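def create_alerts(config):
    """Creates Stackdriver alerts for logs-based metrics.

    Stackdriver alerts can't yet be created in Deployment Manager, so they
    are created here through the helpers in ``utils``.

    Args:
        config: project configuration; ``config.project`` is read for
            'stackdriver_alert_email', 'project_id' and 'data_buckets'.

    Returns:
        None. When no alert email is configured a warning is logged and
        nothing is created.
    """
    alert_email = config.project.get('stackdriver_alert_email')
    if alert_email is None:
        logging.warning(
            'No Stackdriver alert email specified, skipping creation '
            'of Stackdriver alerts.')
        return
    project_id = config.project['project_id']

    # Create an email notification channel for alerts.
    logging.info('Creating Stackdriver notification channel.')
    channel = utils.create_notification_channel(alert_email, project_id)

    logging.info('Creating Stackdriver alerts.')
    utils.create_alert_policy(
        ['global', 'pubsub_topic', 'pubsub_subscription', 'gce_instance'],
        'iam-policy-change-count', 'IAM Policy Change Alert',
        ('This policy ensures the designated user/group is notified when IAM '
         'policies are altered.'), channel, project_id)
    utils.create_alert_policy(
        ['gcs_bucket'], 'bucket-permission-change-count',
        'Bucket Permission Change Alert',
        ('This policy ensures the designated user/group is notified when '
         'bucket/object permissions are altered.'), channel, project_id)
    utils.create_alert_policy(
        ['global'], 'bigquery-settings-change-count', 'Bigquery update Alert',
        ('This policy ensures the designated user/group is notified when '
         'Bigquery dataset settings are altered.'), channel, project_id)

    for data_bucket in config.project.get('data_buckets', []):
        # Every bucket with 'expected_users' has an expected-access alert.
        if 'expected_users' not in data_bucket:
            continue
        bucket_name = project_id + data_bucket['name_suffix']
        metric_name = 'unexpected-access-' + bucket_name
        # The resource types are passed as a list, like every other call
        # above; the bare string 'gcs_bucket' was inconsistent with them.
        utils.create_alert_policy(
            ['gcs_bucket'], metric_name,
            'Unexpected Access to {} Alert'.format(bucket_name),
            ('This policy ensures the designated user/group is notified when '
             'bucket {} is accessed by an unexpected user.'.format(
                 bucket_name)), channel, project_id)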
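def _find_existing_channel(alert_email, project_id):
    """Returns the name of an existing notification channel whose email label
    is ``alert_email``, or None when the project has no such channel."""
    output = runner.run_gcloud_command([
        'alpha', 'monitoring', 'channels', 'list', '--format',
        'value(name,labels.email_address)'
    ], project_id=project_id)
    email_to_channel = {}
    for row in (output or '').splitlines():
        fields = row.split()
        # A channel without an email label (or a blank row) yields fewer than
        # two fields; skip it rather than fail on tuple unpacking.
        if len(fields) != 2:
            continue
        channel, email = fields
        # assume only one channel exists per email
        email_to_channel[email] = channel
    return email_to_channel.get(alert_email)


def _existing_alert_names(project_id):
    """Returns the set of display names of alert policies already present in
    ``project_id``."""
    output = runner.run_gcloud_command([
        'alpha', 'monitoring', 'policies', 'list', '--format',
        'value(displayName)'
    ], project_id=project_id)
    return {name for name in (output or '').splitlines() if name}


def create_alerts(config):
    """Creates Stackdriver alerts for logs-based metrics.

    Stackdriver alerts can't yet be created in Deployment Manager, so they
    are created here. The function is re-runnable: an existing notification
    channel for the configured email is reused, and a policy whose display
    name already exists in the project is not created again.

    Args:
        config: project configuration; ``config.project`` is read for
            'stackdriver_alert_email', 'project_id' and 'data_buckets'.

    Returns:
        None. When no alert email is configured a warning is logged and
        nothing is created.
    """
    alert_email = config.project.get('stackdriver_alert_email')
    if alert_email is None:
        logging.warning('No Stackdriver alert email specified, skipping creation '
                        'of Stackdriver alerts.')
        return
    project_id = config.project['project_id']

    channel = _find_existing_channel(alert_email, project_id)
    if channel is not None:
        logging.info('Stackdriver notification channel already exists for %s',
                     alert_email)
    else:
        logging.info('Creating Stackdriver notification channel.')
        channel = utils.create_notification_channel(alert_email, project_id)

    existing_alerts = _existing_alert_names(project_id)

    # NOTE: presence is keyed on display name only. A policy that still carries
    # the expected name but has been disabled, edited or pointed at another
    # channel is not detected here; such drift needs a separate check.
    policies = [
        (['global', 'pubsub_topic', 'pubsub_subscription', 'gce_instance'],
         'iam-policy-change-count', 'IAM Policy Change Alert',
         ('This policy ensures the designated user/group is notified when IAM '
          'policies are altered.')),
        (['gcs_bucket'], 'bucket-permission-change-count',
         'Bucket Permission Change Alert',
         ('This policy ensures the designated user/group is notified when '
          'bucket/object permissions are altered.')),
        (['global'], 'bigquery-settings-change-count', 'Bigquery Update Alert',
         ('This policy ensures the designated user/group is notified when '
          'Bigquery dataset settings are altered.')),
    ]
    for data_bucket in config.project.get('data_buckets', []):
        # Every bucket with 'expected_users' has an expected-access alert.
        if 'expected_users' not in data_bucket:
            continue
        bucket_name = get_data_bucket_name(data_bucket, project_id)
        policies.append((
            ['gcs_bucket'], 'unexpected-access-' + bucket_name,
            'Unexpected Access to {} Alert'.format(bucket_name),
            ('This policy ensures the designated user/group is notified when '
             'bucket {} is accessed by an unexpected user.'.format(bucket_name)),
        ))

    logging.info('Creating Stackdriver alerts.')
    for resource_types, metric_name, display_name, description in policies:
        if display_name in existing_alerts:
            continue
        utils.create_alert_policy(resource_types, metric_name, display_name,
                                  description, channel, project_id)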