Updated Pubsub2Inbox to version 1.2.0

Added: - New projects processor for fetching project details from CRM. - BigQuery output for writing data to BigQuery datasets. - New recommenders/insights types and quota project support to recommender processor. - contains -filter in Jinja - New live GCP environment tests. - Processor documentation. Changed: - Updated dependencies to latest plus refactored code. - Improved Terraform code. - "All mail transports failed" is now an error.
GoogleCloudPlatform · Oct 7, 2021 · 6707d43 · 6707d43
1 parent 9fa3894
commit 6707d43
Show file tree

Hide file tree

Showing 51 changed files with 2,114 additions and 417 deletions.
diff --git a/tools/pubsub2inbox/PROCESSORS.md b/tools/pubsub2inbox/PROCESSORS.md
@@ -0,0 +1,241 @@
+# Processors
+
+## Projects
+
+Permissions:
+
+  - Browser (`roles/browser`) to fetch project details.
+
+Input parameters: 
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| get | list | List of projects for get (either specify `get` or `filter`) |
+| filter | string | Search for projects, see [format in filter](https://cloud.google.com/resource-manager/reference/rest/v1/projects/list) |
+| indexing | enum | How to index results: `projectId`, `parent` or `list` |
+| jinjaFilter | string | Additional Jinja filter to filter projects (output anything to include, output empty to exclude ) |
+
+Output parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| projects | varies | List of projects according to desired indexing |
+
+## Budget
+
+Permissions:
+
+  - Billing Account Viewer (`roles/billing.viewer`) to retrieve budget details.
+  - Browser (`roles/browser`) to fetch project details.
+
+The budget processor is designed to accept Pub/Sub messages from budget notifications, where part
+of the data is passed through the Pub/Sub message attributes (eg. out-side of the message content).
+
+Pub/Sub attributes used:
+
+| Field | Description | 
+| ----------- | ----------- |
+| budgetId | Budget ID |
+| billingAccountID | Billing account ID |
+
+Output parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| projects | list | List of projects |
+| budget | object | Budget details |
+| budget.name | string | Budget name |
+| budget.display_name | string | Budget display name |
+| budget.cost_amount | float | Current costs |
+| budget.cost_interval_start | string | Cost interval start |
+| budget.alert_threshold_exceeded | string | |
+| budget.forecast_threshold_exceeded | string | |
+| budget.credit_types_treatment | string | |
+| budget.amount_type | enum | last_period or specified |
+| budget.amount_units | string | Current unit |
+| budget.amounts_currency_code | string | Currency code |
+
+## Generic JSON
+
+Output parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| data | any | Loads the message body as JSON data |
+
+## Recommendations
+
+Permissions:
+
+  - Organization level:
+     - Browser (`roles/browser`) to fetch project details.
+     - Compute Recommender Viewer (`roles/recommender.computeViewer`), Firewall
+     Recommender Viewer (`roles/recommender.firewallViewer`), IAM Recommender
+     Viewer (`roles/recommender.iamViewer`), Product Suggestion Recommender
+     Viewer (`roles/recommender.productSuggestionViewer`), Viewer of Billing 
+     Account Usage Commitment Recommender (`roles/recommender.billingAccountCudViewer`)
+     and/or Project Usage Commitment Recommender Viewer (`roles/recommender.projectCudViewer`).
+     If you want billing account level recommendations, also add Billing Account Viewer
+     (`roles/billing.viewer`) and Billing Account Usage Commitment Recommender Viewer
+     (`roles/recommender.billingAccountCudViewer`) on the billing account
+     itself.
+  - Quota project:
+     - Compute Viewer (`roles/compute.viewer`)
+  - If writing to a bucket, `roles/storage.objectAdmin` on the bucket.
+
+Input parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| quota_project_id | string | Project to issue API calls against (Compute Engine and Recommender API) |
+| fetch_recommendations | bool | Fetch the configured recommender_types from the API |
+| fetch_insights | bool | Fetch the configured insights_types from the API |
+| recommender_types | list | List of recommenders that will be queried from the API - for full supported list, see the processor code |
+| recommendation_filter | string | Filter recommendations (eg. active, closed) |
+| insights_types | list | List of insights that will be queried from the API |
+| insight_filter | Filter insights (eg. active, closed) |
+| projects | list | List of project IDs where to fetch recommendations/insights from |
+| organizations | list | List of organizations where to fetch recommendations (note that specifying organization ID does not mean recommendations are fetched from all projects in the organization - it means recommendations pertaining to the organization node) |
+| folders | list | List of folders for fetching recommendations (see above about org) |
+| billingAccounts | list | List of billing accounts for fetch recommendations (see above about org) |
+| locations | list | Locations where to fetch recommendations from (eg. global, eu, us, specific zones). If you want to fetch eg. rightsizing recommendations for VMs, specify the zones here. Supports wildcards, like `europe-north1*` |
+| vars | object | Additional parameters are registered and become available through Jinja expansion |
+
+Output parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| recommendations | list | List of recommendations (see [format](https://cloud.google.com/recommender/docs/reference/rest/v1/billingAccounts.locations.recommenders.recommendations#Recommendation)) |
+| insights | list | List of insights (see [format](https://cloud.google.com/recommender/docs/reference/rest/v1/billingAccounts.locations.insightTypes.insights#Insight)) |
+| recommendations_rollup | object | Roll up of recommendations per parent (eg. `recommendations_rollup[parent][subtype] = { link: "...", parent: "...", type: "...", count: 123, cost: { currency_code: "...", nanos: 123, units: 456} }`) |
+| insights_rollup | object | Roll up of insights per parent (eg. `insights_rollup[parent][subtype] = { link: "...", parent: "...", type: "...", count: 123 }`) |
+
+## Security Command Center
+
+Permissions:
+
+  - Browser (`roles/browser`) to fetch project details.
+
+Output parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| organization | string | Organization ID |
+| projects | string | Expanded projects (see project format at the end) |
+| finding | object | Findings details from SCC |
+
+## Groups
+
+Permissions:
+
+  - Groups: `Groups Reader` permission in Google Workspace for the service account.
+
+Input parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| serviceAccountEmail | string | Service account to use for getting scoped tokens (needs Groups Reader access in Workspace) |
+| query | string | Query for searching groups (see [format](https://cloud.google.com/identity/docs/reference/rest/v1/groups/search)) |
+| filter | string | Regular expression for filtering groups |
+
+Output parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| all_groups | object | All groups indexed by group email, format is output from Cloud Identity API with added field `memberships` |
+| groups_by_owner | object | All groups indexed by the owner(s) |
+| groups_by_manager | object | All grups indexed by the manager |
+
+## Directory
+
+Permissions:
+
+  - Groups: `Groups Reader` permission in Google Workspace for the service account for groups. 
+
+Input parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| api | enum | Type of API to call: groups, users, members, groupsettings |
+| groupUniqueIds | string | Group unique ID when calling groupsettings |
+| groupKey | string | Group key (group email address) when fetching members |
+| query | string | Query when searching [users](https://developers.google.com/admin-sdk/directory/v1/guides/search-users) or [groups](https://developers.google.com/admin-sdk/directory/v1/guides/search-groups) |
+| customerId | string | Customer (directory ID) ID when searching users or groups |
+| domain | string | Domain when searching for users or groups |
+| orderBy, sortOrder, maxResults, projection, showDeleted, viewType, customFieldMask, roles | varies | Additional parameters for searching groups and users |
+
+## Monitoring
+
+Permissions:
+
+  - Monitoring Viewer (`roles/monitoring.viewer`)
+
+Input parameters: 
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| timeSeries | list | List of time series to query |
+| pageSize | number | Page size for query (defaults to `10`) |
+| project | string | Project (Metrics Scope host) to query |
+| key | string | Key to index results by |
+| query | string | MQL query for |
+
+Output parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| time_series | object | List of fetched timeseries |
+
+## Cloud Asset Inventory
+
+Permissions:
+
+  - Cloud Asset Viewer (`roles/cloudasset.viewer`) on the correct level.
+
+Input parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| parent | string | Parent for querying the CAI API |
+| readTime | string | Snapshot time for CAI (optional) |
+| pageSize | number | Amount of objects to read at once |
+| contentType | string | Content type for query (set to `resource` to get all information) |
+| indexing | enum | How to index the results: `asset_type` (by asset type), `list` (simple list) |
+
+Output parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| assets | object or list | List of found assets |
+
+## BigQuery
+
+Permissions:
+
+  - BigQuery Job User (`roles/bigquery.jobUser`) and BigQuery Data Viewer
+    (`roles/bigquery.dataViewer`) to read data.
+
+Input parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| query | string | BigQuery query |
+| dialect | enum | Query dialect: legacy or standard (defaults to standard) |
+| project | string | Project to issue BigQuery queries against |
+| labels | object | Labels for the BigQuery query |
+
+Output parameters:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| records | list | List of found records |
+
+## Common
+
+### Expanded project list
+
+Many processors expand a project list which may be list of project IDs or numbers, the format is:
+
+| Field | Type | Description |
+| ----------- | ----------- | ----------- |
+| projects | list | List of projects in format: `[projectId, projectNumber, projectDisplayName, projectLabels]` |
diff --git a/tools/pubsub2inbox/README.md b/tools/pubsub2inbox/README.md
@@ -6,7 +6,7 @@ and output processors. Input processors can enrich the incoming messages with de
 (for example, fetching the budget from Cloud Billing Budgets API). Multiple output
 processors can be chained together. 
 
-Pubsub2Inbox is written in Python 3 and can be deployed as a Cloud Function easily.
+Pubsub2Inbox is written in Python 3.8+ and can be deployed as a Cloud Function easily.
 To guard credentials and other sensitive information, the tool can fetch its
 YAML configuration from Google Cloud Secret Manager.
 
@@ -31,7 +31,7 @@ Out of the box, you'll have the following functionality:
     - For example, you can turn any BigQuery query results into CSV files or email messages.
   - [Recommendations and Insights reports](examples/recommendations-example.yaml)
      - From [Recommender API](https://cloud.google.com/recommender/docs/overview).
-     - Also see [example with attached spreadsheet](examples/recommendations-example-2.yaml).
+     - Also see [example with attached spreadsheet](examples/recommendations-example-2.yaml) and [example with with GCS and BigQuery output](examples/recommendations-example-3.yaml)..
   - [Cloud Monitoring alerts](examples/monitoring-alert-config.yaml)
   - [Cloud Monitoring metrics](examples/cai.yaml)
   - [Cloud Asset Inventory search](examples/cai.yaml)
@@ -41,23 +41,31 @@ Out of the box, you'll have the following functionality:
      - Retrieves group and membership information from [Cloud Identity Groups API](https://cloud.google.com/identity/docs/apis)
      - Useful for example building membership review reports
   - [Groups that allow external members](examples/external-groups-example.yaml) ([general example for Directory API](examples/directory-example.yaml))
+  - [GCP projects](examples/projects-example.yaml)
+     - Retrieves a list of projects using Cloud Resource Manager API
   - Any JSON
     - [See the example of generic JSON processing](examples/generic-config.yaml)
 
 ## Input processors
 
 Available input processors are:
 
- - [budget.py](processors/budget.py): retrieves details from Cloud Billing Budgets
-   API and presents.
- - [scc.py](processors/scc.py): enriches Cloud Security Command Center
-   findings notifications.
- - [bigquery.py](processors/bigquery.py): queries from BigQuery datasets.
- - [genericjson.py](processors/genericjson.py): Parses message data as JSON and
-   presents it to output processors.
- - [recommendations.py](processors/recommendations.py): Retrieves recommendations
-   and insights from the [Recommender API](https://cloud.google.com/recommender/docs/overview).
- - [groups.py](processors/groups.py): Retrieves Cloud Identity Groups 
+  - [budget.py](processors/budget.py): retrieves details from Cloud Billing Budgets
+    API and presents.
+  - [scc.py](processors/scc.py): enriches Cloud Security Command Center
+    findings notifications.
+  - [bigquery.py](processors/bigquery.py): queries from BigQuery datasets.
+  - [genericjson.py](processors/genericjson.py): Parses message data as JSON and
+    presents it to output processors.
+  - [recommendations.py](processors/recommendations.py): Retrieves recommendations
+    and insights from the [Recommender API](https://cloud.google.com/recommender/docs/overview).
+  - [groups.py](processors/groups.py): Retrieves Cloud Identity Groups 
+  - [directory.py](processors/groups.py): Retrieves users, groups, group members and group settings
+  - [monitoring.py](processors/monitoring.py): Retrieves time series data from Cloud Ops Monitoring
+  - [projects.py](processors/projects.py): Searches or gets GCP project details
+  - [cai.py](processors/cai.py): Fetch assets from Cloud Asset Inventory
+
+For full documentation of permissions, processor input and output parameters, see [PROCESSORS.md](PROCESSORS.md).
 
 Please note that the input processors have some IAM requirements to be able to
 pull information from GCP:
@@ -66,29 +74,6 @@ pull information from GCP:
     - Storage Object Admin (`roles/storage.objectAdmin`)
  - Signed URL generation (see `filters/strings.py:generate_signed_url`)
     - Storage Admin on the bucket (`roles/storage.admin`)
- - Budgets: `budget.py`
-    - Billing Account Viewer (`roles/billing.viewer`) to retrieve budget details.
-    - Browser (`roles/browser`) to fetch project details.
- - Security Command Center: `scc.py`
-    - Browser (`roles/browser`) to fetch project details.
- - BigQuery: `bigquery.py`
-   - BigQuery Job User (`roles/bigquery.jobUser`) and BigQuery Data Viewer
-     (`roles/bigquery.dataViewer`) to read data.
-- Recommendations: `recommendations.py`
-   - Browser (`roles/browser`) to fetch project details.
-   - Compute Viewer (`roles/compute.viewer`)
-   - Compute Recommender Viewer (`roles/recommender.computeViewer`), Firewall
-     Recommender Viewer (`roles/recommender.firewallViewer`), IAM Recommender
-     Viewer (`roles/recommender.iamViewer`), Product Suggestion Recommender
-     Viewer (`roles/recommender.productSuggestionViewer`), Viewer of Billing 
-     Account Usage Commitment Recommender (`roles/recommender.billingAccountCudViewer`)
-     and/or Project Usage Commitment Recommender Viewer (`roles/recommender.projectCudViewer`).
-     If you want billing account level recommendations, also add Billing Account Viewer
-     (`roles/billing.viewer`) and Billing Account Usage Commitment Recommender Viewer
-     (`roles/recommender.billingAccountCudViewer`) on the billing account
-     itself.
-  - Groups: `Groups Reader` permission in admin.google.com for the serviec account.
-
 
 ## Output processors
 
@@ -102,6 +87,7 @@ Available output processors are:
   - [gcscopy.py](output/gcscopy.py): copies files between buckets.
   - [logger.py](output/logger.py): Logs message in Cloud Logging.
   - [pubsub.py](output/pubsub.py): Sends one or more Pub/Sub messages.
+  - [bigquery.py](output/bigquery.py): Sends output to a BigQuery table via a load job.
 
 Please note that the output processors have some IAM requirements to be able to
 pull information from GCP:
@@ -136,6 +122,25 @@ on the bucket.
 
 ## Deploying as Cloud Function
 
+### Deploying via Terraform
+
+Sample Terraform module is provided in `main.tf`, `variables.tf` and `outputs.tf`. Pass the following
+parameters in when using as a module:
+
+  - `project_id` (string): where to deploy the function
+  - `organization_id` (number): organization ID (for organization level permissions)
+  - `function_name` (string): name for the Cloud Function
+  - `function_roles` (list(string)): list of curated permissions roles for the function (eg. `scc`, `budgets`, `bigquery_reader`, `bigquery_writer`, `cai`, `recommender`, `monitoring`)
+  - `pubsub_topic` (string): Pub/Sub topic in the format of `projects/project-id/topics/topic-id` which the Cloud Function should be triggered on
+  - `region` (string, optional): region where to deploy the function
+  - `secret_id` (string, optional): name for the Cloud Secrets Manager secrets (defaults to `function_name`)
+  - `config_file` (string, optional): function configuration YAML file location (defaults to `config.yaml`)
+  - `service_account` (string, optional): service account name for the function (defaults to `function_name`)
+  - `bucket_name` (string, optional): bucket where to host the Cloud Function archive (defaults to `cf-pubsub2inbox`)
+  - `helper_bucket_name` (string, optional): specify an additional Cloud Storage bucket where the service account is granted `storage.objectAdmin` on
+  - `function_timeout` (number, optional): a timeout for the Cloud Function (defaults to `240` seconds)
+
+
 ### Deploying manually
 
 First, we have the configuration in `config.yaml` and we're going to store the configuration for
@@ -196,17 +201,12 @@ gcloud functions deploy $FUNCTION_NAME \
     --project $PROJECT_ID
 ```
 
-If you change the configuration, you can update it via:
-
-
-### Deploying via Terraform
-
-Sample Terraform scripts are provided in `main.tf`, `variables.tf` and `outputs.tf`.
-
 ### Running tests
 
 Run the command:
 
 ```
 # python3 -m unittest discover
-```
+```
+
+To set against a real cloud project, set `PROJECT_ID` environment variable.