OSConfigOSPolicyAssignment

| Property | Value |
| --- | --- |
| Google Cloud Service Name | OS Config |
| Google Cloud Service Documentation | /compute/docs/osconfig/rest/ |
| Google Cloud REST Resource Name | v1.projects.locations.osPolicyAssignments |
| Google Cloud REST Resource Documentation | /compute/docs/osconfig/rest/v1/projects.locations.osPolicyAssignments |
| Config Connector Resource Short Names | gcposconfigospolicyassignment, gcposconfigospolicyassignments, osconfigospolicyassignment |
| Config Connector Service Name | osconfig.googleapis.com |
| Config Connector Resource Fully Qualified Name | osconfigospolicyassignments.osconfig.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |

Custom Resource Definition Properties

Spec

Schema

  description: string
  instanceFilter:
    all: boolean
    exclusionLabels:
    - labels:
        string: string
    inclusionLabels:
    - labels:
        string: string
    inventories:
    - osShortName: string
      osVersion: string
  location: string
  osPolicies:
  - allowNoResourceGroupMatch: boolean
    description: string
    id: string
    mode: string
    resourceGroups:
    - inventoryFilters:
      - osShortName: string
        osVersion: string
      resources:
      - exec:
          enforce:
            args:
            - string
            file:
              allowInsecure: boolean
              gcs:
                bucket: string
                generation: integer
                object: string
              localPath: string
              remote:
                sha256Checksum: string
                uri: string
            interpreter: string
            outputFilePath: string
            script: string
          validate:
            args:
            - string
            file:
              allowInsecure: boolean
              gcs:
                bucket: string
                generation: integer
                object: string
              localPath: string
              remote:
                sha256Checksum: string
                uri: string
            interpreter: string
            outputFilePath: string
            script: string
        file:
          content: string
          file:
            allowInsecure: boolean
            gcs:
              bucket: string
              generation: integer
              object: string
            localPath: string
            remote:
              sha256Checksum: string
              uri: string
          path: string
          permissions: string
          state: string
        id: string
        pkg:
          apt:
            name: string
          deb:
            pullDeps: boolean
            source:
              allowInsecure: boolean
              gcs:
                bucket: string
                generation: integer
                object: string
              localPath: string
              remote:
                sha256Checksum: string
                uri: string
          desiredState: string
          googet:
            name: string
          msi:
            properties:
            - string
            source:
              allowInsecure: boolean
              gcs:
                bucket: string
                generation: integer
                object: string
              localPath: string
              remote:
                sha256Checksum: string
                uri: string
          rpm:
            pullDeps: boolean
            source:
              allowInsecure: boolean
              gcs:
                bucket: string
                generation: integer
                object: string
              localPath: string
              remote:
                sha256Checksum: string
                uri: string
          yum:
            name: string
          zypper:
            name: string
        repository:
          apt:
            archiveType: string
            components:
            - string
            distribution: string
            gpgKey: string
            uri: string
          goo:
            name: string
            url: string
          yum:
            baseUrl: string
            displayName: string
            gpgKeys:
            - string
            id: string
          zypper:
            baseUrl: string
            displayName: string
            gpgKeys:
            - string
            id: string
  projectRef:
    external: string
    name: string
    namespace: string
  resourceID: string
  rollout:
    disruptionBudget:
      fixed: integer
      percent: integer
    minWaitDuration: string
Fields

description

Optional

string

OS policy assignment description. Length of the description is limited to 1024 characters.

instanceFilter

Required

object

Required. Filter to select VMs.

instanceFilter.all

Optional

boolean

Target all VMs in the project. If true, no other criteria are permitted.

instanceFilter.exclusionLabels

Optional

list (object)

List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM.

instanceFilter.exclusionLabels[]

Optional

object

instanceFilter.exclusionLabels[].labels

Optional

map (key: string, value: string)

Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.

instanceFilter.inclusionLabels

Optional

list (object)

List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM.

instanceFilter.inclusionLabels[]

Optional

object

instanceFilter.inclusionLabels[].labels

Optional

map (key: string, value: string)

Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.

instanceFilter.inventories

Optional

list (object)

List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories.

instanceFilter.inventories[]

Optional

object

instanceFilter.inventories[].osShortName

Required*

string

Required. The OS short name.

instanceFilter.inventories[].osVersion

Optional

string

The OS version. Prefix matches are supported if an asterisk (*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field: `7.*`. An empty string matches all OS versions.

location

Required

string

The location for the resource

osPolicies

Required

list (object)

Required. List of OS policies to be applied to the VMs.

osPolicies[]

Required

object

osPolicies[].allowNoResourceGroupMatch

Optional

boolean

This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.

osPolicies[].description

Optional

string

Policy description. Length of the description is limited to 1024 characters.

osPolicies[].id

Required

string

Required. The id of the OS policy with the following restrictions:

* Must contain only lowercase letters, numbers, and hyphens.
* Must start with a letter.
* Must be between 1-63 characters.
* Must end with a number or a letter.
* Must be unique within the assignment.

osPolicies[].mode

Required

string

Required. Policy mode. Possible values: MODE_UNSPECIFIED, VALIDATION, ENFORCEMENT

osPolicies[].resourceGroups

Required

list (object)

Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified; the first resource group that is applicable is selected and the rest are ignored. If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant with respect to this policy. This behavior can be toggled by the flag `allow_no_resource_group_match`.

osPolicies[].resourceGroups[]

Required

object

osPolicies[].resourceGroups[].inventoryFilters

Optional

list (object)

List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with the following values: `inventory_filters[0].os_short_name='rhel'` and `inventory_filters[1].os_short_name='centos'`. If the list is empty, this resource group will be applied to the target VM unconditionally.

osPolicies[].resourceGroups[].inventoryFilters[]

Optional

object

osPolicies[].resourceGroups[].inventoryFilters[].osShortName

Required*

string

Required. The OS short name.

osPolicies[].resourceGroups[].inventoryFilters[].osVersion

Optional

string

The OS version. Prefix matches are supported if an asterisk (*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field: `7.*`. An empty string matches all OS versions.
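The resource-group selection rules described for `resourceGroups`, `inventoryFilters`, `osVersion` and `allowNoResourceGroupMatch`, modelled as an added example (not Config Connector or OS Config agent code). The policies and VM inventories are constructed, and exact, case-sensitive comparison of `osShortName` is an assumption.

```python
"""Added example: model of how one OS policy picks a resource group for a VM."""


def version_matches(pattern, version):
    """osVersion rule: empty matches all; a trailing '*' makes a prefix match."""
    if not pattern:
        return True
    if pattern.endswith("*"):
        return version.startswith(pattern[:-1])
    return version == pattern


def filter_matches(inv_filter, vm):
    """One inventory filter: short name must match (assumed exact), then version."""
    return (inv_filter["osShortName"] == vm["osShortName"]
            and version_matches(inv_filter.get("osVersion", ""), vm["osVersion"]))


def select_resource_group(policy, vm):
    """Return the index of the first applicable resource group, or None."""
    for index, group in enumerate(policy.get("resourceGroups", [])):
        filters = group.get("inventoryFilters", [])
        # An empty filter list applies unconditionally; otherwise any one
        # matching filter is enough.
        if not filters or any(filter_matches(f, vm) for f in filters):
            return index
    return None


def evaluate(policy, vm):
    """Return (outcome, resource ids that would be evaluated in order)."""
    index = select_resource_group(policy, vm)
    if index is not None:
        group = policy["resourceGroups"][index]
        return ("APPLY", [r["id"] for r in group["resources"]])
    if policy.get("allowNoResourceGroupMatch", False):
        return ("COMPLIANT", [])
    return ("NON_COMPLIANT", [])


# Constructed policy: resources are reduced to their ids for brevity.
POLICY = {
    "id": "baseline",
    "mode": "VALIDATION",
    "resourceGroups": [
        {"inventoryFilters": [{"osShortName": "rhel", "osVersion": "7.*"},
                              {"osShortName": "centos", "osVersion": "7.*"}],
         "resources": [{"id": "el7-agent"}]},
        {"inventoryFilters": [{"osShortName": "debian", "osVersion": ""}],
         "resources": [{"id": "deb-agent"}]},
    ],
}

# Constructed policy showing an ordering mistake: the catch-all group comes
# first, so the centos-specific group after it is never selected.
SHADOWED = {
    "id": "shadowed",
    "mode": "ENFORCEMENT",
    "resourceGroups": [
        {"inventoryFilters": [], "resources": [{"id": "generic-hardening"}]},
        {"inventoryFilters": [{"osShortName": "centos", "osVersion": "8.*"}],
         "resources": [{"id": "centos8-hardening"}]},
    ],
}

if __name__ == "__main__":
    for vm in ({"osShortName": "centos", "osVersion": "7.9"},
               {"osShortName": "rhel", "osVersion": "70.1"},
               {"osShortName": "debian", "osVersion": "11"}):
        print(vm, evaluate(POLICY, vm))
    print(evaluate(SHADOWED, {"osShortName": "centos", "osVersion": "8.3"}))
```

Note that `7.*` is a prefix match on `7.`, so it does not match a reported version of `7` or `70.1`, while `7*` would match both.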

osPolicies[].resourceGroups[].resources

Required

list (object)

Required. List of resources configured for this resource group. The resources are executed in the exact order specified here.

osPolicies[].resourceGroups[].resources[]

Required

object

osPolicies[].resourceGroups[].resources[].exec

Optional

object

Exec resource

osPolicies[].resourceGroups[].resources[].exec.enforce

Optional

object

Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates "in desired state", and exit code of 101 indicates "not in desired state". Any other exit code indicates a failure running validate.

osPolicies[].resourceGroups[].resources[].exec.enforce.args

Optional

list (string)

Optional arguments to pass to the source during execution.

osPolicies[].resourceGroups[].resources[].exec.enforce.args[]

Optional

string

osPolicies[].resourceGroups[].resources[].exec.enforce.file

Optional

object

Required. A deb package.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].exec.enforce.interpreter

Required*

string

Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL

osPolicies[].resourceGroups[].resources[].exec.enforce.outputFilePath

Optional

string

Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.

osPolicies[].resourceGroups[].resources[].exec.enforce.script

Optional

string

An inline script. The size of the script is limited to 1024 characters.

osPolicies[].resourceGroups[].resources[].exec.validate

Required*

object

Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates "in desired state", and exit code of 101 indicates "not in desired state". Any other exit code indicates a failure running validate.

osPolicies[].resourceGroups[].resources[].exec.validate.args

Optional

list (string)

Optional arguments to pass to the source during execution.

osPolicies[].resourceGroups[].resources[].exec.validate.args[]

Optional

string

osPolicies[].resourceGroups[].resources[].exec.validate.file

Optional

object

Required. A deb package.

osPolicies[].resourceGroups[].resources[].exec.validate.file.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].exec.validate.file.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.validate.file.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.validate.file.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.validate.file.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.validate.file.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].exec.validate.file.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].exec.validate.file.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].exec.validate.file.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].exec.validate.interpreter

Required*

string

Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL

osPolicies[].resourceGroups[].resources[].exec.validate.outputFilePath

Optional

string

Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.

osPolicies[].resourceGroups[].resources[].exec.validate.script

Optional

string

An inline script. The size of the script is limited to 1024 characters.

osPolicies[].resourceGroups[].resources[].file

Optional

object

File resource

osPolicies[].resourceGroups[].resources[].file.content

Optional

string

A file with this content. The size of the content is limited to 1024 characters.

osPolicies[].resourceGroups[].resources[].file.file

Optional

object

Required. A deb package.

osPolicies[].resourceGroups[].resources[].file.file.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].file.file.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].file.file.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].file.file.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].file.file.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].file.file.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].file.file.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].file.file.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].file.file.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].file.path

Required*

string

Required. The absolute path of the file within the VM.

osPolicies[].resourceGroups[].resources[].file.permissions

Optional

string

Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the Linux chmod utility). Each digit represents a three-bit number, with the 4 bit corresponding to the read permission, the 2 bit corresponding to the write permission, and the 1 bit corresponding to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values:

* read, write, and execute: 7
* read and execute: 5
* read and write: 6
* read only: 4

osPolicies[].resourceGroups[].resources[].file.state

Required*

string

Required. Desired state of the file. Possible values: OS_POLICY_COMPLIANCE_STATE_UNSPECIFIED, COMPLIANT, NON_COMPLIANT, UNKNOWN, NO_OS_POLICIES_APPLICABLE

osPolicies[].resourceGroups[].resources[].id

Required

string

Required. The id of the resource with the following restrictions:

* Must contain only lowercase letters, numbers, and hyphens.
* Must start with a letter.
* Must be between 1-63 characters.
* Must end with a number or a letter.
* Must be unique within the OS policy.

osPolicies[].resourceGroups[].resources[].pkg

Optional

object

Package resource

osPolicies[].resourceGroups[].resources[].pkg.apt

Optional

object

A package managed by Apt.

osPolicies[].resourceGroups[].resources[].pkg.apt.name

Required*

string

Required. Package name.

osPolicies[].resourceGroups[].resources[].pkg.deb

Optional

object

A deb package file.

osPolicies[].resourceGroups[].resources[].pkg.deb.pullDeps

Optional

boolean

Whether dependencies should also be installed.

* install when false: `dpkg -i package`
* install when true: `apt-get update && apt-get -y install package.deb`

osPolicies[].resourceGroups[].resources[].pkg.deb.source

Required*

object

Required. A deb package.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].pkg.desiredState

Required*

string

Required. The desired state the agent should maintain for this package. Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED

osPolicies[].resourceGroups[].resources[].pkg.googet

Optional

object

A package managed by GooGet.

osPolicies[].resourceGroups[].resources[].pkg.googet.name

Required*

string

Required. Package name.

osPolicies[].resourceGroups[].resources[].pkg.msi

Optional

object

An MSI package.

osPolicies[].resourceGroups[].resources[].pkg.msi.properties

Optional

list (string)

Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`.

osPolicies[].resourceGroups[].resources[].pkg.msi.properties[]

Optional

string

osPolicies[].resourceGroups[].resources[].pkg.msi.source

Required*

object

Required. A deb package.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].pkg.rpm

Optional

object

An rpm package file.

osPolicies[].resourceGroups[].resources[].pkg.rpm.pullDeps

Optional

boolean

Whether dependencies should also be installed.

* install when false: `rpm --upgrade --replacepkgs package.rpm`
* install when true: `yum -y install package.rpm` or `zypper -y install package.rpm`

osPolicies[].resourceGroups[].resources[].pkg.rpm.source

Required*

object

Required. A deb package.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
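The `allowInsecure`, `sha256Checksum`, `generation` and `uri` rules repeated for every file source above can be checked before a manifest is applied. The following is an added example, not Config Connector code: the manifest is given as a Python dict (as a YAML loader would produce), `deb2` is taken from this page's sample, and the other resources, bucket and host names are constructed.

```python
"""Added example: lint an OSConfigOSPolicyAssignment for unverified file sources."""
import re

# Paths, relative to one resourceGroups[].resources[] entry, that hold a file
# source with the allowInsecure / gcs / localPath / remote shape.
FILE_SOURCE_PATHS = (
    ("exec", "enforce", "file"),
    ("exec", "validate", "file"),
    ("file", "file"),
    ("pkg", "deb", "source"),
    ("pkg", "msi", "source"),
    ("pkg", "rpm", "source"),
)

SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")           # 32 bytes as hex
HAS_PROTOCOL = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")  # {protocol}://{location}


def dig(node, path):
    """Follow a key path through nested dicts; None if it does not end in a dict."""
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def check_source(source):
    """Return finding codes for one file-source object."""
    codes = []
    if source.get("allowInsecure", False):
        codes.append("ALLOW_INSECURE")  # checksum/generation validation waived
    remote = source.get("remote")
    if isinstance(remote, dict):
        checksum = remote.get("sha256Checksum")
        if not checksum:
            codes.append("REMOTE_NO_CHECKSUM")
        elif not SHA256_HEX.match(checksum):
            codes.append("REMOTE_BAD_CHECKSUM")
        if not HAS_PROTOCOL.match(remote.get("uri", "")):
            codes.append("REMOTE_URI_NO_PROTOCOL")
    gcs = source.get("gcs")
    if isinstance(gcs, dict) and gcs.get("generation") is None:
        codes.append("GCS_NO_GENERATION")  # object can change under the policy
    return codes


def lint_assignment(manifest):
    """Return (policy id, resource id, source path, code) for every finding."""
    findings = []
    for policy in manifest.get("spec", {}).get("osPolicies", []):
        for group in policy.get("resourceGroups", []):
            for resource in group.get("resources", []):
                for path in FILE_SOURCE_PATHS:
                    source = dig(resource, path)
                    if source is None:
                        continue
                    for code in check_source(source):
                        findings.append((policy.get("id"), resource.get("id"),
                                         ".".join(path), code))
    return findings


SAMPLE = {
    "apiVersion": "osconfig.cnrm.cloud.google.com/v1beta1",
    "kind": "OSConfigOSPolicyAssignment",
    "spec": {"osPolicies": [{
        "id": "policy",
        "mode": "VALIDATION",
        "resourceGroups": [{"resources": [
            # From this page's sample YAML.
            {"id": "deb2", "pkg": {"desiredState": "INSTALLED", "deb": {
                "pullDeps": True,
                "source": {"allowInsecure": True, "remote": {
                    "uri": "ftp.us.debian.org/debian/package.deb",
                    "sha256Checksum": "3bbfd1043cd7afdb78cf9afec36c0c53"
                                      "70d2fea98166537b4e67f3816f256025"}}}}},
            # Constructed: Cloud Storage script with no generation pinned.
            {"id": "script-unpinned", "exec": {"validate": {
                "interpreter": "SHELL",
                "file": {"gcs": {"bucket": "example-bucket",
                                 "object": "check.sh"}}}}},
            # Constructed: remote package pinned by a placeholder checksum.
            {"id": "rpm-pinned", "pkg": {"desiredState": "INSTALLED", "rpm": {
                "source": {"remote": {
                    "uri": "https://packages.example.com/agent.rpm",
                    "sha256Checksum": "0" * 64}}}}},
        ]}],
    }]},
}

if __name__ == "__main__":
    for finding in lint_assignment(SAMPLE):
        print(*finding, sep="  ")
```

The sample's `deb2` is reported twice: it sets `allowInsecure: true` even though a checksum is supplied, and its `uri` does not follow the `{protocol}://{location}` format.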

osPolicies[].resourceGroups[].resources[].pkg.yum

Optional

object

A package managed by YUM.

osPolicies[].resourceGroups[].resources[].pkg.yum.name

Required*

string

Required. Package name.

osPolicies[].resourceGroups[].resources[].pkg.zypper

Optional

object

A package managed by Zypper.

osPolicies[].resourceGroups[].resources[].pkg.zypper.name

Required*

string

Required. Package name.

osPolicies[].resourceGroups[].resources[].repository

Optional

object

Package repository resource

osPolicies[].resourceGroups[].resources[].repository.apt

Optional

object

An Apt Repository.

osPolicies[].resourceGroups[].resources[].repository.apt.archiveType

Required*

string

Required. Type of archive files in this repository. Possible values: ARCHIVE_TYPE_UNSPECIFIED, DEB, DEB_SRC

osPolicies[].resourceGroups[].resources[].repository.apt.components

Required*

list (string)

Required. List of components for this repository. Must contain at least one item.

osPolicies[].resourceGroups[].resources[].repository.apt.components[]

Required*

string

osPolicies[].resourceGroups[].resources[].repository.apt.distribution

Required*

string

Required. Distribution of this repository.

osPolicies[].resourceGroups[].resources[].repository.apt.gpgKey

Optional

string

URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`.

osPolicies[].resourceGroups[].resources[].repository.apt.uri

Required*

string

Required. URI for this repository.

osPolicies[].resourceGroups[].resources[].repository.goo

Optional

object

A Goo Repository.

osPolicies[].resourceGroups[].resources[].repository.goo.name

Required*

string

Required. The name of the repository.

osPolicies[].resourceGroups[].resources[].repository.goo.url

Required*

string

Required. The url of the repository.

osPolicies[].resourceGroups[].resources[].repository.yum

Optional

object

A Yum Repository.

osPolicies[].resourceGroups[].resources[].repository.yum.baseUrl

Required*

string

Required. The location of the repository directory.

osPolicies[].resourceGroups[].resources[].repository.yum.displayName

Optional

string

The display name of the repository.

osPolicies[].resourceGroups[].resources[].repository.yum.gpgKeys

Optional

list (string)

URIs of GPG keys.

osPolicies[].resourceGroups[].resources[].repository.yum.gpgKeys[]

Optional

string

osPolicies[].resourceGroups[].resources[].repository.yum.id

Required*

string

Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts.

osPolicies[].resourceGroups[].resources[].repository.zypper

Optional

object

A Zypper Repository.

osPolicies[].resourceGroups[].resources[].repository.zypper.baseUrl

Required*

string

Required. The location of the repository directory.

osPolicies[].resourceGroups[].resources[].repository.zypper.displayName

Optional

string

The display name of the repository.

osPolicies[].resourceGroups[].resources[].repository.zypper.gpgKeys

Optional

list (string)

URIs of GPG keys.

osPolicies[].resourceGroups[].resources[].repository.zypper.gpgKeys[]

Optional

string

osPolicies[].resourceGroups[].resources[].repository.zypper.id

Required*

string

Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.

projectRef

Required

object

The Project that this resource belongs to.

projectRef.external

Optional

string

The project for the resource

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

rollout

Required

object

Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations:

1) OSPolicyAssignment is created.
2) OSPolicyAssignment is updated and the update contains changes to one of the following fields:
   - instance_filter
   - os_policies
3) OSPolicyAssignment is deleted.

rollout.disruptionBudget

Required

object

Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment.

rollout.disruptionBudget.fixed

Optional

integer

Specifies a fixed value.

rollout.disruptionBudget.percent

Optional

integer

Specifies the relative value defined as a percentage, which will be multiplied by a reference value.

rollout.minWaitDuration

Required

string

Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied.

* Field is required when parent field is specified

Status

Schema

  baseline: boolean
  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  deleted: boolean
  etag: string
  observedGeneration: integer
  reconciling: boolean
  revisionCreateTime: string
  revisionId: string
  rolloutState: string
  uid: string
Fields
baseline

boolean

Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of `true` for this field.

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

deleted

boolean

Output only. Indicates that this revision deletes the OS policy assignment.

etag

string

The etag for this OS policy assignment. If this is provided on update, it must match the server's etag.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

reconciling

boolean

Output only. Indicates that reconciliation is in progress for the revision. This value is `true` when the `rollout_state` is one of:

* IN_PROGRESS
* CANCELLING

revisionCreateTime

string

Output only. The timestamp that the revision was created.

revisionId

string

Output only. The assignment revision ID. A new revision is committed whenever a rollout is triggered for an OS policy assignment.

rolloutState

string

Output only. OS policy assignment rollout state. Possible values: ROLLOUT_STATE_UNSPECIFIED, IN_PROGRESS, CANCELLING, CANCELLED, SUCCEEDED

uid

string

Output only. Server generated unique id for the OS policy assignment resource.

Sample YAML(s)

Fixed Os Policy Assignment

  # Copyright 2021 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: osconfig.cnrm.cloud.google.com/v1beta1
  kind: OSConfigOSPolicyAssignment
  metadata:
    name: osconfigospolicyassignment-sample-fixedospolicyassignment
  spec:
    projectRef:
       # Replace ${PROJECT_ID?} with your project ID
       external: "projects/${PROJECT_ID?}"
    location: "us-west2-a"
    description: "A test os policy assignment"
    osPolicies:
    - id: "policy"
      description: "A test os policy"
      mode: "VALIDATION"
      resourceGroups:
      - inventoryFilters:
        - osShortName: "centos"
          osVersion: "8.*"
        resources:
        - id: "apt"
          pkg:
            desiredState: "INSTALLED"
            apt:
              name: "bazel"
        - id: "deb1"
          pkg:
            desiredState: "INSTALLED"
            deb:
              source:
                localPath: "$HOME/package.deb"
        - id: "deb2"
          pkg:
            desiredState: "INSTALLED"
            deb:
              pullDeps: true
              source:
                allowInsecure: true
                remote:
                  uri: "ftp.us.debian.org/debian/package.deb"
                  sha256Checksum: "3bbfd1043cd7afdb78cf9afec36c0c5370d2fea98166537b4e67f3816f256025"
        - id: "deb3"
          pkg:
            desiredState: "INSTALLED"
            deb:
              pullDeps: true
              source:
                gcs:
                  bucket: "test-bucket"
                  object: "test-object"
                  generation: 1
        - id: "yum"
          pkg:
            desiredState: "INSTALLED"
            yum:
              name: "gstreamer-plugins-base-devel.x86_64"
        - id: "zypper"
          pkg:
            desiredState: "INSTALLED"
            zypper:
              name: "gcc"
        - id: "rpm1"
          pkg:
            desiredState: "INSTALLED"
            rpm:
              pullDeps: true
              source:
                localPath: "$HOME/package.rpm"
        - id: "rpm2"
          pkg:
            desiredState: "INSTALLED"
            rpm:
              source:
                allowInsecure: true
                remote:
                  uri: "https://mirror.jaleco.com/centos/8.3.2011/BaseOS/x86_64/os/Packages/efi-filesystem-3-2.el8.noarch.rpm"
                  sha256Checksum: "3bbfd1043cd7afdb78cf9afec36c0c5370d2fea98166537b4e67f3816f256025"
        - id: "rpm3"
          pkg:
            desiredState: "INSTALLED"
            rpm:
              source:
                gcs:
                  bucket: "test-bucket"
                  object: "test-object"
                  generation: 1
      - resources:
        - id: "apt-to-deb"
          pkg:
            desiredState: "INSTALLED"
            apt:
              name: "bazel"
        - id: "deb-local-path-to-gcs"
          pkg:
            desiredState: "INSTALLED"
            deb:
              source:
                localPath: "$HOME/package.deb"
        - id: "googet"
          pkg:
            desiredState: "INSTALLED"
            googet:
              name: "gcc"
        - id: "msi1"
          pkg:
            desiredState: "INSTALLED"
            msi:
              source:
                localPath: "$HOME/package.msi"
              properties:
              - "REBOOT=ReallySuppress"
        - id: "msi2"
          pkg:
            desiredState: "INSTALLED"
            msi:
              source:
                allowInsecure: true
                remote:
                  uri: "https://remote.uri.com/package.msi"
                  sha256Checksum: "3bbfd1043cd7afdb78cf9afec36c0c5370d2fea98166537b4e67f3816f256025"
        - id: "msi3"
          pkg:
            desiredState: "INSTALLED"
            msi:
              source:
                gcs:
                  bucket: "test-bucket"
                  object: "test-object"
                  generation: 1
      allowNoResourceGroupMatch: false
    instanceFilter:
      all: false
      inclusionLabels:
      - labels:
          label-one: "value-one"
      exclusionLabels:
      - labels:
          label-two: "value-two"
      inventories:
      - osShortName: "centos"
        osVersion: "8.*"
    rollout:
      disruptionBudget:
        fixed: 1
      minWaitDuration: "3.5s"

Percent Os Policy Assignment

  # Copyright 2021 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: osconfig.cnrm.cloud.google.com/v1beta1
  kind: OSConfigOSPolicyAssignment
  metadata:
    name: osconfigospolicyassignment-sample-percentospolicyassignment
  spec:
    projectRef:
       # Replace ${PROJECT_ID?} with your project ID
       external: "projects/${PROJECT_ID?}"
    location: "us-west2-a"
    description: "A test os policy assignment"
    osPolicies:
    - id: "policy"
      mode: "VALIDATION"
      resourceGroups:
      - resources:
        - id: "apt-to-yum"
          repository:
            apt:
              archiveType: "DEB"
              uri: "https://atl.mirrors.clouvider.net/debian"
              distribution: "debian"
              components:
              - "doc"
              gpgKey: ".gnupg/pubring.kbx"
        - id: "yum"
          repository:
            yum:
              id: "yum"
              displayName: "yum"
              baseUrl: "http://centos.s.uw.edu/centos/"
              gpgKeys:
              - "RPM-GPG-KEY-CentOS-7"
        - id: "zypper"
          repository:
            zypper:
              id: "zypper"
              displayName: "zypper"
              baseUrl: "http://mirror.dal10.us.leaseweb.net/opensuse"
              gpgKeys:
              - "sample-key-uri"
        - id: "goo"
          repository:
            goo:
              name: "goo"
              url: "https://foo.com/googet/bar"
        - id: "exec1"
          exec:
            validate:
              args:
              - "arg1"
              interpreter: "SHELL"
              outputFilePath: "$HOME/out"
              file:
                localPath: "$HOME/script.sh"
            enforce:
              args:
              - "arg1"
              interpreter: "SHELL"
              outputFilePath: "$HOME/out"
              file:
                allowInsecure: true
                remote:
                  uri: "https://www.example.com/script.sh"
                  sha256Checksum: "c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063"
        - id: "exec2"
          exec:
            validate:
              args:
              - "arg1"
              interpreter: "SHELL"
              outputFilePath: "$HOME/out"
              file:
                allowInsecure: true
                remote:
                  uri: "https://www.example.com/script.sh"
                  sha256Checksum: "c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063"
            enforce:
              args:
              - "arg1"
              interpreter: "SHELL"
              outputFilePath: "$HOME/out"
              file:
                localPath: "$HOME/script.sh"
        - id: "exec3"
          exec:
            validate:
              interpreter: "SHELL"
              outputFilePath: "$HOME/out"
              file:
                allowInsecure: true
                gcs:
                  bucket: "test-bucket"
                  object: "test-object"
                  generation: 1
            enforce:
              interpreter: "SHELL"
              outputFilePath: "$HOME/out"
              script: "pwd"
        - id: "exec4"
          exec:
            validate:
              interpreter: "SHELL"
              outputFilePath: "$HOME/out"
              script: "pwd"
            enforce:
              interpreter: "SHELL"
              outputFilePath: "$HOME/out"
              file:
                allowInsecure: true
                gcs:
                  bucket: "test-bucket"
                  object: "test-object"
                  generation: 1
        - id: "file1"
          file:
            path: "$HOME/file"
            state: "PRESENT"
            file:
              localPath: "$HOME/file"
      - resources:
        - id: "file2"
          file:
            path: "$HOME/file"
            state: "PRESENT"
            permissions: "755"
            file:
              allowInsecure: true
              remote:
                uri: "https://www.example.com/file"
                sha256Checksum: "c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063"
        - id: "file3"
          file:
            path: "$HOME/file"
            state: "PRESENT"
            file:
              gcs:
                bucket: "test-bucket"
                object: "test-object"
                generation: 1
        - id: "file4"
          file:
            path: "$HOME/file"
            state: "PRESENT"
            content: "sample-content"
    instanceFilter:
      all: true
    rollout:
      disruptionBudget:
        percent: 1
      minWaitDuration: "3.5s"
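
Several file sources in the two samples set `allowInsecure: true`; the OS Config API defaults that field to false, in which case a remote file must carry a checksum and a Cloud Storage object a generation number. The check below is an added example, not part of the Config Connector samples, that walks a manifest already parsed into a dict and reports every file source that relaxes or lacks that pinning. The finding texts, the https-only rule, and the `file-unpinned` resource are assumptions of this example.

```python
# Added example; finding texts and the https-only rule are this example's own policy.
def _sources(res):
    """Yield (field path, file source) pairs for one osPolicies resource."""
    pkg = res.get("pkg", {})
    for kind in ("deb", "rpm", "msi"):
        if "source" in pkg.get(kind, {}):
            yield f"pkg.{kind}.source", pkg[kind]["source"]
    for phase in ("validate", "enforce"):
        step = res.get("exec", {}).get(phase, {})
        if "file" in step:
            yield f"exec.{phase}.file", step["file"]
    if "file" in res.get("file", {}):
        yield "file.file", res["file"]["file"]

def _check(src):
    if src.get("allowInsecure"):
        yield "allowInsecure is true"
    remote = src.get("remote")
    if remote is not None:
        if not remote.get("uri", "").startswith("https://"):
            yield "remote uri is not https"
        if not remote.get("sha256Checksum"):
            yield "remote has no sha256Checksum"
    gcs = src.get("gcs")
    if gcs is not None and "generation" not in gcs:
        yield "gcs object has no generation"

def audit(manifest):
    """Return sorted (resource id, field path, finding) tuples."""
    out = []
    for policy in manifest.get("spec", {}).get("osPolicies", []):
        for group in policy.get("resourceGroups", []):
            for res in group.get("resources", []):
                for path, src in _sources(res):
                    out += [(res.get("id", "?"), path, m) for m in _check(src)]
    return sorted(out)

# Constructed input; "file-unpinned" is hypothetical, the checksum a placeholder.
PIN = {"bucket": "test-bucket", "object": "test-object", "generation": 1}
SAMPLE = {"spec": {"osPolicies": [{"id": "policy", "resourceGroups": [{"resources": [
    {"id": "deb2", "pkg": {"deb": {"source": {"allowInsecure": True, "remote": {
        "uri": "ftp.us.debian.org/debian/package.deb", "sha256Checksum": "0" * 64}}}}},
    {"id": "exec3", "exec": {"validate": {"file": {"allowInsecure": True, "gcs": PIN}}}},
    {"id": "file3", "file": {"file": {"gcs": PIN}}},
    {"id": "file-unpinned", "file": {"file": {"remote": {"uri": "https://www.example.com/file"}}}},
]}]}]}}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To run it against a real manifest, load the YAML with any parser and pass the resulting dict to `audit`.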