
googleOrgPolicyCustomConstraint

Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.

~> Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

To get more information about CustomConstraint, see:

Example Usage - Org Policy Custom Constraint Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
// Attribute keys use the camelCase names listed under Argument Reference below.
new google.orgPolicyCustomConstraint.OrgPolicyCustomConstraint(
  this,
  "constraint",
  {
    actionType: "ALLOW",
    // CEL condition evaluated against the NodePool resource on CREATE/UPDATE
    condition: "resource.management.autoUpgrade == false",
    methodTypes: ["CREATE", "UPDATE"],
    name: "custom.disableGkeAutoUpgrade",
    parent: "organizations/123456789",
    // provider alias as emitted by cdktf convert; bind a google-beta provider instance here
    provider: "${google-beta}",
    resourceTypes: ["container.googleapis.com/NodePool"],
  }
);

Example Usage - Org Policy Custom Constraint Full

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
// Attribute keys use the camelCase names listed under Argument Reference below.
const googleOrgPolicyCustomConstraintConstraint =
  new google.orgPolicyCustomConstraint.OrgPolicyCustomConstraint(
    this,
    "constraint",
    {
      actionType: "ALLOW",
      condition: "resource.management.autoUpgrade == false",
      description:
        "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
      displayName: "Disable GKE auto upgrade",
      methodTypes: ["CREATE", "UPDATE"],
      name: "custom.disableGkeAutoUpgrade",
      parent: "organizations/123456789",
      // provider alias as emitted by cdktf convert; bind a google-beta provider instance here
      provider: "${google-beta}",
      resourceTypes: ["container.googleapis.com/NodePool"],
    }
  );
// Defining a custom constraint does nothing on its own: an org policy must
// reference it by name and enforce it at the organization (or a folder/project).
new google.orgPolicyPolicy.OrgPolicyPolicy(this, "bool", {
  name: `organizations/123456789/policies/${googleOrgPolicyCustomConstraintConstraint.name}`,
  parent: "organizations/123456789",
  provider: "${google-beta}",
  spec: {
    rules: [
      {
        enforce: "TRUE",
      },
    ],
  },
});

Argument Reference

The following arguments are supported:

  • name - (Required) Immutable. The name of the custom constraint. This is unique within the organization.

  • condition - (Required) A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see Common Expression Language.

  • actionType - (Required) The action to take if the condition is met. Possible values are `ALLOW` and `DENY`.

  • methodTypes - (Required) A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.

  • resourceTypes - (Required) Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.

  • parent - (Required) The parent of the resource, an organization. Format should be organizations/{organizationId}.

  • displayName - (Optional) A human-friendly name for the constraint.

  • description - (Optional) A human-friendly description of the constraint to display as an error message when the policy is violated.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format {{parent}}/customConstraints/{{name}}

  • updateTime - Output only. The timestamp representing when the constraint was last updated.
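A pre-apply check for the arguments and computed attributes listed above, as an added example that is not part of the provider or of this page. It validates a custom-constraint definition against the documented value rules before it is handed to Terraform, and derives the exported `id` and the policy name used in the Full example. The `custom.` name prefix and the exact character sets in the regular expressions are assumptions taken from the page's example, not from the provider schema.

```typescript
// Added example (not provider code): validate a custom-constraint definition
// against the Argument Reference rules and derive the computed identifiers.
interface CustomConstraintSpec {
  name: string;          // immutable, unique within the organization
  condition: string;     // CEL expression over the target resource
  actionType: string;    // ALLOW or DENY
  methodTypes: string[]; // CREATE, UPDATE, or both
  resourceTypes: string[];
  parent: string;        // organizations/{organizationId}
  displayName?: string;
  description?: string;
}

const ACTION_TYPES = new Set(["ALLOW", "DENY"]);
const METHOD_TYPES = new Set(["CREATE", "UPDATE"]);
// Assumed patterns, modelled on the page's example values.
const NAME_RE = /^custom\.[A-Za-z][A-Za-z0-9_]*$/;
const PARENT_RE = /^organizations\/\d+$/;
const RESOURCE_RE = /^[a-z]+\.googleapis\.com\/[A-Za-z]+$/;

// Returns a list of human-readable problems; an empty list means the spec is acceptable.
function validateCustomConstraint(c: CustomConstraintSpec): string[] {
  const errors: string[] = [];
  if (!NAME_RE.test(c.name)) errors.push(`name: expected "custom.<Name>", got "${c.name}"`);
  if (!PARENT_RE.test(c.parent)) errors.push(`parent: expected "organizations/{organizationId}", got "${c.parent}"`);
  if (!ACTION_TYPES.has(c.actionType)) errors.push(`actionType: expected ALLOW or DENY, got "${c.actionType}"`);
  if (c.methodTypes.length === 0 || c.methodTypes.some((m) => !METHOD_TYPES.has(m)))
    errors.push("methodTypes: expected a non-empty subset of CREATE, UPDATE");
  if (c.resourceTypes.length === 0 || c.resourceTypes.some((r) => !RESOURCE_RE.test(r)))
    errors.push("resourceTypes: expected fully qualified names such as container.googleapis.com/NodePool");
  // A condition that never mentions the resource cannot restrict any field of it.
  if (!/\bresource\./.test(c.condition)) errors.push('condition: CEL expression must reference "resource."');
  return errors;
}

// Computed id, in the {{parent}}/customConstraints/{{name}} format from Attributes Reference.
function customConstraintId(c: CustomConstraintSpec): string {
  return `${c.parent}/customConstraints/${c.name}`;
}

// Name of the org policy that enforces the constraint, as built in the Full example.
function enforcingPolicyName(c: CustomConstraintSpec): string {
  return `${c.parent}/policies/${c.name}`;
}

// Constructed sample mirroring the page's Basic example.
const exampleConstraint: CustomConstraintSpec = {
  name: "custom.disableGkeAutoUpgrade",
  condition: "resource.management.autoUpgrade == false",
  actionType: "ALLOW",
  methodTypes: ["CREATE", "UPDATE"],
  resourceTypes: ["container.googleapis.com/NodePool"],
  parent: "organizations/123456789",
};
console.log(validateCustomConstraint(exampleConstraint), customConstraintId(exampleConstraint));
```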

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

CustomConstraint can be imported using any of these accepted formats:

$ terraform import google_org_policy_custom_constraint.default {{parent}}/customConstraints/{{name}}