Use Labels for Resource Management

Risk Level: Low (generally tolerable level of risk)

Ensure that user-defined labels are being used to tag, collect, and organize Eventarc triggers within your Google Cloud Platform (GCP) projects. User-defined labels are a lightweight and efficient way to group together related or associated cloud resources.

Security
Reliability
Performance efficiency
Cost optimisation

As your Google Cloud Platform (GCP) projects grow increasingly complex, effective management strategies become essential. User-defined labels can significantly enhance visibility and organization across your Google Cloud resources. By strategically labeling your Eventarc triggers, you can streamline organization, simplify search queries, and optimize resource management. This lightweight yet powerful approach allows you to group related services, such as production, staging, and development environments, for efficient identification and control.


Audit

To determine if your Google Cloud Eventarc triggers are labeled for better resource management, perform the following operations:

Getting the user-defined labels for Eventarc triggers using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-ai-project-112233
cc-dev-project-112233

03 Run eventarc triggers list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID of each Eventarc trigger created for the selected project:

gcloud eventarc triggers list --project=cc-web-project-123123 --format="default(name)"

04 The command output should return the requested Eventarc trigger IDs (i.e., fully qualified identifiers):

---
name: projects/cc-web-project-123123/locations/us-central1/triggers/cc-project5-trigger
---
name: projects/cc-web-project-123123/locations/us-central1/triggers/cc-cloud-ai-trigger

05 Run eventarc triggers describe command (Windows/macOS/Linux) with the ID of the Eventarc trigger that you want to examine as the identifier parameter and custom output filters to describe the user-defined resource labels configured for the selected trigger:

gcloud eventarc triggers describe "projects/cc-web-project-123123/locations/us-central1/triggers/cc-project5-trigger" --format="json(labels)"

06 The command output should return the requested resource labels:

null

If the eventarc triggers describe command output returns null, as shown in the example above, the selected Google Cloud Eventarc trigger is not labeled with user-defined labels for resource management. Missing user-defined labels reduce asset tracking, cost allocation, and resource visibility.

07 Repeat steps no. 5 and 6 for each Eventarc trigger that you want to examine, created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
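
The audit steps above can be collapsed into a single pass. The following is an added example, not part of the original page: it parses gcloud's JSON output and reports every trigger that has no labels or lacks a required label key. The REQUIRED_KEYS policy, the --sample flag and the sample trigger named cc-labeled-trigger are assumptions made for illustration.

```python
"""Audit Eventarc trigger labels from gcloud JSON output (added example)."""
import json
import subprocess
import sys

# Assumption: the label keys your organization requires; the page only suggests
# environment, team, billing, version and owner as possible labels.
REQUIRED_KEYS = ("environment", "team")


def audit_triggers(triggers_json, required=REQUIRED_KEYS):
    """Return {trigger name: sorted list of missing required label keys}.

    A trigger with no labels at all (the "null" case in the audit steps)
    is reported as missing every required key.
    """
    findings = {}
    for trigger in json.loads(triggers_json) or []:
        labels = trigger.get("labels") or {}  # absent or null -> unlabeled
        missing = sorted(k for k in required if not labels.get(k))
        if missing:
            findings[trigger["name"]] = missing
    return findings


def gcloud_json(*args):
    """Run a gcloud command and return its JSON output as text."""
    return subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample shaped like `gcloud eventarc triggers list --format=json`.
SAMPLE = json.dumps([
    {"name": "projects/cc-web-project-123123/locations/us-central1/triggers/cc-project5-trigger"},
    {"name": "projects/cc-web-project-123123/locations/us-central1/triggers/cc-cloud-ai-trigger",
     "labels": {"environment": "prod"}},
    {"name": "projects/cc-web-project-123123/locations/us-central1/triggers/cc-labeled-trigger",
     "labels": {"environment": "prod", "team": "engineering"}},
])

if __name__ == "__main__":
    if sys.argv[1:] == ["--sample"]:  # offline run on the constructed sample
        reports = {"sample": audit_triggers(SAMPLE)}
    else:  # steps 01-08: every project, every trigger
        projects = json.loads(gcloud_json("projects", "list"))
        reports = {p["projectId"]: audit_triggers(
            gcloud_json("eventarc", "triggers", "list", "--project", p["projectId"]))
            for p in projects}
    for project, findings in reports.items():
        for name, missing in findings.items():
            print(f"{project}: {name} missing labels: {', '.join(missing)}")
    sys.exit(1 if any(reports.values()) else 0)
```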

Remediation / Resolution

To ensure that all your Google Cloud Eventarc triggers are labeled with user-defined labels for better resource management, perform the following operations:

Implementing user-defined labels for Eventarc triggers using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run eventarc triggers update command (Windows/macOS/Linux) with the ID of the Eventarc trigger that you want to configure as the identifier parameter, to set user-defined labels for the trigger. Use the --update-labels command parameter to supply your own labels. If the specified label exists, its value is modified. Otherwise, a new label is created. You can use labels such as: environment (e.g., prod, test, dev), team (e.g., frontend, backend, secops), billing (e.g., project5, engineering), version (e.g., v1.5, v2.1) or owner (e.g., john-doe, team-lead):

gcloud eventarc triggers update "projects/cc-web-project-123123/locations/us-central1/triggers/cc-project5-trigger" --update-labels=environment=prod,team=engineering

02 The command output should return the update operation status:

Updating trigger [cc-project5-trigger] in project [cc-web-project-123123], location [us-central1]... done.

03 Repeat steps no. 1 and 2 for each Eventarc trigger that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date Apr 11, 2025