docs: update generated docs (#1053)

Updates for both discovery docs and epydoc API Documentation

Fixes: #1049
diff --git a/docs/dyn/cloudresourcemanager_v1.folders.html b/docs/dyn/cloudresourcemanager_v1.folders.html
index 0445c6f..7f911b0 100644
--- a/docs/dyn/cloudresourcemanager_v1.folders.html
+++ b/docs/dyn/cloudresourcemanager_v1.folders.html
@@ -78,11 +78,14 @@
   <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body=None, x__xgafv=None)</a></code></p>
 <p class="firstline">Clears a `Policy` from a resource.</p>
 <p class="toc_element">
+  <code><a href="#close">close()</a></code></p>
+<p class="firstline">Close httplib2 connections.</p>
+<p class="toc_element">
   <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p>
+<p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging `Policies` in the resource hierarchy. The returned `Policy` will not have an `etag`set because it is a computed `Policy` across multiple resources. Subtrees of Resource Manager resource hierarchy with 'under:' prefix will not be expanded.</p>
 <p class="toc_element">
   <code><a href="#getOrgPolicy">getOrgPolicy(resource, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">Gets a `Policy` on a resource.</p>
+<p class="firstline">Gets a `Policy` on a resource. If no `Policy` is set on the resource, a `Policy` is returned with default values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The `etag` value can be used with `SetOrgPolicy()` to create or update a `Policy` during read-modify-write.</p>
 <p class="toc_element">
   <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body=None, x__xgafv=None)</a></code></p>
 <p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p>
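Review bot: the `firstline` entries for getEffectiveOrgPolicy and getOrgPolicy now hold the whole method description instead of a one-sentence summary, so the table of contents repeats the Method Details text. Consider cutting the summary at the first sentence in the generator. The missing space in "`etag`set" is also carried into the getEffectiveOrgPolicy line from the source description and is worth reporting upstream.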
@@ -97,7 +100,7 @@
 <p class="firstline">Retrieves the next page of results.</p>
 <p class="toc_element">
   <code><a href="#setOrgPolicy">setOrgPolicy(resource, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p>
+<p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for that `Constraint` on the resource if one does not exist. Not supplying an `etag` on the request `Policy` results in an unconditional write of the `Policy`.</p>
 <h3>Method Details</h3>
 <div class="method">
     <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body=None, x__xgafv=None)</code>
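Review bot: the new setOrgPolicy summary warns that omitting `etag` results in an unconditional write, but this entry does not say where a caller gets the `etag`. The getOrgPolicy summary earlier in this file names the read-modify-write pairing. A pointer to getOrgPolicy in this line would make the safe call sequence visible to someone who reads only the setOrgPolicy entry.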
@@ -109,9 +112,8 @@
     The object takes the form of:
 
 { # The request sent to the ClearOrgPolicy method.
+    &quot;etag&quot;: &quot;A String&quot;, # The current version, for concurrency control. Not sending an `etag` will cause the `Policy` to be cleared blindly.
     &quot;constraint&quot;: &quot;A String&quot;, # Name of the `Constraint` of the `Policy` to clear.
-    &quot;etag&quot;: &quot;A String&quot;, # The current version, for concurrency control. Not sending an `etag`
-        # will cause the `Policy` to be cleared blindly.
   }
 
   x__xgafv: string, V1 error format.
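Review bot: in the ClearOrgPolicy request body the `etag` and `constraint` keys swap places while their content is unchanged apart from the comment being joined onto one line. If the generator's key order is not stable, every regeneration will produce reordering churn like this and hide real changes. Emitting keys in a fixed (for example sorted) order would keep later doc updates reviewable.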
@@ -122,25 +124,18 @@
 Returns:
   An object of the form:
 
-    { # A generic empty message that you can re-use to avoid defining duplicated
-      # empty messages in your APIs. A typical example is to use it as the request
-      # or the response type of an API method. For instance:
-      #
-      #     service Foo {
-      #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
-      #     }
-      #
-      # The JSON representation for `Empty` is empty JSON object `{}`.
+    { # A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The JSON representation for `Empty` is empty JSON object `{}`.
   }</pre>
 </div>
 
 <div class="method">
+    <code class="details" id="close">close()</code>
+  <pre>Close httplib2 connections.</pre>
+</div>
+
+<div class="method">
     <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body=None, x__xgafv=None)</code>
-  <pre>Gets the effective `Policy` on a resource. This is the result of merging
-`Policies` in the resource hierarchy. The returned `Policy` will not have
-an `etag`set because it is a computed `Policy` across multiple resources.
-Subtrees of Resource Manager resource hierarchy with &#x27;under:&#x27; prefix will
-not be expanded.
+  <pre>Gets the effective `Policy` on a resource. This is the result of merging `Policies` in the resource hierarchy. The returned `Policy` will not have an `etag`set because it is a computed `Policy` across multiple resources. Subtrees of Resource Manager resource hierarchy with &#x27;under:&#x27; prefix will not be expanded.
 
 Args:
   resource: string, The name of the resource to start computing the effective `Policy`. (required)
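Review bot: the `Empty` message comment now runs the proto sample into the prose ("For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The JSON representation ..."), which is hard to read inside a `<pre>` block. Preserving line breaks for indented code samples in descriptions would avoid this. Separately, the added close() entry says only "Close httplib2 connections."; a sentence on whether the service object can be used after close() would help callers.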
@@ -159,240 +154,33 @@
 Returns:
   An object of the form:
 
-    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
-      # for configurations of Cloud Platform resources.
-    &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
-        # resource.
-      &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
-          # configuration is acceptable.
-          #
-          # Suppose you have a `Constraint`
-          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
-          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
-          # behavior:
-          #   - If the `Policy` at this resource has enforced set to `false`, serial
-          #     port connection attempts will be allowed.
-          #   - If the `Policy` at this resource has enforced set to `true`, serial
-          #     port connection attempts will be refused.
-          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
-          #     connection attempts will be allowed.
-          #   - If no `Policy` is set at this resource or anywhere higher in the
-          #     resource hierarchy, serial port connection attempts will be allowed.
-          #   - If no `Policy` is set at this resource, but one exists higher in the
-          #     resource hierarchy, the behavior is as if the`Policy` were set at
-          #     this resource.
-          #
-          # The following examples demonstrate the different possible layerings:
-          #
-          # Example 1 (nearest `Constraint` wins):
-          #   `organizations/foo` has a `Policy` with:
-          #     {enforced: false}
-          #   `projects/bar` has no `Policy` set.
-          # The constraint at `projects/bar` and `organizations/foo` will not be
-          # enforced.
-          #
-          # Example 2 (enforcement gets replaced):
-          #   `organizations/foo` has a `Policy` with:
-          #     {enforced: false}
-          #   `projects/bar` has a `Policy` with:
-          #     {enforced: true}
-          # The constraint at `organizations/foo` is not enforced.
-          # The constraint at `projects/bar` is enforced.
-          #
-          # Example 3 (RestoreDefault):
-          #   `organizations/foo` has a `Policy` with:
-          #     {enforced: true}
-          #   `projects/bar` has a `Policy` with:
-          #     {RestoreDefault: {}}
-          # The constraint at `organizations/foo` is enforced.
-          # The constraint at `projects/bar` is not enforced, because
-          # `constraint_default` for the `Constraint` is `ALLOW`.
+    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` for configurations of Cloud Platform resources.
+    &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this resource. # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+      &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any configuration is acceptable. Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` with `constraint_default` set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following behavior: - If the `Policy` at this resource has enforced set to `false`, serial port connection attempts will be allowed. - If the `Policy` at this resource has enforced set to `true`, serial port connection attempts will be refused. - If the `Policy` at this resource is `RestoreDefault`, serial port connection attempts will be allowed. - If no `Policy` is set at this resource or anywhere higher in the resource hierarchy, serial port connection attempts will be allowed. - If no `Policy` is set at this resource, but one exists higher in the resource hierarchy, the behavior is as if the`Policy` were set at this resource. The following examples demonstrate the different possible layerings: Example 1 (nearest `Constraint` wins): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has no `Policy` set. The constraint at `projects/bar` and `organizations/foo` will not be enforced. Example 2 (enforcement gets replaced): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has a `Policy` with: {enforced: true} The constraint at `organizations/foo` is not enforced. The constraint at `projects/bar` is enforced. Example 3 (RestoreDefault): `organizations/foo` has a `Policy` with: {enforced: true} `projects/bar` has a `Policy` with: {RestoreDefault: {}} The constraint at `organizations/foo` is enforced. The constraint at `projects/bar` is not enforced, because `constraint_default` for the `Constraint` is `ALLOW`.
     },
-    &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
-        # `Constraint` type.
-        # `constraint_default` enforcement behavior of the specific `Constraint` at
-        # this resource.
-        #
-        # Suppose that `constraint_default` is set to `ALLOW` for the
-        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
-        # foo.com sets a `Policy` at their Organization resource node that restricts
-        # the allowed service activations to deny all service activations. They
-        # could then set a `Policy` with the `policy_type` `restore_default` on
-        # several experimental projects, restoring the `constraint_default`
-        # enforcement of the `Constraint` for only those projects, allowing those
-        # projects to have all services activated.
+    &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific `Constraint` at this resource. Suppose that `constraint_default` is set to `ALLOW` for the `Constraint` `constraints/serviceuser.services`. Suppose that organization foo.com sets a `Policy` at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a `Policy` with the `policy_type` `restore_default` on several experimental projects, restoring the `constraint_default` enforcement of the `Constraint` for only those projects, allowing those projects to have all services activated. # Restores the default behavior of the constraint; independent of `Constraint` type.
     },
-    &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the
-        # server, not specified by the caller, and represents the last time a call to
-        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
-        # be ignored.
+    &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for concurrency control. When the `Policy` is returned from either a `GetPolicy` or a `ListOrgPolicy` request, this `etag` indicates the version of the current `Policy` to use when executing a read-modify-write loop. When the `Policy` is returned from a `GetEffectivePolicy` request, the `etag` will be unset. When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value that was returned from a `GetOrgPolicy` request as part of a read-modify-write loop for concurrency control. Not setting the `etag`in a `SetOrgPolicy` request will result in an unconditional write of the `Policy`.
+    &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example, `constraints/serviceuser.services`. A [list of available constraints](/resource-manager/docs/organization-policy/org-policy-constraints) is available. Immutable after creation.
     &quot;version&quot;: 42, # Version of the `Policy`. Default version is 0;
-    &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for
-        # concurrency control.
-        #
-        # When the `Policy` is returned from either a `GetPolicy` or a
-        # `ListOrgPolicy` request, this `etag` indicates the version of the current
-        # `Policy` to use when executing a read-modify-write loop.
-        #
-        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
-        # `etag` will be unset.
-        #
-        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
-        # that was returned from a `GetOrgPolicy` request as part of a
-        # read-modify-write loop for concurrency control. Not setting the `etag`in a
-        # `SetOrgPolicy` request will result in an unconditional write of the
-        # `Policy`.
-    &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example,
-        # `constraints/serviceuser.services`.
-        #
-        # A [list of available
-        # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
-        # is available.
-        #
-        # Immutable after creation.
-    &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
-        # resource.
-        #
-        # `ListPolicy` can define specific values and subtrees of Cloud Resource
-        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
-        # are allowed or denied by setting the `allowed_values` and `denied_values`
-        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
-        # The `under:` prefix is used to denote resource subtree values.
-        # The `is:` prefix is used to denote specific values, and is required only
-        # if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the
-        # same as values with no prefix.
-        # Ancestry subtrees must be in one of the following formats:
-        #     - &quot;projects/&lt;project-id&gt;&quot;, e.g. &quot;projects/tokyo-rain-123&quot;
-        #     - &quot;folders/&lt;folder-id&gt;&quot;, e.g. &quot;folders/1234&quot;
-        #     - &quot;organizations/&lt;organization-id&gt;&quot;, e.g. &quot;organizations/1234&quot;
-        # The `supports_under` field of the associated `Constraint`  defines whether
-        # ancestry prefixes can be used. You can set `allowed_values` and
-        # `denied_values` in the same `Policy` if `all_values` is
-        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
-        # values. If `all_values` is set to either `ALLOW` or `DENY`,
-        # `allowed_values` and `denied_values` must be unset.
+    &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to `SetOrgPolicy` was made for that `Policy`. Any value set by the client will be ignored.
+    &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this resource. `ListPolicy` can define specific values and subtrees of Cloud Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied by setting the `allowed_values` and `denied_values` fields. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - &quot;projects/&quot;, e.g. &quot;projects/tokyo-rain-123&quot; - &quot;folders/&quot;, e.g. &quot;folders/1234&quot; - &quot;organizations/&quot;, e.g. &quot;organizations/1234&quot; The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. You can set `allowed_values` and `denied_values` in the same `Policy` if `all_values` is `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all values. If `all_values` is set to either `ALLOW` or `DENY`, `allowed_values` and `denied_values` must be unset. # List of values either allowed or disallowed.
+      &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
+        &quot;A String&quot;,
+      ],
       &quot;allValues&quot;: &quot;A String&quot;, # The policy all_values state.
-      &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values`
-          # is set to `ALL_VALUES_UNSPECIFIED`.
+      &quot;allowedValues&quot;: [ # List of values allowed at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
         &quot;A String&quot;,
       ],
-      &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration
-          # that matches the value specified in this `Policy`. If `suggested_value`
-          # is not set, it will inherit the value specified higher in the hierarchy,
-          # unless `inherit_from_parent` is `false`.
-      &quot;allowedValues&quot;: [ # List of values allowed  at this resource. Can only be set if `all_values`
-          # is set to `ALL_VALUES_UNSPECIFIED`.
-        &quot;A String&quot;,
-      ],
-      &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`.
-          #
-          # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
-          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
-          # set to `true`, then the values from the effective `Policy` of the parent
-          # resource are inherited, meaning the values set in this `Policy` are
-          # added to the values inherited up the hierarchy.
-          #
-          # Setting `Policy` hierarchies that inherit both allowed values and denied
-          # values isn&#x27;t recommended in most circumstances to keep the configuration
-          # simple and understandable. However, it is possible to set a `Policy` with
-          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
-          # In this case, the values that are allowed must be in `allowed_values` and
-          # not present in `denied_values`.
-          #
-          # For example, suppose you have a `Constraint`
-          # `constraints/serviceuser.services`, which has a `constraint_type` of
-          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
-          # Suppose that at the Organization level, a `Policy` is applied that
-          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
-          # `Policy` is applied to a project below the Organization that has
-          # `inherit_from_parent` set to `false` and field all_values set to DENY,
-          # then an attempt to activate any API will be denied.
-          #
-          # The following examples demonstrate different possible layerings for
-          # `projects/bar` parented by `organizations/foo`:
-          #
-          # Example 1 (no inherited values):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-          #   `projects/bar` has `inherit_from_parent` `false` and values:
-          #     {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The accepted values at `projects/bar` are `E3`, and `E4`.
-          #
-          # Example 2 (inherited values):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with values:
-          #     {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
-          #
-          # Example 3 (inheriting both allowed and denied values):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {denied_values: &quot;E1&quot;}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The value accepted at `projects/bar` is `E2`.
-          #
-          # Example 4 (RestoreDefault):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with values:
-          #     {RestoreDefault: {}}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The accepted values at `projects/bar` are either all or none depending on
-          # the value of `constraint_default` (if `ALLOW`, all; if
-          # `DENY`, none).
-          #
-          # Example 5 (no policy inherits parent policy):
-          #   `organizations/foo` has no `Policy` set.
-          #   `projects/bar` has no `Policy` set.
-          # The accepted values at both levels are either all or none depending on
-          # the value of `constraint_default` (if `ALLOW`, all; if
-          # `DENY`, none).
-          #
-          # Example 6 (ListConstraint allowing all):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {all: ALLOW}
-          # The accepted values at `organizations/foo` are `E1`, E2`.
-          # Any value is accepted at `projects/bar`.
-          #
-          # Example 7 (ListConstraint allowing none):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {all: DENY}
-          # The accepted values at `organizations/foo` are `E1`, E2`.
-          # No value is accepted at `projects/bar`.
-          #
-          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
-          # Given the following resource hierarchy
-          #   O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3},
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;under:organizations/O1&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {allowed_values: &quot;under:projects/P3&quot;}
-          #     {denied_values: &quot;under:folders/F2&quot;}
-          # The accepted values at `organizations/foo` are `organizations/O1`,
-          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
-          #   `projects/P3`.
-          # The accepted values at `projects/bar` are `organizations/O1`,
-          #   `folders/F1`, `projects/P1`.
+      &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this `Policy`. If `suggested_value` is not set, it will inherit the value specified higher in the hierarchy, unless `inherit_from_parent` is `false`.
+      &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`. By default, a `ListPolicy` set at a resource supersedes any `Policy` set anywhere up the resource hierarchy. However, if `inherit_from_parent` is set to `true`, then the values from the effective `Policy` of the parent resource are inherited, meaning the values set in this `Policy` are added to the values inherited up the hierarchy. Setting `Policy` hierarchies that inherit both allowed values and denied values isn&#x27;t recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a `Policy` with `allowed_values` set that inherits a `Policy` with `denied_values` set. In this case, the values that are allowed must be in `allowed_values` and not present in `denied_values`. For example, suppose you have a `Constraint` `constraints/serviceuser.services`, which has a `constraint_type` of `list_constraint`, and with `constraint_default` set to `ALLOW`. Suppose that at the Organization level, a `Policy` is applied that restricts the allowed API activations to {`E1`, `E2`}. Then, if a `Policy` is applied to a project below the Organization that has `inherit_from_parent` set to `false` and field all_values set to DENY, then an attempt to activate any API will be denied. The following examples demonstrate different possible layerings for `projects/bar` parented by `organizations/foo`: Example 1 (no inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has `inherit_from_parent` `false` and values: {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E3`, and `E4`. 
Example 2 (inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. Example 3 (inheriting both allowed and denied values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {denied_values: &quot;E1&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The value accepted at `projects/bar` is `E2`. Example 4 (RestoreDefault): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {RestoreDefault: {}} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 5 (no policy inherits parent policy): `organizations/foo` has no `Policy` set. `projects/bar` has no `Policy` set. The accepted values at both levels are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 6 (ListConstraint allowing all): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: ALLOW} The accepted values at `organizations/foo` are `E1`, E2`. Any value is accepted at `projects/bar`. Example 7 (ListConstraint allowing none): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: DENY} The accepted values at `organizations/foo` are `E1`, E2`. No value is accepted at `projects/bar`. 
Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3}, `organizations/foo` has a `Policy` with values: {allowed_values: &quot;under:organizations/O1&quot;} `projects/bar` has a `Policy` with: {allowed_values: &quot;under:projects/P3&quot;} {denied_values: &quot;under:folders/F2&quot;} The accepted values at `organizations/foo` are `organizations/O1`, `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, `projects/P3`. The accepted values at `projects/bar` are `organizations/O1`, `folders/F1`, `projects/P1`.
     },
   }</pre>
 </div>
 
 <div class="method">
     <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body=None, x__xgafv=None)</code>
-  <pre>Gets a `Policy` on a resource.
-
-If no `Policy` is set on the resource, a `Policy` is returned with default
-values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
-`etag` value can be used with `SetOrgPolicy()` to create or update a
-`Policy` during read-modify-write.
+  <pre>Gets a `Policy` on a resource. If no `Policy` is set on the resource, a `Policy` is returned with default values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The `etag` value can be used with `SetOrgPolicy()` to create or update a `Policy` during read-modify-write.
 
 Args:
   resource: string, Name of the resource the `Policy` is set on. (required)
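Review bot: the flattened `listPolicy` comment drops the placeholders from the ancestry formats. The removed lines read "projects/&lt;project-id&gt;", "folders/&lt;folder-id&gt;" and "organizations/&lt;organization-id&gt;", while the added line has "projects/", "folders/" and "organizations/", so the documented format for `under:` values is no longer stated. The escaped angle-bracket text looks to have been stripped during flattening and should be preserved. The same flattening merges the bulleted behaviours and numbered examples of `enforced` and `inheritFromParent` into single paragraphs, which makes the inheritance rules hard to follow.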
@@ -411,228 +199,26 @@
 Returns:
   An object of the form:
 
-    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
-      # for configurations of Cloud Platform resources.
-    &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
-        # resource.
-      &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
-          # configuration is acceptable.
-          #
-          # Suppose you have a `Constraint`
-          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
-          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
-          # behavior:
-          #   - If the `Policy` at this resource has enforced set to `false`, serial
-          #     port connection attempts will be allowed.
-          #   - If the `Policy` at this resource has enforced set to `true`, serial
-          #     port connection attempts will be refused.
-          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
-          #     connection attempts will be allowed.
-          #   - If no `Policy` is set at this resource or anywhere higher in the
-          #     resource hierarchy, serial port connection attempts will be allowed.
-          #   - If no `Policy` is set at this resource, but one exists higher in the
-          #     resource hierarchy, the behavior is as if the`Policy` were set at
-          #     this resource.
-          #
-          # The following examples demonstrate the different possible layerings:
-          #
-          # Example 1 (nearest `Constraint` wins):
-          #   `organizations/foo` has a `Policy` with:
-          #     {enforced: false}
-          #   `projects/bar` has no `Policy` set.
-          # The constraint at `projects/bar` and `organizations/foo` will not be
-          # enforced.
-          #
-          # Example 2 (enforcement gets replaced):
-          #   `organizations/foo` has a `Policy` with:
-          #     {enforced: false}
-          #   `projects/bar` has a `Policy` with:
-          #     {enforced: true}
-          # The constraint at `organizations/foo` is not enforced.
-          # The constraint at `projects/bar` is enforced.
-          #
-          # Example 3 (RestoreDefault):
-          #   `organizations/foo` has a `Policy` with:
-          #     {enforced: true}
-          #   `projects/bar` has a `Policy` with:
-          #     {RestoreDefault: {}}
-          # The constraint at `organizations/foo` is enforced.
-          # The constraint at `projects/bar` is not enforced, because
-          # `constraint_default` for the `Constraint` is `ALLOW`.
+    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` for configurations of Cloud Platform resources.
+    &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this resource. # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+      &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any configuration is acceptable. Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` with `constraint_default` set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following behavior: - If the `Policy` at this resource has enforced set to `false`, serial port connection attempts will be allowed. - If the `Policy` at this resource has enforced set to `true`, serial port connection attempts will be refused. - If the `Policy` at this resource is `RestoreDefault`, serial port connection attempts will be allowed. - If no `Policy` is set at this resource or anywhere higher in the resource hierarchy, serial port connection attempts will be allowed. - If no `Policy` is set at this resource, but one exists higher in the resource hierarchy, the behavior is as if the`Policy` were set at this resource. The following examples demonstrate the different possible layerings: Example 1 (nearest `Constraint` wins): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has no `Policy` set. The constraint at `projects/bar` and `organizations/foo` will not be enforced. Example 2 (enforcement gets replaced): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has a `Policy` with: {enforced: true} The constraint at `organizations/foo` is not enforced. The constraint at `projects/bar` is enforced. Example 3 (RestoreDefault): `organizations/foo` has a `Policy` with: {enforced: true} `projects/bar` has a `Policy` with: {RestoreDefault: {}} The constraint at `organizations/foo` is enforced. The constraint at `projects/bar` is not enforced, because `constraint_default` for the `Constraint` is `ALLOW`.
     },
-    &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
-        # `Constraint` type.
-        # `constraint_default` enforcement behavior of the specific `Constraint` at
-        # this resource.
-        #
-        # Suppose that `constraint_default` is set to `ALLOW` for the
-        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
-        # foo.com sets a `Policy` at their Organization resource node that restricts
-        # the allowed service activations to deny all service activations. They
-        # could then set a `Policy` with the `policy_type` `restore_default` on
-        # several experimental projects, restoring the `constraint_default`
-        # enforcement of the `Constraint` for only those projects, allowing those
-        # projects to have all services activated.
+    &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific `Constraint` at this resource. Suppose that `constraint_default` is set to `ALLOW` for the `Constraint` `constraints/serviceuser.services`. Suppose that organization foo.com sets a `Policy` at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a `Policy` with the `policy_type` `restore_default` on several experimental projects, restoring the `constraint_default` enforcement of the `Constraint` for only those projects, allowing those projects to have all services activated. # Restores the default behavior of the constraint; independent of `Constraint` type.
     },
-    &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the
-        # server, not specified by the caller, and represents the last time a call to
-        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
-        # be ignored.
+    &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for concurrency control. When the `Policy` is returned from either a `GetPolicy` or a `ListOrgPolicy` request, this `etag` indicates the version of the current `Policy` to use when executing a read-modify-write loop. When the `Policy` is returned from a `GetEffectivePolicy` request, the `etag` will be unset. When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value that was returned from a `GetOrgPolicy` request as part of a read-modify-write loop for concurrency control. Not setting the `etag`in a `SetOrgPolicy` request will result in an unconditional write of the `Policy`.
+    &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example, `constraints/serviceuser.services`. A [list of available constraints](/resource-manager/docs/organization-policy/org-policy-constraints) is available. Immutable after creation.
     &quot;version&quot;: 42, # Version of the `Policy`. Default version is 0;
-    &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for
-        # concurrency control.
-        #
-        # When the `Policy` is returned from either a `GetPolicy` or a
-        # `ListOrgPolicy` request, this `etag` indicates the version of the current
-        # `Policy` to use when executing a read-modify-write loop.
-        #
-        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
-        # `etag` will be unset.
-        #
-        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
-        # that was returned from a `GetOrgPolicy` request as part of a
-        # read-modify-write loop for concurrency control. Not setting the `etag`in a
-        # `SetOrgPolicy` request will result in an unconditional write of the
-        # `Policy`.
-    &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example,
-        # `constraints/serviceuser.services`.
-        #
-        # A [list of available
-        # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
-        # is available.
-        #
-        # Immutable after creation.
-    &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
-        # resource.
-        #
-        # `ListPolicy` can define specific values and subtrees of Cloud Resource
-        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
-        # are allowed or denied by setting the `allowed_values` and `denied_values`
-        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
-        # The `under:` prefix is used to denote resource subtree values.
-        # The `is:` prefix is used to denote specific values, and is required only
-        # if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the
-        # same as values with no prefix.
-        # Ancestry subtrees must be in one of the following formats:
-        #     - &quot;projects/&lt;project-id&gt;&quot;, e.g. &quot;projects/tokyo-rain-123&quot;
-        #     - &quot;folders/&lt;folder-id&gt;&quot;, e.g. &quot;folders/1234&quot;
-        #     - &quot;organizations/&lt;organization-id&gt;&quot;, e.g. &quot;organizations/1234&quot;
-        # The `supports_under` field of the associated `Constraint`  defines whether
-        # ancestry prefixes can be used. You can set `allowed_values` and
-        # `denied_values` in the same `Policy` if `all_values` is
-        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
-        # values. If `all_values` is set to either `ALLOW` or `DENY`,
-        # `allowed_values` and `denied_values` must be unset.
+    &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to `SetOrgPolicy` was made for that `Policy`. Any value set by the client will be ignored.
+    &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this resource. `ListPolicy` can define specific values and subtrees of Cloud Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied by setting the `allowed_values` and `denied_values` fields. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - &quot;projects/&quot;, e.g. &quot;projects/tokyo-rain-123&quot; - &quot;folders/&quot;, e.g. &quot;folders/1234&quot; - &quot;organizations/&quot;, e.g. &quot;organizations/1234&quot; The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. You can set `allowed_values` and `denied_values` in the same `Policy` if `all_values` is `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all values. If `all_values` is set to either `ALLOW` or `DENY`, `allowed_values` and `denied_values` must be unset. # List of values either allowed or disallowed.
+      &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
+        &quot;A String&quot;,
+      ],
       &quot;allValues&quot;: &quot;A String&quot;, # The policy all_values state.
-      &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values`
-          # is set to `ALL_VALUES_UNSPECIFIED`.
+      &quot;allowedValues&quot;: [ # List of values allowed at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
         &quot;A String&quot;,
       ],
-      &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration
-          # that matches the value specified in this `Policy`. If `suggested_value`
-          # is not set, it will inherit the value specified higher in the hierarchy,
-          # unless `inherit_from_parent` is `false`.
-      &quot;allowedValues&quot;: [ # List of values allowed  at this resource. Can only be set if `all_values`
-          # is set to `ALL_VALUES_UNSPECIFIED`.
-        &quot;A String&quot;,
-      ],
-      &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`.
-          #
-          # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
-          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
-          # set to `true`, then the values from the effective `Policy` of the parent
-          # resource are inherited, meaning the values set in this `Policy` are
-          # added to the values inherited up the hierarchy.
-          #
-          # Setting `Policy` hierarchies that inherit both allowed values and denied
-          # values isn&#x27;t recommended in most circumstances to keep the configuration
-          # simple and understandable. However, it is possible to set a `Policy` with
-          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
-          # In this case, the values that are allowed must be in `allowed_values` and
-          # not present in `denied_values`.
-          #
-          # For example, suppose you have a `Constraint`
-          # `constraints/serviceuser.services`, which has a `constraint_type` of
-          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
-          # Suppose that at the Organization level, a `Policy` is applied that
-          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
-          # `Policy` is applied to a project below the Organization that has
-          # `inherit_from_parent` set to `false` and field all_values set to DENY,
-          # then an attempt to activate any API will be denied.
-          #
-          # The following examples demonstrate different possible layerings for
-          # `projects/bar` parented by `organizations/foo`:
-          #
-          # Example 1 (no inherited values):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-          #   `projects/bar` has `inherit_from_parent` `false` and values:
-          #     {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The accepted values at `projects/bar` are `E3`, and `E4`.
-          #
-          # Example 2 (inherited values):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with values:
-          #     {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
-          #
-          # Example 3 (inheriting both allowed and denied values):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {denied_values: &quot;E1&quot;}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The value accepted at `projects/bar` is `E2`.
-          #
-          # Example 4 (RestoreDefault):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with values:
-          #     {RestoreDefault: {}}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The accepted values at `projects/bar` are either all or none depending on
-          # the value of `constraint_default` (if `ALLOW`, all; if
-          # `DENY`, none).
-          #
-          # Example 5 (no policy inherits parent policy):
-          #   `organizations/foo` has no `Policy` set.
-          #   `projects/bar` has no `Policy` set.
-          # The accepted values at both levels are either all or none depending on
-          # the value of `constraint_default` (if `ALLOW`, all; if
-          # `DENY`, none).
-          #
-          # Example 6 (ListConstraint allowing all):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {all: ALLOW}
-          # The accepted values at `organizations/foo` are `E1`, E2`.
-          # Any value is accepted at `projects/bar`.
-          #
-          # Example 7 (ListConstraint allowing none):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {all: DENY}
-          # The accepted values at `organizations/foo` are `E1`, E2`.
-          # No value is accepted at `projects/bar`.
-          #
-          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
-          # Given the following resource hierarchy
-          #   O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3},
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;under:organizations/O1&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {allowed_values: &quot;under:projects/P3&quot;}
-          #     {denied_values: &quot;under:folders/F2&quot;}
-          # The accepted values at `organizations/foo` are `organizations/O1`,
-          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
-          #   `projects/P3`.
-          # The accepted values at `projects/bar` are `organizations/O1`,
-          #   `folders/F1`, `projects/P1`.
+      &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this `Policy`. If `suggested_value` is not set, it will inherit the value specified higher in the hierarchy, unless `inherit_from_parent` is `false`.
+      &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`. By default, a `ListPolicy` set at a resource supersedes any `Policy` set anywhere up the resource hierarchy. However, if `inherit_from_parent` is set to `true`, then the values from the effective `Policy` of the parent resource are inherited, meaning the values set in this `Policy` are added to the values inherited up the hierarchy. Setting `Policy` hierarchies that inherit both allowed values and denied values isn&#x27;t recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a `Policy` with `allowed_values` set that inherits a `Policy` with `denied_values` set. In this case, the values that are allowed must be in `allowed_values` and not present in `denied_values`. For example, suppose you have a `Constraint` `constraints/serviceuser.services`, which has a `constraint_type` of `list_constraint`, and with `constraint_default` set to `ALLOW`. Suppose that at the Organization level, a `Policy` is applied that restricts the allowed API activations to {`E1`, `E2`}. Then, if a `Policy` is applied to a project below the Organization that has `inherit_from_parent` set to `false` and field all_values set to DENY, then an attempt to activate any API will be denied. The following examples demonstrate different possible layerings for `projects/bar` parented by `organizations/foo`: Example 1 (no inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has `inherit_from_parent` `false` and values: {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E3`, and `E4`. 
Example 2 (inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. Example 3 (inheriting both allowed and denied values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {denied_values: &quot;E1&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The value accepted at `projects/bar` is `E2`. Example 4 (RestoreDefault): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {RestoreDefault: {}} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 5 (no policy inherits parent policy): `organizations/foo` has no `Policy` set. `projects/bar` has no `Policy` set. The accepted values at both levels are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 6 (ListConstraint allowing all): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: ALLOW} The accepted values at `organizations/foo` are `E1`, E2`. Any value is accepted at `projects/bar`. Example 7 (ListConstraint allowing none): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: DENY} The accepted values at `organizations/foo` are `E1`, E2`. No value is accepted at `projects/bar`. 
Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3}, `organizations/foo` has a `Policy` with values: {allowed_values: &quot;under:organizations/O1&quot;} `projects/bar` has a `Policy` with: {allowed_values: &quot;under:projects/P3&quot;} {denied_values: &quot;under:folders/F2&quot;} The accepted values at `organizations/foo` are `organizations/O1`, `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, `projects/P3`. The accepted values at `projects/bar` are `organizations/O1`, `folders/F1`, `projects/P1`.
     },
   }</pre>
 </div>
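Review bot: The added `listPolicy` comment has lost the placeholders in the ancestry-subtree formats: the removed lines read `projects/&lt;project-id&gt;`, `folders/&lt;folder-id&gt;` and `organizations/&lt;organization-id&gt;`, while the added line reads `projects/`, `folders/` and `organizations/`. The angle-bracketed tokens appear to have been dropped rather than escaped, and they should be restored. Separately, collapsing the `enforced` and `inheritFromParent` comments onto one line runs the bulleted behaviours and the numbered examples together, which makes the inheritance and `RestoreDefault` semantics hard to follow for anyone checking what a policy at `projects/bar` actually permits; keeping the paragraph breaks in the generated output would help. The carried-over typos (`E1`, E2` with a missing backtick, "the`Policy`" and "`etag`in" with missing spaces) could be fixed upstream at the same time.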
@@ -646,13 +232,9 @@
   body: object, The request body.
     The object takes the form of:
 
-{ # The request sent to the `ListAvailableOrgPolicyConstraints` method on the
-      # project, folder, or organization.
-    &quot;pageToken&quot;: &quot;A String&quot;, # Page token used to retrieve the next page. This is currently unsupported
-        # and will be ignored. The server may at any point start using this field.
-    &quot;pageSize&quot;: 42, # Size of the pages to be returned. This is currently unsupported and will
-        # be ignored. The server may at any point start using this field to limit
-        # page size.
+{ # The request sent to the `ListAvailableOrgPolicyConstraints` method on the project, folder, or organization.
+    &quot;pageSize&quot;: 42, # Size of the pages to be returned. This is currently unsupported and will be ignored. The server may at any point start using this field to limit page size.
+    &quot;pageToken&quot;: &quot;A String&quot;, # Page token used to retrieve the next page. This is currently unsupported and will be ignored. The server may at any point start using this field.
   }
 
   x__xgafv: string, V1 error format.
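Review bot: The `pageSize` and `pageToken` entries swap places in this request body with no change to their text, so please confirm the generator now emits keys in a deterministic order. If the order can vary between runs, each regeneration will reshuffle fields and bury real documentation changes in the diff.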
@@ -663,54 +245,23 @@
 Returns:
   An object of the form:
 
-    { # The response returned from the `ListAvailableOrgPolicyConstraints` method.
-      # Returns all `Constraints` that could be set at this level of the hierarchy
-      # (contrast with the response from `ListPolicies`, which returns all policies
-      # which are set).
+    { # The response returned from the `ListAvailableOrgPolicyConstraints` method. Returns all `Constraints` that could be set at this level of the hierarchy (contrast with the response from `ListPolicies`, which returns all policies which are set).
+    &quot;nextPageToken&quot;: &quot;A String&quot;, # Page token used to retrieve the next page. This is currently not used.
     &quot;constraints&quot;: [ # The collection of constraints that are settable on the request resource.
-      { # A `Constraint` describes a way in which a resource&#x27;s configuration can be
-          # restricted. For example, it controls which cloud services can be activated
-          # across an organization, or whether a Compute Engine instance can have
-          # serial port connections established. `Constraints` can be configured by the
-          # organization&#x27;s policy administrator to fit the needs of the organzation by
-          # setting Policies for `Constraints` at different locations in the
-          # organization&#x27;s resource hierarchy. Policies are inherited down the resource
-          # hierarchy from higher levels, but can also be overridden. For details about
-          # the inheritance rules please read about
-          # [Policies](/resource-manager/reference/rest/v1/Policy).
-          #
-          # `Constraints` have a default behavior determined by the `constraint_default`
-          # field, which is the enforcement behavior that is used in the absence of a
-          # `Policy` being defined or inherited for the resource in question.
-        &quot;booleanConstraint&quot;: { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
-            #
-            # For example a constraint `constraints/compute.disableSerialPortAccess`.
-            # If it is enforced on a VM instance, serial port connections will not be
-            # opened to that instance.
-        },
-        &quot;name&quot;: &quot;A String&quot;, # Immutable value, required to globally be unique. For example,
-            # `constraints/serviceuser.services`
-        &quot;displayName&quot;: &quot;A String&quot;, # The human readable name.
-            #
-            # Mutable.
+      { # A `Constraint` describes a way in which a resource&#x27;s configuration can be restricted. For example, it controls which cloud services can be activated across an organization, or whether a Compute Engine instance can have serial port connections established. `Constraints` can be configured by the organization&#x27;s policy administrator to fit the needs of the organzation by setting Policies for `Constraints` at different locations in the organization&#x27;s resource hierarchy. Policies are inherited down the resource hierarchy from higher levels, but can also be overridden. For details about the inheritance rules please read about [Policies](/resource-manager/reference/rest/v1/Policy). `Constraints` have a default behavior determined by the `constraint_default` field, which is the enforcement behavior that is used in the absence of a `Policy` being defined or inherited for the resource in question.
+        &quot;displayName&quot;: &quot;A String&quot;, # The human readable name. Mutable.
+        &quot;description&quot;: &quot;A String&quot;, # Detailed description of what this `Constraint` controls as well as how and where it is enforced. Mutable.
         &quot;version&quot;: 42, # Version of the `Constraint`. Default version is 0;
-        &quot;listConstraint&quot;: { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
-            # configured by an Organization&#x27;s policy administrator with a `Policy`.
-          &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration
-              # that matches the value specified in this `Constraint`.
-          &quot;supportsUnder&quot;: True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy
-              # can be used in `Policy.allowed_values` and `Policy.denied_values`. For
-              # example, `&quot;under:folders/123&quot;` would match any resource under the
-              # &#x27;folders/123&#x27; folder.
-        },
+        &quot;name&quot;: &quot;A String&quot;, # Immutable value, required to globally be unique. For example, `constraints/serviceuser.services`
         &quot;constraintDefault&quot;: &quot;A String&quot;, # The evaluation behavior of this constraint in the absence of &#x27;Policy&#x27;.
-        &quot;description&quot;: &quot;A String&quot;, # Detailed description of what this `Constraint` controls as well as how and
-            # where it is enforced.
-            #
-            # Mutable.
+        &quot;listConstraint&quot;: { # A `Constraint` that allows or disallows a list of string values, which are configured by an Organization&#x27;s policy administrator with a `Policy`. # Defines this constraint as being a ListConstraint.
+          &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this `Constraint`.
+          &quot;supportsUnder&quot;: True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy can be used in `Policy.allowed_values` and `Policy.denied_values`. For example, `&quot;under:folders/123&quot;` would match any resource under the &#x27;folders/123&#x27; folder.
+        },
+        &quot;booleanConstraint&quot;: { # A `Constraint` that is either enforced or not. For example a constraint `constraints/compute.disableSerialPortAccess`. If it is enforced on a VM instance, serial port connections will not be opened to that instance. # Defines this constraint as being a BooleanConstraint.
+        },
       },
     ],
-    &quot;nextPageToken&quot;: &quot;A String&quot;, # Page token used to retrieve the next page. This is currently not used.
   }</pre>
 </div>
 
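Review bot: The added `Constraint` description still carries the misspelling "organzation" ("to fit the needs of the organzation"); since this file is generated, the fix belongs in the upstream description rather than here. Also, on the added `listConstraint` and `booleanConstraint` lines the short field summary (for example "# Defines this constraint as being a ListConstraint.") now trails the long type description at the end of the line, so the one-line meaning of the field is the last thing a reader reaches. Emitting the field summary first, then the type description, would read better.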
@@ -738,11 +289,8 @@
     The object takes the form of:
 
 { # The request sent to the ListOrgPolicies method.
-    &quot;pageSize&quot;: 42, # Size of the pages to be returned. This is currently unsupported and will
-        # be ignored. The server may at any point start using this field to limit
-        # page size.
-    &quot;pageToken&quot;: &quot;A String&quot;, # Page token used to retrieve the next page. This is currently unsupported
-        # and will be ignored. The server may at any point start using this field.
+    &quot;pageSize&quot;: 42, # Size of the pages to be returned. This is currently unsupported and will be ignored. The server may at any point start using this field to limit page size.
+    &quot;pageToken&quot;: &quot;A String&quot;, # Page token used to retrieve the next page. This is currently unsupported and will be ignored. The server may at any point start using this field.
   }
 
   x__xgafv: string, V1 error format.
@@ -753,234 +301,29 @@
 Returns:
   An object of the form:
 
-    { # The response returned from the `ListOrgPolicies` method. It will be empty
-      # if no `Policies` are set on the resource.
-    &quot;nextPageToken&quot;: &quot;A String&quot;, # Page token used to retrieve the next page. This is currently not used, but
-        # the server may at any point start supplying a valid token.
-    &quot;policies&quot;: [ # The `Policies` that are set on the resource. It will be empty if no
-        # `Policies` are set.
-      { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
-          # for configurations of Cloud Platform resources.
-        &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
-            # resource.
-          &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
-              # configuration is acceptable.
-              #
-              # Suppose you have a `Constraint`
-              # `constraints/compute.disableSerialPortAccess` with `constraint_default`
-              # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
-              # behavior:
-              #   - If the `Policy` at this resource has enforced set to `false`, serial
-              #     port connection attempts will be allowed.
-              #   - If the `Policy` at this resource has enforced set to `true`, serial
-              #     port connection attempts will be refused.
-              #   - If the `Policy` at this resource is `RestoreDefault`, serial port
-              #     connection attempts will be allowed.
-              #   - If no `Policy` is set at this resource or anywhere higher in the
-              #     resource hierarchy, serial port connection attempts will be allowed.
-              #   - If no `Policy` is set at this resource, but one exists higher in the
-              #     resource hierarchy, the behavior is as if the`Policy` were set at
-              #     this resource.
-              #
-              # The following examples demonstrate the different possible layerings:
-              #
-              # Example 1 (nearest `Constraint` wins):
-              #   `organizations/foo` has a `Policy` with:
-              #     {enforced: false}
-              #   `projects/bar` has no `Policy` set.
-              # The constraint at `projects/bar` and `organizations/foo` will not be
-              # enforced.
-              #
-              # Example 2 (enforcement gets replaced):
-              #   `organizations/foo` has a `Policy` with:
-              #     {enforced: false}
-              #   `projects/bar` has a `Policy` with:
-              #     {enforced: true}
-              # The constraint at `organizations/foo` is not enforced.
-              # The constraint at `projects/bar` is enforced.
-              #
-              # Example 3 (RestoreDefault):
-              #   `organizations/foo` has a `Policy` with:
-              #     {enforced: true}
-              #   `projects/bar` has a `Policy` with:
-              #     {RestoreDefault: {}}
-              # The constraint at `organizations/foo` is enforced.
-              # The constraint at `projects/bar` is not enforced, because
-              # `constraint_default` for the `Constraint` is `ALLOW`.
+    { # The response returned from the `ListOrgPolicies` method. It will be empty if no `Policies` are set on the resource.
+    &quot;nextPageToken&quot;: &quot;A String&quot;, # Page token used to retrieve the next page. This is currently not used, but the server may at any point start supplying a valid token.
+    &quot;policies&quot;: [ # The `Policies` that are set on the resource. It will be empty if no `Policies` are set.
+      { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` for configurations of Cloud Platform resources.
+        &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this resource. # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+          &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any configuration is acceptable. Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` with `constraint_default` set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following behavior: - If the `Policy` at this resource has enforced set to `false`, serial port connection attempts will be allowed. - If the `Policy` at this resource has enforced set to `true`, serial port connection attempts will be refused. - If the `Policy` at this resource is `RestoreDefault`, serial port connection attempts will be allowed. - If no `Policy` is set at this resource or anywhere higher in the resource hierarchy, serial port connection attempts will be allowed. - If no `Policy` is set at this resource, but one exists higher in the resource hierarchy, the behavior is as if the`Policy` were set at this resource. The following examples demonstrate the different possible layerings: Example 1 (nearest `Constraint` wins): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has no `Policy` set. The constraint at `projects/bar` and `organizations/foo` will not be enforced. Example 2 (enforcement gets replaced): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has a `Policy` with: {enforced: true} The constraint at `organizations/foo` is not enforced. The constraint at `projects/bar` is enforced. Example 3 (RestoreDefault): `organizations/foo` has a `Policy` with: {enforced: true} `projects/bar` has a `Policy` with: {RestoreDefault: {}} The constraint at `organizations/foo` is enforced. The constraint at `projects/bar` is not enforced, because `constraint_default` for the `Constraint` is `ALLOW`.
         },
-        &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
-            # `Constraint` type.
-            # `constraint_default` enforcement behavior of the specific `Constraint` at
-            # this resource.
-            #
-            # Suppose that `constraint_default` is set to `ALLOW` for the
-            # `Constraint` `constraints/serviceuser.services`. Suppose that organization
-            # foo.com sets a `Policy` at their Organization resource node that restricts
-            # the allowed service activations to deny all service activations. They
-            # could then set a `Policy` with the `policy_type` `restore_default` on
-            # several experimental projects, restoring the `constraint_default`
-            # enforcement of the `Constraint` for only those projects, allowing those
-            # projects to have all services activated.
+        &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific `Constraint` at this resource. Suppose that `constraint_default` is set to `ALLOW` for the `Constraint` `constraints/serviceuser.services`. Suppose that organization foo.com sets a `Policy` at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a `Policy` with the `policy_type` `restore_default` on several experimental projects, restoring the `constraint_default` enforcement of the `Constraint` for only those projects, allowing those projects to have all services activated. # Restores the default behavior of the constraint; independent of `Constraint` type.
         },
-        &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the
-            # server, not specified by the caller, and represents the last time a call to
-            # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
-            # be ignored.
+        &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for concurrency control. When the `Policy` is returned from either a `GetPolicy` or a `ListOrgPolicy` request, this `etag` indicates the version of the current `Policy` to use when executing a read-modify-write loop. When the `Policy` is returned from a `GetEffectivePolicy` request, the `etag` will be unset. When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value that was returned from a `GetOrgPolicy` request as part of a read-modify-write loop for concurrency control. Not setting the `etag`in a `SetOrgPolicy` request will result in an unconditional write of the `Policy`.
+        &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example, `constraints/serviceuser.services`. A [list of available constraints](/resource-manager/docs/organization-policy/org-policy-constraints) is available. Immutable after creation.
         &quot;version&quot;: 42, # Version of the `Policy`. Default version is 0;
-        &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for
-            # concurrency control.
-            #
-            # When the `Policy` is returned from either a `GetPolicy` or a
-            # `ListOrgPolicy` request, this `etag` indicates the version of the current
-            # `Policy` to use when executing a read-modify-write loop.
-            #
-            # When the `Policy` is returned from a `GetEffectivePolicy` request, the
-            # `etag` will be unset.
-            #
-            # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
-            # that was returned from a `GetOrgPolicy` request as part of a
-            # read-modify-write loop for concurrency control. Not setting the `etag`in a
-            # `SetOrgPolicy` request will result in an unconditional write of the
-            # `Policy`.
-        &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example,
-            # `constraints/serviceuser.services`.
-            #
-            # A [list of available
-            # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
-            # is available.
-            #
-            # Immutable after creation.
-        &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
-            # resource.
-            #
-            # `ListPolicy` can define specific values and subtrees of Cloud Resource
-            # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
-            # are allowed or denied by setting the `allowed_values` and `denied_values`
-            # fields. This is achieved by using the `under:` and optional `is:` prefixes.
-            # The `under:` prefix is used to denote resource subtree values.
-            # The `is:` prefix is used to denote specific values, and is required only
-            # if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the
-            # same as values with no prefix.
-            # Ancestry subtrees must be in one of the following formats:
-            #     - &quot;projects/&lt;project-id&gt;&quot;, e.g. &quot;projects/tokyo-rain-123&quot;
-            #     - &quot;folders/&lt;folder-id&gt;&quot;, e.g. &quot;folders/1234&quot;
-            #     - &quot;organizations/&lt;organization-id&gt;&quot;, e.g. &quot;organizations/1234&quot;
-            # The `supports_under` field of the associated `Constraint`  defines whether
-            # ancestry prefixes can be used. You can set `allowed_values` and
-            # `denied_values` in the same `Policy` if `all_values` is
-            # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
-            # values. If `all_values` is set to either `ALLOW` or `DENY`,
-            # `allowed_values` and `denied_values` must be unset.
+        &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to `SetOrgPolicy` was made for that `Policy`. Any value set by the client will be ignored.
+        &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this resource. `ListPolicy` can define specific values and subtrees of Cloud Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied by setting the `allowed_values` and `denied_values` fields. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - &quot;projects/&quot;, e.g. &quot;projects/tokyo-rain-123&quot; - &quot;folders/&quot;, e.g. &quot;folders/1234&quot; - &quot;organizations/&quot;, e.g. &quot;organizations/1234&quot; The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. You can set `allowed_values` and `denied_values` in the same `Policy` if `all_values` is `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all values. If `all_values` is set to either `ALLOW` or `DENY`, `allowed_values` and `denied_values` must be unset. # List of values either allowed or disallowed.
+          &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
+            &quot;A String&quot;,
+          ],
           &quot;allValues&quot;: &quot;A String&quot;, # The policy all_values state.
-          &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values`
-              # is set to `ALL_VALUES_UNSPECIFIED`.
+          &quot;allowedValues&quot;: [ # List of values allowed at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
             &quot;A String&quot;,
           ],
-          &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration
-              # that matches the value specified in this `Policy`. If `suggested_value`
-              # is not set, it will inherit the value specified higher in the hierarchy,
-              # unless `inherit_from_parent` is `false`.
-          &quot;allowedValues&quot;: [ # List of values allowed  at this resource. Can only be set if `all_values`
-              # is set to `ALL_VALUES_UNSPECIFIED`.
-            &quot;A String&quot;,
-          ],
-          &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`.
-              #
-              # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
-              # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
-              # set to `true`, then the values from the effective `Policy` of the parent
-              # resource are inherited, meaning the values set in this `Policy` are
-              # added to the values inherited up the hierarchy.
-              #
-              # Setting `Policy` hierarchies that inherit both allowed values and denied
-              # values isn&#x27;t recommended in most circumstances to keep the configuration
-              # simple and understandable. However, it is possible to set a `Policy` with
-              # `allowed_values` set that inherits a `Policy` with `denied_values` set.
-              # In this case, the values that are allowed must be in `allowed_values` and
-              # not present in `denied_values`.
-              #
-              # For example, suppose you have a `Constraint`
-              # `constraints/serviceuser.services`, which has a `constraint_type` of
-              # `list_constraint`, and with `constraint_default` set to `ALLOW`.
-              # Suppose that at the Organization level, a `Policy` is applied that
-              # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
-              # `Policy` is applied to a project below the Organization that has
-              # `inherit_from_parent` set to `false` and field all_values set to DENY,
-              # then an attempt to activate any API will be denied.
-              #
-              # The following examples demonstrate different possible layerings for
-              # `projects/bar` parented by `organizations/foo`:
-              #
-              # Example 1 (no inherited values):
-              #   `organizations/foo` has a `Policy` with values:
-              #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-              #   `projects/bar` has `inherit_from_parent` `false` and values:
-              #     {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;}
-              # The accepted values at `organizations/foo` are `E1`, `E2`.
-              # The accepted values at `projects/bar` are `E3`, and `E4`.
-              #
-              # Example 2 (inherited values):
-              #   `organizations/foo` has a `Policy` with values:
-              #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-              #   `projects/bar` has a `Policy` with values:
-              #     {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true}
-              # The accepted values at `organizations/foo` are `E1`, `E2`.
-              # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
-              #
-              # Example 3 (inheriting both allowed and denied values):
-              #   `organizations/foo` has a `Policy` with values:
-              #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-              #   `projects/bar` has a `Policy` with:
-              #     {denied_values: &quot;E1&quot;}
-              # The accepted values at `organizations/foo` are `E1`, `E2`.
-              # The value accepted at `projects/bar` is `E2`.
-              #
-              # Example 4 (RestoreDefault):
-              #   `organizations/foo` has a `Policy` with values:
-              #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-              #   `projects/bar` has a `Policy` with values:
-              #     {RestoreDefault: {}}
-              # The accepted values at `organizations/foo` are `E1`, `E2`.
-              # The accepted values at `projects/bar` are either all or none depending on
-              # the value of `constraint_default` (if `ALLOW`, all; if
-              # `DENY`, none).
-              #
-              # Example 5 (no policy inherits parent policy):
-              #   `organizations/foo` has no `Policy` set.
-              #   `projects/bar` has no `Policy` set.
-              # The accepted values at both levels are either all or none depending on
-              # the value of `constraint_default` (if `ALLOW`, all; if
-              # `DENY`, none).
-              #
-              # Example 6 (ListConstraint allowing all):
-              #   `organizations/foo` has a `Policy` with values:
-              #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-              #   `projects/bar` has a `Policy` with:
-              #     {all: ALLOW}
-              # The accepted values at `organizations/foo` are `E1`, E2`.
-              # Any value is accepted at `projects/bar`.
-              #
-              # Example 7 (ListConstraint allowing none):
-              #   `organizations/foo` has a `Policy` with values:
-              #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-              #   `projects/bar` has a `Policy` with:
-              #     {all: DENY}
-              # The accepted values at `organizations/foo` are `E1`, E2`.
-              # No value is accepted at `projects/bar`.
-              #
-              # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
-              # Given the following resource hierarchy
-              #   O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3},
-              #   `organizations/foo` has a `Policy` with values:
-              #     {allowed_values: &quot;under:organizations/O1&quot;}
-              #   `projects/bar` has a `Policy` with:
-              #     {allowed_values: &quot;under:projects/P3&quot;}
-              #     {denied_values: &quot;under:folders/F2&quot;}
-              # The accepted values at `organizations/foo` are `organizations/O1`,
-              #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
-              #   `projects/P3`.
-              # The accepted values at `projects/bar` are `organizations/O1`,
-              #   `folders/F1`, `projects/P1`.
+          &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this `Policy`. If `suggested_value` is not set, it will inherit the value specified higher in the hierarchy, unless `inherit_from_parent` is `false`.
+          &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`. By default, a `ListPolicy` set at a resource supersedes any `Policy` set anywhere up the resource hierarchy. However, if `inherit_from_parent` is set to `true`, then the values from the effective `Policy` of the parent resource are inherited, meaning the values set in this `Policy` are added to the values inherited up the hierarchy. Setting `Policy` hierarchies that inherit both allowed values and denied values isn&#x27;t recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a `Policy` with `allowed_values` set that inherits a `Policy` with `denied_values` set. In this case, the values that are allowed must be in `allowed_values` and not present in `denied_values`. For example, suppose you have a `Constraint` `constraints/serviceuser.services`, which has a `constraint_type` of `list_constraint`, and with `constraint_default` set to `ALLOW`. Suppose that at the Organization level, a `Policy` is applied that restricts the allowed API activations to {`E1`, `E2`}. Then, if a `Policy` is applied to a project below the Organization that has `inherit_from_parent` set to `false` and field all_values set to DENY, then an attempt to activate any API will be denied. The following examples demonstrate different possible layerings for `projects/bar` parented by `organizations/foo`: Example 1 (no inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has `inherit_from_parent` `false` and values: {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E3`, and `E4`. 
Example 2 (inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. Example 3 (inheriting both allowed and denied values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {denied_values: &quot;E1&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The value accepted at `projects/bar` is `E2`. Example 4 (RestoreDefault): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {RestoreDefault: {}} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 5 (no policy inherits parent policy): `organizations/foo` has no `Policy` set. `projects/bar` has no `Policy` set. The accepted values at both levels are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 6 (ListConstraint allowing all): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: ALLOW} The accepted values at `organizations/foo` are `E1`, E2`. Any value is accepted at `projects/bar`. Example 7 (ListConstraint allowing none): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: DENY} The accepted values at `organizations/foo` are `E1`, E2`. No value is accepted at `projects/bar`. 
Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3}, `organizations/foo` has a `Policy` with values: {allowed_values: &quot;under:organizations/O1&quot;} `projects/bar` has a `Policy` with: {allowed_values: &quot;under:projects/P3&quot;} {denied_values: &quot;under:folders/F2&quot;} The accepted values at `organizations/foo` are `organizations/O1`, `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, `projects/P3`. The accepted values at `projects/bar` are `organizations/O1`, `folders/F1`, `projects/P1`.
         },
       },
     ],
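Review bot: the added `listPolicy` line has lost the placeholders in the ancestry subtree formats. The removed lines read "projects/&lt;project-id&gt;", "folders/&lt;folder-id&gt;" and "organizations/&lt;organization-id&gt;"; the added line reads "projects/", "folders/" and "organizations/", so the documented format for `under:` values is now incomplete. It looks as if the generator strips the angle-bracket text as markup instead of escaping it; please escape it so the placeholders survive. Two smaller points in the same hunk: the added `inheritFromParent` comment continues onto two lines that carry no `+` prefix (starting "Example 2 (inherited values)" and "Example 10 (allowed and denied subtrees ..."), which suggests the description contains embedded newlines the generator did not handle, and the `enforced` and `inheritFromParent` examples that were previously laid out one per block are now a single run of text, which makes the allow/deny inheritance outcomes much harder to check when reviewing a policy.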
@@ -1003,11 +346,7 @@
 
 <div class="method">
     <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body=None, x__xgafv=None)</code>
-  <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for
-that `Constraint` on the resource if one does not exist.
-
-Not supplying an `etag` on the request `Policy` results in an unconditional
-write of the `Policy`.
+  <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for that `Constraint` on the resource if one does not exist. Not supplying an `etag` on the request `Policy` results in an unconditional write of the `Policy`.
 
 Args:
   resource: string, Resource name of the resource to attach the `Policy`. (required)
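Review bot: in the added `<pre>` line for `setOrgPolicy`, the sentence "Not supplying an `etag` on the request `Policy` results in an unconditional write of the `Policy`." is now appended to the method summary, where the removed lines set it off as its own paragraph after a blank line. That sentence is the concurrency caveat for this call: a caller who omits the `etag` overwrites whatever `Policy` is currently set. Please keep the paragraph break in the generated output so the caveat stays visible and is not read as part of the one-line summary.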
@@ -1015,228 +354,26 @@
     The object takes the form of:
 
 { # The request sent to the SetOrgPolicyRequest method.
-    &quot;policy&quot;: { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
-        # for configurations of Cloud Platform resources.
-      &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
-          # resource.
-        &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
-            # configuration is acceptable.
-            #
-            # Suppose you have a `Constraint`
-            # `constraints/compute.disableSerialPortAccess` with `constraint_default`
-            # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
-            # behavior:
-            #   - If the `Policy` at this resource has enforced set to `false`, serial
-            #     port connection attempts will be allowed.
-            #   - If the `Policy` at this resource has enforced set to `true`, serial
-            #     port connection attempts will be refused.
-            #   - If the `Policy` at this resource is `RestoreDefault`, serial port
-            #     connection attempts will be allowed.
-            #   - If no `Policy` is set at this resource or anywhere higher in the
-            #     resource hierarchy, serial port connection attempts will be allowed.
-            #   - If no `Policy` is set at this resource, but one exists higher in the
-            #     resource hierarchy, the behavior is as if the`Policy` were set at
-            #     this resource.
-            #
-            # The following examples demonstrate the different possible layerings:
-            #
-            # Example 1 (nearest `Constraint` wins):
-            #   `organizations/foo` has a `Policy` with:
-            #     {enforced: false}
-            #   `projects/bar` has no `Policy` set.
-            # The constraint at `projects/bar` and `organizations/foo` will not be
-            # enforced.
-            #
-            # Example 2 (enforcement gets replaced):
-            #   `organizations/foo` has a `Policy` with:
-            #     {enforced: false}
-            #   `projects/bar` has a `Policy` with:
-            #     {enforced: true}
-            # The constraint at `organizations/foo` is not enforced.
-            # The constraint at `projects/bar` is enforced.
-            #
-            # Example 3 (RestoreDefault):
-            #   `organizations/foo` has a `Policy` with:
-            #     {enforced: true}
-            #   `projects/bar` has a `Policy` with:
-            #     {RestoreDefault: {}}
-            # The constraint at `organizations/foo` is enforced.
-            # The constraint at `projects/bar` is not enforced, because
-            # `constraint_default` for the `Constraint` is `ALLOW`.
+    &quot;policy&quot;: { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` for configurations of Cloud Platform resources. # `Policy` to set on the resource.
+      &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this resource. # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+        &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any configuration is acceptable. Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` with `constraint_default` set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following behavior: - If the `Policy` at this resource has enforced set to `false`, serial port connection attempts will be allowed. - If the `Policy` at this resource has enforced set to `true`, serial port connection attempts will be refused. - If the `Policy` at this resource is `RestoreDefault`, serial port connection attempts will be allowed. - If no `Policy` is set at this resource or anywhere higher in the resource hierarchy, serial port connection attempts will be allowed. - If no `Policy` is set at this resource, but one exists higher in the resource hierarchy, the behavior is as if the`Policy` were set at this resource. The following examples demonstrate the different possible layerings: Example 1 (nearest `Constraint` wins): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has no `Policy` set. The constraint at `projects/bar` and `organizations/foo` will not be enforced. Example 2 (enforcement gets replaced): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has a `Policy` with: {enforced: true} The constraint at `organizations/foo` is not enforced. The constraint at `projects/bar` is enforced. Example 3 (RestoreDefault): `organizations/foo` has a `Policy` with: {enforced: true} `projects/bar` has a `Policy` with: {RestoreDefault: {}} The constraint at `organizations/foo` is enforced. The constraint at `projects/bar` is not enforced, because `constraint_default` for the `Constraint` is `ALLOW`.
       },
-      &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
-          # `Constraint` type.
-          # `constraint_default` enforcement behavior of the specific `Constraint` at
-          # this resource.
-          #
-          # Suppose that `constraint_default` is set to `ALLOW` for the
-          # `Constraint` `constraints/serviceuser.services`. Suppose that organization
-          # foo.com sets a `Policy` at their Organization resource node that restricts
-          # the allowed service activations to deny all service activations. They
-          # could then set a `Policy` with the `policy_type` `restore_default` on
-          # several experimental projects, restoring the `constraint_default`
-          # enforcement of the `Constraint` for only those projects, allowing those
-          # projects to have all services activated.
+      &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific `Constraint` at this resource. Suppose that `constraint_default` is set to `ALLOW` for the `Constraint` `constraints/serviceuser.services`. Suppose that organization foo.com sets a `Policy` at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a `Policy` with the `policy_type` `restore_default` on several experimental projects, restoring the `constraint_default` enforcement of the `Constraint` for only those projects, allowing those projects to have all services activated. # Restores the default behavior of the constraint; independent of `Constraint` type.
       },
-      &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the
-          # server, not specified by the caller, and represents the last time a call to
-          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
-          # be ignored.
+      &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for concurrency control. When the `Policy` is returned from either a `GetPolicy` or a `ListOrgPolicy` request, this `etag` indicates the version of the current `Policy` to use when executing a read-modify-write loop. When the `Policy` is returned from a `GetEffectivePolicy` request, the `etag` will be unset. When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value that was returned from a `GetOrgPolicy` request as part of a read-modify-write loop for concurrency control. Not setting the `etag`in a `SetOrgPolicy` request will result in an unconditional write of the `Policy`.
+      &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example, `constraints/serviceuser.services`. A [list of available constraints](/resource-manager/docs/organization-policy/org-policy-constraints) is available. Immutable after creation.
       &quot;version&quot;: 42, # Version of the `Policy`. Default version is 0;
-      &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for
-          # concurrency control.
-          #
-          # When the `Policy` is returned from either a `GetPolicy` or a
-          # `ListOrgPolicy` request, this `etag` indicates the version of the current
-          # `Policy` to use when executing a read-modify-write loop.
-          #
-          # When the `Policy` is returned from a `GetEffectivePolicy` request, the
-          # `etag` will be unset.
-          #
-          # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
-          # that was returned from a `GetOrgPolicy` request as part of a
-          # read-modify-write loop for concurrency control. Not setting the `etag`in a
-          # `SetOrgPolicy` request will result in an unconditional write of the
-          # `Policy`.
-      &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example,
-          # `constraints/serviceuser.services`.
-          #
-          # A [list of available
-          # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
-          # is available.
-          #
-          # Immutable after creation.
-      &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
-          # resource.
-          #
-          # `ListPolicy` can define specific values and subtrees of Cloud Resource
-          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
-          # are allowed or denied by setting the `allowed_values` and `denied_values`
-          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
-          # The `under:` prefix is used to denote resource subtree values.
-          # The `is:` prefix is used to denote specific values, and is required only
-          # if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the
-          # same as values with no prefix.
-          # Ancestry subtrees must be in one of the following formats:
-          #     - &quot;projects/&lt;project-id&gt;&quot;, e.g. &quot;projects/tokyo-rain-123&quot;
-          #     - &quot;folders/&lt;folder-id&gt;&quot;, e.g. &quot;folders/1234&quot;
-          #     - &quot;organizations/&lt;organization-id&gt;&quot;, e.g. &quot;organizations/1234&quot;
-          # The `supports_under` field of the associated `Constraint`  defines whether
-          # ancestry prefixes can be used. You can set `allowed_values` and
-          # `denied_values` in the same `Policy` if `all_values` is
-          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
-          # values. If `all_values` is set to either `ALLOW` or `DENY`,
-          # `allowed_values` and `denied_values` must be unset.
+      &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to `SetOrgPolicy` was made for that `Policy`. Any value set by the client will be ignored.
+      &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this resource. `ListPolicy` can define specific values and subtrees of Cloud Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied by setting the `allowed_values` and `denied_values` fields. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - &quot;projects/&quot;, e.g. &quot;projects/tokyo-rain-123&quot; - &quot;folders/&quot;, e.g. &quot;folders/1234&quot; - &quot;organizations/&quot;, e.g. &quot;organizations/1234&quot; The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. You can set `allowed_values` and `denied_values` in the same `Policy` if `all_values` is `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all values. If `all_values` is set to either `ALLOW` or `DENY`, `allowed_values` and `denied_values` must be unset. # List of values either allowed or disallowed.
+        &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
+          &quot;A String&quot;,
+        ],
         &quot;allValues&quot;: &quot;A String&quot;, # The policy all_values state.
-        &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values`
-            # is set to `ALL_VALUES_UNSPECIFIED`.
+        &quot;allowedValues&quot;: [ # List of values allowed at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
           &quot;A String&quot;,
         ],
-        &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration
-            # that matches the value specified in this `Policy`. If `suggested_value`
-            # is not set, it will inherit the value specified higher in the hierarchy,
-            # unless `inherit_from_parent` is `false`.
-        &quot;allowedValues&quot;: [ # List of values allowed  at this resource. Can only be set if `all_values`
-            # is set to `ALL_VALUES_UNSPECIFIED`.
-          &quot;A String&quot;,
-        ],
-        &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`.
-            #
-            # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
-            # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
-            # set to `true`, then the values from the effective `Policy` of the parent
-            # resource are inherited, meaning the values set in this `Policy` are
-            # added to the values inherited up the hierarchy.
-            #
-            # Setting `Policy` hierarchies that inherit both allowed values and denied
-            # values isn&#x27;t recommended in most circumstances to keep the configuration
-            # simple and understandable. However, it is possible to set a `Policy` with
-            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
-            # In this case, the values that are allowed must be in `allowed_values` and
-            # not present in `denied_values`.
-            #
-            # For example, suppose you have a `Constraint`
-            # `constraints/serviceuser.services`, which has a `constraint_type` of
-            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
-            # Suppose that at the Organization level, a `Policy` is applied that
-            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
-            # `Policy` is applied to a project below the Organization that has
-            # `inherit_from_parent` set to `false` and field all_values set to DENY,
-            # then an attempt to activate any API will be denied.
-            #
-            # The following examples demonstrate different possible layerings for
-            # `projects/bar` parented by `organizations/foo`:
-            #
-            # Example 1 (no inherited values):
-            #   `organizations/foo` has a `Policy` with values:
-            #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-            #   `projects/bar` has `inherit_from_parent` `false` and values:
-            #     {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;}
-            # The accepted values at `organizations/foo` are `E1`, `E2`.
-            # The accepted values at `projects/bar` are `E3`, and `E4`.
-            #
-            # Example 2 (inherited values):
-            #   `organizations/foo` has a `Policy` with values:
-            #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-            #   `projects/bar` has a `Policy` with values:
-            #     {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true}
-            # The accepted values at `organizations/foo` are `E1`, `E2`.
-            # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
-            #
-            # Example 3 (inheriting both allowed and denied values):
-            #   `organizations/foo` has a `Policy` with values:
-            #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-            #   `projects/bar` has a `Policy` with:
-            #     {denied_values: &quot;E1&quot;}
-            # The accepted values at `organizations/foo` are `E1`, `E2`.
-            # The value accepted at `projects/bar` is `E2`.
-            #
-            # Example 4 (RestoreDefault):
-            #   `organizations/foo` has a `Policy` with values:
-            #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-            #   `projects/bar` has a `Policy` with values:
-            #     {RestoreDefault: {}}
-            # The accepted values at `organizations/foo` are `E1`, `E2`.
-            # The accepted values at `projects/bar` are either all or none depending on
-            # the value of `constraint_default` (if `ALLOW`, all; if
-            # `DENY`, none).
-            #
-            # Example 5 (no policy inherits parent policy):
-            #   `organizations/foo` has no `Policy` set.
-            #   `projects/bar` has no `Policy` set.
-            # The accepted values at both levels are either all or none depending on
-            # the value of `constraint_default` (if `ALLOW`, all; if
-            # `DENY`, none).
-            #
-            # Example 6 (ListConstraint allowing all):
-            #   `organizations/foo` has a `Policy` with values:
-            #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-            #   `projects/bar` has a `Policy` with:
-            #     {all: ALLOW}
-            # The accepted values at `organizations/foo` are `E1`, E2`.
-            # Any value is accepted at `projects/bar`.
-            #
-            # Example 7 (ListConstraint allowing none):
-            #   `organizations/foo` has a `Policy` with values:
-            #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-            #   `projects/bar` has a `Policy` with:
-            #     {all: DENY}
-            # The accepted values at `organizations/foo` are `E1`, E2`.
-            # No value is accepted at `projects/bar`.
-            #
-            # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
-            # Given the following resource hierarchy
-            #   O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3},
-            #   `organizations/foo` has a `Policy` with values:
-            #     {allowed_values: &quot;under:organizations/O1&quot;}
-            #   `projects/bar` has a `Policy` with:
-            #     {allowed_values: &quot;under:projects/P3&quot;}
-            #     {denied_values: &quot;under:folders/F2&quot;}
-            # The accepted values at `organizations/foo` are `organizations/O1`,
-            #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
-            #   `projects/P3`.
-            # The accepted values at `projects/bar` are `organizations/O1`,
-            #   `folders/F1`, `projects/P1`.
+        &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this `Policy`. If `suggested_value` is not set, it will inherit the value specified higher in the hierarchy, unless `inherit_from_parent` is `false`.
+        &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`. By default, a `ListPolicy` set at a resource supersedes any `Policy` set anywhere up the resource hierarchy. However, if `inherit_from_parent` is set to `true`, then the values from the effective `Policy` of the parent resource are inherited, meaning the values set in this `Policy` are added to the values inherited up the hierarchy. Setting `Policy` hierarchies that inherit both allowed values and denied values isn&#x27;t recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a `Policy` with `allowed_values` set that inherits a `Policy` with `denied_values` set. In this case, the values that are allowed must be in `allowed_values` and not present in `denied_values`. For example, suppose you have a `Constraint` `constraints/serviceuser.services`, which has a `constraint_type` of `list_constraint`, and with `constraint_default` set to `ALLOW`. Suppose that at the Organization level, a `Policy` is applied that restricts the allowed API activations to {`E1`, `E2`}. Then, if a `Policy` is applied to a project below the Organization that has `inherit_from_parent` set to `false` and field all_values set to DENY, then an attempt to activate any API will be denied. The following examples demonstrate different possible layerings for `projects/bar` parented by `organizations/foo`: Example 1 (no inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has `inherit_from_parent` `false` and values: {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E3`, and `E4`. 
Example 2 (inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. Example 3 (inheriting both allowed and denied values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {denied_values: &quot;E1&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The value accepted at `projects/bar` is `E2`. Example 4 (RestoreDefault): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {RestoreDefault: {}} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 5 (no policy inherits parent policy): `organizations/foo` has no `Policy` set. `projects/bar` has no `Policy` set. The accepted values at both levels are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 6 (ListConstraint allowing all): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: ALLOW} The accepted values at `organizations/foo` are `E1`, E2`. Any value is accepted at `projects/bar`. Example 7 (ListConstraint allowing none): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: DENY} The accepted values at `organizations/foo` are `E1`, E2`. No value is accepted at `projects/bar`. 
Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3}, `organizations/foo` has a `Policy` with values: {allowed_values: &quot;under:organizations/O1&quot;} `projects/bar` has a `Policy` with: {allowed_values: &quot;under:projects/P3&quot;} {denied_values: &quot;under:folders/F2&quot;} The accepted values at `organizations/foo` are `organizations/O1`, `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, `projects/P3`. The accepted values at `projects/bar` are `organizations/O1`, `folders/F1`, `projects/P1`.
       },
     },
   }
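Review bot: The regenerated `listPolicy` description drops the placeholders from the ancestry-subtree formats. The removed lines read &quot;projects/&lt;project-id&gt;&quot;, &quot;folders/&lt;folder-id&gt;&quot; and &quot;organizations/&lt;organization-id&gt;&quot;, while the added line reads &quot;projects/&quot;, &quot;folders/&quot; and &quot;organizations/&quot;. A reader writing `under:` values for `allowed_values` or `denied_values` can no longer see the required format. The angle-bracket text looks like it is being stripped as markup when the comment is flattened to one line; escape it before flattening and regenerate. In the same hunk, the added `inheritFromParent` comment is split before "Example 2" and "Example 10", and those continuation lines carry no `#` marker, so in the rendered page they fall outside the comment. Either collapse the embedded newlines or re-emit the `#` prefix on each continuation line.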
@@ -1249,228 +386,26 @@
 Returns:
   An object of the form:
 
-    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
-      # for configurations of Cloud Platform resources.
-    &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
-        # resource.
-      &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
-          # configuration is acceptable.
-          #
-          # Suppose you have a `Constraint`
-          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
-          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
-          # behavior:
-          #   - If the `Policy` at this resource has enforced set to `false`, serial
-          #     port connection attempts will be allowed.
-          #   - If the `Policy` at this resource has enforced set to `true`, serial
-          #     port connection attempts will be refused.
-          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
-          #     connection attempts will be allowed.
-          #   - If no `Policy` is set at this resource or anywhere higher in the
-          #     resource hierarchy, serial port connection attempts will be allowed.
-          #   - If no `Policy` is set at this resource, but one exists higher in the
-          #     resource hierarchy, the behavior is as if the`Policy` were set at
-          #     this resource.
-          #
-          # The following examples demonstrate the different possible layerings:
-          #
-          # Example 1 (nearest `Constraint` wins):
-          #   `organizations/foo` has a `Policy` with:
-          #     {enforced: false}
-          #   `projects/bar` has no `Policy` set.
-          # The constraint at `projects/bar` and `organizations/foo` will not be
-          # enforced.
-          #
-          # Example 2 (enforcement gets replaced):
-          #   `organizations/foo` has a `Policy` with:
-          #     {enforced: false}
-          #   `projects/bar` has a `Policy` with:
-          #     {enforced: true}
-          # The constraint at `organizations/foo` is not enforced.
-          # The constraint at `projects/bar` is enforced.
-          #
-          # Example 3 (RestoreDefault):
-          #   `organizations/foo` has a `Policy` with:
-          #     {enforced: true}
-          #   `projects/bar` has a `Policy` with:
-          #     {RestoreDefault: {}}
-          # The constraint at `organizations/foo` is enforced.
-          # The constraint at `projects/bar` is not enforced, because
-          # `constraint_default` for the `Constraint` is `ALLOW`.
+    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` for configurations of Cloud Platform resources.
+    &quot;booleanPolicy&quot;: { # Used in `policy_type` to specify how `boolean_policy` will behave at this resource. # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+      &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any configuration is acceptable. Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` with `constraint_default` set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following behavior: - If the `Policy` at this resource has enforced set to `false`, serial port connection attempts will be allowed. - If the `Policy` at this resource has enforced set to `true`, serial port connection attempts will be refused. - If the `Policy` at this resource is `RestoreDefault`, serial port connection attempts will be allowed. - If no `Policy` is set at this resource or anywhere higher in the resource hierarchy, serial port connection attempts will be allowed. - If no `Policy` is set at this resource, but one exists higher in the resource hierarchy, the behavior is as if the`Policy` were set at this resource. The following examples demonstrate the different possible layerings: Example 1 (nearest `Constraint` wins): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has no `Policy` set. The constraint at `projects/bar` and `organizations/foo` will not be enforced. Example 2 (enforcement gets replaced): `organizations/foo` has a `Policy` with: {enforced: false} `projects/bar` has a `Policy` with: {enforced: true} The constraint at `organizations/foo` is not enforced. The constraint at `projects/bar` is enforced. Example 3 (RestoreDefault): `organizations/foo` has a `Policy` with: {enforced: true} `projects/bar` has a `Policy` with: {RestoreDefault: {}} The constraint at `organizations/foo` is enforced. The constraint at `projects/bar` is not enforced, because `constraint_default` for the `Constraint` is `ALLOW`.
     },
-    &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
-        # `Constraint` type.
-        # `constraint_default` enforcement behavior of the specific `Constraint` at
-        # this resource.
-        #
-        # Suppose that `constraint_default` is set to `ALLOW` for the
-        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
-        # foo.com sets a `Policy` at their Organization resource node that restricts
-        # the allowed service activations to deny all service activations. They
-        # could then set a `Policy` with the `policy_type` `restore_default` on
-        # several experimental projects, restoring the `constraint_default`
-        # enforcement of the `Constraint` for only those projects, allowing those
-        # projects to have all services activated.
+    &quot;restoreDefault&quot;: { # Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific `Constraint` at this resource. Suppose that `constraint_default` is set to `ALLOW` for the `Constraint` `constraints/serviceuser.services`. Suppose that organization foo.com sets a `Policy` at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a `Policy` with the `policy_type` `restore_default` on several experimental projects, restoring the `constraint_default` enforcement of the `Constraint` for only those projects, allowing those projects to have all services activated. # Restores the default behavior of the constraint; independent of `Constraint` type.
     },
-    &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the
-        # server, not specified by the caller, and represents the last time a call to
-        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
-        # be ignored.
+    &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for concurrency control. When the `Policy` is returned from either a `GetPolicy` or a `ListOrgPolicy` request, this `etag` indicates the version of the current `Policy` to use when executing a read-modify-write loop. When the `Policy` is returned from a `GetEffectivePolicy` request, the `etag` will be unset. When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value that was returned from a `GetOrgPolicy` request as part of a read-modify-write loop for concurrency control. Not setting the `etag`in a `SetOrgPolicy` request will result in an unconditional write of the `Policy`.
+    &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example, `constraints/serviceuser.services`. A [list of available constraints](/resource-manager/docs/organization-policy/org-policy-constraints) is available. Immutable after creation.
     &quot;version&quot;: 42, # Version of the `Policy`. Default version is 0;
-    &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for
-        # concurrency control.
-        #
-        # When the `Policy` is returned from either a `GetPolicy` or a
-        # `ListOrgPolicy` request, this `etag` indicates the version of the current
-        # `Policy` to use when executing a read-modify-write loop.
-        #
-        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
-        # `etag` will be unset.
-        #
-        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
-        # that was returned from a `GetOrgPolicy` request as part of a
-        # read-modify-write loop for concurrency control. Not setting the `etag`in a
-        # `SetOrgPolicy` request will result in an unconditional write of the
-        # `Policy`.
-    &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example,
-        # `constraints/serviceuser.services`.
-        #
-        # A [list of available
-        # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
-        # is available.
-        #
-        # Immutable after creation.
-    &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
-        # resource.
-        #
-        # `ListPolicy` can define specific values and subtrees of Cloud Resource
-        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
-        # are allowed or denied by setting the `allowed_values` and `denied_values`
-        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
-        # The `under:` prefix is used to denote resource subtree values.
-        # The `is:` prefix is used to denote specific values, and is required only
-        # if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the
-        # same as values with no prefix.
-        # Ancestry subtrees must be in one of the following formats:
-        #     - &quot;projects/&lt;project-id&gt;&quot;, e.g. &quot;projects/tokyo-rain-123&quot;
-        #     - &quot;folders/&lt;folder-id&gt;&quot;, e.g. &quot;folders/1234&quot;
-        #     - &quot;organizations/&lt;organization-id&gt;&quot;, e.g. &quot;organizations/1234&quot;
-        # The `supports_under` field of the associated `Constraint`  defines whether
-        # ancestry prefixes can be used. You can set `allowed_values` and
-        # `denied_values` in the same `Policy` if `all_values` is
-        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
-        # values. If `all_values` is set to either `ALLOW` or `DENY`,
-        # `allowed_values` and `denied_values` must be unset.
+    &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to `SetOrgPolicy` was made for that `Policy`. Any value set by the client will be ignored.
+    &quot;listPolicy&quot;: { # Used in `policy_type` to specify how `list_policy` behaves at this resource. `ListPolicy` can define specific values and subtrees of Cloud Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied by setting the `allowed_values` and `denied_values` fields. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - &quot;projects/&quot;, e.g. &quot;projects/tokyo-rain-123&quot; - &quot;folders/&quot;, e.g. &quot;folders/1234&quot; - &quot;organizations/&quot;, e.g. &quot;organizations/1234&quot; The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. You can set `allowed_values` and `denied_values` in the same `Policy` if `all_values` is `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all values. If `all_values` is set to either `ALLOW` or `DENY`, `allowed_values` and `denied_values` must be unset. # List of values either allowed or disallowed.
+      &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
+        &quot;A String&quot;,
+      ],
       &quot;allValues&quot;: &quot;A String&quot;, # The policy all_values state.
-      &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values`
-          # is set to `ALL_VALUES_UNSPECIFIED`.
+      &quot;allowedValues&quot;: [ # List of values allowed at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
         &quot;A String&quot;,
       ],
-      &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration
-          # that matches the value specified in this `Policy`. If `suggested_value`
-          # is not set, it will inherit the value specified higher in the hierarchy,
-          # unless `inherit_from_parent` is `false`.
-      &quot;allowedValues&quot;: [ # List of values allowed  at this resource. Can only be set if `all_values`
-          # is set to `ALL_VALUES_UNSPECIFIED`.
-        &quot;A String&quot;,
-      ],
-      &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`.
-          #
-          # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
-          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
-          # set to `true`, then the values from the effective `Policy` of the parent
-          # resource are inherited, meaning the values set in this `Policy` are
-          # added to the values inherited up the hierarchy.
-          #
-          # Setting `Policy` hierarchies that inherit both allowed values and denied
-          # values isn&#x27;t recommended in most circumstances to keep the configuration
-          # simple and understandable. However, it is possible to set a `Policy` with
-          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
-          # In this case, the values that are allowed must be in `allowed_values` and
-          # not present in `denied_values`.
-          #
-          # For example, suppose you have a `Constraint`
-          # `constraints/serviceuser.services`, which has a `constraint_type` of
-          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
-          # Suppose that at the Organization level, a `Policy` is applied that
-          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
-          # `Policy` is applied to a project below the Organization that has
-          # `inherit_from_parent` set to `false` and field all_values set to DENY,
-          # then an attempt to activate any API will be denied.
-          #
-          # The following examples demonstrate different possible layerings for
-          # `projects/bar` parented by `organizations/foo`:
-          #
-          # Example 1 (no inherited values):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-          #   `projects/bar` has `inherit_from_parent` `false` and values:
-          #     {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The accepted values at `projects/bar` are `E3`, and `E4`.
-          #
-          # Example 2 (inherited values):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with values:
-          #     {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
-          #
-          # Example 3 (inheriting both allowed and denied values):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {denied_values: &quot;E1&quot;}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The value accepted at `projects/bar` is `E2`.
-          #
-          # Example 4 (RestoreDefault):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with values:
-          #     {RestoreDefault: {}}
-          # The accepted values at `organizations/foo` are `E1`, `E2`.
-          # The accepted values at `projects/bar` are either all or none depending on
-          # the value of `constraint_default` (if `ALLOW`, all; if
-          # `DENY`, none).
-          #
-          # Example 5 (no policy inherits parent policy):
-          #   `organizations/foo` has no `Policy` set.
-          #   `projects/bar` has no `Policy` set.
-          # The accepted values at both levels are either all or none depending on
-          # the value of `constraint_default` (if `ALLOW`, all; if
-          # `DENY`, none).
-          #
-          # Example 6 (ListConstraint allowing all):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {all: ALLOW}
-          # The accepted values at `organizations/foo` are `E1`, E2`.
-          # Any value is accepted at `projects/bar`.
-          #
-          # Example 7 (ListConstraint allowing none):
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {all: DENY}
-          # The accepted values at `organizations/foo` are `E1`, E2`.
-          # No value is accepted at `projects/bar`.
-          #
-          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
-          # Given the following resource hierarchy
-          #   O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3},
-          #   `organizations/foo` has a `Policy` with values:
-          #     {allowed_values: &quot;under:organizations/O1&quot;}
-          #   `projects/bar` has a `Policy` with:
-          #     {allowed_values: &quot;under:projects/P3&quot;}
-          #     {denied_values: &quot;under:folders/F2&quot;}
-          # The accepted values at `organizations/foo` are `organizations/O1`,
-          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
-          #   `projects/P3`.
-          # The accepted values at `projects/bar` are `organizations/O1`,
-          #   `folders/F1`, `projects/P1`.
+      &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this `Policy`. If `suggested_value` is not set, it will inherit the value specified higher in the hierarchy, unless `inherit_from_parent` is `false`.
+      &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`. By default, a `ListPolicy` set at a resource supersedes any `Policy` set anywhere up the resource hierarchy. However, if `inherit_from_parent` is set to `true`, then the values from the effective `Policy` of the parent resource are inherited, meaning the values set in this `Policy` are added to the values inherited up the hierarchy. Setting `Policy` hierarchies that inherit both allowed values and denied values isn&#x27;t recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a `Policy` with `allowed_values` set that inherits a `Policy` with `denied_values` set. In this case, the values that are allowed must be in `allowed_values` and not present in `denied_values`. For example, suppose you have a `Constraint` `constraints/serviceuser.services`, which has a `constraint_type` of `list_constraint`, and with `constraint_default` set to `ALLOW`. Suppose that at the Organization level, a `Policy` is applied that restricts the allowed API activations to {`E1`, `E2`}. Then, if a `Policy` is applied to a project below the Organization that has `inherit_from_parent` set to `false` and field all_values set to DENY, then an attempt to activate any API will be denied. The following examples demonstrate different possible layerings for `projects/bar` parented by `organizations/foo`: Example 1 (no inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has `inherit_from_parent` `false` and values: {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E3`, and `E4`. 
Example 2 (inherited values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. Example 3 (inheriting both allowed and denied values): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {denied_values: &quot;E1&quot;} The accepted values at `organizations/foo` are `E1`, `E2`. The value accepted at `projects/bar` is `E2`. Example 4 (RestoreDefault): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;} `projects/bar` has a `Policy` with values: {RestoreDefault: {}} The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 5 (no policy inherits parent policy): `organizations/foo` has no `Policy` set. `projects/bar` has no `Policy` set. The accepted values at both levels are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 6 (ListConstraint allowing all): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: ALLOW} The accepted values at `organizations/foo` are `E1`, E2`. Any value is accepted at `projects/bar`. Example 7 (ListConstraint allowing none): `organizations/foo` has a `Policy` with values: {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;} `projects/bar` has a `Policy` with: {all: DENY} The accepted values at `organizations/foo` are `E1`, E2`. No value is accepted at `projects/bar`. 
Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3}, `organizations/foo` has a `Policy` with values: {allowed_values: &quot;under:organizations/O1&quot;} `projects/bar` has a `Policy` with: {allowed_values: &quot;under:projects/P3&quot;} {denied_values: &quot;under:folders/F2&quot;} The accepted values at `organizations/foo` are `organizations/O1`, `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, `projects/P3`. The accepted values at `projects/bar` are `organizations/O1`, `folders/F1`, `projects/P1`.
     },
   }</pre>
 </div>
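Review bot: In the regenerated `inheritFromParent` comment, the layering examples (Example 1 through Example 10) that previously sat on separate `#` lines are now collapsed into one run-on paragraph, so the policy set at `organizations/foo`, the policy set at `projects/bar`, and the resulting accepted values are no longer visually separable. The same applies to the `listPolicy` comment, where the ancestry formats list ("- projects/ ... - folders/ ... - organizations/ ...") is flattened into the sentence. This text is what readers rely on to reason about allow/deny inheritance, so I would ask that the doc generator keep the line breaks from the source description instead of folding whitespace. Separately, the carried-over text has defects that appear in both the removed and the added lines and should be reported against the upstream description rather than patched here: the unbalanced backtick in "`E1`, E2`" (Examples 6 and 7), Example 2 using `value:` where every other example uses `allowed_values:`, the numbering jumping from Example 7 to Example 10, and "field all_values set to DENY" missing its backticks. The key reordering (`deniedValues` now ahead of `allValues`) makes this hunk look larger than the actual content change; a stable key order in the generator would keep future doc diffs reviewable.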