Bird
Raised Fist0
GCPcloud~10 mins

Organization policies in GCP - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to specify the constraint when creating an organization policy.

GCP
resource "google_org_policy_policy" "example" {
  org_id    = "123456789"
  constraint = "[1]"
}
Drag options to blanks, or click blank then click option'
Aconstraints/compute.disableSerialPortAccess
Bprojects/my-project
Cfolders/1234
Droles/editor
Attempts:
3 left
💡 Hint
Common Mistakes
Using project or folder IDs instead of a constraint name.
Using role names instead of constraints.
2fill in blank
medium

Complete the code to set the policy to deny serial port access.

GCP
resource "google_org_policy_policy" "example" {
  org_id    = "123456789"
  constraint = "constraints/compute.disableSerialPortAccess"
  boolean_policy {
    enforced = [1]
  }
}
Drag options to blanks, or click blank then click option'
A1
Bfalse
C"true"
Dtrue
Attempts:
3 left
💡 Hint
Common Mistakes
Using string 'true' instead of boolean true.
Setting enforced to false which disables the policy.
3fill in blank
hard

Fix the error in the policy definition by completing the missing field.

GCP
resource "google_org_policy_policy" "example" {
  org_id    = "123456789"
  [1] = "constraints/compute.disableSerialPortAccess"
  boolean_policy {
    enforced = true
  }
}
Drag options to blanks, or click blank then click option'
Apolicy_id
Borg_id
Cconstraint
Dname
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'name' or 'policy_id' instead of 'constraint'.
Repeating 'org_id' field.
4fill in blank
hard

Fill both blanks to create a list policy that allows only specific VM machine types.

GCP
resource "google_org_policy_policy" "example" {
  org_id    = "123456789"
  constraint = "constraints/compute.restrictMachineTypes"
  list_policy {
    [1] = ["n1-standard-1", "e2-medium"]
    [2] = false
  }
}
Drag options to blanks, or click blank then click option'
Aallowed_values
Bdenied_values
Call_values
Dinherit_from_parent
Attempts:
3 left
💡 Hint
Common Mistakes
Using denied_values when intending to allow.
Setting all_values to true which allows all values.
5fill in blank
hard

Fill all three blanks to define a policy that denies specific service accounts from being used.

GCP
resource "google_org_policy_policy" "example" {
  org_id    = "123456789"
  constraint = "[1]"
  list_policy {
    [2] = ["serviceAccount:bad-sa@example.iam.gserviceaccount.com"]
    [3] = false
  }
}
Drag options to blanks, or click blank then click option'
Aconstraints/iam.allowedPolicyMembers
Bdenied_values
Call_values
Dallowed_values
Attempts:
3 left
💡 Hint
Common Mistakes
Using allowed_values instead of denied_values.
Setting all_values to true instead of false.

Practice

(1/5)
1. What is the main purpose of an Organization Policy in Google Cloud?
easy
A. To set rules that apply to all projects in a company
B. To create virtual machines automatically
C. To monitor network traffic in real-time
D. To manage billing accounts for users

Solution

  1. Step 1: Understand the role of organization policies

    Organization policies define rules that apply across all projects and resources in a company to keep them safe and compliant.

  2. Step 2: Compare options with the purpose

    Only To set rules that apply to all projects in a company describes setting rules across all projects, which matches the purpose of organization policies.

  3. Final Answer:

    To set rules that apply to all projects in a company -> Option A

  4. Quick Check:

    Organization policies control rules = A [OK]
Hint: Organization policies set company-wide rules, not individual tasks [OK]
Common Mistakes:
  • Confusing organization policies with billing or monitoring
  • Thinking policies create resources automatically
  • Assuming policies manage user accounts directly
2. Which of the following is the correct way to specify a constraint in an organization policy YAML file?
easy
A. constraint -> gcp.resourceLocations
B. constraint = gcp.resourceLocations
C. constraint: gcp.resourceLocations
D. constraint() gcp.resourceLocations

Solution

  1. Step 1: Recall YAML syntax for key-value pairs

    YAML uses colon (:) to assign values to keys, like key: value.

  2. Step 2: Identify correct constraint syntax

    constraint: gcp.resourceLocations uses constraint: gcp.resourceLocations, which is valid YAML syntax for specifying a constraint.

  3. Final Answer:

    constraint: gcp.resourceLocations -> Option C

  4. Quick Check:

    YAML key-value uses colon = C [OK]
Hint: YAML uses colon for key-value pairs, not equals or arrows [OK]
Common Mistakes:
  • Using equals sign (=) instead of colon (:)
  • Using arrows (->) or parentheses incorrectly
  • Confusing YAML with programming language syntax
3. Given this organization policy snippet:
constraint: constraints/compute.disableSerialPortAccess
listPolicy:
  deniedValues:
  - "true"

What is the effect of this policy?
medium
A. It enables serial port access on all projects
B. It allows serial port access on compute instances
C. It disables all compute instances
D. It denies serial port access on compute instances

Solution

  1. Step 1: Understand the constraint meaning

    The constraint constraints/compute.disableSerialPortAccess controls serial port access on compute instances ("true" disables access, "false" allows it).

  2. Step 2: Interpret the deniedValues list

    Setting deniedValues: ["true"] denies the value "true", which disables serial port access on compute instances.

  3. Final Answer:

    It denies serial port access on compute instances -> Option D

  4. Quick Check:

    deny "true" disables access = A [OK]
Hint: Denying 'true' disables serial port access [OK]
Common Mistakes:
  • Thinking deniedValues means allowed values
  • Confusing serial port access with instance shutdown
  • Assuming the policy enables the feature
4. You wrote this organization policy YAML:
constraint: constraints/compute.disableSerialPortAccess
listPolicy:
  deniedValues:
    - true

But it does not work as expected. What is the likely error?
medium
A. The constraint name is incorrect
B. The denied value should be a string "true", not boolean true
C. The listPolicy block is missing required fields
D. YAML does not support lists under deniedValues

Solution

  1. Step 1: Check the deniedValues data type

    Organization policies expect deniedValues as strings, so "true" must be quoted.

  2. Step 2: Identify the error cause

    Using unquoted true is boolean in YAML, causing the policy to fail or behave unexpectedly.

  3. Final Answer:

    The denied value should be a string "true", not boolean true -> Option B

  4. Quick Check:

    Denied values must be strings in YAML [OK]
Hint: Always quote boolean values as strings in organization policies [OK]
Common Mistakes:
  • Not quoting boolean values in YAML
  • Assuming constraint names are wrong without checking
  • Thinking lists are not allowed under deniedValues
5. Your company wants to restrict all projects to only create resources in these regions: us-central1 and europe-west1. Which organization policy configuration achieves this?
hard
A. constraint: constraints/gcp.resourceLocations listPolicy: allowedValues: - "us-central1" - "europe-west1"
B. constraint: constraints/gcp.resourceLocations listPolicy: deniedValues: - "notin:us-central1" - "notin:europe-west1"
C. constraint: constraints/gcp.resourceLocations listPolicy: deniedValues: - "us-central1" - "europe-west1"
D. constraint: constraints/gcp.resourceLocations listPolicy: allowedValues: - "in:us-central1" - "in:europe-west1"

Solution

  1. Step 1: Understand the constraint for resource locations

    The constraints/gcp.resourceLocations controls allowed regions for resource creation.

  2. Step 2: Identify correct allowedValues format

    Allowed values should list region names as strings without prefixes like "in:"; constraint: constraints/gcp.resourceLocations listPolicy: allowedValues: - "us-central1" - "europe-west1" correctly lists "us-central1" and "europe-west1".

  3. Step 3: Eliminate incorrect options

    The configuration with "in:us-central1" uses invalid prefixes. Configurations using deniedValues do not restrict to only those regions: one attempts to deny outside the regions (wrong syntax and logic), the other denies the desired regions (allowing others).

  4. Final Answer:

    constraint: constraints/gcp.resourceLocations listPolicy: allowedValues: - "us-central1" - "europe-west1" -> Option A

  5. Quick Check:

    AllowedValues list regions as strings without prefixes = D [OK]
Hint: AllowedValues list regions as plain strings, no prefixes [OK]
Common Mistakes:
  • Using prefixes like 'in:' in allowedValues
  • Using deniedValues instead of allowedValues
  • Misunderstanding constraint syntax for regions