Skip to main content

google_organization_policy resource

Use the google_organization_policy InSpec audit resource to test constraints set on a GCP organization.

Syntax

Google organization policies can restrict certain GCP services. For more information see https://cloud.google.com/resource-manager/docs/organization-policy/understanding-constraints

A google_organization_policy resource block declares the tests for a single GCP organization constraint identified by the pair of the name of the organization and the constraint:

describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/compute.disableGuestAttributesAccess') do
  it { should exist }
  its('boolean_policy.enforced') { should be true }
end

Examples

The following examples show how to use this InSpec audit resource.

Test that a GCP organization has a specific constraint enforced

describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/compute.disableGuestAttributesAccess') do
  it { should exist }
  its('boolean_policy.enforced') { should be true }
end

Test that a GCP organization has certain values allowed for a list constraint

describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/someListConstraint') do
  it { should exist }
  its('list_policy.allowed_values') { should include 'included_val' }
  its('list_policy.allowed_values') { should_not include 'excluded' }
  its('list_policy.denied_values') { should include 'denied' }
end

Properties

update_time
The time stamp this policy was last updated.
boolean_policy
Only available for constraints that are boolean policies.
enforced
Boolean for if this policy is enforced.
list_policy
Available for list policies.
allowed_values
List of values allowed at this resource.
denied_values
List of values denied at this resource.

GCP Permissions

Ensure the Cloud Resource Manager API is enabled for the project.

Edit this page on GitHub

Thank you for your feedback!

×