gcp.instance
Filters
marked-for-op
Filter resources for label specified future action
Filters resources by a ‘custodian_status’ label which specifies a future date for an action.
The filter parses the label values looking for an ‘op@date’ string. The date is parsed and compared to do today’s date, the filter succeeds if today’s date is gte to the target date.
The optional ‘skew’ parameter provides for incrementing today’s date a number of days into the future. An example use case might be sending a final notice email a few days before terminating an instance, or snapshotting a volume prior to deletion.
The optional ‘skew_hours’ parameter provides for incrementing the current time a number of hours into the future.
Optionally, the ‘tz’ parameter can get used to specify the timezone in which to interpret the clock (default value is ‘utc’)
- example:
policies:
- name: vm-stop-marked
resource: gcp.instance
filters:
- type: marked-for-op
# The default label used is custodian_status
# but that is configurable
label: custodian_status
op: stop
# Another optional label is skew
tz: utc
properties:
label:
type: string
op:
type: string
skew:
minimum: 0
type: number
skew_hours:
minimum: 0
type: number
type:
enum:
- marked-for-op
tz:
type: string
required:
- type
metrics
Supports metrics filters on resources.
All resources that have cloud watch metrics are supported.
Docs on cloud watch metrics
Google Supported Metrics https://cloud.google.com/monitoring/api/metrics_gcp
Custom Metrics https://cloud.google.com/monitoring/api/v3/metric-model#intro-custom-metrics
- name: firewall-hit-count
resource: gcp.firewall
filters:
- type: metrics
name: firewallinsights.googleapis.com/subnet/firewall_hit_count
aligner: ALIGN_COUNT
days: 14
value: 1
op: greater-than
properties:
aligner:
enum:
- ALIGN_NONE
- ALIGN_DELTA
- ALIGN_RATE
- ALIGN_INTERPOLATE
- ALIGN_MIN
- ALIGN_MAX
- ALIGN_MEAN
- ALIGN_COUNT
- ALIGN_SUM
- REDUCE_COUNT_FALSE
- ALIGN_STDDEV
- ALIGN_COUNT_TRUE
- ALIGN_COUNT_FALSE
- ALIGN_FRACTION_TRUE
- ALIGN_PERCENTILE_99
- ALIGN_PERCENTILE_95
- ALIGN_PERCENTILE_50
- ALIGN_PERCENTILE_05
- ALIGN_PERCENT_CHANG
type: string
days:
type: number
filter:
type: string
group-by-fields:
items:
type: string
type: array
metric-key:
type: string
missing-value:
type: number
name:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type: string
reducer:
enum:
- REDUCE_NONE
- REDUCE_MEAN
- REDUCE_MIN
- REDUCE_MAX
- REDUCE_MEAN
- REDUCE_SUM
- REDUCE_STDDEV
- REDUCE_COUNT
- REDUCE_COUNT_TRUE
- REDUCE_COUNT_FALSE
- REDUCE_FRACTION_TRUE
- REDUCE_PERCENTILE_99
- REDUCE_PERCENTILE_95
- REDUCE_PERCENTILE_50
- REDUCE_PERCENTILE_05
type: string
type:
enum:
- metrics
value:
type: number
required:
- value
- name
- op
Permissions - monitoring.timeSeries.list
Actions
create-machine-image
- Creates
Machine Image from instance.
The name_format specifies name of image in python format string <https://pyformat.info/>
- Inside format string there are defined variables:
now: current time
instance: whole instance resource
Default name format is {instance[name]}
- Example:
policies:
- name: gcp-create-machine-image
resource: gcp.instance
filters:
- type: value
key: name
value: instance-create-to-make-image
actions:
- type: create-machine-image
name_format: "{instance[name]:.50}-{now:%Y-%m-%d}"
properties:
name_format:
type: string
type:
enum:
- create-machine-image
required:
- type
Permissions - compute.machineImages.create
delete
Invoke an api call on each resource.
Quite a number of procedural actions are simply invoking an api call on a filtered set of resources. The exact handling is mostly boilerplate at that point following an 80/20 rule. This class is an encapsulation of the 80%.
properties:
type:
enum:
- delete
required:
- type
Permissions - compute.instances.delete
detach-disks
Detaches all disks from instance. The action does not specify any parameters.
It may be useful to be used before deleting instances to not delete disks that are set to auto delete.
- Example:
policies:
- name: gcp-instance-detach-disks
resource: gcp.instance
filters:
- type: value
key: name
value: instance-template-to-detahc
actions:
- type: detach-disks
properties:
type:
enum:
- detach-disks
required:
- type
Permissions - compute.instances.detachDisk
mark-for-op
Label resources for future action.
The optional ‘tz’ parameter can be used to adjust the clock to align with a given timezone. The default value is ‘utc’.
If neither ‘days’ nor ‘hours’ is specified, Cloud Custodian will default to marking the resource for action 4 days in the future.
- example:
policies:
- name: vm-mark-for-stop
resource: gcp.instance
filters:
- type: value
key: name
value: instance-to-stop-in-four-days
actions:
- type: mark-for-op
op: stop
days: 2
properties:
days:
exclusiveMinimum: false
minimum: 0
type: number
hours:
exclusiveMinimum: false
minimum: 0
type: number
label:
type: string
msg:
type: string
op:
type: string
type:
enum:
- mark-for-op
tz:
type: string
required:
- type
Permissions - compute.instances.update
resume
Invoke an api call on each resource.
Quite a number of procedural actions are simply invoking an api call on a filtered set of resources. The exact handling is mostly boilerplate at that point following an 80/20 rule. This class is an encapsulation of the 80%.
properties:
type:
enum:
- resume
required:
- type
Permissions - compute.instances.resume
set-labels
Set labels to GCP resources
- example:
This policy will label all existing resource groups with a value such as environment
policies:
- name: gcp-add-multiple-labels
resource: gcp.instance
description: |
Label all existing instances with multiple labels
actions:
- type: set-labels
labels:
environment: test
env_type: customer
- name: gcp-add-label-from-resource-attr
resource: gcp.instance
description: |
Label all existing instances with label taken from resource attribute
actions:
- type: set-labels
labels:
environment:
type: resource
key: name
default-value: name_not_found
- name: gcp-remove-label
resource: gcp.instance
description: |
Remove label from all instances
actions:
- type: set-labels
remove: [env]
properties:
labels:
additionalProperties:
oneOf:
- oneOf:
- additionalProperties: false
properties:
default-value:
type: string
key:
type: string
type:
enum:
- resource
type: string
required:
- type
- key
type: object
- type: string
type: object
remove:
items:
type: string
type: array
type:
enum:
- set-labels
required:
- type
Permissions - compute.instances.update
start
Invoke an api call on each resource.
Quite a number of procedural actions are simply invoking an api call on a filtered set of resources. The exact handling is mostly boilerplate at that point following an 80/20 rule. This class is an encapsulation of the 80%.
properties:
type:
enum:
- start
required:
- type
Permissions - compute.instances.start
stop
Caution: stop in GCP is closer to terminate in terms of effect.
The discard_local_ssd specifies if local SSD should be discarded or not while stopping the instance. The default behavior from Google Cloud console is to keep the local SSD. Default discard_local_ssd is False. https://cloud.google.com/compute/docs/instances/stop-start-instance#stop-vm-local-ssd
suspend is closer to stop in other providers.
See https://cloud.google.com/compute/docs/instances/instance-life-cycle
properties:
discard_local_ssd:
type: boolean
type:
enum:
- stop
required:
- type
Permissions - compute.instances.stop
suspend
Invoke an api call on each resource.
Quite a number of procedural actions are simply invoking an api call on a filtered set of resources. The exact handling is mostly boilerplate at that point following an 80/20 rule. This class is an encapsulation of the 80%.
properties:
type:
enum:
- suspend
required:
- type
Permissions - compute.instances.suspend