Optimizing GCP Resource Management with Custom Constraints: A Comprehensive Guide

Organization policies on the Google Cloud Platform (GCP) streamline resource management, with “Constraints” for standard policies and “Custom Constraints” for tailored policy enforcement. This guide focuses on using “Custom Constraints” for label and machine type restrictions on Compute Engine VM resources, enhancing security and cost efficiency.

If uploading the constraint YAML file with the gcloud command fails, the API request form linked below can be used instead; it requires the same GCP permissions.

To utilize “Custom Constraints,” the “Organization Policy Administrator” role at the organization level is required. The YAML file for a “Custom Constraint” includes specific fields:

The ORGANIZATION_ID, CONSTRAINT_NAME, RESOURCE_NAME, METHOD_TYPES, CONDITION, ACTION_TYPE, DISPLAY_NAME, and DESCRIPTION fields must be filled in for each constraint according to your requirements.

This guide covers two conditions for VMs: “resource.labels” for labels and “resource.machineType” for machine types.

For example, to restrict VM creation to the n2 and n2d series, a policy might be:

Another policy to limit high RAM capacity VMs might look like:

Labels, as key-value pairs, help organize resources. One scenario might require an ‘environment’ label for VMs:

Another could enforce a ‘prod’ label for production resources:

To enforce a custom constraint at the organization level, a policy YAML file that references the constraint is created and applied with a gcloud command. Project-level enforcement follows the same process, and policies typically take effect within 15 minutes.
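As an added illustration (not taken from the original post), the three files below show the shape of a custom constraint that allows only n2 and n2d machine types, a second constraint that requires an "environment" label, and the organization policy that turns the first constraint on. ORG_ID_PLACEHOLDER stands in for a real organization ID, and the constraint names and CEL condition expressions are my own choices rather than anything the post prescribes.

```yaml
# Added example, not code from the original post. ORG_ID_PLACEHOLDER must be
# replaced with the real organization ID; names and conditions are assumptions.

# --- File 1: custom constraint limiting VM series, uploaded with
#   gcloud org-policies set-custom-constraint allowed-vm-series.yaml
name: organizations/ORG_ID_PLACEHOLDER/customConstraints/custom.allowedVmSeries
resourceTypes:
- compute.googleapis.com/Instance
methodTypes:
- CREATE
- UPDATE
# resource.machineType is a path ending in machineTypes/<name>; the regex
# accepts only names beginning with "n2-" or "n2d-", so n2-highmem-* is still
# allowed here and would need a separate DENY constraint on "-highmem-".
condition: "resource.machineType.matches('.*/machineTypes/n2d?-.*')"
actionType: ALLOW
displayName: Allowed VM series
description: Only n2 and n2d machine types may be created or resized.
---
# --- File 2: custom constraint requiring an "environment" label on every VM
name: organizations/ORG_ID_PLACEHOLDER/customConstraints/custom.requireEnvLabel
resourceTypes:
- compute.googleapis.com/Instance
methodTypes:
- CREATE
# A request without the label key is rejected; the label value is not checked.
condition: "'environment' in resource.labels"
actionType: ALLOW
displayName: Require environment label
description: Every Compute Engine VM must carry an environment label.
---
# --- File 3: organization policy enforcing File 1, applied with
#   gcloud org-policies set-policy enforce-allowed-vm-series.yaml
# Nothing is blocked until this policy exists; the constraint alone is inert.
name: organizations/ORG_ID_PLACEHOLDER/policies/custom.allowedVmSeries
spec:
  rules:
  - enforce: true
```

Each YAML document goes in its own file because the gcloud commands accept one constraint or one policy per file; to enforce at project level, replace the `organizations/...` prefix in File 3 with `projects/PROJECT_ID_PLACEHOLDER`.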

In conclusion, this guide highlights the effective management of GCP resources using “Custom Constraints,” focusing on label and machine type restrictions for Compute Engine VMs. This approach aids in cost management and security enhancement, offering control and customization over GCP resource usage.

For further information or professional assistance in managing Google Cloud Platform resources, we invite you to contact Oredata. We are committed to providing advanced cloud solutions that cater to your business needs. 

Author: Salih Furkan Demirer, Cloud DevOps Engineer at Oredata
