ResourceManagerPolicy
This resource is able to configure organization policy constraints for a project, folder, or organization. The parent resource is configured by setting one of projectRef, folderRef, or organizationRef.
| Property | Value |
|---|---|
| Google Cloud Service Name | Cloud Resource Manager |
| Google Cloud Service Documentation | /resource-manager/docs/ |
| Google Cloud REST Resource Name | v1.policy |
| Google Cloud REST Resource Documentation | /resource-manager/reference/rest/v1/Policy |
| Config Connector Resource Short Names | gcpresourcemanagerpolicy gcpresourcemanagerpolicies resourcemanagerpolicy |
| Config Connector Service Name | cloudresourcemanager.googleapis.com |
| Config Connector Resource Fully Qualified Name | resourcemanagerpolicies.resourcemanager.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
booleanPolicy: enforced: boolean constraint: string folderRef: external: string name: string namespace: string listPolicy: allow: all: boolean values: - string deny: all: boolean values: - string inheritFromParent: boolean suggestedValue: string organizationRef: external: string name: string namespace: string projectRef: external: string name: string namespace: string restorePolicy: default: boolean version: integer | Fields | |
|---|---|
|
Optional |
A boolean policy is a constraint that is either enforced or not. |
|
Required* |
If true, then the Policy is enforced. If false, then any configuration is acceptable. |
|
Required |
Immutable. The name of the Constraint the Policy is configuring, for example, serviceuser.services. |
|
Optional |
The folder on which to configure the constraint. Only one of projectRef, folderRef, or organizationRef may be specified. |
|
Optional |
Allowed value: The `name` field of a `Folder` resource. |
|
Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
|
Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
|
Optional |
A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. . |
|
Optional |
One or the other must be set. |
|
Optional |
The policy allows or denies all values. |
|
Optional |
The policy can define specific values that are allowed or denied. |
|
Optional |
|
|
Optional |
One or the other must be set. |
|
Optional |
The policy allows or denies all values. |
|
Optional |
The policy can define specific values that are allowed or denied. |
|
Optional |
|
|
Optional |
If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy. |
|
Optional |
The Google Cloud Console will try to default to a configuration that matches the value specified in this field. |
|
Optional |
The organization on which to configure the constraint. Only one of projectRef, folderRef, or organizationRef may be specified. |
|
Optional |
Allowed value: The `name` field of an `Organization` resource. |
|
Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
|
Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
|
Optional |
The project on which to configure the constraint. Only one of projectRef, folderRef, or organizationRef may be specified. |
|
Optional |
Allowed value: The `name` field of a `Project` resource. |
|
Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
|
Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
|
Optional |
A restore policy is a constraint to restore the default policy. |
|
Required* |
May only be set to true. If set, then the default Policy is restored. |
|
Optional |
Version of the Policy. Default version is 0. |
* Field is required when parent field is specified
Status
Schema
conditions: - lastTransitionTime: string message: string reason: string status: string type: string etag: string observedGeneration: integer updateTime: string | Fields | |
|---|---|
conditions |
Conditions represent the latest available observation of the resource's current state. |
conditions[] |
|
conditions[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions[].message |
Human-readable message indicating details about last transition. |
conditions[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type |
Type is the type of the condition. |
etag |
The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
updateTime |
The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z". |
Sample YAML(s)
Organization Policy For Folder
# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: ResourceManagerPolicy metadata: name: resourcemanagerpolicy-sample-folder spec: folderRef: name: resourcemanagerpolicy-dep-folder constraint: "constraints/compute.disableSerialPortAccess" booleanPolicy: enforced: true --- apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder metadata: annotations: # Replace "${ORG_ID?}" with the numeric ID for your organization cnrm.cloud.google.com/organization-id: "${ORG_ID?}" name: resourcemanagerpolicy-dep-folder spec: displayName: Organization Policy Sample Organization Policy For Organization
# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: ResourceManagerPolicy metadata: name: resourcemanagerpolicy-sample-org spec: organizationRef: # Replace "${ORG_ID?}" with the numeric ID for your organization external: "${ORG_ID?}" constraint: "constraints/compute.disableSerialPortAccess" booleanPolicy: enforced: true Organization Policy For Project
# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: ResourceManagerPolicy metadata: name: resourcemanagerpolicy-sample-proj spec: projectRef: name: resourcemanagerpolicy-dep-proj constraint: "constraints/compute.disableSerialPortAccess" booleanPolicy: enforced: true --- apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project metadata: annotations: # Replace "${ORG_ID?}" with the numeric ID for your folder cnrm.cloud.google.com/organization-id: "${ORG_ID?}" name: resourcemanagerpolicy-dep-proj spec: name: Org Policy Sample