
Project


Note: if you are running CloudGraph locally, you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the information below, we highly suggest you use one of these tools to test your queries, as they will autocomplete fields for you and let you know whether your queries are valid before you even submit them.

Overview

You can currently query the following attributes and connections on a GCP Project:

query {
  querygcpProject {
    id
    name
    parent
    projectId
    state
    displayName
    createTime
    updateTime
    deleteTime
    etag
    labels {
      id
      key
      value
    }
    dnsManagedZones {
      id
      # Other attributes and connections here...
    }
    dnsPolicies {
      id
      # Other attributes and connections here...
    }
    iamPolicies {
      id
      # Other attributes and connections here...
    }
    logBuckets {
      id
      # Other attributes and connections here...
    }
    logViews {
      id
      # Other attributes and connections here...
    }
    logSinks {
      id
      # Other attributes and connections here...
    }
    storageBuckets {
      id
      # Other attributes and connections here...
    }
    firewalls {
      id
      # Other attributes and connections here...
    }
    folder {
      id
      # Other attributes and connections here...
    }
    organization {
      id
      # Other attributes and connections here...
    }
    secrets {
      id
      # Other attributes and connections here...
    }
    networks {
      id
      # Other attributes and connections here...
    }
    subnets {
      id
      # Other attributes and connections here...
    }
    vmInstances {
      id
      # Other attributes and connections here...
    }
  }
}


Filtering

Get data for a single GCP Project that you know the ID for:

query {
  getgcpProject(id: "12345") {
    id
    # Other attributes and connections here...
  }
}

# Or you can query using the "querygcpProject" method

query {
  querygcpProject(filter: { projectId: { eq: "12345" } }) {
    id
    # Other attributes and connections here...
  }
}

# Note that in addition to "projectId" you can
# filter based on any of the following attributes:

# id
# name
# parent
# projectId
# state
# displayName
# createTime
# updateTime
# deleteTime
# etag

# And the following Dgraph filters can also be applied:

# has
# and
# or
# not
# regexp (regular expressions)

# fulltext filters

# alloftext
# anyoftext


Get data for all of the GCP projects that do NOT match a certain projectId:

query {
  querygcpProject(filter: { not: { projectId: { eq: "12345" } } }) {
    id
    # Other attributes and connections here...
  }
}


Advanced Filtering

Get data for all of the GCP projects that have Storage Buckets in them:

query {
  querygcpProject(filter: { has: storageBuckets }) {
    id
    # Other attributes and connections here...
  }
}

# Note that in addition to "storageBuckets" you can filter
# using "has" based on any of the following attributes:

# id
# name
# parent
# projectId
# state
# displayName
# createTime
# updateTime
# deleteTime
# etag
# labels
# alertPolicies
# apiKeys
# cdnBackendBucket
# cdnBackendService
# cdnUrlMap
# cloudFunctions
# computeProject
# dnsManagedZones
# dnsPolicies
# bigQueryDataset
# bigQueryConnection
# bigQueryReservation
# bigQueryReservationCapacityCommitment
# bigQueryDataTransfer
# bigQueryDataTransferRun
# vpcConnectors
# kmsKeyRing
# cloudRouters
# iamPolicies
# logBuckets
# logMetrics
# logViews
# logSinks
# storageBuckets
# firewalls
# folder
# organization
# secrets
# sslPolicies
# networks
# subnets
# targetSslProxies
# targetHttpsProxies
# vmInstances
# assets
# sqlInstances
# serviceAccounts
# kmsCryptoKeys
# dataprocClusters
# dataprocAutoscalingPolicies
# dataprocJobs
# dataprocWorkflowTemplates
# aiPlatformNotebooks
# apiGatewayGateways
# apiGatewayApis
# apiGatewayApiConfigs
# firestoreDatabases
# CISFindings


Use multiple filter selectors (i.e. has, and, not, or) to get data for all of the GCP projects that have Cloud Functions AND VMs, OR that do not have Folders. Note that you can use has, and, not, and or completely independently of each other:

query {
  querygcpProject(
    filter: {
      has: cloudFunctions
      and: { has: vmInstances }
      or: { not: { has: folder } }
    }
  ) {
    id
    # Other attributes and connections here...
  }
}


You may also filter using a regex when filtering on a string field like name if you want to look for a value that matches say, "name-of-project":

query {
  querygcpProject(filter: { name: { regexp: "/.*name-of-project.*/" } }) {
    id
    # Other attributes and connections here...
  }
}


Ordering

You can order the results you get back either asc or desc depending on your preference:

query {
  querygcpProject(order: { asc: projectId }) {
    id
    # Other attributes and connections here...
  }
}

# Note that in addition to "projectId" you can order
# using "asc" or "desc" based on any of the following attributes:

# id
# name
# parent
# projectId
# state
# displayName
# createTime
# updateTime
# deleteTime
# etag


Only select and return the first two Projects that are found:

query {
  querygcpProject(first: 2, order: { desc: projectId }) {
    projectId
    # Other attributes and connections here...
  }
}


Only select and return the first two Projects that are found, but offset by one so Projects two & three are returned:

query {
  querygcpProject(first: 2, order: { desc: projectId }, offset: 1) {
    projectId
    # Other attributes and connections here...
  }
}
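
Walking the whole result set with first and offset, as an added example that is not part of the CloudGraph docs or code base. An inventory or audit that reads only the first page silently misses projects, so the loop keeps a fixed order and stops on the first short page. `post_graphql`, `iter_projects`, `fake_send` and the sample data are hypothetical names, and the sketch assumes the API accepts standard GraphQL variables for `first` and `offset`.

```python
import json
import urllib.request

# first/offset as variables; a fixed order keeps page boundaries stable.
PAGE_QUERY = """
query ($first: Int, $offset: Int) {
  querygcpProject(first: $first, offset: $offset, order: { asc: projectId }) {
    projectId
    state
  }
}
"""

def post_graphql(endpoint, query, variables):
    """POST one GraphQL request; return its "data" object or raise on errors."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        endpoint, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(payload["errors"])
    return payload["data"]

def iter_projects(send, page_size=2):
    """Yield every project; send(query, variables) must return "data"."""
    offset = 0
    while True:
        data = send(PAGE_QUERY, {"first": page_size, "offset": offset})
        page = data.get("querygcpProject") or []
        yield from page
        if len(page) < page_size:  # short page: nothing left to fetch
            return
        offset += page_size

# Constructed stand-in for a CloudGraph endpoint so the example runs offline.
FAKE_PROJECTS = [{"projectId": f"proj-{i}", "state": "ACTIVE"} for i in range(5)]
CALLS = []

def fake_send(query, variables):
    CALLS.append(dict(variables))
    start = variables["offset"]
    return {"querygcpProject": FAKE_PROJECTS[start:start + variables["first"]]}

if __name__ == "__main__":
    # Live use (hypothetical URL): send = lambda q, v: post_graphql(URL, q, v)
    print([p["projectId"] for p in iter_projects(fake_send)])
```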


Aggregation

Count the number of GCP Projects across all scanned GCP projects:

query {
  aggregategcpProject {
    count
    # Other attributes and connections here...
  }
}

# Note that in addition to "count" you can request the
# following min and max values based on attributes of your project:

# idMin
# idMax
# nameMin
# nameMax
# parentMin
# parentMax
# projectIdMin
# projectIdMax
# stateMin
# stateMax
# displayNameMin
# displayNameMax
# createTimeMin
# createTimeMax
# updateTimeMin
# updateTimeMax
# deleteTimeMin
# deleteTimeMax
# etagMin
# etagMax


Count the number of GCP projects that were created at a certain time. Note that you can apply all of the same filters that are listed above to aggregate queries.

query {
  aggregategcpProject(filter: { createTime: { eq: "sometime" } }) {
    count
    # Other attributes and connections here...
  }
}


Examples

Search across all of your GCP projects to get their networks and each CIDR for each network:

query {
  querygcpProject {
    networks {
      ipV4Range
    }
  }
}



Get the VM Instances for a given project using advanced filtering:

query {
  querygcpProject(
    filter: {
      createTime: { eq: "sometime" }
      name: { regexp: "/.*name-of-project.*/" }
      has: vmInstances
    }
  ) {
    networks {
      ipV4Range
      subnets {
        id
        vmInstances {
          id
        }
      }
    }
  }
}



With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:

query {
  querygcpProject(
    filter: {
      createTime: { eq: "sometime" }
      name: { regexp: "/.*name-of-project.*/" }
      has: vmInstances
    }
  ) {
    networks {
      ipV4Range
      subnets {
        id
        vmInstances {
          id
        }
      }
    }
  }
  aggregategcpProject(filter: { createTime: { eq: "sometime" } }) {
    count
    # Other attributes and connections here...
  }
}


Kitchen Sink

Putting it all together: get all data for all GCP Projects across all regions for all scanned GCP projects in a single query. For the purposes of this example we will only get direct children of the Projects, but if you want to, it's easy to go from, say, Project VPC -> Subnet -> VM, etc.:

query {
  querygcpProject {
    id
    name
    parent
    projectId
    state
    displayName
    createTime
    updateTime
    deleteTime
    etag
    labels {
      id
      key
      value
    }
    dnsManagedZones {
      id
      projectId
      region
      name
      kind
      dnsName
      description
      nameServers
      dnssecConfigKind
      dnssecConfigState
      dnssecConfigDefaultKeySpecs {
        id
        # Other attributes and connections here...
      }
      dnssecConfigNonExistence
      nameServerSet
      visibility
      privateVisibilityConfigKind
      privateVisibilityConfigNetworks {
        id
        # Other attributes and connections here...
      }
      forwardingConfigKind
      forwardingConfigTargetNameServers {
        id
        # Other attributes and connections here...
      }
      labels {
        id
        # Other attributes and connections here...
      }
      peeringConfigKind
      peeringConfigTargetNetworkKind
      peeringConfigTargetNetworkUrl
      peeringConfigTargetNetworkDeactivateTime
      reverseLookupConfigKind
      serviceDirectoryConfigKind
      serviceDirectoryConfigNamespaceKind
      serviceDirectoryConfigNamespaceUrl
      serviceDirectoryConfigNamespaceDeactivateTime
      cloudLoggingConfigKind
      cloudLoggingConfigEnableLogging
      project {
        id
      }
    }
    dnsPolicies {
      id
      projectId
      region
      name
      kind
      enableInboundForwarding
      description
      alternativeNameServerConfigKind
      alternativeNameServerConfigTargetNameServers {
        id
        # Other attributes and connections here...
      }
      enableLogging
      network {
        id
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }

      # Other attributes and connections here...
    }
    kmsCryptoKeys {
      id
      projectId
      region
      name
      createTime
      project {
        id
        # Other attributes and connections here...
      }
    }
    iamPolicies {
      id
      projectId
      version
      bindings {
        id
        # Other attributes and connections here...
      }
      etag
      project {
        id
        # Other attributes and connections here...
      }
      # Other attributes and connections here...
    }
    logBuckets {
      id
      projectId
      name
      region
      description
      createTime
      updateTime
      retentionDays
      locked
      lifecycleState
      logView {
        id
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }
    }
    logViews {
      id
      projectId
      name
      region
      description
      createTime
      updateTime
      filter
      project {
        id
        # Other attributes and connections here...
      }
      logBucket {
        id
        # Other attributes and connections here...
      }
    }
    logSinks {
      id
      projectId
      name
      region
      destination
      filter
      description
      disabled
      exclusions {
        id
      }
      outputVersionFormat
      writerIdentity
      includeChildren
      bigqueryOptions {
        usePartitionedTables
        # Other attributes and connections here...
      }
      createTime
      updateTime
      project {
        id
        # Other attributes and connections here...
      }
    }
    storageBuckets {
      id
      projectId
      region
      name
      kind
      selfLink
      projectNumber
      metageneration
      location
      storageClass
      etag
      defaultEventBasedHold
      timeCreated
      updated
      labels {
        id
        # Other attributes and connections here...
      }
      iamConfiguration {
        publicAccessPrevention
        # Other attributes and connections here...
      }
      locationType
      satisfiesPZS
      rpo
      baseUrl
      pollIntervalMs
      userProject
      project {
        id
        # Other attributes and connections here...
      }
    }
    firewalls {
      id
      projectId
      name
      region
      allowed {
        id
        # Other attributes and connections here...
      }
      creationTimestamp
      denied {
        id
        # Other attributes and connections here...
      }
      description
      destinationRanges
      direction
      disabled
      kind
      logConfig {
        enable
        # Other attributes and connections here...
      }
      priority
      selfLink
      sourceRanges
      sourceServiceAccounts
      sourceTags
      targetServiceAccounts
      targetTags
      network {
        id
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }
    }
    folder {
      id
      projectId
      region
      name
      parent
      displayName
      state
      createTime
      updateTime
      deleteTime
      etag
      organization {
        id
        # Other attributes and connections here...
      }
      projects {
        id
        # Other attributes and connections here...
      }
    }
    organization {
      id
      projectId
      region
      name
      displayName
      directoryCustomerId
      state
      createTime
      updateTime
      deleteTime
      etag
      folders {
        id
        # Other attributes and connections here...
      }
      projects {
        id
        # Other attributes and connections here...
      }
    }
    secrets {
      id
      projectId
      region
      name
      replication {
        automatic {
          customerManagedEncryption {
            kmsKeyName
          }
        }
        # Other attributes and connections here...
      }
      createTime
      labels {
        id
        # Other attributes and connections here...
      }
      topics {
        id
        # Other attributes and connections here...
      }
      expireTime
      ttl {
        nanos
        # Other attributes and connections here...
      }
      etag
      rotation {
        rotationPeriod {
          seconds
        }
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }
    }
    networks {
      id
      projectId
      region
      name
      ipV4Range
      autoCreateSubnetworks
      creationTimestamp
      description
      gatewayIPv4
      kind
      mtu
      peerings {
        id
        # Other attributes and connections here...
      }
      routingConfig {
        routingMode
        # Other attributes and connections here...
      }
      selfLink
      dnsPolicies {
        id
        # Other attributes and connections here...
      }
      firewalls {
        id
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }
      subnets {
        id
        # Other attributes and connections here...
      }
      vmInstances {
        id
        # Other attributes and connections here...
      }
      # Other attributes and connections here...
    }
    subnets {
      id
      projectId
      region
      name
      creationTimestamp
      description
      enableFlowLogs
      fingerprint
      gatewayAddress
      ipCidrRange
      ipv6CidrRange
      kind
      logConfig {
        enable
        # Other attributes and connections here...
      }
      privateIpGoogleAccess
      privateIpv6GoogleAccess
      purpose
      role
      secondaryIpRanges {
        id
        # Other attributes and connections here...
      }
      selfLink
      state
      project {
        id
        # Other attributes and connections here...
      }
      network {
        id
        # Other attributes and connections here...
      }
      vmInstances {
        id
        # Other attributes and connections here...
      }
    }
    vmInstances {
      id
      projectId
      region
      name
      advancedMachineFeatures {
        threadsPerCore
        # Other attributes and connections here...
      }
      canIpForward
      confidentialInstanceConfig {
        enableConfidentialCompute
        # Other attributes and connections here...
      }
      cpuPlatform
      creationTimestamp
      deletionProtection
      description
      disks {
        id
        # Other attributes and connections here...
      }
      displayDevice {
        enableDisplay
        # Other attributes and connections here...
      }
      fingerprint
      guestAccelerators {
        id
        # Other attributes and connections here...
      }
      hostname
      kind
      labelFingerprint
      labels {
        id
        # Other attributes and connections here...
      }
      lastStartTimestamp
      lastStopTimestamp
      lastSuspendedTimestamp
      machineType
      metadata {
        kind
        # Other attributes and connections here...
      }
      minCpuPlatform
      privateIpv6GoogleAccess
      reservationAffinity {
        key
        # Other attributes and connections here...
      }
      resourcePolicies
      satisfiesPzs
      scheduling {
        minNodeCpus
        # Other attributes and connections here...
      }
      selfLink
      serviceAccounts {
        id
        # Other attributes and connections here...
      }
      shieldedInstanceConfig {
        enableVtpm
        # Other attributes and connections here...
      }
      shieldedInstanceIntegrityPolicy {
        updateAutoLearnPolicy
        # Other attributes and connections here...
      }
      startRestricted
      status
      statusMessage
      tags {
        items
        # Other attributes and connections here...
      }
      zone
      project {
        id
        # Other attributes and connections here...
      }
      network {
        id
        # Other attributes and connections here...
      }
      subnet {
        id
        # Other attributes and connections here...
      }
    }
  }
}
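
One way to turn the fields listed in this query into a posture check, as an added example that is not part of the CloudGraph docs or code base: it flags enabled ingress allow rules open to any source and buckets without enforced public access prevention. `POSTURE_QUERY`, `is_any_source` and `audit` are hypothetical names and the sample response is constructed; it assumes `sourceRanges` is a list of CIDR strings and that `direction` and `publicAccessPrevention` carry the GCP API values `INGRESS` and `enforced`.

```python
import ipaddress

# Selects only fields that appear in the Kitchen Sink query above.
POSTURE_QUERY = """
query {
  querygcpProject {
    projectId
    firewalls { name direction disabled sourceRanges allowed { id } }
    storageBuckets { name iamConfiguration { publicAccessPrevention } }
  }
}
"""

def is_any_source(cidr):
    """True when a CIDR covers every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a CIDR: skip it instead of aborting the audit

def audit(projects):
    """Return (projectId, resource name, finding) tuples in traversal order."""
    findings = []
    for p in projects or []:
        pid = p.get("projectId")
        for fw in p.get("firewalls") or []:  # connections may come back as null
            live_allow = (fw.get("direction") == "INGRESS"  # assumed GCP API value
                          and not fw.get("disabled") and fw.get("allowed"))
            if live_allow and any(is_any_source(r) for r in fw.get("sourceRanges") or []):
                findings.append((pid, fw.get("name"), "ingress allowed from any source"))
        for b in p.get("storageBuckets") or []:
            pap = (b.get("iamConfiguration") or {}).get("publicAccessPrevention")
            if pap != "enforced":  # assumed GCP API value
                findings.append((pid, b.get("name"), "public access prevention not enforced"))
    return findings

# Constructed sample of the "data" object in a response to POSTURE_QUERY.
SAMPLE = {"querygcpProject": [
    {"projectId": "demo-prod",
     "firewalls": [
         {"name": "allow-ssh", "direction": "INGRESS", "disabled": False,
          "sourceRanges": ["0.0.0.0/0"], "allowed": [{"id": "a1"}]},
         {"name": "old-rdp", "direction": "INGRESS", "disabled": True,
          "sourceRanges": ["0.0.0.0/0"], "allowed": [{"id": "a2"}]},
         {"name": "deny-all", "direction": "INGRESS", "disabled": False,
          "sourceRanges": ["0.0.0.0/0"], "allowed": []}],
     "storageBuckets": [
         {"name": "assets", "iamConfiguration": {"publicAccessPrevention": "inherited"}},
         {"name": "backups", "iamConfiguration": {"publicAccessPrevention": "enforced"}}]},
    {"projectId": "demo-empty", "firewalls": None, "storageBuckets": []},
]}

if __name__ == "__main__":
    print(*audit(SAMPLE["querygcpProject"]), sep="\n")
```

The disabled rule and the deny-only rule in the sample are deliberately not reported, since neither admits traffic.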


References

Dgraph documentation on querying

GCP Project Documentation

Updated 03 Mar 2023