- Resource: OSPolicyAssignment
- OSPolicy
- Mode
- ResourceGroup
- OSFilter
- InventoryFilter
- Resource
- PackageResource
- DesiredState
- APT
- Deb
- File
- Remote
- Gcs
- YUM
- Zypper
- RPM
- GooGet
- MSI
- RepositoryResource
- AptRepository
- ArchiveType
- YumRepository
- ZypperRepository
- GooRepository
- ExecResource
- Exec
- Interpreter
- FileResource
- DesiredState
- InstanceFilter
- LabelSet
- Inventory
- Rollout
- FixedOrPercent
- RolloutState
- Methods
Resource: OSPolicyAssignment
OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances.
An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script.
For more information, see OS policy and OS policy assignment .
| JSON representation |
|---|
{ "name" : string , "description" : string , "osPolicies" : [ { object ( |
| Fields | |
|---|---|
name
|
Resource name. Format: This field is ignored when you create an OS policy assignment. |
description
|
OS policy assignment description. Length of the description is limited to 1024 characters. |
osPolicies[]
|
Required. List of OS policies to be applied to the VMs. |
instanceFilter
|
Required. Filter to select VMs. |
rollout
|
Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created. 2) OSPolicyAssignment is updated and the update contains changes to one of the following fields: - instanceFilter - osPolicies 3) OSPolicyAssignment is deleted. |
revisionId
|
Output only. The assignment revision ID A new revision is committed whenever a rollout is triggered for a OS policy assignment |
revisionCreateTime
|
Output only. The timestamp that the revision was created. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
etag
|
The etag for this OS policy assignment. If this is provided on update, it must match the server's etag. |
rolloutState
|
Output only. OS policy assignment rollout state |
baseline
|
Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of |
deleted
|
Output only. Indicates that this revision deletes the OS policy assignment. |
reconciling
|
Output only. Indicates that reconciliation is in progress for the revision. This value is |
uid
|
Output only. Server generated unique id for the OS policy assignment resource. |
OSPolicy
An OS policy defines the desired state configuration for a VM.
| JSON representation |
|---|
{ "id" : string , "description" : string , "mode" : enum ( |
id
string
Required. The id of the OS policy with the following restrictions:
- Must contain only lowercase letters, numbers, and hyphens.
- Must start with a letter.
- Must be between 1-63 characters.
- Must end with a number or a letter.
- Must be unique within the assignment.
description
string
Policy description. Length of the description is limited to 1024 characters.
mode
enum (
Mode
)
Required. Policy mode
resourceGroups[]
object (
ResourceGroup
)
Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored.
If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant w.r.t this policy. This behavior can be toggled by the flag allowNoResourceGroupMatch
allowNoResourceGroupMatch
boolean
This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to true
if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.
Mode
Policy mode
| Enums | |
|---|---|
MODE_UNSPECIFIED
|
Invalid mode |
VALIDATION
|
This mode checks if the configuration resources in the policy are in their desired state. No actions are performed if they are not in the desired state. This mode is used for reporting purposes. |
ENFORCEMENT
|
This mode checks if the configuration resources in the policy are in their desired state, and if not, enforces the desired state. |
ResourceGroup
Resource groups provide a mechanism to group OS policy resources.
Resource groups enable OS policy authors to create a single OS policy to be applied to VMs running different operating Systems.
When the OS policy is applied to a target VM, the appropriate resource group within the OS policy is selected based on the OSFilter
specified within the resource group.
| JSON representation |
|---|
{ "osFilter" : { object ( |
| Fields | |
|---|---|
osFilter
|
Deprecated. Use the |
inventoryFilters[]
|
List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either If the list is empty, this resource group will be applied to the target VM unconditionally. |
resources[]
|
Required. List of resources configured for this resource group. The resources are executed in the exact order specified here. |
OSFilter
Filtering criteria to select VMs based on OS details.
| JSON representation |
|---|
{ "osShortName" : string , "osVersion" : string } |
| Fields | |
|---|---|
osShortName
|
This should match OS short name emitted by the OS inventory agent. An empty value matches any OS. |
osVersion
|
This value should match the version emitted by the OS inventory agent. Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of |
InventoryFilter
Filtering criteria to select VMs based on inventory details.
| JSON representation |
|---|
{ "osShortName" : string , "osVersion" : string } |
| Fields | |
|---|---|
osShortName
|
Required. The OS short name |
osVersion
|
The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of An empty string matches all OS versions. |
Resource
An OS policy resource is used to define the desired state configuration and provides a specific functionality like installing/removing packages, executing a script etc.
The system ensures that resources are always in their desired state by taking necessary actions if they have drifted from their desired state.
| JSON representation |
|---|
{ "id" : string , // Union field |
id
string
Required. The id of the resource with the following restrictions:
- Must contain only lowercase letters, numbers, and hyphens.
- Must start with a letter.
- Must be between 1-63 characters.
- Must end with a number or a letter.
- Must be unique within the OS policy.
resource_type
. Resource type. resource_type
can be only one of the following:pkg
object (
PackageResource
)
Package resource
repository
object (
RepositoryResource
)
Package repository resource
exec
object (
ExecResource
)
Exec resource
file
object (
FileResource
)
File resource
PackageResource
A resource that manages a system package.
| JSON representation |
|---|
{ "desiredState" : enum ( |
desiredState
enum (
DesiredState
)
Required. The desired state the agent should maintain for this package.
system_package
. A system package. system_package
can be only one of the following:apt
object (
APT
)
A package managed by Apt.
deb
object (
Deb
)
A deb package file.
yum
object (
YUM
)
A package managed by YUM.
zypper
object (
Zypper
)
A package managed by Zypper.
rpm
object (
RPM
)
An rpm package file.
googet
object (
GooGet
)
A package managed by GooGet.
msi
object (
MSI
)
An MSI package.
DesiredState
The desired state that the OS Config agent maintains on the VM.
| Enums | |
|---|---|
DESIRED_STATE_UNSPECIFIED
|
Unspecified is invalid. |
INSTALLED
|
Ensure that the package is installed. |
REMOVED
|
The agent ensures that the package is not installed and uninstalls it if detected. |
APT
A package managed by APT. - install: apt-get update && apt-get -y install [name]
- remove: apt-get -y remove [name]
| JSON representation |
|---|
{ "name" : string } |
| Fields | |
|---|---|
name
|
Required. Package name. |
Deb
A deb package file. dpkg packages only support INSTALLED state.
| JSON representation |
|---|
{
"source"
:
{
object (
|
| Fields | |
|---|---|
source
|
Required. A deb package. |
pullDeps
|
Whether dependencies should also be installed. - install when false: |
File
A remote or local file.
| JSON representation |
|---|
{ "allowInsecure" : boolean , // Union field |
allowInsecure
boolean
Defaults to false. When false, files are subject to validations based on the file type:
Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
type
. A specific type of file. type
can be only one of the following:remote
object (
Remote
)
A generic remote file.
gcs
object (
Gcs
)
A Cloud Storage object.
localPath
string
A local path within the VM to use.
Remote
Specifies a file available via some URI.
| JSON representation |
|---|
{ "uri" : string , "sha256Checksum" : string } |
| Fields | |
|---|---|
uri
|
Required. URI from which to fetch the object. It should contain both the protocol and path following the format |
sha256Checksum
|
SHA256 checksum of the remote file. |
Gcs
Specifies a file available as a Cloud Storage Object.
| JSON representation |
|---|
{ "bucket" : string , "object" : string , "generation" : string } |
| Fields | |
|---|---|
bucket
|
Required. Bucket of the Cloud Storage object. |
object
|
Required. Name of the Cloud Storage object. |
generation
|
Generation number of the Cloud Storage object. |
YUM
A package managed by YUM. - install: yum -y install package
- remove: yum -y remove package
| JSON representation |
|---|
{ "name" : string } |
| Fields | |
|---|---|
name
|
Required. Package name. |
Zypper
A package managed by Zypper. - install: zypper -y install package
- remove: zypper -y rm package
| JSON representation |
|---|
{ "name" : string } |
| Fields | |
|---|---|
name
|
Required. Package name. |
RPM
An RPM package file. RPM packages only support INSTALLED state.
| JSON representation |
|---|
{
"source"
:
{
object (
|
| Fields | |
|---|---|
source
|
Required. An rpm package. |
pullDeps
|
Whether dependencies should also be installed. - install when false: |
GooGet
A package managed by GooGet. - install: googet -noconfirm install package
- remove: googet -noconfirm remove package
| JSON representation |
|---|
{ "name" : string } |
| Fields | |
|---|---|
name
|
Required. Package name. |
MSI
An MSI package. MSI packages only support INSTALLED state.
| JSON representation |
|---|
{
"source"
:
{
object (
|
| Fields | |
|---|---|
source
|
Required. The MSI package. |
properties[]
|
Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of |
RepositoryResource
A resource that manages a package repository.
| JSON representation |
|---|
{ // Union field |
repository
. A specific type of repository. repository
can be only one of the following:apt
object (
AptRepository
)
An Apt Repository.
yum
object (
YumRepository
)
A Yum Repository.
zypper
object (
ZypperRepository
)
A Zypper Repository.
goo
object (
GooRepository
)
A Goo Repository.
AptRepository
Represents a single apt package repository. These will be added to a repo file that will be managed at /etc/apt/sources.list.d/google_osconfig.list
.
| JSON representation |
|---|
{
"archiveType"
:
enum (
|
| Fields | |
|---|---|
archiveType
|
Required. Type of archive files in this repository. |
uri
|
Required. URI for this repository. |
distribution
|
Required. Distribution of this repository. |
components[]
|
Required. List of components for this repository. Must contain at least one item. |
gpgKey
|
URI of the key file for this repository. The agent maintains a keyring at |
ArchiveType
Type of archive.
| Enums | |
|---|---|
ARCHIVE_TYPE_UNSPECIFIED
|
Unspecified is invalid. |
DEB
|
Deb indicates that the archive contains binary files. |
DEB_SRC
|
Deb-src indicates that the archive contains source files. |
YumRepository
Represents a single yum package repository. These are added to a repo file that is managed at /etc/yum.repos.d/google_osconfig.repo
.
| JSON representation |
|---|
{ "id" : string , "displayName" : string , "baseUrl" : string , "gpgKeys" : [ string ] } |
| Fields | |
|---|---|
id
|
Required. A one word, unique name for this repository. This is the |
displayName
|
The display name of the repository. |
baseUrl
|
Required. The location of the repository directory. |
gpgKeys[]
|
URIs of GPG keys. |
ZypperRepository
Represents a single zypper package repository. These are added to a repo file that is managed at /etc/zypp/repos.d/google_osconfig.repo
.
| JSON representation |
|---|
{ "id" : string , "displayName" : string , "baseUrl" : string , "gpgKeys" : [ string ] } |
| Fields | |
|---|---|
id
|
Required. A one word, unique name for this repository. This is the |
displayName
|
The display name of the repository. |
baseUrl
|
Required. The location of the repository directory. |
gpgKeys[]
|
URIs of GPG keys. |
GooRepository
Represents a Goo package repository. These are added to a repo file that is managed at C:/ProgramData/GooGet/repos/google_osconfig.repo
.
| JSON representation |
|---|
{ "name" : string , "url" : string } |
| Fields | |
|---|---|
name
|
Required. The name of the repository. |
url
|
Required. The url of the repository. |
ExecResource
A resource that allows executing scripts on the VM.
The ExecResource
has 2 stages: validate
and enforce
and both stages accept a script as an argument to execute.
When the ExecResource
is applied by the agent, it first executes the script in the validate
stage. The validate
stage can signal that the ExecResource
is already in the desired state by returning an exit code of 100
. If the ExecResource
is not in the desired state, it should return an exit code of 101
. Any other exit code returned by this stage is considered an error.
If the ExecResource
is not in the desired state based on the exit code from the validate
stage, the agent proceeds to execute the script from the enforce
stage. If the ExecResource
is already in the desired state, the enforce
stage will not be run. Similar to validate
stage, the enforce
stage should return an exit code of 100
to indicate that the resource in now in its desired state. Any other exit code is considered an error.
NOTE: An exit code of 100
was chosen over 0
(and 101
vs 1
) to have an explicit indicator of in desired state
, not in desired state
and errors. Because, for example, Powershell will always return an exit code of 0
unless an exit
statement is provided in the script. So, for reasons of consistency and being explicit, exit codes 100
and 101
were chosen.
| JSON representation |
|---|
{ "validate" : { object ( |
| Fields | |
|---|---|
validate
|
Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates "in desired state", and exit code of 101 indicates "not in desired state". Any other exit code indicates a failure running validate. |
enforce
|
What to run to bring this resource into the desired state. An exit code of 100 indicates "success", any other exit code indicates a failure running enforce. |
Exec
A file or script to execute.
| JSON representation |
|---|
{ "args" : [ string ] , "interpreter" : enum ( |
args[]
string
Optional arguments to pass to the source during execution.
interpreter
enum (
Interpreter
)
Required. The script interpreter to use.
outputFilePath
string
Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.
source
. What to execute. source
can be only one of the following:file
object (
File
)
A remote or local file.
script
string
An inline script. The size of the script is limited to 32KiB.
Interpreter
The interpreter to use.
| Enums | |
|---|---|
INTERPRETER_UNSPECIFIED
|
Invalid value, the request will return validation error. |
NONE
|
If an interpreter is not specified, the source is executed directly. This execution, without an interpreter, only succeeds for executables and scripts that have shebang lines . |
SHELL
|
Indicates that the script runs with /bin/sh
on Linux and cmd.exe
on Windows. |
POWERSHELL
|
Indicates that the script runs with PowerShell. |
FileResource
A resource that manages the state of a file.
| JSON representation |
|---|
{ "path" : string , "state" : enum ( |
path
string
Required. The absolute path of the file within the VM.
state
enum (
DesiredState
)
Required. Desired state of the file.
source
. The source for the contents of the file. source
can be only one of the following:file
object (
File
)
A remote or local source.
content
string
A a file with this content. The size of the content is limited to 32KiB.
DesiredState
Desired state of the file.
| Enums | |
|---|---|
DESIRED_STATE_UNSPECIFIED
|
Unspecified is invalid. |
PRESENT
|
Ensure file at path is present. |
ABSENT
|
Ensure file at path is absent. |
CONTENTS_MATCH
|
Ensure the contents of the file at path matches. If the file does not exist it will be created. |
InstanceFilter
Filters to select target VMs for an assignment.
If more than one filter criteria is specified below, a VM will be selected if and only if it satisfies all of them.
| JSON representation |
|---|
{ "all" : boolean , "osShortNames" : [ string ] , "inclusionLabels" : [ { object ( |
| Fields | |
|---|---|
all
|
Target all VMs in the project. If true, no other criteria is permitted. |
osShortNames[]
|
Deprecated. Use the |
inclusionLabels[]
|
List of label sets used for VM inclusion. If the list has more than one |
exclusionLabels[]
|
List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM. |
inventories[]
|
List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories. |
LabelSet
Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: env=prod
and type=webserver
will only be applicable for those VMs with both labels present.
| JSON representation |
|---|
{ "labels" : { string : string , ... } } |
| Fields | |
|---|---|
labels
|
Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. An object containing a list of |
Inventory
VM inventory details.
| JSON representation |
|---|
{ "osShortName" : string , "osVersion" : string } |
| Fields | |
|---|---|
osShortName
|
Required. The OS short name |
osVersion
|
The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of An empty string matches all OS versions. |
Rollout
Message to configure the rollout at the zonal level for the OS policy assignment.
| JSON representation |
|---|
{
"disruptionBudget"
:
{
object (
|
| Fields | |
|---|---|
disruptionBudget
|
Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment. |
minWaitDuration
|
Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the A duration in seconds with up to nine fractional digits, ending with ' |
FixedOrPercent
Message encapsulating a value that can be either absolute ("fixed") or relative ("percent") to a value.
| JSON representation |
|---|
{ // Union field |
mode
. Type of the value. mode
can be only one of the following:fixed
integer
Specifies a fixed value.
percent
integer
Specifies the relative value defined as a percentage, which will be multiplied by a reference value.
RolloutState
OS policy assignment rollout state
| Enums | |
|---|---|
ROLLOUT_STATE_UNSPECIFIED
|
Invalid value |
IN_PROGRESS
|
The rollout is in progress. |
CANCELLING
|
The rollout is being cancelled. |
CANCELLED
|
The rollout is cancelled. |
SUCCEEDED
|
The rollout has completed successfully. |
Methods |
|
|---|---|
|
Create an OS policy assignment. |
|
Delete the OS policy assignment. |
|
Retrieve an existing OS policy assignment. |
|
List the OS policy assignments under the parent resource. |
|
List the OS policy assignment revisions for a given OS policy assignment. |
|
Update an existing OS policy assignment. |
