GCloud One-liners, Tips & Tricks

Some CLI one-liners for pulling the results you need out of GCP with gcloud. To run these commands, make sure jq is installed and gcloud is configured on your system.

Note
When you save the code in a file, say gcp.sh, and redirect its output with a command like bash gcp.sh > gcp_output, gcloud's standard error is not written to the file. Permission errors will therefore not pollute the output, but do check them manually: a project that fails with an error silently drops its resources from the results.

Get list of VMs and their OS in all GCP projects

Executing the following displays the project name, disk name and source image name, with all values separated by commas. Saving the standard output to a file gives you a CSV that other automation tools can parse later.

echo "Project Name,Disk Name,Source Image"
for projectname in $(gcloud projects list --format json | jq -r '.[].projectId'); do
  # disks created from a snapshot or blank have no sourceImage; emit an empty field instead of "null"
  gcloud compute disks list -q --project "$projectname" --format json |
  jq -r '.[] | [.name, (.sourceImage // "")] | @tsv' |
  while IFS=$'\t' read -r diskname sourceimage; do
    # keep only the last path component of the source image URL, which is the image name
    os=${sourceimage##*/}
    echo "$projectname,$diskname,$os"
  done
done

Get list of firewall rules (per project) which allow IP range 0.0.0.0/0

Allowing public access to non-standard ports can sometimes be deadly. The following command lists the firewall rules whose source range is 0.0.0.0/0, with their name, allowed ports and target tags.

gcloud compute firewall-rules list --project PROJECT_NAME --filter="sourceRanges.list()='0.0.0.0/0'" --format="table(
        name,
        allowed[].map().firewall_rule().list():label=ALLOW,
        targetTags.list():label=[TARGET_TAGS]
        )"

To get a very detailed list of firewall rules:

gcloud compute firewall-rules list --project PROJECT_NAME --filter="sourceRanges.list()='0.0.0.0/0'" --sort-by priority --format="table(
        name,
        network,
        sourceRanges.list():label=[SRC_RANGES],
        destinationRanges.list():label=[DEST_RANGES],
        allowed[].map().firewall_rule().list():label=ALLOW,
        denied[].map().firewall_rule().list():label=DENY,
        sourceTags.list():label=[SRC_TAGS],
        targetTags.list():label=[TARGET_TAGS]
        )"

Get a detailed CSV of all the firewall rules in all GCP projects

gcloud can also emit results as CSV. To get a detailed list of all firewall rules across all GCP projects:

echo "Project Name,Firewall Name,Network,Source Range,Destination Range,Allowed Ports,Denied Ports,Source Tags,Target Tags"
for projectname in $(gcloud projects list --format json | jq -r '.[].projectId'); do
    # 2>/dev/null hides per-project permission errors; see the note at the top
    gcloud compute firewall-rules list -q --project "$projectname" --sort-by priority --format="csv(
        name,
        network,
        sourceRanges.list():label='src ranges',
        destinationRanges.list():label='dest ranges',
        allowed[].map().firewall_rule().list():label='allow',
        denied[].map().firewall_rule().list():label='deny',
        sourceTags.list():label='src tags',
        targetTags.list():label='target tags')" 2>/dev/null |
    # drop the CSV header that gcloud prints for every project
    sed 1d |
    while IFS= read -r line; do
        echo "$projectname,$line"
    done
done
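As an added example (bash; not part of the original page), the following checks the CSV produced by the loop above for the risky case from the previous section: rules whose source ranges include 0.0.0.0/0 and whose allowed entries are not on a short list of expected public ports. The allow-list ALLOWED_PUBLIC, the function names and the sample rows are assumptions of this example.

```bash
# Added example (not from the original page): flag firewall rules open to the
# whole Internet (0.0.0.0/0) on anything but an allow-list of public ports.
# Assumption for this example: only plain web ports are expected to be public.
ALLOWED_PUBLIC=${ALLOWED_PUBLIC:-"tcp:80 tcp:443"}
# csv_fields LINE: split one gcloud CSV row into the global array F. gcloud quotes
# list() fields containing commas ("tcp:22,tcp:80"), so a plain IFS=, split fails.
csv_fields() {
  local rest=$1 field
  F=()
  while :; do
    if [[ $rest == \"* ]]; then        # quoted field: read up to the closing quote
      rest=${rest#\"}; field=${rest%%\"*}; rest=${rest#*\"}
    else                               # bare field: read up to the next comma
      field=${rest%%,*}
    fi
    F+=("$field")
    [[ $rest == *,* ]] || break        # no separator left: that was the last field
    rest=${rest#*,}
  done
}
# flag_world_open: reads the CSV on stdin and prints "project,rule,entry" for each
# allow entry of a 0.0.0.0/0 rule that is not in ALLOWED_PUBLIC ("all" and port
# ranges such as tcp:8000-9000 never match the list, so they are always flagged).
flag_world_open() {
  local line r entry public ranges entries
  while IFS= read -r line; do
    if [[ -z $line || $line == "Project Name,"* ]]; then continue; fi   # blank/header
    csv_fields "$line"
    public=0
    IFS=, read -ra ranges <<< "${F[3]}"      # column 4: source ranges
    for r in "${ranges[@]}"; do if [[ $r == 0.0.0.0/0 ]]; then public=1; fi; done
    (( public )) || continue
    IFS=, read -ra entries <<< "${F[5]}"     # column 6: allowed protocol:port list
    for entry in "${entries[@]}"; do
      case " $ALLOWED_PUBLIC " in
        *" $entry "*) ;;                     # expected public port, ignore
        *) printf '%s,%s,%s\n' "${F[0]}" "${F[1]}" "$entry" ;;
      esac
    done
  done
}
# Constructed sample rows in the loop's column order: project,name,network,
# src ranges,dest ranges,allow,deny,src tags,target tags
SAMPLE_CSV='Project Name,Firewall Name,Network,Source Range,Destination Range,Allowed Ports,Denied Ports,Source Tags,Target Tags
proj-a,allow-web,default,0.0.0.0/0,,"tcp:80,tcp:443",,,web
proj-a,allow-ssh-world,default,0.0.0.0/0,,tcp:22,,,
proj-b,allow-internal,default,"10.0.0.0/8,192.168.0.0/16",,all,,,
proj-b,allow-all-world,prod,"0.0.0.0/0,10.0.0.0/8",,all,,,'
printf '%s\n' "$SAMPLE_CSV" | flag_world_open   # prints the two risky rules
```

On real data, save the loop's output with bash gcp.sh > fw.csv and run flag_world_open < fw.csv.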

Get a detailed CSV of all the Kubernetes clusters in all GCP projects

The following lists every Kubernetes cluster in every project along with its endpoint, current master and node versions, and whether the Kubernetes dashboard add-on and the network policy config are disabled.

echo '"Project Name","Cluster Name","Endpoint","Master Version","Node Version","K8S Dashboard Disabled","Network Policy Config"'
for projectname in $(gcloud projects list --format json | jq -r '.[].projectId'); do
  # pass the project name into jq so every row starts with it
  gcloud container clusters list --project "$projectname" --format json |
  jq --arg projname "$projectname" -r '.[] | [$projname, .name, .endpoint, .currentMasterVersion, .currentNodeVersion, .addonsConfig.kubernetesDashboard.disabled, .addonsConfig.networkPolicyConfig.disabled] | @csv'
done

Get list of all A and CNAME records in a GCP project

for zone in $(gcloud dns managed-zones list -q --project ProjectName --format json | jq -r '.[].name'); do
    # print only the names of record sets of type A or CNAME
    gcloud dns record-sets list --zone "$zone" --project ProjectName --format json |
    jq -r '.[] | select(.type == "A" or .type == "CNAME") | .name'
done