I am trying to default my Cloud Run services ingress access to be internal only unless a specific tag is being set on the service by the service owner (for instance).
I am trying to achieve this with org policies and tags.
I found the relevant org policy (Allowed ingress settings (Cloud Run)) and figured I'd create a "public" tag for those specific services.
I configured the policy to:
- "allow all" if tag is public
- allow "internal" if tag is internal
I've set the "internal" tag on the project, and this resulted in the desired state: only the "internal traffic" setting was not grayed out on the service's "trigger" configuration tab. But when I applied the "public" tag to the same service, the other settings were still grayed out, as if the tag did not take effect or my policy conditions are wrong.
What am I missing?
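For reference, here is what a tag-conditioned `run.allowedIngress` policy looks like in the `gcloud org-policies set-policy` YAML format. This is an added example, not the poster's actual policy: `ORG_ID` and `PROJECT_ID` are placeholders, and the tag key name `run-ingress` with the value `public` is an assumption. It uses one conditional rule for the "public" tag and an unconditional rule as the fallback, so the default of `internal` does not itself depend on a second tag being present on the project or service.

```yaml
# Added example policy (not from the original post). Apply with:
#   gcloud org-policies set-policy policy.yaml
# PROJECT_ID, ORG_ID and the tag key "run-ingress" are placeholders/assumptions.
name: projects/PROJECT_ID/policies/run.allowedIngress
spec:
  rules:
    # Rule 1: services (or their parents) carrying run-ingress=public may allow all traffic.
    # resource.matchTag takes the namespaced key "ORG_ID/KEY" and the value's short name.
    - condition:
        expression: "resource.matchTag('ORG_ID/run-ingress', 'public')"
      values:
        allowedValues:
          - all
          - internal-and-cloud-load-balancing
          - internal
    # Rule 2: unconditional default for everything else: internal traffic only.
    - values:
        allowedValues:
          - internal
```

To check what is actually being enforced on a given project after the tag binding is applied, `gcloud org-policies describe run.allowedIngress --project=PROJECT_ID --effective` shows the evaluated policy rather than the stored one, which makes it easier to tell whether the condition is matching or whether a policy set higher in the hierarchy is still restricting the allowed values.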