Organization Policies
Organization Policies provide centralized, hierarchical controls that apply regardless of IAM permissions. They are your strongest guardrail for preventing resource deletion across your entire GCP organization.
Organization Policy Service Overview
The Organization Policy Service lets you define constraints on how resources can be configured across your GCP hierarchy. Unlike IAM (which controls who can do what), Organization Policies control what can be done at all:
| Feature | IAM | Organization Policy |
|---|---|---|
| Scope | Per-member (who) | Per-resource hierarchy (what) |
| Granularity | Individual permissions | Constraint-based rules |
| Inheritance | Additive (more roles = more access) | Hierarchical (parent policies cascade down) |
| Override | Deny policies override allow | Child can inherit, merge, or replace parent |
| Best for | Controlling identity permissions | Enforcing organizational standards |
Built-in Constraints for Resource Protection
GCP provides several built-in constraints relevant to preventing resource destruction:
```bash
# List all available (predefined) constraints
gcloud org-policies list-available-constraints \
  --organization=123456789

# Key constraints for resource protection:
#   constraints/compute.restrictXpnProjectLienRemoval
#     - Prevents removing project liens on Shared VPC hosts
#   constraints/iam.disableServiceAccountKeyCreation
#     - Prevents creating SA keys (forces Workload Identity Federation)
#   constraints/gcp.restrictServiceUsage
#     - Restricts which GCP services can be used
#   constraints/compute.requireShieldedVm
#     - Requires Shielded VM for all instances
```
Custom Organization Policy Constraints
For AI agent guardrails, custom constraints let you define exactly which operations to block. A custom constraint names the resource types and method types (CREATE, UPDATE, DELETE) it applies to, plus a condition written in Common Expression Language (CEL); with actionType: DENY, a matching request is rejected whenever the condition evaluates to true. Not every resource type supports every method type, so check Google's list of services supported by custom constraints before relying on a DELETE rule like the one below:
```yaml
# custom-constraint-no-project-delete.yaml
name: organizations/123456789/customConstraints/custom.preventProjectDeletion
resourceTypes:
- cloudresourcemanager.googleapis.com/Project
methodTypes:
- DELETE
condition: "true"
actionType: DENY
displayName: "Prevent project deletion"
description: "Blocks all project deletion requests across the organization"
```
```bash
# Create the custom constraint
gcloud org-policies set-custom-constraint \
  custom-constraint-no-project-delete.yaml

# Create a policy that enforces it (a constraint does nothing until a policy enforces it)
gcloud org-policies set-policy policy-enforce-no-project-delete.yaml
```
```yaml
# policy-enforce-no-project-delete.yaml
name: organizations/123456789/policies/custom.preventProjectDeletion
spec:
  rules:
  - enforce: true
```
Custom Constraints for Key GCP Services
Create custom constraints to prevent deletion of critical resource types:
```yaml
# custom-constraint-no-compute-instance-delete.yaml
name: organizations/123456789/customConstraints/custom.preventComputeInstanceDeletion
resourceTypes:
- compute.googleapis.com/Instance
methodTypes:
- DELETE
condition: "true"
actionType: DENY
displayName: "Prevent Compute Engine instance deletion"
description: "Blocks all Compute Engine instance deletion requests"
```

```yaml
# custom-constraint-no-cloudsql-delete.yaml
name: organizations/123456789/customConstraints/custom.preventCloudSQLDeletion
resourceTypes:
- sqladmin.googleapis.com/Instance
methodTypes:
- DELETE
condition: "true"
actionType: DENY
displayName: "Prevent Cloud SQL instance deletion"
description: "Blocks all Cloud SQL instance deletion requests"
```

```yaml
# custom-constraint-no-gke-cluster-delete.yaml
name: organizations/123456789/customConstraints/custom.preventGKEClusterDeletion
resourceTypes:
- container.googleapis.com/Cluster
methodTypes:
- DELETE
condition: "true"
actionType: DENY
displayName: "Prevent GKE cluster deletion"
description: "Blocks all GKE cluster deletion requests"
```

Each constraint still needs a policy with enforce: true at the organization, folder or project level before it takes effect.
Tag-Based Policies for Resource Protection
Instead of blanket denials, use tags to selectively protect resources. This allows agents to delete dev resources but not production ones:
```bash
# Create a tag key for protection level
gcloud resource-manager tags keys create protection-level \
  --parent=organizations/123456789 \
  --description="Resource protection level"

# Create tag values (the parent is the namespaced key: ORG_ID/KEY_SHORT_NAME)
gcloud resource-manager tags values create critical \
  --parent=123456789/protection-level \
  --description="Critical resource - cannot be deleted"
gcloud resource-manager tags values create standard \
  --parent=123456789/protection-level \
  --description="Standard resource - normal deletion rules"

# Bind the tag to a critical project (here: the project number of prod-web-app).
# The binding parent takes the project NUMBER, not the project ID, and
# --location is only needed for regional or zonal resources, not for projects.
gcloud resource-manager tags bindings create \
  --tag-value=123456789/protection-level/critical \
  --parent=//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER
```
The tag condition belongs in the policy, not in the custom constraint. A custom constraint's condition is written against the attributes of the resource being changed, whereas resource.matchTag is a feature of Organization Policy rules and is evaluated against the tags attached to, or inherited by, the project, folder or organization in the hierarchy (which is why the tag above was bound to the project). The constraint therefore stays unconditional, and the policy enforces it only where the tag matches:

```yaml
# custom-constraint-prevent-critical-deletion.yaml
name: organizations/123456789/customConstraints/custom.preventCriticalDeletion
resourceTypes:
- compute.googleapis.com/Instance
methodTypes:
- DELETE
condition: "true"
actionType: DENY
displayName: "Prevent critical resource deletion"
description: "Blocks deletion of Compute Engine instances in projects tagged as critical"
```

```yaml
# policy-enforce-critical-deletion.yaml
# Enforce only where protection-level=critical; anything else falls through
# to the second, unconditional rule and is not enforced.
name: organizations/123456789/policies/custom.preventCriticalDeletion
spec:
  rules:
  - condition:
      expression: "resource.matchTag('123456789/protection-level', 'critical')"
    enforce: true
  - enforce: false
```
Policy Inheritance and Overrides
Organization policies follow a hierarchical inheritance model:
Default Inheritance
Policies set at the organization level apply to all folders and projects below. A folder inherits from its parent organization, and a project inherits from its parent folder.
Merge Behavior
Merging applies to list constraints such as gcp.restrictServiceUsage: a child policy with inheritFromParent: true combines its allowed and denied values with the parent's. Boolean constraints, which include every custom constraint, do not merge; the policy set closest to the resource is the effective one. Separate constraints never interact with each other: a parent policy that denies project deletion and a child policy that denies VM deletion are independent policies, and both apply.
Override (Reset)
A child resource can replace an inherited policy. For list constraints this is done by setting inheritFromParent: false, which makes the child the new root for evaluation. For boolean constraints, including all custom constraints, the child simply sets its own policy (for example enforce: false) and that becomes the effective policy for everything below it. Use this sparingly, typically only for development environments that need fewer restrictions.
Enforcement Priority
Evaluation walks Organization → Folder → Project, and the policy set closest to the resource is the one in force. There is no "most restrictive wins" rule: a folder-level override genuinely removes the guardrail for every project under that folder, so control over who can set policies matters as much as the policies themselves.
```yaml
# policy-dev-folder-allow-project-delete.yaml
# Allow deletion in the dev folder only. A custom (boolean) constraint does not
# merge, so this folder-level policy replaces the inherited org policy outright;
# inheritFromParent only applies to list constraints and is not set here.
name: folders/987654321/policies/custom.preventProjectDeletion
spec:
  rules:
  - enforce: false
```
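The combination of a tag-conditioned rule at the organization and a folder-level override is easy to misjudge, so the following is an offline model of how the effective policy for one boolean (custom) constraint is resolved. It is an added example written for this page, not Google's evaluator: it assumes the semantics described above (the policy closest to the resource wins, rules are tried in order, and resource.matchTag is modeled as a lookup against the tags bound to or inherited by the resource's project), and the hierarchy, tag key, project names and policies are constructed for the example.

```python
"""Offline model of Organization Policy resolution for a boolean (custom)
constraint. Constructed example for this page, not Google's evaluator; the
hierarchy, tag key, projects and policies below are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    enforce: bool
    # Stand-in for condition.expression "resource.matchTag('ORG_ID/key', 'value')";
    # None means an unconditional rule.
    match_tag: Optional[tuple] = None


@dataclass
class Policy:
    rules: list


def effective_policy(chain, policies):
    """chain: resource names from the org down to the resource's project.
    policies: {resource_name: Policy} for a single constraint.
    Returns (node that set the effective policy, Policy), or (None, None) if unset.
    Boolean constraints do not merge: a lower policy replaces the inherited one."""
    found = (None, None)
    for node in chain:
        if node in policies:
            found = (node, policies[node])
    return found


def is_enforced(chain, policies, resource_tags):
    """resource_tags: namespaced tag key -> value bound to (or inherited by) the
    resource's project. The first rule whose condition matches decides; no policy
    anywhere in the chain means the constraint is not enforced."""
    _, policy = effective_policy(chain, policies)
    if policy is None:
        return False
    for rule in policy.rules:
        if rule.match_tag is None:
            return rule.enforce
        key, value = rule.match_tag
        if resource_tags.get(key) == value:
            return rule.enforce
    return False


def overridden_below(org, chains, policies):
    """Projects whose effective policy was NOT set at the org: the places where the
    org-wide guardrail has been replaced and should be reviewed one by one."""
    return [chain[-1] for chain in chains
            if effective_policy(chain, policies)[0] not in (None, org)]


# --- constructed hierarchy and policies for custom.preventCriticalDeletion ---
ORG = "organizations/123456789"
PROD = [ORG, "folders/111111111", "projects/prod-web-app"]
DEV = [ORG, "folders/987654321", "projects/dev-sandbox"]
TAG = "123456789/protection-level"

POLICIES = {
    # org: deny deletion only where the project carries protection-level=critical
    ORG: Policy([Rule(enforce=True, match_tag=(TAG, "critical")), Rule(enforce=False)]),
    # dev folder override (the example from the section above): enforcement off
    "folders/987654321": Policy([Rule(enforce=False)]),
}


def agent_may_delete(chain, resource_tags):
    """True if nothing in the chain enforces the deletion ban for this resource."""
    return not is_enforced(chain, POLICIES, resource_tags)


if __name__ == "__main__":
    print(agent_may_delete(PROD, {TAG: "critical"}))    # False: protected
    print(agent_may_delete(PROD, {TAG: "standard"}))    # True
    print(agent_may_delete(DEV, {TAG: "critical"}))     # True: folder override wins
    print(overridden_below(ORG, [PROD, DEV], POLICIES)) # ['projects/dev-sandbox']
```

The third case is the one to notice: a critical tag on a dev project is meaningless once the dev folder has set its own policy, because the folder policy replaces the org policy rather than merging with it. The real answer for any resource is `gcloud org-policies describe CONSTRAINT --project=PROJECT --effective`; the model only helps reason about what that command should return.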
Never grant agent identities the orgpolicy.policy.set permission, which would allow them to modify or override organization policies.
Essential Security Foundations Blueprint
Google's Security Foundations Blueprint provides a reference architecture for secure GCP deployments. Key recommendations for AI agent guardrails:
- Separate projects per environment: Production, staging, and development in different projects under different folders
- Centralized logging: Aggregate all audit logs in a dedicated logging project
- Shared VPC: Centralize networking to prevent agents from modifying network configuration
- Resource hierarchy: Use folders to group projects by environment, with progressively stricter policies for production
- Break-glass procedures: Document and test emergency access procedures for when legitimate deletions are needed
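Centralized audit logs are what make the override path in the previous section detectable: any change to an organization policy is an Admin Activity audit log entry, so a small filter over the exported logs can alert when a principal outside the approved set touches a policy. The following is an added example for this page, not code from the blueprint or from Google. It assumes the standard Admin Activity entry shape (protoPayload.serviceName, methodName, authenticationInfo.principalEmail, resourceName, status) and assumes the Org Policy v2 method names shown; confirm both against your own logs before wiring it to an alert. The approved principal and every log line are constructed.

```python
"""Flag Organization Policy writes by unapproved principals in exported Cloud
Audit Logs. Added example; the method names are assumed (Org Policy API v2) and
the log lines are constructed."""
import json

ORG_POLICY_SERVICE = "orgpolicy.googleapis.com"
POLICY_WRITE_METHODS = {  # assumed v2 methodName values that change a policy
    "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy",
    "google.cloud.orgpolicy.v2.OrgPolicy.UpdatePolicy",
    "google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy",
}
# Hypothetical platform/break-glass identity allowed to change policies.
APPROVED_PRINCIPALS = {"org-policy-admin@example.com"}


def policy_change_alerts(log_lines, approved=APPROVED_PRINCIPALS):
    """One alert per policy-changing call made by a principal outside `approved`.
    Denied attempts (status.code != 0) are reported too: an agent trying to
    remove a guardrail is worth knowing about even when IAM stopped it."""
    alerts = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != ORG_POLICY_SERVICE:
            continue
        if payload.get("methodName") not in POLICY_WRITE_METHODS:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        if principal in approved:
            continue
        alerts.append({
            "time": entry.get("timestamp"),
            "principal": principal,
            "method": payload["methodName"].rsplit(".", 1)[-1],
            "policy": payload.get("resourceName"),
            "succeeded": payload.get("status", {}).get("code", 0) == 0,
        })
    return alerts


AGENT = "agent-sa@prod-web-app.iam.gserviceaccount.com"  # constructed agent identity

# Constructed Admin Activity entries, one JSON document per line as exported to a sink.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"timestamp": "2024-05-01T10:00:00Z", "protoPayload": {
        "serviceName": ORG_POLICY_SERVICE,
        "methodName": "google.cloud.orgpolicy.v2.OrgPolicy.UpdatePolicy",
        "authenticationInfo": {"principalEmail": "org-policy-admin@example.com"},
        "resourceName": "organizations/123456789/policies/custom.preventProjectDeletion"}},
    {"timestamp": "2024-05-01T10:05:00Z", "protoPayload": {
        "serviceName": ORG_POLICY_SERVICE,
        "methodName": "google.cloud.orgpolicy.v2.OrgPolicy.UpdatePolicy",
        "authenticationInfo": {"principalEmail": AGENT},
        "resourceName": "folders/987654321/policies/custom.preventProjectDeletion"}},
    {"timestamp": "2024-05-01T10:06:00Z", "protoPayload": {   # guardrail working, not a policy write
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.delete",
        "authenticationInfo": {"principalEmail": AGENT},
        "resourceName": "projects/prod-web-app/zones/us-central1-a/instances/web-1",
        "status": {"code": 7, "message": "PERMISSION_DENIED"}}},
    {"timestamp": "2024-05-01T10:07:00Z", "protoPayload": {   # denied attempt, still alerted
        "serviceName": ORG_POLICY_SERVICE,
        "methodName": "google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy",
        "authenticationInfo": {"principalEmail": AGENT},
        "resourceName": "organizations/123456789/policies/custom.preventProjectDeletion",
        "status": {"code": 7, "message": "PERMISSION_DENIED"}}},
]]

if __name__ == "__main__":
    for alert in policy_change_alerts(SAMPLE_LOG):
        print(alert)
```

The second alert is the important one in practice: a successful UpdatePolicy on a folder by an agent identity means the guardrail below that folder is gone, and the compute deletion that was denied a minute earlier would succeed on the next attempt.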
Terraform: Organization Policies
```hcl
variable "org_id" {
  description = "Numeric organization ID, e.g. 123456789"
  type        = string
}

# Custom constraint to prevent project deletion
resource "google_org_policy_custom_constraint" "prevent_project_delete" {
  name           = "custom.preventProjectDeletion"
  parent         = "organizations/${var.org_id}"
  display_name   = "Prevent Project Deletion"
  description    = "Blocks project deletion across the organization"
  action_type    = "DENY"
  condition      = "true"
  method_types   = ["DELETE"]
  resource_types = ["cloudresourcemanager.googleapis.com/Project"]
}

# Enforce the constraint at the organization level. Referencing the constraint
# resource in the name makes Terraform create the constraint before the policy.
resource "google_org_policy_policy" "enforce_no_project_delete" {
  name   = "organizations/${var.org_id}/policies/${google_org_policy_custom_constraint.prevent_project_delete.name}"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# Disable SA key creation (force Workload Identity Federation)
resource "google_org_policy_policy" "disable_sa_key_creation" {
  name   = "organizations/${var.org_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```
Lilly Tech Systems