How to create an Org Policy Constraint with conditions? - GCP


I am working on a small project in Python with which I could create the org policy gcp.disableSerialPortAccess as a "Not Enforced" Org Policy with the condition "tagValues/776487819778".

I can feel that it is something simple, but I do not understand how to create the request...

I tried using this request https://github.com/googleapis/python-org-policy/blob/main/samples/generated_samples/orgpolicy_v2_generated_org_policy_create_policy_sync.py , but I do not know how to construct it.

This is how I try to end up: https://cloud.google.com/resource-manager/docs/organization-policy/tags-organization-policy#boolean_policy_example

Spec: Rule Enforce with Condition as "tagValues/776487819778"

Can someone please help?

from google.cloud import orgpolicy_v2
from google.cloud.orgpolicy_v2 import types

Exp=(
    "expression" : "tagValues/776487819778",
    "title" : "this is the title",
    "description" : "this is a description",
    )


def build_policy():
    rule = types.PolicySpec.PolicyRule()
    rule.enforce = False
    rule.condition = (Exp)

    print(types.PolicySpec.PolicyRule)

    spec = types.PolicySpec()
    spec.rules.append(rule)

    policy = types.Policy(
        name="projects/project-id/policies/gcp.disableSerialPortAccess",
        spec=spec
        )

    return policy


def sample_update_policy():
    # Create a client
    client = orgpolicy_v2.OrgPolicyClient()

    policy = build_policy()

    # Debug - view created policy
    print(policy)

    # Initialize request argument(s)
    request = orgpolicy_v2.UpdatePolicyRequest(
        policy=policy,
    )

    # Make the request
    response = client.update_policy(request=request)

    # Handle the response
    print(response)

sample_update_policy()

There are 2 answers

0
John Hanley On BEST ANSWER

Exp is a dictionary (Key/Value).

To duplicate the example in your link use the following code:

from google.cloud.orgpolicy_v2 import types


def build_policy():
    # The condition is a dict (key/value), not a tuple
    Exp = {
        "expression" : "resource.matchTagId('org-id-from-gcp/disableSerialAccess', 'yes')",
        "title" : "this is the title",
        "description" : "this is a description",
    }

    # Rule 1: enforce the constraint where the tag condition matches
    rule1 = types.PolicySpec.PolicyRule()
    rule1.enforce = True
    rule1.condition = Exp

    # Rule 2: unconditional default for everything else (not enforced)
    rule2 = types.PolicySpec.PolicyRule()
    rule2.enforce = False

    spec = types.PolicySpec()

    spec.rules.append(rule1)
    spec.rules.append(rule2)

    policy = types.Policy(
        name="projects/project-id-from-gcp/policies/gcp.disableSerialPortAccess",
        spec=spec
    )

    return policy
1
ErnestoC On

Your expression field in Exp needs to use the IAM attribute resource.matchTagId(tagKey, tagValues) to be a valid expression. From the IAM documentation:

Checks whether the resource for the request has a tag with the specified key and value.

Something else to note is that the Exp dictionary has to be using curly braces instead of parentheses in case it's not compiling (or could be a typo):

#Using the IAM attribute
Exp = {
    "expression" : "resource.matchTagId('tagKeys/1234', 'tagValues/776487819778')",
    "title" : "this is the title",
    "description" : "this is a description",
}

This other page is also useful if you need further samples and details about the fields inside a Policy type (including the CEL expression syntax).
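Putting both answers together, here is a complete builder for the tag-conditioned policy as an added example (it is not code from the question or from either answer). It assembles the policy as a plain dict in the v2 API JSON shape, rejects the two mistakes from the question (a tuple instead of a dict for the condition, and a bare `tagValues/...` string that is not a CEL expression), and only imports the Google client when actually sending the policy. Placeholders are assumptions: `my-project`, `tagKeys/1234` (ErnestoC's placeholder) and `tagValues/776487819778` (the ID from the question); whether `types.Policy(**policy)` accepts nested dicts relies on proto-plus marshalling and is labelled as such in the code.

```python
"""Build a gcp.disableSerialPortAccess policy that is enforced only on
resources carrying a given tag value, and sanity-check it before sending.

Added example, not from the original post. Project and tag IDs below are
placeholders.
"""
import re

# Org Policy tag conditions are CEL calls on the IAM resource attributes:
#   resource.matchTagId('tagKeys/<id>', 'tagValues/<id>')   by numeric ID
#   resource.matchTag('<org-id>/<key>', '<value>')          by namespaced name
_MATCH_TAG_ID = re.compile(
    r"^resource\.matchTagId\('(tagKeys/\d+)',\s*'(tagValues/\d+)'\)$")
_MATCH_TAG = re.compile(
    r"^resource\.matchTag\('([^'/]+)/([^']+)',\s*'([^']+)'\)$")


def validate_tag_condition(expression: str) -> bool:
    """True if the expression is one of the two tag-matching CEL forms.

    A bare 'tagValues/776487819778' (the question's first attempt) is not a
    CEL expression and is rejected.
    """
    return bool(_MATCH_TAG_ID.match(expression) or _MATCH_TAG.match(expression))


def tag_condition(tag_key_id: str, tag_value_id: str, title: str = "") -> dict:
    """Build the `condition` field of a PolicyRule from tag resource IDs."""
    if not tag_key_id.startswith("tagKeys/") or not tag_value_id.startswith("tagValues/"):
        raise ValueError("matchTagId takes tagKeys/<id> and tagValues/<id> resource IDs")
    expression = f"resource.matchTagId('{tag_key_id}', '{tag_value_id}')"
    return {"expression": expression, "title": title or f"tagged {tag_value_id}"}


def build_policy(project_id: str, tag_key_id: str, tag_value_id: str) -> dict:
    """Policy as a plain dict in the v2 API JSON shape.

    Rule 1: enforce the constraint where the tag matches.
    Rule 2: unconditional default (not enforced) for everything else.
    """
    return {
        "name": f"projects/{project_id}/policies/gcp.disableSerialPortAccess",
        "spec": {
            "rules": [
                {"enforce": True, "condition": tag_condition(tag_key_id, tag_value_id)},
                {"enforce": False},
            ]
        },
    }


def check_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy looks sane."""
    problems = []
    rules = policy.get("spec", {}).get("rules", [])
    if len([r for r in rules if "condition" not in r]) > 1:
        problems.append("more than one unconditional rule")
    for i, rule in enumerate(rules):
        cond = rule.get("condition")
        if cond is None:
            continue
        if not isinstance(cond, dict):
            # The question built Exp with parentheses, i.e. a tuple, not a dict
            problems.append(f"rule {i}: condition must be a dict, not {type(cond).__name__}")
        elif not validate_tag_condition(cond.get("expression", "")):
            problems.append(f"rule {i}: expression is not a tag-matching CEL call")
    return problems


def submit(policy: dict, create: bool = False):
    """Send the policy with the Org Policy client (needs credentials and the
    google-cloud-org-policy package, so it is only called from __main__).

    Assumption: proto-plus marshals nested dicts, so types.Policy(**policy)
    builds the same message as the explicit PolicyRule objects in the answers.
    """
    from google.cloud import orgpolicy_v2
    from google.cloud.orgpolicy_v2 import types

    problems = check_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    client = orgpolicy_v2.OrgPolicyClient()
    proto = types.Policy(**policy)
    if create:
        parent = policy["name"].rsplit("/policies/", 1)[0]
        return client.create_policy(parent=parent, policy=proto)
    return client.update_policy(policy=proto)


if __name__ == "__main__":
    # Placeholder IDs; replace with real tag key/value resource IDs.
    policy = build_policy("my-project", "tagKeys/1234", "tagValues/776487819778")
    print(check_policy(policy) or "policy looks sane")
    print(submit(policy, create=True))
```

`update_policy` only works on a policy that already exists for that constraint; use `create=True` (which calls `create_policy` with the project as parent) the first time. The `check_policy` step is deliberately run before any network call so that a tuple condition or a bare tag ID fails locally instead of as an `INVALID_ARGUMENT` from the API.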