# Google Cloud Filtering

This page walks through the access-types available for filtering Google Cloud access requests: `permission`, `role` and `resource`. Each filter matches a `pattern` (a regular expression) against one `key` of the request and applies an `effect` (`keep`, `remove` or `removeAll`).

### Filtering permission requests

To filter permission requests, use the `permission` access-type. It has a single key, `id`, which is the permission ID (for example `bigquery.datasets.get`; the full list is in Google's [permissions reference](https://cloud.google.com/iam/docs/permissions-reference)). The `pattern` is a regular expression, so escape the dots in a permission ID (`\.`): an unescaped `.` matches any character, which makes an allowlist such as `^bigquery.` wider than it looks.

#### Rule structure:

```
resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>
```

#### Allow requesting only BigQuery permissions:

```
resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep
      key: id
      pattern: ^bigquery\.
```

#### Allow requesting any permissions except compute.instances.delete

```
resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: remove
      key: id
      pattern: ^compute\.instances\.delete$
```

### Filtering role requests

To filter role requests, use the `role` access-type. It has a single key, `id`, which is the role ID (the list is in Google's [roles reference](https://cloud.google.com/iam/docs/understanding-roles)). Note that this is the full ID including the `roles/` prefix, for example `roles/viewer`, and that the pattern is a regular expression, so escape literal dots.

#### Rule structure:

```
resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>
```

#### Allow requesting only compute roles

```
resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep
      key: id
      pattern: ^roles/compute\.
```

#### Allow requesting any roles except the basic roles (viewer, editor, owner)

```
resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: remove
      key: id
      pattern: ^roles/editor$|^roles/viewer$|^roles/owner$
```

### Filtering resource requests

To filter resource requests, use the `resource` access-type. There are three available keys:

* `name`: This is the name of the resource.
* `type`: This is the type of the resource. The available values for `type` are below:

| Resource type        | "type" value     |
| -------------------- | ---------------- |
| BigQuery Dataset     | `dataset`        |
| BigQuery Table       | `table`          |
| Compute Zone         | `zone`           |
| Compute Instance     | `instance`       |
| IAM Service Account  | `serviceaccount` |
| Cloud Storage Bucket | `bucket`         |
| Cloud Storage Object | `object`         |

* `full-resource-name`: This is the Google API full resource name, including the service, type, and name. Available formats for the `full-resource-name` are below.

| Resource type        | "full-resource-name" format                                                             |
| -------------------- | --------------------------------------------------------------------------------------- |
| BigQuery Dataset     | `//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME`                   |
| BigQuery Table       | `//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME/tables/TABLE_NAME` |
| Compute Zone         | `//compute.googleapis.com/zones/ZONE_NAME`                                              |
| Compute Instance     | `//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE_NAME/instances/INSTANCE_NAME`  |
| IAM Service Account  | `//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL`        |
| Cloud Storage Bucket | `//storage.googleapis.com/BUCKET_NAME`                                                  |
| Cloud Storage Object | `//storage.googleapis.com/BUCKET_NAME/objects/OBJECT_PATH`                              |

#### Rule structure:

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|type|full-resource-name
      pattern: <regex pattern>
```

#### Allow requesting only the BigQuery Dataset "customer-data" in project "test"

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//bigquery\.googleapis\.com/projects/test/datasets/customer-data$
```

#### Allow requesting any Cloud Storage bucket:

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: type
      pattern: ^bucket$
```

#### Allow requesting any resource with "application-1" in the name

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: name
      pattern: application-1
```

Because the pattern is unanchored, it also matches names such as `application-10` or `my-application-1-backup`. If you mean exactly that name, anchor the pattern (`^application-1$`).

#### Allow requesting any resource except compute instances with names starting with "prod" in project "test" and zone "us-west1-a"

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: remove
      key: full-resource-name
      pattern: ^//compute\.googleapis\.com/projects/test/zones/us-west1-a/instances/prod
```

#### Allow requesting only Cloud Storage buckets with names starting with dev

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//storage\.googleapis\.com/dev
```
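The effect of a `keep` or `remove` rule depends entirely on how its regular expression matches, so a pattern is worth testing against sample IDs before it is deployed. The following Python script is an added example, not part of this page or the product's own code. It models the filter semantics that the examples in the permission, role and resource sections imply (assumption: `keep` retains only matching items, `remove` drops them, and an unanchored pattern matches anywhere in the key; `removeAll` is not modelled because the page does not define it), runs several of the rule shapes from those sections over constructed sample permission IDs and resource names, and includes a `check_pattern` helper for a must-match / must-not-match check. The sample data is constructed for the example and not taken from Google's references.

```python
import re
from typing import Dict, Iterable, List, Sequence

# Reference model of the filter semantics as the examples on this page imply
# them (assumption, not the product's implementation): `keep` retains only the
# items whose key matches the pattern, `remove` drops those items, and the
# pattern is searched anywhere in the key unless it is anchored with ^ and $.
# `removeAll` is listed on the page without a definition, so it is not modelled.

Item = Dict[str, str]


def apply_filter(effect: str, key: str, pattern: str, items: Iterable[Item]) -> List[Item]:
    """Apply one filter rule to candidate items (dicts carrying the rule's `key`)."""
    rx = re.compile(pattern)
    candidates = list(items)
    if effect == "keep":
        return [it for it in candidates if rx.search(it[key])]
    if effect == "remove":
        return [it for it in candidates if not rx.search(it[key])]
    raise ValueError(f"unsupported effect: {effect!r}")


def surviving(effect: str, key: str, pattern: str, items: Iterable[Item]) -> List[str]:
    """The values of `key` that can still be requested after the rule is applied."""
    return [it[key] for it in apply_filter(effect, key, pattern, items)]


def check_pattern(pattern: str, must_match: Sequence[str], must_not_match: Sequence[str]) -> List[str]:
    """Pre-deployment check: returns the inputs the pattern gets wrong (empty list = OK)."""
    rx = re.compile(pattern)
    problems = [f"expected match, got none: {s}" for s in must_match if not rx.search(s)]
    problems += [f"unexpected match: {s}" for s in must_not_match if rx.search(s)]
    return problems


# Constructed sample data for this example; not taken from Google's references.
PERMISSIONS: List[Item] = [
    {"id": "bigquery.datasets.get"},
    {"id": "bigquery.tables.getData"},
    {"id": "bigquerydatatransfer.transfers.get"},
    {"id": "compute.instances.delete"},
    {"id": "compute.instances.get"},
]

RESOURCES: List[Item] = [
    {"type": "instance", "name": "prod-web-1",
     "full-resource-name": "//compute.googleapis.com/projects/test/zones/us-west1-a/instances/prod-web-1"},
    {"type": "instance", "name": "prod-web-2",
     "full-resource-name": "//compute.googleapis.com/projects/test/zones/us-west1-b/instances/prod-web-2"},
    {"type": "bucket", "name": "application-1",
     "full-resource-name": "//storage.googleapis.com/application-1"},
    {"type": "bucket", "name": "application-10-backup",
     "full-resource-name": "//storage.googleapis.com/application-10-backup"},
]


def demo() -> Dict[str, List[str]]:
    """Run the rule shapes from this page over the sample data; return what survives each."""
    return {
        # Unescaped dot: `.` also matches the `d` in bigquerydatatransfer, so the
        # allowlist admits a second service's permissions.
        "keep_bigquery_loose": surviving("keep", "id", r"^bigquery.", PERMISSIONS),
        "keep_bigquery_tight": surviving("keep", "id", r"^bigquery\.", PERMISSIONS),
        # Fully anchored and escaped denylist entry: exactly one permission removed.
        "remove_instance_delete": surviving("remove", "id", r"^compute\.instances\.delete$", PERMISSIONS),
        # Prefix match on the full resource name: only the us-west1-a instance goes.
        "remove_prod_us_west1_a": surviving(
            "remove", "full-resource-name",
            r"^//compute\.googleapis\.com/projects/test/zones/us-west1-a/instances/prod", RESOURCES),
        # Unanchored substring on the name versus an exact, anchored name.
        "keep_name_substring": surviving("keep", "name", r"application-1", RESOURCES),
        "keep_name_exact": surviving("keep", "name", r"^application-1$", RESOURCES),
    }


if __name__ == "__main__":
    for label, values in demo().items():
        print(f"{label}: {values}")
    print(check_pattern(r"^bigquery.", ["bigquery.datasets.get"], ["bigquerydatatransfer.transfers.get"]))
```

Running the script shows the loose `^bigquery.` allowlist admitting `bigquerydatatransfer.transfers.get` while `^bigquery\.` does not, and the unanchored name pattern admitting `application-10-backup` alongside `application-1`. The `check_pattern` call at the end is the shape of test to keep next to each rule: list the IDs the rule must admit and the ones it must never admit, and treat a non-empty result as a blocker before the rule ships.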
