1

I am working on a small project, to update an org policy constraints by using python. I want to use python because I have set up Secret Manager and Impersonation. Right now I am at this final stage, of modifying the org policy constraint

I have found the repo https://github.com/googleapis/python-org-policy/tree/40faa07298b3baa9a4d0ca26927b28fdd80aa03b/samples/generated_samples

With a code sample for creating a constraint.

I would like to modify this: "projects/project-id-from-gcp/policies/compute.skipDefaultNetworkCreation" to Enforced.

The code I have so far, is this:

from google.cloud import orgpolicy_v2


def sample_update_policy():
    # Create a client
    client = orgpolicy_v2.OrgPolicyClient()

    # Initialize request argument(s)
    request = orgpolicy_v2.UpdatePolicyRequest(
        policy="""
        name: "projects/project-id-from-gcp/policies/compute.skipDefaultNetworkCreation"
        spec {
          rules {
            enforce: true
            }
          }
        """
        
    )

    # Make the request
    response = client.update_policy(request=request)
    #
    # Handle the response
    print(response)
    
sample_update_policy()

But I get the error google.api_core.exceptions.InvalidArgument: 400 Request contains an invalid argument. I do not understand what to write exactly in "CreatePolicyRequest". I also found this, https://googleapis.dev/python/orgpolicy/1.0.2/orgpolicy_v2/types.html#google.cloud.orgpolicy_v2.types.Policy but it is not exactly clear to me.

I was looking at this https://cloud.google.com/python/docs/reference/orgpolicy/latest/google.cloud.orgpolicy_v2.services.org_policy.OrgPolicyClient#google_cloud_orgpolicy_v2_services_org_policy_OrgPolicyClient_update_policy But i honestly do not understand how to do it.

(I do not think what I modified it is even correct. )

Could you, please, point me in the right direction?

Thank you

John Hanley
  • 74,467
  • 6
  • 95
  • 159
motoTrail
  • 79
  • 3

1 Answers1

3

Your problem is that you are passing a YAML string as the parameter to UpdatePolicyRequest(). You were on the correct path with your links.

from google.cloud import orgpolicy_v2
from google.cloud.orgpolicy_v2 import types

def build_policy():
    rule = types.PolicySpec.PolicyRule()
    rule.enforce = True

    spec = types.PolicySpec()
    spec.rules.append(rule)

    policy = types.Policy(
        name="projects/project-id-from-gcp/policies/compute.skipDefaultNetworkCreation",
        spec = spec
    )

    return policy

def sample_update_policy():
    # Create a client
    client = orgpolicy_v2.OrgPolicyClient()

    policy = build_policy()

    # Debug - view created policy
    print(policy)

    # Initialize request argument(s)
    request = orgpolicy_v2.UpdatePolicyRequest(
        policy=policy
    )

    # Make the request
    response = client.update_policy(request=request)
    #
    # Handle the response
    print(response)

sample_update_policy()
John Hanley
  • 74,467
  • 6
  • 95
  • 159
  • Hello It is working, thank you. But if i want to set it inherited from parent? I have tried to remove the rules and add to types.PolicySpec.PolicyRule() as inherit_from_parent = True, but it does not recognize it. – motoTrail Feb 28 '22 at 10:12
  • @motoTrail Your original question has been answered. Create a new question with details. Do not forget to accept this answer so that the question does not remain open forever. – John Hanley Feb 28 '22 at 17:02