Enable compliance updates

This page describes how to enable compliance updates for Assured Workloads folders. Assured Workloads regularly updates its control packages with new settings and general improvements, such as updated organization policy constraint values. By enabling compliance updates, your Assured Workloads folders can be evaluated to determine how your folder configuration differs from the latest available configuration.

By default, this feature is automatically enabled for new Assured Workloads folders. For existing folders, we strongly recommend that you follow the steps to enable compliance updates.

This feature does not incur any additional charges, nor does it affect the behavior of Assured Workloads monitoring; you will still be alerted when your folder falls out of compliance with its current configuration, regardless of whether updates to its configuration are available.

Before you begin

  • Identify the resource IDs for the Assured Workloads folders for which to enable compliance updates.
  • Assign or verify IAM permissions on the target Assured Workloads folders and workloads.

Required IAM permissions

To enable compliance updates, the caller must be granted IAM permissions using either a predefined role that includes a wider set of permissions, or a custom role that is restricted to the minimum necessary permissions.

The following permissions are required:

Enable compliance updates

When you enable compliance updates, the Assured Workloads Service Agent is created. This service agent is then granted the Assured Workloads Service Agent (roles/assuredworkloads.serviceAgent) role on the target Assured Workloads folder. This role enables the service agent to check for any available compliance updates on the folder.

To enable compliance updates, complete the following steps:

Console

  1. In the Google Cloud console, go to the Assured Workloads page.

    Go to Assured Workloads

  2. At the top of the page in the Introducing Compliance Updates pane, click Enable compliance updates.

  3. When prompted to Enable compliance updates?, click Enable.

Compliance updates are now enabled for all Assured Workloads folders in your organization.

REST

The enableComplianceUpdates method enables Assured Workloads to notify you of compliance updates for a single Assured Workloads folder.

Replace the following placeholder values with your own:

  • ENDPOINT_URI: The Assured Workloads service endpoint URI. This URI must be the endpoint matching the location of the destination workload, such as https://us-west1-assuredworkloads.googleapis.com for a regionalized workload in the us-west1 region and https://us-assuredworkloads.googleapis.com for a multi-region workload in the US.
  • ORGANIZATION_ID: The organization ID for the Assured Workloads folder. For example: 919698201234
  • LOCATION_ID: The location of the Assured Workloads folder. For example: us-west1 or us. It corresponds to the data region value of the workload.
  • WORKLOAD_ID: The ID of the Assured Workloads workload for which to enable compliance updates. For example: 00-701ea036-7152-4780-a867-9f5

HTTP method, URL, and query parameters:

PUT [ENDPOINT_URI]/v1beta1/organizations/[ORGANIZATION_ID]/locations/[LOCATION_ID]/workloads/[WORKLOAD_ID]:enableComplianceUpdates

For example:

PUT https://us-west1-assuredworkloads.googleapis.com/v1beta1/organizations/919698298765/locations/us-west1/workloads/00-701ea036-7152-4781-a867-9f5:enableComplianceUpdates
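
Because the REST method covers one folder per call and the endpoint must match each workload's location, the following added example (not Google's code) builds the request for every workload in a list and rejects an endpoint that does not match the location. The endpoint naming pattern, the bearer-token header, and the names `endpoint_for`, `build_request` and `WORKLOADS` are assumptions of this example.

```python
import re
import urllib.request

# Assumption: the endpoint host is "<location>-assuredworkloads.googleapis.com",
# generalized from the two endpoint examples on this page (us-west1 and us).
HOST_SUFFIX = "-assuredworkloads.googleapis.com"
SAFE_ID = re.compile(r"[A-Za-z0-9-]+")  # rejects "/", "?", ":" and whitespace


def endpoint_for(location_id):
    """Return the service endpoint URI that matches a workload's location."""
    if not SAFE_ID.fullmatch(location_id):
        raise ValueError(f"invalid location: {location_id!r}")
    return f"https://{location_id}{HOST_SUFFIX}"


def build_request(org_id, location_id, workload_id, token, endpoint_uri=None):
    """Build, without sending, the enableComplianceUpdates PUT for one workload."""
    if not re.fullmatch(r"[0-9]+", org_id):
        raise ValueError(f"invalid organization ID: {org_id!r}")
    if not SAFE_ID.fullmatch(workload_id):
        raise ValueError(f"invalid workload ID: {workload_id!r}")
    expected = endpoint_for(location_id)
    endpoint_uri = (endpoint_uri or expected).rstrip("/")
    if endpoint_uri != expected:
        # A regional workload called through another location's endpoint.
        raise ValueError(f"{endpoint_uri!r} does not match location {location_id!r}")
    url = (f"{endpoint_uri}/v1beta1/organizations/{org_id}/locations/{location_id}"
           f"/workloads/{workload_id}:enableComplianceUpdates")
    # Assumption: OAuth 2.0 bearer token, e.g. from `gcloud auth print-access-token`.
    return urllib.request.Request(
        url, method="PUT", headers={"Authorization": f"Bearer {token}"})


# Constructed inventory; the IDs reuse the example values shown on this page.
WORKLOADS = [
    ("919698298765", "us-west1", "00-701ea036-7152-4781-a867-9f5"),
    ("919698201234", "us", "00-701ea036-7152-4780-a867-9f5"),
]

if __name__ == "__main__":
    for org, loc, wid in WORKLOADS:
        req = build_request(org, loc, wid, token="ACCESS_TOKEN_PLACEHOLDER")
        print(req.get_method(), req.full_url)  # urllib.request.urlopen(req) sends it
```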