Exclude doesn't support individual resources #49

@ocervell

AFAIK there is no way to exclude just one resource (individual VM or instance) using the exclude parameter: is this expected?

E.g., I tried the following in a rule to prevent public IPs on CloudSQL, but the exclude is not working:

match:
    target: ["organization/*"]
    exclude: ["//cloudsql.googleapis.com/projects/<PROJECT>/instances/my-db"] 

or

match:
    target: ["organization/*"]
    exclude: ["organization/<ORG_ID>/folder/<FOLDER_NUMBER>/project/<PROJECT_NUMBER>/cloudsqlinstance/<INSTANCE_NUMBER>"] 

but excluding on the project level works (but might be inadequate for certain contexts):

match:
    target: ["organization/*"]
    exclude: ["organization/<ORG_ID>/folder/<FOLDER_NUMBER>/project/<PROJECT_NUMBER>"] 
