Example #1
    def split_by_resource(self, metric_list):
        """Index every metric in ``metric_list`` by its resource name.

        The name is whatever ``jmespath.search(self.metric_key, metric)``
        yields; the metric is stored under it in ``self.resource_metric_dict``.
        """
        for entry in metric_list:
            # A later metric with the same extracted name replaces the earlier
            # one. jmespath.search returns None when the expression matches
            # nothing, so such metrics all land under the None key.
            extracted_name = jmespath.search(self.metric_key, entry)
            self.resource_metric_dict[extracted_name] = entry

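    def process_resource(self, resource):
        """Annotate ``resource`` with its metric and compare the metric value.

        Looks up the metric collected for this resource, records it under
        ``resource['c7n.metrics'][self.c7n_metric_key]`` and returns the result
        of ``self.op(metric_value, self.value)``.

        Returns ``False`` without comparing when the resource has no metric and
        no missing value is configured.
        """
        resource_metric = resource.setdefault('c7n.metrics', {})
        resource_name = self.manager.resource_type.get_metric_resource_name(
            resource)
        metric = self.resource_metric_dict.get(resource_name)
        if not metric:
            # Test for None rather than truthiness: a configured missing value
            # of 0 is a real stand-in value, and treating it as "unset" lets
            # resources that report no metric at all slip past the filter.
            # NOTE(review): assumes an unset missing value is None; confirm
            # where self.missing_value is assigned.
            if self.missing_value is None:
                return False
            metric_value = self.missing_value
        else:
            # First point, first entry of its typed value mapping.
            metric_value = float(
                list(metric["points"][0]["value"].values())[0])

        # Stored even when no metric was found, in which case this is None.
        resource_metric[self.c7n_metric_key] = metric

        return self.op(metric_value, self.value)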

    @classmethod
    def register_resources(klass, registry, resource_class):
        """Register this filter class as ``'metrics'`` on ``resource_class``.

        ``registry`` is accepted but not used.
        """
        filters = resource_class.filter_registry
        filters.register('metrics', klass)


# Hand the filter's registration callback to the gcp_resources registry; the
# callback adds the 'metrics' filter to the resource class it receives.
gcp_resources.subscribe(GCPMetricsFilter.register_resources)
Example #2
        message = {
            'event': event,
            'account_id': project,
            'account': project,
            'region': 'all',
            'policy': self.manager.data
        }

        message['action'] = self.expand_variables(message)

        for batch in utils.chunks(resources, self.batch_size):
            message['resources'] = batch
            self.publish_message(message, client)

    # Methods to handle GCP Pub Sub topic publishing
    def publish_message(self, message, client):
        """Publish ``message`` to the Pub/Sub topic named in the transport config.

        The topic is read from ``self.data['transport']['topic']`` and the
        payload is whatever ``self.pack(message)`` returns. The result of the
        client's ``publish`` command is returned unchanged.
        """
        # NOTE(review): the caller above puts policy data and a resource batch
        # into the message, so anyone able to subscribe to the topic can read
        # them; keep access to the topic limited to the intended consumers.
        topic = self.data['transport']['topic']
        packed = self.pack(message)
        request = {'topic': topic, 'body': {'messages': {'data': packed}}}
        return client.execute_command('publish', request)


# Subscribe Notify.register_notify_action to the registry's EVENT_FINAL event
# (the callback itself is defined outside this excerpt).
gcp_resources.subscribe(
    gcp_resources.EVENT_FINAL, Notify.register_notify_action)
Example #3
        rid = r.get('organizationId')
        rtype = 'organizations'
    return "//cloudresourcemanager.googleapis.com/{}/{}".format(
        rtype, rid)


def name_container(r):
    """Build the ``//container.googleapis.com/...`` name from ``r['selfLink']``.

    Only the URL path is used: its first segment is dropped and the remaining
    segments are appended to the service prefix.
    """
    # The host part of selfLink is ignored here, so the link is trusted to
    # point at the container API; nothing in this function checks that.
    segments = urlparse(r['selfLink']).path.strip('/').split('/')
    relative_name = "/".join(segments[1:])
    return "//container.googleapis.com/{}".format(relative_name)


def name_storage(r):
    """Return ``r['name']`` prefixed with ``//storage.googleapis.com/``.

    Raises ``KeyError`` when the resource has no ``name`` key.
    """
    short_name = r['name']
    return "//storage.googleapis.com/{}".format(short_name)


def name_appengine(r):
    """Return ``r['name']`` prefixed with ``//appengine.googleapis.com/``.

    Raises ``KeyError`` when the resource has no ``name`` key.
    """
    short_name = r['name']
    return "//appengine.googleapis.com/{}".format(short_name)


# Maps a service key to the function that builds that service's
# '//<service>.googleapis.com/...' resource name. name_resourcemanager,
# name_compute and name_iam are not fully shown in this excerpt.
# NOTE(review): a service without an entry has no name builder here; how the
# lookup handles a missing key is not visible from this excerpt.
ResourceNameAdapters = {
    'appengine': name_appengine,
    'cloudresourcemanager': name_resourcemanager,
    'compute': name_compute,
    'container': name_container,
    'iam': name_iam,
    'storage': name_storage,
}

# Subscribe PostFinding.register_resource to the registry's EVENT_FINAL event
# (the callback itself is defined outside this excerpt).
gcp_resources.subscribe(
    gcp_resources.EVENT_FINAL, PostFinding.register_resource)
Example #4
    def _get_current_labels(self, resource):
        """Return the resource's ``labels`` value, or ``{}`` when the key is absent."""
        # A 'labels' key that is present but set to None is returned as None.
        current = resource.get('labels', {})
        return current

    @classmethod
    def register_resources(cls, registry, resource_class):
        """Attach the label actions and filter to label-capable resources.

        Does nothing unless ``resource_class.resource_type.labels`` is truthy.
        ``registry`` is accepted but not used.
        """
        if not resource_class.resource_type.labels:
            return

        actions = resource_class.action_registry
        actions.register('set-labels', SetLabelsAction)
        actions.register('mark-for-op', LabelDelayedAction)

        filters = resource_class.filter_registry
        filters.register('marked-for-op', LabelActionFilter)


# Hand the label registration callback to the gcp_resources registry; the
# callback only registers anything for resource types that declare labels.
gcp_resources.subscribe(BaseLabelAction.register_resources)


class SetLabelsAction(BaseLabelAction):
    """Set labels to GCP resources

    :example:

    This policy will label all existing resource groups with a value such as environment

    .. code-block:: yaml

      policies:
        - name: gcp-add-multiple-labels
          resource: gcp.instance
          description: |
Example #5
        rtype = 'projects'
    else:
        rid = r.get('organizationId')
        rtype = 'organizations'
    return "//cloudresourcemanager.googleapis.com/{}/{}".format(rtype, rid)


def name_container(r):
    """Build the ``//container.googleapis.com/...`` name from ``r['selfLink']``.

    Only the URL path is used: its first segment is dropped and the remaining
    segments are appended to the service prefix.
    """
    # The host part of selfLink is ignored here, so the link is trusted to
    # point at the container API; nothing in this function checks that.
    segments = urlparse(r['selfLink']).path.strip('/').split('/')
    relative_name = "/".join(segments[1:])
    return "//container.googleapis.com/{}".format(relative_name)


def name_storage(r):
    """Return ``r['name']`` prefixed with ``//storage.googleapis.com/``.

    Raises ``KeyError`` when the resource has no ``name`` key.
    """
    short_name = r['name']
    return "//storage.googleapis.com/{}".format(short_name)


def name_appengine(r):
    """Return ``r['name']`` prefixed with ``//appengine.googleapis.com/``.

    Raises ``KeyError`` when the resource has no ``name`` key.
    """
    short_name = r['name']
    return "//appengine.googleapis.com/{}".format(short_name)


# Maps a service key to the function that builds that service's
# '//<service>.googleapis.com/...' resource name. name_resourcemanager,
# name_compute and name_iam are not fully shown in this excerpt.
# NOTE(review): a service without an entry has no name builder here; how the
# lookup handles a missing key is not visible from this excerpt.
ResourceNameAdapters = {
    'appengine': name_appengine,
    'cloudresourcemanager': name_resourcemanager,
    'compute': name_compute,
    'container': name_container,
    'iam': name_iam,
    'storage': name_storage,
}

# Hand PostFinding.register_resource to the gcp_resources registry (the
# callback itself is defined outside this excerpt).
gcp_resources.subscribe(PostFinding.register_resource)
Example #6
            'region': 'all',
            'policy': self.manager.data
        }

        message['action'] = self.expand_variables(message)

        for batch in utils.chunks(resources, self.batch_size):
            message['resources'] = batch
            self.publish_message(message, client)

    # Methods to handle GCP Pub Sub topic publishing
    def publish_message(self, message, client):
        """Publish ``message`` to the Pub/Sub topic named in the transport config.

        The topic is read from ``self.data['transport']['topic']`` and the
        payload is whatever ``self.pack(message)`` returns. The result of the
        client's ``publish`` command is returned unchanged.
        """
        # NOTE(review): the caller above puts policy data and a resource batch
        # into the message, so anyone able to subscribe to the topic can read
        # them; keep access to the topic limited to the intended consumers.
        topic = self.data['transport']['topic']
        packed = self.pack(message)
        request = {'topic': topic, 'body': {'messages': {'data': packed}}}
        return client.execute_command('publish', request)

    @classmethod
    def register_resource(cls, registry, resource_class):
        """Register the ``Notify`` action as ``'notify'`` on ``resource_class``.

        ``registry`` is accepted but not used.
        """
        actions = resource_class.action_registry
        actions.register('notify', Notify)


# Hand the registration callback to the gcp_resources registry; the callback
# adds the 'notify' action to the resource class it receives.
gcp_resources.subscribe(Notify.register_resource)
Example #7
        for r in resources:
            resource_filter.append('resourceName:"{}"'.format(r[self.manager.resource_type.name]))
            resource_filter.append(' OR ')
        resource_filter.pop()

        return ''.join(resource_filter)

    def split_by_resource(self, finding_list):
        """Group findings in ``self.findings_by_resource`` by resource short name.

        The key is the last ``/``-separated segment of each finding's
        ``resourceName``; the stored value is the list of ``finding`` payloads.
        """
        # NOTE(review): only the final path segment is used as the key, so two
        # resources sharing a short name (for example in different projects or
        # zones) end up in the same bucket and their findings can be attributed
        # to each other; confirm whether the full resource name should be kept.
        for entry in finding_list:
            short_name = entry["finding"]["resourceName"].split('/')[-1]
            self.findings_by_resource.setdefault(short_name, []).append(
                entry['finding'])

    def process_resource(self, resource):
        """Annotate ``resource`` with its findings and report whether any remain.

        When the annotation is missing or empty it is filled from
        ``self.findings_by_resource``, looked up by the resource's name field.
        If the filter data has a ``key``, findings that fail ``self.match`` are
        dropped. Returns ``True`` when at least one finding is left.
        """
        key = self.annotation_key
        if not resource.get(key):
            name_field = self.manager.resource_type.name
            resource[key] = self.findings_by_resource.get(
                resource[name_field], [])

        if self.data.get('key'):
            resource[key] = list(filter(self.match, resource[key]))
        return len(resource[key]) > 0

    @classmethod
    def register_resources(klass, registry, resource_class):
        """Register this filter class as ``'scc-findings'`` on ``resource_class``.

        ``registry`` is accepted but not used.
        """
        filters = resource_class.filter_registry
        filters.register('scc-findings', klass)


# Hand the filter's registration callback to the gcp_resources registry; the
# callback adds the 'scc-findings' filter to the resource class it receives.
gcp_resources.subscribe(SecurityComandCenterFindingsFilter.register_resources)
Example #8
        return model.get_label_params(resource, all_labels)

    def _get_current_labels(self, resource):
        """Return the resource's ``labels`` value, or ``{}`` when the key is absent."""
        # A 'labels' key that is present but set to None is returned as None.
        current = resource.get('labels', {})
        return current

    @classmethod
    def register_resources(cls, registry, resource_class):
        """Attach the label actions and filter to label-capable resources.

        Does nothing unless ``resource_class.resource_type.labels`` is truthy.
        ``registry`` is accepted but not used.
        """
        if not resource_class.resource_type.labels:
            return

        actions = resource_class.action_registry
        actions.register('set-labels', SetLabelsAction)
        actions.register('mark-for-op', LabelDelayedAction)

        filters = resource_class.filter_registry
        filters.register('marked-for-op', LabelActionFilter)


# Subscribe the label registration callback to the registry's EVENT_REGISTER
# event; the callback only registers anything for resource types that declare
# labels.
gcp_resources.subscribe(gcp_resources.EVENT_REGISTER, BaseLabelAction.register_resources)


class SetLabelsAction(BaseLabelAction):
    """Set labels to GCP resources

    :example:

    This policy will label all existing resource groups with a value such as environment

    .. code-block:: yaml

      policies:
        - name: gcp-add-multiple-labels
          resource: gcp.instance
          description: |
Example #9
        rid = r.get('organizationId')
        rtype = 'organizations'
    return "//cloudresourcemanager.googleapis.com/{}/{}".format(
        rtype, rid)


def name_container(r):
    """Build the ``//container.googleapis.com/...`` name from ``r['selfLink']``.

    Only the URL path is used: its first segment is dropped and the remaining
    segments are appended to the service prefix.
    """
    # The host part of selfLink is ignored here, so the link is trusted to
    # point at the container API; nothing in this function checks that.
    segments = urlparse(r['selfLink']).path.strip('/').split('/')
    relative_name = "/".join(segments[1:])
    return "//container.googleapis.com/{}".format(relative_name)


def name_storage(r):
    """Return ``r['name']`` prefixed with ``//storage.googleapis.com/``.

    Raises ``KeyError`` when the resource has no ``name`` key.
    """
    short_name = r['name']
    return "//storage.googleapis.com/{}".format(short_name)


def name_appengine(r):
    """Return ``r['name']`` prefixed with ``//appengine.googleapis.com/``.

    Raises ``KeyError`` when the resource has no ``name`` key.
    """
    short_name = r['name']
    return "//appengine.googleapis.com/{}".format(short_name)


# Maps a service key to the function that builds that service's
# '//<service>.googleapis.com/...' resource name. name_resourcemanager,
# name_compute and name_iam are not fully shown in this excerpt.
# NOTE(review): a service without an entry has no name builder here; how the
# lookup handles a missing key is not visible from this excerpt.
ResourceNameAdapters = {
    'appengine': name_appengine,
    'cloudresourcemanager': name_resourcemanager,
    'compute': name_compute,
    'container': name_container,
    'iam': name_iam,
    'storage': name_storage,
}

# Subscribe PostFinding.register_resource to the registry's EVENT_FINAL event
# (the callback itself is defined outside this excerpt).
gcp_resources.subscribe(
    gcp_resources.EVENT_FINAL, PostFinding.register_resource)