Cloud infrastructure managers are always looking for ways to save costs. It's good to detect underused or unused resources, and even better to automatically streamline or remove them. Enter the GCP Thrifty mod for Flowpipe, a new tool that enables you automate cost optimization. Let's see how it works.
Detect and release unused external IPs
Here's a Steampipe query that finds unattached external IPs.
> select name, location from gcp_compute_address+-----------+-------------+| name | location |+-----------+-------------+| ip-addr-2 | us-central1 || ip-addr-1 | us-central1 |+-----------+-------------+We're paying for these, and if we don't need them we should release them. To do that, we'll run the detect_and_correct_compute_addresses_if_unattached pipeline in the GCP Thrifty mod.
Per the README, the setup entails:
Cloning the mod
Visiting its directory and installing dependencies (
flowpipe mod install)Starting Steampipe as a service (
steampipe service start)Using
credential_importto give Flowpipe access to the credentials in Steampipe'sgcp.spcOptionally, configuring variables that govern the mod's behavior.
Let's run the pipeline.
$ flowpipe pipeline run detect_and_correct_compute_addresses_if_unattached --arg='approvers=[""]'With no approvers, the pipeline runs without interruptions and reports that both addresses are unattached.
Detected unattached Compute address ip-addr-1 [us-central1/encoded-blend-333001].Detected unattached Compute address ip-addr-2 [us-central1/encoded-blend-333001].Now let's take action on them.
Wizard mode for interactive decisions
In wizard mode, Flowpipe prompts you to decide whether to release each address. It's the default, so we can run the pipeline with no arguments.
flowpipe pipeline run detect_and_correct_compute_addresses_if_unattachedNow, Flowpipe pauses on each detected address, so you can decide whether to release it. We'll choose Skip and keep this one for now.
┃ Detected unattached Compute address ip1 [us-central1/encoded-blend-333001].┃ > Skip┃ Delete Compute AddressNote that this interaction can instead happen in Slack, MSTeams, or email by naming — in approvers — one or more notifiers configured with alternate integrations.
Flowpipe proceeds to the next detected address. This time we'll choose Delete Compute Address; Flowpipe takes that action and reports the outcome.
Deleted Compute address ip-addr-2 [us-central1/encoded-blend-333001].Nice!
Delete old compute snapshots automatically
You won't want to automatically release IP addresses without checking each one, but you might want to automatically delete compute snapshots older than a threshold number of days. There's another pipeline for that, detect_and_correct_compute_snapshots_exceeding_max_age.
To use that pipeline automatically, you'll activate a query trigger to query for old snapshots. And you'll set some configuration variables to control how it works. We'll put them into a file, continuous-compliance.fpvars.
approvers = []compute_snapshots_exceeding_max_age_trigger_enabled = truecompute_snapshots_exceeding_max_age_trigger_schedule = "weekly"compute_snapshots_exceeding_max_age_default_action = "delete_snapshot"compute_snapshots_exceeding_max_age_days = 90Then we'll run Flowpipe in server mode and point it at that package of variables.
flowpipe server --var-file=continuous-compliance.fpvarsWith approvers = [] the pipeline handles each detected old snapshot without requiring approval. The default action is normally notify but here we override to delete_snapshot. Now, snapshots older than 90 days will be automatically deleted on a weekly basis.
Configuration-driven workflow
A detect-and-correct mod like this one doesn't require you to write any SQL or HCL. It's a tool that you configure and then use to perform a range of tasks you'd like to automate, with or without approval. Give GCP Thrifty a try, and please let us know how it goes.