Os
OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see OS policy and OS policy assignment. To get more information about OSPolicyAssignment, see:
How-to Guides
Example Usage
Os Config Os Policy Assignment Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const primary = new gcp.osconfig.OsPolicyAssignment("primary", {
instanceFilter: {
all: false,
exclusionLabels: [{
labels: {
"label-two": "value-two",
},
}],
inclusionLabels: [{
labels: {
"label-one": "value-one",
},
}],
inventories: [{
osShortName: "centos",
osVersion: "8.*",
}],
},
location: "us-central1-a",
name: "policy-assignment",
osPolicies: [{
id: "policy",
mode: "VALIDATION",
resourceGroups: [{
resources: [
{
id: "apt-to-yum",
repository: {
apt: {
archiveType: "DEB",
components: ["doc"],
distribution: "debian",
uri: "https://atl.mirrors.clouvider.net/debian",
gpgKey: ".gnupg/pubring.kbx",
},
},
},
{
id: "exec1",
exec: {
validate: {
interpreter: "SHELL",
args: ["arg1"],
file: {
localPath: "$HOME/script.sh",
},
outputFilePath: "$HOME/out",
},
enforce: {
interpreter: "SHELL",
args: ["arg1"],
file: {
allowInsecure: true,
remote: {
uri: "https://www.example.com/script.sh",
sha256Checksum: "c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063",
},
},
outputFilePath: "$HOME/out",
},
},
},
],
inventoryFilters: [{
osShortName: "centos",
osVersion: "8.*",
}],
}],
allowNoResourceGroupMatch: false,
description: "A test os policy",
}],
rollout: {
disruptionBudget: {
percent: 100,
},
minWaitDuration: "3s",
},
description: "A test os policy assignment",
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
primary = gcp.osconfig.OsPolicyAssignment("primary",
instance_filter={
"all": False,
"exclusion_labels": [{
"labels": {
"label_two": "value-two",
},
}],
"inclusion_labels": [{
"labels": {
"label_one": "value-one",
},
}],
"inventories": [{
"os_short_name": "centos",
"os_version": "8.*",
}],
},
location="us-central1-a",
name="policy-assignment",
os_policies=[{
"id": "policy",
"mode": "VALIDATION",
"resource_groups": [{
"resources": [
{
"id": "apt-to-yum",
"repository": {
"apt": {
"archive_type": "DEB",
"components": ["doc"],
"distribution": "debian",
"uri": "https://atl.mirrors.clouvider.net/debian",
"gpg_key": ".gnupg/pubring.kbx",
},
},
},
{
"id": "exec1",
"exec_": {
"validate": {
"interpreter": "SHELL",
"args": ["arg1"],
"file": {
"local_path": "$HOME/script.sh",
},
"output_file_path": "$HOME/out",
},
"enforce": {
"interpreter": "SHELL",
"args": ["arg1"],
"file": {
"allow_insecure": True,
"remote": {
"uri": "https://www.example.com/script.sh",
"sha256_checksum": "c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063",
},
},
"output_file_path": "$HOME/out",
},
},
},
],
"inventory_filters": [{
"os_short_name": "centos",
"os_version": "8.*",
}],
}],
"allow_no_resource_group_match": False,
"description": "A test os policy",
}],
rollout={
"disruption_budget": {
"percent": 100,
},
"min_wait_duration": "3s",
},
description="A test os policy assignment")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var primary = new Gcp.OsConfig.OsPolicyAssignment("primary", new()
{
InstanceFilter = new Gcp.OsConfig.Inputs.OsPolicyAssignmentInstanceFilterArgs
{
All = false,
ExclusionLabels = new[]
{
new Gcp.OsConfig.Inputs.OsPolicyAssignmentInstanceFilterExclusionLabelArgs
{
Labels =
{
{ "label-two", "value-two" },
},
},
},
InclusionLabels = new[]
{
new Gcp.OsConfig.Inputs.OsPolicyAssignmentInstanceFilterInclusionLabelArgs
{
Labels =
{
{ "label-one", "value-one" },
},
},
},
Inventories = new[]
{
new Gcp.OsConfig.Inputs.OsPolicyAssignmentInstanceFilterInventoryArgs
{
OsShortName = "centos",
OsVersion = "8.*",
},
},
},
Location = "us-central1-a",
Name = "policy-assignment",
OsPolicies = new[]
{
new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyArgs
{
Id = "policy",
Mode = "VALIDATION",
ResourceGroups = new[]
{
new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupArgs
{
Resources = new[]
{
new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceArgs
{
Id = "apt-to-yum",
Repository = new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceRepositoryArgs
{
Apt = new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceRepositoryAptArgs
{
ArchiveType = "DEB",
Components = new[]
{
"doc",
},
Distribution = "debian",
Uri = "https://atl.mirrors.clouvider.net/debian",
GpgKey = ".gnupg/pubring.kbx",
},
},
},
new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceArgs
{
Id = "exec1",
Exec = new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceExecArgs
{
Validate = new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceExecValidateArgs
{
Interpreter = "SHELL",
Args = new[]
{
"arg1",
},
File = new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceExecValidateFileArgs
{
LocalPath = "$HOME/script.sh",
},
OutputFilePath = "$HOME/out",
},
Enforce = new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceExecEnforceArgs
{
Interpreter = "SHELL",
Args = new[]
{
"arg1",
},
File = new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceExecEnforceFileArgs
{
AllowInsecure = true,
Remote = new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupResourceExecEnforceFileRemoteArgs
{
Uri = "https://www.example.com/script.sh",
Sha256Checksum = "c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063",
},
},
OutputFilePath = "$HOME/out",
},
},
},
},
InventoryFilters = new[]
{
new Gcp.OsConfig.Inputs.OsPolicyAssignmentOsPolicyResourceGroupInventoryFilterArgs
{
OsShortName = "centos",
OsVersion = "8.*",
},
},
},
},
AllowNoResourceGroupMatch = false,
Description = "A test os policy",
},
},
Rollout = new Gcp.OsConfig.Inputs.OsPolicyAssignmentRolloutArgs
{
DisruptionBudget = new Gcp.OsConfig.Inputs.OsPolicyAssignmentRolloutDisruptionBudgetArgs
{
Percent = 100,
},
MinWaitDuration = "3s",
},
Description = "A test os policy assignment",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/osconfig"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := osconfig.NewOsPolicyAssignment(ctx, "primary", &osconfig.OsPolicyAssignmentArgs{
InstanceFilter: &osconfig.OsPolicyAssignmentInstanceFilterArgs{
All: pulumi.Bool(false),
ExclusionLabels: osconfig.OsPolicyAssignmentInstanceFilterExclusionLabelArray{
&osconfig.OsPolicyAssignmentInstanceFilterExclusionLabelArgs{
Labels: pulumi.StringMap{
"label-two": pulumi.String("value-two"),
},
},
},
InclusionLabels: osconfig.OsPolicyAssignmentInstanceFilterInclusionLabelArray{
&osconfig.OsPolicyAssignmentInstanceFilterInclusionLabelArgs{
Labels: pulumi.StringMap{
"label-one": pulumi.String("value-one"),
},
},
},
Inventories: osconfig.OsPolicyAssignmentInstanceFilterInventoryArray{
&osconfig.OsPolicyAssignmentInstanceFilterInventoryArgs{
OsShortName: pulumi.String("centos"),
OsVersion: pulumi.String("8.*"),
},
},
},
Location: pulumi.String("us-central1-a"),
Name: pulumi.String("policy-assignment"),
OsPolicies: osconfig.OsPolicyAssignmentOsPolicyArray{
&osconfig.OsPolicyAssignmentOsPolicyArgs{
Id: pulumi.String("policy"),
Mode: pulumi.String("VALIDATION"),
ResourceGroups: osconfig.OsPolicyAssignmentOsPolicyResourceGroupArray{
&osconfig.OsPolicyAssignmentOsPolicyResourceGroupArgs{
Resources: osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceArray{
&osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceArgs{
Id: pulumi.String("apt-to-yum"),
Repository: &osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceRepositoryArgs{
Apt: &osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceRepositoryAptArgs{
ArchiveType: pulumi.String("DEB"),
Components: pulumi.StringArray{
pulumi.String("doc"),
},
Distribution: pulumi.String("debian"),
Uri: pulumi.String("https://atl.mirrors.clouvider.net/debian"),
GpgKey: pulumi.String(".gnupg/pubring.kbx"),
},
},
},
&osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceArgs{
Id: pulumi.String("exec1"),
Exec: &osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceExecArgs{
Validate: &osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceExecValidateArgs{
Interpreter: pulumi.String("SHELL"),
Args: pulumi.StringArray{
pulumi.String("arg1"),
},
File: &osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceExecValidateFileArgs{
LocalPath: pulumi.String("$HOME/script.sh"),
},
OutputFilePath: pulumi.String("$HOME/out"),
},
Enforce: &osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceExecEnforceArgs{
Interpreter: pulumi.String("SHELL"),
Args: pulumi.StringArray{
pulumi.String("arg1"),
},
File: &osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceExecEnforceFileArgs{
AllowInsecure: pulumi.Bool(true),
Remote: &osconfig.OsPolicyAssignmentOsPolicyResourceGroupResourceExecEnforceFileRemoteArgs{
Uri: pulumi.String("https://www.example.com/script.sh"),
Sha256Checksum: pulumi.String("c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063"),
},
},
OutputFilePath: pulumi.String("$HOME/out"),
},
},
},
},
InventoryFilters: osconfig.OsPolicyAssignmentOsPolicyResourceGroupInventoryFilterArray{
&osconfig.OsPolicyAssignmentOsPolicyResourceGroupInventoryFilterArgs{
OsShortName: pulumi.String("centos"),
OsVersion: pulumi.String("8.*"),
},
},
},
},
AllowNoResourceGroupMatch: pulumi.Bool(false),
Description: pulumi.String("A test os policy"),
},
},
Rollout: &osconfig.OsPolicyAssignmentRolloutArgs{
DisruptionBudget: &osconfig.OsPolicyAssignmentRolloutDisruptionBudgetArgs{
Percent: pulumi.Int(100),
},
MinWaitDuration: pulumi.String("3s"),
},
Description: pulumi.String("A test os policy assignment"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.osconfig.OsPolicyAssignment;
import com.pulumi.gcp.osconfig.OsPolicyAssignmentArgs;
import com.pulumi.gcp.osconfig.inputs.OsPolicyAssignmentInstanceFilterArgs;
import com.pulumi.gcp.osconfig.inputs.OsPolicyAssignmentOsPolicyArgs;
import com.pulumi.gcp.osconfig.inputs.OsPolicyAssignmentRolloutArgs;
import com.pulumi.gcp.osconfig.inputs.OsPolicyAssignmentRolloutDisruptionBudgetArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var primary = new OsPolicyAssignment("primary", OsPolicyAssignmentArgs.builder()
.instanceFilter(OsPolicyAssignmentInstanceFilterArgs.builder()
.all(false)
.exclusionLabels(OsPolicyAssignmentInstanceFilterExclusionLabelArgs.builder()
.labels(Map.of("label-two", "value-two"))
.build())
.inclusionLabels(OsPolicyAssignmentInstanceFilterInclusionLabelArgs.builder()
.labels(Map.of("label-one", "value-one"))
.build())
.inventories(OsPolicyAssignmentInstanceFilterInventoryArgs.builder()
.osShortName("centos")
.osVersion("8.*")
.build())
.build())
.location("us-central1-a")
.name("policy-assignment")
.osPolicies(OsPolicyAssignmentOsPolicyArgs.builder()
.id("policy")
.mode("VALIDATION")
.resourceGroups(OsPolicyAssignmentOsPolicyResourceGroupArgs.builder()
.resources(
OsPolicyAssignmentOsPolicyResourceGroupResourceArgs.builder()
.id("apt-to-yum")
.repository(OsPolicyAssignmentOsPolicyResourceGroupResourceRepositoryArgs.builder()
.apt(OsPolicyAssignmentOsPolicyResourceGroupResourceRepositoryAptArgs.builder()
.archiveType("DEB")
.components("doc")
.distribution("debian")
.uri("https://atl.mirrors.clouvider.net/debian")
.gpgKey(".gnupg/pubring.kbx")
.build())
.build())
.build(),
OsPolicyAssignmentOsPolicyResourceGroupResourceArgs.builder()
.id("exec1")
.exec(OsPolicyAssignmentOsPolicyResourceGroupResourceExecArgs.builder()
.validate(OsPolicyAssignmentOsPolicyResourceGroupResourceExecValidateArgs.builder()
.interpreter("SHELL")
.args("arg1")
.file(OsPolicyAssignmentOsPolicyResourceGroupResourceExecValidateFileArgs.builder()
.localPath("$HOME/script.sh")
.build())
.outputFilePath("$HOME/out")
.build())
.enforce(OsPolicyAssignmentOsPolicyResourceGroupResourceExecEnforceArgs.builder()
.interpreter("SHELL")
.args("arg1")
.file(OsPolicyAssignmentOsPolicyResourceGroupResourceExecEnforceFileArgs.builder()
.allowInsecure(true)
.remote(OsPolicyAssignmentOsPolicyResourceGroupResourceExecEnforceFileRemoteArgs.builder()
.uri("https://www.example.com/script.sh")
.sha256Checksum("c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063")
.build())
.build())
.outputFilePath("$HOME/out")
.build())
.build())
.build())
.inventoryFilters(OsPolicyAssignmentOsPolicyResourceGroupInventoryFilterArgs.builder()
.osShortName("centos")
.osVersion("8.*")
.build())
.build())
.allowNoResourceGroupMatch(false)
.description("A test os policy")
.build())
.rollout(OsPolicyAssignmentRolloutArgs.builder()
.disruptionBudget(OsPolicyAssignmentRolloutDisruptionBudgetArgs.builder()
.percent(100)
.build())
.minWaitDuration("3s")
.build())
.description("A test os policy assignment")
.build());
}
}Content copied to clipboard
resources:
primary:
type: gcp:osconfig:OsPolicyAssignment
properties:
instanceFilter:
all: false
exclusionLabels:
- labels:
label-two: value-two
inclusionLabels:
- labels:
label-one: value-one
inventories:
- osShortName: centos
osVersion: 8.*
location: us-central1-a
name: policy-assignment
osPolicies:
- id: policy
mode: VALIDATION
resourceGroups:
- resources:
- id: apt-to-yum
repository:
apt:
archiveType: DEB
components:
- doc
distribution: debian
uri: https://atl.mirrors.clouvider.net/debian
gpgKey: .gnupg/pubring.kbx
- id: exec1
exec:
validate:
interpreter: SHELL
args:
- arg1
file:
localPath: $HOME/script.sh
outputFilePath: $HOME/out
enforce:
interpreter: SHELL
args:
- arg1
file:
allowInsecure: true
remote:
uri: https://www.example.com/script.sh
sha256Checksum: c7938fed83afdccbb0e86a2a2e4cad7d5035012ca3214b4a61268393635c3063
outputFilePath: $HOME/out
inventoryFilters:
- osShortName: centos
osVersion: 8.*
allowNoResourceGroupMatch: false
description: A test os policy
rollout:
disruptionBudget:
percent: 100
minWaitDuration: 3s
description: A test os policy assignmentContent copied to clipboard
Import
OSPolicyAssignment can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/osPolicyAssignments/{{name}}{{project}}/{{location}}/{{name}}{{location}}/{{name}}When using thepulumi importcommand, OSPolicyAssignment can be imported using one of the formats above. For example:
$ pulumi import gcp:osconfig/osPolicyAssignment:OsPolicyAssignment default projects/{{project}}/locations/{{location}}/osPolicyAssignments/{{name}}Content copied to clipboard
$ pulumi import gcp:osconfig/osPolicyAssignment:OsPolicyAssignment default {{project}}/{{location}}/{{name}}Content copied to clipboard
$ pulumi import gcp:osconfig/osPolicyAssignment:OsPolicyAssignment default {{location}}/{{name}}Content copied to clipboard
Properties
Link copied to clipboard
Link copied to clipboard
OS policy assignment description. Length of the description is limited to 1024 characters.
Link copied to clipboard
Filter to select VMs. Structure is documented below.
Link copied to clipboard
List of OS policies to be applied to the VMs. Structure is documented below.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Output only. Indicates that reconciliation is in progress for the revision. This value is true when the rollout_state is one of:
Link copied to clipboard
Output only. The timestamp that the revision was created.
Link copied to clipboard
Output only. The assignment revision ID A new revision is committed whenever a rollout is triggered for a OS policy assignment
Link copied to clipboard
Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created.
Link copied to clipboard
Output only. OS policy assignment rollout state
Link copied to clipboard
Set to true to skip awaiting rollout during resource creation and update.