gcp.project

GCP resource: https://cloud.google.com/compute/docs/reference/rest/v1/projects

Filters

iam-policy

Overrides the base implementation to process Project resources correctly.

properties:
  doc:
    additionalProperties: false
    properties:
      default:
        type: object
      key:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
        - mod
      type:
        enum:
        - value
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          headers:
            patternProperties:
              ? ''
              : type: string
            type: object
          query:
            type: string
          url:
            type: string
        required:
        - url
        type: object
      value_path:
        type: string
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
        - version
        - float
    type: object
  type:
    enum:
    - iam-policy
  user-role:
    additionalProperties: false
    properties:
      has:
        type: boolean
      role:
        type: string
      user:
        type: string
    required:
    - user
    - role
    type: object
required:
- type

Permissions - resourcemanager.projects.getIamPolicy

marked-for-op

Filter resources for label specified future action

Filters resources by a ‘custodian_status’ label which specifies a future date for an action.

The filter parses the label values looking for an ‘op@date’ string. The date is parsed and compared to do today’s date, the filter succeeds if today’s date is gte to the target date.

The optional ‘skew’ parameter provides for incrementing today’s date a number of days into the future. An example use case might be sending a final notice email a few days before terminating an instance, or snapshotting a volume prior to deletion.

The optional ‘skew_hours’ parameter provides for incrementing the current time a number of hours into the future.

Optionally, the ‘tz’ parameter can get used to specify the timezone in which to interpret the clock (default value is ‘utc’)

example:

policies:
 - name: vm-stop-marked
   resource: gcp.instance
   filters:
     - type: marked-for-op
       # The default label used is custodian_status
       # but that is configurable
       label: custodian_status
       op: stop
       # Another optional label is skew
       tz: utc
properties:
  label:
    type: string
  op:
    type: string
  skew:
    minimum: 0
    type: number
  skew_hours:
    minimum: 0
    type: number
  type:
    enum:
    - marked-for-op
  tz:
    type: string
required:
- type

metrics

Supports metrics filters on resources.

All resources that have cloud watch metrics are supported.

Docs on cloud watch metrics

- name: firewall-hit-count
  resource: gcp.firewall
  filters:
  - type: metrics
    name: firewallinsights.googleapis.com/subnet/firewall_hit_count
    aligner: ALIGN_COUNT
    days: 14
    value: 1
    op: greater-than
properties:
  aligner:
    enum:
    - ALIGN_NONE
    - ALIGN_DELTA
    - ALIGN_RATE
    - ALIGN_INTERPOLATE
    - ALIGN_MIN
    - ALIGN_MAX
    - ALIGN_MEAN
    - ALIGN_COUNT
    - ALIGN_SUM
    - REDUCE_COUNT_FALSE
    - ALIGN_STDDEV
    - ALIGN_COUNT_TRUE
    - ALIGN_COUNT_FALSE
    - ALIGN_FRACTION_TRUE
    - ALIGN_PERCENTILE_99
    - ALIGN_PERCENTILE_95
    - ALIGN_PERCENTILE_50
    - ALIGN_PERCENTILE_05
    - ALIGN_PERCENT_CHANG
    type: string
  days:
    type: number
  filter:
    type: string
  group-by-fields:
    items:
      type: string
    type: array
  metric-key:
    type: string
  missing-value:
    type: number
  name:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
    type: string
  reducer:
    enum:
    - REDUCE_NONE
    - REDUCE_MEAN
    - REDUCE_MIN
    - REDUCE_MAX
    - REDUCE_MEAN
    - REDUCE_SUM
    - REDUCE_STDDEV
    - REDUCE_COUNT
    - REDUCE_COUNT_TRUE
    - REDUCE_COUNT_FALSE
    - REDUCE_FRACTION_TRUE
    - REDUCE_PERCENTILE_99
    - REDUCE_PERCENTILE_95
    - REDUCE_PERCENTILE_50
    - REDUCE_PERCENTILE_05
    type: string
  type:
    enum:
    - metrics
  value:
    type: number
required:
- value
- name
- op

Permissions - monitoring.timeSeries.list

missing

Assert the absence of a particular resource.

Intended for use at a logical account/subscription/project level

This works as an effectively an embedded policy thats evaluated.

example:

Notify if an s3 bucket is missing

policies:
  - name: missing-s3-bucket
    resource: account
    filters:
      - type: missing
        policy:
          resource: s3
          filters:
            - Name: my-bucket
    actions:
      - notify
properties:
  policy:
    properties:
      resource:
        type: string
    required:
    - resource
    type: object
  type:
    enum:
    - missing
required:
- policy
- type

Actions

delete

Delete a GCP Project

Note this will also schedule deletion of assets contained within the project. The project will not be accessible, and assets contained within the project may continue to accrue costs within a 30 day period. For details see https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - resourcemanager.projects.delete

mark-for-op

Label resources for future action.

The optional ‘tz’ parameter can be used to adjust the clock to align with a given timezone. The default value is ‘utc’.

If neither ‘days’ nor ‘hours’ is specified, Cloud Custodian will default to marking the resource for action 4 days in the future.

example:

policies:
 - name: vm-mark-for-stop
   resource: gcp.instance
   filters:
     - type: value
       key: name
       value: instance-to-stop-in-four-days
   actions:
     - type: mark-for-op
       op: stop
       days: 2
properties:
  days:
    exclusiveMinimum: false
    minimum: 0
    type: number
  hours:
    exclusiveMinimum: false
    minimum: 0
    type: number
  label:
    type: string
  msg:
    type: string
  op:
    type: string
  type:
    enum:
    - mark-for-op
  tz:
    type: string
required:
- type

Permissions - resourcemanager.projects.update

propagate-labels

Propagate labels from the organization hierarchy to a project.

folder-labels should resolve to a json data mapping of folder path to labels that should be applied to contained projects.

as a worked example assume the following resource hierarchy

- /dev
     /network
        /project-a
     /ml
        /project-b

Given a folder-labels json with contents like

{"dev": {"env": "dev", "owner": "dev"},
 "dev/network": {"owner": "network"},
 "dev/ml": {"owner": "ml"}

Running the following policy

policies:
 - name: tag-projects
   resource: gcp.project
   # use a server side filter to only look at projects
   # under the /dev folder the id for the dev folder needs
   # to be manually resolved outside of the policy.
   query:
     - filter: "parent.id:389734459211 parent.type:folder"
   filters:
     - "tag:owner": absent
   actions:
     - type: propagate-labels
       folder-labels:
          url: file://folder-labels.json

Will result in project-a being tagged with owner: network and env: dev and project-b being tagged with owner: ml and env: dev

properties:
  folder-labels:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  type:
    enum:
    - propagate-labels
required:
- folder-labels

Permissions - resourcemanager.folders.get, resourcemanager.projects.update

set-labels

Set labels to GCP resources

example:

This policy will label all existing resource groups with a value such as environment

policies:
  - name: gcp-add-multiple-labels
    resource: gcp.instance
    description: |
      Label all existing instances with multiple labels
    actions:
     - type: set-labels
       labels:
         environment: test
         env_type: customer

  - name: gcp-add-label-from-resource-attr
    resource: gcp.instance
    description: |
      Label all existing instances with label taken from resource attribute
    actions:
     - type: set-labels
       labels:
         environment:
          type: resource
          key: name
          default-value: name_not_found

  - name: gcp-remove-label
    resource: gcp.instance
    description: |
      Remove label from all instances
    actions:
     - type: set-labels
       remove: [env]
properties:
  labels:
    additionalProperties:
      oneOf:
      - oneOf:
        - additionalProperties: false
          properties:
            default-value:
              type: string
            key:
              type: string
            type:
              enum:
              - resource
              type: string
          required:
          - type
          - key
        type: object
      - type: string
    type: object
  remove:
    items:
      type: string
    type: array
  type:
    enum:
    - set-labels
required:
- type

Permissions - resourcemanager.projects.update