Personalized recommendations with customized recommender
--
One of the strengths of any cloud platform is scalability. It’s now very easy to create dozens of accounts, hundreds of projects, thousands of resources… And, after a while, you have tons of things that are hard to manage, optimize and curate.
On Google Cloud, Active Assist helps you to keep your cloud environment clean, safe and efficient by providing recommendations.
The different recommender engines are very useful and provide powerful insights. However, those insights are based on generic rules.
For instance, you get IAM recommendations (to reduce the permissions granted on an account) after 90 days of observation. That could be too long or too short, depending on your use case.
But now, you can customize the recommenders’ config!
Let’s try it on my favorite recommender: the IAM recommender.
Get the current configuration
The first step is to extract the current configuration. For that, you must have the Recommender Viewer role (in our case IAM Recommender Viewer role).
Then, you have to select your recommender’s name in the list.
Mine is google.iam.policy.Recommender
And finally, use the gcloud CLI to get the config and visualize the result
gcloud beta recommender recommender-config describe \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID>
A typical result is the following
etag: '"24512cd0d91389e6"'
name: projects/<project>/locations/global/recommenders/google.iam.policy.Recommender/config
recommenderGenerationConfig:
  params:
    minimum_observation_period: P90D
revisionId: DEFAULT
updateTime: '2022-08-08T01:18:29Z'
Note the P90D value, which defines the default 90 days of observation.
Apply your own configuration with the CLI
To update your configuration with the CLI, you need 2 things:
- The current parameter
- The ETAG.
The etag is usually used to identify the latest version read by the requester. If the submitted etag is the same as the current one, the update is accepted; otherwise, it is rejected.
Get and Update the current parameter
You can use the describe command with jq to extract the current parameter and save the result in a file, paramsConfig.json here (in JSON format).
gcloud beta recommender recommender-config describe \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID> \
--format=json \
| jq .recommenderGenerationConfig > paramsConfig.json
Then update the parameter value, for instance to P30D for 30 days of observation instead of the default 90.
{
  "params": {
    "minimum_observation_period": "P30D"
  }
}
The ETAG value
Next, the etag value. Same approach, with describe and jq, but this time save the result in a variable, ETAG here.
export ETAG=$(gcloud beta recommender recommender-config describe \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID> \
--format=json \
| jq .etag)
Perform the update
Finally, put it all together in a final command. Use the paramsConfig.json file and the etag value.
gcloud beta recommender recommender-config update \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID> \
--config-file=paramsConfig.json --etag=${ETAG}
You must have the Recommender Admin role (in our case IAM Recommender Admin role).
Once the command has been applied successfully, you can run describe again (see the first section) to confirm that the correct value is set.
A simpler way with the API
As you can see, the developer experience isn’t good. Extracting part of the API response and getting the etag separately is so boring.
For an easier update, you can use the Recommender API.
Get and update the current parameter
First, get the current configuration as is in JSON, and save the result in a file, recommender-iam.json for instance.
Either with the CLI as before:
gcloud beta recommender recommender-config describe \
google.iam.policy.Recommender \
--location=global \
--project=<ProjectID> \
--format=json \
> recommender-iam.json
Or with the API directly
curl -H "x-goog-user-project: <ProjectID>" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
https://recommender.googleapis.com/v1beta1/projects/<ProjectID>/locations/global/recommenders/google.iam.policy.Recommender/config \
> recommender-iam.json
Note that you can use the CLI to get the access token used for authentication.
If you use your user account, you have to specify the “consumer project” with the x-goog-user-project header.
If you use a service account, you can remove it.
After saving, update the content: change P90D to P30D, for instance.
Perform the update
The interesting part comes here. Keep the extracted JSON as is. No etag or params to extract!
curl -H "x-goog-user-project: <ProjectID>" \
-d @recommender-iam.json -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
https://recommender.googleapis.com/v1beta1/projects/<ProjectID>/locations/global/recommenders/google.iam.policy.Recommender/config
I already shared this easier way with the engineering team. I hope the CLI will be better soon!
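As an added example (not code from the original post or from Google), this Python helper turns the "change P90D to P30D" step into a checked edit of the described JSON: it validates the new period, keeps the etag and every other field exactly as read, and returns the body to send with the PATCH call. The sample config is constructed from the output shown earlier, and the 30 to 90 day bounds are a hypothetical local policy.

```python
import json
import re

# Constructed sample of the `describe --format=json` output shown above.
SAMPLE_DESCRIBE = json.dumps({
    "etag": "\"24512cd0d91389e6\"",
    "name": "projects/<project>/locations/global/recommenders/"
            "google.iam.policy.Recommender/config",
    "recommenderGenerationConfig": {
        "params": {"minimum_observation_period": "P90D"}
    },
    "revisionId": "DEFAULT",
    "updateTime": "2022-08-08T01:18:29Z",
})

DAY_DURATION = re.compile(r"P([1-9][0-9]*)D")  # ISO 8601 duration in whole days


def build_patch_body(describe_json, new_period, min_days=30, max_days=90):
    """Return (patch_body, old_period) with only the observation period changed.

    min_days/max_days are a hypothetical local policy, not limits taken from
    the page or from the Recommender API.
    """
    config = json.loads(describe_json)
    match = DAY_DURATION.fullmatch(new_period)
    if match is None:
        raise ValueError(f"not a whole-day ISO 8601 duration: {new_period!r}")
    days = int(match.group(1))
    if not min_days <= days <= max_days:
        raise ValueError(f"{days} days is outside the {min_days}-{max_days} day policy")
    if not config.get("etag"):
        # The etag read at describe time is what lets the server reject the
        # update if someone else changed the config in the meantime.
        raise ValueError("described config has no etag")
    params = config["recommenderGenerationConfig"]["params"]
    old_period = params["minimum_observation_period"]
    params["minimum_observation_period"] = new_period
    return config, old_period


if __name__ == "__main__":
    body, old = build_patch_body(SAMPLE_DESCRIBE, "P30D")
    print(f"minimum_observation_period: {old} -> P30D")
    print(json.dumps(body, indent=2))  # save as recommender-iam.json for curl -d @...
```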
A platform built with your rules
Recommender customization is only at its beginning, and not all recommenders are customizable yet.
In addition, some mandatory components are missing, like the Terraform module to set the recommender parameters directly with IaC.
Anyway, you can start thinking about and defining your policies, and how you want recommendations made to optimize your cloud environment!