- Resource: OSPolicyAssignment
- OSPolicy
- Mode
- ResourceGroup
- OSFilter
- InventoryFilter
- Resource
- PackageResource
- DesiredState
- APT
- Deb
- File
- Remote
- Gcs
- YUM
- Zypper
- RPM
- GooGet
- MSI
- RepositoryResource
- AptRepository
- ArchiveType
- YumRepository
- ZypperRepository
- GooRepository
- ExecResource
- Exec
- Interpreter
- FileResource
- DesiredState
- InstanceFilter
- LabelSet
- Inventory
- Rollout
- FixedOrPercent
- RolloutState
- Methods
Resource: OSPolicyAssignment
OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances.
An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script.
For more information, see OS policy and OS policy assignment.
JSON representation |
---|
{ "name": string, "description": string, "osPolicies": [ { object ( |
Fields | |
---|---|
name |
Resource name. Format: This field is ignored when you create an OS policy assignment. |
description |
OS policy assignment description. Length of the description is limited to 1024 characters. |
os |
Required. List of OS policies to be applied to the VMs. |
instance |
Required. Filter to select VMs. |
rollout |
Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created. 2) OSPolicyAssignment is updated and the update contains changes to one of the following fields: - instanceFilter - osPolicies 3) OSPolicyAssignment is deleted. |
revision |
Output only. The assignment revision ID A new revision is committed whenever a rollout is triggered for a OS policy assignment |
revision |
Output only. The timestamp that the revision was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
etag |
The etag for this OS policy assignment. If this is provided on update, it must match the server's etag. |
rollout |
Output only. OS policy assignment rollout state |
baseline |
Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of |
deleted |
Output only. Indicates that this revision deletes the OS policy assignment. |
reconciling |
Output only. Indicates that reconciliation is in progress for the revision. This value is |
uid |
Output only. Server generated unique id for the OS policy assignment resource. |
OSPolicy
An OS policy defines the desired state configuration for a VM.
JSON representation |
---|
{ "id": string, "description": string, "mode": enum ( |
Fields | |
---|---|
id |
Required. The id of the OS policy with the following restrictions:
|
description |
Policy description. Length of the description is limited to 1024 characters. |
mode |
Required. Policy mode |
resource |
Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored. If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant w.r.t this policy. This behavior can be toggled by the flag |
allow |
This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to |
Mode
Policy mode
Enums | |
---|---|
MODE_UNSPECIFIED |
Invalid mode |
VALIDATION |
This mode checks if the configuration resources in the policy are in their desired state. No actions are performed if they are not in the desired state. This mode is used for reporting purposes. |
ENFORCEMENT |
This mode checks if the configuration resources in the policy are in their desired state, and if not, enforces the desired state. |
ResourceGroup
Resource groups provide a mechanism to group OS policy resources.
Resource groups enable OS policy authors to create a single OS policy to be applied to VMs running different operating Systems.
When the OS policy is applied to a target VM, the appropriate resource group within the OS policy is selected based on the OSFilter
specified within the resource group.
JSON representation |
---|
{ "osFilter": { object ( |
Fields | |
---|---|
osFilter |
Deprecated. Use the |
inventory |
List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either If the list is empty, this resource group will be applied to the target VM unconditionally. |
resources[] |
Required. List of resources configured for this resource group. The resources are executed in the exact order specified here. |
OSFilter
Filtering criteria to select VMs based on OS details.
JSON representation |
---|
{ "osShortName": string, "osVersion": string } |
Fields | |
---|---|
os |
This should match OS short name emitted by the OS inventory agent. An empty value matches any OS. |
os |
This value should match the version emitted by the OS inventory agent. Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of |
InventoryFilter
Filtering criteria to select VMs based on inventory details.
JSON representation |
---|
{ "osShortName": string, "osVersion": string } |
Fields | |
---|---|
os |
Required. The OS short name |
os |
The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of An empty string matches all OS versions. |
Resource
An OS policy resource is used to define the desired state configuration and provides a specific functionality like installing/removing packages, executing a script etc.
The system ensures that resources are always in their desired state by taking necessary actions if they have drifted from their desired state.
JSON representation |
---|
{ "id": string, // Union field |
Fields | |
---|---|
id |
Required. The id of the resource with the following restrictions:
|
Union field resource_type . Resource type. resource_type can be only one of the following: |
|
pkg |
Package resource |
repository |
Package repository resource |
exec |
Exec resource |
file |
File resource |
PackageResource
A resource that manages a system package.
JSON representation |
---|
{ "desiredState": enum ( |
Fields | |
---|---|
desired |
Required. The desired state the agent should maintain for this package. |
Union field system_package . A system package. system_package can be only one of the following: |
|
apt |
A package managed by Apt. |
deb |
A deb package file. |
yum |
A package managed by YUM. |
zypper |
A package managed by Zypper. |
rpm |
An rpm package file. |
googet |
A package managed by GooGet. |
msi |
An MSI package. |
DesiredState
The desired state that the OS Config agent maintains on the VM.
Enums | |
---|---|
DESIRED_STATE_UNSPECIFIED |
Unspecified is invalid. |
INSTALLED |
Ensure that the package is installed. |
REMOVED |
The agent ensures that the package is not installed and uninstalls it if detected. |
APT
A package managed by APT. - install: apt-get update && apt-get -y install [name]
- remove: apt-get -y remove [name]
JSON representation |
---|
{ "name": string } |
Fields | |
---|---|
name |
Required. Package name. |
Deb
A deb package file. dpkg packages only support INSTALLED state.
JSON representation |
---|
{
"source": {
object ( |
Fields | |
---|---|
source |
Required. A deb package. |
pull |
Whether dependencies should also be installed. - install when false: |
File
A remote or local file.
JSON representation |
---|
{ "allowInsecure": boolean, // Union field |
Fields | |
---|---|
allow |
Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified. |
Union field type . A specific type of file. type can be only one of the following: |
|
remote |
A generic remote file. |
gcs |
A Cloud Storage object. |
local |
A local path within the VM to use. |
Remote
Specifies a file available via some URI.
JSON representation |
---|
{ "uri": string, "sha256Checksum": string } |
Fields | |
---|---|
uri |
Required. URI from which to fetch the object. It should contain both the protocol and path following the format |
sha256 |
SHA256 checksum of the remote file. |
Gcs
Specifies a file available as a Cloud Storage Object.
JSON representation |
---|
{ "bucket": string, "object": string, "generation": string } |
Fields | |
---|---|
bucket |
Required. Bucket of the Cloud Storage object. |
object |
Required. Name of the Cloud Storage object. |
generation |
Generation number of the Cloud Storage object. |
YUM
A package managed by YUM. - install: yum -y install package
- remove: yum -y remove package
JSON representation |
---|
{ "name": string } |
Fields | |
---|---|
name |
Required. Package name. |
Zypper
A package managed by Zypper. - install: zypper -y install package
- remove: zypper -y rm package
JSON representation |
---|
{ "name": string } |
Fields | |
---|---|
name |
Required. Package name. |
RPM
An RPM package file. RPM packages only support INSTALLED state.
JSON representation |
---|
{
"source": {
object ( |
Fields | |
---|---|
source |
Required. An rpm package. |
pull |
Whether dependencies should also be installed. - install when false: |
GooGet
A package managed by GooGet. - install: googet -noconfirm install package
- remove: googet -noconfirm remove package
JSON representation |
---|
{ "name": string } |
Fields | |
---|---|
name |
Required. Package name. |
MSI
An MSI package. MSI packages only support INSTALLED state.
JSON representation |
---|
{
"source": {
object ( |
Fields | |
---|---|
source |
Required. The MSI package. |
properties[] |
Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of |
RepositoryResource
A resource that manages a package repository.
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field repository . A specific type of repository. repository can be only one of the following: |
|
apt |
An Apt Repository. |
yum |
A Yum Repository. |
zypper |
A Zypper Repository. |
goo |
A Goo Repository. |
AptRepository
Represents a single apt package repository. These will be added to a repo file that will be managed at /etc/apt/sources.list.d/google_osconfig.list
.
JSON representation |
---|
{
"archiveType": enum ( |
Fields | |
---|---|
archive |
Required. Type of archive files in this repository. |
uri |
Required. URI for this repository. |
distribution |
Required. Distribution of this repository. |
components[] |
Required. List of components for this repository. Must contain at least one item. |
gpg |
URI of the key file for this repository. The agent maintains a keyring at |
ArchiveType
Type of archive.
Enums | |
---|---|
ARCHIVE_TYPE_UNSPECIFIED |
Unspecified is invalid. |
DEB |
Deb indicates that the archive contains binary files. |
DEB_SRC |
Deb-src indicates that the archive contains source files. |
YumRepository
Represents a single yum package repository. These are added to a repo file that is managed at /etc/yum.repos.d/google_osconfig.repo
.
JSON representation |
---|
{ "id": string, "displayName": string, "baseUrl": string, "gpgKeys": [ string ] } |
Fields | |
---|---|
id |
Required. A one word, unique name for this repository. This is the |
display |
The display name of the repository. |
base |
Required. The location of the repository directory. |
gpg |
URIs of GPG keys. |
ZypperRepository
Represents a single zypper package repository. These are added to a repo file that is managed at /etc/zypp/repos.d/google_osconfig.repo
.
JSON representation |
---|
{ "id": string, "displayName": string, "baseUrl": string, "gpgKeys": [ string ] } |
Fields | |
---|---|
id |
Required. A one word, unique name for this repository. This is the |
display |
The display name of the repository. |
base |
Required. The location of the repository directory. |
gpg |
URIs of GPG keys. |
GooRepository
Represents a Goo package repository. These are added to a repo file that is managed at C:/ProgramData/GooGet/repos/google_osconfig.repo
.
JSON representation |
---|
{ "name": string, "url": string } |
Fields | |
---|---|
name |
Required. The name of the repository. |
url |
Required. The url of the repository. |
ExecResource
A resource that allows executing scripts on the VM.
The ExecResource
has 2 stages: validate
and enforce
and both stages accept a script as an argument to execute.
When the ExecResource
is applied by the agent, it first executes the script in the validate
stage. The validate
stage can signal that the ExecResource
is already in the desired state by returning an exit code of 100
. If the ExecResource
is not in the desired state, it should return an exit code of 101
. Any other exit code returned by this stage is considered an error.
If the ExecResource
is not in the desired state based on the exit code from the validate
stage, the agent proceeds to execute the script from the enforce
stage. If the ExecResource
is already in the desired state, the enforce
stage will not be run. Similar to validate
stage, the enforce
stage should return an exit code of 100
to indicate that the resource in now in its desired state. Any other exit code is considered an error.
NOTE: An exit code of 100
was chosen over 0
(and 101
vs 1
) to have an explicit indicator of in desired state
, not in desired state
and errors. Because, for example, Powershell will always return an exit code of 0
unless an exit
statement is provided in the script. So, for reasons of consistency and being explicit, exit codes 100
and 101
were chosen.
JSON representation |
---|
{ "validate": { object ( |
Fields | |
---|---|
validate |
Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates "in desired state", and exit code of 101 indicates "not in desired state". Any other exit code indicates a failure running validate. |
enforce |
What to run to bring this resource into the desired state. An exit code of 100 indicates "success", any other exit code indicates a failure running enforce. |
Exec
A file or script to execute.
JSON representation |
---|
{ "args": [ string ], "interpreter": enum ( |
Fields | |
---|---|
args[] |
Optional arguments to pass to the source during execution. |
interpreter |
Required. The script interpreter to use. |
output |
Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes. |
Union field source . What to execute. source can be only one of the following: |
|
file |
A remote or local file. |
script |
An inline script. The size of the script is limited to 32KiB. |
Interpreter
The interpreter to use.
Enums | |
---|---|
INTERPRETER_UNSPECIFIED |
Invalid value, the request will return validation error. |
NONE |
If an interpreter is not specified, the source is executed directly. This execution, without an interpreter, only succeeds for executables and scripts that have shebang lines. |
SHELL |
Indicates that the script runs with /bin/sh on Linux and cmd.exe on Windows. |
POWERSHELL |
Indicates that the script runs with PowerShell. |
FileResource
A resource that manages the state of a file.
JSON representation |
---|
{ "path": string, "state": enum ( |
Fields | |
---|---|
path |
Required. The absolute path of the file within the VM. |
state |
Required. Desired state of the file. |
permissions |
Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 |
Union field source . The source for the contents of the file. source can be only one of the following: |
|
file |
A remote or local source. |
content |
A a file with this content. The size of the content is limited to 32KiB. |
DesiredState
Desired state of the file.
Enums | |
---|---|
DESIRED_STATE_UNSPECIFIED |
Unspecified is invalid. |
PRESENT |
Ensure file at path is present. |
ABSENT |
Ensure file at path is absent. |
CONTENTS_MATCH |
Ensure the contents of the file at path matches. If the file does not exist it will be created. |
InstanceFilter
Filters to select target VMs for an assignment.
If more than one filter criteria is specified below, a VM will be selected if and only if it satisfies all of them.
JSON representation |
---|
{ "all": boolean, "osShortNames": [ string ], "inclusionLabels": [ { object ( |
Fields | |
---|---|
all |
Target all VMs in the project. If true, no other criteria is permitted. |
osShortNames[] |
Deprecated. Use the |
inclusion |
List of label sets used for VM inclusion. If the list has more than one |
exclusion |
List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM. |
inventories[] |
List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories. |
LabelSet
Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: env=prod
and type=webserver
will only be applicable for those VMs with both labels present.
JSON representation |
---|
{ "labels": { string: string, ... } } |
Fields | |
---|---|
labels |
Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. An object containing a list of |
Inventory
VM inventory details.
JSON representation |
---|
{ "osShortName": string, "osVersion": string } |
Fields | |
---|---|
os |
Required. The OS short name |
os |
The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of An empty string matches all OS versions. |
Rollout
Message to configure the rollout at the zonal level for the OS policy assignment.
JSON representation |
---|
{
"disruptionBudget": {
object ( |
Fields | |
---|---|
disruption |
Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment. |
min |
Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the A duration in seconds with up to nine fractional digits, ending with ' |
FixedOrPercent
Message encapsulating a value that can be either absolute ("fixed") or relative ("percent") to a value.
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field mode . Type of the value. mode can be only one of the following: |
|
fixed |
Specifies a fixed value. |
percent |
Specifies the relative value defined as a percentage, which will be multiplied by a reference value. |
RolloutState
OS policy assignment rollout state
Enums | |
---|---|
ROLLOUT_STATE_UNSPECIFIED |
Invalid value |
IN_PROGRESS |
The rollout is in progress. |
CANCELLING |
The rollout is being cancelled. |
CANCELLED |
The rollout is cancelled. |
SUCCEEDED |
The rollout has completed successfully. |
Methods |
|
---|---|
|
Create an OS policy assignment. |
|
Delete the OS policy assignment. |
|
Retrieve an existing OS policy assignment. |
|
List the OS policy assignments under the parent resource. |
|
List the OS policy assignment revisions for a given OS policy assignment. |
|
Update an existing OS policy assignment. |