> ## Documentation Index
> Fetch the complete documentation index at: https://docs.zenable.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Google Cloud Organization Policy

> Google Cloud resource-configuration compliance enforcement

## Overview

Google Cloud's [Organization Policy Service](https://docs.cloud.google.com/organization-policy/overview) centralizes control over how resources can be configured across the Resource Manager hierarchy (organization → folder → project). It sets guardrails on **what** a resource may look like — restricting regions, services, and resource settings so teams can only create compliant resources.

Zenable generates a **custom organization policy constraint**: a [CEL](https://docs.cloud.google.com/organization-policy/create-custom-constraints) condition evaluated against a strongly-typed representation of a resource when it is created or updated, with an `ALLOW` or `DENY` action.

## When this is a good choice

| Requirement                                                          | Why Organization Policy fits                                                                                                     |
| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| Prevent teams from creating or configuring noncompliant resources    | Constraints evaluate create/update requests before the resource exists; a `DENY` blocks the noncompliant configuration outright. |
| Restrict regions, public IPs, allowed services, or resource settings | The condition reads the resource's own fields and allow/deny-lists values.                                                       |
| Write custom resource rules like Azure Policy definitions            | Custom constraints are the Google Cloud equivalent — CEL over resource fields, checked on create/update.                         |
| Audit-only / test before enforcement                                 | The enforcing policy supports dry-run: violations are audit-logged without denying.                                              |

For AWS environments see [AWS SCP](/integrations/guardrails/aws-scp); for Azure see [Azure Policy](/integrations/guardrails/azure-policy).

## Capabilities

* Enforce at the organization, folder, or project level; descendants inherit by default
* CEL conditions over strongly-typed, service-specific `resource.*` fields
* `ALLOW` (permit only when the condition is true) or `DENY` (block when the condition is true)
* Enforced on `CREATE`, or `CREATE` and `UPDATE`
* Dry-run / audit mode to preview impact before enforcement

## Limitations

* Requires a Google Cloud organization (Resource Manager hierarchy)
* Only applicable to Google Cloud environments
* `UPDATE`-only constraints are not supported; most resource types allow up to 20 custom constraints

## Generated Format

* **Language:** YAML
* **Structure:** a single `CustomConstraint` document — `name` (`custom.<Name>`), `resourceTypes`, `methodTypes`, `condition` (CEL), `actionType`, and optional `displayName` / `description`
* **Execution:** created with `gcloud org-policies set-custom-constraint`, then enforced by an organization policy (`enforce: true`, or `dryRunSpec` for audit mode)

## Example Guardrail

```yaml theme={null}
name: custom.restrictComputeRegions
resourceTypes:
  - compute.googleapis.com/Instance
methodTypes:
  - CREATE
  - UPDATE
condition: "resource.zone.startsWith('us-')"
actionType: ALLOW
displayName: Restrict Compute to US regions
description: Only allow Compute instances created or updated in US zones.
```

Once created, an organization policy enforces the constraint across the chosen scope:

```yaml theme={null}
name: projects/PROJECT_ID/policies/custom.restrictComputeRegions
spec:
  rules:
    - enforce: true
```

Learn more at the [Organization Policy overview](https://docs.cloud.google.com/organization-policy/overview) and [Create custom constraints](https://docs.cloud.google.com/organization-policy/create-custom-constraints).
