How to create an Org Policy Constraint with conditions? - GCP
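I am working on a small project in Python through which I can create the organization policy gcp.disableSerialPortAccess as a "not enforced" org policy with a condition of "tagValues/776487819778".
I have a feeling it is simple, but I don't understand how to create the request...
I tried to use this request, https://github.com/googleapis/python-org-policy/blob/main/samples/generated_samples/orgpolicy_v2_generated_org_policy_create_policy_sync.py, but I don't know how to structure it.
This is what I am trying to end up with:
https://cloud.google.com/resource-manager/docs/organization-policy/tags-organization-policy#boolean_policy_example
Spec: rule enforcement condition is "tagValues/776487819778"
Can someone help?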

from google.cloud import orgpolicy_v2
from google.cloud.orgpolicy_v2 import types

Exp=(
    "expression" : "tagValues/776487819778",
    "title" : "this is the title",
    "description" : "this is a description",
)

def build_policy():
    rule = types.PolicySpec.PolicyRule()
    rule.enforce = False
    rule.condition = (Exp)
    print(types.PolicySpec.PolicyRule)
    spec = types.PolicySpec()
    spec.rules.append(rule)
    policy = types.Policy(
        name="projects/project-id/policies/gcp.disableSerialPortAccess",
        spec = spec
    )
    return policy

def sample_update_policy():
    # Create a client
    client = orgpolicy_v2.OrgPolicyClient()
    policy = build_policy()
    # Debug - view created policy
    print(policy)
    # Initialize request argument(s)
    request = orgpolicy_v2.UpdatePolicyRequest(
        policy=policy,
    )
    # Make the request
    response = client.update_policy(request=request)
    # Handle the response
    print(response)

sample_update_policy()

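The expression field in your Exp needs to use the IAM attribute resource.matchTagId(tagKey, tagValues) to be a valid expression. From the IAM documentation:
"Checks whether the resource for the request has a tag with the specified key and value."
One more thing to note: the Exp dictionary must use curly braces instead of parentheses, in case it does not compile (or it may have been a typo):

# Using the IAM attribute
Exp = {
    "expression" : "resource.matchTagId('tagKeys/1234', 'tagValues/776487819778')",
    "title" : "this is the title",
    "description" : "this is a description",
}

This other page is also useful if you need more examples and details about the fields in the Policy type (including the CEL expression syntax).

Exp is a dictionary (Key/Value).
To replicate the example in your link, use the following code: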
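
from google.cloud.orgpolicy_v2 import types

def build_policy():
    # resource.matchTag() takes the namespaced key name ('<org-id>/<key short name>')
    # and the value's short name; resource.matchTagId() takes 'tagKeys/...' and
    # 'tagValues/...' IDs instead.
    Exp = {
        "expression" : "resource.matchTag('org-id-from-gcp/disableSerialAccess', 'yes')",
        "title" : "this is the title",
        "description" : "this is a description",
    }
    # Conditional rule: enforce the constraint on resources carrying the tag
    rule1 = types.PolicySpec.PolicyRule()
    rule1.enforce = True
    rule1.condition = Exp
    # Unconditional rule: do not enforce everywhere else
    rule2 = types.PolicySpec.PolicyRule()
    rule2.enforce = False
    spec = types.PolicySpec()
    spec.rules.append(rule1)
    spec.rules.append(rule2)
    policy = types.Policy(
        name="projects/project-id-from-gcp/policies/gcp.disableSerialPortAccess",
        spec = spec
    )
    return policy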
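
A local pre-flight check for the condition expressions discussed above, as an added example that is not part of the original question or answers. It uses only the standard library and never calls the Org Policy API; the names `lint_condition` and `lint_rules` are hypothetical, the numeric IDs in the samples are constructed, and it assumes only `resource.matchTag` and `resource.matchTagId` are in use.

```python
import re

# One call to resource.matchTag(...) or resource.matchTagId(...) with two quoted arguments.
CALL = re.compile(
    r"""^\s*resource\.(matchTagId|matchTag)\(\s*(['"])(.*?)\2\s*,\s*(['"])(.*?)\4\s*\)\s*$"""
)
KEY_ID = re.compile(r"^tagKeys/\d+$")
VALUE_ID = re.compile(r"^tagValues/\d+$")


def lint_condition(expression):
    """Return a list of problems; an empty list means the expression looks well formed."""
    m = CALL.match(expression)
    if not m:
        return ["not a resource.matchTag()/resource.matchTagId() call"]
    func, key, value = m.group(1), m.group(3), m.group(5)
    problems = []
    if func == "matchTagId":
        # The ID form needs permanent IDs on both sides.
        if not KEY_ID.match(key):
            problems.append("matchTagId key must look like tagKeys/<number>")
        if not VALUE_ID.match(value):
            problems.append("matchTagId value must look like tagValues/<number>")
    else:
        # The name form needs '<parent>/<key short name>' and a value short name.
        if KEY_ID.match(key) or VALUE_ID.match(value):
            problems.append("matchTag expects namespaced names, not IDs")
        elif "/" not in key:
            problems.append("matchTag key must look like <parent>/<key short name>")
    return problems


def lint_rules(rules):
    """Lint each conditional rule of a PolicySpec-shaped list of dicts, keyed by rule index."""
    report = {}
    for index, rule in enumerate(rules):
        condition = rule.get("condition")
        if condition:
            issues = lint_condition(condition.get("expression", ""))
            if issues:
                report[index] = issues
    return report


# Constructed sample: the question's bare tag value, then a valid ID-form rule.
SAMPLE_RULES = [
    {"enforce": False, "condition": {"expression": "tagValues/776487819778"}},
    {"enforce": True, "condition": {
        "expression": "resource.matchTagId('tagKeys/1234', 'tagValues/776487819778')"}},
    {"enforce": False},
]
```

Running `lint_rules(SAMPLE_RULES)` flags only rule 0, the bare `tagValues/...` string from the question; the unconditional rule is skipped because it has no condition.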