Overview
Google Cloud’s Organization Policy Service centralizes control over how resources can be configured across the Resource Manager hierarchy (organization → folder → project). It sets guardrails on what a resource may look like — restricting regions, services, and resource settings so teams can only create compliant resources. Zenable generates a custom organization policy constraint: a CEL condition evaluated against a strongly-typed representation of a resource when it is created or updated, with anALLOW or DENY action.
When this is a good choice
| Requirement | Why Organization Policy fits |
|---|---|
| Prevent teams from creating or configuring noncompliant resources | Constraints evaluate create/update requests before the resource exists; a DENY blocks the noncompliant configuration outright. |
| Restrict regions, public IPs, allowed services, or resource settings | The condition reads the resource’s own fields and allow/deny-lists values. |
| Write custom resource rules like Azure Policy definitions | Custom constraints are the Google Cloud equivalent — CEL over resource fields, checked on create/update. |
| Audit-only / test before enforcement | The enforcing policy supports dry-run: violations are audit-logged without denying. |
Capabilities
- Enforce at the organization, folder, or project level; descendants inherit by default
- CEL conditions over strongly-typed, service-specific
resource.*fields ALLOW(permit only when the condition is true) orDENY(block when the condition is true)- Enforced on
CREATE, orCREATEandUPDATE - Dry-run / audit mode to preview impact before enforcement
Limitations
- Requires a Google Cloud organization (Resource Manager hierarchy)
- Only applicable to Google Cloud environments
UPDATE-only constraints are not supported; most resource types allow up to 20 custom constraints
Generated Format
- Language: YAML
- Structure: a single
CustomConstraintdocument —name(custom.<Name>),resourceTypes,methodTypes,condition(CEL),actionType, and optionaldisplayName/description - Execution: created with
gcloud org-policies set-custom-constraint, then enforced by an organization policy (enforce: true, ordryRunSpecfor audit mode)