Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.8/site-packages/c7n_gcp/resources/storage.py: 86%
36 statements
1# Copyright The Cloud Custodian Authors.
2# SPDX-License-Identifier: Apache-2.0
3from c7n.utils import type_schema
4from c7n_gcp.actions import MethodAction
5from c7n_gcp.provider import resources
6from c7n_gcp.query import QueryResourceManager, TypeInfo
7from c7n_gcp.filters import IamPolicyFilter
@resources.register('bucket')
class Bucket(QueryResourceManager):
    """Cloud Storage bucket resource, registered under the name ``bucket``."""

    class resource_type(TypeInfo):
        """Static metadata describing how buckets are listed, fetched and reported."""

        # API coordinates used to build the client.
        service = 'storage'
        version = 'v1'
        component = 'buckets'
        scope = 'project'

        # Presumably (method, result path, extra request parameters) -- confirm
        # against QueryResourceManager. In the Storage API, projection=full asks
        # for the ACL properties as well, so filters that inspect bucket ACLs
        # have data to evaluate.
        enum_spec = ('list', 'items[]', {'projection': 'full'})

        # The bucket name serves as both display name and identifier.
        name = 'name'
        id = 'name'

        default_report_fields = [
            "name",
            "timeCreated",
            "location",
            "storageClass",
        ]
        asset_type = "storage.googleapis.com/Bucket"
        scc_type = "google.cloud.storage.Bucket"
        metric_key = 'resource.labels.bucket_name'
        urn_component = "bucket"

        @staticmethod
        def get(client, resource_info):
            """Fetch a single bucket named by ``resource_info['bucket_name']``."""
            request = {'bucket': resource_info['bucket_name']}
            return client.execute_command('get', request)
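@Bucket.filter_registry.register('iam-policy')
class BucketIamPolicyFilter(IamPolicyFilter):
    """IAM policy filter for bucket resources.

    Overrides the base implementation to process bucket resources correctly:
    the request arguments identify the bucket through a ``bucket`` key.
    """
    permissions = ('storage.buckets.getIamPolicy',)

    def _verb_arguments(self, resource):
        """Return the request arguments that identify *resource*.

        :param resource: bucket resource dict; its ``name`` key is read.
        :return: ``{"bucket": <bucket name>}``
        :raises KeyError: if *resource* has no ``name`` key.
        """
        # This must be a plain dict. Doubled braces build a set containing a
        # dict, which raises TypeError (unhashable type) before any IAM policy
        # is fetched, so bucket policies would never be evaluated.
        return {"bucket": resource["name"]}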
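@Bucket.action_registry.register('set-uniform-access')
class BucketLevelAccess(MethodAction):
    '''Uniform access disables object ACLs on a bucket.

    Enabling this means only bucket policies (and organization bucket
    policies) govern access to a bucket.

    When enabled, users can only specify bucket level IAM policies
    and not object level ACLs.

    ``state`` defaults to true. A policy that sets ``state: false`` sends
    ``enabled: false`` and so switches uniform access off again; review
    such policies with that in mind.

    The filter in the example uses ``enabled``, the same field name this
    action writes. A misspelled key resolves to no value, so the filter
    would select no buckets and the policy would silently do nothing.

    Example Policy:

    .. code-block:: yaml

      policies:
       - name: enforce-uniform-bucket-level-access
         resource: gcp.bucket
         filters:
          - iamConfiguration.uniformBucketLevelAccess.enabled: false
         actions:
          - type: set-uniform-access
            # The following is also the default
            state: true
    '''

    schema = type_schema('set-uniform-access', state={'type': 'boolean'})
    method_spec = {'op': 'patch'}
    method_perm = 'update'

    # The Google docs and example for this API appear to be broken:
    # https://cloud.google.com/storage/docs/using-uniform-bucket-level-access#rest-apis
    #
    # Instead we mirror the request observed from gsutil to achieve the same
    # effect. The key seems to be the undocumented projection parameter.
    #
    def get_resource_params(self, model, resource):
        """Build the patch request that sets uniform bucket-level access.

        :param model: unused here.
        :param resource: bucket resource dict; its ``name`` key is read.
        :return: request parameters, with the desired ``enabled`` flag in the
            body taken from the policy's ``state`` (true when omitted).
        """
        enabled = self.data.get('state', True)
        uniform_access = {'uniformBucketLevelAccess': {'enabled': enabled}}
        return {
            'bucket': resource['name'],
            # Restrict the response to the part of the bucket being changed.
            'fields': 'iamConfiguration',
            # Not documented for this call, but appears to be required
            # (see the note above this method).
            'projection': 'noAcl',
            'body': {'iamConfiguration': uniform_access},
        }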