Google Cloud Deployment Manager

Deployment Instances Expired

Risk Level: Low

Description

This plugin ensures that Cloud Deployment Manager deployments are deleted after the desired number of days from their creation time. Deployments should be deleted once the time period determined by your governance rules has elapsed since their creation.

Configuration Parameters

Deployments Expiration Time: This parameter determines the expiration period of a deployment after its creation. An alert is generated when the deployment's expiration date is reached.

By default the value of this parameter is set to null.

About The Service

Google Cloud Deployment Manager:

Google Cloud Deployment Manager is an infrastructure deployment service that automates the creation and management of Google Cloud resources. You write flexible template and configuration files and use them to create deployments that have a variety of Google Cloud services, such as Cloud Storage, Compute Engine, and Cloud SQL, configured to work together.

Impact

When you delete a deployment, all resources that are part of the deployment are also deleted. If you want to delete specific resources from your deployment and keep the rest, delete those resources from your configuration file and update the deployment instead. This plugin ensures that Cloud Deployment Manager deployments are deleted after the desired number of days from their creation time. Deployments should be deleted after the desired time period from their creation time, as determined by your governance rules.

Steps to Reproduce

Using GCP Console:

To check whether a deployment instance is expired, follow the steps given below:

  1. Sign in to the Google Cloud Platform Console with the administrator account.
  2. From the top navigation bar, select the GCP Project you want to investigate.
  3. In the Navigation Menu on the left, find the Tools section under More Products and click on it.
  4. Select the Deployments nav link under the Deployment Manager section.
  5. The Deployments page will appear with a list of all the deployments.
  6. Click on the Name of the deployment you want to examine.
  7. A new page with all the details of that deployment will appear. Click on the Overview option to display the Properties of the Deployment.
  8. Check whether the deployment is expired with respect to the desired number of days from its creation time. If it is, "expired" will be shown at the top and that deployment instance is expired.
  9. Repeat the steps above to review the other folders/projects associated with the GCP organizations in your account.
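The same age check can be scripted across many deployments. The following is an added example, not the plugin's own code or part of the original page: it assumes the deployment list was exported with `gcloud deployment-manager deployments list --format=json` and that each record carries `name` and `insertTime` (the creation timestamp); the sample records and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of
# `gcloud deployment-manager deployments list --format=json` output.
SAMPLE_JSON = """[
  {"name": "web-frontend", "insertTime": "2024-01-10T09:30:00.000-08:00"},
  {"name": "batch-sandbox", "insertTime": "2024-05-20T14:05:12.345Z"},
  {"name": "import-pending"}
]"""

def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp into a timezone-aware datetime."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    parsed = datetime.fromisoformat(ts)
    # Treat a timestamp without an offset as UTC so age arithmetic never mixes types.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def find_expired(deployments, expiration_days, now=None):
    """Return (expired, unknown) for a list of deployment records.

    expired: (name, age_in_days) for deployments at or past expiration_days.
    unknown: names without a usable creation time, reported instead of passed.
    expiration_days=None mirrors the parameter's default (null): nothing is flagged.
    """
    if expiration_days is None:
        return [], []
    now = now or datetime.now(timezone.utc)
    limit = timedelta(days=expiration_days)
    expired, unknown = [], []
    for dep in deployments:
        name = dep.get("name", "<unnamed>")
        try:
            created = parse_rfc3339(dep["insertTime"])
        except (KeyError, TypeError, AttributeError, ValueError):
            unknown.append(name)
            continue
        age = now - created
        if age >= limit:  # alert once the expiration date is reached
            expired.append((name, age.days))
    return expired, unknown

if __name__ == "__main__":
    expired, unknown = find_expired(json.loads(SAMPLE_JSON), expiration_days=90)
    for name, days in expired:
        print(f"EXPIRED  {name}: {days} days old")
    for name in unknown:
        print(f"UNKNOWN  {name}: no creation time")
```

Records that land in the unknown list have no creation time in the export and should be reviewed by hand rather than treated as compliant.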

Steps for Remediation

Using GCP Console:

To delete an expired deployment instance, follow the steps given below:

  1. Sign in to the Google Cloud Platform Console with the administrator account.
  2. From the top navigation bar, select the GCP Project you want to investigate.
  3. In the Navigation Menu on the left, find the Tools section under More Products and click on it.
  4. Select the Deployments nav link under the Deployment Manager section.
  5. The Deployments page will appear with a list of all the deployments.
  6. Click on the Name of the deployment you want to examine.
  7. A new page with all the details of that deployment will appear. Click on the Overview option to display the Properties of the Deployment.
  8. Check whether the deployment is expired with respect to the desired number of days from its creation time. If it is, "expired" will be shown at the top and that deployment is expired.
  9. Click on the Delete button at the top. This completely removes the expired deployment instance and therefore deletes the underlying resource. This is permanent and cannot be undone.
  10. A dialog box will appear. Choose the desired option: if you want the resources created by that deployment instance to remain, select the second option; otherwise, select the first option.
  11. Now, click on the Delete button.
  12. Repeat the above steps for the other GCP Projects under your organization.