Regen all docs. (#700)
* Stop recursing if discovery == {}
* Generate docs with 'make docs'.
diff --git a/docs/dyn/cloudresourcemanager_v1.folders.html b/docs/dyn/cloudresourcemanager_v1.folders.html
index c7174cc..6598718 100644
--- a/docs/dyn/cloudresourcemanager_v1.folders.html
+++ b/docs/dyn/cloudresourcemanager_v1.folders.html
@@ -72,7 +72,7 @@
</style>
-<h1><a href="cloudresourcemanager_v1.html">Google Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.folders.html">folders</a></h1>
+<h1><a href="cloudresourcemanager_v1.html">Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.folders.html">folders</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
<code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
@@ -139,6 +139,8 @@
<pre>Gets the effective `Policy` on a resource. This is the result of merging
`Policies` in the resource hierarchy. The returned `Policy` will not have
an `etag`set because it is a computed `Policy` across multiple resources.
+Subtrees of Resource Manager resource hierarchy with 'under:' prefix will
+not be expanded.
Args:
resource: string, The name of the resource to start computing the effective `Policy`. (required)
@@ -163,6 +165,7 @@
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
@@ -184,17 +187,27 @@
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
- # A `ListPolicy` can define specific values that are allowed or denied by
- # setting either the `allowed_values` or `denied_values` fields. It can also
- # be used to allow or deny all values, by setting the `all_values` field. If
- # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
- # or `denied_values` must be set (attempting to set both or neither will
- # result in a failed request). If `all_values` is set to either `ALLOW` or
- # `DENY`, `allowed_values` and `denied_values` must be unset.
+ # `ListPolicy` can define specific values and subtrees of Cloud Resource
+ # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
+ # are allowed or denied by setting the `allowed_values` and `denied_values`
+ # fields. This is achieved by using the `under:` and optional `is:` prefixes.
+ # The `under:` prefix is used to denote resource subtree values.
+ # The `is:` prefix is used to denote specific values, and is required only
+ # if the value contains a ":". Values prefixed with "is:" are treated the
+ # same as values with no prefix.
+ # Ancestry subtrees must be in one of the following formats:
+ # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123”
+ # - “folders/<folder-id>”, e.g. “folders/1234”
+ # - “organizations/<organization-id>”, e.g. “organizations/1234”
+ # The `supports_under` field of the associated `Constraint` defines whether
+ # ancestry prefixes can be used. You can set `allowed_values` and
+ # `denied_values` in the same `Policy` if `all_values` is
+ # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
+ # values. If `all_values` is set to either `ALLOW` or `DENY`,
+ # `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
- # set for `denied_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
@@ -221,12 +234,13 @@
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
- # The following examples demonstrate different possible layerings:
+ # The following examples demonstrate different possible layerings for
+ # `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: “E1” allowed_values:”E2”}
- # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
@@ -279,13 +293,26 @@
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
+ #
+ # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
+ # Given the following resource hierarchy
+ # O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "under:organizations/O1"}
+ # `projects/bar` has a `Policy` with:
+ # {allowed_values: "under:projects/P3"}
+ # {denied_values: "under:folders/F2"}
+ # The accepted values at `organizations/foo` are `organizations/O1`,
+ # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
+ # `projects/P3`.
+ # The accepted values at `projects/bar` are `organizations/O1`,
+ # `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
- # set for `allowed_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
@@ -294,9 +321,10 @@
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
- # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
- # with `constraint_default` set to `ALLOW`. A `Policy` for that
- # `Constraint` exhibits the following behavior:
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
@@ -335,7 +363,6 @@
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
- "version": 42, # Version of the `Policy`. Default version is 0;
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
@@ -386,6 +413,7 @@
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
@@ -407,17 +435,27 @@
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
- # A `ListPolicy` can define specific values that are allowed or denied by
- # setting either the `allowed_values` or `denied_values` fields. It can also
- # be used to allow or deny all values, by setting the `all_values` field. If
- # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
- # or `denied_values` must be set (attempting to set both or neither will
- # result in a failed request). If `all_values` is set to either `ALLOW` or
- # `DENY`, `allowed_values` and `denied_values` must be unset.
+ # `ListPolicy` can define specific values and subtrees of Cloud Resource
+ # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
+ # are allowed or denied by setting the `allowed_values` and `denied_values`
+ # fields. This is achieved by using the `under:` and optional `is:` prefixes.
+ # The `under:` prefix is used to denote resource subtree values.
+ # The `is:` prefix is used to denote specific values, and is required only
+ # if the value contains a ":". Values prefixed with "is:" are treated the
+ # same as values with no prefix.
+ # Ancestry subtrees must be in one of the following formats:
+ # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123”
+ # - “folders/<folder-id>”, e.g. “folders/1234”
+ # - “organizations/<organization-id>”, e.g. “organizations/1234”
+ # The `supports_under` field of the associated `Constraint` defines whether
+ # ancestry prefixes can be used. You can set `allowed_values` and
+ # `denied_values` in the same `Policy` if `all_values` is
+ # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
+ # values. If `all_values` is set to either `ALLOW` or `DENY`,
+ # `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
- # set for `denied_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
@@ -444,12 +482,13 @@
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
- # The following examples demonstrate different possible layerings:
+ # The following examples demonstrate different possible layerings for
+ # `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: “E1” allowed_values:”E2”}
- # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
@@ -502,13 +541,26 @@
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
+ #
+ # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
+ # Given the following resource hierarchy
+ # O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "under:organizations/O1"}
+ # `projects/bar` has a `Policy` with:
+ # {allowed_values: "under:projects/P3"}
+ # {denied_values: "under:folders/F2"}
+ # The accepted values at `organizations/foo` are `organizations/O1`,
+ # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
+ # `projects/P3`.
+ # The accepted values at `projects/bar` are `organizations/O1`,
+ # `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
- # set for `allowed_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
@@ -517,9 +569,10 @@
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
- # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
- # with `constraint_default` set to `ALLOW`. A `Policy` for that
- # `Constraint` exhibits the following behavior:
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
@@ -558,7 +611,6 @@
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
- "version": 42, # Version of the `Policy`. Default version is 0;
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
@@ -627,10 +679,8 @@
"displayName": "A String", # The human readable name.
#
# Mutable.
- "description": "A String", # Detailed description of what this `Constraint` controls as well as how and
- # where it is enforced.
- #
- # Mutable.
+ "name": "A String", # Immutable value, required to globally be unique. For example,
+ # `constraints/serviceuser.services`
"booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
#
# For example a constraint `constraints/compute.disableSerialPortAccess`.
@@ -640,11 +690,17 @@
"version": 42, # Version of the `Constraint`. Default version is 0;
"listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
# configured by an Organization's policy administrator with a `Policy`.
+ "supportsUnder": True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy
+ # can be used in `Policy.allowed_values` and `Policy.denied_values`. For
+ # example, `"under:folders/123"` would match any resource under the
+ # 'folders/123' folder.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Constraint`.
},
- "name": "A String", # Immutable value, required to globally be unique. For example,
- # `constraints/serviceuser.services`
+ "description": "A String", # Detailed description of what this `Constraint` controls as well as how and
+ # where it is enforced.
+ #
+ # Mutable.
},
],
}</pre>
@@ -701,6 +757,7 @@
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
@@ -722,17 +779,27 @@
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
- # A `ListPolicy` can define specific values that are allowed or denied by
- # setting either the `allowed_values` or `denied_values` fields. It can also
- # be used to allow or deny all values, by setting the `all_values` field. If
- # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
- # or `denied_values` must be set (attempting to set both or neither will
- # result in a failed request). If `all_values` is set to either `ALLOW` or
- # `DENY`, `allowed_values` and `denied_values` must be unset.
+ # `ListPolicy` can define specific values and subtrees of Cloud Resource
+ # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
+ # are allowed or denied by setting the `allowed_values` and `denied_values`
+ # fields. This is achieved by using the `under:` and optional `is:` prefixes.
+ # The `under:` prefix is used to denote resource subtree values.
+ # The `is:` prefix is used to denote specific values, and is required only
+ # if the value contains a ":". Values prefixed with "is:" are treated the
+ # same as values with no prefix.
+ # Ancestry subtrees must be in one of the following formats:
+ # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123”
+ # - “folders/<folder-id>”, e.g. “folders/1234”
+ # - “organizations/<organization-id>”, e.g. “organizations/1234”
+ # The `supports_under` field of the associated `Constraint` defines whether
+ # ancestry prefixes can be used. You can set `allowed_values` and
+ # `denied_values` in the same `Policy` if `all_values` is
+ # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
+ # values. If `all_values` is set to either `ALLOW` or `DENY`,
+ # `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
- # set for `denied_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
@@ -759,12 +826,13 @@
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
- # The following examples demonstrate different possible layerings:
+ # The following examples demonstrate different possible layerings for
+ # `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: “E1” allowed_values:”E2”}
- # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
@@ -817,13 +885,26 @@
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
+ #
+ # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
+ # Given the following resource hierarchy
+ # O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "under:organizations/O1"}
+ # `projects/bar` has a `Policy` with:
+ # {allowed_values: "under:projects/P3"}
+ # {denied_values: "under:folders/F2"}
+ # The accepted values at `organizations/foo` are `organizations/O1`,
+ # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
+ # `projects/P3`.
+ # The accepted values at `projects/bar` are `organizations/O1`,
+ # `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
- # set for `allowed_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
@@ -832,9 +913,10 @@
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
- # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
- # with `constraint_default` set to `ALLOW`. A `Policy` for that
- # `Constraint` exhibits the following behavior:
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
@@ -873,7 +955,6 @@
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
- "version": 42, # Version of the `Policy`. Default version is 0;
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
@@ -928,6 +1009,7 @@
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
@@ -949,17 +1031,27 @@
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
- # A `ListPolicy` can define specific values that are allowed or denied by
- # setting either the `allowed_values` or `denied_values` fields. It can also
- # be used to allow or deny all values, by setting the `all_values` field. If
- # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
- # or `denied_values` must be set (attempting to set both or neither will
- # result in a failed request). If `all_values` is set to either `ALLOW` or
- # `DENY`, `allowed_values` and `denied_values` must be unset.
+ # `ListPolicy` can define specific values and subtrees of Cloud Resource
+ # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
+ # are allowed or denied by setting the `allowed_values` and `denied_values`
+ # fields. This is achieved by using the `under:` and optional `is:` prefixes.
+ # The `under:` prefix is used to denote resource subtree values.
+ # The `is:` prefix is used to denote specific values, and is required only
+ # if the value contains a ":". Values prefixed with "is:" are treated the
+ # same as values with no prefix.
+ # Ancestry subtrees must be in one of the following formats:
+ # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123”
+ # - “folders/<folder-id>”, e.g. “folders/1234”
+ # - “organizations/<organization-id>”, e.g. “organizations/1234”
+ # The `supports_under` field of the associated `Constraint` defines whether
+ # ancestry prefixes can be used. You can set `allowed_values` and
+ # `denied_values` in the same `Policy` if `all_values` is
+ # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
+ # values. If `all_values` is set to either `ALLOW` or `DENY`,
+ # `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
- # set for `denied_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
@@ -986,12 +1078,13 @@
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
- # The following examples demonstrate different possible layerings:
+ # The following examples demonstrate different possible layerings for
+ # `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: “E1” allowed_values:”E2”}
- # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
@@ -1044,13 +1137,26 @@
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
+ #
+ # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
+ # Given the following resource hierarchy
+ # O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "under:organizations/O1"}
+ # `projects/bar` has a `Policy` with:
+ # {allowed_values: "under:projects/P3"}
+ # {denied_values: "under:folders/F2"}
+ # The accepted values at `organizations/foo` are `organizations/O1`,
+ # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
+ # `projects/P3`.
+ # The accepted values at `projects/bar` are `organizations/O1`,
+ # `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
- # set for `allowed_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
@@ -1059,9 +1165,10 @@
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
- # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
- # with `constraint_default` set to `ALLOW`. A `Policy` for that
- # `Constraint` exhibits the following behavior:
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
@@ -1100,7 +1207,6 @@
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
- "version": 42, # Version of the `Policy`. Default version is 0;
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
@@ -1133,6 +1239,7 @@
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
@@ -1154,17 +1261,27 @@
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
- # A `ListPolicy` can define specific values that are allowed or denied by
- # setting either the `allowed_values` or `denied_values` fields. It can also
- # be used to allow or deny all values, by setting the `all_values` field. If
- # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
- # or `denied_values` must be set (attempting to set both or neither will
- # result in a failed request). If `all_values` is set to either `ALLOW` or
- # `DENY`, `allowed_values` and `denied_values` must be unset.
+ # `ListPolicy` can define specific values and subtrees of Cloud Resource
+ # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
+ # are allowed or denied by setting the `allowed_values` and `denied_values`
+ # fields. This is achieved by using the `under:` and optional `is:` prefixes.
+ # The `under:` prefix is used to denote resource subtree values.
+ # The `is:` prefix is used to denote specific values, and is required only
+ # if the value contains a ":". Values prefixed with "is:" are treated the
+ # same as values with no prefix.
+ # Ancestry subtrees must be in one of the following formats:
+ # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123”
+ # - “folders/<folder-id>”, e.g. “folders/1234”
+ # - “organizations/<organization-id>”, e.g. “organizations/1234”
+ # The `supports_under` field of the associated `Constraint` defines whether
+ # ancestry prefixes can be used. You can set `allowed_values` and
+ # `denied_values` in the same `Policy` if `all_values` is
+ # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
+ # values. If `all_values` is set to either `ALLOW` or `DENY`,
+ # `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
- # set for `denied_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
@@ -1191,12 +1308,13 @@
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
- # The following examples demonstrate different possible layerings:
+ # The following examples demonstrate different possible layerings for
+ # `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: “E1” allowed_values:”E2”}
- # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
@@ -1249,13 +1367,26 @@
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
+ #
+ # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
+ # Given the following resource hierarchy
+ # O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "under:organizations/O1"}
+ # `projects/bar` has a `Policy` with:
+ # {allowed_values: "under:projects/P3"}
+ # {denied_values: "under:folders/F2"}
+ # The accepted values at `organizations/foo` are `organizations/O1`,
+ # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
+ # `projects/P3`.
+ # The accepted values at `projects/bar` are `organizations/O1`,
+ # `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
- # set for `allowed_values` and `all_values` is set to
- # `ALL_VALUES_UNSPECIFIED`.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
@@ -1264,9 +1395,10 @@
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
- # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
- # with `constraint_default` set to `ALLOW`. A `Policy` for that
- # `Constraint` exhibits the following behavior:
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
@@ -1305,7 +1437,6 @@
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
- "version": 42, # Version of the `Policy`. Default version is 0;
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#