REST Resource: projects.locations.instanceOSPoliciesCompliances

Resource: InstanceOSPoliciesCompliance

This API resource represents the OS policies compliance data for a Compute Engine virtual machine (VM) instance at a given point in time.

A Compute Engine VM can have multiple OS policy assignments, and each assignment can have multiple OS policies. As a result, multiple OS policies could be applied to a single VM.

You can use this API resource to determine both the compliance state of your VM as well as the compliance state of an individual OS policy.

For more information, see View compliance.

JSON representation 
{
  "name": string,
  "instance": string,
  "state": enum (OSPolicyComplianceState),
  "detailedState": string,
  "detailedStateReason": string,
  "osPolicyCompliances": [
    {
      object (OSPolicyCompliance)
    }
  ],
  "lastComplianceCheckTime": string,
  "lastComplianceRunId": string
}
Fields
name

string

Output only. The InstanceOSPoliciesCompliance API resource name.

Format: projects/{project_number}/locations/{location}/instanceOSPoliciesCompliances/{instance_id}
instance

string

Output only. The Compute Engine VM instance name.
state

enum (OSPolicyComplianceState)

Output only. Compliance state of the VM.
detailedState

string

Output only. Detailed compliance state of the VM. This field is populated only when compliance state is UNKNOWN.

It may contain one of the following values:

  • no-compliance-data: Compliance data is not available for this VM.
  • no-agent-detected: OS Config agent is not detected for this VM.
  • config-not-supported-by-agent: The version of the OS Config agent running on this VM does not support configuration management.
  • inactive: VM is not running.
  • internal-service-errors: There were internal service errors encountered while enforcing compliance.
  • agent-errors: OS config agent encountered errors while enforcing compliance.
detailedStateReason

string

Output only. The reason for the detailedState of the VM (if any).
osPolicyCompliances[]

object (OSPolicyCompliance)

Output only. Compliance data for each OSPolicy that is applied to the VM.
lastComplianceCheckTime

string (Timestamp format)

Output only. Timestamp of the last compliance check for the VM.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
lastComplianceRunId

string

Output only. Unique identifier for the last compliance run. This id will be logged by the OS config agent during a compliance run and can be used for debugging and tracing purpose.

OSPolicyComplianceState

Supported OSPolicy compliance states.

Enums
OS_POLICY_COMPLIANCE_STATE_UNSPECIFIED Default value. This value is unused.
COMPLIANT Compliant state.
NON_COMPLIANT Non-compliant state
UNKNOWN Unknown compliance state.
NO_OS_POLICIES_APPLICABLE No applicable OS policies were found for the instance. This state is only applicable to the instance.

OSPolicyCompliance

Compliance data for an OS policy

JSON representation 
{
  "osPolicyId": string,
  "osPolicyAssignment": string,
  "state": enum (OSPolicyComplianceState),
  "osPolicyResourceCompliances": [
    {
      object (OSPolicyResourceCompliance)
    }
  ]
}
Fields
osPolicyId

string

The OS policy id
osPolicyAssignment

string

Reference to the OSPolicyAssignment API resource that the OSPolicy belongs to.

Format: projects/{project_number}/locations/{location}/osPolicyAssignments/{osPolicyAssignmentId@revisionId}
state

enum (OSPolicyComplianceState)

Compliance state of the OS policy.
osPolicyResourceCompliances[]

object (OSPolicyResourceCompliance)

Compliance data for each OSPolicyResource that is applied to the VM.

OSPolicyResourceCompliance

Compliance data for an OS policy resource.

JSON representation 
{
  "osPolicyResourceId": string,
  "configSteps": [
    {
      object (OSPolicyResourceConfigStep)
    }
  ],
  "state": enum (OSPolicyComplianceState),

  // Union field output can be only one of the following:
  "execResourceOutput": {
    object (ExecResourceOutput)
  }
  // End of list of possible types for union field output.
}
Fields
osPolicyResourceId

string

The id of the OS policy resource.
configSteps[]

object (OSPolicyResourceConfigStep)

Ordered list of configuration steps taken by the agent for the OS policy resource.
state

enum (OSPolicyComplianceState)

Compliance state of the OS policy resource.
Union field output. Resource specific output. output can be only one of the following:
execResourceOutput

object (ExecResourceOutput)

ExecResource specific output.

OSPolicyResourceConfigStep

Step performed by the OS Config agent for configuring an OSPolicyResource to its desired state.

JSON representation 
{
  "type": enum (Type),
  "outcome": enum (Outcome),
  "errorMessage": string
}
Fields
type

enum (Type)

Configuration step type.
outcome

enum (Outcome)

Outcome of the configuration step.
errorMessage

string

An error message recorded during the execution of this step. Only populated when outcome is FAILED.

Type

Supported configuration step types

Enums
TYPE_UNSPECIFIED Default value. This value is unused.
VALIDATION Validation to detect resource conflicts, schema errors, etc.
DESIRED_STATE_CHECK Check the current desired state status of the resource.
DESIRED_STATE_ENFORCEMENT Enforce the desired state for a resource that is not in desired state.
DESIRED_STATE_CHECK_POST_ENFORCEMENT

Re-check desired state status for a resource after enforcement of all resources in the current configuration run.

This step is used to determine the final desired state status for the resource. It accounts for any resources that might have drifted from their desired state due to side effects from configuring other resources during the current configuration run.

Outcome

Supported outcomes for a configuration step.

Enums
OUTCOME_UNSPECIFIED Default value. This value is unused.
SUCCEEDED The step succeeded.
FAILED The step failed.

ExecResourceOutput

ExecResource specific output.

JSON representation 
{
  "enforcementOutput": string
}
Fields
enforcementOutput

string (bytes format)

Output from Enforcement phase output file (if run). Output size is limited to 100K bytes.

A base64-encoded string.

Methods

get
(deprecated)

 Get OS policies compliance data for the specified Compute Engine VM instance.

list
(deprecated)

 List OS policies compliance data for all Compute Engine VM instances in the specified zone.