Scoped Organizational Policy Constraints Administration

21 Jul, 2022
Xebia Background Header Wave

You need organization level permission to configure GCP resource constraints. Gladly, you can scope these permissions to your workload context by using Resource Tags and IAM conditions. Let’s show you how to do so.

Organization Policy Constraints

IAM only restricts the allowed actions. It does not restrict you from deploying resources with specific attributes such as non-shielded VM’s or external IP addresses. These restrictions are configured with Organization Policy Constraints.

You need the Organization Policy Admin role to configure resource constraints. Sadly, this permission is granted at the Organization-level. As a result, you either have the permission to manage all resource constraints or none at all.

You can use IAM conditions to scope IAM permissions to certain resources. In this case, we scope the Organization Policy Admin role to resources tagged with a certain key.

Scoped Organization Policy Admin

In this example, a workload CI/CD service account is granted permissions to configure resource constraints on Folders and Projects tagged with the org-policy-scope/my-scope-tag value. As a result, the workload team is able to configure resource constraints on their projects, without the risk of configuring resource constraints on other projects.

See the sources on GitHub.

The infrastructure is configured with the next steps:

  1. Define Resource Tags
  2. Bind Resource Tags
  3. Assign Conditional IAM Permissions
  4. Configure Organization Policy Constraints

Remark Step 1, 2 and 3 require Organizational IAM policy permissions.

1. Define Resource Tags

Define the org-policy-scope-resource tag key and the my-scope-value as scope.

resource "google_tags_tag_key" "org_policy_scope" {
  parent =

  short_name  = "org-policy-scope"
  description = "Scoping tag for organization policy constraint management."

resource "google_tags_tag_value" "org_policy_scope_my_scope" {
  parent      =
  short_name  = "my-scope"
  description = "Org policy scope (my-scope) tag."

2. Bind Resource Tags

Bind the org-policy-scope/my-scope-resource tag to applicable resources.

resource "google_project" "example" {
  project_id = "org-pol-admin-example"
  name       = "org-pol-admin-example"

resource "google_tags_tag_binding" "scope_my_scope_allow_project_example" {
  tag_value =
  parent    = "//${google_project.example.number}"

3. Assign Conditional IAM Permissions

Conditionally assign the Organizationl Policy Administrator-role to the CI/CD service account.

resource "google_organization_iam_member" "cicd_org_policy_admin_scope_my_scope" {
  org_id =
  role   = "roles/orgpolicy.policyAdmin"
  member = "serviceAccount:${}"

  condition {
    title = "my-scope"
    expression = "resource.matchTagId('${}', '${}')"

4. Configure Organization Policy Constraints

Finally, deploy your resource constraints using the CI/CD service account.

resource "google_org_policy_policy" "scope_my_scope_require_shielded_vm" {
  parent =
  name   = "${}/policies/compute.requireShieldedVm"

  spec {
    inherit_from_parent = false

    rules {
      enforce = "TRUE"

  timeouts {
    create = "1m"

Remark A timeout will occur when you try to create a resource constraint on an out-of-scope resource. The timeout occurs, because the Terraform provider tries to read the current configuration, but isn’t allowed to do so.


Organization Policy Constraints are a valuable addition to IAM permissions. By using IAM Conditions and Resource Tags you can scope the ORganization Policy Admin permissions. As a result you can enable workload teams to leverage resource constraints.

Image by MasterTux from Pixabay

Laurens Knoll
As a cloud consultant I enjoy taking software engineering practices to the cloud. Continuously improving the customers systems, tools and processes by focusing on integration and quality.

Get in touch with us to learn more about the subject and related solutions

Explore related posts