def Patch(self, policy_ref, title=None):
"""Patch an access policy.
Args:
policy_ref: resources.Resource, reference to the policy to patch
title: str, title of the policy or None if not updating
Returns:
AccessPolicy, the updated access policy
"""
policy = self.messages.AccessPolicy()
update_mask = []
if title is not None:
update_mask.append('title')
policy.title = title
update_mask.sort() # For ease-of-testing
m = self.messages
request_type = m.AccesscontextmanagerAccessPoliciesPatchRequest
request = request_type(
accessPolicy=policy,
name=policy_ref.RelativeName(),
updateMask=','.join(update_mask),
)
operation = self.client.accessPolicies.Patch(request)
poller = waiter.CloudOperationPoller(self.client.accessPolicies,
self.client.operations)
poller = util.OperationPoller(self.client.accessPolicies,
self.client.operations, policy_ref)
operation_ref = resources.REGISTRY.Parse(
operation.name, collection='accesscontextmanager.operations')
return waiter.WaitFor(
poller, operation_ref,
'Waiting for PATCH operation [{}]'.format(operation_ref.Name()))
def Patch(self,
level_ref,
description=None,
title=None,
combine_function=None,
basic_level_conditions=None):
"""Patch an access level.
Args:
level_ref: resources.Resource, reference to the level to patch
description: str, description of the level or None if not updating
title: str, title of the level or None if not updating
combine_function: ZoneTypeValueValuesEnum, combine function enum value of
the level or None if not updating
basic_level_conditions: list of Condition, the conditions for a basic
level or None if not updating
Returns:
AccessLevel, the updated access level
"""
level = self.messages.AccessLevel()
update_mask = []
if description is not None:
update_mask.append('description')
level.description = description
if title is not None:
update_mask.append('title')
level.title = title
if combine_function is not None:
update_mask.append('basic.combiningFunction')
level.basic = level.basic or self.messages.BasicLevel()
level.basic.combiningFunction = combine_function
if basic_level_conditions is not None:
update_mask.append('basic.conditions')
level.basic = level.basic or self.messages.BasicLevel()
level.basic.conditions = basic_level_conditions
update_mask.sort() # For ease-of-testing
m = self.messages
request_type = m.AccesscontextmanagerAccessPoliciesAccessLevelsPatchRequest
request = request_type(
accessLevel=level,
name=level_ref.RelativeName(),
updateMask=','.join(update_mask),
)
operation = self.client.accessPolicies_accessLevels.Patch(request)
poller = util.OperationPoller(self.client.accessPolicies_accessLevels,
self.client.operations, level_ref)
operation_ref = resources.REGISTRY.Parse(
operation.name, collection='accesscontextmanager.operations')
return waiter.WaitFor(
poller, operation_ref,
'Waiting for PATCH operation [{}]'.format(operation_ref.Name()))
def _ApplyPatch(self, perimeter_ref, perimeter, update_mask):
"""Applies a PATCH to the provided Service Perimeter."""
m = self.messages
update_mask = sorted(update_mask) # For ease-of-testing
request_type = (
m.AccesscontextmanagerAccessPoliciesServicePerimetersPatchRequest)
request = request_type(
servicePerimeter=perimeter,
name=perimeter_ref.RelativeName(),
updateMask=','.join(update_mask),
)
operation = self.client.accessPolicies_servicePerimeters.Patch(request)
poller = util.OperationPoller(self.client.accessPolicies_servicePerimeters,
self.client.operations, perimeter_ref)
operation_ref = core_resources.REGISTRY.Parse(
operation.name, collection='accesscontextmanager.operations')
return waiter.WaitFor(
poller, operation_ref,
'Waiting for PATCH operation [{}]'.format(operation_ref.Name()))
def Patch(self,
perimeter_ref,
description=None,
title=None,
perimeter_type=None,
resources=None,
restricted_services=None,
unrestricted_services=None,
levels=None,
ingress_allowed_services=None,
vpc_allowed_services=None,
bridge_allowed_services=None,
enable_ingress_service_restriction=None,
enable_vpc_service_restriction=None,
enable_bridge_service_restriction=None):
"""Patch a service perimeter.
Any non-None fields will be included in the update mask.
Args:
perimeter_ref: resources.Resource, reference to the perimeter to patch
description: str, description of the zone or None if not updating
title: str, title of the zone or None if not updating
perimeter_type: PerimeterTypeValueValuesEnum type enum value for the level
or None if not updating
resources: list of str, the names of resources (for now, just
'projects/...') in the zone or None if not updating.
restricted_services: list of str, the names of services
('example.googleapis.com') that *are* restricted by the access zone or
None if not updating.
unrestricted_services: list of str, the names of services
('example.googleapis.com') that *are not* restricted by the access zone
or None if not updating.
levels: list of Resource, the access levels (in the same policy) that must
be satisfied for calls into this zone or None if not updating.
ingress_allowed_services: list of str, the names of services
('example.googleapis.com') that *are* allowed to use Access Levels to
make a cross access zone boundary call, or None if not updating.
vpc_allowed_services: list of str, the names of services
('example.googleapis.com') that *are* allowed to be made within the
access zone, or None if not updating.
bridge_allowed_services: list of str, the names of services
('example.googleapis.com') that *are* allowed to use the bridge access
zone, or None if not updating.
enable_ingress_service_restriction: bool, whether to restrict the set of
APIs callable outside the access zone via Access Levels, or None if not
updating.
enable_vpc_service_restriction: bool, whether to restrict the set of APIs
callable within the access zone, or None if not updating.
enable_bridge_service_restriction: bool, whether to restrict the set of
APIs callable using the bridge access zone, or None if not updating.
Returns:
AccessZone, the updated access zone
"""
m = self.messages
perimeter = m.ServicePerimeter()
update_mask = []
if description is not None:
update_mask.append('description')
perimeter.description = description
if title is not None:
update_mask.append('title')
perimeter.title = title
if perimeter_type is not None:
update_mask.append('perimeterType')
perimeter.perimeterType = perimeter_type
status = m.ServicePerimeterConfig()
status_mutated = False
if resources is not None:
update_mask.append('status.resources')
status.resources = resources
status_mutated = True
if self.include_unrestricted_services and unrestricted_services is not None:
update_mask.append('status.unrestrictedServices')
status.unrestrictedServices = unrestricted_services
status_mutated = True
if restricted_services is not None:
update_mask.append('status.restrictedServices')
status.restrictedServices = restricted_services
status_mutated = True
if levels is not None:
update_mask.append('status.accessLevels')
status.accessLevels = [l.RelativeName() for l in levels]
status_mutated = True
def AddServiceRestrictionFields(allowed_services, enable_restriction,
restriction_type):
"""Utility function for adding service restriction fields."""
if allowed_services is None and enable_restriction is None:
return False
full_restriction_name = restriction_type + 'ServiceRestriction'
# Set empty message if absent.
if getattr(status, full_restriction_name) is None:
restriction_message = getattr(
m,
restriction_type.capitalize() + 'ServiceRestriction')()
setattr(status, full_restriction_name, restriction_message)
if allowed_services is not None:
update_mask.append('status.' + full_restriction_name +
'.allowedServices')
restriction_message = getattr(status, full_restriction_name)
restriction_message.allowedServices = allowed_services
if enable_restriction is not None:
update_mask.append('status.' + full_restriction_name +
'.enableRestriction')
restriction_message = getattr(status, full_restriction_name)
restriction_message.enableRestriction = enable_restriction
return True
status_mutated |= AddServiceRestrictionFields(
allowed_services=ingress_allowed_services,
enable_restriction=enable_ingress_service_restriction,
restriction_type='ingress')
status_mutated |= AddServiceRestrictionFields(
allowed_services=vpc_allowed_services,
enable_restriction=enable_vpc_service_restriction,
restriction_type='vpc')
status_mutated |= AddServiceRestrictionFields(
allowed_services=bridge_allowed_services,
enable_restriction=enable_bridge_service_restriction,
restriction_type='bridge')
if status_mutated:
perimeter.status = status
update_mask.sort() # For ease-of-testing
# No update mask implies no fields were actually edited, so this is a no-op.
if not update_mask:
log.warning(
'The update specified results in an identical resource. Skipping request.'
)
return perimeter
request_type = (
m.AccesscontextmanagerAccessPoliciesServicePerimetersPatchRequest)
request = request_type(
servicePerimeter=perimeter,
name=perimeter_ref.RelativeName(),
updateMask=','.join(update_mask),
)
operation = self.client.accessPolicies_servicePerimeters.Patch(request)
poller = util.OperationPoller(
self.client.accessPolicies_servicePerimeters,
self.client.operations, perimeter_ref)
operation_ref = core_resources.REGISTRY.Parse(
operation.name, collection='accesscontextmanager.operations')
return waiter.WaitFor(
poller, operation_ref,
'Waiting for PATCH operation [{}]'.format(operation_ref.Name()))
def Patch(self,
perimeter_ref,
description=None,
title=None,
perimeter_type=None,
resources=None,
restricted_services=None,
unrestricted_services=None,
levels=None,
vpc_allowed_services=None,
enable_vpc_accessible_services=None,
apply_to_dry_run_config=False,
clear_dry_run=False):
"""Patch a service perimeter.
Args:
perimeter_ref: resources.Resource, reference to the perimeter to patch
description: str, description of the zone or None if not updating
title: str, title of the zone or None if not updating
perimeter_type: PerimeterTypeValueValuesEnum type enum value for the level
or None if not updating
resources: list of str, the names of resources (for now, just
'projects/...') in the zone or None if not updating.
restricted_services: list of str, the names of services
('example.googleapis.com') that *are* restricted by the access zone or
None if not updating.
unrestricted_services: list of str, the names of services
('example.googleapis.com') that *are not* restricted by the access zone
or None if not updating.
levels: list of Resource, the access levels (in the same policy) that must
be satisfied for calls into this zone or None if not updating.
vpc_allowed_services: list of str, the names of services
('example.googleapis.com') that *are* allowed to be made within the
access zone, or None if not updating.
enable_vpc_accessible_services: bool, whether to restrict the set of APIs
callable within the access zone, or None if not updating.
apply_to_dry_run_config: When true, the configuration will be place in the
'spec' field instead of the 'status' field of the Service Perimeter.
clear_dry_run: When true, the ServicePerimeterConfig field for dry-run
(i.e. 'spec') will be cleared and dryRun will be set to False.
Returns:
ServicePerimeter, the updated Service Perimeter.
"""
m = self.messages
perimeter = m.ServicePerimeter()
update_mask = []
if description is not None:
update_mask.append('description')
perimeter.description = description
if title is not None:
update_mask.append('title')
perimeter.title = title
if perimeter_type is not None:
update_mask.append('perimeterType')
perimeter.perimeterType = perimeter_type
if not clear_dry_run:
mask_prefix = 'status' if not apply_to_dry_run_config else 'spec'
config, config_mask_additions = _CreateServicePerimeterConfig(
m, mask_prefix, self.include_unrestricted_services, resources,
restricted_services, unrestricted_services, levels,
vpc_allowed_services, enable_vpc_accessible_services)
if not apply_to_dry_run_config:
perimeter.status = config
else:
perimeter.useExplicitDryRunSpec = True
perimeter.spec = config
update_mask += config_mask_additions
if apply_to_dry_run_config and config_mask_additions:
update_mask.append('useExplicitDryRunSpec')
else:
update_mask.append('spec')
update_mask.append('useExplicitDryRunSpec')
perimeter.spec = None
perimeter.useExplicitDryRunSpec = False
update_mask.sort() # For ease-of-testing
# No update mask implies no fields were actually edited, so this is a no-op.
if not update_mask:
log.warning(
'The update specified results in an identical resource. Skipping request.'
)
return perimeter
request_type = (
m.AccesscontextmanagerAccessPoliciesServicePerimetersPatchRequest)
request = request_type(
servicePerimeter=perimeter,
name=perimeter_ref.RelativeName(),
updateMask=','.join(update_mask),
)
operation = self.client.accessPolicies_servicePerimeters.Patch(request)
poller = util.OperationPoller(
self.client.accessPolicies_servicePerimeters,
self.client.operations, perimeter_ref)
operation_ref = core_resources.REGISTRY.Parse(
operation.name, collection='accesscontextmanager.operations')
return waiter.WaitFor(
poller, operation_ref,
'Waiting for PATCH operation [{}]'.format(operation_ref.Name()))
def Patch(self,
perimeter_ref,
description=None,
title=None,
perimeter_type=None,
resources=None,
restricted_services=None,
unrestricted_services=None,
levels=None):
"""Patch a service perimeter.
Any non-None fields will be included in the update mask.
Args:
perimeter_ref: resources.Resource, reference to the perimeter to patch
description: str, description of the zone or None if not updating
title: str, title of the zone or None if not updating
perimeter_type: PerimeterTypeValueValuesEnum type enum value for the level
or None if not updating
resources: list of str, the names of resources (for now, just
'projects/...') in the zone or None if not updating.
restricted_services: list of str, the names of services
('example.googleapis.com') that *are* restricted by the access zone or
None if not updating.
unrestricted_services: list of str, the names of services
('example.googleapis.com') that *are not* restricted by the access zone
or None if not updating.
levels: list of Resource, the access levels (in the same policy) that must
be satisfied for calls into this zone or None if not updating.
Returns:
AccessZone, the updated access zone
"""
m = self.messages
perimeter = m.ServicePerimeter()
update_mask = []
if description is not None:
update_mask.append('description')
perimeter.description = description
if title is not None:
update_mask.append('title')
perimeter.title = title
if perimeter_type is not None:
update_mask.append('perimeterType')
perimeter.perimeterType = perimeter_type
status = m.ServicePerimeterConfig()
status_mutated = False
if resources is not None:
update_mask.append('status.resources')
status.resources = resources
status_mutated = True
if self.include_unrestricted_services and unrestricted_services is not None:
update_mask.append('status.unrestrictedServices')
status.unrestrictedServices = unrestricted_services
status_mutated = True
if restricted_services is not None:
update_mask.append('status.restrictedServices')
status.restrictedServices = restricted_services
status_mutated = True
if levels is not None:
update_mask.append('status.accessLevels')
status.accessLevels = [l.RelativeName() for l in levels]
status_mutated = True
if status_mutated:
perimeter.status = status
update_mask.sort() # For ease-of-testing
request_type = (
m.AccesscontextmanagerAccessPoliciesServicePerimetersPatchRequest)
request = request_type(
servicePerimeter=perimeter,
name=perimeter_ref.RelativeName(),
updateMask=','.join(update_mask),
)
operation = self.client.accessPolicies_servicePerimeters.Patch(request)
poller = util.OperationPoller(self.client.accessPolicies_servicePerimeters,
self.client.operations, perimeter_ref)
operation_ref = core_resources.REGISTRY.Parse(
operation.name, collection='accesscontextmanager.operations')
return waiter.WaitFor(
poller, operation_ref,
'Waiting for PATCH operation [{}]'.format(operation_ref.Name()))
def Patch(self,
zone_ref,
description=None,
title=None,
zone_type=None,
resources=None,
restricted_services=None,
unrestricted_services=None,
levels=None):
"""Patch an access zone.
Any non-None fields will be included in the update mask.
Args:
zone_ref: resources.Resource, reference to the zone to patch
description: str, description of the zone or None if not updating
title: str, title of the zone or None if not updating
zone_type: ZoneTypeValueValuesEnum, zone type enum value for
the level or None if not updating
resources: list of str, the names of resources (for now, just
'projects/...') in the zone or None if not updating.
restricted_services: list of str, the names of services
('example.googleapis.com') that *are* restricted by the access zone or
None if not updating.
unrestricted_services: list of str, the names of services
('example.googleapis.com') that *are not* restricted by the access zone
or None if not updating.
levels: list of Resource, the access levels (in the same policy) that must
be satisfied for calls into this zone or None if not updating.
Returns:
AccessZone, the updated access zone
"""
zone = self.messages.AccessZone()
update_mask = []
if description is not None:
update_mask.append('description')
zone.description = description
if title is not None:
update_mask.append('title')
zone.title = title
if zone_type is not None:
update_mask.append('zoneType')
zone.zoneType = zone_type
if resources is not None:
update_mask.append('resources')
zone.resources = resources
if unrestricted_services is not None:
update_mask.append('unrestrictedServices')
zone.unrestrictedServices = unrestricted_services
if restricted_services is not None:
update_mask.append('restrictedServices')
zone.restrictedServices = restricted_services
if levels is not None:
update_mask.append('accessLevels')
zone.accessLevels = [l.RelativeName() for l in levels]
update_mask.sort() # For ease-of-testing
m = self.messages
request_type = m.AccesscontextmanagerAccessPoliciesAccessZonesPatchRequest
request = request_type(
accessZone=zone,
name=zone_ref.RelativeName(),
updateMask=','.join(update_mask),
)
operation = self.client.accessPolicies_accessZones.Patch(request)
poller = util.OperationPoller(self.client.accessPolicies_accessZones,
self.client.operations, zone_ref)
operation_ref = core_resources.REGISTRY.Parse(
operation.name, collection='accesscontextmanager.operations')
return waiter.WaitFor(
poller, operation_ref,
'Waiting for PATCH operation [{}]'.format(operation_ref.Name()))
