Test organization policy changes with Policy Simulator

Policy Simulator for Organization Policy lets you preview the impact of a new custom constraint or organization policy that enforces a custom or managed constraint before it is enforced on your production environment. Policy Simulator provides a list of resources that violate the proposed policy before it is enforced, allowing you to reconfigure those resources, request exceptions, or change the scope of your organization policy, all without disrupting your developers or bringing down your environment.

This page describes how to test a change to an organization policy using Policy Simulator. It also explains how to interpret the results of the simulation and how to apply the tested organization policy if you so choose.

Before you begin

  • If you are using the Google Cloud CLI, set the project you want to use for making API calls:

    gcloud config set project PROJECT_ID

    Replace PROJECT_ID with the name or ID of the project.

  • Enable the Policy Simulator and Resource Manager APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  • Optional: Get an introduction to the Organization Policy Service.

Required roles

To get the permissions that you need to run and access simulations, ask your administrator to grant you the OrgPolicy Simulator Admin (roles/policysimulator.orgPolicyAdmin) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to run and access simulations. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to run and access simulations:

  • orgpolicy.constraints.list
  • orgpolicy.customConstraints.get
  • orgpolicy.policies.list
  • cloudasset.assets.searchAllResources
  • cloudasset.assets.listResource
  • cloudasset.assets.listOrgPolicy
  • policysimulator.orgPolicyViolationsPreviews.list
  • policysimulator.orgPolicyViolationsPreviews.get
  • policysimulator.orgPolicyViolationsPreviews.create
  • policysimulator.orgPolicyViolations.list

You might also be able to get these permissions with custom roles or other predefined roles.

Test a policy change

You can test a change to a custom constraint, an organization policy that enforces a custom or managed constraint, or both at the same time.

Note: Policy Simulator cannot test changes to legacy managed constraints.

Test a change to a custom constraint

Console

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. From the organization selector, select your organization resource.

  3. Do one of the following:

    • To test a new custom constraint, click Custom constraint.

    • To make changes to an existing custom constraint, select it from the list on the Organization policies page, and then click Edit constraint.

  4. Create or update the custom constraint you want to test.

    1. In the Display name box, enter a human-friendly name for the constraint. This field has a maximum length of 200 characters. Don't use PII or sensitive data in display names, because it could be exposed in error messages.

    2. In the Constraint ID box, enter the name you want for your new custom constraint. A custom constraint must start with custom., and can only include uppercase letters, lowercase letters, or numbers, for example, custom.disableGkeAutoUpgrade. The maximum length of this field is 70 characters, not counting the prefix, for example, organizations/123456789/customConstraints/custom.. Don't include PII or sensitive data in your constraint ID, because it could be exposed in error messages.

      The constraint ID can't be changed after a custom constraint is created.

    3. In the Description box, enter a human-friendly description of the constraint to display as an error message when the policy is violated. This field has a maximum length of 2000 characters. Don't include PII or sensitive data in your description, because it could be exposed in error messages.

    4. In the Resource type box, select the name of the Google Cloud REST resource containing the object and field you want to restrict, for example, container.googleapis.com/NodePool. Most resource types can have a maximum of 20 custom constraints per resource. If you try to create a custom constraint for a resource that already has the maximum number of custom constraints, the operation fails.

    5. In the Enforcement method section, select whether to enforce the constraint on a REST CREATE method, or on both CREATE and UPDATE methods. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.

    6. To define a condition, click Edit condition.

    7. In the Add condition panel, create a CEL condition that refers to a supported service resource, for example resource.management.autoUpgrade == false. This field has a maximum length of 1000 characters. For details about CEL usage, see Common Expression Language. For more information about the service resources you can use in your custom constraints, see Custom constraint supported services.

    8. Click Save.

    9. In the Action section, select whether to allow or deny the evaluated method if the condition you wrote is met.

      The deny action means that the operation to create or update the resource is blocked if the condition evaluates to true.

      The allow action means that the operation to create or update the resource is permitted only if the condition evaluates to true. Every other case except ones explicitly listed in the condition is blocked.

  5. Click Test constraint.

  6. If this is a new constraint, then the Configure organization policy pane appears. To define an organization policy that enforces the custom constraint, do the following:

    1. In the Select scope box, select the resource for which you want to test the custom constraint.

    2. Click Override parents' policy.

    3. Click Add a rule.

    4. In the Enforcement section, select On.

    5. Optionally, to make the organization policy conditional on a tag, click Add condition. If you add a conditional rule to an organization policy, you must add at least one unconditional rule or the policy cannot be saved. For more details, see Setting an organization policy with tags.

    6. Click Done, and then click Continue.

The Simulation history page appears, with a list of simulations performed by you in the last 14 days. See Policy Simulator results on this page for more information.

gcloud

  1. To test enforcing a new or updated custom constraint, create a JSON or YAML file that defines the custom constraint you want to test.

    If you want to test changes to an existing custom constraint, you can use the organizations.customConstraints.get gcloud CLI command to retrieve the current JSON or YAML representation of the custom constraint, and then make edits to that file.

    A YAML file that defines a custom constraint looks similar to the following:

    name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME
    resourceTypes:
    - RESOURCE_NAME
    methodTypes:
    - METHOD1
    - METHOD2
    condition: "CONDITION"
    actionType: ACTION
    displayName: DISPLAY_NAME
    description: DESCRIPTION

    Replace the following:

    • ORGANIZATION_ID: your organization ID, such as 123456789.

    • CONSTRAINT_NAME: the name you want for your new custom constraint. A custom constraint must start with custom., and can only include uppercase letters, lowercase letters, or numbers, for example, custom.disableGkeAutoUpgrade. The maximum length of this field is 70 characters, not counting the prefix, for example, organizations/123456789/customConstraints/custom..

    • RESOURCE_NAME: the fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, container.googleapis.com/NodePool. Most resource types can have a maximum of 20 custom constraints per resource. If you try to create a custom constraint for a resource that already has the maximum number of custom constraints, the operation fails. For more information about the service resources you can use in your custom constraints, see Custom constraint supported services.

    • METHOD1, METHOD2: a list of RESTful methods for which to enforce the constraint. Can be CREATE or CREATE and UPDATE. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in Supported services.

    • CONDITION: a CEL condition that refers to a supported service resource, for example "resource.management.autoUpgrade == false". This field has a maximum length of 1000 characters. For details about CEL usage, see Common Expression Language.

    • ACTION: the action to take if the condition is met. This can be either ALLOW or DENY.

      • The deny action means that if the condition evaluates to true, the operation to create or update the resource is blocked.

      • The allow action means that if the condition evaluates to true, the operation to create or update the resource is permitted. This also means that every other case except the one explicitly listed in the condition is blocked.

    • DISPLAY_NAME: a human-friendly name for the constraint. This field has a maximum length of 200 characters.

    • DESCRIPTION: a human-friendly description of the constraint to display as an error message when the policy is violated. This field has a maximum length of 2000 characters.

    For more information about how to create custom constraints, see Creating and managing custom constraints.

  2. Create or modify an organization policy that enforces the custom constraint.

    • To test enforcing a new or updated custom constraint, create a JSON or YAML file that defines the organization policy you want to test:

      name: organizations/ORGANIZATION_ID/policies/CONSTRAINT_NAME
      spec:
        rules:
        - enforce: true

      Replace the following:

      • ORGANIZATION_ID with your organization ID, such as 1234567890123.

      • CONSTRAINT_NAME with the name of the custom constraint you want to test. For example, custom.EnforceGKEBinaryAuthz.

    • To test enforcing a custom constraint conditionally based on the existence of a particular tag, create a JSON or YAML file that defines the organization policy:

      name: organizations/ORGANIZATION_ID/policies/CONSTRAINT_NAME
      spec:
        rules:
        - condition:
            expression: CONDITION
          enforce: false
        - enforce: true

      Replace the following:

      • ORGANIZATION_ID with your organization ID, such as 1234567890123.

      • CONSTRAINT_NAME with the name of the custom constraint you want to test. For example, custom.EnforceGKEBinaryAuthz.

      • CONDITION with a CEL condition that refers to a supported service resource, for example "resource.matchTag('env', 'dev')".

      For more information about conditional organization policies, see Setting an organization policy with tags.

    • To test deleting an organization policy that enforces a custom constraint, create a JSON or YAML file that defines the organization policy with no rules set except for inheriting the policy from its parent resource:

      name: organizations/ORGANIZATION_ID/policies/CONSTRAINT_NAME
      spec:
        inheritFromParent: true

      Replace the following:

      • ORGANIZATION_ID with your organization ID, such as 1234567890123.

      • CONSTRAINT_NAME with the name of the custom constraint you want to test. For example, custom.EnforceGKEBinaryAuthz.

  3. To simulate the change to a custom constraint, organization policy, or both, run the policy-intelligence simulate orgpolicy command:

    gcloud policy-intelligence simulate orgpolicy \
      --organization=ORGANIZATION_ID \
      --custom-constraints=CONSTRAINT_PATH \
      --policies=POLICY_PATH

    Replace the following:

    • ORGANIZATION_ID: your organization ID, such as 1234567890123. Simulating changes over multiple organizations is not supported.

    • CONSTRAINT_PATH: the full path to the custom constraint that you have created or updated. For example, tmp/constraint.yaml. If you set the --policies flag, you don't need to set the --custom-constraints flag.

    • POLICY_PATH: the full path to the organization policy you have created or updated. For example, tmp/policy.yaml. If you set the --custom-constraints flag, you don't need to set the --policies flag.

After several minutes, the command prints a list of resources that would violate the changes to the custom constraint, the organization policy, or both.

Results are also viewable on the Simulation history page of the Google Cloud console. See Policy Simulator results on this page to learn how to read the results.
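The three gcloud steps above (write the constraint file, write the policy file, run the simulation) are easy to get subtly wrong by hand: a constraint ID without the custom. prefix, a condition that exceeds the length limit, or a simulate call with neither file flag. The following script is an added example, not Google's tooling or code from this page. It renders the two YAML files in the layouts shown above, checks them against the limits the page states (70-character ID suffix, 200-character display name, 2000-character description, 1000-character condition, CREATE or CREATE and UPDATE, ALLOW or DENY), and assembles the simulate command, with the --format=json variant the page describes for saving results, and the two org-policies commands used to apply a tested change. The organization ID 123456789, the display name, description and the temporary file paths are constructed for the example; the constraint name custom.EnforceGKEBinaryAuthz and the conditions are the ones the page uses. Nothing is executed against gcloud; the commands are only printed.

```python
"""Render custom-constraint and organization-policy YAML, validate them against
the documented limits, and assemble the gcloud simulate / apply commands.
Added example; not Google's code."""
import json
import re
import tempfile
from pathlib import Path

# Limits stated on the page for custom constraints.
MAX_ID_LEN, MAX_DISPLAY_LEN, MAX_DESC_LEN, MAX_COND_LEN = 70, 200, 2000, 1000
VALID_METHODS = {"CREATE", "UPDATE"}
VALID_ACTIONS = {"ALLOW", "DENY"}
_ID_RE = re.compile(r"^custom\.[A-Za-z0-9]+$")


def validate_constraint_name(name):
    """Constraint ID rules: 'custom.' prefix, letters/digits only, at most
    70 characters after the prefix. Returns the name or raises ValueError."""
    if not _ID_RE.match(name):
        raise ValueError(f"{name!r}: must start with 'custom.' and use only letters and digits")
    if len(name) - len("custom.") > MAX_ID_LEN:
        raise ValueError(f"{name!r}: more than {MAX_ID_LEN} characters after the prefix")
    return name


def render_custom_constraint(org_id, name, resource_type, methods, condition,
                             action, display_name, description):
    """Render the custom-constraint YAML in the page's layout."""
    validate_constraint_name(name)
    if "CREATE" not in methods or not set(methods) <= VALID_METHODS:
        raise ValueError("methods must be CREATE, or CREATE and UPDATE")
    if action not in VALID_ACTIONS:
        raise ValueError("action must be ALLOW or DENY")
    for value, limit, what in ((condition, MAX_COND_LEN, "condition"),
                               (display_name, MAX_DISPLAY_LEN, "displayName"),
                               (description, MAX_DESC_LEN, "description")):
        if len(value) > limit:
            raise ValueError(f"{what} exceeds {limit} characters")
    lines = [f"name: organizations/{org_id}/customConstraints/{name}",
             "resourceTypes:", f"- {resource_type}", "methodTypes:"]
    lines += [f"- {m}" for m in methods]
    # json.dumps yields a double-quoted scalar that is also valid YAML, so the
    # single quotes inside a CEL expression such as matchTag('env', 'dev') survive.
    lines += [f"condition: {json.dumps(condition)}", f"actionType: {action}",
              f"displayName: {json.dumps(display_name)}",
              f"description: {json.dumps(description)}"]
    return "\n".join(lines) + "\n"


def render_policy(org_id, name, tag_condition=None, delete=False):
    """Render the three policy shapes from the page: plain enforcement,
    tag-conditional enforcement, or deletion (inherit from parent only)."""
    head = f"name: organizations/{org_id}/policies/{name}\nspec:\n"
    if delete:
        return head + "  inheritFromParent: true\n"
    if tag_condition is None:
        return head + "  rules:\n  - enforce: true\n"
    return (head + "  rules:\n  - condition:\n"
            f"      expression: {json.dumps(tag_condition)}\n"
            "    enforce: false\n  - enforce: true\n")


def simulate_command(org_id, constraint_path=None, policy_path=None, as_json=False):
    """argv for 'gcloud policy-intelligence simulate orgpolicy'. At least one of
    the two file flags is required, as the page states."""
    if constraint_path is None and policy_path is None:
        raise ValueError("pass a constraint file, a policy file, or both")
    argv = ["gcloud", "policy-intelligence", "simulate", "orgpolicy",
            f"--organization={org_id}"]
    if constraint_path:
        argv.append(f"--custom-constraints={constraint_path}")
    if policy_path:
        argv.append(f"--policies={policy_path}")
    if as_json:  # the page's option for saving results as JSON
        argv.append("--format=json")
    return argv


def apply_commands(constraint_path, policy_path):
    """The two commands the page uses to apply a tested change."""
    return [["gcloud", "org-policies", "set-custom-constraint", constraint_path],
            ["gcloud", "org-policies", "set-policy", policy_path]]


if __name__ == "__main__":
    # Constructed inputs: hypothetical organization ID, temp-dir file paths.
    out = Path(tempfile.mkdtemp())
    c, p = str(out / "constraint.yaml"), str(out / "policy.yaml")
    Path(c).write_text(render_custom_constraint(
        "123456789", "custom.EnforceGKEBinaryAuthz",
        "container.googleapis.com/Cluster", ["CREATE"],
        "resource.binaryAuthorization.enabled == true", "ALLOW",
        "Require Binary Authorization", "GKE clusters must enable Binary Authorization."))
    Path(p).write_text(render_policy("123456789", "custom.EnforceGKEBinaryAuthz",
                                     tag_condition="resource.matchTag('env', 'dev')"))
    print(" ".join(simulate_command("123456789", c, p)))
    for cmd in apply_commands(c, p):
        print(" ".join(cmd))
```

Validating locally before calling the API keeps the feedback loop short: the length and naming limits are rejected by the service anyway, but a simulation that fails for a malformed file tells you nothing about the resources that would actually violate the policy.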

The following is a sample response for an organization policy simulation. This simulation involves a custom constraint that restricts the creation of Google Kubernetes Engine cluster resources where Binary Authorization is not enabled. In this case, if the proposed change were applied, two cluster resources would violate the policy: orgpolicy-test-cluster under the project simulator-test-project, and autopilot-cluster-1 under the project orgpolicy-test-0.

Waiting for operation [organizations/012345678901/locations/global/orgPolicyViolationsPreviews/85be9a2d-8c49-470d-a65a-d0cb9ffa8f83/operations/1883a83c-c448-42e5-a7c5-10a850928f06] to complete...done.
---
customConstraint:
  actionType: ALLOW
  condition: resource.binaryAuthorization.enabled == true
  methodTypes:
  - CREATE
  name: organizations/012345678901/customConstraints/custom.EnforceGKEBinaryAuthz
  resourceTypes:
  - container.googleapis.com/Cluster
name: organizations/012345678901/locations/global/orgPolicyViolationsPreviews/3dd47fd3-6df1-4156-8f10-413a3fc0ed83/orgPolicyViolations/b9fd23a5-7163-46de-9fec-7b9aa6af1113
resource:
  ancestors:
  - organizations/012345678901
  - projects/456789012345
  assetType: container.googleapis.com/Cluster
  resource: //container.googleapis.com/projects/simulator-test-project/locations/us-central1/clusters/orgpolicy-test-cluster
---
customConstraint:
  actionType: ALLOW
  condition: resource.binaryAuthorization.enabled == true
  methodTypes:
  - CREATE
  name: organizations/012345678901/customConstraints/custom.EnforceGKEBinaryAuthz
  resourceTypes:
  - container.googleapis.com/Cluster
name: organizations/012345678901/locations/global/orgPolicyViolationsPreviews/3dd47fd3-6df1-4156-8f10-413a3fc0ed83/orgPolicyViolations/e73896e6-7613-4a8d-8436-5df7a6455121
resource:
  ancestors:
  - organizations/012345678901
  - folders/789012345678
  - projects/456789012345
  assetType: container.googleapis.com/Cluster
  resource: //container.googleapis.com/projects/orgpolicy-test-0/locations/us-central1/clusters/autopilot-cluster-1
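A real simulation over an organization can return hundreds of violation documents like the two above, and the practical question is which projects own them so the owners can be contacted or exemptions scoped. The following is an added example, not Google's code: it parses the multi-document YAML that the simulate command prints and groups the violating resources by the project ID in their resource path. The parser covers only the subset of YAML gcloud emits here (two-space indented mappings and lists of scalars) so that it runs without PyYAML; SAMPLE is the output shown on this page. In practice, running the command with --format=json and reading it with json.loads avoids the hand-written parser entirely.

```python
"""Parse 'gcloud policy-intelligence simulate orgpolicy' YAML output and
summarise violations per project. Added example; minimal YAML-subset parser."""
import re

# The sample response from this page, used as the constructed input.
SAMPLE = """\
Waiting for operation [organizations/012345678901/locations/global/orgPolicyViolationsPreviews/85be9a2d-8c49-470d-a65a-d0cb9ffa8f83/operations/1883a83c-c448-42e5-a7c5-10a850928f06] to complete...done.
---
customConstraint:
  actionType: ALLOW
  condition: resource.binaryAuthorization.enabled == true
  methodTypes:
  - CREATE
  name: organizations/012345678901/customConstraints/custom.EnforceGKEBinaryAuthz
  resourceTypes:
  - container.googleapis.com/Cluster
name: organizations/012345678901/locations/global/orgPolicyViolationsPreviews/3dd47fd3-6df1-4156-8f10-413a3fc0ed83/orgPolicyViolations/b9fd23a5-7163-46de-9fec-7b9aa6af1113
resource:
  ancestors:
  - organizations/012345678901
  - projects/456789012345
  assetType: container.googleapis.com/Cluster
  resource: //container.googleapis.com/projects/simulator-test-project/locations/us-central1/clusters/orgpolicy-test-cluster
---
customConstraint:
  actionType: ALLOW
  condition: resource.binaryAuthorization.enabled == true
  methodTypes:
  - CREATE
  name: organizations/012345678901/customConstraints/custom.EnforceGKEBinaryAuthz
  resourceTypes:
  - container.googleapis.com/Cluster
name: organizations/012345678901/locations/global/orgPolicyViolationsPreviews/3dd47fd3-6df1-4156-8f10-413a3fc0ed83/orgPolicyViolations/e73896e6-7613-4a8d-8436-5df7a6455121
resource:
  ancestors:
  - organizations/012345678901
  - folders/789012345678
  - projects/456789012345
  assetType: container.googleapis.com/Cluster
  resource: //container.googleapis.com/projects/orgpolicy-test-0/locations/us-central1/clusters/autopilot-cluster-1
"""

_PROJECT_RE = re.compile(r"/projects/([^/]+)/")


def _tokens(doc):
    """(indent, text) per non-blank line, skipping gcloud's progress line."""
    out = []
    for line in doc.splitlines():
        if not line.strip() or line.startswith("Waiting for operation"):
            continue
        out.append((len(line) - len(line.lstrip(" ")), line.strip()))
    return out


def _parse(items, pos, indent):
    """Parse one block starting at items[pos] with the given indent.
    Handles mappings of scalars/blocks and lists of scalars; gcloud emits list
    items at the same indent as their parent key, which this relies on."""
    if items[pos][1].startswith("- "):
        seq = []
        while pos < len(items) and items[pos][0] == indent and items[pos][1].startswith("- "):
            seq.append(items[pos][1][2:].strip())
            pos += 1
        return seq, pos
    mapping = {}
    while pos < len(items) and items[pos][0] == indent and not items[pos][1].startswith("- "):
        key, _, rest = items[pos][1].partition(":")
        pos += 1
        if rest.strip():
            mapping[key.strip()] = rest.strip()
        elif pos < len(items) and items[pos][0] >= indent:
            mapping[key.strip()], pos = _parse(items, pos, items[pos][0])
        else:
            mapping[key.strip()] = None
    return mapping, pos


def parse_simulation_output(text):
    """Return one dict per violation document; documents are separated by ---."""
    violations = []
    for doc in re.split(r"^---$", text, flags=re.MULTILINE):
        items = _tokens(doc)
        if items:
            violations.append(_parse(items, 0, items[0][0])[0])
    return violations


def summarize_by_project(text):
    """Map project ID (taken from the resource path) to its violating resources."""
    by_project = {}
    for v in parse_simulation_output(text):
        res = v["resource"]["resource"]
        m = _PROJECT_RE.search(res)
        by_project.setdefault(m.group(1) if m else "(unknown)", []).append(res)
    return by_project


if __name__ == "__main__":
    for project, resources in summarize_by_project(SAMPLE).items():
        print(f"{project}: {len(resources)} violation(s)")
        for r in resources:
            print("  ", r)
```

Grouping by the project ID in the resource path, rather than by the ancestors list, matches how the page itself describes the result (one cluster under simulator-test-project, one under orgpolicy-test-0) and gives you a list you can hand to project owners before the policy is enforced.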

Test a change to a managed constraint

Console

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. Click Select project, and then select the organization, folder, or project resource for which you want to edit the organization policy.

  3. From the list, select the managed constraint for which you want to update the organization policy. On the Policy details page, you can see the source of this organization policy, the effective policy evaluation on this resource, and more details about the managed constraint.

  4. To update the organization policy for this resource, click Manage policy.

  5. On the Edit policy page, select Override parent's policy.

  6. Click Add a rule.

  7. In the Enforcement section, select whether enforcement of this organization policy should be on or off.

  8. Optionally, to make the organization policy conditional on a tag, click Add condition. If you add a conditional rule to an organization policy, you must add at least one unconditional rule or the policy cannot be saved. For more details, see Setting an organization policy with tags.

  9. Click Test changes.

The Simulation history page appears, with a list of simulations performed by you in the last 14 days. See Policy Simulator results on this page for more information.

gcloud

  1. Create or modify an organization policy that enforces a managed constraint.

    Replace the following:

  2. Run the policy-intelligence simulate orgpolicy command:

    gcloud policy-intelligence simulate orgpolicy \
      --organization=ORGANIZATION_ID \
      --policies=POLICY_PATH

    Replace the following:

    • ORGANIZATION_ID with your organization ID, such as 1234567890123. Simulating changes over multiple organizations is not supported.

    • POLICY_PATH with the full path to your organization policy YAML file.

    After several minutes, the command prints a list of resources that would violate the changes to the custom constraint, the organization policy, or both.

    Results are also viewable on the Simulation history page of the Google Cloud console. See Policy Simulator results on this page to learn how to read the results.

Policy Simulator results

Policy Simulator reports the results of a change in a custom constraint or organization policy as a list of violations of the simulated policy. The Google Cloud console stores results of simulations generated by you in the last 14 days.

To view simulation results, go to the Simulation history page.

Go to Simulation history

Select a simulation to see details. On the Simulation report page, you can see the preview of violations, which lists the number of total violations caused by the new custom constraint or organization policy, the number of resources that were checked in the scope of the simulation, and the time at which the simulation completed.

If you simulated a custom constraint, you can click Constraint details to see the specific configuration that was simulated. If you simulated an organization policy, the Policy details tab shows the configuration that was simulated.

All violations are listed in the table of resources. Each resource that violates the new custom constraint or organization policy is listed with a link to the resource entry in Cloud Asset Inventory. Project, folder, and organization resources are displayed with the sum total of resources below them in the hierarchy that violate the new custom constraint or organization policy.

Apply a tested policy change

After you have tested your custom constraint, organization policy, or both, you can set up the custom constraint and enforce the organization policy. You can see all Policy Simulator results in the Google Cloud console, regardless of how they were generated. If your simulation report includes changes to no more than one organization policy, you can enforce the organization policy directly through the simulation results. To enforce test changes in multiple organization policies, use the Google Cloud CLI.

Console

  1. To apply Policy Simulator results for a custom constraint or organization policy, go to the Simulation history page.

    Go to Simulation history

  2. Select the simulation report for the custom constraint or organization policy you want to apply.

  3. If this simulation report includes a custom constraint, click Save constraint.

  4. If this simulation report includes changes to no more than one organization policy, you can apply that organization policy as a dry-run policy to monitor behavior in production without introducing risk by clicking Set dry run policy. The Policy details page for the new organization policy appears.

    You can enforce the organization policy immediately by clicking and then clicking Set policy.

gcloud

  1. To enforce a custom constraint, you must set it up to make it available for organization policies in your organization. To set up a custom constraint, use the gcloud org-policies set-custom-constraint command:

    gcloud org-policies set-custom-constraint CONSTRAINT_PATH

    Replace CONSTRAINT_PATH with the full path to your custom constraint file. For example, /home/user/customconstraint.yaml.

    After this is completed, your custom constraint is available in your list of Google Cloud organization policies.

  2. To set the organization policy, use the gcloud org-policies set-policy command:

    gcloud org-policies set-policy POLICY_PATH

    Replace POLICY_PATH with the full path to your organization policy YAML file.

    The policy takes up to 15 minutes to take effect.

Save simulation results

Console

If you are using the Google Cloud console, you can save Policy Simulator results as a CSV file.

  1. To save Policy Simulator results, go to the Simulation history page.

    Go to Simulation history

  2. Select the simulation report you want to save.

  3. Click Export full results.

gcloud

If you are using the gcloud CLI, you can save Policy Simulator results as JSON or YAML files.

By default, test results in the Google Cloud CLI are output in YAML format. To save a test result as a YAML file, redirect the output of the simulate orgpolicy command when running the simulation:

> FILENAME

Replace FILENAME with a name for the output file.

To save a test result as a JSON file, add the following flag to the simulate orgpolicy command when running the simulation:

--format=json > FILENAME

Replace FILENAME with a name for the output file.

What's next


Last updated 2026-02-18 UTC.