The problem requires restricting the types of Google Cloud services that can be deployed within specific folders to enforce compliance, without affecting other parts of the resource hierarchy, using the most efficient and simple method.
Organization Policies: Organization policies allow you to define centralized, programmatic controls over your Google Cloud resources. They apply hierarchically, meaning a policy set on a folder applies to all projects and resources within that folder and its descendants.
Restrict Resource Service Usage Constraint: This specific organization policy constraint is designed precisely for controlling which Google Cloud services can be used (and thus deployed/created resources for) within a given part of the resource hierarchy. It supports both allowlists and denylists of service API identifiers.
Extract Reference: "The Restrict Resource Service Usage constraint controls the runtime access to all in-scope resources." and "This constraint can be used in two mutually exclusive ways: Denylist - resources of any service that isn't denied are allowed. Allowlist - resources of any service that isn't allowed are denied." (Google Cloud Documentation: "Restricting resource usage | Resource Manager Documentation" - https://cloud.google.com/resource-manager/docs/organization-policy/restricting-resources)
Folder-Level Application: Applying this organization policy at the folder level directly meets the requirement of applying restrictions "only to the designated folders without affecting other parts of the resource hierarchy." This is more efficient and simpler than applying a global policy with numerous exceptions.
Let's evaluate the other options:
B. Implement IAM conditions on service account creation within each folder: IAM conditions control permissions for who can do what. While they can be used for very fine-grained access control, they are not designed to restrict the types of services that can be deployed directly. Controlling service account creation doesn't prevent a user with appropriate permissions from deploying other resources.
C. Create a global organization policy... and apply exceptions: While technically possible, this is less efficient and simple if the goal is to only restrict specific folders. Managing exceptions for the entire rest of the organization would be more complex than simply applying the policy directly where it's needed.
D. Configure VPC Service Controls perimeters around each folder: VPC Service Controls primarily prevent data exfiltration and restrict API access at a network perimeter level. They are not designed to restrict which types of Google Cloud services can be deployed within a project or folder; rather, they control how allowed services interact with each other and with external endpoints.
Therefore, creating an organization policy with the "Restrict Resource Service Usage" constraint at the folder level is the most efficient, simple, and direct method to achieve the stated goal.
