cloud-custodian · kapilt · Apr 12, 2023 · Apr 4, 2023 · Apr 4, 2023
diff --git a/tools/c7n_gcp/c7n_gcp/resources/logging.py b/tools/c7n_gcp/c7n_gcp/resources/logging.py
@@ -1,6 +1,7 @@
 # Copyright The Cloud Custodian Authors.
 # SPDX-License-Identifier: Apache-2.0
 from c7n.utils import local_session, type_schema
+from c7n.filters.core import ValueFilter
 
 from c7n_gcp.actions import MethodAction
 from c7n_gcp.provider import resources
@@ -36,6 +37,54 @@ def get(client, resource_info):
                     **resource_info)})
 
 
+@LogProjectSink.filter_registry.register('bucket')
+class LogProjectSinkBucketFilter(ValueFilter):
+    """
+    Allows filtering on the bucket targeted by the log sink. If the sink does not target a bucket
+    it does not match this filter.
+
+    https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.sinks
+    https://cloud.google.com/storage/docs/json_api/v1/buckets#resource
+
+    :example:
+
+    Find Sinks that target a bucket which is not using Bucket Lock
+
+    .. code-block:: yaml
+
+        policies:
+          - name: sink-target-bucket-not-locked
+            resource: gcp.log-project-sink
+            filters:
+              - type: bucket
+                key: retentionPolicy.isLocked
+                op: ne
+                value: true
+
+    """
+
+    schema = type_schema('bucket', rinherit=ValueFilter.schema)
+    permissions = ('storage.buckets.get',)
+    cache_key = 'c7n:bucket'
+
+    def __call__(self, sink):
+        # no match if the target is not a bucket
+        if not sink['destination'].startswith('storage.googleapis.com'):
+            return False
+
+        if self.cache_key not in sink:
+            bucket_name = sink['destination'].rsplit('/', 1)[-1]
+
+            session = local_session(self.manager.session_factory)
+            client = session.client('storage', 'v1', 'buckets')
+            bucket = client.execute_command('get', {'bucket': bucket_name})
+
+            sink[self.cache_key] = bucket
+
+        # call value filter on the bucket object
+        return super().__call__(sink[self.cache_key])
+
+
 @LogProjectSink.action_registry.register('delete')
 class DeletePubSubTopic(MethodAction):
 

diff --git a/...cp/tests/data/flights/log-project-sink-bucket-filter/get-storage-v1-b-cfb-gcuvtiqb_1.json b/...cp/tests/data/flights/log-project-sink-bucket-filter/get-storage-v1-b-cfb-gcuvtiqb_1.json
@@ -0,0 +1,40 @@
+{
+  "headers": {
+    "x-guploader-uploadid": "ADPycdvDLTjxmXSIj89WY5k_-x_YoTfSuN92brWk3oiu7inceaZn5s7dGEBQpzlaqiznF8TI_OZT4Lt_2pKfGrN1_A2uVbyt4OHo",
+    "etag": "CAE=",
+    "content-type": "application/json; charset=UTF-8",
+    "date": "Tue, 04 Apr 2023 14:09:04 GMT",
+    "vary": "Origin, X-Origin",
+    "cache-control": "private, max-age=0, must-revalidate, no-transform",
+    "expires": "Tue, 04 Apr 2023 14:09:04 GMT",
+    "content-length": "687",
+    "server": "UploadServer",
+    "status": "200",
+    "content-location": "https://storage.googleapis.com/storage/v1/b/cfb-gcuvtiqb?alt=json"
+  },
+  "body": {
+    "kind": "storage#bucket",
+    "selfLink": "https://www.googleapis.com/storage/v1/b/cfb-gcuvtiqb",
+    "id": "cfb-gcuvtiqb",
+    "name": "cfb-gcuvtiqb",
+    "projectNumber": "365206961407",
+    "metageneration": "1",
+    "location": "US-CENTRAL1",
+    "storageClass": "STANDARD",
+    "etag": "CAE=",
+    "timeCreated": "2023-04-04T14:08:42.044Z",
+    "updated": "2023-04-04T14:08:42.044Z",
+    "iamConfiguration": {
+      "bucketPolicyOnly": {
+        "enabled": true,
+        "lockedTime": "2023-07-03T14:08:42.044Z"
+      },
+      "uniformBucketLevelAccess": {
+        "enabled": true,
+        "lockedTime": "2023-07-03T14:08:42.044Z"
+      },
+      "publicAccessPrevention": "inherited"
+    },
+    "locationType": "region"
+  }
+}
diff --git a/.../data/flights/log-project-sink-bucket-filter/get-v2-projects-cloud-custodian-sinks_1.json b/.../data/flights/log-project-sink-bucket-filter/get-v2-projects-cloud-custodian-sinks_1.json
@@ -0,0 +1,38 @@
+{
+  "headers": {
+    "content-type": "application/json; charset=UTF-8",
+    "vary": "Origin, X-Origin, Referer",
+    "date": "Tue, 04 Apr 2023 14:09:04 GMT",
+    "server": "ESF",
+    "cache-control": "private",
+    "x-xss-protection": "0",
+    "x-frame-options": "SAMEORIGIN",
+    "x-content-type-options": "nosniff",
+    "transfer-encoding": "chunked",
+    "status": "200",
+    "content-length": "1369",
+    "-content-encoding": "gzip",
+    "content-location": "https://logging.googleapis.com/v2/projects/cloud-custodian/sinks?alt=json"
+  },
+  "body": {
+    "sinks": [
+      {
+        "name": "DDB92BD9-F4FA-49EF-88E4-E8C0838C31C7",
+        "destination": "storage.googleapis.com/cfb-gcuvtiqb",
+        "writerIdentity": "serviceAccount:cloud-logs@system.gserviceaccount.com",
+        "createTime": "2023-04-04T14:08:42.768933875Z",
+        "updateTime": "2023-04-04T14:08:42.768933875Z"
+      },
+      {
+        "name": "_Required",
+        "destination": "logging.googleapis.com/projects/cloud-custodian/locations/global/buckets/_Required",
+        "filter": "LOG_ID(\"cloudaudit.googleapis.com/activity\") OR LOG_ID(\"externalaudit.googleapis.com/activity\") OR LOG_ID(\"cloudaudit.googleapis.com/system_event\") OR LOG_ID(\"externalaudit.googleapis.com/system_event\") OR LOG_ID(\"cloudaudit.googleapis.com/access_transparency\") OR LOG_ID(\"externalaudit.googleapis.com/access_transparency\")"
+      },
+      {
+        "name": "_Default",
+        "destination": "logging.googleapis.com/projects/cloud-custodian/locations/global/buckets/_Default",
+        "filter": "NOT LOG_ID(\"cloudaudit.googleapis.com/activity\") AND NOT LOG_ID(\"externalaudit.googleapis.com/activity\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"externalaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/access_transparency\") AND NOT LOG_ID(\"externalaudit.googleapis.com/access_transparency\")"
+      }
+    ]
+  }
+}
diff --git a/tools/c7n_gcp/tests/test_logging.py b/tools/c7n_gcp/tests/test_logging.py
@@ -69,6 +69,29 @@ def test_delete_project_sink(self):
         with self.assertRaises(HttpError):
             client.execute_query('get', {'sinkName': sinkName})
 
+    def test_bucket_filter(self):
+        factory = self.replay_flight_data(
+            'log-project-sink-bucket-filter',
+            'cloud-custodian'
+        )
+        policy_data = {
+            'name': 'log-project-sink-bucket-filter',
+            'resource': 'gcp.log-project-sink',
+            'filters': [
+                {
+                    'type': 'bucket',
+                    'key': 'retentionPolicy.isLocked',
+                    'op': 'ne',
+                    'value': True
+                }
+            ]
+        }
+
+        policy = self.load_policy(policy_data, session_factory=factory)
+        resources = policy.run()
+
+        self.assertEqual(len(resources), 1)
+
 
 class LogProjectMetricTest(BaseTest):