Manage function resources using custom constraints

This page provides supplemental information for setting custom constraints on functions created using gcloud functions commands or the Cloud Functions v2 API.

For a detailed description of how to use custom constraints, see Manage custom constraints for projects.

Limitations

The following limitations apply to using custom organization policies for Cloud Functions v2 API functions:

  • Not enforced for VM instance names when you use the bulk insert API.
  • Only enforced on the CREATE method for Compute Engine resources.
  • Only available on Cloud Functions v2 API. They can't be applied on Cloud Run functions (1st gen).
  • Only protects functions when they are managed through the Cloud Functions v2 API. Cloud Run functions can also be modified through the Cloud Run API, so for additional protection you might need to apply custom constraints on Cloud Run as well.

Common organization policy examples

The following table provides the syntax of some custom organization policies that you might find useful:

Description: Prevent functions from being created with a specific language

Constraint syntax:

    name: organizations/ORGANIZATION_ID/customConstraints/custom.cloudFunctionRuntimeBlock
    resource_types: cloudfunctions.googleapis.com/Function
    method_types:
      - CREATE
      - UPDATE
    condition: resource.buildConfig.runtime == "python312"
    action_type: DENY
    display_name: Deny functions using Python 3.12
    description: Functions cannot be created with Python 3.12 as the language runtime

Description: Require functions to use a specific worker pool

Constraint syntax:

    name: organizations/ORGANIZATION_ID/customConstraints/custom.cloudFunctionsWorkerPool
    resource_types: cloudfunctions.googleapis.com/Function
    method_types:
      - CREATE
      - UPDATE
    condition: resource.buildConfig.workerPool == "WORKER_POOL"
    # ALLOW admits only requests whose condition holds; DENY here would block the required pool
    action_type: ALLOW
    display_name: Require worker pool
    description: Functions must use a worker pool

Replace WORKER_POOL with the name of your Cloud Build worker pool.

Description: Require that functions store all container images in a specific image repository

Constraint syntax:

    name: organizations/ORGANIZATION_ID/customConstraints/custom.cloudFunctionsRepository
    resource_types: cloudfunctions.googleapis.com/Function
    method_types:
      - CREATE
      - UPDATE
    condition: resource.buildConfig.dockerRepository.startsWith("REPO_PATH")
    # ALLOW admits only requests whose condition holds; DENY here would block the required repository
    action_type: ALLOW
    display_name: Image repository constraint
    description: Functions must push images to a central image repository under REPO_PATH

Replace REPO_PATH with the URI of the image repository in which you want all functions to store their container images.
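The following added example (not part of this page or of any Google tooling) checks a constraint definition for the shape shown above and then simulates how action_type and the CEL condition combine for a given function buildConfig, which is where ALLOW and DENY are easily mixed up. It assumes a placeholder organization ID and a constructed repository path, and its condition matcher handles only the two CEL forms used on this page.

```python
import re

# Custom constraint name format: organizations/ORG_ID/customConstraints/custom.Name
# (assumption: this regex checks only the shape shown on the page, not every naming rule).
NAME_RE = re.compile(r"^organizations/\d+/customConstraints/custom\.[A-Za-z][A-Za-z0-9]*$")
FUNCTION_TYPE = "cloudfunctions.googleapis.com/Function"

def validate_constraint(c: dict) -> list:
    """Return a list of problems with a constraint dict; an empty list means it looks well-formed."""
    problems = []
    if not NAME_RE.match(c.get("name", "")):
        problems.append("name must look like organizations/ORG_ID/customConstraints/custom.Name")
    if c.get("resource_types") != FUNCTION_TYPE:
        problems.append("resource_types must be " + FUNCTION_TYPE)
    methods = set(c.get("method_types", []))
    if not methods or not methods <= {"CREATE", "UPDATE"}:
        problems.append("method_types must be a non-empty subset of CREATE, UPDATE")
    if c.get("action_type") not in ("ALLOW", "DENY"):
        problems.append("action_type must be ALLOW or DENY")
    return problems

def eval_condition(condition: str, build_config: dict) -> bool:
    """Evaluate the two CEL forms used on this page (== and startsWith) against buildConfig.
    This is a deliberately tiny matcher, not a CEL engine."""
    m = re.fullmatch(r'resource\.buildConfig\.(\w+) == "([^"]*)"', condition)
    if m:
        return build_config.get(m.group(1)) == m.group(2)
    m = re.fullmatch(r'resource\.buildConfig\.(\w+)\.startsWith\("([^"]*)"\)', condition)
    if m:
        return str(build_config.get(m.group(1), "")).startswith(m.group(2))
    raise ValueError("unsupported condition: " + condition)

def request_allowed(c: dict, method: str, build_config: dict) -> bool:
    """Decide whether a function CREATE/UPDATE passes the constraint: ALLOW admits only
    requests where the condition holds, DENY blocks exactly those requests."""
    if method not in c["method_types"]:
        return True  # constraint does not apply to other methods
    matched = eval_condition(c["condition"], build_config)
    return matched if c["action_type"] == "ALLOW" else not matched

# Constructed sample constraints; 123456789012 is a placeholder organization ID.
ORG = "organizations/123456789012/customConstraints/"
BLOCK_PY312 = {"name": ORG + "custom.cloudFunctionRuntimeBlock", "resource_types": FUNCTION_TYPE,
               "method_types": ["CREATE", "UPDATE"],
               "condition": 'resource.buildConfig.runtime == "python312"', "action_type": "DENY"}
REQUIRE_REPO = {"name": ORG + "custom.cloudFunctionsRepository", "resource_types": FUNCTION_TYPE,
                "method_types": ["CREATE", "UPDATE"],
                "condition": 'resource.buildConfig.dockerRepository.startsWith("us-docker.pkg.dev/central/")',
                "action_type": "ALLOW"}
# Same constraint with the "/" before customConstraints dropped, a common typo the validator catches.
BAD_NAME = dict(BLOCK_PY312, name="organizations/123456789012customConstraints/custom.cloudFunctionRuntimeBlock")
```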

What's next