REST Resource: projects.locations.osPolicyAssignments

Resource: OSPolicyAssignment

OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances.

An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script.

For more information, see OS policy and OS policy assignment.

JSON representation
{
  "name": string,
  "description": string,
  "osPolicies": [
    {
      object (OSPolicy)
    }
  ],
  "instanceFilter": {
    object (InstanceFilter)
  },
  "rollout": {
    object (Rollout)
  },
  "revisionId": string,
  "revisionCreateTime": string,
  "rolloutState": enum (RolloutState),
  "baseline": boolean,
  "deleted": boolean,
  "reconciling": boolean,
  "uid": string
}
Fields
name

string

Resource name.

Format: projects/{project_number}/locations/{location}/osPolicyAssignments/{osPolicyAssignmentId}

This field is ignored when you create an OS policy assignment.

description

string

OS policy assignment description. Length of the description is limited to 1024 characters.

osPolicies[]

object (OSPolicy)

Required. List of OS policies to be applied to the VMs.

instanceFilter

object (InstanceFilter)

Required. Filter to select VMs.

rollout

object (Rollout)

Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations:

  1. OSPolicyAssignment is created.
  2. OSPolicyAssignment is updated and the update contains changes to one of the following fields:
       • instanceFilter
       • osPolicies
  3. OSPolicyAssignment is deleted.

revisionId

string

Output only. The assignment revision ID. A new revision is committed whenever a rollout is triggered for an OS policy assignment.

revisionCreateTime

string (Timestamp format)

Output only. The timestamp that the revision was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

rolloutState

enum (RolloutState)

Output only. OS policy assignment rollout state

baseline

boolean

Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision.

For a given OS policy assignment, there is only one revision with a value of true for this field.

deleted

boolean

Output only. Indicates that this revision deletes the OS policy assignment.

reconciling

boolean

Output only. Indicates that reconciliation is in progress for the revision. This value is true when the rolloutState is one of:

  • IN_PROGRESS
  • CANCELLING

uid

string

Output only. Server generated unique id for the OS policy assignment resource.

OSPolicy

An OS policy defines the desired state configuration for a VM.

JSON representation
{
  "id": string,
  "description": string,
  "mode": enum (Mode),
  "resourceGroups": [
    {
      object (ResourceGroup)
    }
  ],
  "allowNoResourceGroupMatch": boolean
}
Fields
id

string

Required. The id of the OS policy with the following restrictions:

  • Must contain only lowercase letters, numbers, and hyphens.
  • Must start with a letter.
  • Must be between 1 and 63 characters long.
  • Must end with a number or a letter.
  • Must be unique within the assignment.
description

string

Policy description. Length of the description is limited to 1024 characters.

mode

enum (Mode)

Required. Policy mode

resourceGroups[]

object (ResourceGroup)

Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored.

If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant with respect to this policy. This behavior can be toggled by the flag allowNoResourceGroupMatch.

allowNoResourceGroupMatch

boolean

This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to true if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.

Mode

Policy mode

Enums
MODE_UNSPECIFIED Invalid mode
VALIDATION This mode checks if the configuration resources in the policy are in their desired state. No actions are performed if they are not in the desired state. This mode is used for reporting purposes.
ENFORCEMENT This mode checks if the configuration resources in the policy are in their desired state, and if not, enforces the desired state.

ResourceGroup

Resource groups provide a mechanism to group OS policy resources.

Resource groups enable OS policy authors to create a single OS policy to be applied to VMs running different operating systems.

When the OS policy is applied to a target VM, the appropriate resource group within the OS policy is selected based on the OSFilter specified within the resource group.

JSON representation
{
  "osFilter": {
    object (OSFilter)
  },
  "resources": [
    {
      object (Resource)
    }
  ]
}
Fields
osFilter

object (OSFilter)

Used to specify the OS filter for a resource group

resources[]

object (Resource)

Required. List of resources configured for this resource group. The resources are executed in the exact order specified here.

OSFilter

The OSFilter is used to specify the OS filtering criteria for the resource group.

JSON representation
{
  "osShortName": string,
  "osVersion": string
}
Fields
osShortName

string

This should match OS short name emitted by the OS inventory agent. An empty value matches any OS.

osVersion

string

This value should match the version emitted by the OS inventory agent. Prefix matches are supported if an asterisk (*) is provided as the last character. For example, to match all versions with a major version of 7, specify the following value for this field: 7.*
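The following added example (not part of the API reference, and not the service's own code) models how resourceGroups[] are evaluated against a VM: OSFilter matching with the trailing-asterisk prefix rule, first-applicable-group selection, and the allowNoResourceGroupMatch fallback. The function names, outcome labels and sample policy are hypothetical; treating an empty osVersion or a missing osFilter as "matches anything" and using case-sensitive comparison are assumptions.

```python
# Added example: local model of resource-group selection; not the service's code.
# Assumptions: exact, case-sensitive matching; an empty or missing osVersion or
# osFilter matches anything (the page states this only for osShortName).

def os_filter_matches(os_filter, short_name, version):
    """Return True if the OSFilter applies to the VM's reported OS values."""
    want_name = os_filter.get("osShortName", "")
    want_version = os_filter.get("osVersion", "")
    if want_name and want_name != short_name:
        return False
    if not want_version:
        return True
    if want_version.endswith("*"):
        # Prefix match: "7.*" matches "7.9" but not "70.1".
        return version.startswith(want_version[:-1])
    return version == want_version


def evaluate(policy, short_name, version):
    """Return (index of the selected group or None, outcome label).

    Outcome labels are local to this sketch, not API enum values.
    """
    for index, group in enumerate(policy.get("resourceGroups", [])):
        if os_filter_matches(group.get("osFilter", {}), short_name, version):
            # First applicable group wins; later groups are ignored.
            return index, "evaluate-resources"
    if policy.get("allowNoResourceGroupMatch", False):
        return None, "compliant"
    return None, "non-compliant"


# Constructed sample policy (ids and OS values are illustrative; resources trimmed to ids).
SAMPLE_POLICY = {
    "id": "sample-policy",
    "mode": "VALIDATION",
    "resourceGroups": [
        {"osFilter": {"osShortName": "centos", "osVersion": "7.*"},
         "resources": [{"id": "centos7-only"}]},
        {"osFilter": {"osShortName": "centos"},
         "resources": [{"id": "any-centos"}]},
        {"osFilter": {"osShortName": "debian", "osVersion": "11"},
         "resources": [{"id": "debian11-only"}]},
    ],
}

if __name__ == "__main__":
    for vm in [("centos", "7.9"), ("centos", "8.2"), ("debian", "11"), ("ubuntu", "22.04")]:
        print(vm, evaluate(SAMPLE_POLICY, *vm))
```

Two review points follow from the model: a broad group listed before a narrower one shadows it, and with allowNoResourceGroupMatch set to true a VM that matches no group is reported compliant although nothing was validated or enforced on it.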

Resource

An OS policy resource is used to define the desired state configuration and provides a specific functionality, such as installing or removing packages or executing a script.

The system ensures that resources are always in their desired state by taking necessary actions if they have drifted from their desired state.

JSON representation
{
  "id": string,

  // Union field resource_type can be only one of the following:
  "pkg": {
    object (PackageResource)
  },
  "repository": {
    object (RepositoryResource)
  },
  "exec": {
    object (ExecResource)
  },
  "file": {
    object (FileResource)
  }
  // End of list of possible types for union field resource_type.
}
Fields
id

string

Required. The id of the resource with the following restrictions:

  • Must contain only lowercase letters, numbers, and hyphens.
  • Must start with a letter.
  • Must be between 1 and 63 characters long.
  • Must end with a number or a letter.
  • Must be unique within the OS policy.
Union field resource_type. Resource type. resource_type can be only one of the following:
pkg

object (PackageResource)

Package resource

repository

object (RepositoryResource)

Package repository resource

exec

object (ExecResource)

Exec resource

file

object (FileResource)

File resource
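As an added example (not part of the API reference and not Google's validator), the sketch below lints an OSPolicy dict before it is submitted: it checks the id restrictions listed for policies and resources, rejects MODE_UNSPECIFIED, requires the Required list fields, and enforces that each resource sets exactly one member of the resource_type union. The function names and the sample policy are hypothetical.

```python
import re

# Added example: pre-submission lint for an OSPolicy dict; not Google's validator.
ID_RE = re.compile(r"[a-z]([a-z0-9-]{0,61}[a-z0-9])?")
MODES = ("VALIDATION", "ENFORCEMENT")          # MODE_UNSPECIFIED is invalid
RESOURCE_TYPES = ("pkg", "repository", "exec", "file")


def valid_id(value):
    """Lowercase letters, digits, hyphens; starts with a letter; 1-63 chars; ends alphanumeric."""
    return isinstance(value, str) and ID_RE.fullmatch(value) is not None


def lint_policy(policy):
    """Return a list of problems found in one OSPolicy dict (empty list = clean)."""
    problems = []
    pid = policy.get("id")
    if not valid_id(pid):
        problems.append(f"policy id {pid!r} breaks the id restrictions")
    if policy.get("mode") not in MODES:
        problems.append(f"{pid}: mode must be one of {MODES}")
    groups = policy.get("resourceGroups") or []
    if not groups:
        problems.append(f"{pid}: resourceGroups is required")
    seen = set()  # resource ids must be unique within the whole policy
    for gi, group in enumerate(groups):
        resources = group.get("resources") or []
        if not resources:
            problems.append(f"{pid}: group {gi} has no resources")
        for res in resources:
            rid = res.get("id")
            if not valid_id(rid):
                problems.append(f"{pid}: resource id {rid!r} breaks the id restrictions")
            elif rid in seen:
                problems.append(f"{pid}: duplicate resource id {rid!r}")
            else:
                seen.add(rid)
            kinds = [k for k in RESOURCE_TYPES if k in res]
            if len(kinds) != 1:
                problems.append(f"{pid}: resource {rid!r} sets {kinds}, expected exactly one type")
    return problems


# Constructed sample with deliberate mistakes; resource bodies are left empty.
BAD_POLICY = {
    "id": "Harden_SSH", "mode": "MODE_UNSPECIFIED",
    "resourceGroups": [
        {"resources": [{"id": "sshd-config", "file": {}},
                       {"id": "sshd-config", "exec": {}, "pkg": {}},
                       {"id": "restart-", "exec": {}}]},
    ],
}
```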

PackageResource

A resource that manages a system package.

JSON representation
{
  "desiredState": enum (DesiredState),

  // Union field system_package can be only one of the following:
  "apt": {
    object (APT)
  },
  "deb": {
    object (Deb)
  },
  "yum": {
    object (YUM)
  },
  "zypper": {
    object (Zypper)
  },
  "rpm": {
    object (RPM)
  },
  "googet": {
    object (GooGet)
  },
  "msi": {
    object (