GCP Tags Filter - Custodian doesn't support filtering resources based on the tags attached to them #9443

Open
a-manchal opened this issue Apr 18, 2024 · 4 comments


a-manchal commented Apr 18, 2024

Describe the feature

Our organization, Cruise, currently requires filtering resources based on the tags attached to them and further using these filtered resources to manage exemptions. I am currently working on adding this as a common filter for any service that supports tags, using Cloud Asset Inventory to fetch resources. PR on the way!

Here is an example of a policy that filters based on tags:

    policies:
      - name: cloudsql-public-instances-with-tags
        resource: gcp.sql-instance # Any resource that supports tags
        filters:
          - type: tags
            scope: "organizations/123" # or folders/1234 or projects/12345
            has: true
            tagvalue: "123/resource_is_exempt_sql.restrictPublicIp/TRUE" # parentNamespace/tagKeyShortName/tagValueShortName

Extra information or context

No response
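The matching semantics the proposed `tags` filter implies (`scope`, `has`, and a namespaced `tagvalue`), as an added sketch that is not part of the original post and is not Cloud Custodian code. The record shape (`ancestors`, `tagValues`), the function names and the sample data are assumptions made for illustration.

```python
# Added sketch: not Cloud Custodian code. Record shape and names are assumptions.
from typing import Iterable, NamedTuple


class NamespacedTag(NamedTuple):
    parent: str  # parentNamespace, e.g. the organization id "123"
    key: str     # tagKeyShortName
    value: str   # tagValueShortName


def parse_tagvalue(raw: str) -> NamespacedTag:
    """Split parentNamespace/tagKeyShortName/tagValueShortName; reject anything else."""
    parts = raw.split("/")
    if len(parts) != 3 or not all(p.strip() for p in parts):
        raise ValueError(f"expected parent/key/value, got {raw!r}")
    return NamespacedTag(*parts)


def filter_by_tag(resources: Iterable[dict], tagvalue: str, scope: str, has: bool = True) -> list:
    """Return resources under `scope` whose tags do (has=True) or do not
    (has=False) contain exactly `tagvalue`. Matching is exact and case-sensitive."""
    wanted = parse_tagvalue(tagvalue)  # a malformed policy value fails loudly
    selected = []
    for r in resources:
        if scope not in r.get("ancestors", []):
            continue  # outside the organizations/, folders/ or projects/ scope
        tags = set()
        for raw in r.get("tagValues", []):
            try:
                tags.add(parse_tagvalue(raw))
            except ValueError:
                continue  # a malformed tag never counts as an exemption
        if (wanted in tags) == has:
            selected.append(r)
    return selected


# Constructed sample records (hypothetical, not real inventory output).
EXEMPT = "123/resource_is_exempt_sql.restrictPublicIp/TRUE"
ORG = ["projects/12345", "organizations/123"]
SAMPLE = [
    {"name": "sql-a", "ancestors": ORG, "tagValues": [EXEMPT]},
    {"name": "sql-b", "ancestors": ORG, "tagValues": []},
    {"name": "sql-c", "ancestors": ORG, "tagValues": [EXEMPT.lower()]},  # wrong case
    {"name": "sql-d", "ancestors": ["projects/999", "organizations/456"], "tagValues": [EXEMPT]},
]

if __name__ == "__main__":
    for has in (True, False):
        print(has, [r["name"] for r in filter_by_tag(SAMPLE, EXEMPT, "organizations/123", has)])
```

With `has: false` the sketch returns the resources that carry no valid exemption, which is the set an enforcement policy would act on; a near-miss tag such as the lower-cased one on `sql-c` is not treated as an exemption.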

kapilt (Collaborator) commented May 20, 2024

do you mean gcp organization tags? that term is a little overloaded in custodian, since we also use it to reference gcp resource level labels. but a tag filter sounds good.

fwiw, cloud asset inventory is already supported in custodian, using the source: inventory configuration on a policy.

a-manchal (Author) commented

@kapilt can you show some examples for using the Cloud Asset Inventory in Custodian? I am interested to see if I can use it to filter resources with tags. Thanks!

syed-awais-ali (Contributor) commented

I think the following can be an example of filtering the VMs that have a specific tag and are running:

    policies:
      - name: gcp-running-instances-with-tag
        resource: gcp.instance
        source: inventory  # fetch resources through Cloud Asset Inventory
        filters:
          - "tag:environment": "production"
          - type: value
            key: status
            value: RUNNING
