Enforce organization policy by using Resource Manager

This guide describes how to set an organization policy that includes the resource locations constraint, and how to test that constraint after it is applied in the Google Cloud console.

Before you begin

Required roles

To get the permissions that you need to restrict where Compute Engine disks can be created, ask your administrator to grant you the following IAM roles:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable the APIs

Enable the Compute Engine and Resource Manager APIs.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Create a project

  1. Ensure that you have the Project Creator IAM role (roles/resourcemanager.projectCreator). Learn how to grant roles.
  2. In the Google Cloud console, go to the project selector page.

  3. Click Create project.

  4. Name your project. Make a note of your generated project ID.

  5. Edit the other fields as needed.

  6. Click Create.

Create a Compute Engine disk

To test the functionality of the resource locations constraint, set up a Compute Engine regional persistent disk. When you create a regional persistent disk, you must specify the location where it will reside. For more information about creating Compute Engine regional persistent disks, see Create and manage regional disks.

  1. In the Google Cloud console, go to the Disks page.

  2. Select the project that you created.

     If you are prompted to link a billing account to your project, do so now. For more information about enabling billing, see Enable billing for a project.

  3. Click Create disk.

  4. Specify a Name for your disk.

  5. For the Location, choose Regional.

  6. For the Region, select europe-north1 (Finland).

  7. For the Zone, select europe-north1-a.

  8. Select the Replica zone in the same region.

  9. Click Create.

When the disk is successfully created, a green check mark appears next to the name.

Set the organization policy

To set an organization policy on the project that you created:

  1. In the Google Cloud console, go to the Organization policies page.

  2. Click Select.

  3. Select the project that you created.

  4. Click Google Cloud Platform - Resource Location Restriction, and then click Manage policy.

  5. Under Policy source, select Override parent's policy.

  6. Under Policy enforcement, select Replace.

  7. Click Add rule.

  8. Under Policy values, select Custom.

  9. Under Policy type, select Allow.

  10. In the Custom values box, enter the value in:asia-locations.

  11. Click Done, and then click Set policy. A notification appears to confirm the policy update.

asia-locations is a value group that is curated by Google to include every location in a particular geographic region. In this case, every region in Asia is defined as an allowed location for any resources created after this point. Note that the regional persistent disk you created is not affected by this new policy, because the policy is not retroactive.

Testing the organization policy

Now that the organization policy is in effect, you cannot create resources in regions that were not specified as part of the organization policy. To test this, try to create a regional persistent disk in an invalid location:

  1. In the Google Cloud console, go to the Disks page.

  2. Select the project that you created.

  3. Click Create disk.

  4. Specify a Name for your disk.

  5. For the Location, choose Regional.

  6. For the Region, select europe-north1 (Finland).

  7. For the Zone, select europe-north1-a.

  8. Select the Replica zone in the same region.

  9. Click Create.

A red exclamation point appears next to the name, and an error notification is displayed:

Location ZONE:europe-north1-a violates constraint
constraints/gcp.resourceLocations on the resource RESOURCE_ID

Where RESOURCE_ID is the full resource path of your project and disk. The disk is not created.

Create a regional persistent disk in a valid location

The organization policy constraint blocks the creation of resources unless you specify a valid location:

  1. In the Google Cloud console, go to the Disks page.

  2. Select the project that you created.

  3. Click Create disk.

  4. Specify a Name for your disk.

  5. For the Location, choose Regional.

  6. For the Region, select asia-east2 (Hong Kong).

  7. For the Zone, select asia-east2-a.

  8. Select the Replica zone in the same region.

  9. Click Create.

The resource is created successfully because all zones under asia-east2 are within the asia-locations value group.
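The same policy and both disk-creation tests, done with the gcloud CLI instead of the console. This is an added example, not part of the Google Cloud documentation page; PROJECT_ID, the disk names and the replica zones (europe-north1-b, asia-east2-b) are assumed placeholders you must adjust.

```shell
#!/usr/bin/env bash
# Added example: gcloud equivalent of the console steps in "Set the organization
# policy" and "Testing the organization policy". PROJECT_ID is a placeholder.
set -e

PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder: your project ID

# Write the org policy file for constraints/gcp.resourceLocations on the project.
# A rule with its own allowedValues and no inheritFromParent corresponds to the
# console choices "Override parent's policy" and "Replace". The policy is not
# retroactive: disks that already exist in other regions are left untouched.
write_policy() {
  local out="$1"
  cat > "$out" <<EOF
name: projects/${PROJECT_ID}/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:asia-locations
EOF
  echo "$out"
}

# Apply the policy, then read back the effective policy to confirm what is enforced.
apply_policy() {
  local file
  file="$(write_policy policy.yaml)"
  gcloud org-policies set-policy "$file"
  gcloud org-policies describe gcp.resourceLocations \
    --project="$PROJECT_ID" --effective
}

# A regional disk in europe-north1 must now be rejected with a
# constraints/gcp.resourceLocations violation; one in asia-east2 must succeed.
test_constraint() {
  if gcloud compute disks create disk-eu --project="$PROJECT_ID" \
       --region=europe-north1 --replica-zones=europe-north1-a,europe-north1-b \
       --size=10GB; then
    echo "UNEXPECTED: disk created in a location the policy should block" >&2
    return 1
  fi
  gcloud compute disks create disk-asia --project="$PROJECT_ID" \
    --region=asia-east2 --replica-zones=asia-east2-a,asia-east2-b --size=10GB
}
```

Run apply_policy followed by test_constraint in a project where you hold the roles listed under Required roles; the first disk create fails with the violation message shown above and the second succeeds.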

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

Delete regional persistent disks

Delete the regional persistent disks you created for this quickstart:

  1. In the Google Cloud console, go to the Disks page.

  2. In the list that appears, select both of the disks that you created.

  3. Click Delete.

  4. In the confirmation dialog that appears, click Delete.

A notification dialog appears to confirm the disks were deleted.

Delete the project

Delete the project that you created for this quickstart:

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the list of resources that appears, select the project that you created, then click Delete.

  3. On the Shut down project dialog that appears, enter the project ID, and then click Shut down anyway.

What's next