Unable to create an org policy to deny the creation of all external load balancers

I want to create an org policy to deny the creation of all external load balancers:

I am referring to the following documentation:

https://cloud.google.com/load-balancing/docs/org-policy-constraints

  • Deny all external load balancers

    {
      "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
      "listPolicy": {
        "deniedValues": [
          "in:EXTERNAL"
        ]
      }
    }

The following is my workflow:

  1. Created the following org policy in my project: constraints/compute.restrictLoadBalancerCreationForTypes using the instructions in the following: https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-policies#boolean_constraints

  2. When I try to create a load balancer, I get the following, which is expected:

Constraint constraints/compute.restrictLoadBalancerCreationForTypes violated for projects/org-policy-12345. Forwarding Rule projects/xxxxxx/global/forwardingRules/frontend-5 of type GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS is not allowed.

But now I want to update this org policy to only deny creation of external load balancers:

  1. In the “Organization Policies” page in the Google Cloud Console, I selected the constraint constraints/compute.restrictLoadBalancerCreationForTypes from the list and clicked Manage Policy.

  2. I then went to Add a rule > Add condition > Condition Editor, and entered the following, but I get an error:

What am I missing in my understanding, please?

Can someone please help with this?

Thank you for your time!

Hi @mountaincode2 ,

Welcome to Google Cloud Community!

Based on the document you provided, the first step is to create a policy file, using the JSON configuration sample, according to your requirement.

To create a Policy file here is the guide:

  1. Open the Cloud Shell terminal, then click Open Editor.

  2. Add a new file with the .json extension.

  3. In the file, paste the configuration from the document.

  4. Then, follow step 2 of the guide in the documentation.

I hope the above information is helpful.

Hi @kensan

Thank you for your response.

I wanted to customize my org policy constraints/compute.restrictLoadBalancerCreationForTypes using the console.

I was doing the following, which was not working:

Under Manage Policy, I then went to Add a rule > Add condition > Condition Editor. I then added the condition that I added in my query.

In order to disallow the creation of only external load balancers, I had to do the following, and it worked:

Under Manage Policy, go to “Edit rule”:

  • In Policy values dropdown, select Custom.

  • In Policy type dropdown, select Deny.

  • In Add value, enter in:External.

  • Click Done.

With this, I was able to create internal load balancers and not external load balancers.
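The behaviour the thread ends with (a deny rule of in:EXTERNAL blocking the external forwarding rule from the question while internal ones still succeed), modelled as an added Python example that is not part of this thread or of Google's policy engine; the "in:" prefix matching and the illustrative type names other than the one quoted in the question are assumptions:

```python
# Constructed sample of forwarding-rule types for this constraint.
# GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS is the type denied in the thread; the
# other names are illustrative and only follow the same INTERNAL/EXTERNAL pattern.
SAMPLE_LB_TYPES = [
    "GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS",
    "EXTERNAL_NETWORK_TCP_UDP",
    "INTERNAL_TCP_UDP",
    "INTERNAL_HTTP_HTTPS",
]

# The policy from the question, as a Python dict (unchanged from the thread).
DENY_EXTERNAL_POLICY = {
    "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
    "listPolicy": {"deniedValues": ["in:EXTERNAL"]},
}


def value_matches(value, lb_type):
    """Simplified model (assumption) of one list entry: a bare name matches
    that exact type; an 'in:' prefix matches every type in that scope, so
    'in:EXTERNAL' covers all external types. Case-insensitive, like in:External."""
    if value.lower().startswith("in:"):
        return value[3:].upper() in lb_type.upper().split("_")
    return value.upper() == lb_type.upper()


def is_creation_denied(policy, lb_type):
    """True if creating a forwarding rule of lb_type violates the policy:
    deniedValues denies what is listed, allowedValues permits only what is listed."""
    lp = policy.get("listPolicy", {})
    if "allowedValues" in lp:
        return not any(value_matches(v, lb_type) for v in lp["allowedValues"])
    return any(value_matches(v, lb_type) for v in lp.get("deniedValues", []))


def violation_message(policy, project, rule_name, lb_type):
    """A message shaped like the error quoted in the question (one project id
    used for both paths, a simplification), or None when the rule is allowed."""
    if not is_creation_denied(policy, lb_type):
        return None
    return (f"Constraint {policy['constraint']} violated for projects/{project}. "
            f"Forwarding Rule projects/{project}/global/forwardingRules/{rule_name} "
            f"of type {lb_type} is not allowed.")


if __name__ == "__main__":
    for t in SAMPLE_LB_TYPES:
        print(t, "->", "DENIED" if is_creation_denied(DENY_EXTERNAL_POLICY, t) else "allowed")
```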