gcp.project
GCP resource: https://cloud.google.com/compute/docs/reference/rest/v1/projects
Filters
iam-policy
Overrides the base implementation to process Project resources correctly.
properties:
doc:
additionalProperties: false
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- value
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
type: object
type:
enum:
- iam-policy
user-role:
additionalProperties: false
properties:
has:
type: boolean
role:
type: string
user:
type: string
required:
- user
- role
type: object
required:
- type
Permissions - resourcemanager.projects.getIamPolicy
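The `user-role` sub-filter above takes a `user`, a `role` and an optional `has` flag and is evaluated against the document returned by `projects.getIamPolicy`, which is a list of `bindings`, each a `role` plus its `members`. The following is an added illustration of that check, not Cloud Custodian's own code: it assumes `user` is the full IAM member string (`user:`, `serviceAccount:`, `allUsers`, ...), and it adds a `public_bindings` helper, which the filter does not provide, to surface the grants a security reviewer cares most about, those to `allUsers` and `allAuthenticatedUsers`. The sample policy is constructed for the example.

```python
"""Evaluate a `user-role` style check against a project IAM policy.

Added illustration, not Cloud Custodian's implementation. The document shape
(``bindings`` -> ``role`` / ``members``) is what projects.getIamPolicy
returns; the helper names and the sample policy are this example's own.
"""
from typing import Dict, List

# Constructed sample of a projects.getIamPolicy response (not real data).
SAMPLE_POLICY: Dict = {
    "version": 1,
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["allUsers",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers"]},
    ],
}

# Principals that make a grant reachable by anyone on the internet
# (allAuthenticatedUsers only requires *some* Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def roles_for_member(policy: Dict, member: str) -> List[str]:
    """Every role the given member string is bound to, in binding order.
    Conditional bindings are reported too; treating them as granted is the
    conservative choice for a security check."""
    return [b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])]


def user_role_matches(policy: Dict, user: str, role: str,
                      has: bool = True) -> bool:
    """Mirror the filter's user/role/has triple: True when the project
    should be selected. has=True selects projects where the binding exists,
    has=False selects projects where it is absent."""
    present = role in roles_for_member(policy, user)
    return present if has else not present


def public_bindings(policy: Dict) -> List[Dict[str, str]]:
    """(member, role) pairs granted to allUsers / allAuthenticatedUsers."""
    found = []
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            if m in PUBLIC_PRINCIPALS:
                found.append({"member": m, "role": b["role"]})
    return found


if __name__ == "__main__":
    print(user_role_matches(SAMPLE_POLICY, "user:alice@example.com",
                            "roles/owner"))
    for grant in public_bindings(SAMPLE_POLICY):
        print("public grant:", grant)
```

A `has: false` check is the shape to use for "project is missing a required binding" policies; the public-principal scan is the one worth running on every project regardless of the user-role filter you configure.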
marked-for-op
Filter resources for label specified future action
Filters resources by a ‘custodian_status’ label which specifies a future date for an action.
The filter parses the label value looking for an ‘op@date’ string. The date is parsed and compared to today’s date; the filter succeeds if today’s date is greater than or equal to the target date.
The optional ‘skew’ parameter increments today’s date by a number of days into the future. An example use case is sending a final notice email a few days before terminating an instance, or snapshotting a volume prior to deletion.
The optional ‘skew_hours’ parameter increments the current time by a number of hours into the future.
Optionally, the ‘tz’ parameter can be used to specify the timezone in which to interpret the clock (default value is ‘utc’). Note that GCP label values may contain only lowercase letters, digits, underscores and dashes, so the stored value cannot literally contain ‘@’; the value this filter parses is the one written by the matching mark-for-op action.
- example:
    policies:
      - name: vm-stop-marked
        resource: gcp.instance
        filters:
          - type: marked-for-op
            # The default label used is custodian_status
            # but that is configurable
            label: custodian_status
            op: stop
            # Other optional parameters are skew, skew_hours and tz
            tz: utc
properties:
label:
type: string
op:
type: string
skew:
minimum: 0
type: number
skew_hours:
minimum: 0
type: number
type:
enum:
- marked-for-op
tz:
type: string
required:
- type
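The date comparison the filter text describes (parse `op` and date out of the label, add `skew` days and `skew_hours` hours to the clock, take the calendar day in `tz`, select when that day is at or past the target) is shown here as an added example; it is not Cloud Custodian's implementation. The separator and date format are parameters because the `op@date` form in the text cannot be stored verbatim in a GCP label, so set them to match what your mark-for-op action actually writes. The timezone alias table and the sample labels are constructed for the example.

```python
"""Evaluate a marked-for-op style label against a clock.

Added illustration, not Cloud Custodian's implementation. The label value is
assumed to be "<op><sep><date>" as the filter text describes ('op@date').
The separator and date format are parameters: GCP label values may contain
only lowercase letters, digits, underscores and dashes, so set them to match
whatever your mark-for-op action actually writes.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
from zoneinfo import ZoneInfo

# Alias table is an assumption for this example (Custodian keeps its own).
TZ_ALIASES = {"utc": "UTC", "est": "America/New_York",
              "pst": "America/Los_Angeles"}

# Constructed sample labels, as a gcp.instance resource would carry them.
SAMPLE_LABELS: Dict[str, str] = {"custodian_status": "stop@2024-06-10",
                                 "env": "test"}


def at(iso: str) -> datetime:
    """Aware UTC datetime from 'YYYY-MM-DDTHH:MM' (helper for examples)."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


def parse_mark(value: str, sep: str = "@",
               date_format: str = "%Y-%m-%d") -> Optional[Tuple[str, datetime]]:
    """Split a label value into (op, target date); None if it is not a mark."""
    op, found, date_str = value.rpartition(sep)
    if not found or not op:
        return None
    try:
        return op, datetime.strptime(date_str, date_format)
    except ValueError:  # malformed or unexpected date layout: not a mark
        return None


def marked_for_op(labels: Dict[str, str], op: str, now: datetime,
                  label: str = "custodian_status", skew: int = 0,
                  skew_hours: int = 0, tz: str = "utc",
                  sep: str = "@", date_format: str = "%Y-%m-%d") -> bool:
    """True when `labels` carry a mark for `op` whose date has been reached
    once `skew` days and `skew_hours` hours are added to `now`, with the
    calendar day taken in timezone `tz`. `now` must be timezone-aware."""
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime so tz conversion is meaningful")
    parsed = parse_mark(labels.get(label, ""), sep, date_format)
    if parsed is None:
        return False
    marked_op, target = parsed
    if marked_op != op:  # a mark for a different action never matches
        return False
    zone_name = TZ_ALIASES.get(tz.lower(), tz)
    zone = timezone.utc if zone_name == "UTC" else ZoneInfo(zone_name)
    effective = now.astimezone(zone) + timedelta(days=skew, hours=skew_hours)
    return effective.date() >= target.date()


if __name__ == "__main__":
    # Two days early with a 2-day skew selects the instance for a final notice.
    print(marked_for_op(SAMPLE_LABELS, "stop", at("2024-06-08T12:00"), skew=2))
```

The `skew` path is the one to exercise in tests: a notify policy with `skew: 2` and a stop policy with no skew must agree on the same label, otherwise the notice goes out after the stop.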
metrics
Supports metrics filters on resources.
All resources that have Cloud Monitoring metrics are supported.
Docs on Cloud Monitoring metrics:
Google Supported Metrics https://cloud.google.com/monitoring/api/metrics_gcp
Custom Metrics https://cloud.google.com/monitoring/api/v3/metric-model#intro-custom-metrics
    - name: firewall-hit-count
      resource: gcp.firewall
      filters:
        - type: metrics
          name: firewallinsights.googleapis.com/subnet/firewall_hit_count
          aligner: ALIGN_COUNT
          days: 14
          value: 1
          op: greater-than
properties:
aligner:
enum:
- ALIGN_NONE
- ALIGN_DELTA
- ALIGN_RATE
- ALIGN_INTERPOLATE
- ALIGN_MIN
- ALIGN_MAX
- ALIGN_MEAN
- ALIGN_COUNT
- ALIGN_SUM
- REDUCE_COUNT_FALSE
- ALIGN_STDDEV
- ALIGN_COUNT_TRUE
- ALIGN_COUNT_FALSE
- ALIGN_FRACTION_TRUE
- ALIGN_PERCENTILE_99
- ALIGN_PERCENTILE_95
- ALIGN_PERCENTILE_50
- ALIGN_PERCENTILE_05
- ALIGN_PERCENT_CHANG
type: string
days:
type: number
filter:
type: string
group-by-fields:
items:
type: string
type: array
metric-key:
type: string
missing-value:
type: number
name:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type: string
reducer:
enum:
- REDUCE_NONE
- REDUCE_MEAN
- REDUCE_MIN
- REDUCE_MAX
- REDUCE_MEAN
- REDUCE_SUM
- REDUCE_STDDEV
- REDUCE_COUNT
- REDUCE_COUNT_TRUE
- REDUCE_COUNT_FALSE
- REDUCE_FRACTION_TRUE
- REDUCE_PERCENTILE_99
- REDUCE_PERCENTILE_95
- REDUCE_PERCENTILE_50
- REDUCE_PERCENTILE_05
type: string
type:
enum:
- metrics
value:
type: number
required:
- value
- name
- op
Permissions - monitoring.timeSeries.list
missing
Assert the absence of a particular resource.
Intended for use at a logical account/subscription/project level.
This works effectively as an embedded policy that is evaluated. The example below is the generic one from the core filter and uses AWS resource names; for a gcp.project policy the embedded policy names a gcp.* resource.
- example:
    Notify if an s3 bucket is missing
    policies:
      - name: missing-s3-bucket
        resource: account
        filters:
          - type: missing
            policy:
              resource: s3
              filters:
                - Name: my-bucket
        actions:
          - notify
properties:
policy:
properties:
resource:
type: string
required:
- resource
type: object
type:
enum:
- missing
required:
- policy
- type
Actions
delete
Delete a GCP Project
Note this will also schedule deletion of assets contained within the project. The project will not be accessible, and assets contained within the project may continue to accrue costs within a 30 day period. For details see https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects
properties:
type:
enum:
- delete
required:
- type
Permissions - resourcemanager.projects.delete
mark-for-op
Label resources for future action.
The optional ‘tz’ parameter can be used to adjust the clock to align with a given timezone. The default value is ‘utc’.
If neither ‘days’ nor ‘hours’ is specified, Cloud Custodian will default to marking the resource for action 4 days in the future.
- example:
    policies:
      - name: vm-mark-for-stop
        resource: gcp.instance
        filters:
          - type: value
            key: name
            value: instance-to-stop-in-two-days
        actions:
          - type: mark-for-op
            op: stop
            days: 2
properties:
days:
exclusiveMinimum: false
minimum: 0
type: number
hours:
exclusiveMinimum: false
minimum: 0
type: number
label:
type: string
msg:
type: string
op:
type: string
type:
enum:
- mark-for-op
tz:
type: string
required:
- type
Permissions - resourcemanager.projects.update
propagate-labels
Propagate labels from the organization hierarchy to a project.
folder-labels should resolve to a JSON data mapping of folder path to labels that should be applied to contained projects.
As a worked example, assume the following resource hierarchy:
    /dev
      /network
        /project-a
      /ml
        /project-b
Given a folder-labels JSON with contents like
    {"dev": {"env": "dev", "owner": "dev"},
     "dev/network": {"owner": "network"},
     "dev/ml": {"owner": "ml"}}
running the following policy
    policies:
      - name: tag-projects
        resource: gcp.project
        # use a server side filter to only look at projects
        # under the /dev folder; the id for the dev folder needs
        # to be manually resolved outside of the policy.
        query:
          - filter: "parent.id:389734459211 parent.type:folder"
        filters:
          - "tag:owner": absent
        actions:
          - type: propagate-labels
            folder-labels:
              url: file://folder-labels.json
will result in project-a being labeled with owner: network and env: dev, and project-b being labeled with owner: ml and env: dev.
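The resolution the worked example implies (a project under `dev/network` gets `env` from `dev` and `owner` from the deeper folder) is shown below as an added example; it is not Cloud Custodian's code. It assumes the folder path has already been resolved from the resource hierarchy (the `resourcemanager.folders.get` permission listed below is what that lookup needs) and that a child folder's labels are layered over its ancestors'; that merge order is this example's reading of the worked example, not a documented contract. The JSON is the worked example's, embedded inline.

```python
"""Resolve labels for a project from a folder-path -> labels mapping.

Added illustration, not Cloud Custodian's implementation. Assumes the
folder-labels.json shape from the worked example and that labels from
deeper folders are layered over those of their ancestors.
"""
import json
from typing import Dict

# The worked example's folder-labels.json, embedded for a self-contained run.
FOLDER_LABELS_JSON = """
{"dev": {"env": "dev", "owner": "dev"},
 "dev/network": {"owner": "network"},
 "dev/ml": {"owner": "ml"}}
"""


def load_folder_labels(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the mapping; keys are normalised so '/dev/' and 'dev' agree."""
    data = json.loads(text)
    return {k.strip("/"): dict(v) for k, v in data.items()}


FOLDER_LABELS = load_folder_labels(FOLDER_LABELS_JSON)


def resolve_labels(folder_labels: Dict[str, Dict[str, str]],
                   folder_path: str) -> Dict[str, str]:
    """Walk from the top-level folder down to `folder_path`, layering each
    folder's labels over its ancestors' so the deepest folder wins."""
    parts = folder_path.strip("/").split("/")
    resolved: Dict[str, str] = {}
    for depth in range(1, len(parts) + 1):
        resolved.update(folder_labels.get("/".join(parts[:depth]), {}))
    return resolved


def propagate(project: dict, folder_labels: Dict[str, Dict[str, str]],
              folder_path: str, overwrite: bool = False) -> dict:
    """Return a copy of `project` with propagated labels merged into its
    `labels`. Existing project labels win unless overwrite=True; which
    behaviour the real action has is not stated on the page."""
    merged = dict(project)
    labels = dict(project.get("labels", {}))
    for key, value in resolve_labels(folder_labels, folder_path).items():
        if overwrite or key not in labels:
            labels[key] = value
    merged["labels"] = labels
    return merged


if __name__ == "__main__":
    # Constructed projects at the two leaf folders of the worked example.
    for pid, path in (("project-a", "dev/network"), ("project-b", "dev/ml")):
        print(pid, propagate({"projectId": pid}, FOLDER_LABELS, path)["labels"])
```

Pair this with the `"tag:owner": absent` filter from the policy above when you only want to fill gaps, and with an explicit overwrite when the folder is the source of truth for ownership.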
properties:
folder-labels:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
type:
enum:
- propagate-labels
required:
- folder-labels
Permissions - resourcemanager.folders.get, resourcemanager.projects.update
set-labels
Set labels on GCP resources
- example:
    These policies label all existing instances with fixed values, set a label from a resource attribute, and remove a label.
    policies:
      - name: gcp-add-multiple-labels
        resource: gcp.instance
        description: |
          Label all existing instances with multiple labels
        actions:
          - type: set-labels
            labels:
              environment: test
              env_type: customer
      - name: gcp-add-label-from-resource-attr
        resource: gcp.instance
        description: |
          Label all existing instances with a label taken from a resource attribute
        actions:
          - type: set-labels
            labels:
              environment:
                type: resource
                key: name
                default-value: name_not_found
      - name: gcp-remove-label
        resource: gcp.instance
        description: |
          Remove a label from all instances
        actions:
          - type: set-labels
            remove: [env]
properties:
labels:
additionalProperties:
oneOf:
- oneOf:
- additionalProperties: false
properties:
default-value:
type: string
key:
type: string
type:
enum:
- resource
type: string
required:
- type
- key
type: object
- type: string
type: object
remove:
items:
type: string
type: array
type:
enum:
- set-labels
required:
- type
Permissions - resourcemanager.projects.update