Article Purpose.

GCP has improved by leaps and bounds over the past few years; however, it's not always easy to do things. The purpose of this article


You have gcloud installed, up to date, and appropriately configured. Additionally, these documents assume that you have the appropriate IAM policies associated with your user to execute these updates.

Securing VPCs

Private Google access

A best practice in VPC design is to have Private Google access configured on all subnets in your VPCs. This is configured at the subnet level; however, if you don't have it enabled on an existing VPC, it's a tedious process to go through all subnets in all regions to update them. Going through 20 subnets manually takes a while, and the VPC UI doesn't show whether the setting is enabled or disabled, so you may need to go through them a few times.

The solution: a one-liner to collect all usable subnets and have awk call gcloud to enable Private IP Google access on all subnets in all regions:

$ export PROJECT=network-123456  # Replace with network project id
$ gcloud compute networks subnets list-usable --project $PROJECT | awk '{if(NR>1)system("gcloud compute networks subnets update --project " $1 " --enable-private-ip-google-access --region " $2 " " $4)}'

There are situations where subnets of deleted VPCs may show up with the list-usable verb and you may end up with errors like this:

ERROR: (gcloud.compute.networks.subnets.update) Could not fetch resource:
 - The resource 'projects/networking-123456/regions/europe-west3/subnetworks/default' was not found

Enabling flow logs

The following is an example of enabling flow logs across all subnets:

$ export PROJECT=network-123456  # Replace with network project id
$ export AGGREGATION_INTERVAL=interval-5-sec
  # Valid choices are [interval-1-min, interval-10-min, interval-15-min, interval-30-sec, interval-5-min, interval-5-sec]
$ export FLOW_SAMPLING=0.1  # Replace with sampling percentage, value between 0.0 (none) and 1.0 (all)
$ gcloud compute networks subnets list-usable --project $PROJECT | awk '{if(NR>1)system("gcloud compute networks subnets update --project " $1 " --enable-flow-logs --region " $2 " --logging-aggregation-interval=" ENVIRON["AGGREGATION_INTERVAL"] " --logging-flow-sampling=" ENVIRON["FLOW_SAMPLING"] " " $4)}'
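
An added example, not from the original article: a check-then-fix pass for both settings above. It reports which subnets still lack Private Google access or flow logs (the state the VPC UI does not show) and keeps going when an update fails on a stale subnet. The function names and sample rows are constructed, and it assumes `logConfig.enable` is the field that reflects flow-log state and that gcloud prints booleans as True/False in CSV output.

```shell
#!/usr/bin/env bash
# Constructed sample of the CSV rows list_subnet_state emits (not real data).
SAMPLE_ROWS='us-central1,app,True,True
europe-west3,default,False,
asia-east1,db,True,False'

# Emit region,name,privateIpGoogleAccess,logConfig.enable for every subnet
# in project $1. Field choice for flow logs is an assumption (see lead-in).
list_subnet_state() {
  gcloud compute networks subnets list --project "$1" \
    --format='csv[no-heading](region.basename(),name,privateIpGoogleAccess,logConfig.enable)'
}

# Read those rows on stdin and print "<region> <subnet> <flag>" once per
# missing setting. An empty field counts as disabled.
find_gaps() {
  awk -F, '
    tolower($3) != "true" { print $1, $2, "--enable-private-ip-google-access" }
    tolower($4) != "true" { print $1, $2, "--enable-flow-logs" }'
}

# Apply each gap as its own update call. A failure (for example the
# "was not found" error from a deleted VPC) is logged and the loop continues.
# The return status is the number of failed updates.
fix_gaps() {
  project=$1
  failed=0
  while read -r region subnet flag; do
    # </dev/null stops gcloud from consuming the rows the loop is reading.
    if ! gcloud compute networks subnets update "$subnet" \
         --project "$project" --region "$region" "$flag" </dev/null; then
      echo "FAILED: $region/$subnet $flag" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage:
#   list_subnet_state "$PROJECT" | find_gaps | fix_gaps "$PROJECT"
#   list_subnet_state "$PROJECT" | find_gaps   # rerun: lists what is still open
```

Rerunning the audit after the fix pass shows exactly which subnets remain unprotected, so failed updates are not lost in scrollback.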