Class: Google::Cloud::OrgPolicy::V2::PolicySpec
- Inherits: Object
- Extended by: Protobuf::MessageExts::ClassMethods
- Includes: Protobuf::MessageExts
- Defined in: proto_docs/google/cloud/orgpolicy/v2/orgpolicy.rb
Overview
Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources.
Defined Under Namespace
Classes: PolicyRule
Instance Attribute Summary
- #etag ⇒ ::String
  An opaque tag indicating the current version of the policySpec, used for concurrency control.
- #inherit_from_parent ⇒ ::Boolean
  Determines the inheritance behavior for this policy.
- #reset ⇒ ::Boolean
  Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource.
- #rules ⇒ ::Array<::Google::Cloud::OrgPolicy::V2::PolicySpec::PolicyRule>
  In policies for boolean constraints, the following requirements apply:
- #update_time ⇒ ::Google::Protobuf::Timestamp (readonly)
  Output only.
Instance Attribute Details
#etag ⇒ ::String
Returns: An opaque tag indicating the current version of the policySpec, used for concurrency control.
This field is ignored if used in a CreatePolicy request.
When the policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current policySpec to use when executing a read-modify-write loop.
When the policy is returned from a GetEffectivePolicy request, the etag will be unset.
    # File 'proto_docs/google/cloud/orgpolicy/v2/orgpolicy.rb', line 125

    class PolicySpec
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # A rule used to express this policy.
      # @!attribute [rw] values
      #   @return [::Google::Cloud::OrgPolicy::V2::PolicySpec::PolicyRule::StringValues]
      #     List of values to be used for this policy rule. This field can be set
      #     only in policies for list constraints.
      # @!attribute [rw] allow_all
      #   @return [::Boolean]
      #     Setting this to true means that all values are allowed. This field can
      #     be set only in policies for list constraints.
      # @!attribute [rw] deny_all
      #   @return [::Boolean]
      #     Setting this to true means that all values are denied. This field can
      #     be set only in policies for list constraints.
      # @!attribute [rw] enforce
      #   @return [::Boolean]
      #     If `true`, then the policy is enforced. If `false`, then any
      #     configuration is acceptable.
      #     This field can be set only in policies for boolean constraints.
      # @!attribute [rw] condition
      #   @return [::Google::Type::Expr]
      #     A condition which determines whether this rule is used
      #     in the evaluation of the policy. When set, the `expression` field in
      #     the `Expr` must include from 1 to 10 subexpressions, joined by the "||"
      #     or "&&" operators. Each subexpression must be of the form
      #     "resource.matchTag('<ORG_ID>/tag_key_short_name',
      #     'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id',
      #     'tagValues/value_id')", where key_name and value_name are the resource
      #     names for Label Keys and Values. These names are available from the Tag
      #     Manager Service. An example expression is:
      #     "resource.matchTag('123456789/environment',
      #     'prod')" or "resource.matchTagId('tagKeys/123',
      #     'tagValues/456')".
      class PolicyRule
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # A message that holds specific allowed and denied values.
        # This message can define specific values and subtrees of the Resource
        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
        # are allowed or denied. This is achieved by using the `under:` and
        # optional `is:` prefixes.
        # The `under:` prefix is used to denote resource subtree values.
        # The `is:` prefix is used to denote specific values, and is required only
        # if the value contains a ":". Values prefixed with "is:" are treated the
        # same as values with no prefix.
        # Ancestry subtrees must be in one of the following formats:
        #
        # - `projects/<project-id>` (for example, `projects/tokyo-rain-123`)
        # - `folders/<folder-id>` (for example, `folders/1234`)
        # - `organizations/<organization-id>` (for example, `organizations/1234`)
        #
        # The `supports_under` field of the associated `Constraint` defines
        # whether ancestry prefixes can be used.
        # @!attribute [rw] allowed_values
        #   @return [::Array<::String>]
        #     List of values allowed at this resource.
        # @!attribute [rw] denied_values
        #   @return [::Array<::String>]
        #     List of values denied at this resource.
        class StringValues
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end
      end
    end
#inherit_from_parent ⇒ ::Boolean
Returns: Determines the inheritance behavior for this policy.
If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation.
This field can be set only for policies which configure list constraints.
#reset ⇒ ::Boolean
Returns: Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource.
This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
#rules ⇒ ::Array<::Google::Cloud::OrgPolicy::V2::PolicySpec::PolicyRule>
Returns: In policies for boolean constraints, the following requirements apply:
- There must be one and only one policy rule where condition is unset.
- Boolean policy rules with conditions must set enforce to the opposite of the policy rule without a condition.
- During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
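The field requirements stated above for reset, inherit_from_parent and rules, together with the condition format given in the PolicyRule source comments, can be checked before a policy is submitted. The Ruby linter below is an added example, not code from the google-cloud-org_policy library; it works on plain Hashes keyed by the documented field names, and the helper names (lint_policy_spec, subexpression_count) and sample specs are constructed for illustration.

```ruby
# Added example (not library code): lint a PolicySpec, given as a plain Hash keyed
# by the documented field names, against the invariants stated on this page.

TAG_CALL = /\Aresource\.matchTag(?:Id)?\('[^']+',\s*'[^']+'\)\z/

# Number of matchTag/matchTagId subexpressions joined by "||" or "&&",
# or nil when any part is not such a call (grouping parentheses unsupported).
def subexpression_count(expression)
  parts = expression.split(/\s*(?:\|\||&&)\s*/, -1)
  parts.all? { |part| part.match?(TAG_CALL) } ? parts.size : nil
end

# constraint_type is :boolean or :list. Returns an Array of violation strings.
def lint_policy_spec(spec, constraint_type:)
  errors = []
  rules = spec.fetch(:rules, [])
  inherit = spec.fetch(:inherit_from_parent, false)

  if spec[:reset]
    errors << "reset: rules must be empty" unless rules.empty?
    errors << "reset: inherit_from_parent must be false" if inherit
  end
  errors << "inherit_from_parent: list constraints only" if inherit && constraint_type != :list

  rules.each_with_index do |rule, i|
    wrong_kind = constraint_type == :boolean ? %i[values allow_all deny_all] : %i[enforce]
    (wrong_kind & rule.keys).each { |k| errors << "rules[#{i}]: #{k} not valid for #{constraint_type} constraints" }
    expr = rule.dig(:condition, :expression)
    next if expr.nil?
    count = subexpression_count(expr)
    errors << "rules[#{i}]: condition needs 1 to 10 tag subexpressions" unless count && (1..10).cover?(count)
  end

  if constraint_type == :boolean && !spec[:reset]
    base_rules = rules.select { |rule| rule[:condition].nil? }
    if base_rules.size != 1
      errors << "boolean: need exactly one rule without condition, found #{base_rules.size}"
    else
      base = base_rules.first[:enforce] == true
      rules.each_with_index do |rule, i|
        next if rule[:condition].nil?
        errors << "rules[#{i}]: conditional rule must set enforce to #{!base}" if (rule[:enforce] == true) == base
      end
    end
  end
  errors
end

# Constructed sample specs (the tag IDs reuse the example expression from the source comments).
TAG_EXPR = "resource.matchTagId('tagKeys/123', 'tagValues/456')"
GOOD_BOOLEAN = { rules: [{ enforce: true }, { enforce: false, condition: { expression: TAG_EXPR } }] }.freeze
BAD_RESET = { reset: true, inherit_from_parent: true,
              rules: [{ enforce: true, condition: { expression: "#{TAG_EXPR} ||" } }] }.freeze
LIST_SPEC = { inherit_from_parent: true, rules: [{ values: { allowed_values: ["under:folders/1234"] } }] }.freeze

puts lint_policy_spec(BAD_RESET, constraint_type: :boolean)
```

The linter checks only the structural rules written on this page; it does not evaluate conditions or confirm that a constraint's supports_under field permits under: values.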
#update_time ⇒ ::Google::Protobuf::Timestamp (readonly)
Returns: Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.