c7n_gcp package

Submodules

c7n_gcp.client module

Base GCP client which uses the discovery API.

exception c7n_gcp.client.PaginationNotSupported[source]

Bases: Exception

Pagination not supported on this api.

class c7n_gcp.client.ServiceClient(gcp_service, credentials, component=None, num_retries=5, key_field='project', entity_field=None, list_key_field=None, get_key_field=None, max_results_field='maxResults', search_query_field='query', rate_limiter=None, use_cached_http=True, http=None)[source]

Bases: object

Base class for GCP APIs.

execute_command(verb, verb_arguments)[source]

Executes command (ex. add) via a dedicated http object.

Async APIs may take minutes to complete. Therefore, callers are encouraged to leverage concurrent.futures (or similar) to place long-running commands on separate threads.

Args:

verb (str): Method to execute on the component (ex. get, list).

verb_arguments (dict): key-value pairs to be passed to _build_request.

Returns:

dict: An async operation Service Response.

execute_paged_query(verb, verb_arguments)[source]

Executes query (ex. list) via a dedicated http object.

Args:

verb (str): Method to execute on the component (ex. get, list).

verb_arguments (dict): key-value pairs to be passed to _BuildRequest.

Yields:

dict: Service Response.

Raises:

PaginationNotSupported: When an API does not support paging.

execute_query(verb, verb_arguments)[source]

Executes query (ex. get) via a dedicated http object.

Args:

verb (str): Method to execute on the component (ex. get, list).

verb_arguments (dict): key-value pairs to be passed to _BuildRequest.

Returns:

dict: Service Response.

execute_search_query(verb, verb_arguments)[source]

Executes query (ex. search) via a dedicated http object.

Args:

verb (str): Method to execute on the component (ex. search).

verb_arguments (dict): key-value pairs to be passed to _BuildRequest.

Yields:

dict: Service Response.

get_http()[source]

Return an http instance sans credentials

http

A thread local instance of httplib2.Http.

Returns:

httplib2.Http: An Http instance authorized by the credentials.

supports_pagination(verb)[source]

Determines if the API action supports pagination.

Args:

verb (str): Request verb (ex. insert, update, delete).

Returns:

bool: True when API supports pagination, False otherwise.

class c7n_gcp.client.Session(credentials=None, quota_max_calls=None, quota_period=None, use_rate_limiter=False, http=None, project_id=None, **kwargs)[source]

Bases: object

Base class for API repository for a specified Cloud API.

client(service_name, version, component, **kw)[source]

Safely initialize a repository class to a property.

Args:

repository_class (class): The class to initialize.

version (str): The gcp service version for the repository.

Returns:

object: An instance of repository_class.

get_default_project()[source]
get_default_region()[source]
get_default_zone()[source]
c7n_gcp.client.is_retryable_exception(e)[source]

Whether exception should be retried.

Args:

e (Exception): Exception object.

Returns:

bool: True for exceptions to retry. False otherwise.

c7n_gcp.entry module

c7n_gcp.entry.initialize_gcp()[source]

c7n_gcp.handler module

c7n_gcp.handler.get_tmp_output_dir()[source]
c7n_gcp.handler.run(event, context=None)[source]

c7n_gcp.mu module

class c7n_gcp.mu.ApiSubscriber(session, data)[source]

Bases: c7n_gcp.mu.EventSource

Subscribe to individual api calls via audit log -> filtered sink -> pub/sub topic -> cloud function.

add(func)[source]

Default no-op

get_config(func)[source]
get_subscription(func)[source]
remove(func)[source]

Default no-op

class c7n_gcp.mu.BucketEvent(session, data=None)[source]

Bases: c7n_gcp.mu.EventSource

collection_id = 'cloudfunctions.projects.buckets'
events = ['google.storage.object.finalize', 'google.storage.object.archive', 'google.storage.object.delete', 'google.storage.object.metadataUpdate', 'providers/cloud.storage/eventTypes/object.change']
get_config(func)[source]
trigger = 'google.storage.object.finalize'
class c7n_gcp.mu.CloudFunction(func_data, archive=None)[source]

Bases: object

environment
events
get_archive()[source]
get_config()[source]
labels
max_instances
memory_size
name
network
runtime
service_account
timeout
class c7n_gcp.mu.CloudFunctionManager(session_factory, region='us-central1')[source]

Bases: object

get(func_name, qualifier=None)[source]

Get the details on a given function.

list_functions(prefix=None)[source]

List extant cloud functions.

logs(func, start, end)[source]

Get the logs for a given function.

metrics(funcs, start, end, period=300)[source]

Get the metrics for a set of functions.

publish(func)[source]

Publish the given function.

remove(func)[source]
class c7n_gcp.mu.EventSource(session, data=None)[source]

Bases: object

add(func)[source]

Default no-op

get_config(func)[source]
prefix
remove(func)[source]

Default no-op

class c7n_gcp.mu.HTTPEvent(session, data=None)[source]

Bases: c7n_gcp.mu.EventSource

Internet exposed http endpoint for cloud function

get_config(func)[source]
class c7n_gcp.mu.LogInfo(name, scope_type, scope_id, id)

Bases: tuple

id

Alias for field number 3

name

Alias for field number 0

scope_id

Alias for field number 2

scope_type

Alias for field number 1

class c7n_gcp.mu.LogSubscriber(session, data)[source]

Bases: c7n_gcp.mu.EventSource

Composite as a log sink

    subscriber = LogSubscriber(dict(
        log='projects/custodian-1291/logs/cloudaudit.googleapis.com%2Factivity'))

    function = CloudFunction(dict(name='log-sub', events=[subscriber]))

add(func)[source]

Create any configured log sink if it doesn't exist.

ensure_sink()[source]

Ensure the log sink and its pub sub topic exist.

get_config(func)[source]
get_log()[source]
get_log_filter()[source]
get_parent(log_info)[source]

Get the parent container for the log sink

get_sink(topic_info='')[source]
remove(func)[source]

Remove any provisioned log sink if auto created

class c7n_gcp.mu.PeriodicEvent(session, data)[source]

Bases: c7n_gcp.mu.EventSource

Periodic serverless execution.

Supports both http and pub/sub triggers.

Note: periodic execution requires App Engine to be set up and is restricted to App Engine locations. See https://cloud.google.com/scheduler/docs/setup

The schedule can be specified in either cron syntax or as an App Engine schedule expression. See https://cloud.google.com/scheduler/docs/configuring/cron-job-schedules

Examples of schedule expressions: https://cloud.google.com/appengine/docs/standard/python/config/cronref

add(func)[source]

Default no-op

diff_job(client, target_job)[source]
get_config(func)[source]
get_job_config(func, target)[source]
get_target(func)[source]
remove(func)[source]

Default no-op

target_type
class c7n_gcp.mu.PolicyFunction(policy, archive=None, events=())[source]

Bases: c7n_gcp.mu.CloudFunction

events
get_archive()[source]
get_config()[source]
name
class c7n_gcp.mu.PubSubSource(session, data=None)[source]

Bases: c7n_gcp.mu.EventSource

add()[source]

Default no-op

collection_id = 'pubsub.projects.topics'
ensure_iam(publisher=None)[source]

Ensure the given identities are in the iam role bindings for the topic.

ensure_topic()[source]

Verify the pub/sub topic exists.

Returns the topic qualified name.

get_config(func)[source]
get_topic_param(topic=None, project=None)[source]
remove()[source]

Default no-op

trigger = 'providers/cloud.pubsub/eventTypes/topic.publish'
c7n_gcp.mu.custodian_archive(packages=None)[source]
c7n_gcp.mu.delta_resource(old_config, new_config, ignore=())[source]

c7n_gcp.output module

TODO: provider policy execution initialization for outputs

class c7n_gcp.output.GCPStorageOutput(ctx, config=None)[source]

Bases: c7n.output.DirectoryOutput

type = 'gs'
upload()[source]
class c7n_gcp.output.StackDriverLogging(ctx, config=None)[source]

Bases: c7n.output.LogOutput

get_handler()[source]
leave_log()[source]
class c7n_gcp.output.StackDriverMetrics(ctx, config=None)[source]

Bases: c7n.output.Metrics

DESCRIPTOR_COMMON = {'labels': [{'key': 'policy', 'valueType': 'STRING', 'description': 'Custodian Policy'}], 'metricsKind': 'GAUGE'}
METRICS_DESCRIPTORS = {'actiontime': {'description': 'Time to perform actions for a given policy', 'displayName': 'Action Time', 'type': '%s/%s', 'units': 's', 'valueType': 'DOUBLE'}, 'resourcecount': {'description': 'Number of resources that matched the given policy', 'displayName': 'Resources', 'type': '%s/%', 'units': 'items', 'valueType': 'INT64'}, 'resourcetime': {'description': 'Time to query the resources for a given policy', 'displayName': 'Query Time', 'type': '%s/%s', 'units': 's', 'valueType': 'DOUBLE'}}
METRICS_PREFIX = 'custom.googleapis.com/custodian/policy'
initialize()[source]

One time initialization of metrics descriptors.

# tbd - unclear if this is adding significant value.

log = <Logger c7n_gcp.metrics (INFO)>
type = 'gcp'
c7n_gcp.output.parse_gs(gs_path)[source]

c7n_gcp.policy module

class c7n_gcp.policy.ApiAuditMode(policy)[source]

Bases: c7n_gcp.policy.FunctionMode

Custodian policy execution on gcp api audit logs

resolve_resources(event)[source]

Resolve a gcp resource from its audit trail metadata.

run(event, context)[source]

Execute a gcp serverless model

schema = {'additionalProperties': False, 'properties': {'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'labels': {'type': 'object'}, 'max-instances': {'type': 'integer'}, 'memory-size': {'type': 'integer'}, 'methods': {'items': {'type': 'string'}, 'type': 'array'}, 'network': {'type': 'string'}, 'region': {'type': 'string'}, 'service-account': {'type': 'string'}, 'timeout': {'type': 'string'}, 'type': {'enum': ['gcp-audit']}}, 'required': ['methods', 'type'], 'type': 'object'}
type = 'gcp-audit'
validate()[source]

Validate configuration settings for execution mode.

class c7n_gcp.policy.FunctionMode(policy)[source]

Bases: c7n.policy.ServerlessExecutionMode

deprovision()[source]
provision()[source]

Provision any resources needed for the policy.

run()[source]

Run the actual policy.

schema = {'additionalProperties': False, 'properties': {'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'labels': {'type': 'object'}, 'max-instances': {'type': 'integer'}, 'memory-size': {'type': 'integer'}, 'network': {'type': 'string'}, 'region': {'type': 'string'}, 'service-account': {'type': 'string'}, 'timeout': {'type': 'string'}, 'type': {'enum': ['gcp']}}, 'required': ['type'], 'type': 'object'}
validate()[source]

Validate configuration settings for execution mode.

class c7n_gcp.policy.PeriodicMode(policy)[source]

Bases: c7n_gcp.policy.FunctionMode, c7n.policy.PullMode

run(event, context)[source]

Run the actual policy.

schema = {'additionalProperties': False, 'properties': {'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'labels': {'type': 'object'}, 'max-instances': {'type': 'integer'}, 'memory-size': {'type': 'integer'}, 'network': {'type': 'string'}, 'region': {'type': 'string'}, 'schedule': {'type': 'string'}, 'service-account': {'type': 'string'}, 'timeout': {'type': 'string'}, 'trigger-type': {'enum': ['http', 'pubsub']}, 'type': {'enum': ['gcp-periodic']}, 'tz': {'type': 'string'}}, 'required': ['schedule', 'type'], 'type': 'object'}
type = 'gcp-periodic'
validate()[source]

Validate configuration settings for execution mode.
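
The PeriodicMode schema above sets additionalProperties to False and requires schedule and type, so a misspelled key such as service_account is rejected rather than ignored. The following is an added example, not Cloud Custodian's own validator: a small checker that covers only the schema keywords used on this page. check_mode, GOOD_MODE and BAD_MODE are hypothetical names, and the sample values are constructed.

```python
# Added example, not Cloud Custodian's validator: checks a policy `mode`
# mapping using only the keywords the schemas on this page use.
PERIODIC_SCHEMA = {  # copied from c7n_gcp.policy.PeriodicMode.schema above
    'additionalProperties': False,
    'properties': {
        'environment': {'type': 'object'},
        'execution-options': {'type': 'object'},
        'labels': {'type': 'object'},
        'max-instances': {'type': 'integer'},
        'memory-size': {'type': 'integer'},
        'network': {'type': 'string'}, 'region': {'type': 'string'},
        'schedule': {'type': 'string'},
        'service-account': {'type': 'string'},
        'timeout': {'type': 'string'},
        'trigger-type': {'enum': ['http', 'pubsub']},
        'type': {'enum': ['gcp-periodic']}, 'tz': {'type': 'string'}},
    'required': ['schedule', 'type'], 'type': 'object'}
JSON_TYPES = {'object': dict, 'string': str, 'integer': int}


def check_mode(mode, schema=PERIODIC_SCHEMA):
    """Return a sorted list of problems found in a policy mode mapping."""
    if not isinstance(mode, dict):
        return ['mode must be a mapping']
    errors = ['missing required key: %s' % k
              for k in schema['required'] if k not in mode]
    for key, value in mode.items():
        spec = schema['properties'].get(key)
        if spec is None:  # the schema sets additionalProperties: False
            errors.append('unknown key: %s' % key)
        elif 'enum' in spec:
            if value not in spec['enum']:
                errors.append('%s must be one of %s' % (key, spec['enum']))
        else:
            expected = JSON_TYPES[spec['type']]
            # bool subclasses int in Python but is not a JSON integer
            if isinstance(value, bool) or not isinstance(value, expected):
                errors.append('%s must be %s' % (key, spec['type']))
    return sorted(errors)


# Constructed sample modes (the schedule and account name are made up).
GOOD_MODE = {'type': 'gcp-periodic', 'schedule': 'every 2 hours',
             'service-account': 'custodian@example-project.iam.gserviceaccount.com'}
BAD_MODE = {'type': 'gcp-periodic', 'service_account': 'x',
            'trigger-type': 'https', 'timeout': 60}

if __name__ == '__main__':
    print(check_mode(BAD_MODE))
```
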

c7n_gcp.provider module

class c7n_gcp.provider.GoogleCloud[source]

Bases: c7n.provider.Provider

get_session_factory(options)[source]

Get a credential/session factory for api usage.

initialize(options)[source]

Perform any provider specific initialization

initialize_policies(policy_collection, options)[source]

Perform any initialization of policies.

Common usage is expanding policy collection for per region execution and filtering policies for applicable regions.

resource_prefix = 'gcp'
resources = <c7n.registry.PluginRegistry object>
type = 'gcp'

c7n_gcp.query module

class c7n_gcp.query.ChildResourceManager(data, options)[source]

Bases: c7n_gcp.query.QueryResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>
filter_registry = <c7n.filters.core.FilterRegistry object>
get_resource(resource_info)[source]
class c7n_gcp.query.ChildTypeInfo[source]

Bases: c7n_gcp.query.TypeInfo

classmethod get_parent_annotation_key()[source]
parent_spec = None
class c7n_gcp.query.DescribeSource(manager)[source]

Bases: object

augment(resources)[source]
get_permissions()[source]
get_resources(query)[source]
type = 'describe-gcp'
class c7n_gcp.query.QueryMeta[source]

Bases: type

Metaclass to have consistent action/filter registry for new resources.

class c7n_gcp.query.QueryResourceManager(data, options)[source]

Bases: c7n.manager.ResourceManager

action_registry = <c7n.actions.core.ActionRegistry object>
augment(resources)[source]
filter_registry = <c7n.filters.core.FilterRegistry object>
get_cache_key(query)[source]
get_client()[source]
get_model()[source]

Returns the resource meta-model.

get_permissions()[source]
get_resource(resource_info)[source]
get_resource_query()[source]
get_source(source_type)[source]
resources(query=None)[source]
source_type
class c7n_gcp.query.ResourceQuery(session_factory)[source]

Bases: object

filter(resource_manager, **params)[source]
class c7n_gcp.query.TypeInfo[source]

Bases: object

component = None
enum_spec = ('list', 'items[]', None)
get = None
get_requires_event = False
scope = 'project'
scope_key = None
scope_template = None
service = None
version = None
class c7n_gcp.query.TypeMeta[source]

Bases: type

c7n_gcp.query.extract_error(e)[source]

Module contents