A Pulumi package for creating and managing Google Cloud Platform resources.

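import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";

/**
 * Defines an organization policy which is used to specify constraints for configurations of Google Cloud resources.
 *
 * To get more information about Policy, see:
 *
 * * [API documentation](https://cloud.google.com/resource-manager/docs/reference/orgpolicy/rest/v2/organizations.policies)
 * * How-to Guides
 *     * [Official Documentation](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints)
 *     * [Supported Services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services)
 *
 * ## Example Usage
 *
 * ### Org Policy Policy Enforce
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const basic = new gcp.organizations.Project("basic", {
 *     projectId: "id",
 *     name: "id",
 *     orgId: "123456789",
 *     deletionPolicy: "DELETE",
 * });
 * const primary = new gcp.orgpolicy.Policy("primary", {
 *     name: pulumi.interpolate`projects/${basic.projectId}/policies/iam.disableServiceAccountKeyUpload`,
 *     parent: pulumi.interpolate`projects/${basic.projectId}`,
 *     spec: {
 *         rules: [{
 *             enforce: "FALSE",
 *         }],
 *     },
 * });
 * ```
 * ### Org Policy Policy Folder
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const basic = new gcp.organizations.Folder("basic", {
 *     parent: "organizations/123456789",
 *     displayName: "folder",
 *     deletionProtection: false,
 * });
 * const primary = new gcp.orgpolicy.Policy("primary", {
 *     name: pulumi.interpolate`${basic.name}/policies/gcp.resourceLocations`,
 *     parent: basic.name,
 *     spec: {
 *         inheritFromParent: true,
 *         rules: [{
 *             denyAll: "TRUE",
 *         }],
 *     },
 * });
 * ```
 * ### Org Policy Policy Organization
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const primary = new gcp.orgpolicy.Policy("primary", {
 *     name: "organizations/123456789/policies/gcp.detailedAuditLoggingMode",
 *     parent: "organizations/123456789",
 *     spec: {
 *         reset: true,
 *     },
 * });
 * ```
 * ### Org Policy Policy Project
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const basic = new gcp.organizations.Project("basic", {
 *     projectId: "id",
 *     name: "id",
 *     orgId: "123456789",
 *     deletionPolicy: "DELETE",
 * });
 * const primary = new gcp.orgpolicy.Policy("primary", {
 *     name: pulumi.interpolate`projects/${basic.projectId}/policies/gcp.resourceLocations`,
 *     parent: pulumi.interpolate`projects/${basic.projectId}`,
 *     spec: {
 *         rules: [
 *             {
 *                 condition: {
 *                     description: "A sample condition for the policy",
 *                     expression: "resource.matchTagId('tagKeys/123', 'tagValues/345')",
 *                     location: "sample-location.log",
 *                     title: "sample-condition",
 *                 },
 *                 values: {
 *                     allowedValues: ["projects/allowed-project"],
 *                     deniedValues: ["projects/denied-project"],
 *                 },
 *             },
 *             {
 *                 allowAll: "TRUE",
 *             },
 *         ],
 *     },
 * });
 * ```
 * ### Org Policy Policy Dry Run Spec
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const constraint = new gcp.orgpolicy.CustomConstraint("constraint", {
 *     name: "custom.disableGkeAutoUpgrade_8647",
 *     parent: "organizations/123456789",
 *     displayName: "Disable GKE auto upgrade",
 *     description: "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced.",
 *     actionType: "ALLOW",
 *     condition: "resource.management.autoUpgrade == false",
 *     methodTypes: ["CREATE"],
 *     resourceTypes: ["container.googleapis.com/NodePool"],
 * });
 * const primary = new gcp.orgpolicy.Policy("primary", {
 *     name: pulumi.interpolate`organizations/123456789/policies/${constraint.name}`,
 *     parent: "organizations/123456789",
 *     spec: {
 *         rules: [{
 *             enforce: "FALSE",
 *         }],
 *     },
 *     dryRunSpec: {
 *         inheritFromParent: false,
 *         reset: false,
 *         rules: [{
 *             enforce: "FALSE",
 *         }],
 *     },
 * });
 * ```
 * ### Org Policy Policy Parameters Enforce
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const basic = new gcp.organizations.Project("basic", {
 *     projectId: "id",
 *     name: "id",
 *     orgId: "123456789",
 *     deletionPolicy: "DELETE",
 * });
 * const primary = new gcp.orgpolicy.Policy("primary", {
 *     name: pulumi.interpolate`projects/${basic.name}/policies/compute.managed.restrictDiskCreation`,
 *     parent: pulumi.interpolate`projects/${basic.name}`,
 *     spec: {
 *         rules: [{
 *             enforce: "TRUE",
 *             // `parameters` is passed as a JSON-encoded string, hence the JSON.stringify().
 *             parameters: JSON.stringify({
 *                 isSizeLimitCheck: true,
 *                 allowedDiskTypes: [
 *                     "pd-ssd",
 *                     "pd-standard",
 *                 ],
 *             }),
 *         }],
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * Policy can be imported using any of these accepted formats:
 *
 * * `{{parent}}/policies/{{name}}`
 *
 * When using the `pulumi import` command, Policy can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:orgpolicy/policy:Policy default {{parent}}/policies/{{name}}
 * ```
 *
 * @remarks
 * Of the two rule sets a Policy can carry, only `spec` is enforced; `dryRunSpec`
 * is audit-only (see the property docs below). Reviewers checking that a guardrail
 * is actually in force should look at `spec`, not `dryRunSpec`.
 */
export declare class Policy extends pulumi.CustomResource {
    /**
     * Get an existing Policy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns The looked-up Policy resource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy;
    /**
     * Returns true if the given object is an instance of Policy. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * The parameter is typed `unknown` rather than `any`: any value may be passed, and the
     * type predicate narrows it on a `true` result without disabling checking at the call site.
     *
     * @param obj Any value to test.
     * @returns `true` when `obj` is a Policy (narrowing `obj` to `Policy`), else `false`.
     */
    static isInstance(obj: unknown): obj is Policy;
    /**
     * Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
     * Structure is documented below.
     *
     * Because it is audit-only, a rule placed here does not block anything; put rules that must
     * take effect in `spec`.
     */
    readonly dryRunSpec: pulumi.Output<outputs.orgpolicy.PolicyDryRunSpec | undefined>;
    /**
     * Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
     *
     * NOTE(review): presumably an update or delete sent without a current etag can overwrite a
     * concurrent change unnoticed — confirm against the API reference linked above.
     */
    readonly etag: pulumi.Output<string>;
    /**
     * Immutable. The resource name of the Policy. Must be one of the following forms, where constraintName is the name of the constraint which this Policy configures:
     * * `projects/{project_number}/policies/{constraint_name}`
     * * `folders/{folder_id}/policies/{constraint_name}`
     * * `organizations/{organization_id}/policies/{constraint_name}`
     * For example, "projects/123/policies/compute.disableSerialPortAccess".
     * Note: `projects/{project_id}/policies/{constraint_name}` is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The parent of the resource.
     *
     * In the examples above this is the `projects/…`, `folders/…` or `organizations/…`
     * prefix that `name` is built from.
     */
    readonly parent: pulumi.Output<string>;
    /**
     * Basic information about the Organization Policy.
     * Structure is documented below.
     *
     * This is the enforced rule set (contrast `dryRunSpec`).
     */
    readonly spec: pulumi.Output<outputs.orgpolicy.PolicySpec | undefined>;
    /**
     * Create a Policy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties; only `parent` is required.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering Policy resources.
 *
 * Every property is optional here, unlike {@link PolicyArgs}, because a lookup
 * may qualify on any subset of them.
 */
export interface PolicyState {
    /**
     * Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
     * Structure is documented below.
     */
    dryRunSpec?: pulumi.Input<inputs.orgpolicy.PolicyDryRunSpec>;
    /**
     * Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
     */
    etag?: pulumi.Input<string>;
    /**
     * Immutable. The resource name of the Policy. Must be one of the following forms, where constraintName is the name of the constraint which this Policy configures:
     * * `projects/{project_number}/policies/{constraint_name}`
     * * `folders/{folder_id}/policies/{constraint_name}`
     * * `organizations/{organization_id}/policies/{constraint_name}`
     * For example, "projects/123/policies/compute.disableSerialPortAccess".
     * Note: `projects/{project_id}/policies/{constraint_name}` is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
     */
    name?: pulumi.Input<string>;
    /**
     * The parent of the resource.
     */
    parent?: pulumi.Input<string>;
    /**
     * Basic information about the Organization Policy.
     * Structure is documented below.
     */
    spec?: pulumi.Input<inputs.orgpolicy.PolicySpec>;
}

/**
 * The set of arguments for constructing a Policy resource.
 *
 * `parent` is the only required argument; `name`, `spec` and `dryRunSpec` may be omitted.
 */
export interface PolicyArgs {
    /**
     * Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
     * Structure is documented below.
     */
    dryRunSpec?: pulumi.Input<inputs.orgpolicy.PolicyDryRunSpec>;
    /**
     * Immutable. The resource name of the Policy. Must be one of the following forms, where constraintName is the name of the constraint which this Policy configures:
     * * `projects/{project_number}/policies/{constraint_name}`
     * * `folders/{folder_id}/policies/{constraint_name}`
     * * `organizations/{organization_id}/policies/{constraint_name}`
     * For example, "projects/123/policies/compute.disableSerialPortAccess".
     * Note: `projects/{project_id}/policies/{constraint_name}` is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
     */
    name?: pulumi.Input<string>;
    /**
     * The parent of the resource. Required.
     */
    parent: pulumi.Input<string>;
    /**
     * Basic information about the Organization Policy.
     * Structure is documented below.
     */
    spec?: pulumi.Input<inputs.orgpolicy.PolicySpec>;
}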