Stay organized with collections
Save and categorize content based on your preferences.
As an organization administrator, you need to define policies that developers adhere to when applying infrastructure as code. Your organization's set of policies is represented as a policy library. This page helps you create a centralized policy repository and add constraints.
Before you begin
You need an empty Git repository for storing your organization's policy library.
You need to configure Git to connect securely. For example, if your git repository is on GitHub, you can follow the process outlined in Connecting to GitHub with SSH.
Duplicate the sample library
Google provides a sample repository that includes a set of pre-defined constraint templates which you can modify for your personal use.
Clone the policy library sample repository and duplicate it to your POLICY_LIBRARY_REPO:
git clone https://github.com/GoogleCloudPlatform/policy-library.git
cd policy-library
git remote set-url origin POLICY_LIBRARY_REPO
git push origin main
Examine the available constraint templates in policies/templates:
ls policies/templates
Select the constraint templates you want to use. For this example, choose gcp_storage_location_v1.yaml, which enforces location for Cloud Storage buckets.
Create constraint YAML files corresponding to those templates under policies/constraints.
From inside your local copy of the policy-library repository, use the following commands to commit and push your changes:
gitadd--all.gitcommit-m"Initial commit of policy library constraints"gitpush-uoriginmain
Library structure
A policy library repository contains the following directories:
policies/ – This directory contains two subdirectories:
constraints/ – This directory is initially empty. Place your constraint files here.
templates/ – This directory contains pre-defined constraint templates.
validator/ – This directory contains the .rego files and their associated unit tests. You don't need to touch this directory unless you intend to modify existing constraint templates or create new ones. Running make build inlines the Rego content in the corresponding constraint template files.
Periodic updates
Periodically you should pull any changes from the public repository, which might contain new templates and Rego files.
The policy library contains a number of constraint templates and a samples
folder with example constraints. Read
Create Terraform constraints
or
Create CAI constraints
for details on how to write and use constraint templates and constraints.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis page guides organization administrators on setting up a centralized policy repository, represented as a policy library, to define policies for developers using infrastructure as code.\u003c/p\u003e\n"],["\u003cp\u003eA pre-existing Git repository is required to store the policy library, and secure Git configuration is necessary for connection, which can be established by following the Github SSH process.\u003c/p\u003e\n"],["\u003cp\u003eA sample policy library from Google is provided, containing predefined constraint templates that can be duplicated, modified, and added to the organization's policy library.\u003c/p\u003e\n"],["\u003cp\u003eThe policy library repository has a specific structure with \u003ccode\u003epolicies/\u003c/code\u003e directory containing \u003ccode\u003econstraints/\u003c/code\u003e and \u003ccode\u003etemplates/\u003c/code\u003e subdirectories and a \u003ccode\u003evalidator/\u003c/code\u003e directory for Rego files, while periodic updates from the public repository should be made.\u003c/p\u003e\n"],["\u003cp\u003ePre-GA products and features from the provided content, such as this product, are available "as is" and may have limited support, as well as being subject to the Pre-GA Offerings Terms in the General Service Terms section.\u003c/p\u003e\n"]]],[],null,["# Create a policy library\n\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nAs an organization administrator, you need to define policies that developers adhere to when applying infrastructure as code. Your organization's set of policies is represented as a policy library. This page helps you create a centralized policy repository and add constraints.\n\nBefore you begin\n----------------\n\n- You need an empty Git repository for storing your organization's policy library.\n- You need to configure Git to connect securely. For example, if your git repository is on GitHub, you can follow the process outlined in [Connecting to GitHub with SSH](https://docs.github.com/en/authentication/connecting-to-github-with-ssh).\n\nDuplicate the sample library\n----------------------------\n\nGoogle provides a sample repository that includes a set of pre-defined constraint templates which you can modify for your personal use.\n\n1. Clone the policy library sample repository and duplicate it to your \u003cvar translate=\"no\"\u003ePOLICY_LIBRARY_REPO\u003c/var\u003e:\n\n ```\n git clone https://github.com/GoogleCloudPlatform/policy-library.git\n cd policy-library\n git remote set-url origin POLICY_LIBRARY_REPO\n git push origin main\n ```\n2. Examine the available constraint templates in `policies/templates`:\n `ls policies/templates`\n\n3. Select the constraint templates you want to use. For this example, choose `gcp_storage_location_v1.yaml`, which enforces location for Cloud Storage buckets.\n\n4. Create constraint YAML files corresponding to those templates under `policies/constraints`.\n\n5. From inside your local copy of the `policy-library` repository, use the following commands to commit and push your changes:\n\n git add --all .\n git commit -m \"Initial commit of policy library constraints\"\n git push -u origin main\n\n### Library structure\n\nA policy library repository contains the following directories:\n\n- `policies/` -- This directory contains two subdirectories:\n\n - `constraints/` -- This directory is initially empty. Place your constraint files here.\n - `templates/` -- This directory contains pre-defined constraint templates.\n- `validator/` -- This directory contains the `.rego` files and their associated unit tests. You don't need to touch this directory unless you intend to modify existing constraint templates or create new ones. Running `make build` inlines the Rego content in the corresponding constraint template files.\n\nPeriodic updates\n----------------\n\nPeriodically you should pull any changes from the public repository, which might contain new templates and Rego files. \n\n git remote add public https://github.com/GoogleCloudPlatform/policy-library.git\n git pull public main\n git push origin main\n\nNext steps\n----------\n\nThe policy library contains a number of constraint templates and a `samples`\nfolder with example constraints. Read\n[Create Terraform constraints](/docs/terraform/policy-validation/create-terraform-constraints)\nor\n[Create CAI constraints](/docs/terraform/policy-validation/create-cai-constraints)\nfor details on how to write and use constraint templates and constraints."]]
