CustomConstraint

A custom constraint defined by customers which can only be applied to the given resource types and organization.

Once a custom constraint has been created, customers can apply policies that use it. Creating a custom constraint does NOT by itself apply any policy enforcement.

JSON representation
{
  "name": string,
  "resourceTypes": [
    string
  ],
  "methodTypes": [
    enum (MethodType)
  ],
  "condition": string,
  "actionType": enum (ActionType),
  "displayName": string,
  "description": string,
  "updateTime": string
}
Fields
name

string

Immutable. Name of the constraint. This is unique within the organization. Format of the name should be

  • organizations/{organizationId}/customConstraints/{custom_constraint_id}

Example: organizations/123/customConstraints/custom.createOnlyE2TypeVms

The max length is 70 characters and the minimum length is 1. Note that the prefix organizations/{organizationId}/customConstraints/ is not counted.

resourceTypes[]

string

Immutable. The resource instance type on which this policy applies. The format is <canonical service name>/<type>. Example:

  • compute.googleapis.com/Instance

methodTypes[]

enum (MethodType)

All the operations to which this constraint applies.

condition

string

Org policy condition/expression. For example: resource.instanceName.matches("[production|test]_.*_(\d)+") or, resource.management.auto_upgrade == true

The max length of the condition is 1000 characters.

actionType

enum (ActionType)

Allow or deny type.

displayName

string

One line display name for the UI. The max length of the displayName is 200 characters.

description

string

Detailed information about this custom policy constraint. The max length of the description is 2000 characters.

updateTime

string (Timestamp format)

Output only. The last time this custom constraint was updated. This represents the last time that the customConstraints.create or customConstraints.patch RPC was called.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

MethodType

The operation for which this constraint will be applied. To apply this constraint only when creating new VMs, the methodTypes should be CREATE only. To apply this constraint when creating or deleting VMs, the methodTypes should be CREATE and DELETE.

UPDATE-only custom constraints are not supported. Use CREATE, or CREATE and UPDATE.

Enums
METHOD_TYPE_UNSPECIFIED Unspecified. Results in an error.
CREATE Constraint applied when creating the resource.
UPDATE Constraint applied when updating the resource.
DELETE Constraint applied when deleting the resource. Not supported yet.
REMOVE_GRANT Constraint applied when removing an IAM grant.
GOVERN_TAGS Constraint applied when enforcing forced tagging.

ActionType

Allow or deny type.

Enums
ACTION_TYPE_UNSPECIFIED Unspecified. Results in an error.
ALLOW Allowed action type.
DENY Deny action type.
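
Added example (not part of the API reference or Google's own code): a client-side check of a CustomConstraint body against the limits and enum rules stated on this page, useful in CI before calling customConstraints.create. The function name lint_custom_constraint and the SAMPLE body are assumptions made for illustration.

```python
import re

# Limits and enum values are the ones stated in the field descriptions on this page.
NAME_RE = re.compile(r"^organizations/([^/]+)/customConstraints/([^/]+)$")
METHOD_TYPES = {"CREATE", "UPDATE", "DELETE", "REMOVE_GRANT", "GOVERN_TAGS"}
ACTION_TYPES = {"ALLOW", "DENY"}
MAX_LEN = {"condition": 1000, "displayName": 200, "description": 2000}

def lint_custom_constraint(body):
    """Return a list of problems found in a CustomConstraint request body (dict)."""
    problems = []
    m = NAME_RE.match(body.get("name", ""))
    if not m:
        problems.append("name: expected organizations/{organizationId}/customConstraints/{custom_constraint_id}")
    elif not 1 <= len(m.group(2)) <= 70:  # the prefix is not counted
        problems.append("name: constraint id must be 1 to 70 characters")
    for rt in body.get("resourceTypes", []):
        service, _, rtype = rt.partition("/")
        if not service or not rtype or "/" in rtype:
            problems.append(f"resourceTypes: {rt!r} is not <canonical service name>/<type>")
    methods = body.get("methodTypes", [])
    for mt in methods:
        if mt not in METHOD_TYPES:  # covers METHOD_TYPE_UNSPECIFIED
            problems.append(f"methodTypes: {mt!r} results in an error")
    if set(methods) == {"UPDATE"}:
        problems.append("methodTypes: UPDATE-only is not supported; add CREATE")
    if "DELETE" in methods:
        problems.append("methodTypes: DELETE is listed as not supported yet")
    if body.get("actionType") not in ACTION_TYPES:  # covers ACTION_TYPE_UNSPECIFIED
        problems.append("actionType: must be ALLOW or DENY")
    for field, limit in MAX_LEN.items():
        if len(body.get(field, "")) > limit:
            problems.append(f"{field}: longer than {limit} characters")
    if "updateTime" in body:
        problems.append("updateTime: output only; set by the server")
    return problems

# Constructed sample body, deliberately flawed (UPDATE-only, updateTime supplied).
# Values are copied from this page's examples, not checked as a meaningful policy.
SAMPLE = {
    "name": "organizations/123/customConstraints/custom.createOnlyE2TypeVms",
    "resourceTypes": ["compute.googleapis.com/Instance"],
    "methodTypes": ["UPDATE"],
    "condition": "resource.management.auto_upgrade == true",
    "actionType": "ALLOW",
    "updateTime": "2014-10-02T15:01:23Z",
}

if __name__ == "__main__":
    print("\n".join(lint_custom_constraint(SAMPLE)))
```

An empty list means the body passes these local checks only; the service still evaluates the condition expression and may reject it.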