
Use Labels for Resource Management

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that user-defined labels are being used to tag, collect, and organize Google Cloud functions within your Google Cloud Platform (GCP) projects. User-defined labels are a lightweight and efficient way to group together related or associated cloud resources.

Security
Reliability
Performance efficiency
Cost optimisation

As your Google Cloud Platform (GCP) projects grow increasingly complex, effective management strategies become essential. User-defined labels can significantly enhance visibility and organization across your Google Cloud resources. By strategically labeling your Google Cloud Functions, you can streamline organization, simplify search queries, and optimize resource management. This lightweight yet powerful approach allows you to group related functions, such as production, staging, and development environments, for efficient identification and control.


Audit

To determine if your Google Cloud functions are labeled for better resource management, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to the Functions console at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.

04 Select the Google Cloud function that you want to examine and choose LABELS to view the labels defined for the selected function. The panel with the function labels opens.

05 Review the Labels for <function-name> panel to determine if any user-defined labels are configured for the selected resource. If there are no user-defined labels listed on this panel, the selected Google Cloud function is not labeled for resource management.

06 Repeat steps no. 4 and 5 for each Google Cloud function created for the selected GCP project.

07 Repeat steps no. 2 - 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list --format="value(projectId)"

02 The command output should return the requested GCP project ID(s):

cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run the functions list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each Google Cloud function deployed within the selected project:

gcloud functions list --project cc-bigdata-project-123123 --format="(NAME,REGION)"

04 The command output should return the requested function names and the associated regions:

NAME: cc-project5-function
REGION: us-central1

NAME: tm-stream-function
REGION: us-central1

NAME: tm-vertex-function
REGION: us-central1

05 Run the functions describe command (Windows/macOS/Linux) with the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the user-defined labels configured for the selected function:

gcloud functions describe cc-project5-function --region=us-central1 --format="json(labels)"

06 The command output should return the requested resource labels:

null

If the functions describe command output returns null, as shown in the example above, the selected Google Cloud function is not labeled for resource management.

07 Repeat steps no. 5 and 6 for each Google Cloud function created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
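
The per-function check in steps 3 to 7 can be run over a whole project at once. The script below is an added example, not part of the original Conformity procedure: it reads the JSON produced by gcloud functions list --format=json and reports functions with no user-defined labels. Going beyond the page, it also assumes a hypothetical policy of required keys (environment, team, owner), treats the deployment-tool label as tool-generated, and checks label syntax against the ASCII subset of the GCP label rules.

```python
import json
import re

# Labels added by deploy tooling rather than by you; the page's deploy output
# shows "deployment-tool: console-cloud". Excluding it is an assumption.
SYSTEM_LABEL_KEYS = {"deployment-tool"}
# Hypothetical policy built from label keys the page suggests.
REQUIRED_KEYS = {"environment", "team", "owner"}
# ASCII subset of the GCP label syntax: lowercase letters, digits, "_" and "-",
# at most 63 characters, keys starting with a letter.
KEY_RE = re.compile(r"[a-z][a-z0-9_-]{0,62}")
VALUE_RE = re.compile(r"[a-z0-9_-]{0,63}")


def audit_functions(functions_json):
    """Map short function name -> list of labeling issues (compliant ones omitted)."""
    findings = {}
    for fn in json.loads(functions_json):
        labels = fn.get("labels") or {}  # unlabeled: null or key absent
        user = {k: v for k, v in labels.items() if k not in SYSTEM_LABEL_KEYS}
        issues = []
        if not user:
            issues.append("no user-defined labels")
        else:
            missing = sorted(REQUIRED_KEYS - user.keys())
            if missing:
                issues.append("missing required: " + ",".join(missing))
        for key, value in sorted(user.items()):
            if not (KEY_RE.fullmatch(key) and VALUE_RE.fullmatch(value)):
                issues.append(f"invalid label: {key}={value}")
        if issues:
            findings[fn["name"].rsplit("/", 1)[-1]] = issues
    return findings


# Constructed sample in the shape of `gcloud functions list --format=json`.
PREFIX = "projects/cc-bigdata-project-123123/locations/us-central1/functions/"
SAMPLE = json.dumps([
    {"name": PREFIX + "cc-project5-function", "labels": None},
    {"name": PREFIX + "tm-stream-function",
     "labels": {"deployment-tool": "console-cloud"}},
    {"name": PREFIX + "tm-vertex-function",
     "labels": {"environment": "prod", "team": "secops", "owner": "John Doe"}},
    {"name": PREFIX + "demo-ok-function",
     "labels": {"environment": "dev", "team": "backend", "owner": "john-doe"}},
])

if __name__ == "__main__":
    for name, issues in audit_functions(SAMPLE).items():
        print(f"{name}: {'; '.join(issues)}")
```

To audit a real project, pass the output of gcloud functions list --project <project-id> --format=json to audit_functions() in place of the constructed SAMPLE.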

Remediation / Resolution

To ensure that all your Google Cloud functions are labeled for better resource management, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to the Functions console at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.

04 Select the Google Cloud function that you want to configure and choose LABELS to view the labels defined for the selected function. The panel with the function labels opens.

05 In the Labels for <function-name> panel, choose ADD LABEL, and use the Key and Value text fields to define your own labels for the selected function. You can use labels such as: environment (e.g., prod, test, dev), team (e.g., frontend, backend, secops), purpose (e.g., API), billing (e.g., project5, engineering), version (e.g., v1.5, v2.1), location (e.g., us-central1) or owner (e.g., john-doe, team-lead). Choose SAVE to apply the changes. Adding labels will deploy a new revision of the function.

06 Repeat steps no. 4 and 5 for each Google Cloud function that you want to configure, available within the selected project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run the functions deploy command (Windows/macOS/Linux) with the name of the Google Cloud function that you want to configure as the identifier parameter, to set labels for the selected function. Use the --update-labels command parameter to supply your own labels. If the specified label exists, its value is modified. Otherwise, a new label is created. You can use labels such as: environment (e.g., prod, test, dev), team (e.g., frontend, backend, secops), purpose (e.g., API), billing (e.g., project5, engineering), version (e.g., v1.5, v2.1), location (e.g., us-central1) or owner (e.g., john-doe, team-lead). Adding labels will deploy a new revision of the function:

gcloud functions deploy cc-project5-function --source=gs://gcf-v2-sources-123456789012-us-central1/cc-project5-function/function-source.zip --region=us-central1 --runtime=nodejs20 --trigger-http --update-labels environment=prod,team=engineering,location=us-central1

02 The command output should return the build information available for the redeployed function:

buildConfig:
	automaticUpdatePolicy: {}
	build: projects/123456789012/locations/us-central1/builds/abcd1234-abcd-1234-abcd-1234abcd1234abcd
	dockerRegistry: ARTIFACT_REGISTRY
	dockerRepository: projects/cc-bigdata-project-123123/locations/us-central1/repositories/gcf-artifacts
	entryPoint: run-app
	runtime: nodejs20
	source:
		storageSource:
			bucket: gcf-v2-sources-123456789012-us-central1
			generation: '1730285369954566'
			object: cc-project5-function/function-source.zip
	sourceProvenance:
		resolvedStorageSource:
			bucket: gcf-v2-sources-123456789012-us-central1
			generation: '1730285369954566'
			object: cc-project5-function/function-source.zip
createTime: '2024-10-28T09:49:12.051881848Z'
environment: GEN_2
labels:
	deployment-tool: console-cloud
name: projects/cc-bigdata-project-123123/locations/us-central1/functions/cc-project5-function
serviceConfig:
	allTrafficOnLatestRevision: true
	availableCpu: 167m
	availableMemory: 256Mi
	environmentVariables:
		LOG_EXECUTION_ID: 'true'
	ingressSettings: ALLOW_ALL
	minInstanceCount: 3
	maxInstanceCount: 10
	maxInstanceRequestConcurrency: 1
	revision: cc-project5-function-00003-abc
	service: projects/cc-bigdata-project-123123/locations/us-central1/services/cc-project5-function
	serviceAccountEmail: 123456789012-compute@developer.gserviceaccount.com
	timeoutSeconds: 60
	uri: https://cc-project5-function-abcd1234abcd-uc.a.run.app
state: ACTIVE
updateTime: '2024-10-28T10:50:15.176254527Z'
url: https://us-central1-cc-bigdata-project-123123.cloudfunctions.net/cc-project5-function

03 Repeat steps no. 1 and 2 for each Google Cloud function that you want to configure, available in the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.


Publication date Nov 21, 2024