Tags: google-cloud-platform, yaml, virtual-machine, google-compute-engine, windows-server

VM Manager - OS Policy Assignment for a Windows VM in GCP


I am trying to create a couple of OS policy assignments to configure a Windows VM (Windows Server 2022) by using the VM Manager: run some scripts with PowerShell and install some security agents. I am following the official Google documentation to set up the OS policies. The VM Manager is already enabled; nevertheless, I have difficulties creating the appropriate .yaml file which is required for the policy assignment, since I haven't found any detailed examples.

Related topics I have found:

  • Google documentation offers a very simple example of installing an .msi file - Example OS policies.
  • An example of a fixed policy assignment in Terraform registry - google_os_config_os_policy_assignment, from where I managed to better comprehend the required structure for the .yaml file even though it is in a .json format.
  • Few examples provided at GCP GitHub repository (OSPolicyAssignments).
  • OS Policy resources in JSON representation - REST Resource, from where you can navigate to sample cases based on the selected resource.

But it is still not very clear how to create the desired .yaml file (i.e. copy some files, run a PowerShell script to perform an installation or an authentication). According to the Google documentation, pkg, repository, exec, and file are the supported resource types.

Are there any more detailed examples I could use to understand what is needed? Have you already tried something similar?

Update: Adding an additional source.


Solution

  • You need to follow these steps:

    1. Ensure that the OS Config agent is installed in your VM by running the below command in PowerShell:
    Get-Service google_osconfig_agent
    

    you should see an output like this:

    Status   Name               DisplayName
    ------   ----               -----------
    Running  google_osconfig... Google OSConfig Agent
    

    if the agent is not installed, refer to this tutorial.

    2. Set the metadata value to enable the OSConfig agent with this Cloud Shell command:
    gcloud compute instances add-metadata $YOUR_VM_NAME \
      --metadata=enable-osconfig=TRUE
    
    3. Generate an OS policy and OS policy assignment yaml file. As an example, I am generating an OS policy that installs an MSI file retrieved from a GCS bucket, and an OS policy assignment to run it on all Windows VMs:
    # An OS policy assignment to install a Windows MSI downloaded from a Google Cloud Storage bucket
    # on all VMs running Windows Server OS.
    osPolicies:
      - id: install-msi-policy
        mode: ENFORCEMENT
        resourceGroups:
          - resources:
              - id: install-msi
                pkg:
                  desiredState: INSTALLED
                  msi:
                    source:
                      gcs:
                        bucket: <your_bucket_name>
                        object: chrome.msi
                        generation: 1656698823636455
    instanceFilter:
      inventories:
        - osShortName: windows
    rollout:
      disruptionBudget:
        fixed: 10
      minWaitDuration: 300s
    

    Note: every file has its own generation number; you can get it with the command gsutil stat gs://<your_bucket_name>/<your_file_name>.

    4. Apply the policies created in the previous step using this Cloud Shell command:
    gcloud compute os-config os-policy-assignments create $POLICY_NAME --location=$YOUR_ZONE --file=/<your-file-path>/<your_file_name.yaml> --async
    

    Refer to the Examples of OS policy assignments for more scenarios, and check out this example of a PowerShell script.
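The question also asks about copying files and running PowerShell, which the pkg/msi example above does not cover. The following assignment is an added example, not code from the original post or from Google's documentation; it stages an installer with a file resource and installs an agent with an exec resource whose validate step reports compliance (exit 100) or non-compliance (exit 101) before enforce runs. The bucket, object, generation and the service name <your_agent_service> are placeholders you must replace.

```yaml
# Added example (not from the original post). Placeholders in <angle brackets>
# and the service name are assumptions; adapt them to your agent.
osPolicies:
  - id: install-security-agent
    mode: ENFORCEMENT
    resourceGroups:
      - inventoryFilters:
          - osShortName: windows
        resources:
          # 1. file resource: copy the installer from GCS onto the VM
          - id: stage-installer
            file:
              path: C:\Temp\agent-setup.exe
              state: PRESENT
              file:
                gcs:
                  bucket: <your_bucket_name>
                  object: agent-setup.exe
                  # pin the exact object version (gsutil stat gs://<your_bucket_name>/agent-setup.exe)
                  generation: <object_generation>
          # 2. exec resource: validate must exit 100 (compliant) or 101 (not compliant);
          #    enforce runs only after a 101 and must itself exit 100 on success
          - id: install-agent
            exec:
              validate:
                interpreter: POWERSHELL
                script: |
                  # compliant when the agent's Windows service already exists
                  if (Get-Service -Name '<your_agent_service>' -ErrorAction SilentlyContinue) { exit 100 }
                  exit 101
              enforce:
                interpreter: POWERSHELL
                script: |
                  # silent install of the staged file; any exit code other than 100 marks a failure
                  $p = Start-Process -FilePath 'C:\Temp\agent-setup.exe' -ArgumentList '/quiet' -Wait -PassThru
                  if ($p.ExitCode -ne 0) { exit 1 }
                  exit 100
instanceFilter:
  inventories:
    - osShortName: windows
rollout:
  disruptionBudget:
    fixed: 10
  minWaitDuration: 300s
```

The OS Config agent fetches the object with the VM's service account, so that account needs read access to the bucket, and pinning the generation ensures a later overwrite of the object is not silently installed on every matching VM. Apply it with the same gcloud compute os-config os-policy-assignments create command shown in step 4.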