gcp - project - propagate-labels from resource hierarchy

[kapilt]

Propagate labels from the organization hierarchy to a project.
folder-labels should resolve to a json data mapping of folder path
to labels that should be applied to contained projects.
as a worked example assume the following resource hierarchy

      - /dev
           /network
              /project-a
           /ml
              /project-b

Given a folder-labels json with contents like

      {"dev": {"env": "dev", "owner": "dev"},
       "dev/network": {"owner": "network"},
       "dev/ml": {"owner": "ml"}

Running the following policy

      policies:
       - name: tag-projects
         resource: gcp.project
         # use a server side filter to only look at projects
         # under the /dev folder the id for the dev folder needs
         # to be manually resolved outside of the policy.
         query:
           - filter: "parent.id:389734459211 parent.type:folder"
         filters:
           - "tag:owner": absent
         actions:
           - type: propagate-tags
             folder-labels:
                url: file://folder-labels.json

Will result in project-a being tagged with owner: network and env: dev and project-b being tagged with owner: ml and env: dev

note gcp is restrictive on labels and we don't perform any pre-validation of labels.