
Unable to create an org policy to deny the creation of all external load balancers

I want to create an org policy to deny the creation of all external load balancers:

I am referring to the following documentation:

https://cloud.google.com/load-balancing/docs/org-policy-constraints

  • Deny all external load balancers

    {
      "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
      "listPolicy": {
        "deniedValues": [
          "in:EXTERNAL"
        ]
      }
    }


The following is my workflow:

1. Created the following org policy in my project: `constraints/compute.restrictLoadBalancerCreationForTypes` using the instructions in the following: https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-policies#boolea...

2. When I try to create a load balancer, I get the following, which is expected:

Constraint constraints/compute.restrictLoadBalancerCreationForTypes violated for projects/org-policy-12345. Forwarding Rule projects/xxxxxx/global/forwardingRules/frontend-5 of type GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS is not allowed.

But now I want to update this org policy to only deny creation of external load balancers:

3. In the "Organization Policies" page in the Google Cloud Console, I selected the constraint `constraints/compute.restrictLoadBalancerCreationForTypes` from the list and clicked `Manage Policy`.

4. I then went to Add a rule > Add condition > Condition Editor, and entered the following, but I get an error:

org-policy-error.jpg

What am I missing in my understanding please?


1 ACCEPTED SOLUTION

Hi @kensan 

Thank you for your response.

I wanted to customize my org policy `constraints/compute.restrictLoadBalancerCreationForTypes` using the console.

I was doing the following, which was not working:

Under `Manage Policy`, I then went to Add a rule > Add condition > Condition Editor. I then added the condition that I added in my query.

In order to disallow the creation of only external load balancers, I had to do the following, and it worked:

Under Manage Policy, go to "Edit rule"

- In **Policy values** dropdown, select **Custom**.

- In **Policy type** dropdown, select **Deny**.

- In **Add value**, enter `in:External`.

- Click **Done**.

With this, I was able to create internal load balancers and not external load balancers.


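The accepted solution denies the `in:EXTERNAL` family rather than adding a condition. The following is an added example (not Google's code and not from the thread) that models how such a list-constraint policy is evaluated offline, so a denied load-balancer type can be spotted before a deployment fails. The `in:` family membership, the type names other than the one in the error message above, and the deny/allow ordering are assumptions drawn from the documentation the question links, simplified for illustration.

```python
"""Offline pre-check for constraints/compute.restrictLoadBalancerCreationForTypes (added example)."""
import json

# Assumed hierarchy: "in:EXTERNAL" / "in:INTERNAL" match every type in that family.
# Only GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS appears in the thread; the rest are illustrative.
FAMILY = {
    "EXTERNAL": {"GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS", "EXTERNAL_HTTP_HTTPS",
                 "EXTERNAL_NETWORK_TCP_UDP", "EXTERNAL_TCP_PROXY"},
    "INTERNAL": {"INTERNAL_TCP_UDP", "INTERNAL_HTTP_HTTPS",
                 "GLOBAL_INTERNAL_MANAGED_HTTP_HTTPS"},
}

# Constructed policy document, same shape as the one quoted from the docs.
POLICY_JSON = """
{
  "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
  "listPolicy": {"deniedValues": ["in:EXTERNAL"]}
}
"""

def _matches(pattern: str, lb_type: str) -> bool:
    """A bare value matches exactly; 'in:<FAMILY>' matches the whole family.
    Case is normalized because the thread shows both in:EXTERNAL and in:External."""
    pattern, lb_type = pattern.upper(), lb_type.upper()
    if pattern.startswith("IN:"):
        return lb_type in FAMILY.get(pattern[3:], set())
    return pattern == lb_type

def is_denied(policy: dict, lb_type: str) -> bool:
    """True if creating a forwarding rule of lb_type would violate the policy.
    Simplified model (assumption): an explicit deny wins; if an allow list is
    present, anything not on it is denied; an empty policy denies nothing."""
    lp = policy.get("listPolicy", {})
    if any(_matches(p, lb_type) for p in lp.get("deniedValues", [])):
        return True
    allowed = lp.get("allowedValues", [])
    return bool(allowed) and not any(_matches(p, lb_type) for p in allowed)

def check(policy_json: str, lb_type: str) -> str:
    """Human-readable verdict for one load-balancer type against a policy JSON string."""
    policy = json.loads(policy_json)
    verdict = "DENIED" if is_denied(policy, lb_type) else "allowed"
    return f"{lb_type}: {verdict} by {policy['constraint']}"

if __name__ == "__main__":
    # Mirrors the thread: the external forwarding rule fails, an internal one passes.
    print(check(POLICY_JSON, "GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS"))
    print(check(POLICY_JSON, "INTERNAL_TCP_UDP"))
```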