# Resource 'projects/my-project/global/images/my-image' was disallowed by policy. Policy: 'constraints/compute.restrictNonCcslImages'. Reason: 'The resource is not in the allowed list of images.'

- **ID:** `policy/gcp-organization-policy-constraint-blocking-resource`
- **Domain:** policy
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 75%

## Root Cause

GCP organization policy constraint restricts non-CCSL (Google Cloud Customer-Supplied License) images, blocking custom image creation.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| gcloud 450.0.0 | active | — | — |
| Compute Engine API v1 | active | — | — |

## Workarounds

1. **Use an approved CCSL image from the allowed list. Run: 'gcloud compute images list --project=<approved-project>' to find valid images.** (85% success)
   ```
   Use an approved CCSL image from the allowed list. Run: 'gcloud compute images list --project=<approved-project>' to find valid images.
   ```
2. **Request exception from organization admin. Provide policy ID and resource details via: 'gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization=<ORG_ID>'** (70% success)
   ```
   Request exception from organization admin. Provide policy ID and resource details via: 'gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization=<ORG_ID>'
   ```
3. **Create a custom image from a CCSL base image using: 'gcloud compute images create my-custom-image --source-image=<ccsl-image> --source-image-project=<project>'** (90% success)
   ```
   Create a custom image from a CCSL base image using: 'gcloud compute images create my-custom-image --source-image=<ccsl-image> --source-image-project=<project>'
   ```

## Dead Ends

- **Delete and recreate the image with a different name.** — The policy is based on image source, not name. Any non-CCSL image is blocked regardless of naming. (95% fail)
- **Remove the constraint from the specific project only.** — Organization policy constraints are inherited from the organization level and cannot be overridden at project level without organization admin privileges. (80% fail)
- **Use a different region to create the image.** — The constraint applies globally across all regions in the organization. (100% fail)