Manages enforcement of policies for a single cloud project.
ComputeApiDisabledError
    Bases: google.cloud.forseti.enforcer.project_enforcer.Error
    Error raised if a project to be enforced has the compute API disabled.

EnforcementError(status, reason)
    Bases: google.cloud.forseti.enforcer.project_enforcer.Error
    Error encountered while enforcing the firewall policy on a project.

ProjectDeletedError
    Bases: google.cloud.forseti.enforcer.project_enforcer.Error
    Error raised if a project to be enforced has been marked for deletion.

ProjectEnforcer(project_id, global_configs=None, compute_client=None, dry_run=False, project_sema=None, max_running_operations=0)
    Bases: object
    Manages enforcement of policies for a single cloud project.

    _apply_firewall_policy(firewall_enforcer, expected_rules, networks, allow_empty_ruleset, prechange_callback, add_rule_callback, retry_on_dry_run, maximum_retries)
        Attempts to enforce the expected rules until successful.
        Parameters:
        Returns:
        Return type: fe.FirewallRules

    _get_current_fw_rules(add_rule_callback=None)
        Creates a new FirewallRules object with the current rules.
        Parameters:
            add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.
        Returns:
        Return type: fe.FirewallRules
        Raises:

    _get_expected_rules(networks, firewall_policy)
        Builds a FirewallRules object with the rules that should be defined.
        Parameters:
        Returns:
        Return type: fe.FirewallRules
        Raises:

    _get_project_networks()
        Enumerates the current project networks and returns a sorted list.
        Returns: A sorted list of network names.
        Return type: list
        Raises:

    _initialize_firewall_enforcer(expected_rules, rules_before_enforcement, add_rule_callback=None)
        Gets the current and expected rules and returns a FirewallEnforcer object.
        Parameters:
        Returns:
        Return type: fe.FirewallEnforcer

    _set_deleted_status(e)
        Sets the result status to DELETED and updates the reason string.
        Parameters:
            e (Exception) – The exception raised.

    _set_error_status(msg, *args)
        Sets the result status to ERROR and updates the reason string from msg.
        Parameters:

    _update_fw_results(firewall_enforcer, rules_before_enforcement, rules_after_enforcement)
        Updates the result proto with details on any changes made.
        Parameters:

    enforce_firewall_policy(firewall_policy, networks=None, allow_empty_ruleset=False, prechange_callback=None, add_rule_callback=None, retry_on_dry_run=False, maximum_retries=3)
        Enforces the firewall policy on the project.
        Parameters:
        Returns: A proto with details on the status of the enforcement and an audit log with any changes made.
        Return type: enforcer_log_pb2.ProjectResult
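The flow behind enforce_firewall_policy (fetch current rules, build expected rules, diff them, report changes) as an added, self-contained illustration; this is not Forseti's code. The FirewallRule model, the sample rule sets, the skip_legacy callback and the dict-shaped result are constructed stand-ins for fe.FirewallRules and ProjectResult.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

@dataclass(frozen=True)
class FirewallRule:
    """Minimal rule model (constructed; Forseti's fe.FirewallRules wraps GCE API dicts)."""
    name: str
    network: str
    direction: str            # "INGRESS" or "EGRESS"
    allowed: tuple            # e.g. ("tcp:22",); tuples keep the rule hashable/comparable
    source_ranges: tuple = ()

# Constructed sample data: what the project has now vs. what the policy says it should have.
CURRENT_RULES = [
    FirewallRule("allow-ssh", "default", "INGRESS", ("tcp:22",), ("0.0.0.0/0",)),
    FirewallRule("allow-internal", "default", "INGRESS", ("tcp:0-65535", "udp:0-65535", "icmp"), ("10.128.0.0/9",)),
    FirewallRule("legacy-app", "default", "INGRESS", ("tcp:8080",), ("10.0.0.0/8",)),
]
EXPECTED_RULES = [
    FirewallRule("allow-ssh", "default", "INGRESS", ("tcp:22",), ("203.0.113.0/24",)),  # source range tightened
    FirewallRule("allow-internal", "default", "INGRESS", ("tcp:0-65535", "udp:0-65535", "icmp"), ("10.128.0.0/9",)),
    FirewallRule("allow-https", "default", "INGRESS", ("tcp:443",), ("0.0.0.0/0",)),   # not present yet
]

def skip_legacy(rule: FirewallRule) -> bool:
    """Example add_rule_callback: returning False leaves rules named legacy-* untouched."""
    return not rule.name.startswith("legacy-")

def enforce_rules(current: Iterable[FirewallRule], expected: Iterable[FirewallRule],
                  allow_empty_ruleset: bool = False,
                  add_rule_callback: Optional[Callable[[FirewallRule], bool]] = None,
                  dry_run: bool = True) -> dict:
    """Diff current vs. expected rules and return a result shaped like ProjectResult:
    a status, a reason, and an audit log of rule names added/removed/updated."""
    keep = add_rule_callback or (lambda rule: True)
    # Rules the callback rejects are dropped from both sides, so they are never modified.
    cur = {r.name: r for r in current if keep(r)}
    exp = {r.name: r for r in expected if keep(r)}
    # Safety check mirroring allow_empty_ruleset: never wipe a project's rules by accident.
    if not exp and not allow_empty_ruleset:
        return {"status": "ERROR", "reason": "expected ruleset is empty", "dry_run": dry_run,
                "added": [], "removed": [], "updated": []}
    return {
        "status": "SUCCESS",
        "reason": "dry run: no changes applied" if dry_run else "changes applied",
        "dry_run": dry_run,
        "added": sorted(n for n in exp if n not in cur),
        "removed": sorted(n for n in cur if n not in exp),
        "updated": sorted(n for n in exp if n in cur and exp[n] != cur[n]),
    }
```

Running with dry_run=True (the default here, matching the dry_run flag on ProjectEnforcer) yields the audit log without touching anything; the callback variant shows how a rule can be excluded from enforcement entirely rather than deleted.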