Restrict the list of resources allowed in the Workload environment. The current list of allowed products can be found at https://cloud.google.com/assured-workloads/docs/supported-products. In addition to the assuredworkloads.workload.update permission, the user should also have the orgpolicy.policy.set permission on the folder resource to use this functionality.
HTTP request
POST https://{endpoint}/v1/{name=organizations/*/locations/*/workloads/*}:restrictAllowedResources
Where {endpoint} is one of the supported service endpoints.
The URLs use gRPC Transcoding syntax.
Path parameters
Parameters | |
---|---|
name | Required. The resource name of the Workload. This is the workload's relative path in the API, formatted as "organizations/{organization_id}/locations/{locationId}/workloads/{workload_id}". For example, "organizations/123/locations/us-east1/workloads/assured-workload-1". |
Request body
The request body contains data with the following structure:
JSON representation |
---|
{ "restrictionType": enum (RestrictionType) } |
Fields | |
---|---|
restrictionType | Required. The type of restriction for using GCP products in the Workload environment. |
Response body
If successful, the response body is empty.
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the name resource:
assuredworkloads.workload.update
For more information, see the IAM documentation.
RestrictionType
The type of restriction.
Enums | |
---|---|
RESTRICTION_TYPE_UNSPECIFIED | Unknown restriction type. |
ALLOW_ALL_GCP_RESOURCES | Allow the use of all GCP products, irrespective of the compliance posture. This effectively removes the gcp.restrictServiceUsage OrgPolicy on the AssuredWorkloads Folder. |
ALLOW_COMPLIANT_RESOURCES | The allowed list changes based on the Workload's compliance regime. See https://cloud.google.com/assured-workloads/docs/supported-products for the list of supported resources. |
APPEND_COMPLIANT_RESOURCES | Similar to ALLOW_COMPLIANT_RESOURCES, but adds the list of compliant resources to the existing list of compliant resources. The effective org policy of the Folder is considered to ensure there is no disruption to existing customer workflows. |
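
The following is an added example, not part of the original reference or Google's client libraries: a pre-flight wrapper that builds the request described above without sending it, checks the two documented permissions, and refuses ALLOW_ALL_GCP_RESOURCES unless the caller opts in. The function names and the `allow_policy_removal` flag are hypothetical; the caller supplies the endpoint and an OAuth access token carrying the cloud-platform scope.

```python
import json
import re
import urllib.request

# Pattern taken from the documented name format:
# organizations/{organization_id}/locations/{locationId}/workloads/{workload_id}
NAME_RE = re.compile(r"organizations/[^/]+/locations/[^/]+/workloads/[^/]+")

# Usable enum values from the RestrictionType table on this page
# (RESTRICTION_TYPE_UNSPECIFIED is deliberately left out).
RESTRICTION_TYPES = {
    "ALLOW_ALL_GCP_RESOURCES",
    "ALLOW_COMPLIANT_RESOURCES",
    "APPEND_COMPLIANT_RESOURCES",
}

# Permissions the page says the caller needs.
REQUIRED_PERMISSIONS = {
    "assuredworkloads.workload.update",  # on the workload (name) resource
    "orgpolicy.policy.set",              # on the workload's folder
}


def missing_permissions(granted):
    """Return the documented permissions absent from `granted`, sorted."""
    return sorted(REQUIRED_PERMISSIONS - set(granted))


def build_restrict_request(endpoint, name, restriction_type, token,
                           allow_policy_removal=False):
    """Build (but do not send) a restrictAllowedResources POST request."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"malformed workload name: {name!r}")
    if restriction_type not in RESTRICTION_TYPES:
        raise ValueError(f"unsupported restrictionType: {restriction_type!r}")
    # ALLOW_ALL_GCP_RESOURCES effectively removes gcp.restrictServiceUsage
    # from the folder, so require the caller to opt in explicitly.
    if restriction_type == "ALLOW_ALL_GCP_RESOURCES" and not allow_policy_removal:
        raise PermissionError("ALLOW_ALL_GCP_RESOURCES needs allow_policy_removal=True")
    body = json.dumps({"restrictionType": restriction_type}).encode()
    return urllib.request.Request(
        url=f"https://{endpoint}/v1/{name}:restrictAllowedResources",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
```

Passing the returned object to `urllib.request.urlopen` sends the call; per the page, a successful response has an empty body.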