gcp.bucket

Filters

iam-policy

Overrides the base implementation to process bucket resources correctly.

properties:
  doc:
    additionalProperties: false
    properties:
      default:
        type: object
      key:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
      type:
        enum:
        - value
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          url:
            type: string
        required:
        - url
        type: object
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
        - version
    type: object
  type:
    enum:
    - iam-policy
  user-role:
    additionalProperties: false
    properties:
      has:
        type: boolean
      role:
        type: string
      user:
        type: string
    required:
    - user
    - role
    type: object
required:
- type

Permissions - storage.buckets.getIamPolicy

metrics

Supports metrics filters on resources.

All resources that have cloud watch metrics are supported.

Docs on cloud watch metrics

- name: firewall-hit-count
  resource: gcp.firewall
  filters:
  - type: metrics
    name: firewallinsights.googleapis.com/subnet/firewall_hit_count
    aligner: ALIGN_COUNT
    days: 14
    value: 1
    op: greater-than
properties:
  aligner:
    enum:
    - ALIGN_NONE
    - ALIGN_DELTA
    - ALIGN_RATE
    - ALIGN_INTERPOLATE
    - ALIGN_MIN
    - ALIGN_MAX
    - ALIGN_MEAN
    - ALIGN_COUNT
    - ALIGN_SUM
    - REDUCE_COUNT_FALSE
    - ALIGN_STDDEV
    - ALIGN_COUNT_TRUE
    - ALIGN_COUNT_FALSE
    - ALIGN_FRACTION_TRUE
    - ALIGN_PERCENTILE_99
    - ALIGN_PERCENTILE_95
    - ALIGN_PERCENTILE_50
    - ALIGN_PERCENTILE_05
    - ALIGN_PERCENT_CHANG
    type: string
  days:
    type: number
  filter:
    type: string
  group-by-fields:
    items:
      type: string
    type: array
  metric-key:
    type: string
  missing-value:
    type: number
  name:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    type: string
  reducer:
    enum:
    - REDUCE_NONE
    - REDUCE_MEAN
    - REDUCE_MIN
    - REDUCE_MAX
    - REDUCE_MEAN
    - REDUCE_SUM
    - REDUCE_STDDEV
    - REDUCE_COUNT
    - REDUCE_COUNT_TRUE
    - REDUCE_COUNT_FALSE
    - REDUCE_FRACTION_TRUE
    - REDUCE_PERCENTILE_99
    - REDUCE_PERCENTILE_95
    - REDUCE_PERCENTILE_50
    - REDUCE_PERCENTILE_05
    type: string
  type:
    enum:
    - metrics
  value:
    type: number
required:
- value
- name
- op

Permissions - monitoring.timeSeries.list

Actions

set-uniform-access

Uniform access disables object ACLs on a bucket.

Enabling this means only bucket policies (and organization bucket policies) govern access to a bucket.

When enabled, users can only specify bucket level IAM policies and not Object level ACL’s.

Example Policy:

policies:
 - name: enforce-uniform-bucket-level-access
   resource: gcp.bucket
   filters:
    - iamConfiguration.uniformBucketLevelAccess.enable: false
   actions:
    - type: set-uniform-access
      # The following is also the default
      state: true
properties:
  state:
    type: boolean
  type:
    enum:
    - set-uniform-access
required:
- type

Permissions - storage.buckets.update