Project factory doesnt support Allow all for org constraint policies at project level

[nagendrasidgs]

We have a use case to Allow 'All' for a constraint(constraints/compute.restrictVpcPeering) at the Project level. At the same time, we deny that at the 'org' level.

Now the issue is in the Fast as it is using the project factory and the project factory does not provide an option to pass 'All' as 'true' or 'deny'. It only does 'values'. Are there options that we leverage to perform the above?

[nagendrasidgs]

Was able to get through. Basically, we need to pass an empty value: that would auto-pick the all: true at the project level.

Maybe adding an example to restrict something at org and how to allow 'all' at the project level. Would help!

An example: the below will set Allow 'All'. This will come in handy when you do private service connect at the project level for private GKE; Apigee; private SQL.

constraints/compute.restrictVpcPeering:
  inherit_from_parent: null
  status: true
  suggested_value: null
  values:

[nagendrasidgs]

Closing this Issue as its resolved

[ludoo]

Was able to get through. Basically, we need to pass an empty value: that would auto-pick the all: true at the project level.

Maybe adding an example to restrict something at org and how to allow 'all' at the project level. Would help!

Yes, I always struggle with org policies, and often reverse engineer what I apply in the console via plan to figure out the syntax. An example would be very useful, would you be ok with adding the one you found to the relevant README, in a PR?