orgpolicy

package
v8.10.2 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Dec 10, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CustomConstraint

// CustomConstraint is the resource type for an organization-level custom
// constraint. Every field below is a Pulumi output.
type CustomConstraint struct {
	pulumi.CustomResourceState

	// The action to take if the condition is met.
	// Possible values are: `ALLOW`, `DENY`.
	// NOTE(review): the ALLOW example on this page describes itself as "Only
	// allow ... if" the condition holds, so ALLOW reads as an allow-list on the
	// condition. Confirm the intended direction before a policy enforces the
	// constraint; the wrong value inverts the control.
	ActionType pulumi.StringOutput `pulumi:"actionType"`
	// A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see [Common Expression Language](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#common_expression_language).
	Condition pulumi.StringOutput `pulumi:"condition"`
	// A human-friendly description of the constraint to display as an error message when the policy is violated.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// A human-friendly name for the constraint.
	DisplayName pulumi.StringPtrOutput `pulumi:"displayName"`
	// A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in [Supported services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services).
	// NOTE(review): a constraint listing only `CREATE` presumably leaves later
	// `UPDATE` calls unchecked - confirm that gap is intended.
	MethodTypes pulumi.StringArrayOutput `pulumi:"methodTypes"`
	// Immutable. The name of the custom constraint. This is unique within the organization.
	Name pulumi.StringOutput `pulumi:"name"`
	// The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
	Parent pulumi.StringOutput `pulumi:"parent"`
	// Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.
	ResourceTypes pulumi.StringArrayOutput `pulumi:"resourceTypes"`
	// Output only. The timestamp representing when the constraint was last updated.
	UpdateTime pulumi.StringOutput `pulumi:"updateTime"`
}

Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.

To get more information about CustomConstraint, see:

* [API documentation](https://cloud.google.com/resource-manager/docs/reference/orgpolicy/rest/v2/organizations.constraints)
* How-to Guides

## Example Usage

### Org Policy Custom Constraint Basic

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers one organization-level custom constraint for GKE node pools.
// It only defines the constraint: no orgpolicy.Policy is created here, so this
// program on its own does not attach the constraint to any policy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// ALLOW with this condition is meant to permit CREATE/UPDATE of a
		// NodePool only when auto-upgrade is off. Before enforcing it, weigh
		// that against node patching: with auto-upgrade disabled, upgrades
		// have to be applied by some other process.
		args := &orgpolicy.CustomConstraintArgs{
			Name:       pulumi.String("custom.disableGkeAutoUpgrade"),
			Parent:     pulumi.String("organizations/123456789"),
			ActionType: pulumi.String("ALLOW"),
			Condition:  pulumi.String("resource.management.autoUpgrade == false"),
			MethodTypes: pulumi.StringArray{
				pulumi.String("CREATE"),
				pulumi.String("UPDATE"),
			},
			ResourceTypes: pulumi.StringArray{
				pulumi.String("container.googleapis.com/NodePool"),
			},
		}

		// The resource handle is unused; only the registration error matters.
		_, err := orgpolicy.NewCustomConstraint(ctx, "constraint", args)
		return err
	})
}

```

### Org Policy Custom Constraint Full

```go
package main

import (

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main defines a custom constraint for GKE node pools and then creates an
// organization policy that enforces it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The Description doubles as the error message shown on a violation,
		// so it states the effect: NodePool create/update is allowed only when
		// auto-upgrade is not enabled.
		constraintArgs := &orgpolicy.CustomConstraintArgs{
			Name:        pulumi.String("custom.disableGkeAutoUpgrade"),
			Parent:      pulumi.String("organizations/123456789"),
			DisplayName: pulumi.String("Disable GKE auto upgrade"),
			Description: pulumi.String("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."),
			ActionType:  pulumi.String("ALLOW"),
			Condition:   pulumi.String("resource.management.autoUpgrade == false"),
			MethodTypes: pulumi.StringArray{
				pulumi.String("CREATE"),
				pulumi.String("UPDATE"),
			},
			ResourceTypes: pulumi.StringArray{
				pulumi.String("container.googleapis.com/NodePool"),
			},
		}
		constraint, err := orgpolicy.NewCustomConstraint(ctx, "constraint", constraintArgs)
		if err != nil {
			return err
		}

		// Deriving the policy name from the constraint's Name output makes the
		// policy depend on the constraint being created first.
		policyName := constraint.Name.ApplyT(func(constraintName string) (string, error) {
			return fmt.Sprintf("organizations/123456789/policies/%v", constraintName), nil
		}).(pulumi.StringOutput)

		// Enforce "TRUE" is what turns the constraint definition into an
		// active control at organizations/123456789.
		_, err = orgpolicy.NewPolicy(ctx, "bool", &orgpolicy.PolicyArgs{
			Name:   policyName,
			Parent: pulumi.String("organizations/123456789"),
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						Enforce: pulumi.String("TRUE"),
					},
				},
			},
		})
		return err
	})
}

```

## Import

CustomConstraint can be imported using any of these accepted formats:

* `{{parent}}/customConstraints/{{name}}`

When using the `pulumi import` command, CustomConstraint can be imported using one of the formats above. For example:

```sh
$ pulumi import gcp:orgpolicy/customConstraint:CustomConstraint default {{parent}}/customConstraints/{{name}}
```

func GetCustomConstraint

func GetCustomConstraint(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *CustomConstraintState, opts ...pulumi.ResourceOption) (*CustomConstraint, error)

GetCustomConstraint gets an existing CustomConstraint resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewCustomConstraint

func NewCustomConstraint(ctx *pulumi.Context,
	name string, args *CustomConstraintArgs, opts ...pulumi.ResourceOption) (*CustomConstraint, error)

NewCustomConstraint registers a new resource with the given unique name, arguments, and options.

func (*CustomConstraint) ElementType

func (*CustomConstraint) ElementType() reflect.Type

func (*CustomConstraint) ToCustomConstraintOutput

func (i *CustomConstraint) ToCustomConstraintOutput() CustomConstraintOutput

func (*CustomConstraint) ToCustomConstraintOutputWithContext

func (i *CustomConstraint) ToCustomConstraintOutputWithContext(ctx context.Context) CustomConstraintOutput

type CustomConstraintArgs

// CustomConstraintArgs holds the inputs for constructing a CustomConstraint.
// Name is the only pointer-typed (StringPtrInput) field among the non-display
// inputs; ActionType, Condition, MethodTypes, Parent and ResourceTypes use
// non-pointer input types.
type CustomConstraintArgs struct {
	// The action to take if the condition is met.
	// Possible values are: `ALLOW`, `DENY`.
	// NOTE(review): the ALLOW example on this page describes itself as "Only
	// allow ... if" the condition holds; confirm the intended direction before
	// a policy enforces the constraint, since the wrong value inverts the control.
	ActionType pulumi.StringInput
	// A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see [Common Expression Language](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#common_expression_language).
	Condition pulumi.StringInput
	// A human-friendly description of the constraint to display as an error message when the policy is violated.
	Description pulumi.StringPtrInput
	// A human-friendly name for the constraint.
	DisplayName pulumi.StringPtrInput
	// A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in [Supported services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services).
	// NOTE(review): a constraint listing only `CREATE` presumably leaves later
	// `UPDATE` calls unchecked - confirm that gap is intended.
	MethodTypes pulumi.StringArrayInput
	// Immutable. The name of the custom constraint. This is unique within the organization.
	Name pulumi.StringPtrInput
	// The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
	Parent pulumi.StringInput
	// Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.
	ResourceTypes pulumi.StringArrayInput
}

The set of arguments for constructing a CustomConstraint resource.

func (CustomConstraintArgs) ElementType

func (CustomConstraintArgs) ElementType() reflect.Type

type CustomConstraintArray

// CustomConstraintArray is a slice of CustomConstraintInput values; this page
// lists it as one of the types accepted by CustomConstraintArrayInput.
type CustomConstraintArray []CustomConstraintInput

func (CustomConstraintArray) ElementType

func (CustomConstraintArray) ElementType() reflect.Type

func (CustomConstraintArray) ToCustomConstraintArrayOutput

func (i CustomConstraintArray) ToCustomConstraintArrayOutput() CustomConstraintArrayOutput

func (CustomConstraintArray) ToCustomConstraintArrayOutputWithContext

func (i CustomConstraintArray) ToCustomConstraintArrayOutputWithContext(ctx context.Context) CustomConstraintArrayOutput

type CustomConstraintArrayInput

// CustomConstraintArrayInput is a pulumi.Input that can be converted to a
// CustomConstraintArrayOutput, with or without an explicit context.Context.
type CustomConstraintArrayInput interface {
	pulumi.Input

	ToCustomConstraintArrayOutput() CustomConstraintArrayOutput
	ToCustomConstraintArrayOutputWithContext(context.Context) CustomConstraintArrayOutput
}

CustomConstraintArrayInput is an input type that accepts CustomConstraintArray and CustomConstraintArrayOutput values. You can construct a concrete instance of `CustomConstraintArrayInput` via:

CustomConstraintArray{ CustomConstraintArgs{...} }

type CustomConstraintArrayOutput

// CustomConstraintArrayOutput embeds *pulumi.OutputState; this page lists it
// as one of the types accepted by CustomConstraintArrayInput.
type CustomConstraintArrayOutput struct{ *pulumi.OutputState }

func (CustomConstraintArrayOutput) ElementType

func (CustomConstraintArrayOutput) Index

func (CustomConstraintArrayOutput) ToCustomConstraintArrayOutput

func (o CustomConstraintArrayOutput) ToCustomConstraintArrayOutput() CustomConstraintArrayOutput

func (CustomConstraintArrayOutput) ToCustomConstraintArrayOutputWithContext

func (o CustomConstraintArrayOutput) ToCustomConstraintArrayOutputWithContext(ctx context.Context) CustomConstraintArrayOutput

type CustomConstraintInput

// CustomConstraintInput is a pulumi.Input that can be converted to a
// CustomConstraintOutput, with or without an explicit context.Context.
// It is the element type of CustomConstraintArray and CustomConstraintMap.
type CustomConstraintInput interface {
	pulumi.Input

	ToCustomConstraintOutput() CustomConstraintOutput
	ToCustomConstraintOutputWithContext(ctx context.Context) CustomConstraintOutput
}

type CustomConstraintMap

// CustomConstraintMap maps string keys to CustomConstraintInput values; this
// page lists it as one of the types accepted by CustomConstraintMapInput.
type CustomConstraintMap map[string]CustomConstraintInput

func (CustomConstraintMap) ElementType

func (CustomConstraintMap) ElementType() reflect.Type

func (CustomConstraintMap) ToCustomConstraintMapOutput

func (i CustomConstraintMap) ToCustomConstraintMapOutput() CustomConstraintMapOutput

func (CustomConstraintMap) ToCustomConstraintMapOutputWithContext

func (i CustomConstraintMap) ToCustomConstraintMapOutputWithContext(ctx context.Context) CustomConstraintMapOutput

type CustomConstraintMapInput

// CustomConstraintMapInput is a pulumi.Input that can be converted to a
// CustomConstraintMapOutput, with or without an explicit context.Context.
type CustomConstraintMapInput interface {
	pulumi.Input

	ToCustomConstraintMapOutput() CustomConstraintMapOutput
	ToCustomConstraintMapOutputWithContext(context.Context) CustomConstraintMapOutput
}

CustomConstraintMapInput is an input type that accepts CustomConstraintMap and CustomConstraintMapOutput values. You can construct a concrete instance of `CustomConstraintMapInput` via:

CustomConstraintMap{ "key": CustomConstraintArgs{...} }

type CustomConstraintMapOutput

// CustomConstraintMapOutput embeds *pulumi.OutputState; this page lists it as
// one of the types accepted by CustomConstraintMapInput.
type CustomConstraintMapOutput struct{ *pulumi.OutputState }

func (CustomConstraintMapOutput) ElementType

func (CustomConstraintMapOutput) ElementType() reflect.Type

func (CustomConstraintMapOutput) MapIndex

func (CustomConstraintMapOutput) ToCustomConstraintMapOutput

func (o CustomConstraintMapOutput) ToCustomConstraintMapOutput() CustomConstraintMapOutput

func (CustomConstraintMapOutput) ToCustomConstraintMapOutputWithContext

func (o CustomConstraintMapOutput) ToCustomConstraintMapOutputWithContext(ctx context.Context) CustomConstraintMapOutput

type CustomConstraintOutput

// CustomConstraintOutput embeds *pulumi.OutputState. The methods listed for it
// on this page mirror the CustomConstraint fields (ActionType, Condition,
// Description, DisplayName, MethodTypes, Name, Parent, ResourceTypes,
// UpdateTime).
type CustomConstraintOutput struct{ *pulumi.OutputState }

func (CustomConstraintOutput) ActionType

The action to take if the condition is met. Possible values are: `ALLOW`, `DENY`.

func (CustomConstraintOutput) Condition

A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see [Common Expression Language](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#common_expression_language).

func (CustomConstraintOutput) Description

A human-friendly description of the constraint to display as an error message when the policy is violated.

func (CustomConstraintOutput) DisplayName

A human-friendly name for the constraint.

func (CustomConstraintOutput) ElementType

func (CustomConstraintOutput) ElementType() reflect.Type

func (CustomConstraintOutput) MethodTypes

A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in [Supported services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services).

func (CustomConstraintOutput) Name

Immutable. The name of the custom constraint. This is unique within the organization.

func (CustomConstraintOutput) Parent

The parent of the resource, an organization. Format should be `organizations/{organization_id}`.

func (CustomConstraintOutput) ResourceTypes

Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.

func (CustomConstraintOutput) ToCustomConstraintOutput

func (o CustomConstraintOutput) ToCustomConstraintOutput() CustomConstraintOutput

func (CustomConstraintOutput) ToCustomConstraintOutputWithContext

func (o CustomConstraintOutput) ToCustomConstraintOutputWithContext(ctx context.Context) CustomConstraintOutput

func (CustomConstraintOutput) UpdateTime

Output only. The timestamp representing when the constraint was last updated.

type CustomConstraintState

// CustomConstraintState carries the optional state properties passed to
// GetCustomConstraint to qualify a lookup. Every field is a pointer or array
// input, so any of them may be left unset.
type CustomConstraintState struct {
	// The action to take if the condition is met.
	// Possible values are: `ALLOW`, `DENY`.
	ActionType pulumi.StringPtrInput
	// A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see [Common Expression Language](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#common_expression_language).
	Condition pulumi.StringPtrInput
	// A human-friendly description of the constraint to display as an error message when the policy is violated.
	Description pulumi.StringPtrInput
	// A human-friendly name for the constraint.
	DisplayName pulumi.StringPtrInput
	// A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in [Supported services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services).
	MethodTypes pulumi.StringArrayInput
	// Immutable. The name of the custom constraint. This is unique within the organization.
	Name pulumi.StringPtrInput
	// The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
	Parent pulumi.StringPtrInput
	// Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.
	ResourceTypes pulumi.StringArrayInput
	// Output only. The timestamp representing when the constraint was last updated.
	UpdateTime pulumi.StringPtrInput
}

func (CustomConstraintState) ElementType

func (CustomConstraintState) ElementType() reflect.Type

type Policy

// Policy is the resource type for an organization policy attached to a
// project, folder or organization. Every field below is a Pulumi output.
type Policy struct {
	pulumi.CustomResourceState

	// Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
	// Structure is documented below.
	// Because it is audit-only, rules placed here do not block anything; the
	// enforced rules are the ones in Spec.
	DryRunSpec PolicyDryRunSpecPtrOutput `pulumi:"dryRunSpec"`
	// Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Immutable. The resource name of the Policy. Must be one of the following forms, where constraintName is the name of the constraint which this Policy configures:
	//   * `projects/{project_number}/policies/{constraint_name}`
	//   * `folders/{folder_id}/policies/{constraint_name}`
	//   * `organizations/{organization_id}/policies/{constraint_name}`
	// For example, "projects/123/policies/compute.disableSerialPortAccess". Note: `projects/{project_id}/policies/{constraint_name}` is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
	Name pulumi.StringOutput `pulumi:"name"`
	// The parent of the resource.
	Parent pulumi.StringOutput `pulumi:"parent"`
	// Basic information about the Organization Policy.
	// Structure is documented below.
	Spec PolicySpecPtrOutput `pulumi:"spec"`
}

Defines an organization policy which is used to specify constraints for configurations of Google Cloud resources.

To get more information about Policy, see:

* [API documentation](https://cloud.google.com/resource-manager/docs/reference/orgpolicy/rest/v2/organizations.policies)
* How-to Guides

## Example Usage

### Org Policy Policy Enforce

```go
package main

import (

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main creates a project and attaches a project-level policy for the
// iam.disableServiceAccountKeyUpload constraint.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
			ProjectId:      pulumi.String("id"),
			Name:           pulumi.String("id"),
			OrgId:          pulumi.String("123456789"),
			DeletionPolicy: pulumi.String("DELETE"),
		})
		if err != nil {
			return err
		}

		// NOTE(review): both paths are built from the project's Name output.
		// That lines up with the project ID here only because Name and
		// ProjectId are both "id"; if they differ, presumably ProjectId is the
		// value to use - confirm.
		policyName := project.Name.ApplyT(func(projectName string) (string, error) {
			return fmt.Sprintf("projects/%v/policies/iam.disableServiceAccountKeyUpload", projectName), nil
		}).(pulumi.StringOutput)
		policyParent := project.Name.ApplyT(func(projectName string) (string, error) {
			return fmt.Sprintf("projects/%v", projectName), nil
		}).(pulumi.StringOutput)

		// Enforce is "FALSE": as written, this policy leaves
		// iam.disableServiceAccountKeyUpload unenforced on the project. Use
		// "TRUE" when the goal is to enforce the constraint.
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:   policyName,
			Parent: policyParent,
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						Enforce: pulumi.String("FALSE"),
					},
				},
			},
		})
		return err
	})
}

```

### Org Policy Policy Folder

```go
package main

import (

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main creates a folder under the organization and attaches a folder-level
// policy for the gcp.resourceLocations constraint.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// DeletionProtection is false, so the folder is created without
		// deletion protection.
		folder, err := organizations.NewFolder(ctx, "basic", &organizations.FolderArgs{
			Parent:             pulumi.String("organizations/123456789"),
			DisplayName:        pulumi.String("folder"),
			DeletionProtection: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}

		// The folder's Name output is used as the parent and as the prefix of
		// the policy name.
		policyName := folder.Name.ApplyT(func(folderName string) (string, error) {
			return fmt.Sprintf("%v/policies/gcp.resourceLocations", folderName), nil
		}).(pulumi.StringOutput)

		// DenyAll "TRUE" denies every value of the list constraint at this
		// folder; InheritFromParent keeps rules set higher in the hierarchy in
		// the effective policy as well.
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:   policyName,
			Parent: folder.Name,
			Spec: &orgpolicy.PolicySpecArgs{
				InheritFromParent: pulumi.Bool(true),
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						DenyAll: pulumi.String("TRUE"),
					},
				},
			},
		})
		return err
	})
}

```

### Org Policy Policy Organization

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main creates an organization-level policy for the
// gcp.detailedAuditLoggingMode constraint with Reset set.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): the dry-run spec documentation on this page describes
		// Reset as ignoring policies set above the resource and restoring the
		// constraint's default enforcement; presumably the same holds for
		// Spec.Reset - confirm, and check that the default is the behaviour
		// wanted for an audit-logging constraint.
		args := &orgpolicy.PolicyArgs{
			Name:   pulumi.String("organizations/123456789/policies/gcp.detailedAuditLoggingMode"),
			Parent: pulumi.String("organizations/123456789"),
			Spec: &orgpolicy.PolicySpecArgs{
				Reset: pulumi.Bool(true),
			},
		}

		_, err := orgpolicy.NewPolicy(ctx, "primary", args)
		return err
	})
}

```

### Org Policy Policy Project

```go
package main

import (

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main creates a project and attaches a gcp.resourceLocations policy with one
// tag-conditioned rule and one unconditional rule.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.NewProject(ctx, "basic", &organizations.ProjectArgs{
			ProjectId:      pulumi.String("id"),
			Name:           pulumi.String("id"),
			OrgId:          pulumi.String("123456789"),
			DeletionPolicy: pulumi.String("DELETE"),
		})
		if err != nil {
			return err
		}

		// NOTE(review): both paths are built from the project's Name output,
		// which lines up with the project ID here only because Name and
		// ProjectId are both "id" - confirm which one is intended.
		policyName := project.Name.ApplyT(func(projectName string) (string, error) {
			return fmt.Sprintf("projects/%v/policies/gcp.resourceLocations", projectName), nil
		}).(pulumi.StringOutput)
		policyParent := project.Name.ApplyT(func(projectName string) (string, error) {
			return fmt.Sprintf("projects/%v", projectName), nil
		}).(pulumi.StringOutput)

		// Rule applied when the tag expression matches: explicit allowed and
		// denied value lists.
		taggedRule := &orgpolicy.PolicySpecRuleArgs{
			Condition: &orgpolicy.PolicySpecRuleConditionArgs{
				Description: pulumi.String("A sample condition for the policy"),
				Expression:  pulumi.String("resource.matchTagId('tagKeys/123', 'tagValues/345')"),
				Location:    pulumi.String("sample-location.log"),
				Title:       pulumi.String("sample-condition"),
			},
			Values: &orgpolicy.PolicySpecRuleValuesArgs{
				AllowedValues: pulumi.StringArray{
					pulumi.String("projects/allowed-project"),
				},
				DeniedValues: pulumi.StringArray{
					pulumi.String("projects/denied-project"),
				},
			},
		}
		// Rule without a condition: AllowAll "TRUE".
		// NOTE(review): this looks like an allow-everything default for
		// resources the tag expression does not match - confirm that such an
		// open fallback is intended before copying it.
		fallbackRule := &orgpolicy.PolicySpecRuleArgs{
			AllowAll: pulumi.String("TRUE"),
		}

		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:   policyName,
			Parent: policyParent,
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					taggedRule,
					fallbackRule,
				},
			},
		})
		return err
	})
}

```

### Org Policy Policy Dry Run Spec

```go
package main

import (

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/orgpolicy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main defines a custom constraint for GKE node pools and creates an
// organization policy for it that carries both a live Spec and a DryRunSpec.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Only CREATE is listed in MethodTypes, so UPDATE is not among the
		// methods this constraint is enforced for.
		constraintArgs := &orgpolicy.CustomConstraintArgs{
			Name:        pulumi.String("custom.disableGkeAutoUpgrade_13293"),
			Parent:      pulumi.String("organizations/123456789"),
			DisplayName: pulumi.String("Disable GKE auto upgrade"),
			Description: pulumi.String("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."),
			ActionType:  pulumi.String("ALLOW"),
			Condition:   pulumi.String("resource.management.autoUpgrade == false"),
			MethodTypes: pulumi.StringArray{
				pulumi.String("CREATE"),
			},
			ResourceTypes: pulumi.StringArray{
				pulumi.String("container.googleapis.com/NodePool"),
			},
		}
		constraint, err := orgpolicy.NewCustomConstraint(ctx, "constraint", constraintArgs)
		if err != nil {
			return err
		}

		policyName := constraint.Name.ApplyT(func(constraintName string) (string, error) {
			return fmt.Sprintf("organizations/123456789/policies/%v", constraintName), nil
		}).(pulumi.StringOutput)

		// Spec holds the live rules; DryRunSpec is the audit-only counterpart.
		// NOTE(review): both rules carry Enforce "FALSE" here, so as written
		// neither spec enforces the constraint. To observe what enforcement
		// would block, the dry-run rule would presumably be "TRUE" - confirm.
		_, err = orgpolicy.NewPolicy(ctx, "primary", &orgpolicy.PolicyArgs{
			Name:   policyName,
			Parent: pulumi.String("organizations/123456789"),
			Spec: &orgpolicy.PolicySpecArgs{
				Rules: orgpolicy.PolicySpecRuleArray{
					&orgpolicy.PolicySpecRuleArgs{
						Enforce: pulumi.String("FALSE"),
					},
				},
			},
			DryRunSpec: &orgpolicy.PolicyDryRunSpecArgs{
				InheritFromParent: pulumi.Bool(false),
				Reset:             pulumi.Bool(false),
				Rules: orgpolicy.PolicyDryRunSpecRuleArray{
					&orgpolicy.PolicyDryRunSpecRuleArgs{
						Enforce: pulumi.String("FALSE"),
					},
				},
			},
		})
		return err
	})
}

```

## Import

Policy can be imported using any of these accepted formats:

* `{{parent}}/policies/{{name}}`

When using the `pulumi import` command, Policy can be imported using one of the formats above. For example:

```sh
$ pulumi import gcp:orgpolicy/policy:Policy default {{parent}}/policies/{{name}}
```

func GetPolicy

func GetPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *PolicyState, opts ...pulumi.ResourceOption) (*Policy, error)

GetPolicy gets an existing Policy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewPolicy

func NewPolicy(ctx *pulumi.Context,
	name string, args *PolicyArgs, opts ...pulumi.ResourceOption) (*Policy, error)

NewPolicy registers a new resource with the given unique name, arguments, and options.

func (*Policy) ElementType

func (*Policy) ElementType() reflect.Type

func (*Policy) ToPolicyOutput

func (i *Policy) ToPolicyOutput() PolicyOutput

func (*Policy) ToPolicyOutputWithContext

func (i *Policy) ToPolicyOutputWithContext(ctx context.Context) PolicyOutput

type PolicyArgs

// PolicyArgs holds the inputs for constructing a Policy. Parent is the only
// non-pointer input; DryRunSpec, Name and Spec are pointer inputs.
type PolicyArgs struct {
	// Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
	// Structure is documented below.
	// Because it is audit-only, rules placed here do not block anything; the
	// enforced rules are the ones in Spec.
	DryRunSpec PolicyDryRunSpecPtrInput
	// Immutable. The resource name of the Policy. Must be one of the following forms, where constraintName is the name of the constraint which this Policy configures:
	//   * `projects/{project_number}/policies/{constraint_name}`
	//   * `folders/{folder_id}/policies/{constraint_name}`
	//   * `organizations/{organization_id}/policies/{constraint_name}`
	// For example, "projects/123/policies/compute.disableSerialPortAccess". Note: `projects/{project_id}/policies/{constraint_name}` is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
	Name pulumi.StringPtrInput
	// The parent of the resource.
	Parent pulumi.StringInput
	// Basic information about the Organization Policy.
	// Structure is documented below.
	Spec PolicySpecPtrInput
}

The set of arguments for constructing a Policy resource.

func (PolicyArgs) ElementType

func (PolicyArgs) ElementType() reflect.Type

type PolicyArray

// PolicyArray is a slice of PolicyInput values; this page lists it as one of
// the types accepted by PolicyArrayInput.
type PolicyArray []PolicyInput

func (PolicyArray) ElementType

func (PolicyArray) ElementType() reflect.Type

func (PolicyArray) ToPolicyArrayOutput

func (i PolicyArray) ToPolicyArrayOutput() PolicyArrayOutput

func (PolicyArray) ToPolicyArrayOutputWithContext

func (i PolicyArray) ToPolicyArrayOutputWithContext(ctx context.Context) PolicyArrayOutput

type PolicyArrayInput

// PolicyArrayInput is a pulumi.Input that can be converted to a
// PolicyArrayOutput, with or without an explicit context.Context.
type PolicyArrayInput interface {
	pulumi.Input

	ToPolicyArrayOutput() PolicyArrayOutput
	ToPolicyArrayOutputWithContext(context.Context) PolicyArrayOutput
}

PolicyArrayInput is an input type that accepts PolicyArray and PolicyArrayOutput values. You can construct a concrete instance of `PolicyArrayInput` via:

PolicyArray{ PolicyArgs{...} }

type PolicyArrayOutput

// PolicyArrayOutput embeds *pulumi.OutputState; this page lists it as one of
// the types accepted by PolicyArrayInput.
type PolicyArrayOutput struct{ *pulumi.OutputState }

func (PolicyArrayOutput) ElementType

func (PolicyArrayOutput) ElementType() reflect.Type

func (PolicyArrayOutput) Index

func (PolicyArrayOutput) ToPolicyArrayOutput

func (o PolicyArrayOutput) ToPolicyArrayOutput() PolicyArrayOutput

func (PolicyArrayOutput) ToPolicyArrayOutputWithContext

func (o PolicyArrayOutput) ToPolicyArrayOutputWithContext(ctx context.Context) PolicyArrayOutput

type PolicyDryRunSpec

// PolicyDryRunSpec is the plain-value form of a policy's dry-run spec. All
// scalar fields are pointers, so each may be unset.
type PolicyDryRunSpec struct {
	// (Output)
	// An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset.
	Etag *string `pulumi:"etag"`
	// Determines the inheritance behavior for this policy. If `inheritFromParent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
	InheritFromParent *bool `pulumi:"inheritFromParent"`
	// Ignores policies set above this resource and restores the `constraintDefault` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inheritFromParent` must be set to false.
	// Review any use of this field: it discards whatever ancestors configured
	// for the constraint.
	Reset *bool `pulumi:"reset"`
	// In policies for boolean constraints, the following requirements apply:
	//   - There must be one and only one policy rule where condition is unset.
	//   - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition.
	//   - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
	// Structure is documented below.
	Rules []PolicyDryRunSpecRule `pulumi:"rules"`
	// (Output)
	// Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy.
	UpdateTime *string `pulumi:"updateTime"`
}

type PolicyDryRunSpecArgs

// PolicyDryRunSpecArgs is the Pulumi-input form of PolicyDryRunSpec; it has
// the same fields, typed as inputs.
type PolicyDryRunSpecArgs struct {
	// (Output)
	// An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset.
	Etag pulumi.StringPtrInput `pulumi:"etag"`
	// Determines the inheritance behavior for this policy. If `inheritFromParent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
	InheritFromParent pulumi.BoolPtrInput `pulumi:"inheritFromParent"`
	// Ignores policies set above this resource and restores the `constraintDefault` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inheritFromParent` must be set to false.
	// Review any use of this field: it discards whatever ancestors configured
	// for the constraint.
	Reset pulumi.BoolPtrInput `pulumi:"reset"`
	// In policies for boolean constraints, the following requirements apply:
	//   - There must be one and only one policy rule where condition is unset.
	//   - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition.
	//   - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
	// Structure is documented below.
	Rules PolicyDryRunSpecRuleArrayInput `pulumi:"rules"`
	// (Output)
	// Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy.
	UpdateTime pulumi.StringPtrInput `pulumi:"updateTime"`
}

func (PolicyDryRunSpecArgs) ElementType

func (PolicyDryRunSpecArgs) ElementType() reflect.Type

func (PolicyDryRunSpecArgs) ToPolicyDryRunSpecOutput

func (i PolicyDryRunSpecArgs) ToPolicyDryRunSpecOutput() PolicyDryRunSpecOutput

func (PolicyDryRunSpecArgs) ToPolicyDryRunSpecOutputWithContext

func (i PolicyDryRunSpecArgs) ToPolicyDryRunSpecOutputWithContext(ctx context.Context) PolicyDryRunSpecOutput

func (PolicyDryRunSpecArgs) ToPolicyDryRunSpecPtrOutput

func (i PolicyDryRunSpecArgs) ToPolicyDryRunSpecPtrOutput() PolicyDryRunSpecPtrOutput

func (PolicyDryRunSpecArgs) ToPolicyDryRunSpecPtrOutputWithContext

func (i PolicyDryRunSpecArgs) ToPolicyDryRunSpecPtrOutputWithContext(ctx context.Context) PolicyDryRunSpecPtrOutput

type PolicyDryRunSpecInput

// PolicyDryRunSpecInput is implemented by values that can be converted to a
// PolicyDryRunSpecOutput, either directly or with an explicit context.
type PolicyDryRunSpecInput interface {
	pulumi.Input

	ToPolicyDryRunSpecOutput() PolicyDryRunSpecOutput
	ToPolicyDryRunSpecOutputWithContext(context.Context) PolicyDryRunSpecOutput
}

PolicyDryRunSpecInput is an input type that accepts PolicyDryRunSpecArgs and PolicyDryRunSpecOutput values. You can construct a concrete instance of `PolicyDryRunSpecInput` via:

PolicyDryRunSpecArgs{...}

type PolicyDryRunSpecOutput

type PolicyDryRunSpecOutput struct{ *pulumi.OutputState }

func (PolicyDryRunSpecOutput) ElementType

func (PolicyDryRunSpecOutput) ElementType() reflect.Type

func (PolicyDryRunSpecOutput) Etag

(Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset.

func (PolicyDryRunSpecOutput) InheritFromParent

func (o PolicyDryRunSpecOutput) InheritFromParent() pulumi.BoolPtrOutput

Determines the inheritance behavior for this policy. If `inheritFromParent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.

func (PolicyDryRunSpecOutput) Reset

Ignores policies set above this resource and restores the `constraintDefault` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inheritFromParent` must be set to false.

func (PolicyDryRunSpecOutput) Rules

In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.

func (PolicyDryRunSpecOutput) ToPolicyDryRunSpecOutput

func (o PolicyDryRunSpecOutput) ToPolicyDryRunSpecOutput() PolicyDryRunSpecOutput

func (PolicyDryRunSpecOutput) ToPolicyDryRunSpecOutputWithContext

func (o PolicyDryRunSpecOutput) ToPolicyDryRunSpecOutputWithContext(ctx context.Context) PolicyDryRunSpecOutput

func (PolicyDryRunSpecOutput) ToPolicyDryRunSpecPtrOutput

func (o PolicyDryRunSpecOutput) ToPolicyDryRunSpecPtrOutput() PolicyDryRunSpecPtrOutput

func (PolicyDryRunSpecOutput) ToPolicyDryRunSpecPtrOutputWithContext

func (o PolicyDryRunSpecOutput) ToPolicyDryRunSpecPtrOutputWithContext(ctx context.Context) PolicyDryRunSpecPtrOutput

func (PolicyDryRunSpecOutput) UpdateTime

(Output) Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy.

type PolicyDryRunSpecPtrInput

// PolicyDryRunSpecPtrInput is implemented by values that can be converted to a
// PolicyDryRunSpecPtrOutput, either directly or with an explicit context.
type PolicyDryRunSpecPtrInput interface {
	pulumi.Input

	ToPolicyDryRunSpecPtrOutput() PolicyDryRunSpecPtrOutput
	ToPolicyDryRunSpecPtrOutputWithContext(context.Context) PolicyDryRunSpecPtrOutput
}

PolicyDryRunSpecPtrInput is an input type that accepts PolicyDryRunSpecArgs, PolicyDryRunSpecPtr and PolicyDryRunSpecPtrOutput values. You can construct a concrete instance of `PolicyDryRunSpecPtrInput` via:

        PolicyDryRunSpecArgs{...}

or:

        nil

type PolicyDryRunSpecPtrOutput

type PolicyDryRunSpecPtrOutput struct{ *pulumi.OutputState }

func (PolicyDryRunSpecPtrOutput) Elem

func (PolicyDryRunSpecPtrOutput) ElementType

func (PolicyDryRunSpecPtrOutput) ElementType() reflect.Type

func (PolicyDryRunSpecPtrOutput) Etag

(Output) An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset.

func (PolicyDryRunSpecPtrOutput) InheritFromParent

func (o PolicyDryRunSpecPtrOutput) InheritFromParent() pulumi.BoolPtrOutput

Determines the inheritance behavior for this policy. If `inheritFromParent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.

func (PolicyDryRunSpecPtrOutput) Reset

Ignores policies set above this resource and restores the `constraintDefault` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inheritFromParent` must be set to false.

func (PolicyDryRunSpecPtrOutput) Rules

In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. Structure is documented below.

func (PolicyDryRunSpecPtrOutput) ToPolicyDryRunSpecPtrOutput

func (o PolicyDryRunSpecPtrOutput) ToPolicyDryRunSpecPtrOutput() PolicyDryRunSpecPtrOutput

func (PolicyDryRunSpecPtrOutput) ToPolicyDryRunSpecPtrOutputWithContext

func (o PolicyDryRunSpecPtrOutput) ToPolicyDryRunSpecPtrOutputWithContext(ctx context.Context) PolicyDryRunSpecPtrOutput

func (PolicyDryRunSpecPtrOutput) UpdateTime

(Output) Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy.

type PolicyDryRunSpecRule

// PolicyDryRunSpecRule is a single rule of a dry-run policy spec.
//
// Per the field notes below, AllowAll, DenyAll and Values can be set only in
// policies for list constraints, and Enforce only in policies for boolean
// constraints. AllowAll, DenyAll and Enforce are string-typed and take the
// literal text "TRUE" or "FALSE", not a Go bool.
type PolicyDryRunSpecRule struct {
	// Setting this to `"TRUE"` means that all values are allowed. This field can be set only in Policies for list constraints.
	// NOTE(review): an allow-all rule leaves the list constraint unrestricted wherever the rule applies; confirm that is intended.
	AllowAll *string `pulumi:"allowAll"`
	// A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('<ORG_ID>/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where keyName and valueName are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
	// Structure is documented below.
	Condition *PolicyDryRunSpecRuleCondition `pulumi:"condition"`
	// Setting this to `"TRUE"` means that all values are denied. This field can be set only in Policies for list constraints.
	DenyAll *string `pulumi:"denyAll"`
	// If `"TRUE"`, then the `Policy` is enforced. If `"FALSE"`, then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
	Enforce *string `pulumi:"enforce"`
	// List of values to be used for this policy rule. This field can be set only in policies for list constraints.
	// Structure is documented below.
	Values *PolicyDryRunSpecRuleValues `pulumi:"values"`
}

type PolicyDryRunSpecRuleArgs

// PolicyDryRunSpecRuleArgs is the input form of a single dry-run policy rule.
//
// Per the field notes below, AllowAll, DenyAll and Values can be set only in
// policies for list constraints, and Enforce only in policies for boolean
// constraints. AllowAll, DenyAll and Enforce are string inputs that take the
// literal text "TRUE" or "FALSE", not a bool.
type PolicyDryRunSpecRuleArgs struct {
	// Setting this to `"TRUE"` means that all values are allowed. This field can be set only in Policies for list constraints.
	// NOTE(review): an allow-all rule leaves the list constraint unrestricted wherever the rule applies; confirm that is intended.
	AllowAll pulumi.StringPtrInput `pulumi:"allowAll"`
	// A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('<ORG_ID>/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where keyName and valueName are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
	// Structure is documented below.
	Condition PolicyDryRunSpecRuleConditionPtrInput `pulumi:"condition"`
	// Setting this to `"TRUE"` means that all values are denied. This field can be set only in Policies for list constraints.
	DenyAll pulumi.StringPtrInput `pulumi:"denyAll"`
	// If `"TRUE"`, then the `Policy` is enforced. If `"FALSE"`, then any configuration is acceptable. This field can be set only in Policies for boolean constraints.
	Enforce pulumi.StringPtrInput `pulumi:"enforce"`
	// List of values to be used for this policy rule. This field can be set only in policies for list constraints.
	// Structure is documented below.
	Values PolicyDryRunSpecRuleValuesPtrInput `pulumi:"values"`
}

func (PolicyDryRunSpecRuleArgs) ElementType

func (PolicyDryRunSpecRuleArgs) ElementType() reflect.Type

func (PolicyDryRunSpecRuleArgs) ToPolicyDryRunSpecRuleOutput

func (i PolicyDryRunSpecRuleArgs) ToPolicyDryRunSpecRuleOutput() PolicyDryRunSpecRuleOutput

func (PolicyDryRunSpecRuleArgs) ToPolicyDryRunSpecRuleOutputWithContext

func (i PolicyDryRunSpecRuleArgs) ToPolicyDryRunSpecRuleOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleOutput

type PolicyDryRunSpecRuleArray

type PolicyDryRunSpecRuleArray []PolicyDryRunSpecRuleInput

func (PolicyDryRunSpecRuleArray) ElementType

func (PolicyDryRunSpecRuleArray) ElementType() reflect.Type

func (PolicyDryRunSpecRuleArray) ToPolicyDryRunSpecRuleArrayOutput

func (i PolicyDryRunSpecRuleArray) ToPolicyDryRunSpecRuleArrayOutput() PolicyDryRunSpecRuleArrayOutput

func (PolicyDryRunSpecRuleArray) ToPolicyDryRunSpecRuleArrayOutputWithContext

func (i PolicyDryRunSpecRuleArray) ToPolicyDryRunSpecRuleArrayOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleArrayOutput

type PolicyDryRunSpecRuleArrayInput

// PolicyDryRunSpecRuleArrayInput is implemented by values that can be converted
// to a PolicyDryRunSpecRuleArrayOutput, either directly or with an explicit context.
type PolicyDryRunSpecRuleArrayInput interface {
	pulumi.Input

	ToPolicyDryRunSpecRuleArrayOutput() PolicyDryRunSpecRuleArrayOutput
	ToPolicyDryRunSpecRuleArrayOutputWithContext(context.Context) PolicyDryRunSpecRuleArrayOutput
}

PolicyDryRunSpecRuleArrayInput is an input type that accepts PolicyDryRunSpecRuleArray and PolicyDryRunSpecRuleArrayOutput values. You can construct a concrete instance of `PolicyDryRunSpecRuleArrayInput` via:

PolicyDryRunSpecRuleArray{ PolicyDryRunSpecRuleArgs{...} }

type PolicyDryRunSpecRuleArrayOutput

type PolicyDryRunSpecRuleArrayOutput struct{ *pulumi.OutputState }

func (PolicyDryRunSpecRuleArrayOutput) ElementType

func (PolicyDryRunSpecRuleArrayOutput) Index

func (PolicyDryRunSpecRuleArrayOutput) ToPolicyDryRunSpecRuleArrayOutput

func (o PolicyDryRunSpecRuleArrayOutput) ToPolicyDryRunSpecRuleArrayOutput() PolicyDryRunSpecRuleArrayOutput

func (PolicyDryRunSpecRuleArrayOutput) ToPolicyDryRunSpecRuleArrayOutputWithContext

func (o PolicyDryRunSpecRuleArrayOutput) ToPolicyDryRunSpecRuleArrayOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleArrayOutput

type PolicyDryRunSpecRuleCondition

// PolicyDryRunSpecRuleCondition holds a Common Expression Language (CEL)
// expression together with optional descriptive metadata. Only Expression
// carries the condition itself; the other fields are marked optional below.
type PolicyDryRunSpecRuleCondition struct {
	// Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression *string `pulumi:"expression"`
	// Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
	Location *string `pulumi:"location"`
	// Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.
	Title *string `pulumi:"title"`
}

type PolicyDryRunSpecRuleConditionArgs

// PolicyDryRunSpecRuleConditionArgs is the input form of a rule condition: a
// Common Expression Language (CEL) expression together with optional
// descriptive metadata. Only Expression carries the condition itself; the
// other fields are marked optional below.
type PolicyDryRunSpecRuleConditionArgs struct {
	// Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringPtrInput `pulumi:"expression"`
	// Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
	Location pulumi.StringPtrInput `pulumi:"location"`
	// Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.
	Title pulumi.StringPtrInput `pulumi:"title"`
}

func (PolicyDryRunSpecRuleConditionArgs) ElementType

func (PolicyDryRunSpecRuleConditionArgs) ToPolicyDryRunSpecRuleConditionOutput

func (i PolicyDryRunSpecRuleConditionArgs) ToPolicyDryRunSpecRuleConditionOutput() PolicyDryRunSpecRuleConditionOutput

func (PolicyDryRunSpecRuleConditionArgs) ToPolicyDryRunSpecRuleConditionOutputWithContext

func (i PolicyDryRunSpecRuleConditionArgs) ToPolicyDryRunSpecRuleConditionOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleConditionOutput

func (PolicyDryRunSpecRuleConditionArgs) ToPolicyDryRunSpecRuleConditionPtrOutput

func (i PolicyDryRunSpecRuleConditionArgs) ToPolicyDryRunSpecRuleConditionPtrOutput() PolicyDryRunSpecRuleConditionPtrOutput

func (PolicyDryRunSpecRuleConditionArgs) ToPolicyDryRunSpecRuleConditionPtrOutputWithContext

func (i PolicyDryRunSpecRuleConditionArgs) ToPolicyDryRunSpecRuleConditionPtrOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleConditionPtrOutput

type PolicyDryRunSpecRuleConditionInput

// PolicyDryRunSpecRuleConditionInput is implemented by values that can be
// converted to a PolicyDryRunSpecRuleConditionOutput, either directly or with
// an explicit context.
type PolicyDryRunSpecRuleConditionInput interface {
	pulumi.Input

	ToPolicyDryRunSpecRuleConditionOutput() PolicyDryRunSpecRuleConditionOutput
	ToPolicyDryRunSpecRuleConditionOutputWithContext(context.Context) PolicyDryRunSpecRuleConditionOutput
}

PolicyDryRunSpecRuleConditionInput is an input type that accepts PolicyDryRunSpecRuleConditionArgs and PolicyDryRunSpecRuleConditionOutput values. You can construct a concrete instance of `PolicyDryRunSpecRuleConditionInput` via:

PolicyDryRunSpecRuleConditionArgs{...}

type PolicyDryRunSpecRuleConditionOutput

type PolicyDryRunSpecRuleConditionOutput struct{ *pulumi.OutputState }

func (PolicyDryRunSpecRuleConditionOutput) Description

Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (PolicyDryRunSpecRuleConditionOutput) ElementType

func (PolicyDryRunSpecRuleConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (PolicyDryRunSpecRuleConditionOutput) Location

Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

func (PolicyDryRunSpecRuleConditionOutput) Title

Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

func (PolicyDryRunSpecRuleConditionOutput) ToPolicyDryRunSpecRuleConditionOutput

func (o PolicyDryRunSpecRuleConditionOutput) ToPolicyDryRunSpecRuleConditionOutput() PolicyDryRunSpecRuleConditionOutput

func (PolicyDryRunSpecRuleConditionOutput) ToPolicyDryRunSpecRuleConditionOutputWithContext

func (o PolicyDryRunSpecRuleConditionOutput) ToPolicyDryRunSpecRuleConditionOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleConditionOutput

func (PolicyDryRunSpecRuleConditionOutput) ToPolicyDryRunSpecRuleConditionPtrOutput

func (o PolicyDryRunSpecRuleConditionOutput) ToPolicyDryRunSpecRuleConditionPtrOutput() PolicyDryRunSpecRuleConditionPtrOutput

func (PolicyDryRunSpecRuleConditionOutput) ToPolicyDryRunSpecRuleConditionPtrOutputWithContext

func (o PolicyDryRunSpecRuleConditionOutput) ToPolicyDryRunSpecRuleConditionPtrOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleConditionPtrOutput

type PolicyDryRunSpecRuleConditionPtrInput

// PolicyDryRunSpecRuleConditionPtrInput is implemented by values that can be
// converted to a PolicyDryRunSpecRuleConditionPtrOutput, either directly or
// with an explicit context.
type PolicyDryRunSpecRuleConditionPtrInput interface {
	pulumi.Input

	ToPolicyDryRunSpecRuleConditionPtrOutput() PolicyDryRunSpecRuleConditionPtrOutput
	ToPolicyDryRunSpecRuleConditionPtrOutputWithContext(context.Context) PolicyDryRunSpecRuleConditionPtrOutput
}

PolicyDryRunSpecRuleConditionPtrInput is an input type that accepts PolicyDryRunSpecRuleConditionArgs, PolicyDryRunSpecRuleConditionPtr and PolicyDryRunSpecRuleConditionPtrOutput values. You can construct a concrete instance of `PolicyDryRunSpecRuleConditionPtrInput` via:

        PolicyDryRunSpecRuleConditionArgs{...}

or:

        nil

type PolicyDryRunSpecRuleConditionPtrOutput

type PolicyDryRunSpecRuleConditionPtrOutput struct{ *pulumi.OutputState }

func (PolicyDryRunSpecRuleConditionPtrOutput) Description

Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (PolicyDryRunSpecRuleConditionPtrOutput) Elem

func (PolicyDryRunSpecRuleConditionPtrOutput) ElementType

func (PolicyDryRunSpecRuleConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (PolicyDryRunSpecRuleConditionPtrOutput) Location

Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

func (PolicyDryRunSpecRuleConditionPtrOutput) Title

Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

func (PolicyDryRunSpecRuleConditionPtrOutput) ToPolicyDryRunSpecRuleConditionPtrOutput

func (o PolicyDryRunSpecRuleConditionPtrOutput) ToPolicyDryRunSpecRuleConditionPtrOutput() PolicyDryRunSpecRuleConditionPtrOutput

func (PolicyDryRunSpecRuleConditionPtrOutput) ToPolicyDryRunSpecRuleConditionPtrOutputWithContext

func (o PolicyDryRunSpecRuleConditionPtrOutput) ToPolicyDryRunSpecRuleConditionPtrOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleConditionPtrOutput

type PolicyDryRunSpecRuleInput

// PolicyDryRunSpecRuleInput is implemented by values that can be converted to a
// PolicyDryRunSpecRuleOutput, either directly or with an explicit context.
type PolicyDryRunSpecRuleInput interface {
	pulumi.Input

	ToPolicyDryRunSpecRuleOutput() PolicyDryRunSpecRuleOutput
	ToPolicyDryRunSpecRuleOutputWithContext(context.Context) PolicyDryRunSpecRuleOutput
}

PolicyDryRunSpecRuleInput is an input type that accepts PolicyDryRunSpecRuleArgs and PolicyDryRunSpecRuleOutput values. You can construct a concrete instance of `PolicyDryRunSpecRuleInput` via:

PolicyDryRunSpecRuleArgs{...}

type PolicyDryRunSpecRuleOutput

type PolicyDryRunSpecRuleOutput struct{ *pulumi.OutputState }

func (PolicyDryRunSpecRuleOutput) AllowAll

Setting this to `"TRUE"` means that all values are allowed. This field can be set only in Policies for list constraints.

func (PolicyDryRunSpecRuleOutput) Condition

A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('<ORG_ID>/tag_key_short_name', 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')", where keyName and valueName are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment', 'prod')" or "resource.matchTagId('tagKeys/123', 'tagValues/456')". Structure is documented below.

func (PolicyDryRunSpecRuleOutput) DenyAll

Setting this to `"TRUE"` means that all values are denied. This field can be set only in Policies for list constraints.

func (PolicyDryRunSpecRuleOutput) ElementType

func (PolicyDryRunSpecRuleOutput) ElementType() reflect.Type

func (PolicyDryRunSpecRuleOutput) Enforce

If `"TRUE"`, then the `Policy` is enforced. If `"FALSE"`, then any configuration is acceptable. This field can be set only in Policies for boolean constraints.

func (PolicyDryRunSpecRuleOutput) ToPolicyDryRunSpecRuleOutput

func (o PolicyDryRunSpecRuleOutput) ToPolicyDryRunSpecRuleOutput() PolicyDryRunSpecRuleOutput

func (PolicyDryRunSpecRuleOutput) ToPolicyDryRunSpecRuleOutputWithContext

func (o PolicyDryRunSpecRuleOutput) ToPolicyDryRunSpecRuleOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleOutput

func (PolicyDryRunSpecRuleOutput) Values

List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.

type PolicyDryRunSpecRuleValues

// PolicyDryRunSpecRuleValues carries the explicit allow and deny lists of a
// dry-run policy rule.
// NOTE(review): this page does not state how a value present in both lists is
// treated — confirm against the Organization Policy documentation.
type PolicyDryRunSpecRuleValues struct {
	// List of values allowed at this resource.
	AllowedValues []string `pulumi:"allowedValues"`
	// List of values denied at this resource.
	DeniedValues []string `pulumi:"deniedValues"`
}

type PolicyDryRunSpecRuleValuesArgs

// PolicyDryRunSpecRuleValuesArgs is the input form of the explicit allow and
// deny lists of a dry-run policy rule.
// NOTE(review): this page does not state how a value present in both lists is
// treated — confirm against the Organization Policy documentation.
type PolicyDryRunSpecRuleValuesArgs struct {
	// List of values allowed at this resource.
	AllowedValues pulumi.StringArrayInput `pulumi:"allowedValues"`
	// List of values denied at this resource.
	DeniedValues pulumi.StringArrayInput `pulumi:"deniedValues"`
}

func (PolicyDryRunSpecRuleValuesArgs) ElementType

func (PolicyDryRunSpecRuleValuesArgs) ToPolicyDryRunSpecRuleValuesOutput

func (i PolicyDryRunSpecRuleValuesArgs) ToPolicyDryRunSpecRuleValuesOutput() PolicyDryRunSpecRuleValuesOutput

func (PolicyDryRunSpecRuleValuesArgs) ToPolicyDryRunSpecRuleValuesOutputWithContext

func (i PolicyDryRunSpecRuleValuesArgs) ToPolicyDryRunSpecRuleValuesOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleValuesOutput

func (PolicyDryRunSpecRuleValuesArgs) ToPolicyDryRunSpecRuleValuesPtrOutput

func (i PolicyDryRunSpecRuleValuesArgs) ToPolicyDryRunSpecRuleValuesPtrOutput() PolicyDryRunSpecRuleValuesPtrOutput

func (PolicyDryRunSpecRuleValuesArgs) ToPolicyDryRunSpecRuleValuesPtrOutputWithContext

func (i PolicyDryRunSpecRuleValuesArgs) ToPolicyDryRunSpecRuleValuesPtrOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleValuesPtrOutput

type PolicyDryRunSpecRuleValuesInput

// PolicyDryRunSpecRuleValuesInput is implemented by values that can be
// converted to a PolicyDryRunSpecRuleValuesOutput, either directly or with an
// explicit context.
type PolicyDryRunSpecRuleValuesInput interface {
	pulumi.Input

	ToPolicyDryRunSpecRuleValuesOutput() PolicyDryRunSpecRuleValuesOutput
	ToPolicyDryRunSpecRuleValuesOutputWithContext(context.Context) PolicyDryRunSpecRuleValuesOutput
}

PolicyDryRunSpecRuleValuesInput is an input type that accepts PolicyDryRunSpecRuleValuesArgs and PolicyDryRunSpecRuleValuesOutput values. You can construct a concrete instance of `PolicyDryRunSpecRuleValuesInput` via:

PolicyDryRunSpecRuleValuesArgs{...}

type PolicyDryRunSpecRuleValuesOutput

type PolicyDryRunSpecRuleValuesOutput struct{ *pulumi.OutputState }

func (PolicyDryRunSpecRuleValuesOutput) AllowedValues

List of values allowed at this resource.

func (PolicyDryRunSpecRuleValuesOutput) DeniedValues

List of values denied at this resource.

func (PolicyDryRunSpecRuleValuesOutput) ElementType

func (PolicyDryRunSpecRuleValuesOutput) ToPolicyDryRunSpecRuleValuesOutput

func (o PolicyDryRunSpecRuleValuesOutput) ToPolicyDryRunSpecRuleValuesOutput() PolicyDryRunSpecRuleValuesOutput

func (PolicyDryRunSpecRuleValuesOutput) ToPolicyDryRunSpecRuleValuesOutputWithContext

func (o PolicyDryRunSpecRuleValuesOutput) ToPolicyDryRunSpecRuleValuesOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleValuesOutput

func (PolicyDryRunSpecRuleValuesOutput) ToPolicyDryRunSpecRuleValuesPtrOutput

func (o PolicyDryRunSpecRuleValuesOutput) ToPolicyDryRunSpecRuleValuesPtrOutput() PolicyDryRunSpecRuleValuesPtrOutput

func (PolicyDryRunSpecRuleValuesOutput) ToPolicyDryRunSpecRuleValuesPtrOutputWithContext

func (o PolicyDryRunSpecRuleValuesOutput) ToPolicyDryRunSpecRuleValuesPtrOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleValuesPtrOutput

type PolicyDryRunSpecRuleValuesPtrInput

// PolicyDryRunSpecRuleValuesPtrInput is implemented by values that can be
// converted to a PolicyDryRunSpecRuleValuesPtrOutput, either directly or with
// an explicit context.
type PolicyDryRunSpecRuleValuesPtrInput interface {
	pulumi.Input

	ToPolicyDryRunSpecRuleValuesPtrOutput() PolicyDryRunSpecRuleValuesPtrOutput
	ToPolicyDryRunSpecRuleValuesPtrOutputWithContext(context.Context) PolicyDryRunSpecRuleValuesPtrOutput
}

PolicyDryRunSpecRuleValuesPtrInput is an input type that accepts PolicyDryRunSpecRuleValuesArgs, PolicyDryRunSpecRuleValuesPtr and PolicyDryRunSpecRuleValuesPtrOutput values. You can construct a concrete instance of `PolicyDryRunSpecRuleValuesPtrInput` via:

        PolicyDryRunSpecRuleValuesArgs{...}

or:

        nil

type PolicyDryRunSpecRuleValuesPtrOutput

type PolicyDryRunSpecRuleValuesPtrOutput struct{ *pulumi.OutputState }

func (PolicyDryRunSpecRuleValuesPtrOutput) AllowedValues

List of values allowed at this resource.

func (PolicyDryRunSpecRuleValuesPtrOutput) DeniedValues

List of values denied at this resource.

func (PolicyDryRunSpecRuleValuesPtrOutput) Elem

func (PolicyDryRunSpecRuleValuesPtrOutput) ElementType

func (PolicyDryRunSpecRuleValuesPtrOutput) ToPolicyDryRunSpecRuleValuesPtrOutput

func (o PolicyDryRunSpecRuleValuesPtrOutput) ToPolicyDryRunSpecRuleValuesPtrOutput() PolicyDryRunSpecRuleValuesPtrOutput

func (PolicyDryRunSpecRuleValuesPtrOutput) ToPolicyDryRunSpecRuleValuesPtrOutputWithContext

func (o PolicyDryRunSpecRuleValuesPtrOutput) ToPolicyDryRunSpecRuleValuesPtrOutputWithContext(ctx context.Context) PolicyDryRunSpecRuleValuesPtrOutput

type PolicyInput

// PolicyInput is implemented by values that can be converted to a
// PolicyOutput, either directly or with an explicit context.
type PolicyInput interface {
	pulumi.Input

	ToPolicyOutput() PolicyOutput
	ToPolicyOutputWithContext(ctx context.Context) PolicyOutput
}

type PolicyMap

type PolicyMap map[string]PolicyInput

func (PolicyMap) ElementType

func (PolicyMap) ElementType() reflect.Type

func (PolicyMap) ToPolicyMapOutput

func (i PolicyMap) ToPolicyMapOutput() PolicyMapOutput

func (PolicyMap) ToPolicyMapOutputWithContext

func (i PolicyMap) ToPolicyMapOutputWithContext(ctx context.Context) PolicyMapOutput

type PolicyMapInput

// PolicyMapInput is implemented by values that can be converted to a
// PolicyMapOutput, either directly or with an explicit context.
type PolicyMapInput interface {
	pulumi.Input

	ToPolicyMapOutput() PolicyMapOutput
	ToPolicyMapOutputWithContext(context.Context) PolicyMapOutput
}

PolicyMapInput is an input type that accepts PolicyMap and PolicyMapOutput values. You can construct a concrete instance of `PolicyMapInput` via:

PolicyMap{ "key": PolicyArgs{...} }

type PolicyMapOutput

type PolicyMapOutput struct{ *pulumi.OutputState }

func (PolicyMapOutput) ElementType

func (PolicyMapOutput) ElementType() reflect.Type

func (PolicyMapOutput) MapIndex

func (PolicyMapOutput) ToPolicyMapOutput

func (o PolicyMapOutput) ToPolicyMapOutput() PolicyMapOutput

func (PolicyMapOutput) ToPolicyMapOutputWithContext

func (o PolicyMapOutput) ToPolicyMapOutputWithContext(ctx context.Context) PolicyMapOutput

type PolicyOutput

type PolicyOutput struct{ *pulumi.OutputState }

func (PolicyOutput) DryRunSpec

func (o PolicyOutput) DryRunSpec() PolicyDryRunSpecPtrOutput

Dry-run policy. An audit-only policy that can be used to monitor how the policy would affect existing and future resources if it were enforced. Structure is documented below.

func (PolicyOutput) ElementType

func (PolicyOutput) ElementType() reflect.Type

func (PolicyOutput) Etag

func (o PolicyOutput) Etag() pulumi.StringOutput

Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.

func (PolicyOutput) Name

func (o PolicyOutput) Name() pulumi.StringOutput

Immutable. The resource name of the Policy. Must be one of the following forms, where constraintName is the name of the constraint which this Policy configures: * `projects/{project_number}/policies/{constraint_name}` * `folders/{folder_id}/policies/{constraint_name}` * `organizations/{organization_id}/policies/{constraint_name}` For example, "projects/123/policies/compute.disableSerialPortAccess". Note: `projects/{project_id}/policies/{constraint_name}` is also an acceptable name for API requests, but responses will return the name using the equivalent project number.

func (PolicyOutput) Parent

func (o PolicyOutput) Parent() pulumi.StringOutput

The parent of the resource.

func (PolicyOutput) Spec

Basic information about the Organization Policy. Structure is documented below.

func (PolicyOutput) ToPolicyOutput

func (o PolicyOutput) ToPolicyOutput() PolicyOutput

func (PolicyOutput) ToPolicyOutputWithContext

func (o PolicyOutput) ToPolicyOutputWithContext(ctx context.Context) PolicyOutput

type PolicySpec

// PolicySpec holds the rules and inheritance settings of an Organization
// Policy.
//
// Review note: per the field notes below, setting InheritFromParent to false
// or setting Reset both stop rules defined higher in the resource hierarchy
// from applying at this resource, so changes to either field deserve the same
// scrutiny as changes to Rules.
type PolicySpec struct {
	// (Output)
	// An opaque tag indicating the current version of the `Policy`, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the `Policy` is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current `Policy` to use when executing a read-modify-write loop. When the `Policy` is returned from a `GetEffectivePolicy` request, the `etag` will be unset.
	Etag *string `pulumi:"etag"`
	// Determines the inheritance behavior for this `Policy`. If `inheritFromParent` is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
	InheritFromParent *bool `pulumi:"inheritFromParent"`
	// Ignores policies set above this resource and restores the `constraintDefault` enforcement behavior of the specific `Constraint` at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inheritFromParent` must be set to false.
	Reset *bool `pulumi:"reset"`
	// In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set `enforced` to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
	// Structure is documented below.
	Rules []PolicySpecRule `pulumi:"rules"`
	// (Output)
	// Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that `Policy`.
	UpdateTime *string `pulumi:"updateTime"`
}

type PolicySpecArgs

// PolicySpecArgs is the Pulumi-input form of PolicySpec: the same fields under
// the same `pulumi` tags, typed as inputs.
//
// NOTE(review): per the field comments below, `reset` and
// `inheritFromParent = false` each stop rules set on ancestor resources from
// applying at this resource, so a change to either one alters the effective
// policy even when `rules` is untouched. Treat such changes as
// security-relevant in review.
type PolicySpecArgs struct {
	// (Output)
	// An opaque tag indicating the current version of the `Policy`, used for
	// concurrency control. This field is ignored if used in a `CreatePolicy`
	// request. When the `Policy` is returned from either a `GetPolicy` or a
	// `ListPolicies` request, this `etag` indicates the version of the current
	// `Policy` to use when executing a read-modify-write loop. When the `Policy`
	// is returned from a `GetEffectivePolicy` request, the `etag` will be unset.
	Etag pulumi.StringPtrInput `pulumi:"etag"`
	// Determines the inheritance behavior for this `Policy`. If
	// `inheritFromParent` is true, PolicyRules set higher up in the hierarchy (up
	// to the closest root) are inherited and present in the effective policy. If
	// it is false, then no rules are inherited, and this Policy becomes the new
	// root for evaluation. This field can be set only for Policies which
	// configure list constraints.
	InheritFromParent pulumi.BoolPtrInput `pulumi:"inheritFromParent"`
	// Ignores policies set above this resource and restores the
	// `constraintDefault` enforcement behavior of the specific `Constraint` at
	// this resource. This field can be set in policies for either list or boolean
	// constraints. If set, `rules` must be empty and `inheritFromParent` must be
	// set to false.
	Reset pulumi.BoolPtrInput `pulumi:"reset"`
	// In Policies for boolean constraints, the following requirements apply:
	//   - There must be one and only one PolicyRule where condition is unset.
	//   - BooleanPolicyRules with conditions must set `enforced` to the opposite
	//     of the PolicyRule without a condition. (`enforced` presumably refers to
	//     the rule's `enforce` field; confirm against the provider docs.)
	//   - During policy evaluation, PolicyRules with conditions that are true for
	//     a target resource take precedence.
	// Structure is documented below.
	Rules PolicySpecRuleArrayInput `pulumi:"rules"`
	// (Output)
	// Output only. The time stamp at which this `Policy` was last updated. This
	// represents the last time a call to `CreatePolicy` or `UpdatePolicy` was
	// made for that `Policy`.
	UpdateTime pulumi.StringPtrInput `pulumi:"updateTime"`
}

func (PolicySpecArgs) ElementType

func (PolicySpecArgs) ElementType() reflect.Type

func (PolicySpecArgs) ToPolicySpecOutput

func (i PolicySpecArgs) ToPolicySpecOutput() PolicySpecOutput

func (PolicySpecArgs) ToPolicySpecOutputWithContext

func (i PolicySpecArgs) ToPolicySpecOutputWithContext(ctx context.Context) PolicySpecOutput

func (PolicySpecArgs) ToPolicySpecPtrOutput

func (i PolicySpecArgs) ToPolicySpecPtrOutput() PolicySpecPtrOutput

func (PolicySpecArgs) ToPolicySpecPtrOutputWithContext

func (i PolicySpecArgs) ToPolicySpecPtrOutputWithContext(ctx context.Context) PolicySpecPtrOutput

type PolicySpecInput

type PolicySpecInput interface {
	pulumi.Input

	ToPolicySpecOutput() PolicySpecOutput
	ToPolicySpecOutputWithContext(context.Context) PolicySpecOutput
}

PolicySpecInput is an input type that accepts PolicySpecArgs and PolicySpecOutput values. You can construct a concrete instance of `PolicySpecInput` via:

PolicySpecArgs{...}

type PolicySpecOutput

type PolicySpecOutput struct{ *pulumi.OutputState }

func (PolicySpecOutput) ElementType

func (PolicySpecOutput) ElementType() reflect.Type

func (PolicySpecOutput) Etag

(Output) An opaque tag indicating the current version of the `Policy`, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the `Policy` is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current `Policy` to use when executing a read-modify-write loop. When the `Policy` is returned from a `GetEffectivePolicy` request, the `etag` will be unset.

func (PolicySpecOutput) InheritFromParent

func (o PolicySpecOutput) InheritFromParent() pulumi.BoolPtrOutput

Determines the inheritance behavior for this `Policy`. If `inheritFromParent` is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.

func (PolicySpecOutput) Reset

Ignores policies set above this resource and restores the `constraintDefault` enforcement behavior of the specific `Constraint` at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inheritFromParent` must be set to false.

func (PolicySpecOutput) Rules

In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set `enforced` to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.

func (PolicySpecOutput) ToPolicySpecOutput

func (o PolicySpecOutput) ToPolicySpecOutput() PolicySpecOutput

func (PolicySpecOutput) ToPolicySpecOutputWithContext

func (o PolicySpecOutput) ToPolicySpecOutputWithContext(ctx context.Context) PolicySpecOutput

func (PolicySpecOutput) ToPolicySpecPtrOutput

func (o PolicySpecOutput) ToPolicySpecPtrOutput() PolicySpecPtrOutput

func (PolicySpecOutput) ToPolicySpecPtrOutputWithContext

func (o PolicySpecOutput) ToPolicySpecPtrOutputWithContext(ctx context.Context) PolicySpecPtrOutput

func (PolicySpecOutput) UpdateTime

func (o PolicySpecOutput) UpdateTime() pulumi.StringPtrOutput

(Output) Output only. The time stamp at which this `Policy` was last updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that `Policy`.

type PolicySpecPtrInput

type PolicySpecPtrInput interface {
	pulumi.Input

	ToPolicySpecPtrOutput() PolicySpecPtrOutput
	ToPolicySpecPtrOutputWithContext(context.Context) PolicySpecPtrOutput
}

PolicySpecPtrInput is an input type that accepts PolicySpecArgs, PolicySpecPtr and PolicySpecPtrOutput values. You can construct a concrete instance of `PolicySpecPtrInput` via:

        PolicySpecArgs{...}

or:

        nil

func PolicySpecPtr

func PolicySpecPtr(v *PolicySpecArgs) PolicySpecPtrInput

type PolicySpecPtrOutput

type PolicySpecPtrOutput struct{ *pulumi.OutputState }

func (PolicySpecPtrOutput) Elem

func (PolicySpecPtrOutput) ElementType

func (PolicySpecPtrOutput) ElementType() reflect.Type

func (PolicySpecPtrOutput) Etag

(Output) An opaque tag indicating the current version of the `Policy`, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the `Policy` is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current `Policy` to use when executing a read-modify-write loop. When the `Policy` is returned from a `GetEffectivePolicy` request, the `etag` will be unset.

func (PolicySpecPtrOutput) InheritFromParent

func (o PolicySpecPtrOutput) InheritFromParent() pulumi.BoolPtrOutput

Determines the inheritance behavior for this `Policy`. If `inheritFromParent` is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.

func (PolicySpecPtrOutput) Reset

Ignores policies set above this resource and restores the `constraintDefault` enforcement behavior of the specific `Constraint` at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inheritFromParent` must be set to false.

func (PolicySpecPtrOutput) Rules

In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set `enforced` to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence. Structure is documented below.

func (PolicySpecPtrOutput) ToPolicySpecPtrOutput

func (o PolicySpecPtrOutput) ToPolicySpecPtrOutput() PolicySpecPtrOutput

func (PolicySpecPtrOutput) ToPolicySpecPtrOutputWithContext

func (o PolicySpecPtrOutput) ToPolicySpecPtrOutputWithContext(ctx context.Context) PolicySpecPtrOutput

func (PolicySpecPtrOutput) UpdateTime

(Output) Output only. The time stamp at which this `Policy` was last updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that `Policy`.

type PolicySpecRule

// PolicySpecRule is one rule of an organization policy, optionally gated by a
// tag-matching condition.
//
// `allowAll`, `denyAll` and `enforce` are strings holding `"TRUE"` or
// `"FALSE"`, not Go booleans.
//
// NOTE(review): the field comments tie `allowAll`, `denyAll` and `values` to
// list constraints and `enforce` to boolean constraints; presumably a single
// rule sets only one of them (confirm against the provider docs). A rule with
// `allowAll = "TRUE"` or `enforce = "FALSE"` leaves the constraint imposing no
// restriction wherever the rule applies, so such rules deserve an explicit
// justification in review.
type PolicySpecRule struct {
	// Setting this to `"TRUE"` means that all values are allowed. This field can
	// be set only in Policies for list constraints.
	AllowAll *string `pulumi:"allowAll"`
	// A condition which determines whether this rule is used in the evaluation
	// of the policy. When set, the `expression` field in the `Expr` must include
	// from 1 to 10 subexpressions, joined by the `||` or `&&` operators. Each
	// subexpression must be of the form
	// `resource.matchTag('{organization_id}/tag_key_short_name', 'tag_value_short_name')`
	// or `resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')`,
	// where keyName and valueName are the resource names for Label Keys and
	// Values (presumably the `tagKeys/...` and `tagValues/...` arguments above;
	// confirm). These names are available from the Tag Manager Service.
	// An example expression is `resource.matchTag('123456789/environment', 'prod')`
	// or `resource.matchTagId('tagKeys/123', 'tagValues/456')`.
	// Structure is documented below.
	Condition *PolicySpecRuleCondition `pulumi:"condition"`
	// Setting this to `"TRUE"` means that all values are denied. This field can
	// be set only in Policies for list constraints.
	DenyAll *string `pulumi:"denyAll"`
	// If `"TRUE"`, then the `Policy` is enforced. If `"FALSE"`, then any
	// configuration is acceptable. This field can be set only in Policies for
	// boolean constraints.
	Enforce *string `pulumi:"enforce"`
	// List of values to be used for this policy rule. This field can be set only
	// in policies for list constraints.
	// Structure is documented below.
	Values *PolicySpecRuleValues `pulumi:"values"`
}

type PolicySpecRuleArgs

// PolicySpecRuleArgs is the Pulumi-input form of PolicySpecRule: the same
// fields under the same `pulumi` tags, typed as inputs.
//
// `allowAll`, `denyAll` and `enforce` take the strings `"TRUE"` or `"FALSE"`,
// not Go booleans.
//
// NOTE(review): the field comments tie `allowAll`, `denyAll` and `values` to
// list constraints and `enforce` to boolean constraints; presumably a single
// rule sets only one of them (confirm against the provider docs). A rule with
// `allowAll = "TRUE"` or `enforce = "FALSE"` leaves the constraint imposing no
// restriction wherever the rule applies, so such rules deserve an explicit
// justification in review.
type PolicySpecRuleArgs struct {
	// Setting this to `"TRUE"` means that all values are allowed. This field can
	// be set only in Policies for list constraints.
	AllowAll pulumi.StringPtrInput `pulumi:"allowAll"`
	// A condition which determines whether this rule is used in the evaluation
	// of the policy. When set, the `expression` field in the `Expr` must include
	// from 1 to 10 subexpressions, joined by the `||` or `&&` operators. Each
	// subexpression must be of the form
	// `resource.matchTag('{organization_id}/tag_key_short_name', 'tag_value_short_name')`
	// or `resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')`,
	// where keyName and valueName are the resource names for Label Keys and
	// Values (presumably the `tagKeys/...` and `tagValues/...` arguments above;
	// confirm). These names are available from the Tag Manager Service.
	// An example expression is `resource.matchTag('123456789/environment', 'prod')`
	// or `resource.matchTagId('tagKeys/123', 'tagValues/456')`.
	// Structure is documented below.
	Condition PolicySpecRuleConditionPtrInput `pulumi:"condition"`
	// Setting this to `"TRUE"` means that all values are denied. This field can
	// be set only in Policies for list constraints.
	DenyAll pulumi.StringPtrInput `pulumi:"denyAll"`
	// If `"TRUE"`, then the `Policy` is enforced. If `"FALSE"`, then any
	// configuration is acceptable. This field can be set only in Policies for
	// boolean constraints.
	Enforce pulumi.StringPtrInput `pulumi:"enforce"`
	// List of values to be used for this policy rule. This field can be set only
	// in policies for list constraints.
	// Structure is documented below.
	Values PolicySpecRuleValuesPtrInput `pulumi:"values"`
}

func (PolicySpecRuleArgs) ElementType

func (PolicySpecRuleArgs) ElementType() reflect.Type

func (PolicySpecRuleArgs) ToPolicySpecRuleOutput

func (i PolicySpecRuleArgs) ToPolicySpecRuleOutput() PolicySpecRuleOutput

func (PolicySpecRuleArgs) ToPolicySpecRuleOutputWithContext

func (i PolicySpecRuleArgs) ToPolicySpecRuleOutputWithContext(ctx context.Context) PolicySpecRuleOutput

type PolicySpecRuleArray

type PolicySpecRuleArray []PolicySpecRuleInput

func (PolicySpecRuleArray) ElementType

func (PolicySpecRuleArray) ElementType() reflect.Type

func (PolicySpecRuleArray) ToPolicySpecRuleArrayOutput

func (i PolicySpecRuleArray) ToPolicySpecRuleArrayOutput() PolicySpecRuleArrayOutput

func (PolicySpecRuleArray) ToPolicySpecRuleArrayOutputWithContext

func (i PolicySpecRuleArray) ToPolicySpecRuleArrayOutputWithContext(ctx context.Context) PolicySpecRuleArrayOutput

type PolicySpecRuleArrayInput

type PolicySpecRuleArrayInput interface {
	pulumi.Input

	ToPolicySpecRuleArrayOutput() PolicySpecRuleArrayOutput
	ToPolicySpecRuleArrayOutputWithContext(context.Context) PolicySpecRuleArrayOutput
}

PolicySpecRuleArrayInput is an input type that accepts PolicySpecRuleArray and PolicySpecRuleArrayOutput values. You can construct a concrete instance of `PolicySpecRuleArrayInput` via:

PolicySpecRuleArray{ PolicySpecRuleArgs{...} }

type PolicySpecRuleArrayOutput

type PolicySpecRuleArrayOutput struct{ *pulumi.OutputState }

func (PolicySpecRuleArrayOutput) ElementType

func (PolicySpecRuleArrayOutput) ElementType() reflect.Type

func (PolicySpecRuleArrayOutput) Index

func (PolicySpecRuleArrayOutput) ToPolicySpecRuleArrayOutput

func (o PolicySpecRuleArrayOutput) ToPolicySpecRuleArrayOutput() PolicySpecRuleArrayOutput

func (PolicySpecRuleArrayOutput) ToPolicySpecRuleArrayOutputWithContext

func (o PolicySpecRuleArrayOutput) ToPolicySpecRuleArrayOutputWithContext(ctx context.Context) PolicySpecRuleArrayOutput

type PolicySpecRuleCondition

// PolicySpecRuleCondition is a Common Expression Language (CEL) expression plus
// optional descriptive metadata. Only `expression` carries the condition
// itself; the other fields are described as optional text for people and
// tooling.
type PolicySpecRuleCondition struct {
	// Optional. Description of the expression. This is a longer text which
	// describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language
	// syntax.
	Expression *string `pulumi:"expression"`
	// Optional. String indicating the location of the expression for error
	// reporting, e.g. a file name and a position in the file.
	Location *string `pulumi:"location"`
	// Optional. Title for the expression, i.e. a short string describing its
	// purpose. This can be used e.g. in UIs which allow entering the expression.
	Title *string `pulumi:"title"`
}

type PolicySpecRuleConditionArgs

// PolicySpecRuleConditionArgs is the Pulumi-input form of
// PolicySpecRuleCondition: a Common Expression Language (CEL) expression plus
// optional descriptive metadata. Only `expression` carries the condition
// itself; the other fields are described as optional text for people and
// tooling.
type PolicySpecRuleConditionArgs struct {
	// Optional. Description of the expression. This is a longer text which
	// describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language
	// syntax.
	Expression pulumi.StringPtrInput `pulumi:"expression"`
	// Optional. String indicating the location of the expression for error
	// reporting, e.g. a file name and a position in the file.
	Location pulumi.StringPtrInput `pulumi:"location"`
	// Optional. Title for the expression, i.e. a short string describing its
	// purpose. This can be used e.g. in UIs which allow entering the expression.
	Title pulumi.StringPtrInput `pulumi:"title"`
}

func (PolicySpecRuleConditionArgs) ElementType

func (PolicySpecRuleConditionArgs) ToPolicySpecRuleConditionOutput

func (i PolicySpecRuleConditionArgs) ToPolicySpecRuleConditionOutput() PolicySpecRuleConditionOutput

func (PolicySpecRuleConditionArgs) ToPolicySpecRuleConditionOutputWithContext

func (i PolicySpecRuleConditionArgs) ToPolicySpecRuleConditionOutputWithContext(ctx context.Context) PolicySpecRuleConditionOutput

func (PolicySpecRuleConditionArgs) ToPolicySpecRuleConditionPtrOutput

func (i PolicySpecRuleConditionArgs) ToPolicySpecRuleConditionPtrOutput() PolicySpecRuleConditionPtrOutput

func (PolicySpecRuleConditionArgs) ToPolicySpecRuleConditionPtrOutputWithContext

func (i PolicySpecRuleConditionArgs) ToPolicySpecRuleConditionPtrOutputWithContext(ctx context.Context) PolicySpecRuleConditionPtrOutput

type PolicySpecRuleConditionInput

type PolicySpecRuleConditionInput interface {
	pulumi.Input

	ToPolicySpecRuleConditionOutput() PolicySpecRuleConditionOutput
	ToPolicySpecRuleConditionOutputWithContext(context.Context) PolicySpecRuleConditionOutput
}

PolicySpecRuleConditionInput is an input type that accepts PolicySpecRuleConditionArgs and PolicySpecRuleConditionOutput values. You can construct a concrete instance of `PolicySpecRuleConditionInput` via:

PolicySpecRuleConditionArgs{...}

type PolicySpecRuleConditionOutput

type PolicySpecRuleConditionOutput struct{ *pulumi.OutputState }

func (PolicySpecRuleConditionOutput) Description

Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (PolicySpecRuleConditionOutput) ElementType

func (PolicySpecRuleConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (PolicySpecRuleConditionOutput) Location

Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

func (PolicySpecRuleConditionOutput) Title

Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

func (PolicySpecRuleConditionOutput) ToPolicySpecRuleConditionOutput

func (o PolicySpecRuleConditionOutput) ToPolicySpecRuleConditionOutput() PolicySpecRuleConditionOutput

func (PolicySpecRuleConditionOutput) ToPolicySpecRuleConditionOutputWithContext

func (o PolicySpecRuleConditionOutput) ToPolicySpecRuleConditionOutputWithContext(ctx context.Context) PolicySpecRuleConditionOutput

func (PolicySpecRuleConditionOutput) ToPolicySpecRuleConditionPtrOutput

func (o PolicySpecRuleConditionOutput) ToPolicySpecRuleConditionPtrOutput() PolicySpecRuleConditionPtrOutput

func (PolicySpecRuleConditionOutput) ToPolicySpecRuleConditionPtrOutputWithContext

func (o PolicySpecRuleConditionOutput) ToPolicySpecRuleConditionPtrOutputWithContext(ctx context.Context) PolicySpecRuleConditionPtrOutput

type PolicySpecRuleConditionPtrInput

type PolicySpecRuleConditionPtrInput interface {
	pulumi.Input

	ToPolicySpecRuleConditionPtrOutput() PolicySpecRuleConditionPtrOutput
	ToPolicySpecRuleConditionPtrOutputWithContext(context.Context) PolicySpecRuleConditionPtrOutput
}

PolicySpecRuleConditionPtrInput is an input type that accepts PolicySpecRuleConditionArgs, PolicySpecRuleConditionPtr and PolicySpecRuleConditionPtrOutput values. You can construct a concrete instance of `PolicySpecRuleConditionPtrInput` via:

        PolicySpecRuleConditionArgs{...}

or:

        nil

type PolicySpecRuleConditionPtrOutput

type PolicySpecRuleConditionPtrOutput struct{ *pulumi.OutputState }

func (PolicySpecRuleConditionPtrOutput) Description

Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (PolicySpecRuleConditionPtrOutput) Elem

func (PolicySpecRuleConditionPtrOutput) ElementType

func (PolicySpecRuleConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (PolicySpecRuleConditionPtrOutput) Location

Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

func (PolicySpecRuleConditionPtrOutput) Title

Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

func (PolicySpecRuleConditionPtrOutput) ToPolicySpecRuleConditionPtrOutput

func (o PolicySpecRuleConditionPtrOutput) ToPolicySpecRuleConditionPtrOutput() PolicySpecRuleConditionPtrOutput

func (PolicySpecRuleConditionPtrOutput) ToPolicySpecRuleConditionPtrOutputWithContext

func (o PolicySpecRuleConditionPtrOutput) ToPolicySpecRuleConditionPtrOutputWithContext(ctx context.Context) PolicySpecRuleConditionPtrOutput

type PolicySpecRuleInput

type PolicySpecRuleInput interface {
	pulumi.Input

	ToPolicySpecRuleOutput() PolicySpecRuleOutput
	ToPolicySpecRuleOutputWithContext(context.Context) PolicySpecRuleOutput
}

PolicySpecRuleInput is an input type that accepts PolicySpecRuleArgs and PolicySpecRuleOutput values. You can construct a concrete instance of `PolicySpecRuleInput` via:

PolicySpecRuleArgs{...}

type PolicySpecRuleOutput

type PolicySpecRuleOutput struct{ *pulumi.OutputState }

func (PolicySpecRuleOutput) AllowAll

Setting this to `"TRUE"` means that all values are allowed. This field can be set only in Policies for list constraints.

func (PolicySpecRuleOutput) Condition

A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr` must include from 1 to 10 subexpressions, joined by the `||` or `&&` operators. Each subexpression must be of the form `resource.matchTag('{organization_id}/tag_key_short_name', 'tag_value_short_name')` or `resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')`, where keyName and valueName are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is `resource.matchTag('123456789/environment', 'prod')` or `resource.matchTagId('tagKeys/123', 'tagValues/456')`. Structure is documented below.

func (PolicySpecRuleOutput) DenyAll

Setting this to `"TRUE"` means that all values are denied. This field can be set only in Policies for list constraints.

func (PolicySpecRuleOutput) ElementType

func (PolicySpecRuleOutput) ElementType() reflect.Type

func (PolicySpecRuleOutput) Enforce

If `"TRUE"`, then the `Policy` is enforced. If `"FALSE"`, then any configuration is acceptable. This field can be set only in Policies for boolean constraints.

func (PolicySpecRuleOutput) ToPolicySpecRuleOutput

func (o PolicySpecRuleOutput) ToPolicySpecRuleOutput() PolicySpecRuleOutput

func (PolicySpecRuleOutput) ToPolicySpecRuleOutputWithContext

func (o PolicySpecRuleOutput) ToPolicySpecRuleOutputWithContext(ctx context.Context) PolicySpecRuleOutput

func (PolicySpecRuleOutput) Values

List of values to be used for this policy rule. This field can be set only in policies for list constraints. Structure is documented below.

type PolicySpecRuleValues

// PolicySpecRuleValues lists the explicit values a rule allows or denies.
// NOTE(review): how an allow list and a deny list combine when both are set is
// not described here; confirm against the Organization Policy documentation
// before relying on either list alone.
type PolicySpecRuleValues struct {
	// List of values allowed at this resource.
	AllowedValues []string `pulumi:"allowedValues"`
	// List of values denied at this resource.
	DeniedValues []string `pulumi:"deniedValues"`
}

type PolicySpecRuleValuesArgs

// PolicySpecRuleValuesArgs is the Pulumi-input form of PolicySpecRuleValues:
// the explicit values a rule allows or denies.
// NOTE(review): how an allow list and a deny list combine when both are set is
// not described here; confirm against the Organization Policy documentation
// before relying on either list alone.
type PolicySpecRuleValuesArgs struct {
	// List of values allowed at this resource.
	AllowedValues pulumi.StringArrayInput `pulumi:"allowedValues"`
	// List of values denied at this resource.
	DeniedValues pulumi.StringArrayInput `pulumi:"deniedValues"`
}

func (PolicySpecRuleValuesArgs) ElementType

func (PolicySpecRuleValuesArgs) ElementType() reflect.Type

func (PolicySpecRuleValuesArgs) ToPolicySpecRuleValuesOutput

func (i PolicySpecRuleValuesArgs) ToPolicySpecRuleValuesOutput() PolicySpecRuleValuesOutput

func (PolicySpecRuleValuesArgs) ToPolicySpecRuleValuesOutputWithContext

func (i PolicySpecRuleValuesArgs) ToPolicySpecRuleValuesOutputWithContext(ctx context.Context) PolicySpecRuleValuesOutput

func (PolicySpecRuleValuesArgs) ToPolicySpecRuleValuesPtrOutput

func (i PolicySpecRuleValuesArgs) ToPolicySpecRuleValuesPtrOutput() PolicySpecRuleValuesPtrOutput

func (PolicySpecRuleValuesArgs) ToPolicySpecRuleValuesPtrOutputWithContext

func (i PolicySpecRuleValuesArgs) ToPolicySpecRuleValuesPtrOutputWithContext(ctx context.Context) PolicySpecRuleValuesPtrOutput

type PolicySpecRuleValuesInput

type PolicySpecRuleValuesInput interface {
	pulumi.Input

	ToPolicySpecRuleValuesOutput() PolicySpecRuleValuesOutput
	ToPolicySpecRuleValuesOutputWithContext(context.Context) PolicySpecRuleValuesOutput
}

PolicySpecRuleValuesInput is an input type that accepts PolicySpecRuleValuesArgs and PolicySpecRuleValuesOutput values. You can construct a concrete instance of `PolicySpecRuleValuesInput` via:

PolicySpecRuleValuesArgs{...}

type PolicySpecRuleValuesOutput

type PolicySpecRuleValuesOutput struct{ *pulumi.OutputState }

func (PolicySpecRuleValuesOutput) AllowedValues

List of values allowed at this resource.

func (PolicySpecRuleValuesOutput) DeniedValues

List of values denied at this resource.

func (PolicySpecRuleValuesOutput) ElementType

func (PolicySpecRuleValuesOutput) ElementType() reflect.Type

func (PolicySpecRuleValuesOutput) ToPolicySpecRuleValuesOutput

func (o PolicySpecRuleValuesOutput) ToPolicySpecRuleValuesOutput() PolicySpecRuleValuesOutput

func (PolicySpecRuleValuesOutput) ToPolicySpecRuleValuesOutputWithContext

func (o PolicySpecRuleValuesOutput) ToPolicySpecRuleValuesOutputWithContext(ctx context.Context) PolicySpecRuleValuesOutput

func (PolicySpecRuleValuesOutput) ToPolicySpecRuleValuesPtrOutput

func (o PolicySpecRuleValuesOutput) ToPolicySpecRuleValuesPtrOutput() PolicySpecRuleValuesPtrOutput

func (PolicySpecRuleValuesOutput) ToPolicySpecRuleValuesPtrOutputWithContext

func (o PolicySpecRuleValuesOutput) ToPolicySpecRuleValuesPtrOutputWithContext(ctx context.Context) PolicySpecRuleValuesPtrOutput

type PolicySpecRuleValuesPtrInput

type PolicySpecRuleValuesPtrInput interface {
	pulumi.Input

	ToPolicySpecRuleValuesPtrOutput() PolicySpecRuleValuesPtrOutput
	ToPolicySpecRuleValuesPtrOutputWithContext(context.Context) PolicySpecRuleValuesPtrOutput
}

PolicySpecRuleValuesPtrInput is an input type that accepts PolicySpecRuleValuesArgs, PolicySpecRuleValuesPtr and PolicySpecRuleValuesPtrOutput values. You can construct a concrete instance of `PolicySpecRuleValuesPtrInput` via:

        PolicySpecRuleValuesArgs{...}

or:

        nil

type PolicySpecRuleValuesPtrOutput

type PolicySpecRuleValuesPtrOutput struct{ *pulumi.OutputState }

func (PolicySpecRuleValuesPtrOutput) AllowedValues

List of values allowed at this resource.

func (PolicySpecRuleValuesPtrOutput) DeniedValues

List of values denied at this resource.

func (PolicySpecRuleValuesPtrOutput) Elem

func (PolicySpecRuleValuesPtrOutput) ElementType

func (PolicySpecRuleValuesPtrOutput) ToPolicySpecRuleValuesPtrOutput

func (o PolicySpecRuleValuesPtrOutput) ToPolicySpecRuleValuesPtrOutput() PolicySpecRuleValuesPtrOutput

func (PolicySpecRuleValuesPtrOutput) ToPolicySpecRuleValuesPtrOutputWithContext

func (o PolicySpecRuleValuesPtrOutput) ToPolicySpecRuleValuesPtrOutputWithContext(ctx context.Context) PolicySpecRuleValuesPtrOutput

type PolicyState

// PolicyState lists the properties of a Policy resource as pointer-typed
// Pulumi inputs.
type PolicyState struct {
	// Dry-run policy. Audit-only policy, can be used to monitor how the policy
	// would have impacted the existing and future resources if it's enforced.
	// Structure is documented below.
	DryRunSpec PolicyDryRunSpecPtrInput
	// Optional. An opaque tag indicating the current state of the policy, used
	// for concurrency control. This 'etag' is computed by the server based on the
	// value of other fields, and may be sent on update and delete requests to
	// ensure the client has an up-to-date value before proceeding.
	Etag pulumi.StringPtrInput
	// Immutable. The resource name of the Policy. Must be one of the following
	// forms, where constraintName is the name of the constraint which this Policy
	// configures:
	//   * `projects/{project_number}/policies/{constraint_name}`
	//   * `folders/{folder_id}/policies/{constraint_name}`
	//   * `organizations/{organization_id}/policies/{constraint_name}`
	// For example, "projects/123/policies/compute.disableSerialPortAccess".
	// Note: `projects/{project_id}/policies/{constraint_name}` is also an
	// acceptable name for API requests, but responses will return the name using
	// the equivalent project number.
	Name pulumi.StringPtrInput
	// The parent of the resource.
	Parent pulumi.StringPtrInput
	// Basic information about the Organization Policy.
	// Structure is documented below.
	Spec PolicySpecPtrInput
}

func (PolicyState) ElementType

func (PolicyState) ElementType() reflect.Type
