Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes and connections on an GCP VM Instances
query {
querygcpVmInstance {
id
projectId
region
name
kind
advancedMachineFeatures {
enableNestedVirtualization
threadsPerCore
}
canIpForward
confidentialInstanceConfig {
enableConfidentialCompute
}
cpuPlatform
creationTimestamp
deletionProtection
description
disks {
id
autoDelete
boot
deviceName
diskEncryptionKey {
kmsKeyName
kmsKeyServiceAccount
rawKey
sha256
}
diskSizeGb
guestOsFeatures {
id
type
}
index
initializeParams {
description
diskName
diskSizeGb
diskType
labels {
id
key
value
}
onUpdateAction
provisionedIops
resourcePolicies
sourceImage
sourceImageEncryptionKey {
kmsKeyName
kmsKeyServiceAccount
rawKey
sha256
}
sourceSnapshot
sourceSnapshotEncryptionKey {
kmsKeyName
kmsKeyServiceAccount
rawKey
sha256
}
}
interface
kind
licenses
mode
shieldedInstanceInitialState {
dbs {
id
content
fileType
}
dbxs {
id
content
fileType
}
keks {
id
content
fileType
}
pk {
id
content
fileType
}
}
source
type
}
displayDevice {
enableDisplay
}
fingerprint
guestAccelerators {
id
acceleratorCount
acceleratorType
}
hostname
kind
labelFingerprint
labels {
id
key
value
}
lastStartTimestamp
lastStopTimestamp
lastSuspendedTimestamp
machineType
metadata {
fingerprint
items {
id
key
value
}
kind
}
minCpuPlatform
networkInterfaces {
id
accessConfigs {
id
kind
name
natIP
networkTier
publicPtrDomainName
setPublicPtr
type
}
aliasIpRanges {
id
ipCidrRange
subnetworkRangeName
}
fingerprint
ipv6Address
kind
name
network
networkIP
nicType
subnetwork
}
privateIpv6GoogleAccess
reservationAffinity {
consumeReservationType
key
values
}
resourcePolicies
satisfiesPzs
scheduling {
automaticRestart
locationHint
minNodeCpus
nodeAffinities {
id
key
operator
values
}
onHostMaintenance
preemptible
}
selfLink
serviceAccounts {
id
email
scopes
}
shieldedInstanceConfig {
enableIntegrityMonitoring
enableSecureBoot
enableVtpm
}
shieldedInstanceIntegrityPolicy {
updateAutoLearnPolicy
}
startRestricted
status
statusMessage
tags {
fingerprint
items
}
zone
project {
name
}
network {
name
}
subnet {
name
}
}
}
Get data for a single GCP VM Instance that you know the ID for:
query {
getgcpVmInstance(id: "12345") {
id
}
}
Get data for all of the VM instances in a GCP project:
query {
querygcpVmInstance(filter: { projectId: { eq: "12345" } }) {
id
}
}
Get data for all of the VM instances that are NOT in a GCP project:
query {
querygcpVmInstance(filter: { not: { projectId: { eq: "12345" } } }) {
id
}
}
Get data for all of the VM instances that have cloud functions in them:
query {
querygcpVmInstance(filter: { has: network }) {
id
}
}
Use multiple filter selectors, (i.e. has, and, not, or) to get data for all of the VM instances that have cloud functions AND subnets in them OR that do not have networks in them. Note that you can use has, and, not, or completely independently of each other:
query {
querygcpVmInstance(
filter: {
has: network
and: { has: subnet }
or: { not: { has: network } }
}
) {
id
}
}
You may also filter using a regex when filtering on a string field like, lastStartTimestamp if you want to look for a value that matches say, some-time:
query {
querygcpVmInstance(filter: { lastStartTimestamp: { regexp: "/.*some-time*/" } }) {
id
}
}
You can order the results you get back either asc or desc depending on your preference:
query {
querygcpVmInstance(order: { desc: description }) {
description
}
}
Only select and return the first two VM instances that are found:
query {
querygcpVmInstance(first: 2, order: { desc: description }) {
description
}
}
Only select and return the first two VM instances that are found, but offset by one so VM instances two & three are returned:
query {
querygcpVmInstance(first: 2, order: { desc: description }, offset: 1) {
id
}
}
Count the number of VM instances across all scanned GCP projects:
query {
aggregategcpVmInstance {
count
}
}
Count the number of VM instances in a single project. Note that you can apply all of the same filters that are listed above to aggregate queries:
query {
aggregategcpVmInstance(filter: { projectId: { eq: "12345" } }) {
count
}
}
Find all of the VM instances that have a tag of Environment:Production for a single GCP project:
query {
querygcpTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
vmInstance(filter: { projectId: { eq: "12345" } }) {
id
}
}
}
With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:
query {
querygcpVmInstance {
id
}
querygcpTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
vmInstance(filter: { projectId: { eq: "12345" } }) {
id
}
}
}
When you think, "in terms of a graph", you can do almost anything with CloudGraph. Say for example that you want to know what VM instances don't leverage networking. Simply check to see what networks the VM instance is "connected" to, and compare that against the list of all networks like so:
query {
querygcpVmInstance(filter: { id: { eq: "id:12345" } }) {
id
network {
id
}
}
querygcpNetwork {
id
}
}
Putting it all together; get all data for all VM instances across all regions for all scanned GCP projects in a single query. For the purposes of this example we will only get direct children of the VM instances:
query {
querygcpVmInstance {
id
projectId
region
name
kind
advancedMachineFeatures {
enableNestedVirtualization
threadsPerCore
}
canIpForward
confidentialInstanceConfig {
enableConfidentialCompute
}
cpuPlatform
creationTimestamp
deletionProtection
description
disks {
id
autoDelete
boot
deviceName
diskEncryptionKey {
kmsKeyName
kmsKeyServiceAccount
rawKey
sha256
}
diskSizeGb
guestOsFeatures {
id
type
}
index
initializeParams {
description
diskName
diskSizeGb
diskType
labels {
id
key
value
}
onUpdateAction
provisionedIops
resourcePolicies
sourceImage
sourceImageEncryptionKey {
kmsKeyName
kmsKeyServiceAccount
rawKey
sha256
}
sourceSnapshot
sourceSnapshotEncryptionKey {
kmsKeyName
kmsKeyServiceAccount
rawKey
sha256
}
}
interface
kind
licenses
mode
shieldedInstanceInitialState {
dbs {
id
content
fileType
}
dbxs {
id
content
fileType
}
keks {
id
content
fileType
}
pk {
id
content
fileType
}
}
source
type
}
displayDevice {
enableDisplay
}
fingerprint
guestAccelerators {
id
acceleratorCount
acceleratorType
}
hostname
kind
labelFingerprint
labels {
id
key
value
}
lastStartTimestamp
lastStopTimestamp
lastSuspendedTimestamp
machineType
metadata {
fingerprint
items {
id
key
value
}
kind
}
minCpuPlatform
networkInterfaces {
id
accessConfigs {
id
kind
name
natIP
networkTier
publicPtrDomainName
setPublicPtr
type
}
aliasIpRanges {
id
ipCidrRange
subnetworkRangeName
}
fingerprint
ipv6Address
kind
name
network
networkIP
nicType
subnetwork
}
privateIpv6GoogleAccess
reservationAffinity {
consumeReservationType
key
values
}
resourcePolicies
satisfiesPzs
scheduling {
automaticRestart
locationHint
minNodeCpus
nodeAffinities {
id
key
operator
values
}
onHostMaintenance
preemptible
}
selfLink
serviceAccounts {
id
email
scopes
}
shieldedInstanceConfig {
enableIntegrityMonitoring
enableSecureBoot
enableVtpm
}
shieldedInstanceIntegrityPolicy {
updateAutoLearnPolicy
}
startRestricted
status
statusMessage
tags {
fingerprint
items
}
zone
project {
id
name
parent
projectId
state
displayName
createTime
updateTime
deleteTime
etag
labels {
id
key
value
}
alertPolicies {
name
}
apiKeys {
name
}
cloudFunctions {
name
}
computeProject {
name
}
dnsManagedZones {
name
}
dnsPolicies {
name
}
bigQueryDataset {
name
}
bigQueryConnection {
name
}
bigQueryReservation {
name
}
bigQueryReservationCapacityCommitment {
name
}
bigQueryDataTransfer {
name
}
bigQueryDataTransferRun {
name
}
vpcConnectors {
name
}
kmsKeyRing {
name
}
cloudRouters {
name
}
iamPolicies {
id
}
logBuckets {
name
}
logMetrics {
name
}
logViews {
name
}
logSinks {
name
}
storageBuckets {
name
}
firewalls {
name
}
folder {
name
}
organization {
name
}
secrets {
name
}
sslPolicies {
name
}
networks {
name
}
subnets {
name
}
targetSslProxies {
name
}
targetHttpsProxies {
name
}
vmInstances {
name
}
assets {
name
}
sqlInstances {
name
}
serviceAccounts {
name
}
kmsCryptoKeys {
name
}
dataprocClusters {
name
}
dataprocAutoscalingPolicies {
name
}
dataprocJobs {
name
}
dataprocWorkflowTemplates {
name
}
}
network {
id
projectId
region
name
kind
labels {
id
key
value
}
ipV4Range
autoCreateSubnetworks
creationTimestamp
description
gatewayIPv4
kind
mtu
peerings {
id
autoCreateRoutes
exchangeSubnetRoutes
exportCustomRoutes
exportSubnetRoutesWithPublicIp
importCustomRoutes
importSubnetRoutesWithPublicIp
name
network
peerMtu
state
stateDetails
}
routingConfig {
routingMode
}
selfLink
dnsPolicies {
name
}
firewalls {
name
}
project {
name
}
sqlInstances {
name
}
subnets {
name
}
vpcConnectors {
name
}
vmInstances {
name
}
cloudRouters {
name
}
}
subnet {
id
projectId
region
name
kind
labels {
id
key
value
}
creationTimestamp
description
enableFlowLogs
fingerprint
gatewayAddress
ipCidrRange
ipv6CidrRange
kind
logConfig {
aggregationInterval
enable
filterExpr
flowSampling
metadata
metadataFields
}
privateIpGoogleAccess
privateIpv6GoogleAccess
purpose
role
secondaryIpRanges {
id
ipCidrRange
rangeName
}
selfLink
state
project {
displayName
}
network {
name
}
vpcConnectors {
name
}
vmInstances {
name
}
}
}
}
