Setting Up and Applying Organization Policies in GCP
📖 Scenario: You are a cloud administrator for a company using Google Cloud Platform (GCP). Your company wants to enforce rules across all projects to improve security and compliance. You will create and apply organization policies to control resource behavior.
🎯 Goal: Build a simple GCP organization policy setup that restricts VM instance creation to specific machine types and enforces a policy to disable external IP addresses on VM instances.
📋 What You'll Learn
Create a dictionary called org_policy_constraints with two constraints and their allowed values
Create a variable called target_resource with the exact resource path string
Write a function called apply_policy that takes resource and policy and returns a dictionary representing the applied policy
Create a final dictionary called applied_policy by calling apply_policy with target_resource and org_policy_constraints
💡 Why This Matters
🌍 Real World
Organizations use policies to enforce rules across all cloud projects to maintain security and compliance.
💼 Career
Cloud administrators and engineers must understand how to create and apply organization policies to manage resources effectively.
1
Create the organization policy constraints dictionary
Create a dictionary called org_policy_constraints with these exact entries: "compute.vmAllowedMachineTypes" set to a list containing "n1-standard-1" and "n1-standard-2", and "compute.disableExternalIp" set to true.
Hint
Use a dictionary with keys as constraint names and values as the allowed settings.
2
Define the target resource string
Create a variable called target_resource and set it to the string "organizations/123456789" representing the organization resource path.
Hint
Assign the exact string to the variable target_resource.
3
Write a function to apply the policy
Write a function called apply_policy that takes two parameters: resource and policy. The function should return a dictionary with keys "resource" set to resource and "policy" set to policy.
Hint
Define a function that returns a dictionary with the given parameters as values.
4
Create the final applied policy dictionary
Create a variable called applied_policy by calling the function apply_policy with target_resource and org_policy_constraints as arguments.
Hint
Call the function with the exact variable names and assign the result.
Practice
1. What is the main purpose of an Organization Policy in Google Cloud?
easy
A. To set rules that apply to all projects in a company
B. To create virtual machines automatically
C. To monitor network traffic in real-time
D. To manage billing accounts for users
Solution
Step 1: Understand the role of organization policies
Organization policies define rules that apply across all projects and resources in a company to keep them safe and compliant.
Step 2: Compare options with the purpose
Only option A, "To set rules that apply to all projects in a company", describes setting rules across all projects, which matches the purpose of organization policies.
Final Answer:
To set rules that apply to all projects in a company -> Option A
Quick Check:
Organization policies control rules = A [OK]
Hint: Organization policies set company-wide rules, not individual tasks [OK]
Common Mistakes:
Confusing organization policies with billing or monitoring
Thinking policies create resources automatically
Assuming policies manage user accounts directly
2. Which of the following is the correct way to specify a constraint in an organization policy YAML file?
easy
A. constraint -> gcp.resourceLocations
B. constraint = gcp.resourceLocations
C. constraint: gcp.resourceLocations
D. constraint() gcp.resourceLocations
Solution
Step 1: Recall YAML syntax for key-value pairs
YAML uses colon (:) to assign values to keys, like key: value.
Step 2: Identify correct constraint syntax
Option C, constraint: gcp.resourceLocations, uses a colon between the key and its value, which is valid YAML syntax for specifying a constraint.
Final Answer:
constraint: gcp.resourceLocations -> Option C
Quick Check:
YAML key-value uses colon = C [OK]
Hint: YAML uses colon for key-value pairs, not equals or arrows [OK]
B. It allows serial port access on compute instances
C. It disables all compute instances
D. It denies serial port access on compute instances
Solution
Step 1: Understand the constraint meaning
The constraint constraints/compute.disableSerialPortAccess controls serial port access on compute instances ("true" disables access, "false" allows it).
Step 2: Interpret the deniedValues list
Setting deniedValues: ["true"] denies the value "true", which disables serial port access on compute instances.
Final Answer:
It denies serial port access on compute instances -> Option D
Quick Check:
deny "true" disables access = A [OK]
Hint: Denying 'true' disables serial port access [OK]
Common Mistakes:
Thinking deniedValues means allowed values
Confusing serial port access with instance shutdown
But it does not work as expected. What is the likely error?
medium
A. The constraint name is incorrect
B. The denied value should be a string "true", not boolean true
C. The listPolicy block is missing required fields
D. YAML does not support lists under deniedValues
Solution
Step 1: Check the deniedValues data type
Organization policies expect deniedValues as strings, so "true" must be quoted.
Step 2: Identify the error cause
An unquoted true is a boolean in YAML, which causes the policy to fail or behave unexpectedly.
Final Answer:
The denied value should be a string "true", not boolean true -> Option B
Quick Check:
Denied values must be strings in YAML [OK]
Hint: Always quote boolean values as strings in organization policies [OK]
Common Mistakes:
Not quoting boolean values in YAML
Assuming constraint names are wrong without checking
Thinking lists are not allowed under deniedValues
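The unquoted-boolean mistake from question 4 and the allowedValues/deniedValues confusion listed under question 3's common mistakes can both be caught before a policy is applied. The following Python check is an added example, not code from the original page or from Google; the names lint_list_policy and is_permitted, the sample policies, and the simplified single-policy evaluation model are assumptions made for illustration.

```python
# Added example. Policies are the dicts a YAML loader would return; an
# unquoted YAML `true` arrives here as the Python boolean True.

def lint_list_policy(policy):
    """Return a list of problems found in one list-type policy dict."""
    problems = []
    if not isinstance(policy.get("constraint"), str):
        problems.append("constraint must be a string")
    list_policy = policy.get("listPolicy")
    if not isinstance(list_policy, dict):
        return problems + ["listPolicy block is missing"]
    if not any(f in list_policy for f in ("allowedValues", "deniedValues")):
        problems.append("listPolicy has neither allowedValues nor deniedValues")
    for field in ("allowedValues", "deniedValues"):
        values = list_policy.get(field, [])
        if not isinstance(values, list):
            problems.append(f"{field} must be a list")
            continue
        for value in values:
            if not isinstance(value, str):
                problems.append(
                    f"{field}: {value!r} is a {type(value).__name__}, not a string"
                )
    return problems

def is_permitted(policy, value):
    """Simplified single-policy model (assumption): a denied value is always
    rejected; if allowedValues is non-empty, only listed values pass."""
    list_policy = policy["listPolicy"]
    if value in list_policy.get("deniedValues", []):
        return False
    allowed = list_policy.get("allowedValues", [])
    return value in allowed if allowed else True

# Constructed sample policies (hypothetical, for illustration only).
UNQUOTED = {"constraint": "constraints/compute.disableSerialPortAccess",
            "listPolicy": {"deniedValues": [True]}}   # YAML: - true
ALLOW_TWO = {"constraint": "constraints/gcp.resourceLocations",
             "listPolicy": {"allowedValues": ["us-central1", "europe-west1"]}}
DENY_TWO = {"constraint": "constraints/gcp.resourceLocations",
            "listPolicy": {"deniedValues": ["us-central1", "europe-west1"]}}

if __name__ == "__main__":
    for name, pol in (("UNQUOTED", UNQUOTED), ("ALLOW_TWO", ALLOW_TWO)):
        print(name, lint_list_policy(pol) or "ok")
    for region in ("us-central1", "asia-east1"):
        print(region, is_permitted(ALLOW_TWO, region), is_permitted(DENY_TWO, region))
```

In this model the deny list rejects exactly the two named regions and lets every other region through, which is the opposite of restricting resources to those two regions.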
5. Your company wants to restrict all projects to only create resources in these regions: us-central1 and europe-west1. Which organization policy configuration achieves this?
hard
A. constraint: constraints/gcp.resourceLocations
   listPolicy:
     allowedValues:
       - "us-central1"
       - "europe-west1"
B. constraint: constraints/gcp.resourceLocations
   listPolicy:
     deniedValues:
       - "notin:us-central1"
       - "notin:europe-west1"
C. constraint: constraints/gcp.resourceLocations
   listPolicy:
     deniedValues:
       - "us-central1"
       - "europe-west1"
D. constraint: constraints/gcp.resourceLocations
   listPolicy:
     allowedValues:
       - "in:us-central1"
       - "in:europe-west1"
Solution
Step 1: Understand the constraint for resource locations
The constraints/gcp.resourceLocations constraint controls allowed regions for resource creation.
Step 2: Identify correct allowedValues format
Allowed values should list region names as strings without prefixes like "in:". This configuration correctly lists "us-central1" and "europe-west1":
constraint: constraints/gcp.resourceLocations
listPolicy:
  allowedValues:
    - "us-central1"
    - "europe-west1"
Step 3: Eliminate incorrect options
The configuration with "in:us-central1" uses invalid prefixes. Configurations using deniedValues do not restrict to only those regions: one attempts to deny outside the regions (wrong syntax and logic), the other denies the desired regions (allowing others).