TechEnth

Reputation: 89

VM Manager - OS Policy Assignment for a Windows VM in GCP

I am trying to create a couple of OS policy assignments to configure (run some scripts with PowerShell) and install some security agents on a Windows VM (Windows Server 2022) by using VM Manager. I am following the official Google documentation to set up the OS policies. VM Manager is already enabled; nevertheless, I am having difficulties creating the appropriate .yaml file that is required for the policy assignment, since I haven't found any detailed examples.

Related topics I have found:

But it is still not very clear how to create the desired .yaml file (i.e. copy some files, run a PowerShell script to perform an installation or an authentication). According to the Google documentation, pkg, repository, exec, and file are the supported resource types.

Are there any more detailed examples I could use to understand what is needed? Have you already tried something similar?

Update: Adding an additional source.

Upvotes: 2

Views: 1426

Answers (2)

TechEnth

Reputation: 89

Down below you can find the .yaml file that worked in my case. It copies a file and executes a PowerShell command, so as to configure and deploy a sample agent (Trend Micro); again, this is specifically for a Windows VM.

.yaml file:

id: trendmicro-windows-policy
mode: ENFORCEMENT
resourceGroups:
  - resources:
      # file resource: copies the install script from GCS to the VM
      - id: copy-exe-file
        file:
          path: C:/Program Files/TrendMicro_Windows.ps1
          state: CONTENTS_MATCH
          permissions: '755'
          file:                     # source of the file contents
            gcs:
              bucket: [your_bucket_name]
              generation: [your_generation_number]
              object: Windows/TrendMicro/TrendMicro_Windows.ps1
      # exec resource: validate exits 100 when compliant, 101 when not;
      # enforce runs only after validate returns 101
      - id: validate-running
        exec:
          validate:
            interpreter: POWERSHELL
            script: |
              $service = Get-Service -Name 'ds_agent'
              if ($service.Status -eq 'Running') {exit 100} else {exit 101}
          enforce:
            interpreter: POWERSHELL
            script: |
              Start-Process PowerShell -ArgumentList '-ExecutionPolicy Unrestricted','-File "C:\Program Files\TrendMicro_Windows.ps1"' -Verb RunAs

To elaborate a bit more, this .yaml file:

  • copy-exe-file: It copies the necessary installation script from GCS to a specified location on the VM. The generation number can be found easily under "VERSION HISTORY" when you select the object in GCS.
  • validate-running: This stage contains two different steps. In validate, it checks whether the specific agent is up and running on the VM. If not, it proceeds to the enforce step, where it executes the "TrendMicro_Windows.ps1" file with PowerShell. This .ps1 file downloads, configures and installs the agent. Note 1: this command is executed as Administrator, and the full path of the file is specified. Note 2: instead of Start-Process PowerShell, Start-Process pwsh can also be used; it was vital in one of my cases.

Essentially, a PowerShell command can be run directly in the enforce step; nonetheless, I found it much easier to put it in a .ps1 file first and then just run that file. There are some restrictions with the .yaml file anyway.

PS: Passing osconfig-log-level = debug as a key-value pair in the metadata, either directly on a VM or applied to all of them (Compute Engine > Settings > Metadata > EDIT > ADD ITEM), provides some additional information and may help when dealing with errors.

Upvotes: 0

Gabriel Robledo Ahumada

Reputation: 1701

You need to follow these steps:

  1. Ensure that the OS Config agent is installed on your VM by running the command below in PowerShell:
Get-Service google_osconfig_agent

you should see an output like this:

Status   Name               DisplayName
------   ----               -----------
Running  google_osconfig... Google OSConfig Agent

If the agent is not installed, refer to this tutorial.

  2. Set the metadata value that enables the OS Config agent, using this Cloud Shell command:
gcloud compute instances add-metadata $YOUR_VM_NAME \
  --metadata=enable-osconfig=TRUE
  3. Generate an OS policy and an OS policy assignment YAML file. As an example, I am generating an OS policy that installs an MSI file retrieved from a GCS bucket, and an OS policy assignment that runs it on all Windows VMs:
# An OS policy assignment to install a Windows MSI downloaded from a Google Cloud Storage bucket
# on all VMs running Windows Server OS.
osPolicies:
  - id: install-msi-policy
    mode: ENFORCEMENT
    resourceGroups:
      - resources:
          - id: install-msi
            pkg:
              desiredState: INSTALLED
              msi:
                source:
                  gcs:
                    bucket: <your_bucket_name>
                    object: chrome.msi
                    generation: 1656698823636455
instanceFilter:
  inventories:
    - osShortName: windows
rollout:
  disruptionBudget:
    fixed: 10
  minWaitDuration: 300s

Note: every file has its own generation number; you can get it with the command gsutil stat gs://<your_bucket_name>/<your_file_name>.

  4. Apply the policies created in the previous step using this Cloud Shell command:
gcloud compute os-config os-policy-assignments create $POLICY_NAME --location=$YOUR_ZONE --file=/<your-file-path>/<your_file_name.yaml> --async

Refer to the Examples of OS policy assignments for more scenarios, and check out this example of a PowerShell script.

Upvotes: 1
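The following is an added example, not code from either answer above or from Google's documentation. It ties both answers together into one script for the copy-a-script-then-run-it case from the first answer: it pins the GCS object to a specific generation (so the VMs execute exactly the reviewed bytes, not whatever later lands under the same object name), renders the complete assignment file (osPolicies plus instanceFilter and rollout, which the first answer's snippet omits), sanity-checks it, and applies it with the commands from the second answer. The bucket, object path, file path, service name (ds_agent), zone and assignment name are placeholders. The validate/enforce scripts follow the documented exit-code contract (validate: 100 compliant, 101 not; enforce: 100 success); unlike the first answer's enforce, this one waits for the installer (-Wait -PassThru) and maps its exit code, so a failed install is reported as a failure rather than a success. The permissions field (Unix mode bits, which Windows does not use) is left out.

```shell
#!/usr/bin/env bash
# Added example (not from the answers above). Placeholders: bucket, object,
# C:/ProgramData path, ds_agent service, zone, assignment name.
set -eu

# Emit a complete OS policy assignment for one policy with a file resource
# (copy the install script from GCS) and an exec resource (install only when
# the service is not running). $1=bucket $2=object $3=generation $4=service
render_assignment() {
  bucket="$1"; object="$2"; generation="$3"; service="$4"
  cat <<EOF
osPolicies:
  - id: agent-install-policy
    mode: ENFORCEMENT
    resourceGroups:
      - resources:
          - id: copy-install-script
            file:
              path: C:/ProgramData/agent-install.ps1
              state: CONTENTS_MATCH
              file:
                gcs:
                  bucket: ${bucket}
                  object: ${object}
                  generation: ${generation}
          - id: ensure-agent-running
            exec:
              validate:
                interpreter: POWERSHELL
                script: |
                  \$svc = Get-Service -Name '${service}' -ErrorAction SilentlyContinue
                  if (\$svc -and \$svc.Status -eq 'Running') { exit 100 } else { exit 101 }
              enforce:
                interpreter: POWERSHELL
                script: |
                  \$p = Start-Process powershell.exe -ArgumentList '-NoProfile','-ExecutionPolicy','Bypass','-File','C:\ProgramData\agent-install.ps1' -Wait -PassThru
                  if (\$p.ExitCode -eq 0) { exit 100 } else { exit \$p.ExitCode }
instanceFilter:
  inventories:
    - osShortName: windows
rollout:
  disruptionBudget:
    fixed: 1
  minWaitDuration: 60s
EOF
}

# Current generation of the object, so the policy is pinned to known bytes
# (requires gcloud and access to the bucket). $1=bucket $2=object
object_generation() {
  gcloud storage objects describe "gs://$1/$2" --format='value(generation)'
}

# Refuse to apply a file whose generation is still a placeholder or that lost
# the Windows filter or the exit-code contract. $1=rendered YAML text
check_assignment() {
  yaml="$1"
  printf '%s\n' "$yaml" | grep -q '^osPolicies:' || return 1
  printf '%s\n' "$yaml" | grep -q 'osShortName: windows' || return 1
  printf '%s\n' "$yaml" | grep -Eq 'generation: [0-9]+$' || return 1
  printf '%s\n' "$yaml" | grep -q 'exit 100' || return 1
  printf '%s\n' "$yaml" | grep -q 'exit 101' || return 1
}

# Pin, render, check and create (requires gcloud; call explicitly).
# $1=bucket $2=object $3=zone $4=assignment name $5=service
apply_assignment() {
  gen=$(object_generation "$1" "$2")
  render_assignment "$1" "$2" "$gen" "$5" > assignment.yaml
  check_assignment "$(cat assignment.yaml)"
  gcloud compute os-config os-policy-assignments create "$4" \
    --location="$3" --file=assignment.yaml
  # Afterwards, per-VM compliance can be read with:
  # gcloud compute os-config os-policy-assignment-reports list \
  #   --location="$3" --instance=VM_NAME
}
```

Usage: `apply_assignment my-bucket Windows/agent-install.ps1 us-central1-a agent-install ds_agent`. Re-running apply_assignment after uploading a new script version picks up the new generation and creates/updates the assignment with it; a copy of the bucket made with a different generation will fail check_assignment only if the generation is missing, so keep the object versioned and review what is at that generation before applying.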

Related Questions