GCP Common Filters

Filters

access-approval

Filter Resources based on access approval configuration

- name: project-access-approval
  resource: gcp.project
  filters:
  - type: access-approval
    key: enrolledServices.cloudProduct
    value: "all"
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - access-approval
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

alerts

GCP Filter to find Alerts for a Log Metric Filter.

- name: log-metric-filter-has-alert
  resource: gcp.log-project-metric
  filters:
  - type: alerts
properties:
  type:
    enum:
    - alerts
required:
- type

bucket

Allows filtering on the bucket targeted by the log sink. If the sink does not target a bucket it does not match this filter.

https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.sinks https://cloud.google.com/storage/docs/json_api/v1/buckets#resource

example:

Find Sinks that target a bucket which is not using Bucket Lock

policies:
  - name: sink-target-bucket-not-locked
    resource: gcp.log-project-sink
    filters:
      - type: bucket
        key: retentionPolicy.isLocked
        op: ne
        value: true
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - bucket
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

compute-meta

Allows filtering on project-level compute metadata including common instance metadata and quotas.

example:

Find Projects that have not enabled OS Login for compute instances

policies:
  - name: project-compute-os-login-not-enabled
    resource: gcp.project
    filters:
      - type: compute-meta
        key: "commonInstanceMetadata.items[?key==`enable-oslogin`].value | [0]"
        op: ne
        value_type: normalize
        value: true
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - compute-meta
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

effective-firewall

Filters instances by their effective firewall rules. See getEffectiveFirewalls for valid fields.

example:

Filter all instances that have a firewall rule that allows public acess

policies:
   - name: find-publicly-accessable-instances
     resource: gcp.instance
     filters:
     - type: effective-firewall
       key: firewalls[*].sourceRanges[]
       op: contains
       value: "0.0.0.0/0"
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - effective-firewall
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

essential-contacts

Filter Resources based on essential contacts configuration

- name: org-essential-contacts
  resource: gcp.organization
  filters:
  - type: essential-contacts
    count: 2
    count_op: gte
    attrs:
      - validationState: VALID
      - type: value
        key: notificationCategorySubscriptions
        value: TECHNICAL
        op: contains
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - essential-contacts
required:
- type

event

Filter a resource based on an event.

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - event
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

firewall

Perform multi attribute filtering on items within a list, for example looking for security groups that have rules which include 0.0.0.0/0 and port 22 open.

example:

policies:
  - name: security-group-with-22-open-to-world
    resource: aws.security-group
    filters:
      - type: list-item
        key: IpPermissions
        attrs:
          - type: value
            key: IpRanges[].CidrIp
            value: '0.0.0.0/0'
            op: in
            value_type: swap
          - type: value
            key: FromPort
            value: 22
          - type: value
            key: ToPort
            value: 22
  - name: find-task-def-not-using-registry
    resource: aws.ecs-task-definition
    filters:
      - not:
        - type: list-item
          key: containerDefinitions
          attrs:
            - not:
              - type: value
                key: image
                value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
                op: regex
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  type:
    enum:
    - firewall
required:
- type

list-item

Perform multi attribute filtering on items within a list, for example looking for security groups that have rules which include 0.0.0.0/0 and port 22 open.

example:

policies:
  - name: security-group-with-22-open-to-world
    resource: aws.security-group
    filters:
      - type: list-item
        key: IpPermissions
        attrs:
          - type: value
            key: IpRanges[].CidrIp
            value: '0.0.0.0/0'
            op: in
            value_type: swap
          - type: value
            key: FromPort
            value: 22
          - type: value
            key: ToPort
            value: 22
  - name: find-task-def-not-using-registry
    resource: aws.ecs-task-definition
    filters:
      - not:
        - type: list-item
          key: containerDefinitions
          attrs:
            - not:
              - type: value
                key: image
                value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
                op: regex
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  key:
    type: string
  type:
    enum:
    - list-item
required:
- type

offhour

Schedule offhours for resources see offhours for features and configuration.

properties:
  default_tz:
    type: string
  fallback-schedule:
    type: string
  fallback_schedule:
    type: string
  offhour:
    maximum: 23
    minimum: 0
    type: integer
  opt-out:
    type: boolean
  skip-days:
    items:
      pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
      type: string
    type: array
  skip-days-from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  tag:
    type: string
  type:
    enum:
    - offhour
  weekends:
    type: boolean
  weekends-only:
    type: boolean
required:
- offhour
- default_tz
- type

onhour

Schedule offhours for resources see offhours for features and configuration.

properties:
  default_tz:
    type: string
  fallback-schedule:
    type: string
  fallback_schedule:
    type: string
  onhour:
    maximum: 23
    minimum: 0
    type: integer
  opt-out:
    type: boolean
  skip-days:
    items:
      pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
      type: string
    type: array
  skip-days-from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  tag:
    type: string
  type:
    enum:
    - onhour
  weekends:
    type: boolean
  weekends-only:
    type: boolean
required:
- onhour
- default_tz
- type

org-policy

Filter Resources based on orgpolicy configuration

- name: org-policy
  resource: gcp.organization
  filters:
  - type: org-policy
    attrs:
      - type: value
        key: constraint
        value: constraints/iam.allowedPolicyMemberDomains
        op: contains
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  type:
    enum:
    - org-policy
required:
- type

recommend

Use GCP Resource Recommendations to filter resources

for a complete list and applicable resource types see https://cloud.google.com/recommender/docs/recommenders

ie. find idle compute disks to snapshot and delete.

example:

policies:
  - name: gcp-unused-disk
    resource: gcp.disk
    filters:
     - type: recommend
       id: google.compute.disk.IdleResourceRecommender
    actions:
     - snapshot
     - delete
properties:
  id:
    type: string
  type:
    enum:
    - recommend
required:
- id

records-sets

Perform multi attribute filtering on items within a list, for example looking for security groups that have rules which include 0.0.0.0/0 and port 22 open.

example:

policies:
  - name: security-group-with-22-open-to-world
    resource: aws.security-group
    filters:
      - type: list-item
        key: IpPermissions
        attrs:
          - type: value
            key: IpRanges[].CidrIp
            value: '0.0.0.0/0'
            op: in
            value_type: swap
          - type: value
            key: FromPort
            value: 22
          - type: value
            key: ToPort
            value: 22
  - name: find-task-def-not-using-registry
    resource: aws.ecs-task-definition
    filters:
      - not:
        - type: list-item
          key: containerDefinitions
          attrs:
            - not:
              - type: value
                key: image
                value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
                op: regex
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  type:
    enum:
    - records-sets
required:
- type

reduce

Generic reduce filter to group, sort, and limit your resources.

This example will select the longest running instance from each ASG, then randomly choose 10% of those, maxing at 15 total instances.

example:

- name: oldest-instance-by-asg
  resource: ec2
  filters:
    - "tag:aws:autoscaling:groupName": present
    - type: reduce
      group-by: "tag:aws:autoscaling:groupName"
      sort-by: "LaunchTime"
      order: asc
      limit: 1

Or you might want to randomly select a 10 percent of your resources, but no more than 15.

example:

- name: random-selection
  resource: ec2
  filters:
    - type: reduce
      order: randomize
      limit: 15
      limit-percent: 10
properties:
  discard:
    minimum: 0
    type: number
  discard-percent:
    maximum: 100
    minimum: 0
    type: number
  group-by:
    oneOf:
    - type: string
    - key:
        type: string
      type: object
      value_regex: string
      value_type:
        enum:
        - string
        - number
        - date
  limit:
    minimum: 0
    type: number
  limit-percent:
    maximum: 100
    minimum: 0
    type: number
  null-order:
    enum:
    - first
    - last
  order:
    enum:
    - asc
    - desc
    - reverse
    - randomize
  sort-by:
    oneOf:
    - type: string
    - key:
        type: string
      type: object
      value_regex: string
      value_type:
        enum:
        - string
        - number
        - date
  type:
    enum:
    - reduce
required:
- type

scc-findings

Filters resources based on their Security Command Center (SCC) findings.

- name: bucket-contains-high-finding
  resource: gcp.bucket
  filters:
  - type: scc-findings
    org: 11111111111111
    key: severity
    value: HIGH
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  org:
    type: integer
  type:
    enum:
    - scc-findings
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- org
- type

server-config

Filters kubernetes clusters or nodepools by their server config. See getServerConfig https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations/getServerConfig for valid fields.

example:

Filter all clusters that is not running a supported version

policies:
   - name: find-unsupported-cluster-version
     resource: gcp.gke-cluster
     filters:
     - type: server-config
       key: contains(serverConfig.validMasterVersions, resource.currentMasterVersion)
       value: false

Filter all nodepools that is not running a supported version

policies:
   - name: find-unsupported-cluster-nodepools-version
     resource: gcp.gke-nodepool
     filters:
     - type: server-config
       key: contains(serverConfig.validNodeVersions, resource.version)
       value: false
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - server-config
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

value

Generic value filter using jmespath

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - value
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type