Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.8/site-packages/c7n_gcp/resources/logging.py: 80%
76 statements
1# Copyright The Cloud Custodian Authors.
2# SPDX-License-Identifier: Apache-2.0
3from c7n.utils import local_session, type_schema
4from c7n.filters.core import ValueFilter
6from c7n_gcp.actions import MethodAction
7from c7n_gcp.provider import resources
8from c7n_gcp.query import QueryResourceManager, TypeInfo
10# TODO .. folder, billing account, org sink
11# how to map them given a project level root entity sans use of c7n-org
@resources.register('log-project-sink')
class LogProjectSink(QueryResourceManager):
    """Project-scoped Cloud Logging sinks.

    https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.sinks
    """

    class resource_type(TypeInfo):
        # Logging v2 ``projects.sinks`` collection, listed under a
        # ``projects/<id>`` parent.
        service = 'logging'
        version = 'v2'
        component = 'projects.sinks'
        enum_spec = ('list', 'sinks[]', None)
        scope_key = 'parent'
        scope_template = 'projects/{}'
        # The ``name`` field serves as both the display name and the id.
        name = 'name'
        id = 'name'
        # ``destination`` and ``writerIdentity`` are in the default report:
        # they show where entries are routed and which identity writes them.
        default_report_fields = [
            "name",
            "description",
            "destination",
            "filter",
            "writerIdentity",
            "createTime",
        ]
        asset_type = "logging.googleapis.com/LogSink"
        urn_component = "project-sink"

        @staticmethod
        def get(client, resource_info):
            """Fetch a single sink.

            ``resource_info`` must provide ``project_id`` and ``name``; both
            are substituted into the ``sinkName`` path sent with the query.
            """
            sink_path = 'projects/{project_id}/sinks/{name}'.format(
                **resource_info)
            return client.execute_query('get', {'sinkName': sink_path})
@LogProjectSink.filter_registry.register('bucket')
class LogProjectSinkBucketFilter(ValueFilter):
    """
    Filter log sinks on attributes of the Cloud Storage bucket they write to.
    A sink whose destination is not a bucket never matches this filter.

    https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.sinks
    https://cloud.google.com/storage/docs/json_api/v1/buckets#resource

    :example:

    Find Sinks that target a bucket which is not using Bucket Lock

    .. code-block:: yaml

        policies:
          - name: sink-target-bucket-not-locked
            resource: gcp.log-project-sink
            filters:
              - type: bucket
                key: retentionPolicy.isLocked
                op: ne
                value: true

    """

    schema = type_schema('bucket', rinherit=ValueFilter.schema)
    # The filter reads bucket metadata, so the policy's identity needs this
    # permission on the destination bucket.
    permissions = ('storage.buckets.get',)
    # Key under which the fetched bucket is stored on the sink resource, so
    # a sink already carrying it is not fetched again.
    cache_key = 'c7n:bucket'

    def __call__(self, sink):
        """Evaluate the inherited value filter against the sink's bucket.

        Returns ``False`` for non-bucket destinations. Otherwise the bucket is
        fetched (once per sink) and the parent ``ValueFilter`` decides.
        """
        destination = sink['destination']
        if not destination.startswith('storage.googleapis.com'):
            # Not a Cloud Storage destination, so there is nothing to inspect.
            return False

        if self.cache_key not in sink:
            # The bucket name is whatever follows the last '/'.
            bucket_name = destination.rpartition('/')[2]
            storage = local_session(self.manager.session_factory).client(
                'storage', 'v1', 'buckets')
            # NOTE(review): no error handling around this lookup. Presumably a
            # deleted bucket or one the policy identity cannot read makes this
            # call raise and stops evaluation - confirm. A sink pointing at
            # such a bucket may be worth surfacing rather than failing on.
            sink[self.cache_key] = storage.execute_command(
                'get', {'bucket': bucket_name})

        # Hand the bucket, not the sink, to the value filter.
        return super().__call__(sink[self.cache_key])
@LogProjectSink.action_registry.register('delete')
class DeletePubSubTopic(MethodAction):
    """Delete a project log sink.

    Despite the class name, this action is registered on ``log-project-sink``
    and issues the ``delete`` operation with a ``sinkName`` parameter; it does
    not touch Pub/Sub topics.

    Deleting a sink ends routing of log entries to its destination, so keep
    the policy's filters narrow enough that sinks carrying audit logs are not
    removed unintentionally.

    :example:

    Delete one sink by name (``example-sink`` is a constructed sample value)

    .. code-block:: yaml

        policies:
          - name: delete-example-sink
            resource: gcp.log-project-sink
            filters:
              - type: value
                key: name
                value: example-sink
            actions:
              - delete
    """

    schema = type_schema('delete')
    method_spec = {'op': 'delete'}

    def get_resource_params(self, m, r):
        """Build the ``sinkName`` parameter for the delete call.

        The project comes from the session's default project, not from the
        resource; ``r['name']`` supplies the sink name. ``m`` is unused.
        """
        default_project = local_session(
            self.manager.session_factory).get_default_project()
        sink_path = 'projects/{}/sinks/{}'.format(default_project, r['name'])
        return {'sinkName': sink_path}
@resources.register('log-project-metric')
class LogProjectMetric(QueryResourceManager):
    """Project-scoped logs-based metrics.

    https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics
    """

    class resource_type(TypeInfo):
        # Logging v2 ``projects.metrics`` collection, listed under a
        # ``projects/<id>`` parent.
        service = 'logging'
        version = 'v2'
        component = 'projects.metrics'
        enum_spec = ('list', 'metrics[]', None)
        scope_key = 'parent'
        scope_template = 'projects/{}'
        # The ``name`` field serves as both the display name and the id.
        name = 'name'
        id = 'name'
        default_report_fields = [
            "name",
            "description",
            "createTime",
            "filter",
        ]
        asset_type = "logging.googleapis.com/LogMetric"
        permissions = ('logging.logMetrics.list',)
        urn_component = "project-metric"

        @staticmethod
        def get(client, resource_info):
            """Fetch a single metric.

            Only the last ``/``-separated segment of ``resource_info['name']``
            is used, so a bare metric id and a slash-separated path resolve to
            the same ``metricName``.
            """
            project_id = resource_info['project_id']
            metric_id = resource_info['name'].split('/')[-1]
            metric_path = 'projects/{}/metrics/{}'.format(project_id, metric_id)
            return client.execute_query('get', {'metricName': metric_path})
@resources.register('log-exclusion')
class LogExclusion(QueryResourceManager):
    """Project-scoped Cloud Logging exclusions.

    An exclusion tells Cloud Logging to drop entries matching its filter, so
    the ``disabled`` and ``filter`` fields are the ones to review when
    auditing log coverage.

    https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions
    """

    class resource_type(TypeInfo):
        # Logging v2 ``exclusions`` collection, listed under a
        # ``projects/<id>`` parent.
        service = 'logging'
        version = 'v2'
        component = 'exclusions'
        enum_spec = ('list', 'exclusions[]', None)
        scope_key = 'parent'
        scope_template = 'projects/{}'
        # The ``name`` field serves as both the display name and the id.
        name = 'name'
        id = 'name'
        default_report_fields = [
            "name",
            "description",
            "createTime",
            "disabled",
            "filter",
        ]
        urn_component = "exclusion"

        @staticmethod
        def get(client, resource_info):
            """Fetch a single exclusion.

            ``resource_info`` must provide ``project_id`` and ``name``; both
            are substituted into the ``name`` path sent with the query.
            """
            exclusion_path = 'projects/{project_id}/exclusions/{name}'.format(
                **resource_info)
            return client.execute_query('get', {'name': exclusion_path})