Regen docs (#373)
diff --git a/docs/dyn/cloudresourcemanager_v1.folders.html b/docs/dyn/cloudresourcemanager_v1.folders.html
new file mode 100644
index 0000000..9b909ec
--- /dev/null
+++ b/docs/dyn/cloudresourcemanager_v1.folders.html
@@ -0,0 +1,2233 @@
+<html><body>
+<style>
+
+body, h1, h2, h3, div, span, p, pre, a {
+ margin: 0;
+ padding: 0;
+ border: 0;
+ font-weight: inherit;
+ font-style: inherit;
+ font-size: 100%;
+ font-family: inherit;
+ vertical-align: baseline;
+}
+
+body {
+ font-size: 13px;
+ padding: 1em;
+}
+
+h1 {
+ font-size: 26px;
+ margin-bottom: 1em;
+}
+
+h2 {
+ font-size: 24px;
+ margin-bottom: 1em;
+}
+
+h3 {
+ font-size: 20px;
+ margin-bottom: 1em;
+ margin-top: 1em;
+}
+
+pre, code {
+ line-height: 1.5;
+ font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
+}
+
+pre {
+ margin-top: 0.5em;
+}
+
+h1, h2, h3, p {
+ font-family: Arial, sans serif;
+}
+
+h1, h2, h3 {
+ border-bottom: solid #CCC 1px;
+}
+
+.toc_element {
+ margin-top: 0.5em;
+}
+
+.firstline {
+ margin-left: 2 em;
+}
+
+.method {
+ margin-top: 1em;
+ border: solid 1px #CCC;
+ padding: 1em;
+ background: #EEE;
+}
+
+.details {
+ font-weight: bold;
+ font-size: 14px;
+}
+
+</style>
+
+<h1><a href="cloudresourcemanager_v1.html">Google Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.folders.html">folders</a></h1>
+<h2>Instance Methods</h2>
+<p class="toc_element">
+ <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Clears a `Policy` from a resource.</p>
+<p class="toc_element">
+ <code><a href="#clearOrgPolicyV1">clearOrgPolicyV1(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Clears a `Policy` from a resource.</p>
+<p class="toc_element">
+ <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p>
+<p class="toc_element">
+ <code><a href="#getEffectiveOrgPolicyV1">getEffectiveOrgPolicyV1(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p>
+<p class="toc_element">
+ <code><a href="#getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Gets a `Policy` on a resource.</p>
+<p class="toc_element">
+ <code><a href="#getOrgPolicyV1">getOrgPolicyV1(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Gets a `Policy` on a resource.</p>
+<p class="toc_element">
+ <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p>
+<p class="toc_element">
+ <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p>
+<p class="firstline">Retrieves the next page of results.</p>
+<p class="toc_element">
+ <code><a href="#listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Lists all the `Policies` set for a particular resource.</p>
+<p class="toc_element">
+ <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p>
+<p class="firstline">Retrieves the next page of results.</p>
+<p class="toc_element">
+ <code><a href="#setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p>
+<p class="toc_element">
+ <code><a href="#setOrgPolicyV1">setOrgPolicyV1(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p>
+<h3>Method Details</h3>
+<div class="method">
+ <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</code>
+ <pre>Clears a `Policy` from a resource.
+
+Args:
+ resource: string, Name of the resource for the `Policy` to clear. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the ClearOrgPolicy method.
+ "etag": "A String", # The current version, for concurrency control. Not sending an `etag`
+ # will cause the `Policy` to be cleared blindly.
+ "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # A generic empty message that you can re-use to avoid defining duplicated
+ # empty messages in your APIs. A typical example is to use it as the request
+ # or the response type of an API method. For instance:
+ #
+ # service Foo {
+ # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
+ # }
+ #
+ # The JSON representation for `Empty` is empty JSON object `{}`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="clearOrgPolicyV1">clearOrgPolicyV1(resource, body, x__xgafv=None)</code>
+ <pre>Clears a `Policy` from a resource.
+
+Args:
+ resource: string, Name of the resource for the `Policy` to clear. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the ClearOrgPolicy method.
+ "etag": "A String", # The current version, for concurrency control. Not sending an `etag`
+ # will cause the `Policy` to be cleared blindly.
+ "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # A generic empty message that you can re-use to avoid defining duplicated
+ # empty messages in your APIs. A typical example is to use it as the request
+ # or the response type of an API method. For instance:
+ #
+ # service Foo {
+ # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
+ # }
+ #
+ # The JSON representation for `Empty` is empty JSON object `{}`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code>
+ <pre>Gets the effective `Policy` on a resource. This is the result of merging
+`Policies` in the resource hierarchy. The returned `Policy` will not have
+an `etag`set because it is a computed `Policy` across multiple resources.
+
+Args:
+ resource: string, The name of the resource to start computing the effective `Policy`. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the GetEffectiveOrgPolicy method.
+ "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="getEffectiveOrgPolicyV1">getEffectiveOrgPolicyV1(resource, body, x__xgafv=None)</code>
+ <pre>Gets the effective `Policy` on a resource. This is the result of merging
+`Policies` in the resource hierarchy. The returned `Policy` will not have
+an `etag`set because it is a computed `Policy` across multiple resources.
+
+Args:
+ resource: string, The name of the resource to start computing the effective `Policy`. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the GetEffectiveOrgPolicy method.
+ "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code>
+ <pre>Gets a `Policy` on a resource.
+
+If no `Policy` is set on the resource, a `Policy` is returned with default
+values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
+`etag` value can be used with `SetOrgPolicy()` to create or update a
+`Policy` during read-modify-write.
+
+Args:
+ resource: string, Name of the resource the `Policy` is set on. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the GetOrgPolicy method.
+ "constraint": "A String", # Name of the `Constraint` to get the `Policy`.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="getOrgPolicyV1">getOrgPolicyV1(resource, body, x__xgafv=None)</code>
+ <pre>Gets a `Policy` on a resource.
+
+If no `Policy` is set on the resource, a `Policy` is returned with default
+values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
+`etag` value can be used with `SetOrgPolicy()` to create or update a
+`Policy` during read-modify-write.
+
+Args:
+ resource: string, Name of the resource the `Policy` is set on. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the GetOrgPolicy method.
+ "constraint": "A String", # Name of the `Constraint` to get the `Policy`.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code>
+ <pre>Lists `Constraints` that could be applied on the specified resource.
+
+Args:
+ resource: string, Name of the resource to list `Constraints` for. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the [ListAvailableOrgPolicyConstraints]
+ # google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
+ "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
+ # and will be ignored. The server may at any point start using this field.
+ "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
+ # be ignored. The server may at any point start using this field to limit
+ # page size.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # The response returned from the ListAvailableOrgPolicyConstraints method.
+ # Returns all `Constraints` that could be set at this level of the hierarchy
+ # (contrast with the response from `ListPolicies`, which returns all policies
+ # which are set).
+ "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
+ "constraints": [ # The collection of constraints that are settable on the request resource.
+ { # A `Constraint` describes a way in which a resource's configuration can be
+ # restricted. For example, it controls which cloud services can be activated
+ # across an organization, or whether a Compute Engine instance can have
+ # serial port connections established. `Constraints` can be configured by the
+ # organization's policy adminstrator to fit the needs of the organzation by
+ # setting Policies for `Constraints` at different locations in the
+ # organization's resource hierarchy. Policies are inherited down the resource
+ # hierarchy from higher levels, but can also be overridden. For details about
+ # the inheritance rules please read about
+ # Policies.
+ #
+ # `Constraints` have a default behavior determined by the `constraint_default`
+ # field, which is the enforcement behavior that is used in the absence of a
+ # `Policy` being defined or inherited for the resource in question.
+ "constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'.
+ "displayName": "A String", # The human readable name.
+ #
+ # Mutable.
+ "name": "A String", # Immutable value, required to globally be unique. For example,
+ # `constraints/serviceuser.services`
+ "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
+ #
+ # For example a constraint `constraints/compute.disableSerialPortAccess`.
+ # If it is enforced on a VM instance, serial port connections will not be
+ # opened to that instance.
+ },
+ "version": 42, # Version of the `Constraint`. Default version is 0;
+ "listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
+ # configured by an Organization's policy administrator with a `Policy`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Constraint`.
+ },
+ "description": "A String", # Detailed description of what this `Constraint` controls as well as how and
+ # where it is enforced.
+ #
+ # Mutable.
+ },
+ ],
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code>
+ <pre>Retrieves the next page of results.
+
+Args:
+ previous_request: The request for the previous page. (required)
+ previous_response: The response from the request for the previous page. (required)
+
+Returns:
+ A request object that you can call 'execute()' on to request the next
+ page. Returns None if there are no more items in the collection.
+ </pre>
+</div>
+
+<div class="method">
+ <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code>
+ <pre>Lists all the `Policies` set for a particular resource.
+
+Args:
+ resource: string, Name of the resource to list Policies for. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the ListOrgPolicies method.
+ "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
+ # and will be ignored. The server may at any point start using this field.
+ "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
+ # be ignored. The server may at any point start using this field to limit
+ # page size.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # The response returned from the ListOrgPolicies method. It will be empty
+ # if no `Policies` are set on the resource.
+ "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
+ # the server may at any point start supplying a valid token.
+ "policies": [ # The `Policies` that are set on the resource. It will be empty if no
+ # `Policies` are set.
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ },
+ ],
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code>
+ <pre>Retrieves the next page of results.
+
+Args:
+ previous_request: The request for the previous page. (required)
+ previous_response: The response from the request for the previous page. (required)
+
+Returns:
+ A request object that you can call 'execute()' on to request the next
+ page. Returns None if there are no more items in the collection.
+ </pre>
+</div>
+
+<div class="method">
+ <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code>
+ <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for
+that `Constraint` on the resource if one does not exist.
+
+Not supplying an `etag` on the request `Policy` results in an unconditional
+write of the `Policy`.
+
+Args:
+ resource: string, Resource name of the resource to attach the `Policy`. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the SetOrgPolicyRequest method.
+ "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ },
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="setOrgPolicyV1">setOrgPolicyV1(resource, body, x__xgafv=None)</code>
+ <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for
+that `Constraint` on the resource if one does not exist.
+
+Not supplying an `etag` on the request `Policy` results in an unconditional
+write of the `Policy`.
+
+Args:
+ resource: string, Resource name of the resource to attach the `Policy`. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the SetOrgPolicyRequest method.
+ "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ },
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+</body></html>
\ No newline at end of file