GCP Common Actions

Actions

notify

Example:

policies:
  - name: bad-instance-get
    resource: gcp.instance
    filters:
     - Name: bad-instance
    actions:
     - type: notify
       to:
        - email@address
       # which template for the email should we use
       template: policy-template
       transport:
         type: pubsub
         topic: projects/yourproject/topics/yourtopic
additionalProperties: false
anyOf:
- required:
  - type
  - transport
  - to
- required:
  - type
  - transport
  - to_from
properties:
  cc:
    items:
      type: string
    type: array
  cc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  cc_manager:
    type: boolean
  from:
    type: string
  owner_absent_contact:
    items:
      type: string
    type: array
  subject:
    type: string
  template:
    type: string
  to:
    items:
      type: string
    type: array
  to_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  transport:
    oneOf:
    - properties:
        topic:
          type: string
        type:
          enum:
          - pubsub
      required:
      - type
      - topic
      type: object
  type:
    enum:
    - notify

post-finding

Post finding for matched resources to Cloud Security Command Center.

Example:

policies:
  - name: gcp-instances-with-label
    resource: gcp.instance
    filters:
      - "tag:name": "bad-instance"
    actions:
      - type: post-finding
        org-domain: example.io
        category: MEDIUM_INTERNET_SECURITY

The source for custodian can either be specified inline in the policy, or custodian can generate one at runtime, given an org-domain or org-id, if it does not already exist.

Finding updates are not currently supported, due to upstream API issues.

properties:
  category:
    type: string
  org-domain:
    type: string
  org-id:
    type: integer
  severity:
    enum:
    - LOW
    - MEDIUM
    - HIGH
    - SEVERITY_UNSPECIFIED
    type: string
  source:
    description: qualified name of source to post to CSCC as
    type: string
  type:
    enum:
    - post-finding
required:
- type

set-iam-policy

Sets IAM policy. It works with bindings only.

The action supports two lists for modifying the existing IAM policy: add-bindings and remove-bindings. The add-bindings records are merged with the existing bindings, so no changes are made if all the required bindings are already present on the resource. The remove-bindings records are used to filter out existing bindings, so the action has no effect if there are no matches. For more information, please refer to the _add_bindings and _remove_bindings methods respectively.

If a record appears in both the add-bindings and remove-bindings lists (not a recommended thing to do in general), remove-bindings is designed to be the more restrictive of the two, so the record will be removed from the existing IAM bindings in the end.

The following member types are available to work with:

- allUsers
- allAuthenticatedUsers
- user
- group
- domain
- serviceAccount

Note that the resource field in the example can be changed to any other resource that has both setIamPolicy and getIamPolicy methods (such as gcp.spanner-database-instance).

Example:

policies:
  - name: gcp-spanner-instance-set-iam-policy
    resource: gcp.spanner-instance
    actions:
      - type: set-iam-policy
        add-bindings:
          - members:
              - user:user1@test.com
              - user:user2@test.com
            role: roles/owner
          - members:
              - user:user3@gmail.com
            role: roles/viewer
        remove-bindings:
          - members:
              - user:user4@test.com
            role: roles/owner
          - members:
              - user:user5@gmail.com
              - user:user6@gmail.com
            role: roles/viewer
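The merge-then-filter semantics described above, worked through on the bindings from the policy example, as an added illustration that is not Cloud Custodian's own _add_bindings/_remove_bindings code. CURRENT_POLICY is a constructed stand-in for a getIamPolicy response, valid_member checks the member types listed above, and binding_changes gives the dry-run view of what the action would grant and revoke.

```python
from copy import deepcopy

# Member types listed above: two bare principals plus prefixed identities.
BARE_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
MEMBER_PREFIXES = ("user:", "group:", "domain:", "serviceAccount:")

# Constructed sample of what getIamPolicy returns (etag is a placeholder).
CURRENT_POLICY = {
    "etag": "ETAG-PLACEHOLDER",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:user1@test.com", "user:user4@test.com"]},
        {"role": "roles/viewer", "members": ["user:user5@gmail.com"]},
    ],
}


def valid_member(member):
    """True if member uses one of the supported member types."""
    return member in BARE_MEMBERS or member.startswith(MEMBER_PREFIXES)


def apply_bindings(policy, add_bindings=(), remove_bindings=()):
    """Merge add-bindings, then filter with remove-bindings; remove wins."""
    policy = deepcopy(policy)
    by_role = {b["role"]: set(b["members"]) for b in policy.get("bindings", [])}
    for b in add_bindings:  # union: a no-op when the binding already exists
        bad = [m for m in b["members"] if not valid_member(m)]
        if bad:
            raise ValueError("unsupported member(s): %s" % bad)
        by_role.setdefault(b["role"], set()).update(b["members"])
    for b in remove_bindings:  # filter: no-op when nothing matches
        if b["role"] not in by_role:
            continue
        if b["members"] == "*":  # schema allows '*' to drop the whole role
            del by_role[b["role"]]
        else:
            by_role[b["role"]].difference_update(b["members"])
    policy["bindings"] = [{"role": r, "members": sorted(m)}
                          for r, m in sorted(by_role.items()) if m]
    return policy


def binding_changes(old, new):
    """(role, member) pairs that would be granted and revoked: a dry-run view."""
    def pairs(p):
        return {(b["role"], m) for b in p.get("bindings", []) for m in b["members"]}
    return sorted(pairs(new) - pairs(old)), sorted(pairs(old) - pairs(new))
```

Reviewing the output of binding_changes before the real setIamPolicy call is the cheapest way to catch a policy that would revoke more (or grant more) than intended.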
properties:
  add-bindings:
    items:
      members:
        items:
          type: string
        minItems: 1
        type: array
      role:
        type: string
    minItems: 1
    type: array
  additionalProperties: false
  minProperties: 1
  remove-bindings:
    items:
      members:
        oneOf:
        - items:
            type: string
          minItems: 1
          type: array
        - enum:
          - '*'
      role:
        type: string
    minItems: 1
    type: array
  type:
    enum:
    - set-iam-policy
required:
- type

webhook

Calls a webhook with optional parameters and body populated from JMESPath queries.

policies:
  - name: call-webhook
    resource: ec2
    description: |
      Call webhook with list of resource groups
    actions:
     - type: webhook
       url: http://foo.com
       query-params:
          resource_name: resource.name
          policy_name: policy.name
properties:
  batch:
    type: boolean
  batch-size:
    type: number
  body:
    type: string
  headers:
    additionalProperties:
      description: header values
      type: string
    type: object
  method:
    enum:
    - PUT
    - POST
    - GET
    - PATCH
    - DELETE
    type: string
  query-params:
    additionalProperties:
      description: query string values
      type: string
    type: object
  type:
    enum:
    - webhook
  url:
    type: string
required:
- url
- type