Project
Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes and connections on a GCP Project:
```graphql
query {
  querygcpProject {
    id
    name
    parent
    projectId
    state
    displayName
    createTime
    updateTime
    deleteTime
    etag
    labels {
      id
      key
      value
    }
    dnsManagedZones {
      id
      # Other attributes and connections here...
    }
    dnsPolicies {
      id
      # Other attributes and connections here...
    }
    iamPolicies {
      id
      # Other attributes and connections here...
    }
    logBuckets {
      id
      # Other attributes and connections here...
    }
    logViews {
      id
      # Other attributes and connections here...
    }
    logSinks {
      id
      # Other attributes and connections here...
    }
    storageBuckets {
      id
      # Other attributes and connections here...
    }
    firewalls {
      id
      # Other attributes and connections here...
    }
    folder {
      id
      # Other attributes and connections here...
    }
    organization {
      id
      # Other attributes and connections here...
    }
    secrets {
      id
      # Other attributes and connections here...
    }
    networks {
      id
      # Other attributes and connections here...
    }
    subnets {
      id
      # Other attributes and connections here...
    }
    vmInstances {
      id
      # Other attributes and connections here...
    }
  }
}
```
Get data for a single GCP Project that you know the ID for:
```graphql
query {
  getgcpProject(id: "12345") {
    id
    # Other attributes and connections here...
  }
}

# Or you can query using the "querygcpProject" method

query {
  querygcpProject(filter: { projectId: { eq: "12345" } }) {
    id
    # Other attributes and connections here...
  }
}

# Note that in addition to "projectId" you can
# filter based on any of the following attributes:

# id
# name
# parent
# projectId
# state
# displayName
# createTime
# updateTime
# deleteTime
# etag

# And the following Dgraph filters can also be applied:

# has
# and
# or
# not
# regexp (regular expressions)

# fulltext filters

# alloftext
# anyoftext
```
Get data for all of the GCP projects that do NOT match a certain projectId:
```graphql
query {
  querygcpProject(filter: { not: { projectId: { eq: "12345" } } }) {
    id
    # Other attributes and connections here...
  }
}
```
Get data for all of the GCP projects that have Storage Buckets in them:
```graphql
query {
  querygcpProject(filter: { has: storageBuckets }) {
    id
    # Other attributes and connections here...
  }
}

# Note that in addition to "storageBuckets" you can filter
# using "has" based on any of the following attributes:

# id
# name
# parent
# projectId
# state
# displayName
# createTime
# updateTime
# deleteTime
# etag
# labels
# alertPolicies
# apiKeys
# cdnBackendBucket
# cdnBackendService
# cdnUrlMap
# cloudFunctions
# computeProject
# dnsManagedZones
# dnsPolicies
# bigQueryDataset
# bigQueryConnection
# bigQueryReservation
# bigQueryReservationCapacityCommitment
# bigQueryDataTransfer
# bigQueryDataTransferRun
# vpcConnectors
# kmsKeyRing
# cloudRouters
# iamPolicies
# logBuckets
# logMetrics
# logViews
# logSinks
# storageBuckets
# firewalls
# folder
# organization
# secrets
# sslPolicies
# networks
# subnets
# targetSslProxies
# targetHttpsProxies
# vmInstances
# assets
# sqlInstances
# serviceAccounts
# kmsCryptoKeys
# dataprocClusters
# dataprocAutoscalingPolicies
# dataprocJobs
# dataprocWorkflowTemplates
# aiPlatformNotebooks
# apiGatewayGateways
# apiGatewayApis
# apiGatewayApiConfigs
# firestoreDatabases
# CISFindings
```
Use multiple filter selectors (i.e. has, and, not, or) to get data for all of the GCP projects that have Cloud Functions AND VMs OR that do not have Folders. Note that you can use has, and, not, or completely independently of each other:
```graphql
query {
  querygcpProject(
    filter: {
      has: cloudFunctions
      and: { has: vmInstances }
      or: { not: { has: folder } }
    }
  ) {
    id
    # Other attributes and connections here...
  }
}
```
You may also filter using a regex when filtering on a string field like name if you want to look for a value that matches say, "name-of-project":
```graphql
query {
  querygcpProject(filter: { name: { regexp: "/.*name-of-project*/" } }) {
    id
    # Other attributes and connections here...
  }
}
```
You can order the results you get back either asc or desc depending on your preference:
```graphql
query {
  querygcpProject(order: { asc: projectId }) {
    id
    # Other attributes and connections here...
  }
}

# Note that in addition to "projectId" you can order
# using "asc" or "desc" based on any of the following attributes:

# id
# name
# parent
# projectId
# state
# displayName
# createTime
# updateTime
# deleteTime
# etag
```
Only select and return the first two Projects that are found:
```graphql
query {
  querygcpProject(first: 2, order: { desc: projectId }) {
    projectId
    # Other attributes and connections here...
  }
}
```
Only select and return the first two Projects that are found, but offset by one so Projects two & three are returned:
```graphql
query {
  querygcpProject(first: 2, order: { desc: projectId }, offset: 1) {
    projectId
    # Other attributes and connections here...
  }
}
```
Count the number of GCP Projects across all scanned GCP projects:
```graphql
query {
  aggregategcpProject {
    count
    # Other attributes and connections here...
  }
}

# Note that in addition to "count" you can request the
# following min and max values based on attributes of your project:

# idMin
# idMax
# nameMin
# nameMax
# parentMin
# parentMax
# projectIdMin
# projectIdMax
# stateMin
# stateMax
# displayNameMin
# displayNameMax
# createTimeMin
# createTimeMax
# updateTimeMin
# updateTimeMax
# deleteTimeMin
# deleteTimeMax
# etagMin
# etagMax
```
Count the number of GCP projects that were created at a certain time. Note that you can apply all of the same filters that are listed above to aggregate queries.
```graphql
query {
  aggregategcpProject(filter: { createTime: { eq: "sometime" } }) {
    count
    # Other attributes and connections here...
  }
}
```
Search across all of your GCP projects to get their networks and each CIDR for each network:
```graphql
query {
  querygcpProject {
    networks {
      ipV4Range
    }
  }
}
```
Get the VM Instances for a given project using advanced filtering:
```graphql
query {
  querygcpProject(
    filter: {
      createTime: { eq: "sometime" }
      name: { regexp: "/.*name-of-project*/" }
      has: vmInstances
    }
  ) {
    networks {
      ipV4Range
      subnets {
        id
        vmInstances {
          id
        }
      }
    }
  }
}
```
With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:
```graphql
query {
  querygcpProject(
    filter: {
      createTime: { eq: "sometime" }
      name: { regexp: "/.*name-of-project*/" }
      has: vmInstances
    }
  ) {
    networks {
      ipV4Range
      subnets {
        id
        vmInstances {
          id
        }
      }
    }
  }
  aggregategcpProject(filter: { createTime: { eq: "sometime" } }) {
    count
    # Other attributes and connections here...
  }
}
```
Putting it all together; get all data for all GCP Projects across all regions for all scanned GCP projects in a single query. For the purposes of this example we will only get direct children of the Projects but if you want to it's easy to go from say, Project VPC -> Subnet -> VM...etc:
```graphql
query {
  querygcpProject {
    id
    name
    parent
    projectId
    state
    displayName
    createTime
    updateTime
    deleteTime
    etag
    labels {
      id
      key
      value
    }
    dnsManagedZones {
      id
      projectId
      region
      name
      kind
      dnsName
      description
      nameServers
      dnssecConfigKind
      dnssecConfigState
      dnssecConfigDefaultKeySpecs {
        id
        # Other attributes and connections here...
      }
      dnssecConfigNonExistence
      nameServerSet
      visibility
      privateVisibilityConfigKind
      privateVisibilityConfigNetworks {
        id
        # Other attributes and connections here...
      }
      forwardingConfigKind
      forwardingConfigTargetNameServers {
        id
        # Other attributes and connections here...
      }
      labels {
        id
        # Other attributes and connections here...
      }
      peeringConfigKind
      peeringConfigTargetNetworkKind
      peeringConfigTargetNetworkUrl
      peeringConfigTargetNetworkDeactivateTime
      reverseLookupConfigKind
      serviceDirectoryConfigKind
      serviceDirectoryConfigNamespaceKind
      serviceDirectoryConfigNamespaceUrl
      serviceDirectoryConfigNamespaceDeactivateTime
      cloudLoggingConfigKind
      cloudLoggingConfigEnableLogging
      project {
        id
      }
    }
    dnsPolicies {
      id
      projectId
      region
      name
      kind
      enableInboundForwarding
      description
      alternativeNameServerConfigKind
      alternativeNameServerConfigTargetNameServers {
        id
        # Other attributes and connections here...
      }
      enableLogging
      network {
        id
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }
      # Other attributes and connections here...
    }
    kmsCryptoKeys {
      id
      projectId
      region
      name
      createTime
      project {
        id
        # Other attributes and connections here...
      }
    }
    iamPolicies {
      id
      projectId
      version
      bindings {
        id
        # Other attributes and connections here...
      }
      etag
      project {
        id
        # Other attributes and connections here...
      }
      # Other attributes and connections here...
    }
    logBuckets {
      id
      projectId
      name
      region
      description
      createTime
      updateTime
      retentionDays
      locked
      lifecycleState
      logView {
        id
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }
    }
    logViews {
      id
      projectId
      name
      region
      description
      createTime
      updateTime
      filter
      project {
        id
        # Other attributes and connections here...
      }
      logBucket {
        id
        # Other attributes and connections here...
      }
    }
    logSinks {
      id
      projectId
      name
      region
      destination
      filter
      description
      disabled
      exclusions {
        id
      }
      outputVersionFormat
      writerIdentity
      includeChildren
      bigqueryOptions {
        usePartitionedTables
        # Other attributes and connections here...
      }
      createTime
      updateTime
      project {
        id
        # Other attributes and connections here...
      }
    }
    storageBuckets {
      id
      projectId
      region
      name
      kind
      selfLink
      projectNumber
      metageneration
      location
      storageClass
      etag
      defaultEventBasedHold
      timeCreated
      updated
      labels {
        id
        # Other attributes and connections here...
      }
      iamConfiguration {
        publicAccessPrevention
        # Other attributes and connections here...
      }
      locationType
      satisfiesPZS
      rpo
      baseUrl
      pollIntervalMs
      userProject
      project {
        id
        # Other attributes and connections here...
      }
    }
    firewalls {
      id
      projectId
      name
      region
      allowed {
        id
        # Other attributes and connections here...
      }
      creationTimestamp
      denied {
        id
        # Other attributes and connections here...
      }
      description
      destinationRanges
      direction
      disabled
      kind
      logConfig {
        enable
        # Other attributes and connections here...
      }
      priority
      selfLink
      sourceRanges
      sourceServiceAccounts
      sourceTags
      targetServiceAccounts
      targetTags
      network {
        id
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }
    }
    folder {
      id
      projectId
      region
      name
      parent
      displayName
      state
      createTime
      updateTime
      deleteTime
      etag
      organization {
        id
        # Other attributes and connections here...
      }
      projects {
        id
        # Other attributes and connections here...
      }
    }
    organization {
      id
      projectId
      region
      name
      displayName
      directoryCustomerId
      state
      createTime
      updateTime
      deleteTime
      etag
      folders {
        id
        # Other attributes and connections here...
      }
      projects {
        id
        # Other attributes and connections here...
      }
    }
    secrets {
      id
      projectId
      region
      name
      replication {
        automatic {
          customerManagedEncryption {
            kmsKeyName
          }
        }
        # Other attributes and connections here...
      }
      createTime
      labels {
        id
        # Other attributes and connections here...
      }
      topics {
        id
        # Other attributes and connections here...
      }
      expireTime
      ttl {
        nanos
        # Other attributes and connections here...
      }
      etag
      rotation {
        rotationPeriod {
          seconds
        }
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }
    }
    networks {
      id
      projectId
      region
      name
      ipV4Range
      autoCreateSubnetworks
      creationTimestamp
      description
      gatewayIPv4
      kind
      mtu
      peerings {
        id
        # Other attributes and connections here...
      }
      routingConfig {
        routingMode
        # Other attributes and connections here...
      }
      selfLink
      dnsPolicies {
        id
        # Other attributes and connections here...
      }
      firewalls {
        id
        # Other attributes and connections here...
      }
      project {
        id
        # Other attributes and connections here...
      }
      subnets {
        id
        # Other attributes and connections here...
      }
      vmInstances {
        id
        # Other attributes and connections here...
      }
      # Other attributes and connections here...
    }
    subnets {
      id
      projectId
      region
      name
      creationTimestamp
      description
      enableFlowLogs
      fingerprint
      gatewayAddress
      ipCidrRange
      ipv6CidrRange
      kind
      logConfig {
        enable
        # Other attributes and connections here...
      }
      privateIpGoogleAccess
      privateIpv6GoogleAccess
      purpose
      role
      secondaryIpRanges {
        id
        # Other attributes and connections here...
      }
      selfLink
      state
      project {
        id
        # Other attributes and connections here...
      }
      network {
        id
        # Other attributes and connections here...
      }
      vmInstances {
        id
        # Other attributes and connections here...
      }
    }
    vmInstances {
      id
      projectId
      region
      name
      advancedMachineFeatures {
        threadsPerCore
        # Other attributes and connections here...
      }
      canIpForward
      confidentialInstanceConfig {
        enableConfidentialCompute
        # Other attributes and connections here...
      }
      cpuPlatform
      creationTimestamp
      deletionProtection
      description
      disks {
        id
        # Other attributes and connections here...
      }
      displayDevice {
        enableDisplay
        # Other attributes and connections here...
      }
      fingerprint
      guestAccelerators {
        id
        # Other attributes and connections here...
      }
      hostname
      kind
      labelFingerprint
      labels {
        id
        # Other attributes and connections here...
      }
      lastStartTimestamp
      lastStopTimestamp
      lastSuspendedTimestamp
      machineType
      metadata {
        kind
        # Other attributes and connections here...
      }
      minCpuPlatform
      privateIpv6GoogleAccess
      reservationAffinity {
        key
        # Other attributes and connections here...
      }
      resourcePolicies
      satisfiesPzs
      scheduling {
        minNodeCpus
        # Other attributes and connections here...
      }
      selfLink
      serviceAccounts {
        id
        # Other attributes and connections here...
      }
      shieldedInstanceConfig {
        enableVtpm
        # Other attributes and connections here...
      }
      shieldedInstanceIntegrityPolicy {
        updateAutoLearnPolicy
        # Other attributes and connections here...
      }
      startRestricted
      status
      statusMessage
      tags {
        items
        # Other attributes and connections here...
      }
      zone
      project {
        id
        # Other attributes and connections here...
      }
      network {
        id
        # Other attributes and connections here...
      }
      subnet {
        id
        # Other attributes and connections here...
      }
    }
  }
}
```
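As an added example (not part of the CloudGraph documentation), the Python below narrows the query above to a few security-relevant fields listed on this page and triages the JSON result for open ingress firewall rules, subnets without flow logs, and buckets without enforced public access prevention. The sample response is constructed, and the value formats ("INGRESS", booleans, "enforced"/"inherited", CIDR strings in sourceRanges) are assumed to mirror the GCP APIs.

```python
import ipaddress

# Query built only from fields listed on this page.
AUDIT_QUERY = """query { querygcpProject { projectId
  firewalls { name direction disabled sourceRanges }
  subnets { name enableFlowLogs }
  storageBuckets { name iamConfiguration { publicAccessPrevention } } } }"""

# Constructed sample response (not real data). Value formats are assumed to
# mirror the GCP APIs: "INGRESS"/"EGRESS", booleans, "enforced"/"inherited".
SAMPLE_RESPONSE = {"data": {"querygcpProject": [{
    "projectId": "example-project",
    "firewalls": [
        {"name": "allow-ssh-any", "direction": "INGRESS", "disabled": False, "sourceRanges": ["0.0.0.0/0"]},
        {"name": "allow-internal", "direction": "INGRESS", "disabled": False, "sourceRanges": ["10.0.0.0/8"]},
        {"name": "old-rule", "direction": "INGRESS", "disabled": True, "sourceRanges": ["0.0.0.0/0"]},
    ],
    "subnets": [{"name": "subnet-a", "enableFlowLogs": False}, {"name": "subnet-b", "enableFlowLogs": True}],
    "storageBuckets": [
        {"name": "bucket-a", "iamConfiguration": {"publicAccessPrevention": "inherited"}},
        {"name": "bucket-b", "iamConfiguration": {"publicAccessPrevention": "enforced"}},
    ],
}]}}

def is_any_source(cidr):
    """True when a CIDR covers the whole address space (prefix length 0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def audit(response):
    """Return (projectId, finding, resource name) tuples for review."""
    findings = []
    for proj in (response.get("data") or {}).get("querygcpProject") or []:
        pid = proj.get("projectId")
        for fw in proj.get("firewalls") or []:
            if (fw.get("direction") == "INGRESS" and not fw.get("disabled")
                    and any(is_any_source(r) for r in fw.get("sourceRanges") or [])):
                findings.append((pid, "firewall-open-ingress", fw.get("name")))
        for sn in proj.get("subnets") or []:
            if not sn.get("enableFlowLogs"):
                findings.append((pid, "subnet-flow-logs-off", sn.get("name")))
        for b in proj.get("storageBuckets") or []:
            cfg = b.get("iamConfiguration") or {}
            if cfg.get("publicAccessPrevention") != "enforced":
                findings.append((pid, "bucket-pap-not-enforced", b.get("name")))
    return findings
```

Paste AUDIT_QUERY into GraphQL Playground or Altair and pass the returned JSON to audit(); a "bucket-pap-not-enforced" finding means the bucket still needs an IAM review, not that it is public.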

