Restrict new deployments by product version

Cloud Run functions offers two product versions: Cloud Run functions (1st gen) and Cloud Run functions created through the Google Cloud Functions v2 APIs. If your organization wants to allow only one of these versions for deploying new functions, define an organization policy with the constraint constraints/cloudfunctions.restrictAllowedGenerations. This constraint specifies the generation (version) you want to allow or deny in the folder or project the policy is applied to.

The restriction will only apply to new functions being deployed for the first time. You will still be able to redeploy existing functions even if they don't comply with the policy.

Before you begin

To create or change organization policies, your account must have the role roles/orgpolicy.policyAdmin.

Use a policy to set and enforce restrictions

You can use the Google Cloud CLI or the Google Cloud console to create a policy that restricts Cloud Run functions deployed for the first time within a given organization to the specified environment.

Note that a policy does not affect existing functions. All functions that were deployed before the policy was set can be redeployed, updated, or deleted without restriction.

Console

  1. Go to the Organization policies page in the Google Cloud console.

  2. Select the project, folder, or organization for which you want to add the new policy.

    The Organization policies page displays a list of the available organization policy constraints.

  3. Find the Allowed Cloud Functions Generations policy in the list. You can use the Filter field at the top of the list.

  4. Click the name of the policy. Alternatively, you can select Edit Policy from the context menu.

  5. Click Manage Policy.

  6. Select Customize under Applies to.

  7. Select Replace under Policy enforcement.

  8. Click Add Rule under Rules.

  9. Select Custom for Policy Values.

  10. Select Allow for Policy Type.

  11. In Custom Value specify the environment that you want to enforce in the organization. Supported values:

    • 1stGen: Allow the use of Cloud Run functions (1st gen) only.
    • 2ndGen: Allow the use of Cloud Run functions (2nd gen) only.
    • To explicitly allow both environments, specify 1stGen and 2ndGen together. By default, both environments are allowed when no policy is set.

  12. Click Done.

  13. Click Save.

The changes take effect shortly. Because the rule is an Allow rule, the policy then prevents first-time deployments of Cloud Run functions in any environment other than the one you specified.

gcloud

Run the following command:

gcloud resource-manager org-policies \
allow cloudfunctions.restrictAllowedGenerations \
--organization=ORGANIZATION_NUMBER VERSION

where ORGANIZATION_NUMBER is the number of the organization to which you want to apply the policy, and VERSION is the Cloud Run functions version that must be used for new deployments. VERSION can be one of the following:

  • 1stGen: Allow the use of Cloud Run functions (1st gen) only.
  • 2ndGen: Allow the use of Cloud Run functions (2nd gen) only.
  • To explicitly allow both environments, specify 1stGen and 2ndGen together. By default, both environments are allowed when no policy is set.
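
Because the policy does not cover functions deployed before it was set, an inventory check is needed to find functions outside the allowed generation. The script below is an added example, not part of the original documentation. It assumes inventory lines of the form NAME<TAB>ENVIRONMENT with ENVIRONMENT being GEN_1 or GEN_2 (the output gcloud functions list --format='value(name,environment)' is assumed to produce); the function names are constructed.

```shell
#!/bin/sh
# Added example: flag existing functions whose generation is not in the allowed set.

# Map a policy value from this page (1stGen / 2ndGen) to the assumed API enum.
policy_value_to_env() {
  case "$1" in
    1stGen) echo GEN_1 ;;
    2ndGen) echo GEN_2 ;;
    *) echo "unknown policy value: $1" >&2; return 2 ;;
  esac
}

# find_noncompliant VALUE [VALUE...]
# Reads "NAME<TAB>ENVIRONMENT" lines on stdin and prints those outside the allowed set.
# A missing environment is reported as UNKNOWN (fail closed).
find_noncompliant() {
  allowed=" "
  for v in "$@"; do
    env_name=$(policy_value_to_env "$v") || return 2
    allowed="$allowed$env_name "
  done
  tab=$(printf '\t')
  while IFS="$tab" read -r name fenv; do
    [ -z "$name" ] && continue
    case "$allowed" in
      *" $fenv "*) ;;  # generation is allowed by the policy
      *) printf '%s\t%s\n' "$name" "${fenv:-UNKNOWN}" ;;
    esac
  done
}

# Constructed sample inventory (not real output).
sample_inventory() {
  printf 'legacy-thumbnailer\tGEN_1\n'
  printf 'orders-api\tGEN_2\n'
  printf 'untagged-fn\t\n'
}

# Demo: policy allows 2ndGen only.
sample_inventory | find_noncompliant 2ndGen
```

To run it against a real project, pipe the inventory command's output into find_noncompliant in place of sample_inventory.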