gcpdiag.queries.orgpolicy
Queries related to organization policy constraints.
# Organization policy constraint names listed for prefetching. Several of them
# are hardening controls (OS Login, Shielded VM, serial port access, automatic
# IAM grants for default service accounts, cross-project service account use).
# NOTE(review): the code that consumes this tuple is not shown on this page;
# presumably only these constraints are resolved ahead of time - confirm
# before assuming any other constraint can be queried.
PREFETCH_ORG_CONSTRAINTS = (
    'constraints/compute.disableSerialPortAccess',
    'constraints/compute.requireOsLogin',
    'constraints/compute.requireShieldedVm',
    'constraints/iam.automaticIamGrantsForDefaultServiceAccounts',
    'constraints/compute.disableSerialPortLogging',
    'constraints/compute.disableSshInBrowser',
    'constraints/iam.disableCrossProjectServiceAccountUsage',
)
class
PolicyConstraint:
class PolicyConstraint:
    """Base wrapper pairing a constraint name with its raw policy payload.

    The payload is stored as given and is only read by subclasses; nothing
    here validates its shape.
    """

    def __init__(self, name, resource_data):
        """Store the constraint name and the policy data that belongs to it."""
        self._resource_data = resource_data
        self.name = name

    def __str__(self):
        """Return '<name>: <payload>' with the payload rendered via str()."""
        payload_text = str(self._resource_data)
        return self.name + ': ' + payload_text
class BooleanPolicyConstraint(PolicyConstraint):
    """Constraint whose policy payload is a boolean policy."""

    def is_enforced(self) -> bool:
        """Return the payload's 'enforced' value, or False when it is absent.

        False only says the wrapped payload does not mark the constraint as
        enforced. Whether that reflects the effective policy depends on where
        the payload came from (a policy set on one resource versus an
        evaluated effective policy), which this class cannot tell.
        """
        enforced_flag = self._resource_data.get('enforced', False)
        return enforced_flag
Inherited Members
class ListPolicyConstraint(PolicyConstraint):
    """Constraint whose policy payload is a list policy.

    NOTE(review): a v1 list policy can also express allow-all / deny-all and
    parent inheritance through fields other than the two read here
    (presumably 'allValues' and 'inheritFromParent'); two empty lists should
    not be read as "unrestricted" without checking those - confirm against
    callers.
    """

    def allowed_values(self) -> List[str]:
        """Return the payload's 'allowedValues', or an empty list if absent."""
        allowed = self._resource_data.get('allowedValues', [])
        return allowed

    def denied_values(self) -> List[str]:
        """Return the payload's 'deniedValues', or an empty list if absent."""
        denied = self._resource_data.get('deniedValues', [])
        return denied
Inherited Members
class RestoreDefaultPolicyConstraint(PolicyConstraint):
    """Constraint whose policy payload is a 'restoreDefault' entry."""

    def is_default_restored(self) -> bool:
        """Report that the constraintDefault enforcement behavior is restored.

        Always True: the existence of this object is the signal, the payload
        is not consulted.
        """
        default_restored = True
        return default_restored
def
is_default_restored(self) -> bool:
def is_default_restored(self) -> bool:
    """Report that the constraintDefault enforcement behavior is restored.

    Always True; no instance state is read.
    """
    default_restored = True
    return default_restored
Indicates that the constraintDefault enforcement behavior is restored.
Inherited Members
def
get_effective_org_policy(project_id: str, constraint: str):
def get_effective_org_policy(project_id: str, constraint: str):
    """Return the effective org policy entry for one constraint of a project.

    Args:
      project_id: The project ID.
      constraint: Full constraint name, e.g. 'constraints/compute.requireOsLogin'.

    Returns:
      The entry stored for `constraint` in the mapping returned by
      _get_effective_org_policy_all_constraints(project_id).

    Raises:
      ValueError: if `constraint` is not a key of that mapping. The message
        lists the keys that are available.
    """
    # NOTE(review): which constraints the helper resolves is not visible here;
    # presumably it is limited to PREFETCH_ORG_CONSTRAINTS - confirm.
    all_constraints = _get_effective_org_policy_all_constraints(project_id)
    if constraint in all_constraints:
        return all_constraints[constraint]
    raise ValueError(
        f'constraint {constraint} not supported {list(all_constraints)}')
@caching.cached_api_call
def
get_all_project_org_policies(project_id: str):
@caching.cached_api_call
def get_all_project_org_policies(project_id: str):
    """List the org policies set on a project, wrapped by policy type.

    Pages through listOrgPolicies for `projects/{project_id}` and stores one
    wrapper object per returned policy.

    NOTE(review): listOrgPolicies reports the policies set on this resource.
    A constraint missing from the result may still apply through inheritance
    from a folder or the organization, so absence here is not evidence that a
    control is off; use get_effective_org_policy() for that question.

    Args:
      project_id: The project ID.

    Returns:
      A dictionary of PolicyConstraint objects, keyed by constraint name.

    Raises:
      utils.GcpApiError: on API errors.
    """
    # Checked in this order; the first payload key present decides the wrapper.
    wrappers_by_field = (
        ('booleanPolicy', BooleanPolicyConstraint),
        ('listPolicy', ListPolicyConstraint),
        ('restoreDefault', RestoreDefaultPolicyConstraint),
    )

    crm_api = apis.get_api('cloudresourcemanager', 'v1', project_id)
    all_constraints: Dict[str, PolicyConstraint] = {}
    logging.info('listing org policies of %s', project_id)

    request = crm_api.projects().listOrgPolicies(
        resource=f'projects/{project_id}')

    # listOrgPolicies_next yields a falsy request once the last page is read.
    while request:
        try:
            response = request.execute(num_retries=config.API_RETRIES)
        except googleapiclient.errors.HttpError as err:
            raise utils.GcpApiError(err) from err

        for policy in response.get('policies', []):
            constraint_name = policy.get('constraint')
            for field, wrapper_cls in wrappers_by_field:
                if field in policy:
                    all_constraints[constraint_name] = wrapper_cls(
                        constraint_name, policy[field])
                    break
            else:
                # None of the known payload keys is present; log and skip it.
                logging.warning('unknown constraint type: %s', policy)

        request = crm_api.projects().listOrgPolicies_next(request, response)

    return all_constraints
List all the org policies set for a particular resource.
Arguments:
- project_id: The project ID.
Returns:
A dictionary of PolicyConstraint objects, keyed by constraint name.
Raises:
- utils.GcpApiError: on API errors.