization policies can be imported using any of the following formats:

$ terraform import google_folder_organization_policy.policy folders/folder-1234/constraints/serviceuser.services
$ terraform import google_folder_organization_policy.policy folder-1234/serviceuser.services