google.cloud.forseti.enforcer.batch_enforcer module

Manages enforcement of policies for multiple cloud projects in parallel.

class BatchFirewallEnforcer(global_configs=None, dry_run=False, concurrent_workers=1, project_sema=None, max_running_operations=0)

Bases: object

Manage the parallel enforcement of firewall policies across projects.

_enforce_project(project_id, firewall_policy, prechange_callback=None, add_rule_callback=None)

Enforces the policy on the project.

Parameters:
  • project_id (str) – The project id to enforce.
  • firewall_policy (list) – A list of rules which are used to construct a fe.FirewallRules object of expected rules to enforce.
  • prechange_callback (Callable) – See docstring for self.Run().
  • add_rule_callback (Callable) – See docstring for self.Run().
Returns:

The result proto.

Return type:

enforcer_log_pb2.GceFirewallEnforcementResult

_enforce_projects(project_policies, prechange_callback=None, new_result_callback=None, add_rule_callback=None)

Do a single enforcement run on the projects.

Parameters:
  • project_policies (iterable) – An iterable of (project_id, firewall_policy) tuples to enforce.
  • prechange_callback (Callable) – See docstring for self.Run().
  • new_result_callback (Callable) – See docstring for self.Run().
  • add_rule_callback (Callable) – See docstring for self.Run().
Returns:

The number of projects that were enforced.

Return type:

int

_summarize_results()

Parse enforcement results into the BatchResult summary proto.

compute_client

A thread-local instance of compute.ComputeClient.

Returns:

A Compute API client instance.

Return type:

compute.ComputeClient

run(project_policies, prechange_callback=None, new_result_callback=None, add_rule_callback=None)

Runs the enforcer over all projects passed in to the function.

Parameters:
  • project_policies (iterable) – An iterable of (project_id, firewall_policy) tuples to enforce, or a dictionary in the format {project_id: firewall_policy}.
  • prechange_callback (Callable) –

    A callback function that will get called if the firewall policy for a project does not match the expected policy, before any changes are actually applied. If the callback returns False then no changes will be made to the project. If it returns True then the changes will be pushed.

    See FirewallEnforcer.apply_firewall() docstring for more details.

  • new_result_callback (Callable) – An optional function to call with each new result proto message as they are returned from a ProjectEnforcer thread.
  • add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.
Returns:

The EnforcerLog proto for the last run, including individual results for each project, and a summary of all results.

Return type:

enforcer_log_pb2.EnforcerLog
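The two callbacks accepted by run() are the operator's hooks for keeping a batch enforcement from pushing an unwanted change. The example below is added here and is not Forseti's code: it writes one prechange_callback and one add_rule_callback and drives them with a constructed stand-in for the enforcer loop so it runs offline. The callback signatures (prechange_callback receiving project_id plus the delete/insert/update lists, add_rule_callback receiving a single rule dict), MAX_DELETES and the sample rules are assumptions, not something this page states.

```python
# Added example, not Forseti's code: gate callbacks for BatchFirewallEnforcer.run(),
# driven by a constructed stand-in for the enforcer loop so it runs offline.
# Assumed (not stated on the page): prechange_callback receives
# (project_id, rules_to_delete, rules_to_insert, rules_to_update) and
# add_rule_callback receives one firewall rule dict.
MAX_DELETES = 3              # assumed site policy: refuse mass deletions
INTERNET = "0.0.0.0/0"

def add_rule_callback(rule):
    """Return False for an expected rule that opens every port to the internet."""
    if INTERNET in rule.get("sourceRanges", []):
        if any("ports" not in a for a in rule.get("allowed", [])):
            return False             # no port list means all ports
    return True

def prechange_callback(project_id, to_delete, to_insert, to_update):
    """Return False (no changes pushed) if the diff deletes too many rules."""
    if len(to_delete) > MAX_DELETES:
        print(f"{project_id}: refusing to delete {len(to_delete)} rules")
        return False
    return True

def simulate_enforcement(project_policies, current_rules):
    """Stand-in for the enforcer loop: diff expected vs current, apply callbacks."""
    outcome = {}
    for project_id, policy in dict(project_policies).items():   # tuples or dict
        expected = {r["name"]: r for r in policy if add_rule_callback(r)}
        current = {r["name"]: r for r in current_rules.get(project_id, [])}
        to_delete = [n for n in current if n not in expected]
        to_insert = [n for n in expected if n not in current]
        to_update = [n for n in expected if n in current and expected[n] != current[n]]
        if not (to_delete or to_insert or to_update):
            outcome[project_id] = "unchanged"
        elif prechange_callback(project_id, to_delete, to_insert, to_update):
            outcome[project_id] = "changed"
        else:
            outcome[project_id] = "blocked"
    return outcome

def demo():
    """Constructed sample data: one project per outcome."""
    ssh = {"name": "allow-ssh", "sourceRanges": ["10.0.0.0/8"],
           "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
    wide_open = {"name": "allow-all", "sourceRanges": [INTERNET],
                 "allowed": [{"IPProtocol": "tcp"}]}
    policies = {"proj-a": [ssh, wide_open], "proj-b": [ssh], "proj-c": [ssh]}
    current = {"proj-a": [],
               "proj-b": [ssh] + [{"name": f"stale-{i}"} for i in range(4)],
               "proj-c": [ssh]}
    return simulate_enforcement(policies, current)
```

With the real enforcer the same two functions are passed as the prechange_callback and add_rule_callback arguments of run(); the stand-in exists only so the gating logic can be exercised without a Compute API client.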