
Organization policies in GCP - Step-by-Step Execution

Process Flow - Organization policies
1. Define Organization Policy
2. Attach Policy to Resource
3. Policy Evaluated on Requests
4. Allow or Deny Action Based on Policy
5. Enforce Compliance Across Resources
Organization policies are rules set at the organization level that control what actions are allowed or denied on resources. They are attached to resources and evaluated on each request to enforce compliance.
Execution Sample
# Terraform (google provider). google_organization_policy takes org_id, constraint
# and a list_policy block; a list constraint's permitted values go in allow { values }.
resource "google_organization_policy" "restrict_compute_regions" {
  org_id     = "123456789"
  constraint = "constraints/compute.allowedRegions"

  # Only these regions pass the constraint; every other region is denied.
  list_policy {
    allow {
      values = ["us-central1", "us-east1"]
    }
  }
}
This code creates an organization policy on organization 123456789 that restricts Compute Engine resources to the listed regions only.
Process Table
Step | Action | Resource | Policy Evaluated | Result
1 | Define policy restrict_compute_regions | Organization 123456789 | constraints/compute.allowedRegions | Policy created with allowed regions us-central1, us-east1
2 | Attach policy to organization | Organization 123456789 | constraints/compute.allowedRegions | Policy active on organization and all child resources
3 | Request to create VM in us-central1 | Project under org 123456789 | constraints/compute.allowedRegions | Allowed (region in allowed list)
4 | Request to create VM in europe-west1 | Project under org 123456789 | constraints/compute.allowedRegions | Denied (region not in allowed list)
5 | Request to create VM in us-east1 | Project under org 123456789 | constraints/compute.allowedRegions | Allowed (region in allowed list)
6 | Request to create VM in asia-east1 | Project under org 123456789 | constraints/compute.allowedRegions | Denied (region not in allowed list)
💡 Requests outside allowed regions are denied, enforcing the organization policy.
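The evaluation in the table above, written out as a small added model (constructed for this page, not Google's code): a list constraint is looked up by walking from the project up through folders to the organization, the nearest policy that sets the constraint applies (the default when inheritFromParent is not used; merging is not modelled), and a request is denied when its value is outside the allowed list or inside the denied list. The folder, project and resource names are assumed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constraint name as used on this page.
CONSTRAINT = "constraints/compute.allowedRegions"

@dataclass
class ListPolicy:
    allowed_values: list = field(default_factory=list)
    denied_values: list = field(default_factory=list)

@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    policies: dict = field(default_factory=dict)  # constraint -> ListPolicy

def effective_policy(resource, constraint):
    """Walk project -> folder -> organization; the nearest policy wins."""
    node = resource
    while node is not None:
        if constraint in node.policies:
            return node.policies[constraint]
        node = node.parent
    return None

def evaluate(resource, constraint, value):
    """Return 'Allowed (...)' or 'Denied (...)' for a request using `value`."""
    policy = effective_policy(resource, constraint)
    if policy is None:
        return "Allowed (no policy set on this constraint)"
    if value in policy.denied_values:
        return f"Denied ({value} in denied list)"
    if policy.allowed_values and value not in policy.allowed_values:
        return f"Denied ({value} not in allowed list)"
    return f"Allowed ({value} in allowed list)"

def run_process_table():
    """Steps 1-6 of the process table; a folder is added to show the cascade."""
    org = Resource("organizations/123456789")
    org.policies[CONSTRAINT] = ListPolicy(allowed_values=["us-central1", "us-east1"])
    folder = Resource("folders/example-folder", parent=org)          # assumed
    project = Resource("projects/example-project", parent=folder)    # assumed
    regions = ["us-central1", "europe-west1", "us-east1", "asia-east1"]
    return {r: evaluate(project, CONSTRAINT, r) for r in regions}

if __name__ == "__main__":
    for region, result in run_process_table().items():
        print(f"{region}: {result}")
```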
Status Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | Final
Policy allowed_regions | empty | [us-central1, us-east1] | [us-central1, us-east1] | [us-central1, us-east1] | [us-central1, us-east1] | [us-central1, us-east1]
Request region | none | none | none | us-central1 | europe-west1 | asia-east1
Request result | none | none | none | Allowed | Denied | Denied
Key Moments - 2 Insights
Why is a VM creation request denied even though the project is under the organization?
Because the requested region is not in the allowed regions list defined by the organization policy, as shown in execution_table rows 4 and 6.
Does the organization policy apply only to the organization or also to projects under it?
The policy applies to the organization and all its child resources, including projects, as shown in execution_table row 2.
Visual Quiz - 3 Questions
Test your understanding
1. Look at the execution_table: what is the result of a VM creation request in us-east1?
A. Denied
B. Allowed
C. Pending
D. Error
💡 Hint: Check execution_table row 5, where the request region is us-east1.
2. At which step does the policy become active on the organization and its projects?
A. Step 2
B. Step 3
C. Step 1
D. Step 4
💡 Hint: Look at execution_table row 2, which describes policy attachment.
3. If the allowed regions list included 'europe-west1', what would be the result at step 4?
A. Error
B. Denied
C. Allowed
D. Pending
💡 Hint: Refer to variable_tracker for the request region and result changes.
Concept Snapshot
Organization policies in GCP control resource behavior across the organization.
They are defined with constraints and attached to the organization or to folders.
Policies are evaluated on each request to allow or deny the action.
Example: restrict Compute Engine regions to an allowed list.
Policies enforce compliance centrally and cascade down the resource hierarchy.
Full Transcript
Organization policies in Google Cloud let you set rules that control what actions can happen on resources within your organization. You define a policy with a constraint, like allowed regions for Compute Engine. Then you attach this policy to your organization or folders. When someone tries to create or modify a resource, Google Cloud checks the policy. If the action matches the allowed rules, it proceeds; if not, it is denied. For example, if you restrict Compute Engine regions to us-central1 and us-east1, any VM creation request outside these regions will be denied. This helps keep your cloud environment compliant with your company rules.