Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
lastRunId
string
Unique identifier of the last attempted run to apply the OS policies associated with this assignment on the VM.
This ID is logged by the OS Config agent while applying the OS policies associated with this assignment on the VM. NOTE: If the service is unable to successfully connect to the agent for this run, then this id will not be available in the agent logs.
The reason for the OS policy to be in an unknown compliance state. This field is always populated when complianceState is UNKNOWN.
If populated, the field can contain one of the following values:
vm-not-running: The VM was not running.
os-policies-not-supported-by-agent: The version of the OS Config agent running on the VM does not support running OS policies.
no-agent-detected: The OS Config agent is not detected for the VM.
resource-execution-errors: The OS Config agent encountered errors while executing one or more resources in the policy. See osPolicyResourceCompliances for details.
task-timeout: The task sent to the agent to apply the policy timed out.
unexpected-agent-state: The OS Config agent did not report the final status of the task that attempted to apply the policy. Instead, the agent unexpectedly started working on a different task. This mostly happens when the agent or VM unexpectedly restarts while applying OS policies.
internal-service-errors: Internal service errors were encountered while attempting to apply the policy.
os-policy-execution-pending: OS policy was assigned to the given VM, but was not executed yet. Typically this is a transient condition that will go away after the next policy execution cycle.
Compliance data for each resource within the policy that is applied to the VM.
ComplianceState
Possible compliance states for an os policy.
Enums
UNKNOWN
The policy is in an unknown compliance state.
Refer to the field complianceStateReason to learn the exact reason for the policy to be in this compliance state.
COMPLIANT
Policy is compliant.
The policy is compliant if all the underlying resources are also compliant.
NON_COMPLIANT
Policy is non-compliant.
The policy is non-compliant if one or more underlying resources are non-compliant.
OSPolicyResourceCompliance
Compliance data for an OS policy resource.
JSON representation
{"osPolicyResourceId": string,"configSteps": [{object (OSPolicyResourceConfigStep)}],"complianceState": enum (ComplianceState),"complianceStateReason": string,// Union field output can be only one of the following:"execResourceOutput": {object (ExecResourceOutput)}// End of list of possible types for union field output.}
A reason for the resource to be in the given compliance state. This field is always populated when complianceState is UNKNOWN.
The following values are supported when complianceState == UNKNOWN
execution-errors: Errors were encountered by the agent while executing the resource and the compliance state couldn't be determined.
execution-skipped-by-agent: Resource execution was skipped by the agent because errors were encountered while executing prior resources in the OS policy.
os-policy-execution-attempt-failed: The execution of the OS policy containing this resource failed and the compliance state couldn't be determined.
os-policy-execution-pending: OS policy that owns this resource was assigned to the given VM, but was not executed yet.
Union field output. Resource specific output. output can be only one of the following:
An error message recorded during the execution of this step. Only populated if errors were encountered during this step execution.
Type
Supported configuration step types
Enums
TYPE_UNSPECIFIED
Default value. This value is unused.
VALIDATION
Checks for resource conflicts such as schema errors.
DESIRED_STATE_CHECK
Checks the current status of the desired state for a resource.
DESIRED_STATE_ENFORCEMENT
Enforces the desired state for a resource that is not in desired state.
DESIRED_STATE_CHECK_POST_ENFORCEMENT
Re-checks the status of the desired state. This check is done for a resource after the enforcement of all OS policies.
This step is used to determine the final desired state status for the resource. It accounts for any resources that might have drifted from their desired state due to side effects from executing other resources.
ComplianceState
Possible compliance states for a resource.
Enums
UNKNOWN
The resource is in an unknown compliance state.
To get more details about why the policy is in this state, review the output of the complianceStateReason field.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-31 UTC."],[[["The `OSPolicyAssignmentReport` provides a comprehensive overview of the OS policy assignment status for a given VM instance, including details like the instance name, associated policy assignment, and the last time the report was generated."],["`OSPolicyCompliance` details the compliance data for each OS policy applied to a VM, encompassing the policy ID, compliance state (e.g., `COMPLIANT`, `NON_COMPLIANT`, `UNKNOWN`), and a reason if the compliance state is `UNKNOWN`."],["`OSPolicyResourceCompliance` offers compliance data for each resource within a policy, including the resource ID, configuration steps taken, and the resource's compliance state."],["`ComplianceState` is an enumeration that outlines the possible compliance states for both OS policies and resources, including `COMPLIANT`, `NON_COMPLIANT`, and `UNKNOWN`, with further explanation provided by the `complianceStateReason`."],["`OSPolicyResourceConfigStep` describes the configuration steps taken by the OS Config agent for a given resource, which may include validation, state checks, and enforcement, with an optional error message if an error occurred."]]],[]]
