Personalized recommendations with customized recommender

One of the strengths of any cloud platform is scalability. It’s now very easy to create dozens of accounts, hundreds of projects, thousands of resources… And, after a while, you have tons of things and they are hard to manage, optimize and curate.
On Google Cloud, Active Assist helps you to keep your cloud environment clean, safe and efficient by providing recommendations.

The different recommender engines are very useful and provide powerful insights. However, those insights are based on generic rules.
For instance, you will get IAM recommendations (to reduce the permissions granted to an account) after 90 days of observation. That could be too long or too short for your use cases.

Let’s try it on my favorite recommender: the IAM recommender

Get the current configuration

The first step is to extract the current configuration. For that, you must have the Recommender Viewer role (in our case IAM Recommender Viewer role).

Then, you have to select your recommender’s name in the list.
Mine is google.iam.policy.Recommender

And finally, use the gcloud CLI to get the config and visualize the result

gcloud beta recommender recommender-config describe \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID>

A typical result is the following

etag: '"24512cd0d91389e6"'
name: projects/<project>/locations/global/recommenders/google.iam.policy.Recommender/config
recommenderGenerationConfig:
  params:
    minimum_observation_period: P90D
revisionId: DEFAULT
updateTime: '2022-08-08T01:18:29Z'

Note the P90D value, which defines the default 90 days of observation.

Apply your own configuration with the CLI

To update your configuration with the CLI, you need 2 things:

  • The current parameter
  • The ETAG.
    The etag identifies the version of the configuration that the requester last read. If the submitted etag is the same as the current one, the update is accepted; otherwise, it is rejected.

Get and Update the current parameter

You can use the describe command with jq to extract the current parameter and save the result in a file (paramsConfig.json here, in JSON format)

gcloud beta recommender recommender-config describe \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID> \
--format=json \
| jq .recommenderGenerationConfig > paramsConfig.json

And then, update the parameter value. For instance, P30D for 30 days of observation instead of the default 90.

{
  "params": {
    "minimum_observation_period": "P30D"
  }
}

The ETAG value

Next, the etag value. Same approach, with describe and jq, but this time save the result in a variable, ETAG here.

export ETAG=$(gcloud beta recommender recommender-config describe \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID> \
--format=json \
| jq .etag)

Perform the update

Finally, put it all together in a final command. Use the paramsConfig.json and the etag value

gcloud beta recommender recommender-config update \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID> \
--config-file=paramsConfig.json --etag=${ETAG}

You must have the Recommender Admin role (in our case IAM Recommender Admin role).

Once the command has been applied successfully, you can run describe again (see the first section) to confirm that the correct value is set.

A simpler way with the API

As you can see, the developer experience isn’t good. Extracting a part of the API response and getting the etag separately is so boring.

Get and update the current parameter

Firstly, get the current configuration as is in JSON, and save the result in a file, recommender-iam.json for instance

Either with the CLI as before.

gcloud beta recommender recommender-config describe \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID> \
--format=json \
> recommender-iam.json

Or with the API directly

curl -H "x-goog-user-project: <ProjectID>" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
https://recommender.googleapis.com/v1beta1/projects/<ProjectID>/locations/global/recommenders/google.iam.policy.Recommender/config \
> recommender-iam.json

Note that you can use the CLI to get the access token to be authenticated.
If you use your user account, you have to mention the “consumer project” with the x-goog-user-project header.
If you use a service account, you can remove it.

After the save, update the content; change the P90D to P30D for instance

Perform the update

The interesting part comes here. Keep the extracted JSON as is. No etag or params to extract!

curl -H "x-goog-user-project: <ProjectID>" \
-d @recommender-iam.json -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
https://recommender.googleapis.com/v1beta1/projects/<ProjectID>/locations/global/recommenders/google.iam.policy.Recommender/config

I already shared this easier way with the engineering team. I hope the CLI will be better soon!
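
The manual "change P90D to P30D" step, scripted so the value is checked before the PATCH and the etag stays untouched. This is an added example, not code from the original article or from Google's tooling; the function names, the sample document (constructed from the describe output shown earlier) and the 30 to 90 day bounds are assumptions standing in for your own policy.

```python
import json
import re

# Constructed sample: the shape `describe --format=json` returns for the
# config shown earlier on this page (the project id is a placeholder).
SAMPLE_DESCRIBE = json.dumps({
    "etag": "\"24512cd0d91389e6\"",
    "name": "projects/<project>/locations/global/recommenders/"
            "google.iam.policy.Recommender/config",
    "recommenderGenerationConfig": {
        "params": {"minimum_observation_period": "P90D"}
    },
    "revisionId": "DEFAULT",
    "updateTime": "2022-08-08T01:18:29Z",
})

# Assumed local policy bounds, not limits taken from the API.
MIN_DAYS, MAX_DAYS = 30, 90
DAY_DURATION = re.compile(r"P(\d+)D")


def set_observation_period(describe_json, period):
    """Return the PATCH body: same document, same etag, new period."""
    match = DAY_DURATION.fullmatch(period)
    if not match:
        raise ValueError(f"not an ISO 8601 day duration: {period!r}")
    days = int(match.group(1))
    if not MIN_DAYS <= days <= MAX_DAYS:
        raise ValueError(f"{days} days is outside {MIN_DAYS}-{MAX_DAYS}")
    config = json.loads(describe_json)
    if not config.get("etag"):
        raise ValueError("etag missing: refusing to build an update without it")
    params = config["recommenderGenerationConfig"]["params"]
    params["minimum_observation_period"] = period
    return config


def cli_inputs(config):
    """Split the document into the two inputs the gcloud update needs."""
    params_file = json.dumps(config["recommenderGenerationConfig"], indent=2)
    # json.dumps reproduces what `jq .etag` prints (quotes escaped).
    return params_file, json.dumps(config["etag"])


if __name__ == "__main__":
    body = set_observation_period(SAMPLE_DESCRIBE, "P30D")
    print(json.dumps(body, indent=2))  # content for recommender-iam.json
```
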

A platform built with your rules

Recommender customization is only at the beginning, and not all the recommenders are customizable yet.

In addition, some mandatory components are missing, like the Terraform module to be able to set the recommender parameter directly with the IaC.

Anyway, you can start thinking about your policies and about the recommendations you want to receive to optimize your cloud environment!

guillaume blaquiere

GDE cloud platform, Group Data Architect @Carrefour, speaker, writer and polyglot developer, Google Cloud platform 3x certified, serverless addict and Go fan.