Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.8/site-packages/c7n_gcp/resources/logging.py: 80%

76 statements  


1# Copyright The Cloud Custodian Authors. 

2# SPDX-License-Identifier: Apache-2.0 

3from c7n.utils import local_session, type_schema 

4from c7n.filters.core import ValueFilter 

5 

6from c7n_gcp.actions import MethodAction 

7from c7n_gcp.provider import resources 

8from c7n_gcp.query import QueryResourceManager, TypeInfo 

9 

10# TODO .. folder, billing account, org sink 

11# how to map them given a project level root entity sans use of c7n-org 


@resources.register('log-project-sink')
class LogProjectSink(QueryResourceManager):
    """Project-scoped Cloud Logging sinks.

    https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.sinks

    Sinks are listed under ``projects/{}`` only, so sinks defined on a
    folder, organization or billing account are not returned by this
    resource. The default report includes ``destination`` and
    ``writerIdentity``, the two fields that show where a sink exports log
    entries and which identity performs the write.
    """

    class resource_type(TypeInfo):
        # API binding: logging v2, projects.sinks
        service = 'logging'
        version = 'v2'
        component = 'projects.sinks'
        # (method, result path, extra params) used to enumerate sinks
        enum_spec = ('list', 'sinks[]', None)
        # enumeration is scoped by a ``parent`` of the form projects/<id>
        scope_key = 'parent'
        scope_template = 'projects/{}'
        name = 'name'
        id = 'name'
        default_report_fields = [
            "name",
            "description",
            "destination",
            "filter",
            "writerIdentity",
            "createTime",
        ]
        asset_type = "logging.googleapis.com/LogSink"
        urn_component = "project-sink"

        @staticmethod
        def get(client, resource_info):
            """Fetch one sink; ``resource_info`` supplies ``project_id`` and ``name``."""
            sink_name = 'projects/{project_id}/sinks/{name}'.format(**resource_info)
            return client.execute_query('get', {'sinkName': sink_name})


@LogProjectSink.filter_registry.register('bucket')
class LogProjectSinkBucketFilter(ValueFilter):
    """
    Allows filtering on the bucket targeted by the log sink. If the sink does not target a bucket
    it does not match this filter.

    The bucket is read with the policy's own session, so the executing
    identity needs ``storage.buckets.get`` on the destination bucket. Errors
    raised by that lookup are not handled here and propagate to the caller.
    The fetched bucket is cached on the sink under ``c7n:bucket``.

    https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.sinks
    https://cloud.google.com/storage/docs/json_api/v1/buckets#resource

    :example:

    Find Sinks that target a bucket which is not using Bucket Lock

    .. code-block:: yaml

        policies:
          - name: sink-target-bucket-not-locked
            resource: gcp.log-project-sink
            filters:
              - type: bucket
                key: retentionPolicy.isLocked
                op: ne
                value: true

    """

    schema = type_schema('bucket', rinherit=ValueFilter.schema)
    permissions = ('storage.buckets.get',)
    cache_key = 'c7n:bucket'

    def __call__(self, sink):
        """Return the value-filter result for the sink's destination bucket.

        Sinks whose destination is not Cloud Storage never match.
        """
        destination = sink['destination']
        targets_bucket = destination.startswith('storage.googleapis.com')
        if not targets_bucket:
            return False

        if self.cache_key not in sink:
            # the bucket name is the last path segment of the destination
            bucket_name = destination.rpartition('/')[2]
            storage = local_session(self.manager.session_factory).client(
                'storage', 'v1', 'buckets')
            sink[self.cache_key] = storage.execute_command(
                'get', {'bucket': bucket_name})

        # evaluate key/op/value against the bucket, not the sink itself
        return super().__call__(sink[self.cache_key])


@LogProjectSink.action_registry.register('delete')
class DeletePubSubTopic(MethodAction):
    """Delete a project log sink.

    Despite the class name, this is registered as the ``delete`` action of
    ``log-project-sink`` and issues a ``delete`` call with a ``sinkName``.
    Removing a sink ends export of the log entries it routed, so policies
    using this action should filter narrowly.
    """

    schema = type_schema('delete')
    method_spec = {'op': 'delete'}

    def get_resource_params(self, m, r):
        """Build the ``sinkName`` parameter for the delete call.

        The project comes from the session's default project, not from the
        resource ``r``.
        """
        project = local_session(self.manager.session_factory).get_default_project()
        sink_path = 'projects/{project}/sinks/{sink}'.format(
            project=project, sink=r['name'])
        return {'sinkName': sink_path}


@resources.register('log-project-metric')
class LogProjectMetric(QueryResourceManager):
    """Project-scoped log-based metrics.

    https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics

    The default report includes each metric's ``filter``, which shows the
    log entries the metric counts.
    """

    class resource_type(TypeInfo):
        # API binding: logging v2, projects.metrics
        service = 'logging'
        version = 'v2'
        component = 'projects.metrics'
        # (method, result path, extra params) used to enumerate metrics
        enum_spec = ('list', 'metrics[]', None)
        scope_key = 'parent'
        scope_template = 'projects/{}'
        name = 'name'
        id = 'name'
        default_report_fields = [
            "name",
            "description",
            "createTime",
            "filter",
        ]
        asset_type = "logging.googleapis.com/LogMetric"
        permissions = ('logging.logMetrics.list',)
        urn_component = "project-metric"

        @staticmethod
        def get(client, resource_info):
            """Fetch one metric by project id and the last segment of its name."""
            project_id = resource_info['project_id']
            # accept either a bare metric id or a slash-separated path
            short_name = resource_info['name'].split('/')[-1]
            metric_name = 'projects/{}/metrics/{}'.format(project_id, short_name)
            return client.execute_query('get', {'metricName': metric_name})


@resources.register('log-exclusion')
class LogExclusion(QueryResourceManager):
    """Project-scoped log exclusions.

    https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions

    An exclusion filters matching log entries out of ingestion, so the
    ``filter`` and ``disabled`` report fields are the ones to review when
    checking that security-relevant logs are still being kept.
    """

    class resource_type(TypeInfo):
        # API binding: logging v2, exclusions
        service = 'logging'
        version = 'v2'
        component = 'exclusions'
        # (method, result path, extra params) used to enumerate exclusions
        enum_spec = ('list', 'exclusions[]', None)
        scope_key = 'parent'
        scope_template = 'projects/{}'
        name = 'name'
        id = 'name'
        default_report_fields = [
            "name",
            "description",
            "createTime",
            "disabled",
            "filter",
        ]
        urn_component = "exclusion"

        @staticmethod
        def get(client, resource_info):
            """Fetch one exclusion; ``resource_info`` supplies ``project_id`` and ``name``."""
            exclusion_name = 'projects/{project_id}/exclusions/{name}'.format(
                **resource_info)
            return client.execute_query('get', {'name': exclusion_name})