Skip to content

googleOsConfigOsPolicyAssignment

Represents an OSPolicyAssignment resource.

Example Usage - fixed_os_policy_assignment

An example of an osconfig os policy assignment with fixed rollout disruption budget

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.osConfigOsPolicyAssignment.OsConfigOsPolicyAssignment(
  this,
  "primary",
  {
    description: "A test os policy assignment",
    instance_filter: [
      {
        all: false,
        exclusion_labels: [
          {
            labels: [
              {
                "label-two": "value-two",
              },
            ],
          },
        ],
        inclusion_labels: [
          {
            labels: [
              {
                "label-one": "value-one",
              },
            ],
          },
        ],
        inventories: [
          {
            os_short_name: "centos",
            os_version: "8.*",
          },
        ],
      },
    ],
    location: "us-west1-a",
    name: "assignment",
    os_policies: [
      {
        allow_no_resource_group_match: false,
        description: "A test os policy",
        id: "policy",
        mode: "VALIDATION",
        resource_groups: [
          {
            inventory_filters: [
              {
                os_short_name: "centos",
                os_version: "8.*",
              },
            ],
            resources: [
              {
                id: "apt",
                pkg: [
                  {
                    apt: [
                      {
                        name: "bazel",
                      },
                    ],
                    desired_state: "INSTALLED",
                  },
                ],
              },
            ],
          },
        ],
      },
    ],
    project: "my-project-name",
    rollout: [
      {
        disruption_budget: [
          {
            fixed: 1,
          },
        ],
        min_wait_duration: "3.5s",
      },
    ],
  }
);

Argument Reference

The following arguments are supported:

  • instanceFilter - (Required) Required. Filter to select VMs.

  • location - (Required) The location for the resource

  • name - (Required) Resource name.

  • osPolicies - (Required) Required. List of OS policies to be applied to the VMs.

  • rollout - (Required) Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created. 2) OSPolicyAssignment is updated and the update contains changes to one of the following fields: - instance_filter - os_policies 3) OSPolicyAssignment is deleted.

The instanceFilter block supports:

  • all - (Optional) Target all VMs in the project. If true, no other criteria is permitted.

  • exclusionLabels - (Optional) List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM.

  • inclusionLabels - (Optional) List of label sets used for VM inclusion. If the list has more than one labelSet, the VM is included if any of the label sets are applicable for the VM.

  • inventories - (Optional) List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories.

The osPolicies block supports:

  • allowNoResourceGroupMatch - (Optional) This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to true if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.

  • description - (Optional) Policy description. Length of the description is limited to 1024 characters.

  • id - (Required) Required. The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment.

  • mode - (Required) Required. Policy mode Possible values: MODE_UNSPECIFIED, VALIDATION, ENFORCEMENT

  • resourceGroups - (Required) Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored. If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant w.r.t this policy. This behavior can be toggled by the flag allowNoResourceGroupMatch

The resourceGroups block supports:

  • inventoryFilters - (Optional) List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either rhel or centOs operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name='rhel' and inventory_filters[1].os_short_name='centos' If the list is empty, this resource group will be applied to the target VM unconditionally.

  • resources - (Required) Required. List of resources configured for this resource group. The resources are executed in the exact order specified here.

The resources block supports:

  • exec - (Optional) Exec resource

  • file - (Optional) File resource

  • id - (Required) Required. The id of the resource with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the OS policy.

  • pkg - (Optional) Package resource

  • repository - (Optional) Package repository resource

The validate block supports:

  • args - (Optional) Optional arguments to pass to the source during execution.

  • file - (Optional) A remote or local file.

  • interpreter - (Required) Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL

  • outputFilePath - (Optional) Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.

  • script - (Optional) An inline script. The size of the script is limited to 1024 characters.

The source block supports:

  • allowInsecure - (Optional) Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

  • gcs - (Optional) A Cloud Storage object.

  • localPath - (Optional) A local path within the VM to use.

  • remote - (Optional) A generic remote file.

The source block supports:

  • allowInsecure - (Optional) Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

  • gcs - (Optional) A Cloud Storage object.

  • localPath - (Optional) A local path within the VM to use.

  • remote - (Optional) A generic remote file.

The source block supports:

  • allowInsecure - (Optional) Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

  • gcs - (Optional) A Cloud Storage object.

  • localPath - (Optional) A local path within the VM to use.

  • remote - (Optional) A generic remote file.

The rollout block supports:

  • disruptionBudget - (Required) Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment.

  • minWaitDuration - (Required) Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the disruptionBudget at least until this duration of time has passed after configuration changes are applied.

The disruptionBudget block supports:

  • fixed - (Optional) Specifies a fixed value.

  • percent - (Optional) Specifies the relative value defined as a percentage, which will be multiplied by a reference value.

  • description - (Optional) OS policy assignment description. Length of the description is limited to 1024 characters.

  • project - (Optional) The project for the resource

  • skipAwaitRollout - (Optional) Set to true to skip awaiting rollout during resource creation and update.

The exclusionLabels block supports:

  • labels - (Optional) Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.

The inclusionLabels block supports:

  • labels - (Optional) Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.

The inventories block supports:

  • osShortName - (Required) Required. The OS short name

  • osVersion - (Optional) The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of 7, specify the following value for this field 7.* An empty string matches all OS versions.

The inventoryFilters block supports:

  • osShortName - (Required) Required. The OS short name

  • osVersion - (Optional) The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of 7, specify the following value for this field 7.* An empty string matches all OS versions.

The exec block supports:

  • enforce - (Optional) What to run to bring this resource into the desired state. An exit code of 100 indicates "success", any other exit code indicates a failure running enforce.

  • validate - (Required) Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates "in desired state", and exit code of 101 indicates "not in desired state". Any other exit code indicates a failure running validate.

The enforce block supports:

  • args - (Optional) Optional arguments to pass to the source during execution.

  • file - (Optional) A remote or local file.

  • interpreter - (Required) Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL

  • outputFilePath - (Optional) Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.

  • script - (Optional) An inline script. The size of the script is limited to 1024 characters.

The file block supports:

  • allowInsecure - (Optional) Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

  • gcs - (Optional) A Cloud Storage object.

  • localPath - (Optional) A local path within the VM to use.

  • remote - (Optional) A generic remote file.

The gcs block supports:

  • bucket - (Required) Required. Bucket of the Cloud Storage object.

  • generation - (Optional) Generation number of the Cloud Storage object.

  • object - (Required) Required. Name of the Cloud Storage object.

The remote block supports:

  • sha256Checksum - (Optional) SHA256 checksum of the remote file.

  • uri - (Required) Required. URI from which to fetch the object. It should contain both the protocol and path following the format {protocol}://{location}.

The file block supports:

  • allowInsecure - (Optional) Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

  • gcs - (Optional) A Cloud Storage object.

  • localPath - (Optional) A local path within the VM to use.

  • remote - (Optional) A generic remote file.

The gcs block supports:

  • bucket - (Required) Required. Bucket of the Cloud Storage object.

  • generation - (Optional) Generation number of the Cloud Storage object.

  • object - (Required) Required. Name of the Cloud Storage object.

The remote block supports:

  • sha256Checksum - (Optional) SHA256 checksum of the remote file.

  • uri - (Required) Required. URI from which to fetch the object. It should contain both the protocol and path following the format {protocol}://{location}.

The file block supports:

  • content - (Optional) A a file with this content. The size of the content is limited to 1024 characters.

  • file - (Optional) A remote or local source.

  • path - (Required) Required. The absolute path of the file within the VM.

  • permissions - Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4

  • state - (Required) Required. Desired state of the file. Possible values: OS_POLICY_COMPLIANCE_STATE_UNSPECIFIED, COMPLIANT, NON_COMPLIANT, UNKNOWN, NO_OS_POLICIES_APPLICABLE

The file block supports:

  • allowInsecure - (Optional) Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.

  • gcs - (Optional) A Cloud Storage object.

  • localPath - (Optional) A local path within the VM to use.

  • remote - (Optional) A generic remote file.

The gcs block supports:

  • bucket - (Required) Required. Bucket of the Cloud Storage object.

  • generation - (Optional) Generation number of the Cloud Storage object.

  • object - (Required) Required. Name of the Cloud Storage object.

The remote block supports:

  • sha256Checksum - (Optional) SHA256 checksum of the remote file.

  • uri - (Required) Required. URI from which to fetch the object. It should contain both the protocol and path following the format {protocol}://{location}.

The pkg block supports:

  • apt - (Optional) A package managed by Apt.

  • deb - (Optional) A deb package file.

  • desiredState - (Required) Required. The desired state the agent should maintain for this package. Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED

  • googet - (Optional) A package managed by GooGet.

  • msi - (Optional) An MSI package.

  • rpm - (Optional) An rpm package file.

  • yum - (Optional) A package managed by YUM.

  • zypper - (Optional) A package managed by Zypper.

The apt block supports:

  • name - (Required) Required. Package name.

The deb block supports:

  • pullDeps - (Optional) Whether dependencies should also be installed. - install when false: dpkgIPackage - install when true: aptGetUpdate &&AptGetYInstallPackageDeb

  • source - (Required) Required. A deb package.

The gcs block supports:

  • bucket - (Required) Required. Bucket of the Cloud Storage object.

  • generation - (Optional) Generation number of the Cloud Storage object.

  • object - (Required) Required. Name of the Cloud Storage object.

The remote block supports:

  • sha256Checksum - (Optional) SHA256 checksum of the remote file.

  • uri - (Required) Required. URI from which to fetch the object. It should contain both the protocol and path following the format {protocol}://{location}.

The googet block supports:

  • name - (Required) Required. Package name.

The msi block supports:

  • properties - (Optional) Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of action=installReboot=reallySuppress.

  • source - (Required) Required. The MSI package.

The gcs block supports:

  • bucket - (Required) Required. Bucket of the Cloud Storage object.

  • generation - (Optional) Generation number of the Cloud Storage object.

  • object - (Required) Required. Name of the Cloud Storage object.

The remote block supports:

  • sha256Checksum - (Optional) SHA256 checksum of the remote file.

  • uri - (Required) Required. URI from which to fetch the object. It should contain both the protocol and path following the format {protocol}://{location}.

The rpm block supports:

  • pullDeps - (Optional) Whether dependencies should also be installed. - install when false: rpmUpgradeReplacepkgsPackageRpm - install when true: yumYInstallPackageRpm or zypperYInstallPackageRpm

  • source - (Required) Required. An rpm package.

The gcs block supports:

  • bucket - (Required) Required. Bucket of the Cloud Storage object.

  • generation - (Optional) Generation number of the Cloud Storage object.

  • object - (Required) Required. Name of the Cloud Storage object.

The remote block supports:

  • sha256Checksum - (Optional) SHA256 checksum of the remote file.

  • uri - (Required) Required. URI from which to fetch the object. It should contain both the protocol and path following the format {protocol}://{location}.

The yum block supports:

  • name - (Required) Required. Package name.

The zypper block supports:

  • name - (Required) Required. Package name.

The repository block supports:

  • apt - (Optional) An Apt Repository.

  • goo - (Optional) A Goo Repository.

  • yum - (Optional) A Yum Repository.

  • zypper - (Optional) A Zypper Repository.

The apt block supports:

  • archiveType - (Required) Required. Type of archive files in this repository. Possible values: ARCHIVE_TYPE_UNSPECIFIED, DEB, DEB_SRC

  • components - (Required) Required. List of components for this repository. Must contain at least one item.

  • distribution - (Required) Required. Distribution of this repository.

  • gpgKey - (Optional) URI of the key file for this repository. The agent maintains a keyring at /etc/apt/trustedGpgD/osconfigAgentManagedGpg.

  • uri - (Required) Required. URI for this repository.

The goo block supports:

  • name - (Required) Required. The name of the repository.

  • url - (Required) Required. The url of the repository.

The yum block supports:

  • baseUrl - (Required) Required. The location of the repository directory.

  • displayName - (Optional) The display name of the repository.

  • gpgKeys - (Optional) URIs of GPG keys.

  • id - (Required) Required. A one word, unique name for this repository. This is the repoId in the yum config file and also the displayName if displayName is omitted. This id is also used as the unique identifier when checking for resource conflicts.

The zypper block supports:

  • baseUrl - (Required) Required. The location of the repository directory.

  • displayName - (Optional) The display name of the repository.

  • gpgKeys - (Optional) URIs of GPG keys.

  • id - (Required) Required. A one word, unique name for this repository. This is the repoId in the zypper config file and also the displayName if displayName is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/locations/{{location}}/osPolicyAssignments/{{name}}

  • baseline - Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of true for this field.

  • deleted - Output only. Indicates that this revision deletes the OS policy assignment.

  • etag - The etag for this OS policy assignment. If this is provided on update, it must match the server's etag.

  • reconciling - Output only. Indicates that reconciliation is in progress for the revision. This value is true when the rolloutState is one of: * IN_PROGRESS * CANCELLING

  • revisionCreateTime - Output only. The timestamp that the revision was created.

  • revisionId - Output only. The assignment revision ID A new revision is committed whenever a rollout is triggered for a OS policy assignment

  • rolloutState - Output only. OS policy assignment rollout state Possible values: ROLLOUT_STATE_UNSPECIFIED, IN_PROGRESS, CANCELLING, CANCELLED, SUCCEEDED

  • uid - Output only. Server generated unique id for the OS policy assignment resource.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

OSPolicyAssignment can be imported using any of these accepted formats:

$ terraform import google_os_config_os_policy_assignment.default projects/{{project}}/locations/{{location}}/osPolicyAssignments/{{name}}
$ terraform import google_os_config_os_policy_assignment.default {{project}}/{{location}}/{{name}}
$ terraform import google_os_config_os_policy_assignment.default {{location}}/{{name}}