Cloud SQL - Check Users

One of security best practices is to control list of your users with extended permissions (e.g. ‘postresql’, ‘root’, etc). In the example below, Custodian lists existing users which are not included into an approved set.

policies:
- name: sql-user
  description: |
    check basic work of Cloud SQL filter on users: lists instance superusers which are not included into a standard user set
  resource: gcp.sql-user
  filters:
    - type: value
      key: name
      op: not-in
      value: [postgres, jamesbond]
  actions:
    - type: notify
      to:
       - email@address
      # address doesnt matter
      format: txt
      transport:
        type: pubsub
        topic: projects/river-oxygen-233508/topics/first