
Unable to create an org policy to deny the creation of all external load balancers

I want to create an org policy to deny the creation of all external load balancers:

I am referring to the following documentation:

https://cloud.google.com/load-balancing/docs/org-policy-constraints

- Deny all external load balancers

```json
{
  "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
  "listPolicy": {
    "deniedValues": [
      "in:EXTERNAL"
    ]
  }
}
```

The following is my workflow:

1. Created the following org policy in my project: `constraints/compute.restrictLoadBalancerCreationForTypes` using the instructions in the following: https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-policies#boolea...

2. When I try to create a load balancer, I get the following, which is expected:

Constraint constraints/compute.restrictLoadBalancerCreationForTypes violated for projects/org-policy-12345. Forwarding Rule projects/xxxxxx/global/forwardingRules/frontend-5 of type GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS is not allowed.

But now I want to update this org policy to only deny creation of external load balancers:

3. In the "Organization Policies" page in the Google Cloud Console, I selected the constraint `constraints/compute.restrictLoadBalancerCreationForTypes` from the list and clicked `Manage Policy`.

4. I then went to Add a rule > Add condition > Condition Editor, and entered the following, but I get an error:

(screenshot: org-policy-error.jpg)

What am I missing in my understanding, please?

1 ACCEPTED SOLUTION

Hi @kensan 

Thank you for your response.

I wanted to customize my org policy `constraints/compute.restrictLoadBalancerCreationForTypes` using the console.

I was doing the following, which was not working:

Under `Manage Policy`, I then went to Add a rule > Add condition > Condition Editor. I then added the condition that I added in my query.

In order to disallow the creation of only external load balancers, I had to do the following, and it worked:

Under Manage Policy, go to "Edit rule"

- In **Policy values** dropdown, select **Custom**.

- In **Policy type** dropdown, select **Deny**.

- In **Add value**, enter `in:External`.

- Click **Done**.

With this, I was able to create internal load balancers and not external load balancers.

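The accepted answer's point is that the scope of the rule is carried by the policy value itself (`in:EXTERNAL` stands for the whole group of external load balancer types), not by a condition added in the Condition Editor. The following Python is an added example, not code from this thread or from Google: it builds the "deny all external load balancers" policy file from the question, lints it before it is applied, dry-runs it against a forwarding rule the way the quoted violation message does, and prints the v1-format `gcloud resource-manager org-policies` commands from the linked guide. The group table is an illustrative subset of the documented type values (only `GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS` appears on this page), the one-of-allowed/denied rule is assumed from the v1 list-policy format, and `PROJECT_ID` is a placeholder.

```python
"""Lint and dry-run a policy file for
constraints/compute.restrictLoadBalancerCreationForTypes.

Added example, not code from the thread or from Google. Assumptions are
marked inline: LB_GROUPS is an illustrative subset of the documented type
values, the one-of-allowed/denied rule is the v1 list-policy format from
the linked guide, and PROJECT_ID is a placeholder.
"""
import json
from typing import Optional

CONSTRAINT = "constraints/compute.restrictLoadBalancerCreationForTypes"

# Concrete forwarding-rule types that the group values "in:EXTERNAL" and
# "in:INTERNAL" stand for. Illustrative subset (assumption): the complete
# table is on the org-policy-constraints page linked in the question.
LB_GROUPS = {
    "EXTERNAL": {
        "GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS",  # the type in the quoted error
        "EXTERNAL_HTTP_HTTPS",
        "EXTERNAL_NETWORK_TCP_UDP",
    },
    "INTERNAL": {
        "INTERNAL_HTTP_HTTPS",
        "INTERNAL_TCP_UDP",
    },
}
KNOWN_TYPES = set().union(*LB_GROUPS.values())


def deny_external_policy() -> dict:
    """The 'Deny all external load balancers' policy from the docs, as a dict."""
    return {"constraint": CONSTRAINT, "listPolicy": {"deniedValues": ["in:EXTERNAL"]}}


def expand(value: str) -> set:
    """'in:GROUP' expands to the group's member types; a concrete type is itself."""
    if value.startswith("in:"):
        return set(LB_GROUPS.get(value[3:], ()))
    return {value}


def lint_policy(policy: dict) -> list:
    """Return the problems found in a policy dict; an empty list means it is
    well-formed for this constraint. Values are compared case-sensitively
    against the spelling used in the docs."""
    problems = []
    if policy.get("constraint") != CONSTRAINT:
        problems.append(f"constraint must be {CONSTRAINT}")
    lp = policy.get("listPolicy")
    if not isinstance(lp, dict):
        problems.append("listPolicy block missing: this is a list constraint, not a boolean one")
        return problems
    has_allowed, has_denied = "allowedValues" in lp, "deniedValues" in lp
    if has_allowed == has_denied:
        # Assumed v1 rule: a list policy carries either allowed or denied values.
        problems.append("set exactly one of allowedValues or deniedValues")
    for value in lp.get("allowedValues", []) + lp.get("deniedValues", []):
        if not expand(value) & KNOWN_TYPES:
            problems.append(f"unrecognised value {value!r}; expected in:EXTERNAL, "
                            "in:INTERNAL or a documented type name")
    return problems


def evaluate(policy: dict, project: str, rule_name: str, lb_type: str) -> Optional[str]:
    """Dry-run the policy against one forwarding rule. Returns a violation
    message shaped like the one quoted in the question, or None when the
    rule would be allowed. deniedValues win; allowedValues act as an allow-list."""
    lp = policy["listPolicy"]
    denied = set().union(*(expand(v) for v in lp.get("deniedValues", [])))
    blocked = lb_type in denied
    if "allowedValues" in lp:
        allowed = set().union(*(expand(v) for v in lp["allowedValues"]))
        blocked = blocked or lb_type not in allowed
    if not blocked:
        return None
    return (f"Constraint {CONSTRAINT} violated for projects/{project}. "
            f"Forwarding Rule projects/{project}/global/forwardingRules/{rule_name} "
            f"of type {lb_type} is not allowed.")


def policy_json(policy: dict) -> str:
    """Serialize the policy in the layout the docs show."""
    return json.dumps(policy, indent=2) + "\n"


def gcloud_commands(policy_file: str, project: str = "PROJECT_ID") -> list:
    """The v1-format commands from the linked guide: apply the file to a
    project, then read back the effective policy to confirm what is enforced."""
    short = CONSTRAINT.removeprefix("constraints/")
    return [
        f"gcloud resource-manager org-policies set-policy {policy_file} --project={project}",
        f"gcloud resource-manager org-policies describe {short} --project={project} --effective",
    ]


if __name__ == "__main__":
    policy = deny_external_policy()
    print("lint:", lint_policy(policy) or "ok")
    # Constructed sample: the rule from the question plus an internal one.
    for lb_type in ("GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS", "INTERNAL_TCP_UDP"):
        print(lb_type, "->", evaluate(policy, "org-policy-12345", "frontend-5", lb_type) or "allowed")
    with open("deny-external-lb.json", "w") as fh:
        fh.write(policy_json(policy))
    print("\n".join(gcloud_commands("deny-external-lb.json")))
```

Running the script lints the policy, shows the external type from the question being refused while `INTERNAL_TCP_UDP` passes, writes `deny-external-lb.json`, and prints the `set-policy` and `describe --effective` commands to run in Cloud Shell; reading back the effective policy is the check that confirms the denial is actually in force on the project rather than trusting the console save.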

3 REPLIES

Can someone please help with this.

Thank you for your time!

Hi @mountaincode2 ,

Welcome to Google Cloud Community!

Based on the document you provided, the first step is to create a policy file, using the JSON configuration sample to build it according to your requirement.

To create a policy file, here is the guide:

1. Open the Cloud Shell terminal, then click Open Editor.
2. Add a new file with the .json extension (<filename>.json).
3. In the file, paste the configuration from the document.
4. Then follow step 2 of the guide in the documentation.

I hope the above information is helpful.
