gcp.project

GCP resource: https://cloud.google.com/compute/docs/reference/rest/v1/projects

Filters

marked-for-op

Filter resources for label specified future action

Filters resources by a ‘custodian_status’ label which specifies a future date for an action.

The filter parses the label values looking for an ‘op@date’ string. The date is parsed and compared to do today’s date, the filter succeeds if today’s date is gte to the target date.

The optional ‘skew’ parameter provides for incrementing today’s date a number of days into the future. An example use case might be sending a final notice email a few days before terminating an instance, or snapshotting a volume prior to deletion.

The optional ‘skew_hours’ parameter provides for incrementing the current time a number of hours into the future.

Optionally, the ‘tz’ parameter can get used to specify the timezone in which to interpret the clock (default value is ‘utc’)

example

policies:
 - name: vm-stop-marked
   resource: gcp.instance
   filters:
     - type: marked-for-op
       # The default label used is custodian_status
       # but that is configurable
       label: custodian_status
       op: stop
       # Another optional label is skew
       tz: utc
properties:
  label:
    type: string
  op:
    type: string
  skew:
    minimum: 0
    type: number
  skew_hours:
    minimum: 0
    type: number
  type:
    enum:
    - marked-for-op
  tz:
    type: string
required:
- type

Actions

delete

Delete a GCP Project

Note this will also schedule deletion of assets contained within the project. The project will not be accessible, and assets contained within the project may continue to accrue costs within a 30 day period. For details see https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - resourcemanager.projects.delete

mark-for-op

Label resources for future action.

The optional ‘tz’ parameter can be used to adjust the clock to align with a given timezone. The default value is ‘utc’.

If neither ‘days’ nor ‘hours’ is specified, Cloud Custodian will default to marking the resource for action 4 days in the future.

example

policies:
 - name: vm-mark-for-stop
   resource: gcp.instance
   filters:
     - type: value
       key: name
       value: instance-to-stop-in-four-days
   actions:
     - type: mark-for-op
       op: stop
       days: 2
properties:
  days:
    exclusiveMinimum: false
    minimum: 0
    type: number
  hours:
    exclusiveMinimum: false
    minimum: 0
    type: number
  label:
    type: string
  msg:
    type: string
  op:
    type: string
  type:
    enum:
    - mark-for-op
  tz:
    type: string
required:
- type

Permissions - resourcemanager.projects.update

propagate-labels

Propagate labels from the organization hierarchy to a project.

folder-labels should resolve to a json data mapping of folder path to labels that should be applied to contained projects.

as a worked example assume the following resource hierarchy

- /dev
     /network
        /project-a
     /ml
        /project-b

Given a folder-labels json with contents like

{"dev": {"env": "dev", "owner": "dev"},
 "dev/network": {"owner": "network"},
 "dev/ml": {"owner": "ml"}

Running the following policy

policies:
 - name: tag-projects
   resource: gcp.project
   # use a server side filter to only look at projects
   # under the /dev folder the id for the dev folder needs
   # to be manually resolved outside of the policy.
   query:
     - filter: "parent.id:389734459211 parent.type:folder"
   filters:
     - "tag:owner": absent
   actions:
     - type: propagate-labels
       folder-labels:
          url: file://folder-labels.json

Will result in project-a being tagged with owner: network and env: dev and project-b being tagged with owner: ml and env: dev

properties:
  folder-labels:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  type:
    enum:
    - propagate-labels
required:
- folder-labels

Permissions - resourcemanager.folders.get, resourcemanager.projects.update

set-labels

Set labels to GCP resources

example

This policy will label all existing resource groups with a value such as environment

policies:
  - name: gcp-add-multiple-labels
    resource: gcp.instance
    description: |
      Label all existing instances with multiple labels
    actions:
     - type: set-labels
       labels:
         environment: test
         env_type: customer

  - name: gcp-add-label-from-resource-attr
    resource: gcp.instance
    description: |
      Label all existing instances with label taken from resource attribute
    actions:
     - type: set-labels
       labels:
         environment:
          type: resource
          key: name
          default-value: name_not_found

  - name: gcp-remove-label
    resource: gcp.instance
    description: |
      Remove label from all instances
    actions:
     - type: set-labels
       remove: [env]
properties:
  labels:
    additionalProperties:
      oneOf:
      - oneOf:
        - additionalProperties: false
          properties:
            default-value:
              type: string
            key:
              type: string
            type:
              enum:
              - resource
              type: string
          required:
          - type
          - key
        type: object
      - type: string
    type: object
  remove:
    items:
      type: string
    type: array
  type:
    enum:
    - set-labels
required:
- type

Permissions - resourcemanager.projects.update