
Sample GCP Compute RQL Queries

Note: The following guide will walk you through GCP Compute Engine RQL examples.

List terminated Compute instances

config from cloud.resource where api.name = 'gcloud-compute-instances-list' and json.rule = status contains TERMINATED

List VPC subnetworks which are in use

config from cloud.resource where api.name = 'gcloud-compute-instances-list' as X; config from cloud.resource where api.name = 'gcloud-compute-networks-subnets-list' as Y; filter '$.X.networkInterfaces[*].subnetwork contains $.Y.selfLink'; show Y;

List VPC subnetworks which are NOT in-use

config from cloud.resource where api.name = 'gcloud-compute-instances-list' as X; config from cloud.resource where api.name = 'gcloud-compute-networks-subnets-list' as Y; filter 'not ($.X.networkInterfaces[*].subnetwork contains $.Y.selfLink)'; show Y;

Find subnetworks that do not have VPC flow logs enabled and whose network contains Compute instances with IP forwarding enabled (canIpForward)

config from cloud.resource where api.name = 'gcloud-compute-networks-subnets-list' AND json.rule = enableFlowLogs does not exist or enableFlowLogs is false as X; config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = canIpForward is true as Y; filter ' $.Y.networkInterfaces[*].network contains $.X.network '; show X;
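The three two-resource queries above (subnetworks in use, subnetworks not in use, and subnetworks without flow logs on a network that hosts IP-forwarding instances) all work the same way: each resource list is bound to an alias and the `filter` joins them on a shared field. The following is an added Python example, not part of this guide or of Prisma Cloud, that reproduces that join logic over constructed GCP-style JSON so the filter semantics can be checked offline; field names follow the Compute API, all values are made up.

```python
# Added example: plain-Python equivalent of the two-resource RQL joins above.
# Field names mirror the Compute API (networkInterfaces[].subnetwork / .network,
# subnet selfLink / network, enableFlowLogs, canIpForward); values are constructed.

INSTANCES = [  # constructed sample for gcloud-compute-instances-list (alias X / Y)
    {"name": "web-1", "status": "RUNNING", "canIpForward": True,
     "networkInterfaces": [{"network": "net/prod", "subnetwork": "subnet/prod-a"}]},
    {"name": "old-1", "status": "TERMINATED", "canIpForward": False,
     "networkInterfaces": [{"network": "net/dev", "subnetwork": "subnet/dev-a"}]},
]

SUBNETS = [  # constructed sample for gcloud-compute-networks-subnets-list
    {"selfLink": "subnet/prod-a", "network": "net/prod"},   # enableFlowLogs key absent
    {"selfLink": "subnet/prod-b", "network": "net/prod", "enableFlowLogs": False},
    {"selfLink": "subnet/dev-a", "network": "net/dev", "enableFlowLogs": True},
    {"selfLink": "subnet/dev-b", "network": "net/dev", "enableFlowLogs": True},
]


def attached_subnets(instances):
    """Every subnetwork referenced by any NIC: $.X.networkInterfaces[*].subnetwork."""
    return {nic["subnetwork"] for inst in instances
            for nic in inst.get("networkInterfaces", [])}


def subnets_in_use(instances, subnets):
    """filter '$.X.networkInterfaces[*].subnetwork contains $.Y.selfLink'; show Y."""
    used = attached_subnets(instances)
    return sorted(s["selfLink"] for s in subnets if s["selfLink"] in used)


def subnets_not_in_use(instances, subnets):
    """Same join negated with not (...): subnets no instance NIC points at."""
    used = attached_subnets(instances)
    return sorted(s["selfLink"] for s in subnets if s["selfLink"] not in used)


def subnets_without_flow_logs_near_ip_forwarders(instances, subnets):
    """X: enableFlowLogs missing or false; Y: canIpForward true; joined on network."""
    forwarding_nets = {nic["network"] for inst in instances if inst.get("canIpForward")
                       for nic in inst.get("networkInterfaces", [])}
    # .get(..., False) makes an absent key behave like "does not exist or is false"
    return sorted(s["selfLink"] for s in subnets
                  if not s.get("enableFlowLogs", False) and s["network"] in forwarding_nets)
```

Running the three functions over the sample data returns the same rows the RQL `show` clauses would return for these resources.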

Find Compute instances with OS Login enabled (checked via the project-wide instance metadata key enable-oslogin)

config from cloud.resource where api.name = 'gcloud-compute-project-info' AND json.rule = "commonInstanceMetadata.items[?(@.key=='enable-oslogin' && @.value=='TRUE')] exists"