Watchdog that monitors Google Cloud Platform (GCP) services. Creates a HTML report file which lists the following across all your projects:
- Compute instances
- Identity and Access Management (IAM)
- Firewall rules
This allows you to monitor all your GCP projects in a convenient way. For example, use it to:
- Track running instances (you might have forgotten about)
- Check people's access and roles
- Find open ports
All put together in a HTML report which can be sent out via email. The report can be customized with a configuration file (watchdog.yaml), so certain projects, instances, firewalls etc. can be ignored or highlighted.
Install with:
cd gcp-watchdog/
pip install .
-
Create a service account on GCP to use with the gcp-watchdog. You can also use your user account but its good practice to use a service account with a limited scope, especially if you run the watchdog on a compute instance.
-
Set viewer permissions on GCP for all the projects you want to include in the report. Viewer permissions in GCP can be set for either
- Each project individually
- On the organization level with the organization node. (https://cloud.google.com/resource-manager/docs/quickstart)
-
Activate Compute Engine for the projects you want to include in the report. (GCP-watchdog requires the Compute Engine to be configured to get information about instances)
-
Set your service account credentials as environment variable:
export GOOGLE_APPLICATION_CREDENTIALS=path_to_json -
Create your configuration file (watchdog.yaml). See below for a template.
-
Optional: If you use the email function to send out an email with the report via Sendgrid, you need to set your Sendgrid api key as environment variable.
export SENDGRID_API_KEY=path_to_sendgrid_key -
Run with:
gcp-watchdog --config watchdog.yaml
Create your Sendgrid account here: https://sendgrid.com/, or configure any other email client yourself.
send report as email (receivers are specified in watchdog.yaml. Needs email client to be configured in send_email.py):
gcp-watchdog --email
Specify the name of the report HTML file:
gcp-watchdog --output daily_report.html
Don't write HTML report to file:
gcp-watchdog --no-output
You can configure the report by specifying rules in the config file. Just add keywords to the rules.
There are three types of rules:
- Notify-rules: Whitelisting (Filters out everything you don't add here. If left empty, everything will be whitelisted)
- Ignore-rules: Blacklisting (Filters out everything you add here)
- Alert-rules: Highlighting (Highlights everything you add here in the report in orange)
You don't have to specify the whole name or string. The watchdog will apply the rule to everything that includes the string.
Example:
ignore-zones:
name:
- string: asia
Will ignore all zones where the string asia appears: asia-east1-a, asia-east1-b, asia-northeast1-a ...
If you add multiple rules for a keyword use the - string key:
For example:
ignore-zones:
name:
- string: us
- string: europe
You will find an example of the configuration file in the templates folder