Class: Google::Apis::CloudresourcemanagerV1::ListPolicy

Inherits:
Object
  • Object
show all
Includes:
Google::Apis::Core::Hashable, Google::Apis::Core::JsonObjectSupport
Defined in:
generated/google/apis/cloudresourcemanager_v1/classes.rb,
generated/google/apis/cloudresourcemanager_v1/representations.rb,
generated/google/apis/cloudresourcemanager_v1/representations.rb

Overview

Used in policy_type to specify how list_policy behaves at this resource. ListPolicy can define specific values and subtrees of Cloud Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied by setting the allowed_values and denied_values fields. This is achieved by using the under: and optional is: prefixes. The under: prefix is used to denote resource subtree values. The is: prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats:

  • “projects/”, e.g. “projects/tokyo-rain-123”
  • “folders/”, e.g. “folders/1234”
  • “organizations/”, e.g. “organizations/1234” The supports_under field of the associated Constraint defines whether ancestry prefixes can be used. You can set allowed_values and denied_values in the same Policy if all_values is ALL_VALUES_UNSPECIFIED. ALLOW or DENY are used to allow or deny all values. If all_values is set to either ALLOW or DENY, allowed_values and denied_values must be unset.

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from Google::Apis::Core::JsonObjectSupport

#to_json

Methods included from Google::Apis::Core::Hashable

process_value, #to_h

Constructor Details

#initialize(**args) ⇒ ListPolicy

Returns a new instance of ListPolicy



968
969
970
 
# File 'generated/google/apis/cloudresourcemanager_v1/classes.rb', line 968

def initialize(**args)
   update!(**args)
end

Instance Attribute Details

#all_valuesString

The policy all_values state. Corresponds to the JSON property allValues

Returns:

  • (String) 


856
857
858
 
# File 'generated/google/apis/cloudresourcemanager_v1/classes.rb', line 856

def all_values
  @all_values
end

#allowed_valuesArray<String>

List of values allowed at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED. Corresponds to the JSON property allowedValues

Returns:

  • (Array<String>) 


862
863
864
 
# File 'generated/google/apis/cloudresourcemanager_v1/classes.rb', line 862

def allowed_values
  @allowed_values
end

#denied_valuesArray<String>

List of values denied at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED. Corresponds to the JSON property deniedValues

Returns:

  • (Array<String>) 


868
869
870
 
# File 'generated/google/apis/cloudresourcemanager_v1/classes.rb', line 868

def denied_values
  @denied_values
end

#inherit_from_parentBoolean Also known as: inherit_from_parent?

Determines the inheritance behavior for this Policy. By default, a ListPolicy set at a resource supercedes any Policy set anywhere up the resource hierarchy. However, if inherit_from_parent is set to true, then the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy. Setting Policy hierarchies that inherit both allowed values and denied values isn't recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a Policy with allowed_values set that inherits a Policy with denied_values set. In this case, the values that are allowed must be in allowed_values and not present in denied_values. For example, suppose you have a Constraint constraints/serviceuser.services, which has a constraint_type of list_constraint, and with constraint_default set to ALLOW. Suppose that at the Organization level, a Policy is applied that restricts the allowed API activations to E1`, `E2. Then, if a Policy is applied to a project below the Organization that has inherit_from_parent set to false and field all_values set to DENY, then an attempt to activate any API will be denied. The following examples demonstrate different possible layerings for projects/bar parented by organizations/foo: Example 1 (no inherited values): organizations/foo has a Policy with values: allowed_values: “E1” allowed_values:”E2” projects/bar has inherit_from_parent false and values: allowed_values: "E3" allowed_values: "E4" The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E3, and E4. Example 2 (inherited values): organizations/foo has a Policy with values: allowed_values: “E1” allowed_values:”E2” projects/bar has a Policy with values: value: “E3” value: ”E4” inherit_from_parent: true The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E1, E2, E3, and E4. Example 3 (inheriting both allowed and denied values): organizations/foo has a Policy with values: allowed_values: "E1" allowed_values: "E2" projects/bar has a Policy with: denied_values: "E1" The accepted values at organizations/foo are E1, E2. The value accepted at projects/bar is E2. Example 4 (RestoreDefault): organizations/foo has a Policy with values: allowed_values: “E1” allowed_values:”E2” projects/bar has a Policy with values: RestoreDefault:` The accepted values atorganizations/fooareE1,E2. The accepted values atprojects/barare either all or none depending on the value ofconstraint_default(ifALLOW, all; if DENY, none). Example 5 (no policy inherits parent policy): organizations/foohas noPolicyset. projects/barhas noPolicyset. The accepted values at both levels are either all or none depending on the value ofconstraint_default(ifALLOW, all; if DENY, none). Example 6 (ListConstraint allowing all): organizations/foohas aPolicywith values: allowed_values: “E1” allowed_values: ”E2” projects/barhas aPolicywith: all: ALLOW The accepted values atorganizations/fooareE1, E2. Any value is accepted at projects/bar. Example 7 (ListConstraint allowing none): organizations/foo has a Policy with values: allowed_values: “E1” allowed_values: ”E2” projects/bar has a Policy with: all: DENY The accepted values at organizations/foo are E1, E2. No value is accepted atprojects/bar. Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1->F1, F2; F1->P1; F2->P2, P3, organizations/foohas aPolicywith values: allowed_values: "under:organizations/O1" projects/barhas aPolicywith: allowed_values: "under:projects/P3" denied_values: "under:folders/F2" The accepted values atorganizations/fooareorganizations/O1, folders/F1,folders/F2,projects/P1,projects/P2, projects/P3. The accepted values atprojects/barareorganizations/O1, folders/F1,projects/P1. Corresponds to the JSON propertyinheritFromParent`

Returns:

  • (Boolean) 


957
958
959
 
# File 'generated/google/apis/cloudresourcemanager_v1/classes.rb', line 957

def inherit_from_parent
  @inherit_from_parent
end

#suggested_valueString

Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this Policy. If suggested_value is not set, it will inherit the value specified higher in the hierarchy, unless inherit_from_parent is false. Corresponds to the JSON property suggestedValue

Returns:

  • (String) 


966
967
968
 
# File 'generated/google/apis/cloudresourcemanager_v1/classes.rb', line 966

def suggested_value
  @suggested_value
end

Instance Method Details

#update!(**args) ⇒ Object

Update properties of this object



973
974
975
976
977
978
979
 
# File 'generated/google/apis/cloudresourcemanager_v1/classes.rb', line 973

def update!(**args)
  @all_values = args[:all_values] if args.key?(:all_values)
  @allowed_values = args[:allowed_values] if args.key?(:allowed_values)
  @denied_values = args[:denied_values] if args.key?(:denied_values)
  @inherit_from_parent = args[:inherit_from_parent] if args.key?(:inherit_from_parent)
  @suggested_value = args[:suggested_value] if args.key?(:suggested_value)
end