gcp.instance

Filters

marked-for-op

Filter resources for label specified future action

Filters resources by a ‘custodian_status’ label which specifies a future date for an action.

The filter parses the label values looking for an ‘op@date’ string. The date is parsed and compared to do today’s date, the filter succeeds if today’s date is gte to the target date.

The optional ‘skew’ parameter provides for incrementing today’s date a number of days into the future. An example use case might be sending a final notice email a few days before terminating an instance, or snapshotting a volume prior to deletion.

The optional ‘skew_hours’ parameter provides for incrementing the current time a number of hours into the future.

Optionally, the ‘tz’ parameter can get used to specify the timezone in which to interpret the clock (default value is ‘utc’)

example:

policies:
 - name: vm-stop-marked
   resource: gcp.instance
   filters:
     - type: marked-for-op
       # The default label used is custodian_status
       # but that is configurable
       label: custodian_status
       op: stop
       # Another optional label is skew
       tz: utc
properties:
  label:
    type: string
  op:
    type: string
  skew:
    minimum: 0
    type: number
  skew_hours:
    minimum: 0
    type: number
  type:
    enum:
    - marked-for-op
  tz:
    type: string
required:
- type

metrics

Supports metrics filters on resources.

All resources that have cloud watch metrics are supported.

Docs on cloud watch metrics

- name: firewall-hit-count
  resource: gcp.firewall
  filters:
  - type: metrics
    name: firewallinsights.googleapis.com/subnet/firewall_hit_count
    aligner: ALIGN_COUNT
    days: 14
    value: 1
    op: greater-than
properties:
  aligner:
    enum:
    - ALIGN_NONE
    - ALIGN_DELTA
    - ALIGN_RATE
    - ALIGN_INTERPOLATE
    - ALIGN_MIN
    - ALIGN_MAX
    - ALIGN_MEAN
    - ALIGN_COUNT
    - ALIGN_SUM
    - REDUCE_COUNT_FALSE
    - ALIGN_STDDEV
    - ALIGN_COUNT_TRUE
    - ALIGN_COUNT_FALSE
    - ALIGN_FRACTION_TRUE
    - ALIGN_PERCENTILE_99
    - ALIGN_PERCENTILE_95
    - ALIGN_PERCENTILE_50
    - ALIGN_PERCENTILE_05
    - ALIGN_PERCENT_CHANG
    type: string
  days:
    type: number
  filter:
    type: string
  group-by-fields:
    items:
      type: string
    type: array
  metric-key:
    type: string
  missing-value:
    type: number
  name:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
    type: string
  reducer:
    enum:
    - REDUCE_NONE
    - REDUCE_MEAN
    - REDUCE_MIN
    - REDUCE_MAX
    - REDUCE_MEAN
    - REDUCE_SUM
    - REDUCE_STDDEV
    - REDUCE_COUNT
    - REDUCE_COUNT_TRUE
    - REDUCE_COUNT_FALSE
    - REDUCE_FRACTION_TRUE
    - REDUCE_PERCENTILE_99
    - REDUCE_PERCENTILE_95
    - REDUCE_PERCENTILE_50
    - REDUCE_PERCENTILE_05
    type: string
  type:
    enum:
    - metrics
  value:
    type: number
required:
- value
- name
- op

Permissions - monitoring.timeSeries.list

Actions

create-machine-image

Creates

Machine Image from instance.

The name_format specifies name of image in python format string <https://pyformat.info/>

Inside format string there are defined variables:
  • now: current time

  • instance: whole instance resource

Default name format is {instance[name]}

Example:

policies:
  - name: gcp-create-machine-image
    resource: gcp.instance
    filters:
      - type: value
        key: name
        value: instance-create-to-make-image
    actions:
      - type: create-machine-image
        name_format: "{instance[name]:.50}-{now:%Y-%m-%d}"
properties:
  name_format:
    type: string
  type:
    enum:
    - create-machine-image
required:
- type

Permissions - compute.machineImages.create

delete

Invoke an api call on each resource.

Quite a number of procedural actions are simply invoking an api call on a filtered set of resources. The exact handling is mostly boilerplate at that point following an 80/20 rule. This class is an encapsulation of the 80%.

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - compute.instances.delete

detach-disks

Detaches all disks from instance. The action does not specify any parameters.

It may be useful to be used before deleting instances to not delete disks that are set to auto delete.

Example:

policies:
  - name: gcp-instance-detach-disks
    resource: gcp.instance
    filters:
      - type: value
        key: name
        value: instance-template-to-detahc
    actions:
      - type: detach-disks
properties:
  type:
    enum:
    - detach-disks
required:
- type

Permissions - compute.instances.detachDisk

mark-for-op

Label resources for future action.

The optional ‘tz’ parameter can be used to adjust the clock to align with a given timezone. The default value is ‘utc’.

If neither ‘days’ nor ‘hours’ is specified, Cloud Custodian will default to marking the resource for action 4 days in the future.

example:

policies:
 - name: vm-mark-for-stop
   resource: gcp.instance
   filters:
     - type: value
       key: name
       value: instance-to-stop-in-four-days
   actions:
     - type: mark-for-op
       op: stop
       days: 2
properties:
  days:
    exclusiveMinimum: false
    minimum: 0
    type: number
  hours:
    exclusiveMinimum: false
    minimum: 0
    type: number
  label:
    type: string
  msg:
    type: string
  op:
    type: string
  type:
    enum:
    - mark-for-op
  tz:
    type: string
required:
- type

Permissions - compute.instances.update

resume

Invoke an api call on each resource.

Quite a number of procedural actions are simply invoking an api call on a filtered set of resources. The exact handling is mostly boilerplate at that point following an 80/20 rule. This class is an encapsulation of the 80%.

properties:
  type:
    enum:
    - resume
required:
- type

Permissions - compute.instances.resume

set-labels

Set labels to GCP resources

example:

This policy will label all existing resource groups with a value such as environment

policies:
  - name: gcp-add-multiple-labels
    resource: gcp.instance
    description: |
      Label all existing instances with multiple labels
    actions:
     - type: set-labels
       labels:
         environment: test
         env_type: customer

  - name: gcp-add-label-from-resource-attr
    resource: gcp.instance
    description: |
      Label all existing instances with label taken from resource attribute
    actions:
     - type: set-labels
       labels:
         environment:
          type: resource
          key: name
          default-value: name_not_found

  - name: gcp-remove-label
    resource: gcp.instance
    description: |
      Remove label from all instances
    actions:
     - type: set-labels
       remove: [env]
properties:
  labels:
    additionalProperties:
      oneOf:
      - oneOf:
        - additionalProperties: false
          properties:
            default-value:
              type: string
            key:
              type: string
            type:
              enum:
              - resource
              type: string
          required:
          - type
          - key
        type: object
      - type: string
    type: object
  remove:
    items:
      type: string
    type: array
  type:
    enum:
    - set-labels
required:
- type

Permissions - compute.instances.update

start

Invoke an api call on each resource.

Quite a number of procedural actions are simply invoking an api call on a filtered set of resources. The exact handling is mostly boilerplate at that point following an 80/20 rule. This class is an encapsulation of the 80%.

properties:
  type:
    enum:
    - start
required:
- type

Permissions - compute.instances.start

stop

Caution: stop in GCP is closer to terminate in terms of effect.

suspend is closer to stop in other providers.

See https://cloud.google.com/compute/docs/instances/instance-life-cycle

properties:
  type:
    enum:
    - stop
required:
- type

Permissions - compute.instances.stop

suspend

Invoke an api call on each resource.

Quite a number of procedural actions are simply invoking an api call on a filtered set of resources. The exact handling is mostly boilerplate at that point following an 80/20 rule. This class is an encapsulation of the 80%.

properties:
  type:
    enum:
    - suspend
required:
- type

Permissions - compute.instances.suspend