c7n_gcp/resources/network.py SetFlowLog Fails with Invalid Value #6932

Closed
khalilnkhaliln opened this issue Oct 6, 2021 · 1 comment

@khalilnkhaliln (Contributor)

Describe the bug

Policy -

    resource: gcp.subnet
    mode:
      type: gcp-audit
      methods:
        - v1.compute.subnetworks.insert
        - v1.compute.subnetworks.patch
    filters:
      - not:
        - enableFlowLogs: true
    actions:
      - set-flow-log

When this policy runs the following error occurs -
Invalid value for field 'resource.enableFlowLogs': 'true'. If enable flow logging and enable in LogConfig are both set, they must also match.

Midway on this page this issue is discussed -
https://gitter.im/cloud-custodian/cloud-custodian?at=5e278ba4b674071d4ed2b285

The only way we could get this to work was with this update to the SetFlowLog member function get_resource_params -
From:

    def get_resource_params(self, m, r):
        params = super(SetFlowLog, self).get_resource_params(m, r)
        # Echoes the whole subnet resource (including its existing logConfig)
        # back in the patch body and flips only enableFlowLogs.
        params['body'] = dict(r)
        params['body']['enableFlowLogs'] = self.data.get('state', True)
        return params

To:

    def get_resource_params(self, m, r):
        params = super(SetFlowLog, self).get_resource_params(m, r)
        # Send only the fingerprint (required by subnetworks.patch) and the
        # field being changed, instead of the full resource.
        return {
            'project': params['project'],
            'region': params['region'],
            'subnetwork': params['subnetwork'],
            'body': {'fingerprint': r['fingerprint'],
                     'enableFlowLogs': self.data.get('state', True)},
        }

With this the policy runs and flow logs are enabled for the specified subnet.

What did you expect to happen?

Specifying the set-flow-log action for the gcp.subnet resource results in the subnet it is executed against having flow logs enabled.

Cloud Provider

Google Cloud (GCP)

Cloud Custodian version and dependency information

$ custodian version --debug
 
Please copy/paste the following info along with any bug reports:
 
Custodian:   0.9.13
Python:      3.9.6 (tags/v3.9.6:db3ff76, Jun 28 2021, 15:26:21) [MSC v.1929 64 bit (AMD64)]
Platform:   win32
Using venv:  False
Docker: False
Installed:
 
argcomplete==1.12.3
attrs==21.2.0
boto3==1.17.102
botocore==1.20.102
c7n==0.9.13
cachetools==4.2.2
certifi==2021.5.30
cffi==1.14.5
chardet==4.0.0
google-api-core==1.30.0
google-api-python-client==1.12.8
google-auth==1.32.0
google-auth-httplib2==0.1.0
google-cloud-core==1.7.1
google-cloud-logging==1.15.1
google-cloud-monitoring==0.34.0
google-cloud-storage==1.40.0
google-crc32c==1.1.2
google-resumable-media==1.3.1
googleapis-common-protos==1.53.0
grpcio==1.38.1
httplib2==0.19.1
idna==2.10
importlib-metadata==4.6.0
jmespath==0.10.0
jsonschema==3.2.0
packaging==20.9
protobuf==3.17.3
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.20
pyparsing==2.4.7
pyrsistent==0.18.0
python-dateutil==2.8.1
pytz==2021.1
pyyaml==5.4.1
ratelimiter==1.2.0.post0
requests==2.25.1
retrying==1.3.3
rsa==4.7.2
s3transfer==0.4.2
setuptools==56.0.0
six==1.16.0
tabulate==0.8.9
typing-extensions==3.10.0.0
uritemplate==3.0.1
urllib3==1.26.6
zipp==3.4.1

Policy

policies:
  - name: vpc-flow-logs-enabled-audit
    description: |
      guardrail_description: Detects vpc subnets that do not have flow logs enabled
      filters: Trigger on vpc subnet creation and vpc subnet update
      actions: None
      guardrail_type: Detective
    resource: gcp.subnet
    mode:
      type: gcp-audit
      methods:
        - v1.compute.subnetworks.insert
        - v1.compute.subnetworks.patch
    filters:
      - not:
        - enableFlowLogs: true
    actions:
      - set-flow-log

Relevant log/traceback output

Invalid value for field 'resource.enableFlowLogs': 'true'. If enable flow logging and enable in LogConfig are both set, they must also match.

Extra information or context

No response
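As an added example (not code from this issue or from Cloud Custodian), the following Python shows why echoing the whole subnet resource in a subnetworks.patch body trips the consistency check quoted in the error above, and how to build a minimal body that keeps enableFlowLogs and logConfig.enable in agreement. The sample subnet dict is constructed for the example; api_would_reject is a local model of the rule stated in the error message, not the real server-side validation; enableFlowLogs, logConfig.enable, aggregationInterval, flowSampling and fingerprint are GCP Compute API Subnetwork fields.

```python
# Added example, not Cloud Custodian code: build a subnetworks.patch body that
# enables or disables VPC flow logs without tripping the API's check that
# `enableFlowLogs` and `logConfig.enable`, when both present, must match.
import copy

# Constructed sample of a gcp.subnet resource as returned by
# compute.subnetworks.get; all values are made up for the example.
SAMPLE_SUBNET = {
    "name": "example-subnet",
    "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1",
    "ipCidrRange": "10.10.0.0/24",
    "fingerprint": "abc123fingerprint==",
    "enableFlowLogs": False,
    "logConfig": {"enable": False},
}


def naive_patch_body(resource, state=True):
    """What the original SetFlowLog did: copy the whole resource, flip one field.

    The copy still carries logConfig.enable == False from the existing
    subnet, so the body now contradicts itself.
    """
    body = dict(resource)
    body["enableFlowLogs"] = state
    return body


def flow_log_patch_body(resource, state=True,
                        aggregation_interval=None, flow_sampling=None):
    """Minimal, self-consistent patch body.

    Only the fields being changed are sent, plus the fingerprint that the
    patch API requires for optimistic concurrency. `enableFlowLogs` and
    `logConfig.enable` are always set to the same value.
    """
    log_config = copy.deepcopy(resource.get("logConfig", {}))
    log_config["enable"] = bool(state)
    if aggregation_interval is not None:      # e.g. "INTERVAL_5_SEC"
        log_config["aggregationInterval"] = aggregation_interval
    if flow_sampling is not None:             # 0.0 .. 1.0
        log_config["flowSampling"] = flow_sampling
    return {
        "fingerprint": resource["fingerprint"],
        "enableFlowLogs": bool(state),
        "logConfig": log_config,
    }


def api_would_reject(body):
    """Local model (assumption) of the rule quoted in the issue's error text:
    if both enableFlowLogs and logConfig.enable are set, they must match.
    Returns the error string, or None when the body is consistent."""
    if "enableFlowLogs" in body and "enable" in body.get("logConfig", {}):
        if bool(body["enableFlowLogs"]) != bool(body["logConfig"]["enable"]):
            value = str(body["enableFlowLogs"]).lower()
            return ("Invalid value for field 'resource.enableFlowLogs': "
                    f"'{value}'. If enable flow logging and enable in "
                    "LogConfig are both set, they must also match.")
    return None


def patch_request_params(project, region_name, resource, state=True):
    """Keyword arguments for compute.subnetworks().patch(...)."""
    return {
        "project": project,
        "region": region_name,
        "subnetwork": resource["name"],
        "body": flow_log_patch_body(resource, state),
    }


if __name__ == "__main__":
    print("naive body :", api_would_reject(naive_patch_body(SAMPLE_SUBNET)))
    print("fixed body :", api_would_reject(flow_log_patch_body(SAMPLE_SUBNET)))
```

Sending only the changed fields plus the fingerprint has a second benefit beyond dodging the mismatch: the fingerprint makes the patch fail if someone modified the subnet between the policy's read and its write, rather than silently overwriting their change with a stale copy of the resource.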

@kapilt (Collaborator) commented Oct 14, 2021

fix merged, thanks!

@kapilt kapilt closed this as completed Oct 14, 2021