Complete the code to specify the constraint when creating an organization policy.
resource "google_org_policy_policy" "example" {
  org_id     = "123456789"
  constraint = "[1]"
}
The constraint field must specify a valid organization policy constraint, such as constraints/compute.disableSerialPortAccess.
Complete the code to set the policy to deny serial port access.
resource "google_org_policy_policy" "example" {
  org_id     = "123456789"
  constraint = "constraints/compute.disableSerialPortAccess"
  boolean_policy {
    enforced = [1]
  }
}
The enforced field must be set to true to deny serial port access.
Fix the error in the policy definition by completing the missing field.
resource "google_org_policy_policy" "example" {
  org_id = "123456789"
  [1]    = "constraints/compute.disableSerialPortAccess"
  boolean_policy {
    enforced = true
  }
}
The field constraint is required to specify which policy constraint to apply.
Fill both blanks to create a list policy that allows only specific VM machine types.
resource "google_org_policy_policy" "example" {
  org_id     = "123456789"
  constraint = "constraints/compute.restrictMachineTypes"
  list_policy {
    [1] = ["n1-standard-1", "e2-medium"]
    [2] = false
  }
}
The allowed_values field lists permitted values, and all_values must be set to false to enforce the allowed list (whitelist).
Fill all three blanks to define a policy that denies specific service accounts from being used.
resource "google_org_policy_policy" "example" {
  org_id     = "123456789"
  constraint = "[1]"
  list_policy {
    [2] = ["serviceAccount:bad-sa@example.iam.gserviceaccount.com"]
    [3] = false
  }
}
The constraint for IAM allowed policy members specifies the policy type, denied_values lists the disallowed accounts, and all_values is set to false to enforce the denied list (blacklist).