Skip to main content

Overview

Google Cloud’s Organization Policy Service centralizes control over how resources can be configured across the Resource Manager hierarchy (organization → folder → project). It sets guardrails on what a resource may look like — restricting regions, services, and resource settings so teams can only create compliant resources. Zenable generates a custom organization policy constraint: a CEL condition evaluated against a strongly-typed representation of a resource when it is created or updated, with an ALLOW or DENY action.

When this is a good choice

RequirementWhy Organization Policy fits
Prevent teams from creating or configuring noncompliant resourcesConstraints evaluate create/update requests before the resource exists; a DENY blocks the noncompliant configuration outright.
Restrict regions, public IPs, allowed services, or resource settingsThe condition reads the resource’s own fields and allow/deny-lists values.
Write custom resource rules like Azure Policy definitionsCustom constraints are the Google Cloud equivalent — CEL over resource fields, checked on create/update.
Audit-only / test before enforcementThe enforcing policy supports dry-run: violations are audit-logged without denying.
For AWS environments see AWS SCP; for Azure see Azure Policy.

Capabilities

  • Enforce at the organization, folder, or project level; descendants inherit by default
  • CEL conditions over strongly-typed, service-specific resource.* fields
  • ALLOW (permit only when the condition is true) or DENY (block when the condition is true)
  • Enforced on CREATE, or CREATE and UPDATE
  • Dry-run / audit mode to preview impact before enforcement

Limitations

  • Requires a Google Cloud organization (Resource Manager hierarchy)
  • Only applicable to Google Cloud environments
  • UPDATE-only constraints are not supported; most resource types allow up to 20 custom constraints

Generated Format

  • Language: YAML
  • Structure: a single CustomConstraint document — name (custom.<Name>), resourceTypes, methodTypes, condition (CEL), actionType, and optional displayName / description
  • Execution: created with gcloud org-policies set-custom-constraint, then enforced by an organization policy (enforce: true, or dryRunSpec for audit mode)

Example Guardrail

name: custom.restrictComputeRegions
resourceTypes:
  - compute.googleapis.com/Instance
methodTypes:
  - CREATE
  - UPDATE
condition: "resource.zone.startsWith('us-')"
actionType: ALLOW
displayName: Restrict Compute to US regions
description: Only allow Compute instances created or updated in US zones.
Once created, an organization policy enforces the constraint across the chosen scope:
name: projects/PROJECT_ID/policies/custom.restrictComputeRegions
spec:
  rules:
    - enforce: true
Learn more at the Organization Policy overview and Create custom constraints.