c7n_gcp package

Submodules

c7n_gcp.actions module

class c7n_gcp.actions.Action(data=None, manager=None, log_dir=None)[source]

Bases: c7n.actions.Action

class c7n_gcp.actions.MethodAction(data=None, manager=None, log_dir=None)[source]

Bases: c7n_gcp.actions.Action

Invoke an api call on each resource.

Quite a number of procedural actions are simply invoking an api call on a filtered set of resources. The exact handling is mostly boilerplate at that point following an 80/20 rule. This class is an encapsulation of the 80%.

attr_filter = ()
chunk_size = 20
filter_resources(resources)[source]
get_resource_params(m, r)[source]
method_spec = ()
process(resources)[source]
process_resource_set(client, model, resources)[source]
validate()[source]

c7n_gcp.client module

Base GCP client which uses the discovery API.

exception c7n_gcp.client.PaginationNotSupported[source]

Bases: exceptions.Exception

Pagination not supported on this api.

class c7n_gcp.client.ServiceClient(gcp_service, credentials, component=None, num_retries=5, key_field=u'project', entity_field=None, list_key_field=None, get_key_field=None, max_results_field=u'maxResults', search_query_field=u'query', rate_limiter=None, use_cached_http=True, http=None)[source]

Bases: object

Base class for GCP APIs.

execute_command(verb, verb_arguments)[source]

Executes command (ex. add) via a dedicated http object.

Async APIs may take minutes to complete. Therefore, callers are encouraged to leverage concurrent.futures (or similar) to place long-running commands on separate threads.

Args:
verb (str): Method to execute on the component (ex. get, list).
verb_arguments (dict): key-value pairs to be passed to _build_request.
Returns:
dict: An async operation Service Response.
execute_paged_query(verb, verb_arguments)[source]

Executes query (ex. list) via a dedicated http object.

Args:
verb (str): Method to execute on the component (ex. get, list).
verb_arguments (dict): key-value pairs to be passed to _BuildRequest.
Yields:
dict: Service Response.
Raises:
PaginationNotSupported: When an API does not support paging.
execute_query(verb, verb_arguments)[source]

Executes query (ex. get) via a dedicated http object.

Args:
verb (str): Method to execute on the component (ex. get, list).
verb_arguments (dict): key-value pairs to be passed to _BuildRequest.
Returns:
dict: Service Response.
execute_search_query(verb, verb_arguments)[source]

Executes query (ex. search) via a dedicated http object.

Args:
verb (str): Method to execute on the component (ex. search).
verb_arguments (dict): key-value pairs to be passed to _BuildRequest.
Yields:
dict: Service Response.
get_http()[source]

Return an http instance without credentials attached.

http

A thread local instance of httplib2.Http.

Returns:
httplib2.Http: An Http instance authorized by the credentials.
supports_pagination(verb)[source]

Determines if the API action supports pagination.

Args:
verb (str): Request verb (ex. insert, update, delete).
Returns:
bool: True when API supports pagination, False otherwise.
class c7n_gcp.client.Session(credentials=None, quota_max_calls=None, quota_period=None, use_rate_limiter=False, http=None, project_id=None, **kwargs)[source]

Bases: object

Base class for API repository for a specified Cloud API.

client(service_name, version, component, **kw)[source]

Safely initialize a repository class to a property.

Args:
repository_class (class): The class to initialize.
version (str): The gcp service version for the repository.
Returns:
object: An instance of repository_class.
get_default_project()[source]
get_default_region()[source]
get_default_zone()[source]
c7n_gcp.client.is_retryable_exception(e)[source]

Whether exception should be retried.

Args:
e (Exception): Exception object.
Returns:
bool: True for exceptions to retry. False otherwise.

c7n_gcp.entry module

c7n_gcp.entry.initialize_gcp()[source]

c7n_gcp.handler module

c7n_gcp.handler.get_tmp_output_dir()[source]
c7n_gcp.handler.run(event, context=None)[source]

c7n_gcp.mu module

class c7n_gcp.mu.ApiSubscriber(session, data)[source]

Bases: c7n_gcp.mu.EventSource

Subscribe to individual api calls via audit log -> filtered sink -> pub/sub topic -> cloud function.

add(func)[source]

Default no-op

get_config(func)[source]
get_subscription(func)[source]
remove(func)[source]

Default no-op

class c7n_gcp.mu.BucketEvent(session, data=None)[source]

Bases: c7n_gcp.mu.EventSource

collection_id = 'cloudfunctions.projects.buckets'
events = ['google.storage.object.finalize', 'google.storage.object.archive', 'google.storage.object.delete', 'google.storage.object.metadataUpdate', 'providers/cloud.storage/eventTypes/object.change']
get_config(func)[source]
trigger = 'google.storage.object.finalize'
class c7n_gcp.mu.CloudFunction(func_data, archive=None)[source]

Bases: object

environment
events
get_archive()[source]
get_config()[source]
labels
max_instances
memory_size
name
network
runtime
timeout
class c7n_gcp.mu.CloudFunctionManager(session_factory, region='us-central1')[source]

Bases: object

get(func_name, qualifier=None)[source]

Get the details on a given function.

list_functions(prefix=None)[source]

List extant cloud functions.

logs(func, start, end)[source]

Get the logs for a given function.

metrics(funcs, start, end, period=300)[source]

Get the metrics for a set of functions.

publish(func)[source]

Publish the given function.

remove(func)[source]
class c7n_gcp.mu.EventSource(session, data=None)[source]

Bases: object

add(func)[source]

Default no-op

get_config(func)[source]
remove(func)[source]

Default no-op

class c7n_gcp.mu.HTTPEvent(session, data=None)[source]

Bases: c7n_gcp.mu.EventSource

Internet-exposed HTTP endpoint for a cloud function.

get_config(func)[source]
class c7n_gcp.mu.LogInfo(name, scope_type, scope_id, id)

Bases: tuple

id

Alias for field number 3

name

Alias for field number 0

scope_id

Alias for field number 2

scope_type

Alias for field number 1

class c7n_gcp.mu.LogSubscriber(session, data)[source]

Bases: c7n_gcp.mu.EventSource

Composite as a log sink

subscriber = LogSubscriber(dict(
    log='projects/custodian-1291/logs/cloudaudit.googleapis.com%2Factivity'))

function = CloudFunction(dict(name='log-sub', events=[subscriber]))

add(func)[source]

Create any configured log sink if it doesn't exist.

ensure_sink()[source]

Ensure the log sink and its pub sub topic exist.

get_config(func)[source]
get_log()[source]
get_log_filter()[source]
get_parent(log_info)[source]

Get the parent container for the log sink

get_sink(topic_info='')[source]
remove(func)[source]

Remove any provisioned log sink if auto created

class c7n_gcp.mu.PolicyFunction(policy, archive=None, events=())[source]

Bases: c7n_gcp.mu.CloudFunction

events
get_archive()[source]
get_config()[source]
name
class c7n_gcp.mu.PubSubSource(session, data=None)[source]

Bases: c7n_gcp.mu.EventSource

add()[source]

Default no-op

collection_id = 'pubsub.projects.topics'
ensure_iam(publisher=None)[source]

Ensure the given identities are in the iam role bindings for the topic.

ensure_topic()[source]

Verify the pub/sub topic exists.

Returns the topic qualified name.

get_config(func)[source]
get_topic_param(topic=None, project=None)[source]
remove()[source]

Default no-op

trigger = 'providers/cloud.pubsub/eventTypes/topic.publish'
c7n_gcp.mu.custodian_archive(packages=None)[source]
c7n_gcp.mu.delta_resource(old_config, new_config, ignore=())[source]

c7n_gcp.output module

TODO: provider policy execution initialization for outputs

class c7n_gcp.output.GCPStorageOutput(ctx, config=None)[source]

Bases: c7n.output.DirectoryOutput

type = 'gs'
upload()[source]
class c7n_gcp.output.StackDriverLogging(ctx, config=None)[source]

Bases: c7n.output.LogOutput

get_handler()[source]
leave_log()[source]
class c7n_gcp.output.StackDriverMetrics(ctx, config=None)[source]

Bases: c7n.output.Metrics

DESCRIPTOR_COMMON = {'labels': [{'key': 'policy', 'valueType': 'STRING', 'description': 'Custodian Policy'}], 'metricsKind': 'GAUGE'}
METRICS_DESCRIPTORS = {'actiontime': {'displayName': 'Action Time', 'valueType': 'DOUBLE', 'units': 's', 'description': 'Time to perform actions for a given policy', 'type': '%s/%s'}, 'resourcecount': {'displayName': 'Resources', 'valueType': 'INT64', 'units': 'items', 'description': 'Number of resources that matched the given policy', 'type': '%s/%'}, 'resourcetime': {'displayName': 'Query Time', 'valueType': 'DOUBLE', 'units': 's', 'description': 'Time to query the resources for a given policy', 'type': '%s/%s'}}
METRICS_PREFIX = 'custom.googleapis.com/custodian/policy'
initialize()[source]

One time initialization of metrics descriptors.

# tbd - unclear if this is adding significant value.

log = <logging.Logger object>
type = 'gcp'
c7n_gcp.output.parse_gs(gs_path)[source]

c7n_gcp.policy module

class c7n_gcp.policy.ApiAuditMode(policy)[source]

Bases: c7n_gcp.policy.FunctionMode

Custodian policy execution on gcp api audit logs

deprovision()[source]
provision()[source]
resolve_resources(event)[source]

Resolve a gcp resource from its audit trail metadata.

run(event, context)[source]

Execute a gcp serverless model

schema = {u'additionalProperties': False, u'properties': {'environment': {'type': 'object'}, 'network': {'type': 'string'}, 'execution-options': {'type': 'object'}, 'max-instances': {'type': 'integer'}, 'labels': {'type': 'object'}, 'memory-size': {'type': 'integer'}, 'methods': {'items': {'type': 'string'}, 'type': 'array'}, 'timeout': {'type': 'string'}, u'type': {u'enum': ['gcp-audit']}}, u'required': ['methods', u'type'], u'type': u'object'}
type = 'gcp-audit'
validate()[source]
class c7n_gcp.policy.FunctionMode(policy)[source]

Bases: c7n.policy.ServerlessExecutionMode

run()[source]
schema = {u'additionalProperties': False, u'properties': {'environment': {'type': 'object'}, 'network': {'type': 'string'}, 'execution-options': {'type': 'object'}, 'max-instances': {'type': 'integer'}, 'labels': {'type': 'object'}, 'memory-size': {'type': 'integer'}, 'timeout': {'type': 'string'}, u'type': {u'enum': ['gcp-audit']}}, u'required': [u'type'], u'type': u'object'}
validate()[source]

c7n_gcp.provider module

class c7n_gcp.provider.GoogleCloud[source]

Bases: c7n.provider.Provider

get_session_factory(options)[source]

Get a credential/session factory for api usage.

initialize(options)[source]
initialize_policies(policy_collection, options)[source]
resource_prefix = 'gcp'
resources = <c7n.registry.PluginRegistry object>
type = 'gcp'

c7n_gcp.query module

class c7n_gcp.query.DescribeSource(manager)[source]

Bases: object

augment(resources)[source]
get_permissions()[source]
get_resources(query)[source]
type = 'describe-gcp'
class c7n_gcp.query.QueryMeta[source]

Bases: type

Metaclass to have a consistent action/filter registry for new resources.

class c7n_gcp.query.QueryResourceManager(data, options)[source]

Bases: c7n.manager.ResourceManager

action_registry = <c7n.actions.ActionRegistry object>
augment(resources)[source]
filter_registry = <c7n.filters.core.FilterRegistry object>
get_cache_key(query)[source]
get_client()[source]
get_model()[source]
get_permissions()[source]
get_resource(resource_info)[source]
get_resource_query()[source]
get_source(source_type)[source]
resources(query=None)[source]
source_type
class c7n_gcp.query.ResourceQuery(session_factory)[source]

Bases: object

filter(resource_manager, **params)[source]
class c7n_gcp.query.TypeInfo[source]

Bases: object

component = None
enum_spec = ('list', 'items[]', None)
get = None
scope = 'project'
scope_key = None
scope_template = None
service = None
version = None
class c7n_gcp.query.TypeMeta[source]

Bases: type

c7n_gcp.query.extract_error(e)[source]

Module contents