google.cloud.forseti.enforcer.project_enforcer module

Manages enforcement of policies for a single cloud project.

exception ComputeApiDisabledError

Bases: google.cloud.forseti.enforcer.project_enforcer.Error

Error raised if a project to be enforced has the compute API disabled.

exception EnforcementError(status, reason)

Bases: google.cloud.forseti.enforcer.project_enforcer.Error

Error encountered while enforcing firewall on project.

__str__()

Return the error as a human-readable string.

Returns: The stringified error message.
Return type: str

reason()

Return the reason recorded for this error.

Returns: Status reason.
Return type: str

status()

Return the status code recorded for this error.

Returns: Status code.
Return type: int
exception Error

Bases: Exception

Base error class for the module.

exception ProjectDeletedError

Bases: google.cloud.forseti.enforcer.project_enforcer.Error

Error raised if a project to be enforced has been marked for deletion.

class ProjectEnforcer(project_id, global_configs=None, compute_client=None, dry_run=False, project_sema=None, max_running_operations=0)

Bases: object

Manages enforcement of policies for a single cloud project.

_apply_firewall_policy(firewall_enforcer, expected_rules, networks, allow_empty_ruleset, prechange_callback, add_rule_callback, retry_on_dry_run, maximum_retries)

Attempt to enforce the expected rules until successful.

Parameters:
  • firewall_enforcer (fe.FirewallEnforcer) – The firewall enforcer instance to use for updating the firewall rules.
  • expected_rules (fe.FirewallRules) – A list of expected firewall rules to apply to the project.
  • networks (list) – A list of networks on the project that the policy applies to.
  • allow_empty_ruleset (bool) – If set to true and expected_rules is empty, all current firewall rules will be deleted from the project. Leave this false unless deleting every rule is the intended outcome.
  • prechange_callback (Callable) – See FirewallEnforcer.apply_firewall() docstring for more details.
  • add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.
  • retry_on_dry_run (bool) – Set to True to retry applying firewall rules when the expected policy does not match the current policy when dry_run is enabled.
  • maximum_retries (int) – The number of times enforce_firewall_policy will attempt to set the current firewall policy to the expected firewall policy. Set to 0 to disable retry behavior.
Returns: A FirewallRules instance with the firewall rules configured on the project after enforcement.
Return type: fe.FirewallRules

_get_current_fw_rules(add_rule_callback=None)

Create a new FirewallRules object with the current rules.

Parameters:

add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.

Returns: A new FirewallRules object with the current rules added to it.
Return type: fe.FirewallRules

Raises:

_get_expected_rules(networks, firewall_policy)

Builds a FirewallRules object with the rules that should be defined.

Parameters:
  • networks (list) – A list of networks on the project that the policy applies to.
  • firewall_policy (list) – A list of firewall rules that should be configured on the project networks.
Returns: A new FirewallRules object with the expected policy.
Return type: fe.FirewallRules

Raises:

EnforcementError – Raised if one or more firewall rules in the policy are invalid.

_get_project_networks()

Enumerates the current project networks and returns their names as a sorted list.

Returns: A sorted list of network names.
Return type: list

Raises:

_initialize_firewall_enforcer(expected_rules, rules_before_enforcement, add_rule_callback=None)

Builds a FirewallEnforcer object from the expected rules and the rules currently configured on the project.

Parameters:
  • expected_rules (fe.FirewallRules) – A list of expected firewall rules to apply to the project.
  • rules_before_enforcement (fe.FirewallRules) – The list of current firewall rules configured on the project.
  • add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.
Returns: A new FirewallEnforcer object configured with the expected policy for the project.
Return type: fe.FirewallEnforcer

_set_deleted_status(e)

Set the result status to DELETED and update the reason string from the exception.

Parameters: e (Exception) – The exception raised.
_set_error_status(msg, *args)

Set the result status to ERROR and update the reason string from msg.

Parameters:
  • msg (str) – The error message to use as the status reason.
  • *args (list) – Optional args to format the msg string with.
_update_fw_results(firewall_enforcer, rules_before_enforcement, rules_after_enforcement)

Update the result proto with details on any changes made.

Parameters:
  • firewall_enforcer (fe.FirewallEnforcer) – The firewall enforcer instance to use for updating the firewall rules.
  • rules_before_enforcement (fe.FirewallRules) – The firewall rules before enforcer made any changes.
  • rules_after_enforcement (fe.FirewallRules) – The firewall rules after enforcer made any changes.
enforce_firewall_policy(firewall_policy, networks=None, allow_empty_ruleset=False, prechange_callback=None, add_rule_callback=None, retry_on_dry_run=False, maximum_retries=3)

Enforces the firewall policy on the project.

Parameters:
  • firewall_policy (list) – A list of firewall rules that should be configured on the project networks.
  • networks (list) – A list of networks on the project that the policy applies to. If undefined, then the policy will be applied to all networks.
  • allow_empty_ruleset (bool) – If set to true and firewall_policy has no rules, all current firewall rules will be deleted from the project.
  • prechange_callback (Callable) – See FirewallEnforcer.apply_firewall() docstring for more details.
  • add_rule_callback (Callable) – A callback function that checks whether a firewall rule should be applied. If the callback returns False, that rule will not be modified.
  • retry_on_dry_run (bool) – Set to True to retry applying firewall rules when the expected policy does not match the current policy when dry_run is enabled.
  • maximum_retries (int) – The number of times enforce_firewall_policy will attempt to set the current firewall policy to the expected firewall policy. Set to 0 to disable retry behavior.
Returns: A proto with details on the status of the enforcement and an audit log with any changes made.
Return type: enforcer_log_pb2.ProjectResult
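The following is an added worked example, not code from the Forseti project: it models the contract of enforce_firewall_policy() described above so the effect of each parameter can be seen on realistic input. Rule, FakeComputeClient, plan_changes and enforce are hypothetical stand-ins for the compute_client, FirewallRules and ProjectResult types this page documents; the in-memory rule set and the "drift" hooks that simulate another actor editing the project are constructed for the example. The reading of maximum_retries as one initial pass plus that many re-checks is this model's assumption.

```python
"""Added, self-contained model of ProjectEnforcer.enforce_firewall_policy().

Not Forseti's code: the real enforcer drives the Compute API through a
compute_client and returns an enforcer_log_pb2.ProjectResult. Rule,
FakeComputeClient, plan_changes and enforce are hypothetical stand-ins.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    network: str
    body: str  # opaque stand-in for protocol/ports/source ranges


class ProjectDeletedError(Exception):
    """Project marked for deletion (same meaning as on this page)."""


class FakeComputeClient:
    """In-memory stand-in for the Compute API, constructed for this example."""

    def __init__(self, rules: List[Rule], deleted: bool = False):
        self.rules: Dict[str, Rule] = {r.name: r for r in rules}
        self.deleted = deleted
        # Hooks run between passes to simulate someone else editing the project.
        self.drift: List[Callable[["FakeComputeClient"], None]] = []

    def list_rules(self) -> List[Rule]:
        if self.deleted:
            raise ProjectDeletedError("project is pending deletion")
        return list(self.rules.values())

    def insert(self, rule: Rule) -> None:
        self.rules[rule.name] = rule  # insert and update share one write here

    def delete(self, name: str) -> None:
        del self.rules[name]


def plan_changes(current: List[Rule], expected: List[Rule], networks: List[str],
                 add_rule_callback: Optional[Callable[[Rule], bool]] = None
                 ) -> Tuple[List[Rule], List[Rule], List[Rule]]:
    """Diff current vs expected rules on `networks` -> (insert, update, delete).
    A rule for which add_rule_callback returns False is left out of all three
    sets, so it is never modified (the documented callback contract)."""
    ok = lambda r: add_rule_callback is None or add_rule_callback(r)
    cur = {r.name: r for r in current if r.network in networks}
    exp = {r.name: r for r in expected if r.network in networks}
    to_insert = [r for n, r in exp.items() if n not in cur and ok(r)]
    to_update = [r for n, r in exp.items() if n in cur and cur[n] != r and ok(r)]
    to_delete = [r for n, r in cur.items() if n not in exp and ok(r)]
    return to_insert, to_update, to_delete


def enforce(client: FakeComputeClient, firewall_policy: List[Rule],
            networks: Optional[List[str]] = None, allow_empty_ruleset: bool = False,
            add_rule_callback: Optional[Callable[[Rule], bool]] = None,
            dry_run: bool = False, retry_on_dry_run: bool = False,
            maximum_retries: int = 3) -> dict:
    """Converge the project on firewall_policy. Returns a dict (status, reason,
    passes, changes) standing in for ProjectResult; `changes` is the audit log."""
    changes: List[Tuple[str, str]] = []
    result = lambda status, reason="", passes=0: {
        "status": status, "reason": reason, "passes": passes, "changes": changes}
    try:
        current = client.list_rules()
        if networks is None:  # undefined => every network on the project
            networks = sorted({r.network for r in current} | {r.network for r in firewall_policy})
        if not any(r.network in networks for r in firewall_policy) and not allow_empty_ruleset:
            return result("ERROR", "empty policy would delete every rule; allow_empty_ruleset is False")
        passes = 0
        while True:
            ins, upd, dele = plan_changes(current, firewall_policy, networks, add_rule_callback)
            if not (ins or upd or dele):
                return result("SUCCESS", passes=passes)
            # One initial pass plus up to maximum_retries re-checks: this model's
            # reading of the maximum_retries doc, where 0 means no retry at all.
            if passes > maximum_retries:
                return result("ERROR", "policy still differs after %d passes" % passes, passes)
            passes += 1
            for kind, batch in (("insert", ins), ("update", upd)):
                for r in batch:
                    changes.append((kind, r.name))
                    if not dry_run:
                        client.insert(r)
            for r in dele:
                changes.append(("delete", r.name))
                if not dry_run:
                    client.delete(r.name)
            if dry_run and not retry_on_dry_run:  # nothing written; report the plan
                return result("DRY_RUN", passes=passes)
            if client.drift:
                client.drift.pop(0)(client)
            current = client.list_rules()
    except ProjectDeletedError as e:  # the _set_deleted_status() outcome
        return result("DELETED", str(e), 0)
```

Two points the model makes visible: an empty policy is refused unless allow_empty_ruleset is set, because a policy-load bug would otherwise strip every rule from the project; and add_rule_callback is the hook for excluding rules the enforcer should never touch (for instance rules created by another system), since a rule it rejects is neither inserted, updated nor deleted. In dry-run mode nothing is written, so with retry_on_dry_run the plan is recomputed until maximum_retries is exhausted and the result is ERROR rather than SUCCESS.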

_is_project_deleted_error(err)

Checks if the error is due to the project having been deleted.

Parameters: err (HttpError) – The error returned by the API call.
Returns: True if the project was deleted, else False.
Return type: bool