From 34fa2676afcd68b5adfc34e2a4299000dc8fca7d Mon Sep 17 00:00:00 2001 From: megan07 Date: Thu, 16 Jul 2020 14:17:14 -0500 Subject: [PATCH] add os config guest policies (#3743) * add os config guest policies * update self link to be full path for name --- products/osconfig/api.yaml | 704 ++++++++++++++++++ products/osconfig/terraform.yaml | 48 ++ .../os_config_guest_policies_basic.tf.erb | 42 ++ .../os_config_guest_policies_packages.tf.erb | 54 ++ .../os_config_guest_policies_recipes.tf.erb | 29 + 5 files changed, 877 insertions(+) create mode 100644 templates/terraform/examples/os_config_guest_policies_basic.tf.erb create mode 100644 templates/terraform/examples/os_config_guest_policies_packages.tf.erb create mode 100644 templates/terraform/examples/os_config_guest_policies_recipes.tf.erb diff --git a/products/osconfig/api.yaml b/products/osconfig/api.yaml index 3c4b8e539a10..2efb4e6b6ae8 100644 --- a/products/osconfig/api.yaml +++ b/products/osconfig/api.yaml @@ -18,6 +18,9 @@ versions: - !ruby/object:Api::Product::Version name: ga base_url: https://osconfig.googleapis.com/v1/ + - !ruby/object:Api::Product::Version + name: beta + base_url: https://osconfig.googleapis.com/v1beta/ apis_required: - !ruby/object:Api::Product::ApiReference name: Identity and Access Management (IAM) API @@ -838,3 +841,704 @@ objects: One day of the month. 1-31 indicates the 1st to the 31st day. -1 indicates the last day of the month. Months without the target day will be skipped. For example, a schedule to run "every month on the 31st" will not run in February, April, June, etc. + - !ruby/object:Api::Resource + name: 'GuestPolicies' + base_url: "projects/{{project}}/guestPolicies" + create_url: "projects/{{project}}/guestPolicies?guestPolicyId={{guest_policy_id}}" + update_verb: :PATCH + self_link: "projects/{{project}}/guestPolicies/{{guest_policy_id}}" + min_version: beta + description: | + An OS Config resource representing a guest configuration policy. These policies represent + the desired state for VM instance guest environments including packages to install or remove, + package repository configurations, and software to install. + references: !ruby/object:Api::Resource::ReferenceLinks + guides: + 'Official Documentation': + 'https://cloud.google.com/compute/docs/os-config-management' + api: 'https://cloud.google.com/compute/docs/osconfig/rest' + parameters: + - !ruby/object:Api::Type::String + name: 'guestPolicyId' + description: | + The logical name of the guest policy in the project with the following restrictions: + * Must contain only lowercase letters, numbers, and hyphens. + * Must start with a letter. + * Must be between 1-63 characters. + * Must end with a number or a letter. + * Must be unique within the project. + required: true + url_param_only: true + properties: + - !ruby/object:Api::Type::String + name: 'name' + description: | + Unique name of the resource in this project using one of the following forms: projects/{project_number}/guestPolicies/{guestPolicyId}. + output: true + - !ruby/object:Api::Type::String + name: 'description' + description: | + Description of the guest policy. Length of the description is limited to 1024 characters. + - !ruby/object:Api::Type::NestedObject + name: 'assignment' + required: true + description: | + Specifies the VM instances that are assigned to this policy. This allows you to target sets + or groups of VM instances by different parameters such as labels, names, OS, or zones. + If left empty, all VM instances underneath this policy are targeted. + At the same level in the resource hierarchy (that is within a project), the service prevents + the creation of multiple policies that conflict with each other. + For more information, see how the service + [handles assignment conflicts](https://cloud.google.com/compute/docs/os-config-management/create-guest-policy#handle-conflicts). + properties: + - !ruby/object:Api::Type::Array + name: 'groupLabels' + at_least_one_of: + - assignment.0.group_labels + - assignment.0.zones + - assignment.0.instances + - assignment.0.instance_name_prefixes + - assignment.0.os_types + description: | + Targets instances matching at least one of these label sets. This allows an assignment to target disparate groups, + for example "env=prod or env=staging". + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::KeyValuePairs + name: 'labels' + required: true + description: | + Google Compute Engine instance labels that must be present for an instance to be included in this assignment group. + - !ruby/object:Api::Type::Array + name: 'zones' + at_least_one_of: + - assignment.0.group_labels + - assignment.0.zones + - assignment.0.instances + - assignment.0.instance_name_prefixes + - assignment.0.os_types + description: | + Targets instances in any of these zones. Leave empty to target instances in any zone. + Zonal targeting is uncommon and is supported to facilitate the management of changes by zone. + item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'instances' + at_least_one_of: + - assignment.0.group_labels + - assignment.0.zones + - assignment.0.instances + - assignment.0.instance_name_prefixes + - assignment.0.os_types + description: | + Targets any of the instances specified. Instances are specified by their URI in the form + zones/[ZONE]/instances/[INSTANCE_NAME]. + Instance targeting is uncommon and is supported to facilitate the management of changes + by the instance or to target specific VM instances for development and testing. + Only supported for project-level policies and must reference instances within this project. + item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'instanceNamePrefixes' + at_least_one_of: + - assignment.0.group_labels + - assignment.0.zones + - assignment.0.instances + - assignment.0.instance_name_prefixes + - assignment.0.os_types + description: | + Targets VM instances whose name starts with one of these prefixes. + Like labels, this is another way to group VM instances when targeting configs, + for example prefix="prod-". + Only supported for project-level policies. + item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'osTypes' + at_least_one_of: + - assignment.0.group_labels + - assignment.0.zones + - assignment.0.instances + - assignment.0.instance_name_prefixes + - assignment.0.os_types + description: | + Targets VM instances matching at least one of the following OS types. + VM instances must match all supplied criteria for a given OsType to be included. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'osShortName' + description: | + Targets VM instances with OS Inventory enabled and having the following OS short name, for example "debian" or "windows". + - !ruby/object:Api::Type::String + name: 'osVersion' + description: | + Targets VM instances with OS Inventory enabled and having the following following OS version. + - !ruby/object:Api::Type::String + name: 'osArchitecture' + description: | + Targets VM instances with OS Inventory enabled and having the following OS architecture. + - !ruby/object:Api::Type::Array + name: 'packages' + description: | + The software packages to be managed by this policy. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'name' + description: | + The name of the package. A package is uniquely identified for conflict validation + by checking the package name and the manager(s) that the package targets. + required: true + - !ruby/object:Api::Type::Enum + name: 'desiredState' + description: | + The desiredState the agent should maintain for this package. The default is to ensure the package is installed. + values: + - :INSTALLED + - :UPDATED + - :REMOVED + - !ruby/object:Api::Type::Enum + name: 'manager' + description: | + Type of package manager that can be used to install this package. If a system does not have the package manager, + the package is not installed or removed no error message is returned. By default, or if you specify ANY, + the agent attempts to install and remove this package using the default package manager. + This is useful when creating a policy that applies to different types of systems. + The default behavior is ANY. + default_value: :ANY + values: + - :ANY + - :APT + - :YUM + - :ZYPPER + - :GOO + - !ruby/object:Api::Type::Array + name: 'packageRepositories' + description: | + A list of package repositories to configure on the VM instance. + This is done before any other configs are applied so they can use these repos. + Package repositories are only configured if the corresponding package manager(s) are available. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'apt' + description: | + An Apt Repository. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::Enum + name: 'archiveType' + description: | + Type of archive files in this repository. The default behavior is DEB. + default_value: :DEB + values: + - :DEB + - :DEB_SRC + - !ruby/object:Api::Type::String + name: 'uri' + description: | + URI for this repository. + required: true + - !ruby/object:Api::Type::String + name: 'distribution' + description: | + Distribution of this repository. + required: true + - !ruby/object:Api::Type::Array + name: 'components' + description: | + List of components for this repository. Must contain at least one item. + required: true + item_type: Api::Type::String + - !ruby/object:Api::Type::String + name: 'gpgKey' + description: | + URI of the key file for this repository. The agent maintains a keyring at + /etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg containing all the keys in any applied guest policy. + - !ruby/object:Api::Type::NestedObject + name: 'yum' + description: | + A Yum Repository. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'id' + description: | + A one word, unique name for this repository. This is the repo id in the Yum config file and also the displayName + if displayName is omitted. This id is also used as the unique identifier when checking for guest policy conflicts. + required: true + - !ruby/object:Api::Type::String + name: 'displayName' + description: | + The display name of the repository. + - !ruby/object:Api::Type::String + name: 'baseUrl' + description: | + The location of the repository directory. + required: true + - !ruby/object:Api::Type::Array + name: 'gpgKeys' + description: | + URIs of GPG keys. + item_type: Api::Type::String + - !ruby/object:Api::Type::NestedObject + name: 'zypper' + description: | + A Zypper Repository. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'id' + description: | + A one word, unique name for this repository. This is the repo id in the zypper config file and also the displayName + if displayName is omitted. This id is also used as the unique identifier when checking for guest policy conflicts. + required: true + - !ruby/object:Api::Type::String + name: 'displayName' + description: | + The display name of the repository. + - !ruby/object:Api::Type::String + name: 'baseUrl' + description: | + The location of the repository directory. + required: true + - !ruby/object:Api::Type::Array + name: 'gpgKeys' + description: | + URIs of GPG keys. + item_type: Api::Type::String + - !ruby/object:Api::Type::NestedObject + name: 'goo' + description: | + A Goo Repository. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'name' + description: | + The name of the repository. + required: true + - !ruby/object:Api::Type::String + name: 'url' + description: | + The url of the repository. + required: true + - !ruby/object:Api::Type::Array + name: 'recipes' + description: | + A list of Recipes to install on the VM instance. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'name' + description: | + Unique identifier for the recipe. Only one recipe with a given name is installed on an instance. + Names are also used to identify resources which helps to determine whether guest policies have conflicts. + This means that requests to create multiple recipes with the same name and version are rejected since they + could potentially have conflicting assignments. + required: true + - !ruby/object:Api::Type::String + name: 'version' + description: | + The version of this software recipe. Version can be up to 4 period separated numbers (e.g. 12.34.56.78). + - !ruby/object:Api::Type::Array + name: 'artifacts' + description: | + Resources available to be used in the steps in the recipe. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'id' + description: | + Id of the artifact, which the installation and update steps of this recipe can reference. + Artifacts in a recipe cannot have the same id. + required: true + - !ruby/object:Api::Type::Boolean + name: 'allowInsecure' + description: | + Defaults to false. When false, recipes are subject to validations based on the artifact type: + Remote: A checksum must be specified, and only protocols with transport-layer security are permitted. + GCS: An object generation number must be specified. + default_value: false + - !ruby/object:Api::Type::NestedObject + name: 'remote' + description: | + A generic remote artifact. + # TODO (mbang): add conflicts_with when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'uri' + description: | + URI from which to fetch the object. It should contain both the protocol and path following the format {protocol}://{location}. + - !ruby/object:Api::Type::String + name: 'checkSum' + description: | + Must be provided if allowInsecure is false. SHA256 checksum in hex format, to compare to the checksum of the artifact. + If the checksum is not empty and it doesn't match the artifact then the recipe installation fails before running any + of the steps. + - !ruby/object:Api::Type::NestedObject + name: 'gcs' + description: | + A Google Cloud Storage artifact. + # TODO (mbang): add conflicts_with when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'bucket' + description: | + Bucket of the Google Cloud Storage object. Given an example URL: https://storage.googleapis.com/my-bucket/foo/bar#1234567 + this value would be my-bucket. + - !ruby/object:Api::Type::String + name: 'object' + description: | + Name of the Google Cloud Storage object. Given an example URL: https://storage.googleapis.com/my-bucket/foo/bar#1234567 + this value would be foo/bar. + - !ruby/object:Api::Type::Integer + name: 'generation' + description: | + Must be provided if allowInsecure is false. Generation number of the Google Cloud Storage object. + https://storage.googleapis.com/my-bucket/foo/bar#1234567 this value would be 1234567. + - !ruby/object:Api::Type::Array + name: 'installSteps' + description: | + Actions to be taken for installing this recipe. On failure it stops executing steps and does not attempt another installation. + Any steps taken (including partially completed steps) are not rolled back. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'fileCopy' + description: | + Copies a file onto the instance. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::String + name: 'destination' + description: | + The absolute path on the instance to put the file. + required: true + - !ruby/object:Api::Type::Boolean + name: 'overwrite' + description: | + Whether to allow this step to overwrite existing files.If this is false and the file already exists the file + is not overwritten and the step is considered a success. Defaults to false. + default_value: false + - !ruby/object:Api::Type::String + name: 'permissions' + description: | + Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users + for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit + number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one + bit corresponds to the execute permission. Default behavior is 755. + + Below are some examples of permissions and their associated values: + read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 + - !ruby/object:Api::Type::NestedObject + name: 'archiveExtraction' + description: | + Extracts an archive into the specified directory. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::String + name: 'destination' + description: | + Directory to extract archive to. Defaults to / on Linux or C:\ on Windows. + - !ruby/object:Api::Type::Enum + name: 'type' + description: | + The type of the archive to extract. + required: true + values: + - :TAR + - :TAR_GZIP + - :TAR_BZIP + - :TAR_LZMA + - :TAR_XZ + - :ZIP + - !ruby/object:Api::Type::NestedObject + name: 'msiInstallation' + description: | + Installs an MSI file. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::Array + name: 'flags' + description: | + The flags to use when installing the MSI defaults to ["/i"] (i.e. the install flag). + item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'allowedExitCodes' + description: | + Return codes that indicate that the software installed or updated successfully. Behaviour defaults to [0] + item_type: Api::Type::Integer + - !ruby/object:Api::Type::NestedObject + name: 'dpkgInstallation' + description: | + Installs a deb file via dpkg. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::NestedObject + name: 'rpmInstallation' + description: | + Installs an rpm file via the rpm utility. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::NestedObject + name: 'fileExec' + description: | + Executes an artifact or local file. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::Array + name: 'args' + description: | + Arguments to be passed to the provided executable. + item_type: Api::Type::String + - !ruby/object:Api::Type::String + name: 'allowedExitCodes' + description: | + A list of possible return values that the program can return to indicate a success. Defaults to [0]. + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + - !ruby/object:Api::Type::String + name: 'localPath' + description: | + The absolute path of the file on the local filesystem. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + - !ruby/object:Api::Type::NestedObject + name: 'scriptRun' + description: | + Runs commands in a shell. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'script' + description: | + The shell script to be executed. + required: true + - !ruby/object:Api::Type::Array + name: 'allowedExitCodes' + description: | + Return codes that indicate that the software installed or updated successfully. Behaviour defaults to [0] + item_type: Api::Type::Integer + - !ruby/object:Api::Type::Enum + name: 'interpreter' + description: | + The script interpreter to use to run the script. If no interpreter is specified the script is executed directly, + which likely only succeed for scripts with shebang lines. + values: + - :SHELL + - :POWERSHELL + - !ruby/object:Api::Type::Array + name: 'updateSteps' + description: | + Actions to be taken for updating this recipe. On failure it stops executing steps and does not attempt another update for this recipe. + Any steps taken (including partially completed steps) are not rolled back. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'fileCopy' + description: | + Copies a file onto the instance. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::String + name: 'destination' + description: | + The absolute path on the instance to put the file. + required: true + - !ruby/object:Api::Type::Boolean + name: 'overwrite' + description: | + Whether to allow this step to overwrite existing files.If this is false and the file already exists the file + is not overwritten and the step is considered a success. Defaults to false. + default_value: false + - !ruby/object:Api::Type::String + name: 'permissions' + description: | + Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users + for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit + number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one + bit corresponds to the execute permission. Default behavior is 755. + + Below are some examples of permissions and their associated values: + read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 + - !ruby/object:Api::Type::NestedObject + name: 'archiveExtraction' + description: | + Extracts an archive into the specified directory. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::String + name: 'destination' + description: | + Directory to extract archive to. Defaults to / on Linux or C:\ on Windows. + - !ruby/object:Api::Type::Enum + name: 'type' + description: | + The type of the archive to extract. + required: true + values: + - :TAR + - :TAR_GZIP + - :TAR_BZIP + - :TAR_LZMA + - :TAR_XZ + - :ZIP + - !ruby/object:Api::Type::NestedObject + name: 'msiInstallation' + description: | + Installs an MSI file. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::Array + name: 'flags' + description: | + The flags to use when installing the MSI defaults to ["/i"] (i.e. the install flag). + item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'allowedExitCodes' + description: | + Return codes that indicate that the software installed or updated successfully. Behaviour defaults to [0] + item_type: Api::Type::Integer + - !ruby/object:Api::Type::NestedObject + name: 'dpkgInstallation' + description: | + Installs a deb file via dpkg. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::NestedObject + name: 'rpmInstallation' + description: | + Installs an rpm file via the rpm utility. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + required: true + - !ruby/object:Api::Type::NestedObject + name: 'fileExec' + description: | + Executes an artifact or local file. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::Array + name: 'args' + description: | + Arguments to be passed to the provided executable. + item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'allowedExitCodes' + description: | + A list of possible return values that the program can return to indicate a success. Defaults to [0]. + item_type: Api::Type::Integer + - !ruby/object:Api::Type::String + name: 'artifactId' + description: | + The id of the relevant artifact in the recipe. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + - !ruby/object:Api::Type::String + name: 'localPath' + description: | + The absolute path of the file on the local filesystem. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + - !ruby/object:Api::Type::NestedObject + name: 'scriptRun' + description: | + Runs commands in a shell. + # TODO (mbang): add exactly_one_of when it can be applied to lists (https://github.com/hashicorp/terraform-plugin-sdk/issues/470) + properties: + - !ruby/object:Api::Type::String + name: 'script' + description: | + The shell script to be executed. + required: true + - !ruby/object:Api::Type::Array + name: 'allowedExitCodes' + description: | + Return codes that indicate that the software installed or updated successfully. Behaviour defaults to [0] + item_type: Api::Type::Integer + - !ruby/object:Api::Type::Enum + name: 'interpreter' + description: | + The script interpreter to use to run the script. If no interpreter is specified the script is executed directly, + which likely only succeed for scripts with shebang lines. + values: + - :SHELL + - :POWERSHELL + - !ruby/object:Api::Type::Enum + name: 'desiredState' + description: | + Default is INSTALLED. The desired state the agent should maintain for this recipe. + + INSTALLED: The software recipe is installed on the instance but won't be updated to new versions. + INSTALLED_KEEP_UPDATED: The software recipe is installed on the instance. The recipe is updated to a higher version, + if a higher version of the recipe is assigned to this instance. + REMOVE: Remove is unsupported for software recipes and attempts to create or update a recipe to the REMOVE state is rejected. + default_value: :INSTALLED + values: + - :INSTALLED + - :UPDATED + - :REMOVED + - !ruby/object:Api::Type::String + name: 'createTime' + output: true + description: | + Time this guest policy was created. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. + Example: "2014-10-02T15:01:23.045123456Z". + - !ruby/object:Api::Type::String + name: 'updateTime' + output: true + description: | + Last time this guest policy was updated. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. + Example: "2014-10-02T15:01:23.045123456Z". + - !ruby/object:Api::Type::String + name: 'etag' + description: | + The etag for this guest policy. If this is provided on update, it must match the server's etag. diff --git a/products/osconfig/terraform.yaml b/products/osconfig/terraform.yaml index 3913a7250544..913b88b85bd9 100644 --- a/products/osconfig/terraform.yaml +++ b/products/osconfig/terraform.yaml @@ -63,6 +63,54 @@ overrides: !ruby/object:Overrides::ResourceOverrides encoder: templates/terraform/encoders/os_config_patch_deployment.go.erb decoder: templates/terraform/decoders/os_config_patch_deployment.go.erb custom_import: templates/terraform/custom_import/self_link_as_name.erb + GuestPolicies: !ruby/object:Overrides::Terraform::ResourceOverride + id_format: "{{name}}" + examples: + - !ruby/object:Provider::Terraform::Examples + name: "os_config_guest_policies_basic" + primary_resource_id: "guest_policies" + vars: + instance_name: "guest-policy-inst" + guest_policy_id: "guest-policy" + - !ruby/object:Provider::Terraform::Examples + name: "os_config_guest_policies_packages" + primary_resource_id: "guest_policies" + vars: + guest_policy_id: "guest-policy" + - !ruby/object:Provider::Terraform::Examples + name: "os_config_guest_policies_recipes" + primary_resource_id: "guest_policies" + vars: + guest_policy_id: "guest-policy" + properties: + guestPolicyId: !ruby/object:Overrides::Terraform::PropertyOverride + validation: !ruby/object:Provider::Terraform::Validation + regex: "(?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))" + recipes.installSteps.archiveExtraction.destination: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + recipes.installSteps.msiInstallation.flags: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + recipes.installSteps.msiInstallation.allowedExitCodes: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + recipes.installSteps.fileExec.allowedExitCodes: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + recipes.installSteps.scriptRun.allowedExitCodes: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + recipes.updateSteps.archiveExtraction.destination: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + recipes.updateSteps.msiInstallation.flags: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + recipes.updateSteps.msiInstallation.allowedExitCodes: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + recipes.updateSteps.fileExec.allowedExitCodes: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + recipes.updateSteps.scriptRun.allowedExitCodes: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + etag: !ruby/object:Overrides::Terraform::PropertyOverride + default_from_api: true + custom_code: !ruby/object:Provider::Terraform::CustomCode + post_create: templates/terraform/post_create/set_computed_name.erb + custom_import: templates/terraform/custom_import/self_link_as_name.erb # This is for copying files over files: !ruby/object:Provider::Config::Files diff --git a/templates/terraform/examples/os_config_guest_policies_basic.tf.erb b/templates/terraform/examples/os_config_guest_policies_basic.tf.erb new file mode 100644 index 000000000000..29eadc0991ee --- /dev/null +++ b/templates/terraform/examples/os_config_guest_policies_basic.tf.erb @@ -0,0 +1,42 @@ +data "google_compute_image" "my_image" { + provider = google-beta + family = "debian-9" + project = "debian-cloud" +} + +resource "google_compute_instance" "foobar" { + provider = google-beta + name = "<%= ctx[:vars]['instance_name'] %>" + machine_type = "n1-standard-1" + zone = "us-central1-a" + can_ip_forward = false + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = data.google_compute_image.my_image.self_link + } + } + + network_interface { + network = "default" + } + + metadata = { + foo = "bar" + } +} + +resource "google_os_config_guest_policies" "<%= ctx[:primary_resource_id] %>" { + provider = google-beta + guest_policy_id = "<%= ctx[:vars]['guest_policy_id'] %>" + + assignment { + instances = [google_compute_instance.foobar.id] + } + + packages { + name = "my-package" + desired_state = "UPDATED" + } +} \ No newline at end of file diff --git a/templates/terraform/examples/os_config_guest_policies_packages.tf.erb b/templates/terraform/examples/os_config_guest_policies_packages.tf.erb new file mode 100644 index 000000000000..a8fe5e23332b --- /dev/null +++ b/templates/terraform/examples/os_config_guest_policies_packages.tf.erb @@ -0,0 +1,54 @@ +resource "google_os_config_guest_policies" "<%= ctx[:primary_resource_id] %>" { + provider = google-beta + guest_policy_id = "<%= ctx[:vars]['guest_policy_id'] %>" + + assignment { + group_labels { + labels = { + color = "red", + env = "test" + } + } + + group_labels { + labels = { + color = "blue", + env = "test" + } + } + } + + packages { + name = "my-package" + desired_state = "INSTALLED" + } + + packages { + name = "bad-package-1" + desired_state = "REMOVED" + } + + packages { + name = "bad-package-2" + desired_state = "REMOVED" + manager = "APT" + } + + package_repositories { + apt { + uri = "https://packages.cloud.google.com/apt" + archive_type = "DEB" + distribution = "cloud-sdk-stretch" + components = ["main"] + } + } + + package_repositories { + yum { + id = "google-cloud-sdk" + display_name = "Google Cloud SDK" + base_url = "https://packages.cloud.google.com/yum/repos/cloud-sdk-el7-x86_64" + gpg_keys = ["https://packages.cloud.google.com/yum/doc/yum-key.gpg", "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"] + } + } +} \ No newline at end of file diff --git a/templates/terraform/examples/os_config_guest_policies_recipes.tf.erb b/templates/terraform/examples/os_config_guest_policies_recipes.tf.erb new file mode 100644 index 000000000000..718ca22a1154 --- /dev/null +++ b/templates/terraform/examples/os_config_guest_policies_recipes.tf.erb @@ -0,0 +1,29 @@ +resource "google_os_config_guest_policies" "<%= ctx[:primary_resource_id] %>" { + provider = google-beta + guest_policy_id = "<%= ctx[:vars]['guest_policy_id'] %>" + + assignment { + zones = ["us-east1-b", "us-east1-d"] + } + + recipes { + name = "<%= ctx[:vars]['guest_policy_id'] %>-recipe" + desired_state = "INSTALLED" + + artifacts { + id = "<%= ctx[:vars]['guest_policy_id'] %>-artifact-id" + + gcs { + bucket = "my-bucket" + object = "executable.msi" + generation = 1546030865175603 + } + } + + install_steps { + msi_installation { + artifact_id = "<%= ctx[:vars]['guest_policy_id'] %>-artifact-id" + } + } + } +} \ No newline at end of file