402 lines
14 KiB
Python
402 lines
14 KiB
Python
# -*- coding: utf-8 -*- #
|
|
# Copyright 2020 Google LLC. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""Utilities for constructing Assured api messages."""
|
|
|
|
from __future__ import absolute_import
|
|
from __future__ import division
|
|
from __future__ import unicode_literals
|
|
|
|
from googlecloudsdk.api_lib.assured import util
|
|
from googlecloudsdk.calliope import base as calliope_base
|
|
from googlecloudsdk.command_lib.util.apis import arg_utils
|
|
|
|
ReleaseTrack = calliope_base.ReleaseTrack
|
|
|
|
|
|
def GetMessages(release_track):
|
|
return util.GetMessagesModule(release_track)
|
|
|
|
|
|
def GetWorkloadMessage(release_track):
|
|
return WORKLOAD_MAP.get(release_track)
|
|
|
|
|
|
def GetComplianceRegimesEnum(release_track):
|
|
return GetWorkloadMessage(release_track).ComplianceRegimeValueValuesEnum
|
|
|
|
|
|
def GetPartnersEnum(release_track):
|
|
return GetWorkloadMessage(release_track).PartnerValueValuesEnum
|
|
|
|
|
|
def GetKmsSettings(release_track):
|
|
return KMS_SETTINGS_MAP.get(release_track)
|
|
|
|
|
|
def GetResourceSettings(release_track):
|
|
return RESOURCE_SETTINGS_MAP.get(release_track)
|
|
|
|
|
|
def GetPartnerPermissions(release_track):
|
|
return PARTNER_PERMISSIONS_MAP.get(release_track)
|
|
|
|
|
|
def CreateAssuredParent(organization_id, location):
|
|
return 'organizations/{}/locations/{}'.format(organization_id, location)
|
|
|
|
|
|
def CreateAssuredWorkload(
|
|
display_name=None,
|
|
compliance_regime=None,
|
|
partner=None,
|
|
partner_services_billing_account=None,
|
|
partner_permissions=None,
|
|
billing_account=None,
|
|
next_rotation_time=None,
|
|
rotation_period=None,
|
|
labels=None,
|
|
etag=None,
|
|
provisioned_resources_parent=None,
|
|
resource_settings=None,
|
|
enable_sovereign_controls=None,
|
|
violation_notifications_enabled=None,
|
|
release_track=ReleaseTrack.GA,
|
|
):
|
|
"""Construct an Assured Workload message for Assured Workloads Beta API requests.
|
|
|
|
Args:
|
|
display_name: str, display name of the Assured Workloads environment.
|
|
compliance_regime: str, the compliance regime, which is one of:
|
|
FEDRAMP_MODERATE, FEDRAMP_HIGH, IL4 or CJIS.
|
|
partner: str, the partner regime/controls.
|
|
partner_services_billing_account: str, the billing account of the partner
|
|
service in the form: billingAccounts/{BILLING_ACCOUNT_ID}
|
|
partner_permissions: dict, dictionary of permission names and values for the
|
|
partner regime.
|
|
billing_account: str, the billing account of the Assured Workloads
|
|
environment in the form: billingAccounts/{BILLING_ACCOUNT_ID}
|
|
next_rotation_time: str, the next key rotation time for the Assured
|
|
Workloads environment, for example: 2020-12-30T10:15:00.00Z
|
|
rotation_period: str, the time between key rotations, for example: 172800s.
|
|
labels: dict, dictionary of label keys and values of the Assured Workloads
|
|
environment.
|
|
etag: str, the etag of the Assured Workloads environment.
|
|
provisioned_resources_parent: str, parent of provisioned projects, e.g.
|
|
folders/{FOLDER_ID}.
|
|
resource_settings: list of key=value pairs to set customized resource
|
|
settings, which can be one of the following: consumer-project-id,
|
|
consumer-project-name, encryption-keys-project-id,
|
|
encryption-keys-project-name or keyring-id, for example:
|
|
consumer-project-id={ID1},encryption-keys-project-id={ID2}
|
|
enable_sovereign_controls: bool, whether to enable sovereign controls for
|
|
the Assured Workloads environment.
|
|
violation_notifications_enabled: bool, whether email notifications are
|
|
enabled or disabled
|
|
release_track: ReleaseTrack, gcloud release track being used
|
|
|
|
Returns:
|
|
A populated Assured Workloads message for the Assured Workloads Beta API.
|
|
"""
|
|
|
|
workload_message = GetWorkloadMessage(release_track)
|
|
workload = workload_message()
|
|
if etag:
|
|
workload.etag = etag
|
|
if billing_account:
|
|
workload.billingAccount = billing_account
|
|
if display_name:
|
|
workload.displayName = display_name
|
|
if violation_notifications_enabled:
|
|
workload.violationNotificationsEnabled = GetViolationNotificationsEnabled(
|
|
violation_notifications_enabled
|
|
)
|
|
if labels:
|
|
workload.labels = CreateLabels(labels, workload_message)
|
|
if compliance_regime:
|
|
workload.complianceRegime = arg_utils.ChoiceToEnum(
|
|
compliance_regime, GetComplianceRegimesEnum(release_track)
|
|
)
|
|
if partner:
|
|
workload.partner = arg_utils.ChoiceToEnum(
|
|
partner, GetPartnersEnum(release_track)
|
|
)
|
|
if partner_services_billing_account:
|
|
workload.partnerServicesBillingAccount = partner_services_billing_account
|
|
if partner_permissions:
|
|
workload.partnerPermissions = GetPartnerPermissions(release_track)(
|
|
dataLogsViewer=partner_permissions['data-logs-viewer']
|
|
)
|
|
if provisioned_resources_parent:
|
|
workload.provisionedResourcesParent = provisioned_resources_parent
|
|
if next_rotation_time and rotation_period:
|
|
workload.kmsSettings = GetKmsSettings(release_track)(
|
|
nextRotationTime=next_rotation_time, rotationPeriod=rotation_period
|
|
)
|
|
if resource_settings:
|
|
workload.resourceSettings = CreateResourceSettingsList(
|
|
resource_settings, release_track
|
|
)
|
|
if enable_sovereign_controls:
|
|
workload.enableSovereignControls = enable_sovereign_controls
|
|
return workload
|
|
|
|
|
|
def CreateAssuredWorkloadsParent(organization_id, location, workload_id):
|
|
return 'organizations/{}/locations/{}/workloads/{}'.format(
|
|
organization_id, location, workload_id
|
|
)
|
|
|
|
|
|
def GetViolationNotificationsEnabled(violation_notifications_enabled):
|
|
if violation_notifications_enabled.lower() == 'true':
|
|
return True
|
|
if violation_notifications_enabled.lower() == 'false':
|
|
return False
|
|
else:
|
|
return violation_notifications_enabled
|
|
|
|
|
|
def CreateLabels(labels, workload_message):
|
|
workload_labels = []
|
|
for key, value in labels.items():
|
|
new_label = workload_message.LabelsValue.AdditionalProperty(
|
|
key=key, value=value
|
|
)
|
|
workload_labels.append(new_label)
|
|
return workload_message.LabelsValue(additionalProperties=workload_labels)
|
|
|
|
|
|
def CreateResourceSettingsList(resource_settings, release_track):
|
|
"""Construct a list of ResourceSettings for Assured Workload object.
|
|
|
|
Args:
|
|
resource_settings: a list of key=value pairs of customized resource
|
|
settings.
|
|
release_track: ReleaseTrack, gcloud release track being used.
|
|
|
|
Returns:
|
|
A list of ResourceSettings for the Assured Workload object.
|
|
"""
|
|
resource_settings_dict = {}
|
|
for key, value in resource_settings.items():
|
|
resource_type = GetResourceType(key, release_track)
|
|
resource_settings = (
|
|
resource_settings_dict[resource_type]
|
|
if resource_type in resource_settings_dict
|
|
else CreateResourceSettings(resource_type, release_track)
|
|
)
|
|
if key.endswith('-id'):
|
|
resource_settings.resourceId = value
|
|
elif key.endswith('-name'):
|
|
resource_settings.displayName = value
|
|
resource_settings_dict[resource_type] = resource_settings
|
|
return list(resource_settings_dict.values())
|
|
|
|
|
|
def GetResourceType(key, release_track):
|
|
"""Returns a resource settings type from the key.
|
|
|
|
Args:
|
|
key: str, the setting name, which can be one of the following -
|
|
consumer-project-id, consumer-project-name, encryption-keys-project-id,
|
|
encryption-keys-project-name or keyring-id.
|
|
release_track: ReleaseTrack, gcloud release track being used.
|
|
"""
|
|
resource_settings_message = GetResourceSettings(release_track)
|
|
if key.startswith('consumer-project'):
|
|
return (
|
|
resource_settings_message.ResourceTypeValueValuesEnum.CONSUMER_PROJECT
|
|
)
|
|
elif key.startswith('encryption-keys-project'):
|
|
return (
|
|
resource_settings_message.ResourceTypeValueValuesEnum.ENCRYPTION_KEYS_PROJECT
|
|
)
|
|
elif key.startswith('keyring'):
|
|
return resource_settings_message.ResourceTypeValueValuesEnum.KEYRING
|
|
|
|
|
|
def CreateResourceSettings(resource_type, release_track):
|
|
resource_settings_message = GetResourceSettings(release_track)
|
|
return resource_settings_message(resourceType=resource_type)
|
|
|
|
|
|
def CreateUpdateMask(display_name, labels, violation_notifications_enabled):
|
|
update_mask = []
|
|
if display_name:
|
|
update_mask.append('workload.display_name')
|
|
if labels:
|
|
update_mask.append('workload.labels')
|
|
if violation_notifications_enabled:
|
|
update_mask.append('workload.violation_notifications_enabled')
|
|
return ','.join(update_mask)
|
|
|
|
|
|
def CreateCreateRequest(
|
|
external_id, parent, workload, release_track=ReleaseTrack.GA
|
|
):
|
|
"""Construct an Assured Workload Create Request for Assured Workloads API requests.
|
|
|
|
Args:
|
|
external_id: str, the identifier that identifies this Assured Workloads
|
|
environment externally.
|
|
parent: str, the parent organization of the Assured Workloads environment to
|
|
be created, in the form: organizations/{ORG_ID}/locations/{LOCATION}.
|
|
workload: Workload, new Assured Workloads environment containing the values
|
|
to be used.
|
|
release_track: ReleaseTrack, gcloud release track being used
|
|
|
|
Returns:
|
|
A populated Assured Workloads Update Request for the Assured Workloads API.
|
|
"""
|
|
if release_track == ReleaseTrack.GA:
|
|
return util.GetMessagesModule(
|
|
release_track
|
|
).AssuredworkloadsOrganizationsLocationsWorkloadsCreateRequest(
|
|
externalId=external_id,
|
|
parent=parent,
|
|
googleCloudAssuredworkloadsV1Workload=workload,
|
|
)
|
|
else:
|
|
return util.GetMessagesModule(
|
|
release_track
|
|
).AssuredworkloadsOrganizationsLocationsWorkloadsCreateRequest(
|
|
externalId=external_id,
|
|
parent=parent,
|
|
googleCloudAssuredworkloadsV1beta1Workload=workload,
|
|
)
|
|
|
|
|
|
def CreateUpdateRequest(
|
|
workload, name, update_mask, release_track=ReleaseTrack.GA
|
|
):
|
|
"""Construct an Assured Workload Update Request for Assured Workloads API requests.
|
|
|
|
Args:
|
|
workload: googleCloudAssuredworkloadsV1beta1Workload, new Assured Workloads
|
|
environment containing the new configuration values to be used.
|
|
name: str, the name for the Assured Workloads environment being updated in
|
|
the form:
|
|
organizations/{ORG_ID}/locations/{LOCATION}/workloads/{WORKLOAD_ID}.
|
|
update_mask: str, list of the fields to be updated, for example,
|
|
workload.display_name,workload.labels
|
|
release_track: ReleaseTrack, gcloud release track being used
|
|
|
|
Returns:
|
|
A populated Assured Workloads Update Request for the Assured Workloads API.
|
|
"""
|
|
messages = util.GetMessagesModule(release_track)
|
|
if release_track == ReleaseTrack.GA:
|
|
return messages.AssuredworkloadsOrganizationsLocationsWorkloadsPatchRequest(
|
|
googleCloudAssuredworkloadsV1Workload=workload,
|
|
name=name,
|
|
updateMask=update_mask,
|
|
)
|
|
else:
|
|
return messages.AssuredworkloadsOrganizationsLocationsWorkloadsPatchRequest(
|
|
googleCloudAssuredworkloadsV1beta1Workload=workload,
|
|
name=name,
|
|
updateMask=update_mask,
|
|
)
|
|
|
|
|
|
def CreateAcknowledgeRequest(
|
|
name, comment, acknowledge_type=None, release_track=ReleaseTrack.GA
|
|
):
|
|
"""Construct an Assured Workload Violation Acknowledgement Request.
|
|
|
|
Args:
|
|
name: str, the name for the Assured Workloads violation being described in
|
|
the form:
|
|
organizations/{ORG_ID}/locations/{LOCATION}/workloads/{WORKLOAD_ID}/violations/{VIOLATION_ID}.
|
|
comment: str, the business justification which the user wants to add while
|
|
acknowledging a violation.
|
|
acknowledge_type: str, the acknowledge type for specified violation, which
|
|
is one of: SINGLE_VIOLATION - to acknowledge specified violation,
|
|
EXISTING_CHILD_RESOURCE_VIOLATIONS - to acknowledge specified org policy
|
|
violation and all associated child resource violations.
|
|
release_track: ReleaseTrack, gcloud release track being used
|
|
|
|
Returns:
|
|
A populated Assured Workloads Violation Acknowledgement Request.
|
|
"""
|
|
messages = util.GetMessagesModule(release_track)
|
|
if acknowledge_type:
|
|
acknowledge_type = messages.GoogleCloudAssuredworkloadsV1beta1AcknowledgeViolationRequest.AcknowledgeTypeValueValuesEnum(
|
|
acknowledge_type
|
|
)
|
|
if release_track == ReleaseTrack.GA:
|
|
return messages.AssuredworkloadsOrganizationsLocationsWorkloadsViolationsAcknowledgeRequest(
|
|
googleCloudAssuredworkloadsV1AcknowledgeViolationRequest=messages.GoogleCloudAssuredworkloadsV1AcknowledgeViolationRequest(
|
|
comment=comment
|
|
),
|
|
name=name,
|
|
)
|
|
else:
|
|
return messages.AssuredworkloadsOrganizationsLocationsWorkloadsViolationsAcknowledgeRequest(
|
|
googleCloudAssuredworkloadsV1beta1AcknowledgeViolationRequest=messages.GoogleCloudAssuredworkloadsV1beta1AcknowledgeViolationRequest(
|
|
comment=comment, acknowledgeType=acknowledge_type
|
|
),
|
|
name=name,
|
|
)
|
|
|
|
|
|
WORKLOAD_MAP = {
|
|
ReleaseTrack.ALPHA: GetMessages(
|
|
ReleaseTrack.BETA
|
|
).GoogleCloudAssuredworkloadsV1beta1Workload,
|
|
ReleaseTrack.BETA: GetMessages(
|
|
ReleaseTrack.BETA
|
|
).GoogleCloudAssuredworkloadsV1beta1Workload,
|
|
ReleaseTrack.GA: GetMessages(
|
|
ReleaseTrack.GA
|
|
).GoogleCloudAssuredworkloadsV1Workload,
|
|
}
|
|
|
|
KMS_SETTINGS_MAP = {
|
|
ReleaseTrack.ALPHA: GetMessages(
|
|
ReleaseTrack.BETA
|
|
).GoogleCloudAssuredworkloadsV1beta1WorkloadKMSSettings,
|
|
ReleaseTrack.BETA: GetMessages(
|
|
ReleaseTrack.BETA
|
|
).GoogleCloudAssuredworkloadsV1beta1WorkloadKMSSettings,
|
|
ReleaseTrack.GA: GetMessages(
|
|
ReleaseTrack.GA
|
|
).GoogleCloudAssuredworkloadsV1WorkloadKMSSettings,
|
|
}
|
|
|
|
RESOURCE_SETTINGS_MAP = {
|
|
ReleaseTrack.ALPHA: GetMessages(
|
|
ReleaseTrack.BETA
|
|
).GoogleCloudAssuredworkloadsV1beta1WorkloadResourceSettings,
|
|
ReleaseTrack.BETA: GetMessages(
|
|
ReleaseTrack.BETA
|
|
).GoogleCloudAssuredworkloadsV1beta1WorkloadResourceSettings,
|
|
ReleaseTrack.GA: GetMessages(
|
|
ReleaseTrack.GA
|
|
).GoogleCloudAssuredworkloadsV1WorkloadResourceSettings,
|
|
}
|
|
|
|
PARTNER_PERMISSIONS_MAP = {
|
|
ReleaseTrack.ALPHA: GetMessages(
|
|
ReleaseTrack.BETA
|
|
).GoogleCloudAssuredworkloadsV1beta1WorkloadPartnerPermissions,
|
|
ReleaseTrack.BETA: GetMessages(
|
|
ReleaseTrack.BETA
|
|
).GoogleCloudAssuredworkloadsV1beta1WorkloadPartnerPermissions,
|
|
ReleaseTrack.GA: GetMessages(
|
|
ReleaseTrack.GA
|
|
).GoogleCloudAssuredworkloadsV1WorkloadPartnerPermissions,
|
|
}
|