About policy orchestrator

To manage OS policies across projects and zones at scale, use the policy orchestrator feature in VM Manager. Policy orchestrator lets you create, update, and delete OS policy assignments across your resources iteratively, so that a faulty change is caught in a small scope before it reaches every project. You can also monitor the overall rollout status of the OS policy assignments in your organization and folders. If some assignments fail, you can edit or delete the policy orchestrator.

To use this feature, you must be familiar with OS policies and OS policy assignments.

Use cases

You can use policy orchestrator to perform these common tasks:

Apply policies across your organization

Use policy orchestrator to gradually apply OS policy changes across multiple projects and zones in your organization. The following example describes a typical use case of a policy orchestrator.

You want to apply OS policies to VMs in a few projects under folder F1 in your organization. Consider two test projects P1 and P2 under folder F1. To apply the OS policies across these two projects, do the following:

  1. Create an OS policy orchestrator in folder F1 and set the orchestrator scope to P1 and P2.
  2. If the orchestration succeeds, expand the orchestration scope by adding more projects in several gradual steps. You can also disable the scope filter completely to roll out the change to all projects under folder F1.

Automatically create policies in new projects and zones

When Google makes new Google Cloud locations available, or when you create or move Google Cloud projects in your organization, the policy orchestrator discovers those changes on its own and, in a subsequent iteration, enforces the policies in the new locations and projects. You can also define the scope of orchestration and apply changes only to specific projects and resources.

Note that individual project owners can remove or modify policies created by the orchestrator. Such changes are not permanent: the policy orchestrator re-inserts or updates the policies in its next iteration. Until that iteration runs, however, the VMs in that project are not covered by the orchestrated policy, so treat unexpected edits or deletions of orchestrator-managed assignments as a signal worth investigating rather than relying on the orchestrator alone.

How it works

When you create a policy orchestrator, you specify an existing OS policy file and the scope for the orchestration. The policy orchestrator then applies the OS policy to your resources iteratively. In each iteration, the policy orchestrator identifies the resources that are in the orchestration scope and performs the requested action on them.

You can define the orchestration scope by selecting the projects and zones from the following options:

  • Projects: all Google Cloud projects in the resource hierarchy under the parent (organization or folder) of the policy orchestrator resource, optionally narrowed by a project filter.
  • Zones: all available zones, optionally narrowed to a list of zones.

Each policy orchestrator can perform one of the following actions:

  • Create or update (upsert) an OS policy assignment
  • Delete an OS policy assignment

In addition to the action type, the policy orchestrator contains a policy ID and a policy payload. For each project-zone pair in the orchestration scope, policy orchestrator creates an OS policy assignment resource named after the policy ID and populated from the policy payload. Because the resource name is derived from the policy ID, an orchestrator that deletes OS policy assignments must specify the same policy ID that was used to create them.
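The following added example models the behaviour described in this section and in the gradual-rollout use case above: scope resolution to project-zone pairs, the upsert and delete actions keyed by policy ID, the re-application of assignments that a project owner removed or edited, and the automatic pickup of a newly available zone. It is an illustration written for this page, not the VM Manager API or the product's own code. The hierarchy, zone list, folder and project names, the `baseline` policy ID and the policy payload are constructed, and the assignment name layout `projects/<project>/locations/<zone>/osPolicyAssignments/<id>` is an assumption used only to give each project-zone pair a distinct key.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed resource hierarchy and zone list: stand-ins for what the
# orchestrator would discover from the organization and from Compute Engine.
HIERARCHY: Dict[str, Set[str]] = {"folders/F1": {"P1", "P2", "P3"}}
ZONES: List[str] = ["us-central1-a", "europe-west1-b"]


@dataclass(frozen=True)
class Orchestrator:
    """Hypothetical model of one policy orchestrator's configuration (not the real API)."""
    parent: str                                 # resource whose subtree defines the project scope
    policy_id: str                              # assignment ID created in every project-zone pair
    action: str                                 # "upsert" or "delete"
    payload: Optional[dict] = None              # OS policy payload; unused for "delete"
    projects: Optional[FrozenSet[str]] = None   # None = all projects under parent
    zones: Optional[FrozenSet[str]] = None      # None = all available zones


def in_scope(orch: Orchestrator, hierarchy: Dict[str, Set[str]], zones: List[str]) -> Set[Tuple[str, str]]:
    """Resolve the orchestration scope to concrete (project, zone) pairs."""
    projects = set(hierarchy.get(orch.parent, set()))
    if orch.projects is not None:
        projects &= orch.projects          # the filter can only narrow the parent's subtree
    zone_set = set(zones)
    if orch.zones is not None:
        zone_set &= orch.zones
    return {(p, z) for p in projects for z in zone_set}


def assignment_name(project: str, zone: str, policy_id: str) -> str:
    # Assumed name layout; it makes the policy ID part of the resource identity.
    return f"projects/{project}/locations/{zone}/osPolicyAssignments/{policy_id}"


def iterate(orch: Orchestrator, hierarchy: Dict[str, Set[str]], zones: List[str],
            state: Dict[str, dict]) -> List[Tuple[str, str]]:
    """One orchestration iteration over the current scope.

    `state` maps assignment names to their payloads and stands in for the
    assignments that exist in the projects. Returns (name, change) tuples.
    """
    changes: List[Tuple[str, str]] = []
    for project, zone in sorted(in_scope(orch, hierarchy, zones)):
        name = assignment_name(project, zone, orch.policy_id)
        if orch.action == "upsert":
            if name not in state:
                state[name] = dict(orch.payload or {})
                changes.append((name, "created"))
            elif state[name] != orch.payload:       # drift: owner edited it, put it back
                state[name] = dict(orch.payload or {})
                changes.append((name, "updated"))
        elif orch.action == "delete":
            if state.pop(name, None) is not None:   # only removes assignments with this policy ID
                changes.append((name, "deleted"))
        else:
            raise ValueError(f"unknown action {orch.action!r}")
    return changes


def rollout_demo() -> Dict[str, object]:
    """Walk through the gradual rollout from the use case and return each step's changes."""
    state: Dict[str, dict] = {}
    payload = {"osPolicies": [{"id": "ssh-hardening", "mode": "ENFORCEMENT"}]}  # constructed
    zones = list(ZONES)
    # Step 1: scope limited to the two test projects P1 and P2.
    orch = Orchestrator("folders/F1", "baseline", "upsert", payload, frozenset({"P1", "P2"}))
    step1 = iterate(orch, HIERARCHY, zones, state)
    # Between iterations a project owner deletes one assignment and edits another...
    del state[assignment_name("P1", "us-central1-a", "baseline")]
    state[assignment_name("P2", "europe-west1-b", "baseline")]["osPolicies"] = []
    # ...and the next iteration restores both.
    drift = iterate(orch, HIERARCHY, zones, state)
    # Step 2: drop the project filter so every project under F1 is in scope.
    orch_all = Orchestrator("folders/F1", "baseline", "upsert", payload)
    step2 = iterate(orch_all, HIERARCHY, zones, state)
    # A new zone becomes available and is covered without any configuration change.
    zones.append("asia-east1-a")
    new_zone = iterate(orch_all, HIERARCHY, zones, state)
    # A delete orchestrator with the same policy ID removes everything it created.
    teardown = iterate(Orchestrator("folders/F1", "baseline", "delete"), HIERARCHY, zones, state)
    return {"step1": step1, "drift": drift, "step2": step2,
            "new_zone": new_zone, "teardown": teardown, "remaining": len(state)}


if __name__ == "__main__":
    for step, changes in rollout_demo().items():
        print(step, changes)
```

Two points the model makes visible: a locally deleted or edited assignment is repaired only when the next iteration runs, so the gap between iterations is the window in which a project's VMs are unmanaged; and the delete action matches on the policy ID alone, so a delete orchestrator created with a different ID silently removes nothing.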

What's next?