red888

Reputation: 31652

Why did I have to "replace" instead of merge the org constraints/compute.vmExternalIpAccess for the override to work?

Docs I saw don't mention merge vs replace: https://cloud.google.com/compute/docs/ip-addresses/configure-static-external-ip-address#setorgpolicy

I'm trying to override the org policy in a project and only allow a public IP for one server:

resource "google_project_organization_policy" "compute_vmExternalIpAccess" {
  project    = "myproject"
  constraint = "constraints/compute.vmExternalIpAccess"
  list_policy {
    inherit_from_parent = true # this doesn't work
    allow {
      values = [
        google_compute_instance.myserver.id
      ]
    }
  }
}

After doing this I still got an error when trying to apply a public IP to the instance.

It was only after I "replaced" instead of merged (making inherit_from_parent false) that it worked.

I was expecting it to inherit the deny all from the parent and I would override with just my exception. The parent has deny all, but what would have happened if the parent had its own allow list of specific VMs?

Upvotes: 0

Views: 26
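For reference, here is a complete project-level "replace" policy of the kind the question describes, paired with the instance it is meant to exempt. This is an added example, not code from the question or from Google's documentation; the project ID, zone, instance name, machine type and image are placeholders. It differs from the posted snippet in two ways: inherit_from_parent is false, so the project's effective policy is exactly this allow list rather than a merge with the parent's deny, and the allowed value is written as a literal resource path instead of google_compute_instance.myserver.id so that Terraform can create the policy before it tries to create the instance with an external IP (a policy that references an instance attribute cannot exist until that instance does, which is also what Terraform's dependency graph would enforce).

```terraform
# Added example (not from the question above): a project-level "replace" policy
# that allows an external IP only on one named VM. The project ID, zone and
# instance name are placeholders; adjust them for your environment.

locals {
  project = "myproject"
  zone    = "us-central1-a"
  vm_name = "myserver"
}

# Project-level override. inherit_from_parent = false makes this a "replace"
# policy: the project's effective policy is exactly this allow list, regardless
# of what the parent folder/organization policy denies. Values for
# compute.vmExternalIpAccess must be the full instance resource path, which is
# the same string google_compute_instance.<name>.id resolves to.
resource "google_project_organization_policy" "compute_vmExternalIpAccess" {
  project    = local.project
  constraint = "constraints/compute.vmExternalIpAccess"

  list_policy {
    inherit_from_parent = false
    allow {
      values = [
        "projects/${local.project}/zones/${local.zone}/instances/${local.vm_name}",
      ]
    }
  }
}

# The VM that receives the public IP. The policy above uses a literal path
# rather than google_compute_instance.myserver.id so the policy can be created
# first; depends_on makes that ordering explicit.
resource "google_compute_instance" "myserver" {
  project      = local.project
  name         = local.vm_name
  zone         = local.zone
  machine_type = "e2-small"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
    # An empty access_config block requests an ephemeral external IP. This is
    # the step the constraint rejects for any VM that is not on the allow list.
    access_config {}
  }

  depends_on = [google_project_organization_policy.compute_vmExternalIpAccess]
}
```

After applying, the effective policy the project actually evaluates (after inheritance is resolved) can be inspected with `gcloud resource-manager org-policies describe compute.vmExternalIpAccess --project=myproject --effective`; with the replace policy in place it should list only the one instance path, with no trace of the parent's deny-all.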

Answers (0)
