OSConfigOSPolicyAssignment

Stay organized with collections Save and categorize content based on your preferences.
Property Value
Google Cloud Service Name OS Config
Google Cloud Service Documentation /compute/docs/osconfig/rest/
Google Cloud REST Resource Name v1.projects.locations.osPolicyAssignments
Google Cloud REST Resource Documentation /compute/docs/osconfig/rest/v1/projects.locations.osPolicyAssignments
Config Connector Resource Short Names gcposconfigospolicyassignment
gcposconfigospolicyassignments
osconfigospolicyassignment
Config Connector Service Name osconfig.googleapis.com
Config Connector Resource Fully Qualified Name osconfigospolicyassignments.osconfig.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/state-into-spec

Spec

Schema

description: string
instanceFilter:
  all: boolean
  exclusionLabels:
  - labels:
      string: string
  inclusionLabels:
  - labels:
      string: string
  inventories:
  - osShortName: string
    osVersion: string
location: string
osPolicies:
- allowNoResourceGroupMatch: boolean
  description: string
  id: string
  mode: string
  resourceGroups:
  - inventoryFilters:
    - osShortName: string
      osVersion: string
    resources:
    - exec:
        enforce:
          args:
          - string
          file:
            allowInsecure: boolean
            gcs:
              bucket: string
              generation: integer
              object: string
            localPath: string
            remote:
              sha256Checksum: string
              uri: string
          interpreter: string
          outputFilePath: string
          script: string
        validate:
          args:
          - string
          file:
            allowInsecure: boolean
            gcs:
              bucket: string
              generation: integer
              object: string
            localPath: string
            remote:
              sha256Checksum: string
              uri: string
          interpreter: string
          outputFilePath: string
          script: string
      file:
        content: string
        file:
          allowInsecure: boolean
          gcs:
            bucket: string
            generation: integer
            object: string
          localPath: string
          remote:
            sha256Checksum: string
            uri: string
        path: string
        permissions: string
        state: string
      id: string
      pkg:
        apt:
          name: string
        deb:
          pullDeps: boolean
          source:
            allowInsecure: boolean
            gcs:
              bucket: string
              generation: integer
              object: string
            localPath: string
            remote:
              sha256Checksum: string
              uri: string
        desiredState: string
        googet:
          name: string
        msi:
          properties:
          - string
          source:
            allowInsecure: boolean
            gcs:
              bucket: string
              generation: integer
              object: string
            localPath: string
            remote:
              sha256Checksum: string
              uri: string
        rpm:
          pullDeps: boolean
          source:
            allowInsecure: boolean
            gcs:
              bucket: string
              generation: integer
              object: string
            localPath: string
            remote:
              sha256Checksum: string
              uri: string
        yum:
          name: string
        zypper:
          name: string
      repository:
        apt:
          archiveType: string
          components:
          - string
          distribution: string
          gpgKey: string
          uri: string
        goo:
          name: string
          url: string
        yum:
          baseUrl: string
          displayName: string
          gpgKeys:
          - string
          id: string
        zypper:
          baseUrl: string
          displayName: string
          gpgKeys:
          - string
          id: string
projectRef:
  external: string
  name: string
  namespace: string
resourceID: string
rollout:
  disruptionBudget:
    fixed: integer
    percent: integer
  minWaitDuration: string
Fields

description

Optional

string

OS policy assignment description. Length of the description is limited to 1024 characters.

instanceFilter

Required

object

Required. Filter to select VMs.

instanceFilter.all

Optional

boolean

Target all VMs in the project. If true, no other criteria is permitted.

instanceFilter.exclusionLabels

Optional

list (object)

List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM.

instanceFilter.exclusionLabels[]

Optional

object

instanceFilter.exclusionLabels[].labels

Optional

map (key: string, value: string)

Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.

instanceFilter.inclusionLabels

Optional

list (object)

List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM.

instanceFilter.inclusionLabels[]

Optional

object

instanceFilter.inclusionLabels[].labels

Optional

map (key: string, value: string)

Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.

instanceFilter.inventories

Optional

list (object)

List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories.

instanceFilter.inventories[]

Optional

object

instanceFilter.inventories[].osShortName

Required*

string

Required. The OS short name

instanceFilter.inventories[].osVersion

Optional

string

The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.

location

Required

string

Immutable. The location for the resource

osPolicies

Required

list (object)

Required. List of OS policies to be applied to the VMs.

osPolicies[]

Required

object

osPolicies[].allowNoResourceGroupMatch

Optional

boolean

This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.

osPolicies[].description

Optional

string

Policy description. Length of the description is limited to 1024 characters.

osPolicies[].id

Required

string

Required. The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment.

osPolicies[].mode

Required

string

Required. Policy mode Possible values: MODE_UNSPECIFIED, VALIDATION, ENFORCEMENT

osPolicies[].resourceGroups

Required

list (object)

Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored. If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant w.r.t this policy. This behavior can be toggled by the flag `allow_no_resource_group_match`

osPolicies[].resourceGroups[]

Required

object

osPolicies[].resourceGroups[].inventoryFilters

Optional

list (object)

List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name='rhel' and inventory_filters[1].os_short_name='centos' If the list is empty, this resource group will be applied to the target VM unconditionally.

osPolicies[].resourceGroups[].inventoryFilters[]

Optional

object

osPolicies[].resourceGroups[].inventoryFilters[].osShortName

Required*

string

Required. The OS short name

osPolicies[].resourceGroups[].inventoryFilters[].osVersion

Optional

string

The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.

osPolicies[].resourceGroups[].resources

Required

list (object)

Required. List of resources configured for this resource group. The resources are executed in the exact order specified here.

osPolicies[].resourceGroups[].resources[]

Required

object

osPolicies[].resourceGroups[].resources[].exec

Optional

object

Exec resource

osPolicies[].resourceGroups[].resources[].exec.enforce

Optional

object

What to run to bring this resource into the desired state. An exit code of 100 indicates "success", any other exit code indicates a failure running enforce.

osPolicies[].resourceGroups[].resources[].exec.enforce.args

Optional

list (string)

Optional arguments to pass to the source during execution.

osPolicies[].resourceGroups[].resources[].exec.enforce.args[]

Optional

string

osPolicies[].resourceGroups[].resources[].exec.enforce.file

Optional

object

A remote or local file.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].exec.enforce.file.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].exec.enforce.interpreter

Required*

string

Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL

osPolicies[].resourceGroups[].resources[].exec.enforce.outputFilePath

Optional

string

Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.

osPolicies[].resourceGroups[].resources[].exec.enforce.script

Optional

string

An inline script. The size of the script is limited to 1024 characters.

osPolicies[].resourceGroups[].resources[].exec.validate

Required*

object

Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates "in desired state", and exit code of 101 indicates "not in desired state". Any other exit code indicates a failure running validate.

osPolicies[].resourceGroups[].resources[].exec.validate.args

Optional

list (string)

Optional arguments to pass to the source during execution.

osPolicies[].resourceGroups[].resources[].exec.validate.args[]

Optional

string

osPolicies[].resourceGroups[].resources[].exec.validate.file

Optional

object

A remote or local file.

osPolicies[].resourceGroups[].resources[].exec.validate.file.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].exec.validate.file.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.validate.file.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.validate.file.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.validate.file.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].exec.validate.file.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].exec.validate.file.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].exec.validate.file.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].exec.validate.file.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].exec.validate.interpreter

Required*

string

Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL

osPolicies[].resourceGroups[].resources[].exec.validate.outputFilePath

Optional

string

Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.

osPolicies[].resourceGroups[].resources[].exec.validate.script

Optional

string

An inline script. The size of the script is limited to 1024 characters.

osPolicies[].resourceGroups[].resources[].file

Optional

object

File resource

osPolicies[].resourceGroups[].resources[].file.content

Optional

string

A a file with this content. The size of the content is limited to 1024 characters.

osPolicies[].resourceGroups[].resources[].file.file

Optional

object

A remote or local source.

osPolicies[].resourceGroups[].resources[].file.file.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].file.file.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].file.file.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].file.file.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].file.file.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].file.file.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].file.file.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].file.file.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].file.file.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].file.path

Required*

string

Required. The absolute path of the file within the VM.

osPolicies[].resourceGroups[].resources[].file.permissions

Optional

string

Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4

osPolicies[].resourceGroups[].resources[].file.state

Required*

string

Required. Desired state of the file. Possible values: OS_POLICY_COMPLIANCE_STATE_UNSPECIFIED, COMPLIANT, NON_COMPLIANT, UNKNOWN, NO_OS_POLICIES_APPLICABLE

osPolicies[].resourceGroups[].resources[].id

Required

string

Required. The id of the resource with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the OS policy.

osPolicies[].resourceGroups[].resources[].pkg

Optional

object

Package resource

osPolicies[].resourceGroups[].resources[].pkg.apt

Optional

object

A package managed by Apt.

osPolicies[].resourceGroups[].resources[].pkg.apt.name

Required*

string

Required. Package name.

osPolicies[].resourceGroups[].resources[].pkg.deb

Optional

object

A deb package file.

osPolicies[].resourceGroups[].resources[].pkg.deb.pullDeps

Optional

boolean

Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update && apt-get -y install package.deb`

osPolicies[].resourceGroups[].resources[].pkg.deb.source

Required*

object

Required. A deb package.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].pkg.deb.source.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].pkg.desiredState

Required*

string

Required. The desired state the agent should maintain for this package. Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED

osPolicies[].resourceGroups[].resources[].pkg.googet

Optional

object

A package managed by GooGet.

osPolicies[].resourceGroups[].resources[].pkg.googet.name

Required*

string

Required. Package name.

osPolicies[].resourceGroups[].resources[].pkg.msi

Optional

object

An MSI package.

osPolicies[].resourceGroups[].resources[].pkg.msi.properties

Optional

list (string)

Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`.

osPolicies[].resourceGroups[].resources[].pkg.msi.properties[]

Optional

string

osPolicies[].resourceGroups[].resources[].pkg.msi.source

Required*

object

Required. The MSI package.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].pkg.msi.source.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].pkg.rpm

Optional

object

An rpm package file.

osPolicies[].resourceGroups[].resources[].pkg.rpm.pullDeps

Optional

boolean

Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm`

osPolicies[].resourceGroups[].resources[].pkg.rpm.source

Required*

object

Required. An rpm package.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.allowInsecure

Optional

boolean

Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.gcs

Optional

object

A Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.gcs.bucket

Required*

string

Required. Bucket of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.gcs.generation

Optional

integer

Generation number of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.gcs.object

Required*

string

Required. Name of the Cloud Storage object.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.localPath

Optional

string

A local path within the VM to use.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.remote

Optional

object

A generic remote file.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.remote.sha256Checksum

Optional

string

SHA256 checksum of the remote file.

osPolicies[].resourceGroups[].resources[].pkg.rpm.source.remote.uri

Required*

string

Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.

osPolicies[].resourceGroups[].resources[].pkg.yum

Optional

object

A package managed by YUM.

osPolicies[].resourceGroups[].resources[].pkg.yum.name

Required*

string

Required. Package name.

osPolicies[].resourceGroups[].resources[].pkg.zypper

Optional

object

A package managed by Zypper.

osPolicies[].resourceGroups[].resources[].pkg.zypper.name

Required*

string

Required. Package name.

osPolicies[].resourceGroups[].resources[].repository

Optional

object

Package repository resource

osPolicies[].resourceGroups[].resources[].repository.apt

Optional

object

An Apt Repository.

osPolicies[].resourceGroups[].resources[].repository.apt.archiveType

Required*

string

Required. Type of archive files in this repository. Possible values: ARCHIVE_TYPE_UNSPECIFIED, DEB, DEB_SRC

osPolicies[].resourceGroups[].resources[].repository.apt.components

Required*

list (string)

Required. List of components for this repository. Must contain at least one item.

osPolicies[].resourceGroups[].resources[].repository.apt.components[]

Required*

string

osPolicies[].resourceGroups[].resources[].repository.apt.distribution

Required*

string

Required. Distribution of this repository.

osPolicies[].resourceGroups[].resources[].repository.apt.gpgKey

Optional

string

URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`.

osPolicies[].resourceGroups[].resources[].repository.apt.uri

Required*

string

Required. URI for this repository.

osPolicies[].resourceGroups[].resources[].repository.goo

Optional

object

A Goo Repository.

osPolicies[].resourceGroups[].resources[].repository.goo.name

Required*

string

Required. The name of the repository.

osPolicies[].resourceGroups[].resources[].repository.goo.url

Required*

string

Required. The url of the repository.

osPolicies[].resourceGroups[].resources[].repository.yum

Optional

object

A Yum Repository.

osPolicies[].resourceGroups[].resources[].repository.yum.baseUrl

Required*

string

Required. The location of the repository directory.

osPolicies[].resourceGroups[].resources[].repository.yum.displayName

Optional

string

The display name of the repository.

osPolicies[].resourceGroups[].resources[].repository.yum.gpgKeys

Optional

list (string)

URIs of GPG keys.

osPolicies[].resourceGroups[].resources[].repository.yum.gpgKeys[]

Optional

string

osPolicies[].resourceGroups[].resources[].repository.yum.id

Required*

string

Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts.

osPolicies[].resourceGroups[].resources[].repository.zypper

Optional

object

A Zypper Repository.

osPolicies[].resourceGroups[].resources[].repository.zypper.baseUrl

Required*

string

Required. The location of the repository directory.

osPolicies[].resourceGroups[].resources[].repository.zypper.displayName

Optional

string

The display name of the repository.

osPolicies[].resourceGroups[].resources[].repository.zypper.gpgKeys

Optional

list (string)

URIs of GPG keys.

osPolicies[].resourceGroups[].resources[].repository.zypper.gpgKeys[]

Optional

string

osPolicies[].resourceGroups[].resources[].repository.zypper.id

Required*

string

Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.

projectRef

Required

object

Immutable. The Project that this resource belongs to.

projectRef.external

Optional

string

The project for the resource Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

rollout

Required

object

Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created. 2) OSPolicyAssignment is updated and the update contains changes to one of the following fields: - instance_filter - os_policies 3) OSPolicyAssignment is deleted.

rollout.disruptionBudget

Required

object

Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment.

rollout.disruptionBudget.fixed

Optional

integer

Specifies a fixed value.

rollout.disruptionBudget.percent

Optional

integer

Specifies the relative value defined as a percentage, which will be multiplied by a reference value.

rollout.minWaitDuration

Required

string

Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied.

* Field is required when parent field is specified

Status

Schema

baseline: boolean
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
deleted: boolean
etag: string
observedGeneration: integer
reconciling: boolean
revisionCreateTime: string
revisionId: string
rolloutState: string
uid: string
Fields
baseline

boolean

Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of `true` for this field.

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

deleted

boolean

Output only. Indicates that this revision deletes the OS policy assignment.

etag

string

The etag for this OS policy assignment. If this is provided on update, it must match the server's etag.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

reconciling

boolean

Output only. Indicates that reconciliation is in progress for the revision. This value is `true` when the `rollout_state` is one of: * IN_PROGRESS * CANCELLING

revisionCreateTime

string

Output only. The timestamp that the revision was created.

revisionId

string

Output only. The assignment revision ID A new revision is committed whenever a rollout is triggered for a OS policy assignment

rolloutState

string

Output only. OS policy assignment rollout state Possible values: ROLLOUT_STATE_UNSPECIFIED, IN_PROGRESS, CANCELLING, CANCELLED, SUCCEEDED

uid

string

Output only. Server generated unique id for the OS policy assignment resource.

Sample YAML(s)

Fixed Os Policy Assignment

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: osconfig.cnrm.cloud.google.com/v1beta1
kind: OSConfigOSPolicyAssignment
metadata:
  name: osconfigospolicyassignment-sample-fixedospolicyassignment
spec:
  projectRef:
     # Replace ${PROJECT_ID?} with your project ID
     external: "projects/${PROJECT_ID?}"
  location: "us-west2-a"
  description: "A test os policy assignment"
  osPolicies:
  - id: "policy"
    description: "A test os policy"
    mode: "VALIDATION"
    resourceGroups:
    - inventoryFilters:
      - osShortName: "centos"
        osVersion: "8.*"
      resources:
      - id: "apt"
        pkg:
          desiredState: "INSTALLED"
          apt:
            name: "bazel"
      - id: "deb1"
        pkg:
          desiredState: "INSTALLED"
          deb:
            source:
              localPath: "$HOME/package.deb"
      - id: "deb2"
        pkg:
          desiredState: "INSTALLED"
          deb:
            pullDeps: true
            source:
              allowInsecure: true
              remote:
                uri: "ftp.us.debian.org/debian/package.deb"
                sha256Checksum: "3bbfd1043cd7afdb78cf9afec36c0c5370d2fea98166537b4e67f3816f256025"
      - id: "deb3"
        pkg:
          desiredState: "INSTALLED"
          deb:
            pullDeps: true
            source:
              gcs:
                bucket: "test-bucket"
                object: "test-object"
                generation: 1
      - id: "yum"
        pkg:
          desiredState: "INSTALLED"
          yum:
            name: "gstreamer-plugins-base-devel.x86_64"
      - id: "zypper"
        pkg:
          desiredState: "INSTALLED"
          zypper:
            name: "gcc"
      - id: "rpm1"
        pkg:
          desiredState: "INSTALLED"
          rpm:
            pullDeps: true
            source:
              localPath: "$HOME/package.rpm"
      - id: "rpm2"
        pkg:
          desiredState: "INSTALLED"
          rpm:
            source:
              allowInsecure: true
              remote:
                uri: "https://mirror.jaleco.com/centos/8.3.2011/BaseOS/x86_64/os/Packages/efi-filesystem-3-2.el8.noarch.rpm"
                sha256Checksum: "3bbfd1043cd7afdb78cf9afec36c0c5370d2fea98166537b4e67f3816f256025"
      - id: "rpm3"
        pkg:
          desiredState: "INSTALLED"
          rpm:
            source:
              gcs:
                bucket: "test-bucket"
                object: "test-object"
                generation: 1
    - resources:
      - id: "apt-to-deb"
        pkg:
          desiredState: "INSTALLED"
          apt:
            name: "bazel"
      - id: "deb-local-path-to-gcs"
        pkg:
          desiredState: "INSTALLED"
          deb:
            source:
              localPath: "$HOME/package.deb"
      - id: "googet"
        pkg:
          desiredState: "INSTALLED"
          googet:
            name: "gcc"
      - id: "msi1"
        pkg:
          desiredState: "INSTALLED"
          msi:
            source:
              localPath: "$HOME/package.msi"
            properties:
            - "REBOOT=ReallySuppress"
      - id: "msi2"
        pkg:
          desiredState: "INSTALLED"
          msi:
            source:
              allowInsecure: true
              remote:
                uri: "https://remote.uri.com/package.msi"
                sha256Checksum: "3bbfd1043cd7afdb78cf9afec36c0c5370d2fea98166537b4e67f3816f256025"
              sha256Checksum: "3bbfd1043cd7afdb78cf9afec36c0c5370d2fea98166537b4e67f3816f256025"
      - id: "msi3"
        pkg:
          desiredState: "INSTALLED"
          msi:
            source:
              gcs:
                bucket: "test-bucket"
                object: "test-object"
                generation: 1
    allowNoResourceGroupMatch: false
  instanceFilter:
    all: false
    inclusionLabels:
    - labels:
        label-one: "value-one"
    exclusionLabels:
    - labels:
        label-two: "value-two"
    inventories:
    - osShortName: "centos"
      osVersion: "8.*"
  rollout:
    disruptionBudget:
      fixed: 1
    minWaitDuration: "3.5s"

Percent Os Policy Assignment

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: osconfig.cnrm.cloud.google.com/v1beta1
kind: OSConfigOSPolicyAssignment
metadata:
  name: osconfigospolicyassignment-sample-percentospolicyassignment
spec:
  projectRef:
     # Replace ${PROJECT_ID?} with your project ID
     external: "projects/${PROJECT_ID?}"
  location: "us-west2-a"
  description: "A test os policy assignment"
  osPolicies:
  - id: "policy"
    mode: "VALIDATION"
    resourceGroups:
    - resources:
      - id: "apt-to-yum"
        repository:
          apt:
            archiveType: "DEB"
            uri: "https://atl.mirrors.clouvider.net/debian"
            distribution: "debian"
            components:
            - "doc"
            gpgKey: ".gnupg/pubring.kbx"
      - id: "yum"
        repository:
          yum:
            id: "yum"
            displayName: "yum"
            baseUrl: "http://centos.s.uw.edu/centos/"
            gpgKeys:
            - "RPM-GPG-KEY-CentOS-7"
      - id: "zypper"
        repository:
          zypper:
            id: "zypper"
            displayName: "zypper"
            baseUrl: "http://mirror.dal10.us.leaseweb.net/opensuse"
            gpgKeys:
            - "sample-key-uri"
      - id: "goo"
        repository:
          goo:
            name: "goo"
            url: "https://foo.com/googet/bar"
      - id: "exec1"
        exec:
          validate:
            args:
            - "arg1"
            interpreter: "SHELL"
            outputFilePath: "$HOME/out"
            file:
              localPath: "$HOME/script.sh"
          enforce:
            args:
            - "arg1"
            interpreter: "SHELL"
            outputFilePath: "$HOME/out"
            file:
              allowInsecure: true
              remote:
                uri: "https://www.example.com/script.sh"
                sha256Checksum: "c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063"
      - id: "exec2"
        exec:
          validate:
            args:
            - "arg1"
            interpreter: "SHELL"
            outputFilePath: "$HOME/out"
            file:
              allowInsecure: true
              remote:
                uri: "https://www.example.com/script.sh"
                sha256Checksum: "c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063"
          enforce:
            args:
            - "arg1"
            interpreter: "SHELL"
            outputFilePath: "$HOME/out"
            file:
              localPath: "$HOME/script.sh"
      - id: "exec3"
        exec:
          validate:
            interpreter: "SHELL"
            outputFilePath: "$HOME/out"
            file:
              allowInsecure: true
              gcs:
                bucket: "test-bucket"
                object: "test-object"
                generation: 1
          enforce:
            interpreter: "SHELL"
            outputFilePath: "$HOME/out"
            script: "pwd"
      - id: "exec4"
        exec:
          validate:
            interpreter: "SHELL"
            outputFilePath: "$HOME/out"
            script: "pwd"
          enforce:
            interpreter: "SHELL"
            outputFilePath: "$HOME/out"
            file:
              allowInsecure: true
              gcs:
                bucket: "test-bucket"
                object: "test-object"
                generation: 1
      - id: "file1"
        file:
          path: "$HOME/file"
          state: "PRESENT"
          file:
            localPath: "$HOME/file"
    - resources:
      - id: "file2"
        file:
          path: "$HOME/file"
          state: "PRESENT"
          permissions: "755"
          file:
            allowInsecure: true
            remote:
              uri: "https://www.example.com/file"
              sha256Checksum: "c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063"
      - id: "file3"
        file:
          path: "$HOME/file"
          state: "PRESENT"
          file:
            gcs:
              bucket: "test-bucket"
              object: "test-object"
              generation: 1
      - id: "file4"
        file:
          path: "$HOME/file"
          state: "PRESENT"
          content: "sample-content"
  instanceFilter:
    all: true
  rollout:
    disruptionBudget:
      percent: 1
    minWaitDuration: "3.5s"