Harnessing GCP Organization Policies for Governance at Scale
Introduction
As your Google Cloud footprint grows, so does the challenge of keeping every project aligned with corporate standards. Google Cloud Organization Policies let you codify guardrails at the Org or Folder level, ensuring that no team can bypass critical rules—whether it’s restricting VM shapes, enforcing resource locations, or requiring mandatory tags.
In this post, we’ll explore:
- What Organization Policies are and how they differ from IAM
- Common constraint types and real-world use cases
- How to author and manage policies in Terraform
- Monitoring, troubleshooting, and best practices
What Are GCP Organization Policies?
Organization Policies are a form of policy-as-code that sit above projects and folders. Unlike IAM (which governs who can do what), Org Policies govern what can be done—period. They use a system of constraints (boolean, list, or custom) that evaluate resource metadata or configuration and allow or deny actions accordingly.
Key differences from IAM:
- IAM: “Can user X create a VM in project Y?”
- Org Policy: “Can anyone create a VM anywhere without tags?”
Core Constraint Types
1. Boolean Constraints
- Simple allow/deny rules.
- Example: `constraints/compute.disableSerialPortAccess` (blocks the serial console on all VMs). See GCP Docs: Boolean Constraints.
2. List Constraints
- Lists of allowed or denied values.
- Example: `constraints/gcp.resourceLocations` (restricts regions, e.g. `["asia-southeast2"]`). See GCP Docs: List Constraints.
3. Custom Constraints (Requires GCP Enterprise)
- Define your own rules using CEL (Common Expression Language).
- Example: `constraints/pubsub.restrictTopicPrefix` (enforces naming conventions). See GCP Docs: Custom Constraints.
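As an added example (not code from the original post), here is how the first and third constraint types look when managed through Terraform: a boolean constraint enforced org-wide, and a custom constraint written in CEL that requires the `env` label the post mentions, together with the policy that enforces it (a custom constraint does nothing on its own). The organization ID, the constraint name `custom.requireEnvLabel`, the label values and the CEL expression are assumptions; the resource types and arguments are those of the `google_org_policy_policy` and `google_org_policy_custom_constraint` resources in the Google Terraform provider.

```hcl
# Added example, not from the original post. Assumed values: the organization
# ID below, the label key "env" and the custom constraint name.

locals {
  org = "organizations/123456789012" # placeholder organization ID
}

# 1. Boolean constraint: block serial-port access on every VM in the org.
#    Boolean constraints take enforce, not allowed/denied values.
resource "google_org_policy_policy" "no_serial_console" {
  name   = "${local.org}/policies/compute.disableSerialPortAccess"
  parent = local.org

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# 3. Custom constraint: a VM may only be created or updated if it carries
#    env=prod or env=dev. Custom constraint names must start with "custom.".
resource "google_org_policy_custom_constraint" "require_env_label" {
  name         = "custom.requireEnvLabel"
  parent       = local.org
  display_name = "Require env label on VMs"
  description  = "Compute instances must carry env=prod or env=dev."

  # ALLOW means the request is admitted only when the condition is true;
  # a missing label fails the first clause and is therefore rejected.
  action_type    = "ALLOW"
  condition      = "'env' in resource.labels && resource.labels['env'] in ['prod', 'dev']"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["compute.googleapis.com/Instance"]
}

# The policy that actually turns the custom constraint on. The policy name
# reuses the constraint name, so renaming the constraint updates both.
resource "google_org_policy_policy" "enforce_env_label" {
  name   = "${local.org}/policies/${google_org_policy_custom_constraint.require_env_label.name}"
  parent = local.org

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```

The split between the constraint (what to check) and the policy (where to enforce it) is what lets you define a rule once at the organization and enforce it selectively on folders or projects later.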
Real-World Use Cases
| Use Case | Example Constraint | Why It Matters |
|---|---|---|
| Geo-compliance | gcp.resourceLocations = ["asia-southeast2"] | Ensures data residency laws are followed. |
| Security hardening | compute.vmExternalIpAccess = DENY | Prevents accidental public exposure. |
| Cost control | compute.restrictVmMachineTypes = ["e2-*"] | Bans expensive VM shapes. |
| Metadata governance | Custom constraint requiring `env:prod` or `env:dev` tags | Guarantees mandatory tags are present. |
Managing Org Policies with Terraform
Example: Restrict Resource Locations
```hcl
data "google_organization" "org" {
  domain = "example.com" # Your GCP organization domain
}

resource "google_org_policy_policy" "restrict_regions" {
  # The policy name embeds the constraint (without the "constraints/" prefix);
  # the provider has no separate "constraint" argument.
  name   = "${data.google_organization.org.name}/policies/gcp.resourceLocations"
  parent = data.google_organization.org.name

  spec {
    rules {
      values {
        allowed_values = ["asia-southeast2", "us-central1"] # Allowed regions
      }
      condition {
        expression = "resource.matchTag('12345678/env', 'prod')" # CEL for granular control
      }
    }
    # Fallback rule (allow all other cases). List constraints use allow_all /
    # deny_all; enforce only applies to boolean constraints.
    rules {
      allow_all = "TRUE"
    }
  }
}
```
Key Notes:
- Always include a fallback rule (the second `rules` block above) to avoid accidental lockouts.
- Use conditions for granular targeting (e.g., only enforce on prod resources).
- Dry-run first: put the rules in a `dry_run_spec` block instead of `spec` during testing, so violations are logged but not blocked.
See GCP Docs: Terraform Org Policies.
Monitoring & Troubleshooting
- Policy Troubleshooter: test policies in the GCP Console before enforcement.
- Audit Logs: filter for `policyviolation.googleapis.com` in Cloud Logging.
- Dry-run Mode: `dry_run_spec { ... }` evaluates the rules and logs violations without blocking.
Best Practices
- Start Small: begin with audit-only policies, then escalate to deny.
- Hierarchy Matters: apply policies at the Folder level for team-specific rules.
- Document Exceptions: use Policy Exemptions for legitimate overrides.
- Automate Checks:
```
gcloud org-policies describe constraints/compute.disableSerialPortAccess --organization=ORGANIZATION_ID
```
(`ORGANIZATION_ID` is a placeholder; the command needs an `--organization`, `--folder` or `--project` scope.)
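The "dry-run first" note above and the "Start Small" and "Hierarchy Matters" practices combine naturally into a staged rollout. As an added example (not code from the original post or the provider's documentation), this applies the `compute.vmExternalIpAccess` constraint from the use-case table to a single team folder: the intended deny lives in `dry_run_spec`, where it is evaluated and logged but never blocks, while the live `spec` allows everything until a variable is flipped. The folder ID, the `enforce` variable and the use of the `dry_run_spec` block (present in recent versions of the Google Terraform provider) are assumptions.

```hcl
# Added example, not from the original post. Assumed values: the folder ID
# below and the "enforce" switch that moves the policy from audit to deny.

variable "enforce" {
  description = "false = audit only (dry run); true = deny external IPs for real"
  type        = bool
  default     = false
}

locals {
  team_folder = "folders/987654321098" # placeholder folder ID for one team
}

# Folder-scoped policy (Hierarchy Matters): only this team's projects are
# affected, and the organization-level policy stays untouched.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "${local.team_folder}/policies/compute.vmExternalIpAccess"
  parent = local.team_folder

  # Live spec (Start Small): until var.enforce is true this denies nothing.
  # allow_all and deny_all are mutually exclusive, so the unused one is null.
  spec {
    rules {
      allow_all = var.enforce ? null : "TRUE"
      deny_all  = var.enforce ? "TRUE" : null
    }
  }

  # Dry-run spec: the intended deny. Requests are evaluated against it and
  # would-be violations are logged, but nothing is blocked.
  dry_run_spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Expose the current stage so a pipeline can record which mode was applied.
output "external_ip_policy_mode" {
  value = var.enforce ? "deny" : "audit-only"
}
```

Apply with the default first, watch the violation logs until they are clean, then re-apply with `-var enforce=true`; the policy name and parent never change, so Terraform updates the existing policy in place rather than creating a second one.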
Conclusion
GCP Organization Policies turn governance into code, eliminating manual checks. By combining constraints, Terraform, and hierarchical enforcement, you can scale cloud operations without sacrificing security or compliance.
Related Posts
- Securing Terraform Deployments on GCP with Label Enforcement
- GCP Custom Roles: When and How to Use Them