class ProjectEnforcer(project_id, global_configs=None, compute_client=None, dry_run=False, project_sema=None, max_running_operations=0)[source]¶

Bases: object

Manages enforcement of policies for a single cloud project.

_apply_firewall_policy(firewall_enforcer, expected_rules, networks, allow_empty_ruleset, prechange_callback, add_rule_callback, retry_on_dry_run, maximum_retries)[source]¶

Attempt to enforce the expected rules until successful.

Parameters:

Parameters:	firewall_enforcer (fe.FirewallEnforcer) – The firewall enforcer instance to use for updating the firewall rules. expected_rules (fe.FirewallRules) – A list of expected firewall rules to apply to the project. networks (list) – A list of networks on the project that the policy applies to. allow_empty_ruleset (bool) – If set to true and firewall_policy has no rules, all current firewall rules will be deleted from the project. prechange_callback (Callable) – See FirewallEnforcer.apply_firewall() docstring for more details. add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified. retry_on_dry_run (bool) – Set to True to retry applying firewall rules when the expected policy does not match the current policy when dry_run is enabled. maximum_retries (int) – The number of times enforce_firewall_policy will attempt to set the current firewall policy to the expected firewall policy. Set to 0 to disable retry behavior.
Returns:	A FirewallRules instance with the firewall rules configured on the project after enforcement.
Return type:	fe.FirewallRules

firewall_enforcer (fe.FirewallEnforcer) – The firewall enforcer instance to use for updating the firewall rules.
expected_rules (fe.FirewallRules) – A list of expected firewall rules to apply to the project.
networks (list) – A list of networks on the project that the policy applies to.
allow_empty_ruleset (bool) – If set to true and firewall_policy has no rules, all current firewall rules will be deleted from the project.
prechange_callback (Callable) – See FirewallEnforcer.apply_firewall() docstring for more details.
add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.
retry_on_dry_run (bool) – Set to True to retry applying firewall rules when the expected policy does not match the current policy when dry_run is enabled.
maximum_retries (int) – The number of times enforce_firewall_policy will attempt to set the current firewall policy to the expected firewall policy. Set to 0 to disable retry behavior.

Returns:

A FirewallRules instance with the firewall rules: configured on the project after enforcement.

Return type:

fe.FirewallRules

_get_current_fw_rules(add_rule_callback=None)[source]¶

Create a new FirewallRules object with the current rules.

Parameters:	add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.
Returns:	A new FirewallRules object with the current rules added to it.
Return type:	fe.FirewallRules
Raises:	`ProjectDeletedError` – Raised if the project has been deleted. `ComputeApiDisabledError` – Raised if the Compute API is not enabled on the project. `EnforcementError` – Raised if there are any exceptions raised while adding the firewall rules.

_get_expected_rules(networks, firewall_policy)[source]¶

Builds a FirewallRules object with the rules that should be defined.

Parameters:	networks (list) – A list of networks on the project that the policy applies to. firewall_policy (list) – A list of firewall rules that should be configured on the project networks.
Returns:	A new FirewallRules object with the expected policy.
Return type:	fe.FirewallRules
Raises:	`EnforcementError` – Raised if one or more firewall rules in the policy are invalid.

_get_project_networks()[source]¶

Enumerate the current project networks and returns a sorted list.

Returns:	A sorted list of network names.
Return type:	list
Raises:	`ProjectDeletedError` – Raised if the project has been deleted. `ComputeApiDisabledError` – Raised if the Compute API is not enabled on the project. `EnforcementError` – Raised if there are any exceptions raised while adding the firewall rules.

_initialize_firewall_enforcer(expected_rules, rules_before_enforcement, add_rule_callback=None)[source]¶

Gets current and expected rules, returns a FirewallEnforcer object.

Parameters:

Parameters:	expected_rules (fe.FirewallRules) – A list of expected firewall rules to apply to the project. rules_before_enforcement (fe.FirewallRules) – The list of current firewall rules configured on the project. add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.
Returns:	A new FirewallEnforcer object configured with the expected policy for the project.
Return type:	fe.FirewallEnforcer

expected_rules (fe.FirewallRules) – A list of expected firewall rules to apply to the project.
rules_before_enforcement (fe.FirewallRules) – The list of current firewall rules configured on the project.
add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.

Returns:

A new FirewallEnforcer object configured with: the expected policy for the project.

Return type:

fe.FirewallEnforcer

_set_deleted_status(e)[source]¶

Set status of result to DELETED and update reason string.

Parameters:	e (Exception) – The exception raised.

_set_error_status(msg, *args)[source]¶

Set status to result ERROR and update the reason string from msg.

Parameters:	msg (str) – The error message to use as the status reason. args (list*) – Optional args to format the msg string with.

_update_fw_results(firewall_enforcer, rules_before_enforcement, rules_after_enforcement)[source]¶

Update the result proto with details on any changes made.

Parameters:	firewall_enforcer (fe.FirewallEnforcer) – The firewall enforcer instance to use for updating the firewall rules. rules_before_enforcement (fe.FirewallRules) – The firewall rules before enforcer made any changes. rules_after_enforcement (fe.FirewallRules) – The firewall rules after enforcer made any changes.

enforce_firewall_policy(firewall_policy, networks=None, allow_empty_ruleset=False, prechange_callback=None, add_rule_callback=None, retry_on_dry_run=False, maximum_retries=3)[source]¶

Enforces the firewall policy on the project.

Parameters:	firewall_policy (list) – A list of firewall rules that should be configured on the project networks. networks (list) – A list of networks on the project that the policy applies to. If undefined, then the policy will be applied to all networks. allow_empty_ruleset (bool) – If set to true and firewall_policy has no rules, all current firewall rules will be deleted from the project. prechange_callback (Callable) – See FirewallEnforcer.apply_firewall() docstring for more details. add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified. retry_on_dry_run (bool) – Set to True to retry applying firewall rules when the expected policy does not match the current policy when dry_run is enabled. maximum_retries (int) – The number of times enforce_firewall_policy will attempt to set the current firewall policy to the expected firewall policy. Set to 0 to disable retry behavior.
Returns:	A proto with details on the status of the enforcement and an audit log with any changes made.
Return type:	enforcer_log_pb2.ProjectResult

_is_project_deleted_error(err)[source]¶

Checks if the error is due to the project having been deleted.

Parameters:	err (HttpError) – The error message returned by the API call.
Returns:	True if the project was deleted, else False.
Return type:	bool