GoogleApi.CloudAsset.V1.Model.GoogleCloudOrgpolicyV1ListPolicy (google_api_cloud_asset v0.35.0)
Used in `policy_type` to specify how `list_policy` behaves at this resource.

`ListPolicy` can define specific values and subtrees of Cloud Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied by setting the `allowed_values` and `denied_values` fields. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix.

Ancestry subtrees must be in one of the following formats:
- "projects/", e.g. "projects/tokyo-rain-123"
- "folders/", e.g. "folders/1234"
- "organizations/", e.g. "organizations/1234"

The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. You can set `allowed_values` and `denied_values` in the same `Policy` if `all_values` is `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all values. If `all_values` is set to either `ALLOW` or `DENY`, `allowed_values` and `denied_values` must be unset.
Attributes
- `allValues` (type: `String.t`, default: `nil`) - The policy all_values state.
- `allowedValues` (type: `list(String.t)`, default: `nil`) - List of values allowed at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
- `deniedValues` (type: `list(String.t)`, default: `nil`) - List of values denied at this resource. Can only be set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`.
- `inheritFromParent` (type: `boolean()`, default: `nil`) - Determines the inheritance behavior for this `Policy`. By default, a `ListPolicy` set at a resource supersedes any `Policy` set anywhere up the resource hierarchy. However, if `inherit_from_parent` is set to `true`, then the values from the effective `Policy` of the parent resource are inherited, meaning the values set in this `Policy` are added to the values inherited up the hierarchy.

  Setting `Policy` hierarchies that inherit both allowed values and denied values isn't recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a `Policy` with `allowed_values` set that inherits a `Policy` with `denied_values` set. In this case, the values that are allowed must be in `allowed_values` and not present in `denied_values`.

  For example, suppose you have a `Constraint` `constraints/serviceuser.services`, which has a `constraint_type` of `list_constraint`, and with `constraint_default` set to `ALLOW`. Suppose that at the Organization level, a `Policy` is applied that restricts the allowed API activations to {`E1`, `E2`}. Then, if a `Policy` is applied to a project below the Organization that has `inherit_from_parent` set to `false` and field all_values set to DENY, then an attempt to activate any API will be denied.

  The following examples demonstrate different possible layerings for `projects/bar` parented by `organizations/foo`:

  Example 1 (no inherited values):
  `organizations/foo` has a `Policy` with values: {allowed_values: "E1" allowed_values: "E2"}
  `projects/bar` has `inherit_from_parent` `false` and values: {allowed_values: "E3" allowed_values: "E4"}
  The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E3`, and `E4`.

  Example 2 (inherited values):
  `organizations/foo` has a `Policy` with values: {allowed_values: "E1" allowed_values: "E2"}
  `projects/bar` has a `Policy` with values: {value: "E3" value: "E4" inherit_from_parent: true}
  The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

  Example 3 (inheriting both allowed and denied values):
  `organizations/foo` has a `Policy` with values: {allowed_values: "E1" allowed_values: "E2"}
  `projects/bar` has a `Policy` with: {denied_values: "E1"}
  The accepted values at `organizations/foo` are `E1`, `E2`. The value accepted at `projects/bar` is `E2`.

  Example 4 (RestoreDefault):
  `organizations/foo` has a `Policy` with values: {allowed_values: "E1" allowed_values: "E2"}
  `projects/bar` has a `Policy` with values: {RestoreDefault: {}}
  The accepted values at `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none).

  Example 5 (no policy inherits parent policy):
  `organizations/foo` has no `Policy` set.
  `projects/bar` has no `Policy` set.
  The accepted values at both levels are either all or none depending on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none).

  Example 6 (ListConstraint allowing all):
  `organizations/foo` has a `Policy` with values: {allowed_values: "E1" allowed_values: "E2"}
  `projects/bar` has a `Policy` with: {all: ALLOW}
  The accepted values at `organizations/foo` are `E1`, `E2`. Any value is accepted at `projects/bar`.

  Example 7 (ListConstraint allowing none):
  `organizations/foo` has a `Policy` with values: {allowed_values: "E1" allowed_values: "E2"}
  `projects/bar` has a `Policy` with: {all: DENY}
  The accepted values at `organizations/foo` are `E1`, `E2`. No value is accepted at `projects/bar`.

  Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
  Given the following resource hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
  `organizations/foo` has a `Policy` with values: {allowed_values: "under:organizations/O1"}
  `projects/bar` has a `Policy` with: {allowed_values: "under:projects/P3"} {denied_values: "under:folders/F2"}
  The accepted values at `organizations/foo` are `organizations/O1`, `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, `projects/P3`. The accepted values at `projects/bar` are `organizations/O1`, `folders/F1`, `projects/P1`.
- `suggestedValue` (type: `String.t`, default: `nil`) - Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this `Policy`. If `suggested_value` is not set, it will inherit the value specified higher in the hierarchy, unless `inherit_from_parent` is `false`.
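The layering rules described for `inheritFromParent`, as an added Python example that is not part of the google_api_cloud_asset library or its documentation: it folds `ListPolicy` JSON objects (keyed by the attribute names listed above) from root to leaf and returns which candidate values are accepted, which is useful when auditing exported policies for a project that silently widens an organization-level restriction. The function names, the `PARENT` map and the policy dicts in any call are constructed for illustration. It assumes that Examples 3 and 10 have `inheritFromParent` set to `true`, and that a policy with no allowed list falls back to the all-values state or `constraint_default`, which the page does not spell out.

```python
# Constructed child -> parent map for the hierarchy in Example 10
# (O1 -> {F1, F2}; F1 -> {P1}; F2 -> {P2, P3}).
PARENT = {
    "folders/F1": "organizations/O1", "folders/F2": "organizations/O1",
    "projects/P1": "folders/F1", "projects/P2": "folders/F2",
    "projects/P3": "folders/F2",
}

def matches(rule, value):
    """True if one allowedValues/deniedValues entry covers `value`."""
    if rule.startswith("under:"):          # subtree: walk value's ancestry
        root, node = rule[len("under:"):], value
        while node is not None and node != root:
            node = PARENT.get(node)
        return node == root
    if rule.startswith("is:"):             # treated the same as no prefix
        rule = rule[len("is:"):]
    return rule == value

def effective(chain, constraint_default="ALLOW"):
    """Fold ListPolicy dicts, root first (None = no Policy set at that level)."""
    base, allowed, denied = constraint_default, [], []
    for policy in chain:
        if policy is None:
            continue
        new_allowed = policy.get("allowedValues") or []
        new_denied = policy.get("deniedValues") or []
        all_values = policy.get("allValues") or "ALL_VALUES_UNSPECIFIED"
        if all_values in ("ALLOW", "DENY"):
            if new_allowed or new_denied:
                raise ValueError("allowedValues/deniedValues must be unset")
            base, allowed, denied = all_values, [], []
        elif policy.get("inheritFromParent"):   # add to inherited values
            allowed, denied = allowed + new_allowed, denied + new_denied
        else:                                   # supersedes everything above
            base, allowed, denied = constraint_default, new_allowed, new_denied
    return base, allowed, denied

def accepted(chain, candidates, constraint_default="ALLOW"):
    """Subset of `candidates` accepted at the last resource in `chain`."""
    base, allowed, denied = effective(chain, constraint_default)
    def ok(value):
        if any(matches(rule, value) for rule in denied):
            return False                   # a denied entry always wins
        if allowed:
            return any(matches(rule, value) for rule in allowed)
        return base == "ALLOW"             # no list in effect (assumption)
    return [value for value in candidates if ok(value)]
```

Calling `accepted([org_policy, project_policy], candidates)` with the policies from Example 10 reproduces the page's result: the `under:folders/F2` denial removes `projects/P3` even though the project policy also allows it.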
Summary
Functions
Unwrap a decoded JSON object into its complex fields.
Types
Functions
Unwrap a decoded JSON object into its complex fields.