Managing Google Cloud environments is often a complex task. You need to take care of resource provisioning and keep all services up and running, but you may also need to understand service usage and, by proxy, its cost, who is using your resources, and which projects have certain APIs active. This escalates quickly as your company adopts more and more Cloud services, and you end up with a very high risk of having some shadow IT in the cloud.
One of the tasks you may need to do is to visualize all your Cloud Assets and, eventually, answer specific questions about them, like "which project has a specific API enabled?". An asset in this context is any resource you may have created using any of the APIs, in any of your organization's projects.
Cloud Asset Inventory is available from the IAM > Asset Inventory page on Cloud Console. From there, you can see all your cloud resources at a glance using a pretty geographic visualization:
This visualization is great for quickly browsing or searching for specific items using the UI filters. For instance, you can check all your Cloud Storage buckets by filtering them on the left pane:
Doing this in the UI is cool and all, but you may need to run some more complex filtering, and for that we need a different approach. One of the cool things I find about Google Cloud is that almost all tasks you can do in the Cloud Console can usually also be done both via REST APIs and via the gcloud command line interface.
Let's say you need to export all the assets you have in Google Cloud to a spreadsheet for a report to your management. First, we need to grab our Organization numeric identifier. This can be done using the Cloud Shell (a free VM Google gives you, integrated in the Cloud Console):
gcloud organizations list
This will print out some information about your organization, and we need to grab the identifier for later use. Let's store it in an environment variable to use in the next commands:
export ORG_ID="$(gcloud organizations list --format='value(name)')"
Now, let's export all resources underneath our organization with the Asset Inventory sub-command:
gcloud asset list \
  --organization="$ORG_ID" \
  --content-type=resource \
  --format=json
This will print all your assets to the terminal's standard output in JSON format. You can already use this data for, say, some shell-script foo like grep commands to find specific items. But let's go a bit further with the gcloud command line options.
First, you may need to export specific types of assets. This can be done using the --asset-types parameter. You pass a comma-separated list of asset types, like compute.googleapis.com/Instance to export only VM Instances, or storage.googleapis.com/Bucket for Storage Buckets. Let's combine both to see all VMs and Buckets in our organization:
gcloud asset list \
  --organization="$ORG_ID" \
  --content-type=resource \
  --asset-types='compute.googleapis.com/Instance,storage.googleapis.com/Bucket' \
  --format=json
This filters the items but still shows all the JSON attributes. Let's trim it a bit by projecting only a few attributes. For instance, let's export:
- The asset type
- The resource API endpoint
- The resource location
- The last update time
gcloud asset list \
  --organization="$ORG_ID" \
  --content-type=resource \
  --asset-types='compute.googleapis.com/Instance,storage.googleapis.com/Bucket' \
  --format='csv(assetType, resource.data.selfLink, resource.data.location, updateTime)'
Here we used --format=csv() to project the desired columns and print them in a format that is convenient to import somewhere else, like a Google Sheet, for reporting purposes. Let's wrap it up by redirecting the command output into a file:
gcloud asset list \
  --organization="$ORG_ID" \
  --content-type=resource \
  --asset-types='compute.googleapis.com/Instance,storage.googleapis.com/Bucket' \
  --format='csv(assetType, resource.location, updateTime, resource.data.selfLink)' \
  > assets.csv
Now, if you executed the command in Cloud Shell, you can use the Explorer to browse to the file, right-click on the file name and download it, then upload it to a spreadsheet:
What we discussed here for the Asset Inventory commands also works for other gcloud sub-commands. Check out this page to learn more about all the nice things you can do with it!
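To keep an eye on the shadow IT risk mentioned at the start, two JSON exports taken on different days can be compared to see what appeared, disappeared or was modified in between. The script below is an added example, not part of the original post; it assumes both files were saved with the `--format=json` command shown earlier, and the project, VM and bucket names in the sample data are constructed.

```python
import json
from collections import Counter

def index_by_name(assets):
    """Key a list of asset dicts by their unique full resource name."""
    return {a["name"]: a for a in assets}

def load_export(path):
    """Load a file saved with `gcloud asset list ... --format=json > path`."""
    with open(path, encoding="utf-8") as fh:
        return index_by_name(json.load(fh))

def diff_inventories(old, new):
    """Return sorted (added, removed, changed) names; changed = updateTime differs."""
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(n for n in old.keys() & new.keys()
                     if old[n].get("updateTime") != new[n].get("updateTime"))
    return added, removed, changed

def count_by_type(names, inventory):
    """Count the given asset names per assetType."""
    return Counter(inventory[n]["assetType"] for n in names)

# Constructed sample data (made-up projects and resources), same shape as the export.
VM = "compute.googleapis.com/Instance"
BUCKET = "storage.googleapis.com/Bucket"
LAST_WEEK = index_by_name([
    {"name": "//compute.googleapis.com/projects/web-prod/zones/us-central1-a/instances/web-1",
     "assetType": VM, "updateTime": "2024-01-10T08:00:00Z"},
    {"name": "//storage.googleapis.com/web-prod-logs",
     "assetType": BUCKET, "updateTime": "2024-01-02T12:00:00Z"},
    {"name": "//storage.googleapis.com/old-backups",
     "assetType": BUCKET, "updateTime": "2023-11-20T09:30:00Z"},
])
TODAY = index_by_name([
    {"name": "//compute.googleapis.com/projects/web-prod/zones/us-central1-a/instances/web-1",
     "assetType": VM, "updateTime": "2024-01-16T17:45:00Z"},
    {"name": "//storage.googleapis.com/web-prod-logs",
     "assetType": BUCKET, "updateTime": "2024-01-02T12:00:00Z"},
    {"name": "//compute.googleapis.com/projects/sandbox-42/zones/europe-west1-b/instances/test-vm",
     "assetType": VM, "updateTime": "2024-01-15T22:10:00Z"},
])

if __name__ == "__main__":
    added, removed, changed = diff_inventories(LAST_WEEK, TODAY)
    print("new assets by type:", dict(count_by_type(added, TODAY)))
    for label, names in (("+", added), ("-", removed), ("~", changed)):
        print(label, names)
```

With real data, replace the two sample inventories with `load_export("last_week.json")` and `load_export("today.json")`.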
Happy Hacking!