GCP Common Actions¶
policies: - name: bad-instance-get resource: gcp.instance filters: - Name: bad-instance actions: - type: notify to: - email@address # which template for the email should we use template: policy-template transport: type: pubsub topic: projects/yourproject/topics/yourtopic
addtionalProperties: false anyOf: - required: - type - transport - to - required: - type - transport - to_from properties: cc: items: type: string type: array cc_from: additionalProperties: 'False' properties: expr: oneOf: - type: integer - type: string format: enum: - csv - json - txt - csv2dict url: type: string required: - url type: object cc_manager: type: boolean from: type: string owner_absent_contact: items: type: string type: array subject: type: string template: type: string to: items: type: string type: array to_from: additionalProperties: 'False' properties: expr: oneOf: - type: integer - type: string format: enum: - csv - json - txt - csv2dict url: type: string required: - url type: object transport: oneOf: - properties: topic: type: string type: enum: - pubsub required: - type - topic type: object type: enum: - notify
Post finding for matched resources to Cloud Security Command Center.
policies: - name: gcp-instances-with-label resource: gcp.instance filters: - "tag:name": "bad-instance" actions: - type: post-finding org-domain: example.io category: MEDIUM_INTERNET_SECURITY
The source for custodian can either be specified inline to the policy, or custodian can generate one at runtime if it doesn’t exist given a org-domain or org-id.
Finding updates are not currently supported, due to upstream api issues.
properties: category: type: string org-domain: type: string org-id: type: integer source: description: qualified name of source to post to CSCC as type: string type: enum: - post-finding required: - type
Sets IAM policy. It works with bindings only.
The action supports two lists for modifying the existing IAM policy: add-bindings and remove-bindings. The add-bindings records are merged with the existing bindings, hereby no changes are made if all the required bindings are already present in the applicable resource. The remove-bindings records are used to filter out the existing bindings, so the action will take no effect if there are no matches. For more information, please refer to the _add_bindings and _remove_bindings methods respectively.
Considering a record added both to the add-bindings and remove-bindings lists, which though is not a recommended thing to do in general, the latter is designed to be a more restrictive one, so the record will be removed from the existing IAM bindings in the end.
There following member types are available to work with: - allUsers, - allAuthenticatedUsers, - user, - group, - domain, - serviceAccount.
Note the resource field in the example that could be changed to another resource that has both setIamPolicy and getIamPolicy methods (such as gcp.spanner-database-instance).
policies: - name: gcp-spanner-instance-set-iam-policy resource: gcp.spanner-instance actions: - type: set-iam-policy add-bindings: - members: - user:email@example.com - user:firstname.lastname@example.org role: roles/owner - members: - user:email@example.com role: roles/viewer remove-bindings: - members: - user:firstname.lastname@example.org role: roles/owner - members: - user:email@example.com - user:firstname.lastname@example.org role: roles/viewer
properties: add-bindings: items: members: items: type: string minItems: 1 type: array role: type: string minItems: 1 type: array additionalProperties: false minProperties: 1 remove-bindings: items: members: oneOf: - items: type: string minItems: 1 type: array - enum: - '*' role: type: string minItems: 1 type: array type: enum: - set-iam-policy required: - type
Calls a webhook with optional parameters and body populated from JMESPath queries.
policies: - name: call-webhook resource: ec2 description: | Call webhook with list of resource groups actions: - type: webhook url: http://foo.com query-params: resource_name: resource.name policy_name: policy.name
properties: batch: type: boolean batch-size: type: number body: type: string headers: additionalProperties: description: header values type: string type: object method: enum: - PUT - POST - GET - PATCH - DELETE type: string query-params: additionalProperties: description: query string values type: string type: object type: enum: - webhook url: type: string required: - url - type