Class: Google::Cloud::OrgPolicy::V2::Constraint

Inherits:
Object
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/cloud/orgpolicy/v2/constraint.rb

Overview

A constraint describes a way to restrict a resource's configuration. For example, you could enforce a constraint that controls which Google Cloud services can be activated across an organization, or whether a Compute Engine instance can have serial port connections established. Constraints can be configured by the organization policy administrator to fit the needs of the organization by setting a policy that includes constraints at different locations in the organization's resource hierarchy. Policies are inherited down the resource hierarchy from higher levels, but can also be overridden. For details about the inheritance rules, please read about [policies][google.cloud.OrgPolicy.v2.Policy].

Constraints have a default behavior determined by the constraint_default field, which is the enforcement behavior that is used in the absence of a policy being defined or inherited for the resource in question.

Defined Under Namespace

Modules: ConstraintDefault
Classes: BooleanConstraint, ListConstraint

Instance Attribute Details

#boolean_constraint ⇒ ::Google::Cloud::OrgPolicy::V2::Constraint::BooleanConstraint

Returns Defines this constraint as being a BooleanConstraint.

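Returns:

  • (::Google::Cloud::OrgPolicy::V2::Constraint::BooleanConstraint)

    Defines this constraint as being a BooleanConstraint.
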
# File 'proto_docs/google/cloud/orgpolicy/v2/constraint.rb', line 71

class Constraint
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A constraint that allows or disallows a list of string values, which are
  # configured by an Organization Policy administrator with a policy.
  # @!attribute [rw] supports_in
  #   @return [::Boolean]
  #     Indicates whether values grouped into categories can be used in
  #     `Policy.allowed_values` and `Policy.denied_values`. For example,
  #     `"in:Python"` would match any value in the 'Python' group.
  # @!attribute [rw] supports_under
  #   @return [::Boolean]
  #     Indicates whether subtrees of the Resource Manager resource hierarchy
  #     can be used in `Policy.allowed_values` and `Policy.denied_values`. For
  #     example, `"under:folders/123"` would match any resource under the
  #     'folders/123' folder.
  class ListConstraint
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A constraint that is either enforced or not.
  #
  # For example, a constraint `constraints/compute.disableSerialPortAccess`.
  # If it is enforced on a VM instance, serial port connections will not be
  # opened to that instance.
  class BooleanConstraint
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Specifies the default behavior in the absence of any policy for the
  # constraint. This must not be `CONSTRAINT_DEFAULT_UNSPECIFIED`.
  #
  # Immutable after creation.
  module ConstraintDefault
    # This is only used for distinguishing unset values and should never be
    # used.
    CONSTRAINT_DEFAULT_UNSPECIFIED = 0

    # Indicate that all values are allowed for list constraints.
    # Indicate that enforcement is off for boolean constraints.
    ALLOW = 1

    # Indicate that all values are denied for list constraints.
    # Indicate that enforcement is on for boolean constraints.
    DENY = 2
  end
end

#constraint_default ⇒ ::Google::Cloud::OrgPolicy::V2::Constraint::ConstraintDefault

Returns The evaluation behavior of this constraint in the absence of a policy.

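Returns:

  • (::Google::Cloud::OrgPolicy::V2::Constraint::ConstraintDefault)

    The evaluation behavior of this constraint in the absence of a policy.
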

#description ⇒ ::String

Returns Detailed description of what this constraint controls as well as how and where it is enforced.

Mutable.

Returns:

  • (::String)

    Detailed description of what this constraint controls as well as how and where it is enforced.

    Mutable.




#display_name ⇒ ::String

Returns The human readable name.

Mutable.

Returns:

  • (::String)

    The human readable name.

    Mutable.




#list_constraint ⇒ ::Google::Cloud::OrgPolicy::V2::Constraint::ListConstraint

Returns Defines this constraint as being a ListConstraint.

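Returns:

  • (::Google::Cloud::OrgPolicy::V2::Constraint::ListConstraint)

    Defines this constraint as being a ListConstraint.
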

#name ⇒ ::String

Returns Immutable. The resource name of the constraint. Must be in one of the following forms:

  • projects/{project_number}/constraints/{constraint_name}
  • folders/{folder_id}/constraints/{constraint_name}
  • organizations/{organization_id}/constraints/{constraint_name}

For example, "/projects/123/constraints/compute.disableSerialPortAccess".

Returns:

  • (::String)

    Immutable. The resource name of the constraint. Must be in one of the following forms:

    • projects/{project_number}/constraints/{constraint_name}
    • folders/{folder_id}/constraints/{constraint_name}
    • organizations/{organization_id}/constraints/{constraint_name}

    For example, "/projects/123/constraints/compute.disableSerialPortAccess".




#supports_dry_run ⇒ ::Boolean

Returns Shows if dry run is supported for this constraint or not.

Returns:

  • (::Boolean)

    Shows if dry run is supported for this constraint or not.
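
An added example (not code from the gem or from this page): a plain-Ruby sketch of how a reviewer might read constraint metadata, using the `constraint_default` semantics, the three resource-name forms, and the `supports_in` / `supports_under` flags documented above. `ConstraintSketch`, `ListSketch`, the helper names and the sample data are assumptions standing in for the generated message classes; `boolean_constraint: true` stands in for an empty BooleanConstraint message.

```ruby
# Stand-ins for the generated message classes (assumption: the gem is not
# loaded here). Field names and enum numbers are the ones shown on this page.
ALLOW, DENY = 1, 2
ListSketch = Struct.new(:supports_in, :supports_under, keyword_init: true)
ConstraintSketch = Struct.new(:name, :constraint_default, :list_constraint,
                              :boolean_constraint, keyword_init: true)

# Strict reading of the three documented name forms (assumption: no leading "/").
NAME_FORM = %r{\A(?:projects|folders|organizations)/[^/]+/constraints/[^/]+\z}

def valid_constraint_name?(name)
  NAME_FORM.match?(name.to_s)
end

# What applies to a resource when no policy is defined or inherited for it.
def behavior_without_policy(constraint)
  default = constraint.constraint_default
  raise ArgumentError, "constraint_default must be ALLOW or DENY" unless [ALLOW, DENY].include?(default)
  if constraint.boolean_constraint
    default == DENY ? :enforced : :not_enforced
  elsif constraint.list_constraint
    default == DENY ? :all_values_denied : :all_values_allowed
  else
    raise ArgumentError, "neither boolean_constraint nor list_constraint is set"
  end
end

# Policy values whose "in:" / "under:" prefix the list constraint does not support.
def unsupported_values(constraint, values)
  list = constraint.list_constraint
  raise ArgumentError, "not a list constraint" unless list
  values.reject do |value|
    next list.supports_in if value.start_with?("in:")
    next list.supports_under if value.start_with?("under:")
    true # plain values need no prefix support
  end
end

# Names that are malformed, and constraints that restrict nothing by default.
def review(constraints)
  constraints.each_with_object({ bad_names: [], open_by_default: [] }) do |c, out|
    out[:bad_names] << c.name unless valid_constraint_name?(c.name)
    unrestricted = %i[not_enforced all_values_allowed].include?(behavior_without_policy(c))
    out[:open_by_default] << c.name if unrestricted
  end
end

# Constructed sample metadata; "example.allowedValues" is a hypothetical name.
SAMPLE = [
  ConstraintSketch.new(name: "organizations/123/constraints/compute.disableSerialPortAccess",
                       constraint_default: ALLOW, boolean_constraint: true),
  ConstraintSketch.new(name: "/projects/123/constraints/example.allowedValues", constraint_default: DENY,
                       list_constraint: ListSketch.new(supports_in: true, supports_under: false))
].freeze
```

`review(SAMPLE)` reports the first constraint as open by default (it is not enforced until a policy sets it) and the second as having a malformed name.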


