---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Organization Policy"
description: |-
  Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.
---
# google\_org\_policy\_custom\_constraint
Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.
To get more information about CustomConstraint, see:
* [API documentation](https://cloud.google.com/resource-manager/docs/reference/orgpolicy/rest/v2/organizations.constraints)
* How-to Guides
* [Official Documentation](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints)
* [Supported Services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services)
## Example Usage - Org Policy Custom Constraint Basic
```hcl
resource "google_org_policy_custom_constraint" "constraint" {
  name           = "custom.disableGkeAutoUpgrade"
  parent         = "organizations/123456789"
  action_type    = "ALLOW"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}
```
## Example Usage - Org Policy Custom Constraint Full
```hcl
resource "google_org_policy_custom_constraint" "constraint" {
  name           = "custom.disableGkeAutoUpgrade"
  parent         = "organizations/123456789"
  display_name   = "Disable GKE auto upgrade"
  description    = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."
  action_type    = "ALLOW"
  condition      = "resource.management.autoUpgrade == false"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}

resource "google_org_policy_policy" "bool" {
  name   = "organizations/123456789/policies/${google_org_policy_custom_constraint.constraint.name}"
  parent = "organizations/123456789"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```
## Argument Reference
The following arguments are supported:
* `name` -
  (Required)
  Immutable. The name of the custom constraint. This is unique within the organization.
* `condition` -
  (Required)
  A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see [Common Expression Language](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#common_expression_language).
* `action_type` -
  (Required)
  The action to take if the condition is met.
  Possible values are: `ALLOW`, `DENY`.
* `method_types` -
  (Required)
  A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in [Supported services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services).
* `resource_types` -
  (Required)
  Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.
* `parent` -
  (Required)
  The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
- - -
* `display_name` -
  (Optional)
  A human-friendly name for the constraint.
* `description` -
  (Optional)
  A human-friendly description of the constraint to display as an error message when the policy is violated.
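As an added example (not part of the provider documentation), the same restriction expressed with `action_type = "DENY"` and the inverted CEL condition, with the policy that enforces it attached to one folder instead of the whole organization; the organization and folder ids are placeholders, and a constraint has no effect until a `google_org_policy_policy` references it.

```hcl
# Added example, not from the provider docs. Same intent as the ALLOW
# example above, written as a DENY rule: reject CREATE and UPDATE of a
# NodePool whenever management.autoUpgrade is turned on.
resource "google_org_policy_custom_constraint" "deny_gke_auto_upgrade" {
  name         = "custom.denyGkeAutoUpgrade"
  parent       = "organizations/123456789" # placeholder organization id
  display_name = "Deny GKE auto upgrade"
  # Shown to the caller as the error message when a request is rejected.
  description  = "NodePool creation or update is denied while management.autoUpgrade is enabled."

  action_type    = "DENY"
  condition      = "resource.management.autoUpgrade == true"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["container.googleapis.com/NodePool"]
}

# The constraint is only evaluated where a policy enforces it. Scoping the
# policy to a folder (placeholder id) limits enforcement to that subtree;
# the policy name must carry the same parent the policy is attached to.
resource "google_org_policy_policy" "deny_gke_auto_upgrade_folder" {
  name   = "folders/987654321/policies/${google_org_policy_custom_constraint.deny_gke_auto_upgrade.name}"
  parent = "folders/987654321"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```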
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `{{parent}}/customConstraints/{{name}}`
* `update_time` -
  Output only. The timestamp representing when the constraint was last updated.
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
CustomConstraint can be imported using any of these accepted formats:
* `{{parent}}/customConstraints/{{name}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import CustomConstraint using one of the formats above. For example:
```tf
import {
  id = "{{parent}}/customConstraints/{{name}}"
  to = google_org_policy_custom_constraint.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), CustomConstraint can be imported using one of the formats above. For example:
```
$ terraform import google_org_policy_custom_constraint.default {{parent}}/customConstraints/{{name}}
```