#!/bin/bash
# Script to fetch GCP inventory for Lacework sizing.
# Requirements: gcloud, jq
# This script can be run from Google Cloud Shell.
# Set the initial counts to zero.
# Running totals, one per resource type, accumulated across every project
# visited by the loop below and printed in the summary at the end.
declare GCE_INSTANCES=0   # Compute Engine VMs that are not GKE nodes
declare GKE_INSTANCES=0   # Compute Engine VMs that look like GKE nodes
declare SQL_INSTANCES=0   # Cloud SQL instances
declare LOAD_BALANCERS=0  # forwarding rules (used as the load-balancer count)
declare GATEWAYS=0        # Cloud NAT gateways attached to Cloud Routers
# Uncomment and replace with your own list of projects. Otherwise the script
# scans all the projects in your organization. You must use the Project ID.
#PROJECT_IDS=(stitch-dev-289221 stitch-vault stitch-jenkins-288315 stitch-infra)
getProjects() {
  # Print the project ID of every project visible to the current gcloud
  # identity, one per line (raw strings, no JSON quoting).
  gcloud projects list --format json | jq -r '.[].projectId'
}
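function isComputeEnabled {
  # Succeeds (exit 0) when "compute.googleapis.com" appears among the service
  # names gcloud lists for the active project. The check is a substring match
  # on the name field; -F makes it a literal match so the dots are not regex
  # wildcards, and -- stops grep from parsing the pattern as an option.
  # NOTE(review): presumably "gcloud services list" reports only enabled
  # services by default — confirm against the gcloud version in use.
  gcloud services list --format json | jq -r '.[] | .name' | grep -qF -- "compute.googleapis.com"
}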
# NOTE - it is technically possible to have a Cloud SQL instance without the
# sqladmin API enabled, but the instance cannot be inspected programmatically
# unless that API is enabled.
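function isCloudSQLEnabled {
  # Succeeds (exit 0) when "sqladmin.googleapis.com" appears among the service
  # names gcloud lists for the active project. Substring match on the name
  # field; -F keeps the dots literal and -- protects against option parsing.
  gcloud services list --format json | jq -r '.[] | .name' | grep -qF -- "sqladmin.googleapis.com"
}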
getGKEInstances() {
  # Number of Compute Engine instances in the active project whose name
  # contains "gke-" — a name-based heuristic for GKE node VMs.
  local filter='[.[] | select(.name | contains("gke-"))] | length'
  gcloud compute instances list --format json | jq "$filter"
}
getGCEInstances() {
  # Number of Compute Engine instances in the active project whose name does
  # NOT contain "gke-", i.e. the complement of getGKEInstances.
  local filter='[.[] | select(.name | contains("gke-") | not)] | length'
  gcloud compute instances list --format json | jq "$filter"
}
getSQLInstances() {
  # Number of Cloud SQL instances in the active project (length of the
  # JSON list returned by gcloud).
  gcloud sql instances list --format=json | jq 'length'
}
getLoadBalancers() {
  # Number of forwarding rules in the active project; the script uses this
  # as its load-balancer count.
  gcloud compute forwarding-rules list --format=json | jq 'length'
}
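function getGateways {
  # Total number of Cloud NAT configurations across all Cloud Routers in the
  # active project. `add` over an empty list yields null (a project with no
  # routers), which would print the literal string "null" to the caller;
  # `// 0` keeps the output a number in that case. A router without a .nats
  # key contributes 0 because `null | length` is 0.
  gcloud compute routers list --format json | jq '[.[] | .nats | length] | add // 0'
}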
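# Define PROJECT_IDS above to scan a subset of projects. Otherwise we scan
# all of the projects in the organization.
projects=()
if [[ ${#PROJECT_IDS[@]} -eq 0 ]]; then
  # getProjects prints one project ID per line; collect them into an array
  # instead of relying on unquoted word-splitting of a single string.
  while IFS= read -r project_id; do
    [[ -n $project_id ]] && projects+=("$project_id")
  done < <(getProjects)
else
  # Accept PROJECT_IDS either as an array or as a whitespace-separated string.
  # shellcheck disable=SC2206 — intentional word-splitting; project IDs contain no whitespace
  projects=(${PROJECT_IDS[@]})
fi
# "gcloud config set project" rewrites the caller's active gcloud
# configuration. Remember the current project and put it back on exit so the
# operator is not left pointed at the last project scanned.
original_project=$(gcloud config get-value project 2>/dev/null)
restore_project() {
  if [[ -n $original_project ]]; then
    gcloud config set project "$original_project" >/dev/null 2>&1
  else
    gcloud config unset project >/dev/null 2>&1
  fi
}
trap restore_project EXIT
# Loop through all the projects and take inventory
for project in "${projects[@]}"; do
  echo ""
  echo "######################################################################"
  echo "Project: $project"
  # If the project cannot be selected (no access, typo, deleted project),
  # skip it; otherwise every count below would silently be taken from
  # whichever project was active before and added to the totals.
  if ! gcloud config set project "$project"; then
    echo "Could not select project $project; skipping." >&2
    continue
  fi
  if isComputeEnabled; then
    echo "Checking for compute resources."
    # Each helper prints a single integer, or nothing if its gcloud call
    # fails; default to 0 so an empty value cannot abort the arithmetic.
    # Update the GCE instances
    gce_inst=$(getGCEInstances)
    GCE_INSTANCES=$((GCE_INSTANCES + ${gce_inst:-0}))
    # Update the GKE instances
    gke_inst=$(getGKEInstances)
    GKE_INSTANCES=$((GKE_INSTANCES + ${gke_inst:-0}))
    # Update the load balancers
    lbs=$(getLoadBalancers)
    LOAD_BALANCERS=$((LOAD_BALANCERS + ${lbs:-0}))
    # Update the gateways
    gateways=$(getGateways)
    GATEWAYS=$((GATEWAYS + ${gateways:-0}))
  fi
  # Check for SQL instances
  if isCloudSQLEnabled; then
    echo "Checking for Cloud SQL instances."
    sqls=$(getSQLInstances)
    SQL_INSTANCES=$((SQL_INSTANCES + ${sqls:-0}))
  fi
done
echo "######################################################################"
echo "Lacework inventory collection complete."
echo ""
echo "GCE Instances: $GCE_INSTANCES"
echo "GKE Instances: $GKE_INSTANCES"
echo "Load Balancers: $LOAD_BALANCERS"
echo "Gateways: $GATEWAYS"
echo "SQL Instances: $SQL_INSTANCES"
echo "===================="
echo "Total Resources: $((GCE_INSTANCES + GKE_INSTANCES + LOAD_BALANCERS + GATEWAYS + SQL_INSTANCES))"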