Creating and managing custom organization policies

Google Cloud Organization Policy gives you centralized, programmatic control over your organization's resources. As the organization policy administrator, you can define an organization policy, which is a set of restrictions called constraints that apply to Google Cloud resources and descendants of those resources in the Google Cloud resource hierarchy. You can enforce organization policies at the organization, folder, or project level.

Organization Policy provides predefined constraints for various Google Cloud services. However, if you want greater control from your organization policies, you can create custom organization policies.

This page describes how to view, create, and manage custom organization policies. Custom organization policies are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.

Before you begin

For more information about what organization policies and constraints are and how they work, see the Introduction to the Organization Policy Service.

Required roles

To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access.

This predefined role contains the permissions required to manage organization policies. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to manage organization policies:

  • orgpolicy.constraints.list
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

You might also be able to get these permissions with custom roles or other predefined roles.

Custom constraints

A custom constraint is created in a YAML file which specifies the resources, methods, conditions, and actions that are subject to the constraint. These are specific to the service on which you're enforcing the organization policy. The conditions for your custom constraint are defined using Common Expression Language (CEL).

Set up a custom constraint

You can create a custom constraint and set it up for use in organization policies using the Google Cloud console or Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. Select the project picker at the top of the page.

  3. From the project picker, select the resource for which you want to set the organization policy.

  4. Click Custom constraint.

  5. In the Display name box, enter a human-friendly name for the constraint. This field has a maximum length of 200 characters. Don't use PII or sensitive data in constraint names, because they could be exposed in error messages.

  6. In the Constraint ID box, enter the name you want for your new custom constraint. A custom constraint must start with custom., and can only include uppercase letters, lowercase letters, or numbers, for example, custom.disableGkeAutoUpgrade. The maximum length of this field is 70 characters, not counting the prefix, for example, organizations/123456789/customConstraints/custom..

  7. In the Description box, enter a human-friendly description of the constraint to display as an error message when the policy is violated. This field has a maximum length of 2000 characters.

  8. In the Resource type box, select the name of the Google Cloud REST resource containing the object and field you want to restrict—for example, container.googleapis.com/NodePool. There is a maximum of 20 custom constraints per resource type. If you try to create a custom constraint for a resource type that already has 20 custom constraints, the operation fails.

  9. Under Enforcement method, select whether to enforce the constraint on a REST CREATE method, or on both CREATE and UPDATE methods. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.

  10. To define a condition, click Edit condition.

    1. In the Add condition panel, create a CEL condition that refers to a supported service resource, for example resource.management.autoUpgrade == false. This field has a maximum length of 1000 characters. For details about CEL usage, see Common Expression Language. For more information about the service resources you can use in your custom constraints, see Custom constraint supported services.

    2. Click Save.

  11. Under Action, select whether to allow or deny the evaluated method if the above condition is met.

    The deny action means that the operation to create or update the resource is blocked if the condition evaluates to true.

    The allow action means that the operation to create or update the resource is permitted only if the condition evaluates to true. Every other case except ones explicitly listed in the condition is blocked.

  12. Click Create constraint.

When you have entered a value into each field, the equivalent YAML configuration for this custom constraint appears on the right.

gcloud

To create a custom constraint using the Google Cloud CLI, create a YAML file for the custom constraint:

name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
resourceTypes:
- RESOURCE_NAME
methodTypes:
- METHOD1
- METHOD2
condition: "CONDITION"
actionType: ACTION
displayName: DISPLAY_NAME
description: DESCRIPTION

Replace the following:

  • ORGANIZATION_ID: your organization ID, such as 123456789.

  • CONSTRAINT_NAME: the name you want for your new custom constraint. A custom constraint must start with custom., and can only include uppercase letters, lowercase letters, or numbers, for example, custom.disableGkeAutoUpgrade. The maximum length of this field is 70 characters, not counting the prefix, for example, organizations/123456789/customConstraints/custom..

  • RESOURCE_NAME: the fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, container.googleapis.com/NodePool. There is a maximum of 20 custom constraints per resource type. If you try to create a custom constraint for a resource type that already has 20 custom constraints, the operation fails. For more information about the service resources you can use in your custom constraints, see Custom constraint supported services.

  • METHOD1,METHOD2: a list of RESTful methods for which to enforce the constraint. Can be CREATE or CREATE and UPDATE. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.

  • CONDITION: a CEL condition that refers to a supported service resource, for example "resource.management.autoUpgrade == false". This field has a maximum length of 1000 characters. For details about CEL usage, see Common Expression Language.

  • ACTION: the action to take if the condition is met. This can be either ALLOW or DENY.

    The deny action means that if the condition evaluates to true, the operation to create or update the resource is blocked.

    The allow action means that if the condition evaluates to true, the operation to create or update the resource is permitted. This also means that every other case except the one explicitly listed in the condition is blocked.

  • DISPLAY_NAME: a human-friendly name for the constraint. This field has a maximum length of 200 characters.

  • DESCRIPTION: a human-friendly description of the constraint to display as an error message when the policy is violated. This field has a maximum length of 2000 characters.

After you have created a new custom constraint using the Google Cloud CLI, you must set it up to make it available for organization policies in your organization. To set up a custom constraint, use the gcloud org-policies set-custom-constraint command:

gcloud org-policies set-custom-constraint CONSTRAINT_PATH
Replace CONSTRAINT_PATH with the full path to your custom constraint file. For example, /home/user/customconstraint.yaml. Once completed, you will find your custom constraints as available organization policies in your list of Google Cloud organization policies. To verify that the custom constraint exists, use the gcloud org-policies list-custom-constraints command:
gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
Replace ORGANIZATION_ID with the ID of your organization resource. For more information, see Viewing organization policies.

Update a custom constraint

You can update a custom constraint by editing the constraint in the Google Cloud console, or by creating a new YAML file and using the set-custom-constraint gcloud CLI command again. There is no versioning of custom constraints, so this overwrites the existing custom constraint. If the custom constraint is already enforced, the updated custom constraint takes effect immediately.

Console

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. Select the project picker at the top of the page.

  3. From the project picker, select the resource for which you want to update the organization policy.

  4. Select the constraint you want to edit from the list on the Organization policies page. The Policy details page for that constraint should appear.

  5. Click Edit constraint.

  6. Make changes to the display name, description, enforcement method, condition, and action. You can't change the constraint ID or resource type once the constraint is created.

  7. Click Save changes.

gcloud

To edit an existing custom constraint using Google Cloud CLI, create a new YAML file containing the changes you want to make:

name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
resourceTypes:
- RESOURCE_NAME
methodTypes:
- METHOD1
- METHOD2
condition: "CONDITION"
actionType: ACTION
displayName: DISPLAY_NAME
description: DESCRIPTION

Replace the following:

  • ORGANIZATION_ID: your organization ID, such as 123456789.

  • CONSTRAINT_NAME: the name you want for your new custom constraint. A custom constraint must start with custom., and can only include uppercase letters, lowercase letters, or numbers, for example, custom.disableGkeAutoUpgrade. The maximum length of this field is 70 characters, not counting the prefix, for example, organizations/123456789/customConstraints/custom..

  • RESOURCE_NAME: the fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, container.googleapis.com/NodePool. For more information about the service resources you can use in your custom constraints, see Custom constraint supported services.

  • METHOD1,METHOD2: a list of RESTful methods for which to enforce the constraint. Can be CREATE or CREATE and UPDATE. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.

  • CONDITION: a CEL condition that refers to a supported service resource, for example "resource.management.autoUpgrade == false". This field has a maximum length of 1000 characters. For details about CEL usage, see Common Expression Language.

  • ACTION: the action to take if the condition is met. This can be either ALLOW or DENY.

  • DISPLAY_NAME: a human-friendly name for the constraint. This field has a maximum length of 200 characters.

  • DESCRIPTION: a human-friendly description of the constraint to display as an error message when the policy is violated. This field has a maximum length of 2000 characters.

After you have created a new custom constraint using the Google Cloud CLI, you must set it up to make it available for organization policies in your organization. To set up a custom constraint, use the gcloud org-policies set-custom-constraint command:

gcloud org-policies set-custom-constraint CONSTRAINT_PATH
Replace CONSTRAINT_PATH with the full path to your custom constraint file. For example, /home/user/customconstraint.yaml. Once completed, you will find your custom constraints as available organization policies in your list of Google Cloud organization policies. To verify that the custom constraint exists, use the gcloud org-policies list-custom-constraints command:
gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
Replace ORGANIZATION_ID with the ID of your organization resource. For more information, see Viewing organization policies.

Delete a custom constraint

You can delete a custom constraint using the Google Cloud console or the Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. Select the project picker at the top of the page.

  3. From the project picker, select the resource for which you want to delete the organization policy.

  4. Select the constraint you want to delete from the list on the Organization policies page. The Policy details page for that constraint should appear.

  5. Click Delete.

  6. To confirm you want to delete the constraint, click Delete.

gcloud

To delete a custom constraint, use the org-policies delete-custom-constraint gcloud CLI command:

gcloud org-policies delete-custom-constraint custom.CONSTRAINT_NAME \
  --organization=ORGANIZATION_ID

Replace the following:

  • ORGANIZATION_ID: your organization ID, such as 123456789.

  • CONSTRAINT_NAME: the name of your custom constraint. For example, custom.disableGkeAutoUpgrade.

The output is similar to the following:

Deleted custom constraint [organizations/123456789/customConstraints/custom.disableGkeAutoUpgrade]

If you delete a custom constraint, any policies that have been created using that constraint continue to exist, but are ignored. You can't create another custom constraint with the same name as a deleted custom constraint.

Test and analyze organization policy changes

We recommend that you test and dry-run all changes to your organization policies, to better understand the state of your environment and how changes affect it.

Policy Simulator for Organization Policy helps you understand the effect of a constraint and organization policy on your current environment. Using this tool, you can review all resource configurations to see where violations occur, before it is enforced on your production environment. For detailed instructions, see Test organization policy changes with Policy Simulator.

When you understand the current effect, you can create an organization policy in dry-run mode to understand the impact and potential violations of a policy over the next 30 days. An organization policy in dry-run mode is a type of organization policy where violations of the policy are audit-logged, but the violating actions aren't denied. You can create an organization policy in dry-run mode from a custom constraint using the Google Cloud console or Google Cloud CLI. For detailed instructions, see Create an organization policy in dry-run mode.

Enforce a custom organization policy

Once a custom constraint has been set up, it operates identically to predefined boolean constraints. Google Cloud checks custom constraints first when evaluating if a user request is allowed. If any of the custom organization policies deny the request, the request is rejected. Then, Google Cloud checks for predefined organization policies enforced on that resource.

You can enforce a boolean constraint by creating an organization policy that references it, and applying that organization policy to a Google Cloud resource.

Console

To enforce a boolean constraint:

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. Select the project picker at the top of the page.
  3. From the project picker, select the project for which you want to set the organization policy.
  4. Select your constraint from the list on the Organization policies page. The Policy details page for that constraint should appear.
  5. To configure the organization policy for this resource, click Manage policy.
  6. On the Edit policy page, select Override parent's policy.
  7. Click Add a rule.
  8. Under Enforcement, select whether enforcement of this organization policy should be on or off.
  9. Optionally, to make the organization policy conditional on a tag, click Add condition. Note that if you add a conditional rule to an organization policy, you must add at least one unconditional rule or the policy cannot be saved. For more details, see Setting an organization policy with tags.
  10. If this is a custom constraint, you can click Test changes to simulate the effect of this organization policy. For more information, see Test organization policy changes with Policy Simulator.
  11. To finish and apply the organization policy, click Set policy. The policy will take up to 15 minutes to take effect.

gcloud

To create an organization policy that enforces a boolean constraint, create a policy YAML file that references the constraint:

      name: projects/PROJECT_ID/policies/CONSTRAINT_NAME
      spec:
        rules:
        - enforce: true
    

Replace the following:

  • PROJECT_ID: the project on which you want to enforce your constraint.
  • CONSTRAINT_NAME: the name you defined for your custom constraint. For example, custom.disableGkeAutoUpgrade.

To enforce the organization policy containing the constraint, run the following command:

    gcloud org-policies set-policy POLICY_PATH
    

Replace POLICY_PATH with the full path to your organization policy YAML file. The policy will take up to 15 minutes to take effect.

Example constraint

You can define custom constraints similar to the predefined constraints provided by Google. A typical custom constraint YAML file looks similar to the following:

name: organizations/1234567890123/customConstraints/custom.disableGkeAutoUpgrade
resourceTypes:
- container.googleapis.com/NodePool
methodTypes:
- CREATE
- UPDATE
condition: "resource.management.autoUpgrade == false"
actionType: ALLOW
displayName: Disable GKE auto upgrade
description: Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.

Common Expression Language

Organization Policy Service uses Common Expression Language (CEL) to evaluate conditions on custom constraints. CEL is an open-source non-Turing complete language that implements common semantics for expression evaluation.

Each service that supports custom constraints makes a particular set of their resources and the fields of these resources available. The available fields are strongly typed, and can be directly referenced by custom constraints.

You can construct CEL conditions that refer to service resource fields based on the type of the field. Organization Policy Service supports a subset of CEL data types, expressions, and macros. The sections below list the available data types and common expressions and macros that work with them.

For details on which expressions and macros are available for each service, see Custom constraint supported services.

The following JSON example shows each of the potential field types you can reference using custom constraints:

{
  integerValue: 1
  stringValue: "A text string"
  booleanValue: true
  nestedValue: {
    nestedStringValue: "Another text string"
  }
  listValue: [foo, bar]
  mapValue["costCenter"] == "123"
}

For every CEL expression, the custom constraint is enforced when the condition evaluates to true. You can combine expressions with and (&&) and or (||) to create a complex query. When creating the YAML or JSON file for your custom constraint, enclose the full query in double quotes (").

Integer

Integer fields, such as integerValue in the example above, allow comparison operators to be used in conditions. For example:

resource.integerValue == 1
resource.integerValue > 5
resource.integerValue < 10

String

String fields, such as stringValue in the example above, can be evaluated using a string literal, a regular expression, or a CEL expression. For example:

resource.stringValue == "abc"
// stringValue is exactly "abc".

resource.stringValue.matches("dev$")
// stringValue matches a regular expression, which specifies the string ends
// with the word "dev".

resource.stringValue.startsWith("startValue")
// stringValue starts with "startValue".

resource.stringValue.endsWith("endValue")
// stringValue ends with "endValue".

resource.stringValue.contains("fooBar")
// stringValue contains "fooBar".

Nested fields, such as nestedStringValue in the example above, must be referenced with the full path. For example:

resource.nestedValue.nestedStringValue == "foo"
// nestedValue contains the object nestedStringValue, which has a value of "foo".

Boolean

Boolean fields, such as booleanValue in the example above, contain a boolean value, either true or false.

List

List fields, such as listValue in the example above, can be evaluated by the size of the list, the contents of the list, and whether a particular element exists anywhere within the list.

For example:

resource.listValue.size() >= 1 && resource.listValue[0] == "bar"
// listValue has size greater than or equal to one, and the first element is "bar".

resource.listValue.exists(value, value == "foo")
// listValue has at least one element that is exactly "foo".

resource.listValue.all(value, value.contains("foo"))
// listValue is a list of values that are all exactly "foo".

Map

Map fields, such as mapValue in the example above, are key-value pairs that can be evaluated based on the existence and value of particular elements.

For example:

has(resource.mapValue.foo) && resource.mapValue.foo == "bar"
// mapValue contains the key "foo", and that key has the value "bar".

Troubleshooting CEL errors

A condition that is created with invalid expressions or type mismatches returns an error when you attempt to set up the custom constraint. For example, given the following invalid custom constraint, which compares a string with an integer:

name: organizations/1234567890123/customConstraints/custom.badConfig
resourceTypes:
- dataproc.googleapis.com/Cluster
methodTypes:
- CREATE
- UPDATE
condition: "resource.config.masterConfig.numInstances == 'mismatch'"
actionType: ALLOW
displayName: Number of instances is a string
description: Demonstrate that type mismatches cause an error.

An error is produced if you try to set up that constraint using the Google Cloud CLI:

ERROR: (gcloud.org-policies.set-custom-constraint) INVALID_ARGUMENT: Custom constraint condition [resource.config.masterConfig.numInstances == "mismatch"] is invalid. Error: ERROR: <input>:1:15: found no matching overload for '_==_' applied to '(int, string)' (candidates: (%A0, %A0))
 | resource.config.masterConfig.numInstances == "mismatch"
 | ..........................................^.

In the Google Cloud console, invalid CEL syntax errors will be flagged with an Error icon. Highlighting this icon displays a tooltip containing more information about the syntax error.

Organization Policy Service compiles and validates conditions that you create, returning an error if the condition is not syntactically correct. However, there are certain conditions which compile, but results in an error when Google Cloud attempts to enforce the constraints. For example, if you set up a constraint with a condition that tries to access a list index or map key that does not exist, the constraint fails and returns an error at the time of enforcement, and blocks any attempt to create the resource.

When creating conditions that depend on list or map elements, we recommend starting the condition with a check that ensures the condition is valid in all cases. For example, check list.size() before referencing a particular list element or use has() before referencing a map element.

Supported services

Each service defines the set of custom constraint fields that can be used to enforce organization policies on their service resources. For a list of services that support custom constraints, see Custom constraint supported services.

For more information about setting up an organization policy scanner, see Organization Policy vulnerability findings.

What's next