If you have a large enough deployment on Google Cloud using Shared VPC, it is easy to lose track of which firewall rules still apply to anything in your environment. Here is how I've solved the orphaned firewall rules problem.
It is often easiest to manage the entire firewall configuration from a single host project whose Shared VPC networks are used by the service projects.
As of today there is no easy way to list the rules that are not applied to any instance in the network, yet when you approach the quota on the number of firewall rules you need to find exactly these unused (orphaned) rules so you can clean them up.
The gcp-discover-orphaned-firewall-rules tool helps you identify the orphaned firewall rules.
How it works:
The tool takes the host project ID and finds all the service projects attached to that host project's Shared VPC. It then lists the firewall rules of the host project (ingress rules only) and uses the ones that have target tags as the initial candidate list from which active rules will be eliminated; a rule with no target applies to every instance in the network and is not a candidate.
For each project (including the host project) it lists the VM instances and compares their network tags and service accounts against the candidates' targets. Every rule that matches at least one instance is removed from the list, and the shrinking list is carried over to the next project. Whatever is left at the end of the iteration is your list of orphaned firewall rules.
The list is printed to the screen in a tabular format and also written to a CSV file.
The tool does not delete any firewall rule; delete them manually or feed the CSV file to a script you write. Before deleting anything, check the warnings in the output: a project whose instances could not be listed (for example the deleted project in the run below) is skipped, so a rule that is only used by instances in such a project will show up as orphaned.
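To make the elimination logic concrete, here is a small Go example of the same algorithm run over constructed in-memory data. It is an added illustration, not the code of gcp-discover-orphaned-firewall-rules: the FirewallRule and Instance types, the sample rule and instance names, and the FindOrphans/ToCSV functions are all assumptions for this example. In a real run the inputs would come from the Compute API (Firewalls.List on the host project, Instances.AggregatedList on each project). The example also records projects that could not be listed, so the caller can tell an incomplete run from a clean one, and shows how a running-only filter turns rules used by stopped instances into false positives.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// FirewallRule is the subset of a VPC firewall rule the check needs (hypothetical type).
type FirewallRule struct {
	Name                  string
	Direction             string   // "INGRESS" or "EGRESS"
	TargetTags            []string // applies to instances carrying any of these network tags
	TargetServiceAccounts []string // or to instances running as any of these service accounts
}

// Instance is the subset of a VM instance the check needs (hypothetical type).
type Instance struct {
	Status          string // "RUNNING", "TERMINATED", ...
	Tags            []string
	ServiceAccounts []string
}

// Result keeps unused rules apart from projects the run could not inspect.
type Result struct {
	Orphaned  []FirewallRule
	Unchecked []string // projects whose instances could not be listed (deleted, no permission)
}

// FindOrphans starts with every ingress rule that has a target and removes each rule matched by
// at least one instance in any project. Rules without targets apply to every instance in the
// network and are never candidates. With runningOnly set, stopped instances are ignored, so rules
// used only by stopped VMs are reported even though they apply again once the VM starts.
func FindOrphans(rules []FirewallRule, byProject map[string][]Instance, projects []string, runningOnly bool) Result {
	candidates := map[string]FirewallRule{}
	for _, r := range rules {
		if r.Direction == "INGRESS" && (len(r.TargetTags) > 0 || len(r.TargetServiceAccounts) > 0) {
			candidates[r.Name] = r
		}
	}
	var res Result
	for _, p := range projects {
		insts, ok := byProject[p] // a missing key models "could not list instances"
		if !ok {
			res.Unchecked = append(res.Unchecked, p)
			continue
		}
		for _, inst := range insts {
			if runningOnly && inst.Status != "RUNNING" {
				continue
			}
			for name, r := range candidates { // deleting during range is safe in Go
				if intersects(r.TargetTags, inst.Tags) || intersects(r.TargetServiceAccounts, inst.ServiceAccounts) {
					delete(candidates, name)
				}
			}
		}
	}
	for _, r := range candidates {
		res.Orphaned = append(res.Orphaned, r)
	}
	sort.Slice(res.Orphaned, func(i, j int) bool { return res.Orphaned[i].Name < res.Orphaned[j].Name })
	return res
}

func intersects(a, b []string) bool {
	set := make(map[string]struct{}, len(a))
	for _, s := range a {
		set[s] = struct{}{}
	}
	for _, s := range b {
		if _, ok := set[s]; ok {
			return true
		}
	}
	return false
}

// ToCSV renders the orphans in the tool's two-column shape (rule-name,rule-tags);
// encoding/csv quotes a tag list that itself contains commas.
func ToCSV(orphans []FirewallRule) string {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	_ = w.Write([]string{"rule-name", "rule-tags"})
	for _, r := range orphans {
		targets := append(append([]string{}, r.TargetTags...), r.TargetServiceAccounts...)
		_ = w.Write([]string{r.Name, strings.Join(targets, ",")})
	}
	w.Flush()
	return buf.String()
}

// Constructed sample data for the example; not taken from a real environment.
func sampleRules() []FirewallRule {
	return []FirewallRule{
		{Name: "allow-ssh-bastion", Direction: "INGRESS", TargetTags: []string{"bastion"}},
		{Name: "allow-http-web", Direction: "INGRESS", TargetTags: []string{"web"}},
		{Name: "ghost", Direction: "INGRESS", TargetTags: []string{"dead", "legacy"}},
		{Name: "allow-metrics-sa", Direction: "INGRESS", TargetServiceAccounts: []string{"metrics@svc-a.iam.gserviceaccount.com"}},
		{Name: "allow-internal", Direction: "INGRESS"},                               // no target: applies to all
		{Name: "deny-egress-old", Direction: "EGRESS", TargetTags: []string{"dead"}}, // egress: out of scope
	}
}

func sampleProjects() []string { return []string{"host-project", "svc-a", "svc-b", "svc-deleted"} }

func sampleInstances() map[string][]Instance {
	return map[string][]Instance{
		"host-project": {},
		"svc-a": {
			{Status: "RUNNING", Tags: []string{"web"}, ServiceAccounts: []string{"default"}},
			{Status: "TERMINATED", Tags: []string{"bastion"}, ServiceAccounts: []string{"default"}},
		},
		"svc-b": {{Status: "RUNNING", ServiceAccounts: []string{"metrics@svc-a.iam.gserviceaccount.com"}}},
		// "svc-deleted" is deliberately absent: it could not be listed.
	}
}

func main() {
	res := FindOrphans(sampleRules(), sampleInstances(), sampleProjects(), false)
	fmt.Printf("unchecked projects: %v\n%s", res.Unchecked, ToCSV(res.Orphaned))
}
```

With all instances considered only ghost is orphaned and svc-deleted is reported as unchecked; with the running-only filter allow-ssh-bastion joins the list because its only match is a stopped VM, which is why that filter deserves care before anything is deleted.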
How to install:
Download the binary or clone the repo:
git clone git@github.com:doitintl/gcp-discover-orphaned-firewall-rules.git
cd gcp-discover-orphaned-firewall-rules
go mod download
go run main.go
Authentication to Google Cloud
This project uses Google Application Default Credentials (ADC).
You can either log in from the terminal with your default gcloud setup:
gcloud auth application-default login
Or use a service account key file by pointing the standard ADC environment variable GOOGLE_APPLICATION_CREDENTIALS at it.
Whichever identity you use needs read access to the firewall rules of the host project and to the instances of every service project (the Compute Viewer role is sufficient); a project it cannot read is reported as a warning, like the deleted project in the run below, and is not checked.
How to run
--debug Set log level
--host string Host Project ID <Required>
--running Filter only running VM instances
Note that with --running a rule whose only matching instances are stopped will be reported as orphaned, even though it applies again as soon as those instances start.
./discover-orphaned-rules-darwin-amd64 --host=host-project-123ewquiyt
INFO[2019-06-12T12:57:54+03:00] creating a new Compute API client
INFO[2019-06-12T12:57:54+03:00] host project: host-project-123ewquiyt
INFO[2019-06-12T12:57:56+03:00] firewall Rules for host project: host-project-123ewquiyt
INFO listing only TargetTags rules...
INFO number of TargetTags Rules: 3
INFO[2019-06-12T12:57:56+03:00] child project: deleted-project-1268522
WARN error listing VM instances googleapi: Error 404: Failed to find project deleted-project-1268522, notFound
WARN[2019-06-12T12:57:56+03:00] Could not check project deleted-project-1268522 for orphaned rules: googleapi: Error 404: Failed to find project deleted-project-1268522, notFound
INFO[2019-06-12T12:57:56+03:00] child project: resource-project-12iuyt2854
INFO making a list of orphaned rules with all rules (active rules will be removed from it)
resource-project-12iuyt2854, ghost
resource-project-12iuyt2854, instance-target-demo-rule
resource-project-12iuyt2854, real-rule
INFO looking for orphaned rules in project..
INFO remove active rule from orphans list: instance-target-demo-rule
INFO 2 potential orphaned firewall rules to evalute...
INFO[2019-06-12T12:57:56+03:00] child project: resource-2-23ouyrwe9
INFO making a list of orphaned rules with all rules (active rules will be removed from it)
resource-2-23ouyrwe9, ghost
ami-resource-2-23ouyrwe9, instance-target-demo-rule
ami-resource-2-23ouyrwe9, real-rule
INFO looking for orphaned rules in project..
INFO remove active rule from orphans list: instance-target-demo-rule
INFO 2 potential orphaned firewall rules to evalute...
INFO[2019-06-12T12:57:57+03:00] generating CSV file for orphaned rules...
INFO creating a new CSV file: orphaned-rules.csv
INFO[2019-06-12T12:57:57+03:00] done!
This will also generate a CSV file:
rule-name,rule-tags
ghost,dead
real-rule,"real-1,real2,real-3"