gcpdiag.queries.orgpolicy

Queries related to organization policy constraints.
# Resource-type identifiers. NOTE(review): presumably the collection segment of
# a resource name such as 'projects/<id>' or 'organizations/<id>'; their use is
# not visible in this listing - confirm against callers.
RESOURCE_TYPE_PROJECT = 'projects'
RESOURCE_TYPE_ORGANIZATION = 'organizations'
class PolicyConstraint:
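class PolicyConstraint:
  """Base wrapper for one organization policy constraint.

  Attributes:
    name: The constraint name, as passed to the constructor.
  """

  def __init__(self, name, resource_data):
    """Store the constraint name and its raw policy payload.

    Args:
        name: Constraint name.
        resource_data: Policy payload for this constraint. The subclasses in
            this module read it with dict-style .get() calls.
    """
    self.name = name
    self._resource_data = resource_data

  def __str__(self):
    """Return '<name>: <payload>' for logs and reports."""
    # Formatting through the f-string replaces the direct __str__() call; the
    # trailing `pass` of the original was dead code and is dropped.
    return f'{self.name}: {self._resource_data}'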
PolicyConstraint(name, resource_data)
31  def __init__(self, name, resource_data):
32    self.name = name
33    self._resource_data = resource_data
name
class BooleanPolicyConstraint(PolicyConstraint):
class BooleanPolicyConstraint(PolicyConstraint):
  """Constraint backed by a boolean policy payload."""

  def is_enforced(self) -> bool:
    """Return the payload's 'enforced' value.

    A payload without an 'enforced' key is reported as False, so False covers
    both an explicit false and a missing key. Whether the answer reflects
    inherited policy depends on where the payload was fetched from.
    """
    policy_data = self._resource_data
    return policy_data.get('enforced', False)
def is_enforced(self) -> bool:
43  def is_enforced(self) -> bool:
44    return self._resource_data.get('enforced', False)
class ListPolicyConstraint(PolicyConstraint):
class ListPolicyConstraint(PolicyConstraint):
  """Constraint backed by a list policy payload.

  NOTE(review): only the explicit 'allowedValues' / 'deniedValues' lists are
  exposed. The v1 ListPolicy also has an `allValues` allow-all / deny-all
  setting that is not read here, so an empty list should not be taken to mean
  "no restriction" - confirm how callers handle that case.
  """

  def allowed_values(self) -> List[str]:
    """Return the payload's 'allowedValues' list, or [] when the key is absent."""
    policy_data = self._resource_data
    return policy_data.get('allowedValues', [])

  def denied_values(self) -> List[str]:
    """Return the payload's 'deniedValues' list, or [] when the key is absent."""
    policy_data = self._resource_data
    return policy_data.get('deniedValues', [])
def allowed_values(self) -> List[str]:
49  def allowed_values(self) -> List[str]:
50    return self._resource_data.get('allowedValues', [])
def denied_values(self) -> List[str]:
52  def denied_values(self) -> List[str]:
53    return self._resource_data.get('deniedValues', [])
class RestoreDefaultPolicyConstraint(PolicyConstraint):
class RestoreDefaultPolicyConstraint(PolicyConstraint):
  """Constraint whose policy restores the constraint's default behavior."""

  def is_default_restored(self) -> bool:
    """Report that the constraintDefault enforcement behavior is restored.

    Always True: the payload is not inspected, the wrapper type itself
    carries the meaning.
    """
    return True
def is_default_restored(self) -> bool:
def is_default_restored(self) -> bool:
  """Report that the constraintDefault enforcement behavior is restored.

  Always True; the stored payload is not inspected.
  """
  return True

Indicates that the constraintDefault enforcement behavior is restored.

def get_effective_org_policy(project_id: str, constraint: str):
def get_effective_org_policy(project_id: str, constraint: str):
  """Return the effective org policy entry for one constraint of a project.

  Args:
      project_id: The project ID.
      constraint: Constraint name to look up.

  Returns:
      The entry stored under `constraint` by
      _get_effective_org_policy_all_constraints() (helper not shown here).

  Raises:
      ValueError: if `constraint` is not among the constraints the helper
          returned. Callers should treat this as "unknown", not as
          "not enforced".
  """
  supported = _get_effective_org_policy_all_constraints(project_id)
  if constraint in supported:
    return supported[constraint]
  raise ValueError(
      f'constraint {constraint} not supported {list(supported)}')
@caching.cached_api_call
def get_all_project_org_policies(project_id: str):
@caching.cached_api_call
def get_all_project_org_policies(project_id: str):
  """List the org policies set on a project.

  Pages through the Cloud Resource Manager v1 `listOrgPolicies` call for
  `projects/<project_id>` and wraps each returned policy in the
  PolicyConstraint subclass matching its payload key (booleanPolicy,
  listPolicy or restoreDefault). Policies carrying none of those keys are
  logged as a warning and left out of the result.

  NOTE(review): these are the policies *set on* the project resource;
  policies inherited from a folder or organization are presumably not listed
  here, so use get_effective_org_policy() when the question is what is
  actually enforced - confirm against the API reference.

  Args:
      project_id: The project ID.

  Returns:
      A dictionary of PolicyConstraint objects, keyed by constraint name.

  Raises:
      utils.GcpApiError: on API errors.
  """
  crm_api = apis.get_api('cloudresourcemanager', 'v1', project_id)
  resource = f'projects/{project_id}'
  policies_by_name: Dict[str, PolicyConstraint] = {}
  logging.debug('listing org policies of %s', project_id)

  # Checked in this order; the first payload key present picks the wrapper.
  wrappers = (
      ('booleanPolicy', BooleanPolicyConstraint),
      ('listPolicy', ListPolicyConstraint),
      ('restoreDefault', RestoreDefaultPolicyConstraint),
  )

  request = crm_api.projects().listOrgPolicies(resource=resource)
  while request:
    try:
      response = request.execute(num_retries=config.API_RETRIES)
    except googleapiclient.errors.HttpError as err:
      raise utils.GcpApiError(err) from err

    for policy in response.get('policies', []):
      constraint_name = policy.get('constraint')
      for payload_key, wrapper_cls in wrappers:
        if payload_key in policy:
          policies_by_name[constraint_name] = wrapper_cls(
              constraint_name, policy[payload_key])
          break
      else:
        logging.warning('unknown constraint type: %s', policy)

    # Presumably falsy once there are no more pages, which ends the loop.
    request = crm_api.projects().listOrgPolicies_next(request, response)

  return policies_by_name

List all the org policies set for a particular resource.

Arguments:
  • project_id: The project ID.
Returns:

A dictionary of PolicyConstraint objects, keyed by constraint name.

Raises:
  • utils.GcpApiError: on API errors.