Cloud Resources Management (云资源管理)

为运维人员提供 GCP 云资源的管理和监控功能，包括查看和管理 Compute Engine、Cloud Storage、网络资源等。

Provides GCP cloud resource management and monitoring for DevOps engineers, including Compute Engine, Cloud Storage, networking, and more.

Quick Start

List Compute Instances (列出计算实例)

显示所有 GCE 实例 List all Compute Engine instances

Check Cloud Storage (检查云存储)

列出所有 GCS buckets List all Cloud Storage buckets

View Project Resources (查看项目资源)

显示项目 srpproduct-dc37e 的资源概况 Show resource overview for project srpproduct-dc37e

Key Features

1. Compute Engine Management (计算引擎管理)

View and monitor GCE instances:

Common Operations:

List instances

gcloud compute instances list

Get instance details

gcloud compute instances describe <instance-name>

Check instance status

gcloud compute instances get-serial-port-output <instance-name>

2. Cloud Storage (云存储)

Monitor and manage GCS buckets and objects:

Common Operations:

List buckets

gcloud storage buckets list

List objects in bucket

gcloud storage ls gs://<bucket-name>/

Get object metadata

gcloud storage objects describe gs://<bucket-name>/<object-name>

3. Network Resources (网络资源)

View network configuration and health:

Common Operations:

List networks

gcloud compute networks list

List firewalls

gcloud compute firewall-rules list

List load balancers

gcloud compute forwarding-rules list

4. Resource Monitoring (资源监控)

Monitor resource usage and costs:

Common Operations:

Project info

gcloud projects describe <project-id>

List services

gcloud services list --enabled

Check quotas

gcloud compute project-info describe --project=<project-id>

Common Workflows

Workflow 1: Instance Health Check

1. User: "检查所有 production 实例的健康状态"
2. List instances: gcloud compute instances list --filter="labels.env=production"
3. Check each instance status
4. Review recent logs if needed
5. Report health summary

Workflow 2: Storage Audit

1. User: "审计 GCS buckets 的访问权限"
2. List all buckets
3. Get IAM policy for each bucket
4. Check public access
5. Identify potential security issues
6. Generate audit report

Workflow 3: Network Troubleshooting

1. User: "为什么服务 A 无法连接到服务 B？"
2. Check firewall rules
3. Verify network connectivity
4. Review load balancer config
5. Check DNS settings
6. Diagnose issue and suggest fixes

Examples (示例)

Example 1: List Compute Instances (列出计算实例)

User (Chinese):

显示项目中所有正在运行的 GCE 实例

Assistant Response:

我会列出所有正在运行的 GCE 实例。

<executes: gcloud compute instances list --filter="status=RUNNING">

Running Compute Engine Instances:

Summary:

• Total running instances: 4
• Machine types: n2-standard-4 (2), n2-standard-8 (1), n2-highmem-8 (1)
• 2 instances with external IPs
• All instances in us-east1 region

Example 2: Storage Bucket Overview (存储桶概览)

User (English):

List all Cloud Storage buckets and their sizes

Assistant Response:

I'll list all GCS buckets with size information.

<executes: gcloud storage buckets list> <executes: gcloud storage du -s gs://<bucket>/* for each bucket>

Cloud Storage Buckets:

Summary:

• Total storage: 8.4 TB
• Monthly estimated cost: ~$180 (based on storage class)
• Largest bucket: srp-prod-backups (5.1 TB)
• Most objects: srp-prod-logs (1.25M objects)

Recommendations:

• Consider lifecycle policies for old logs
• Review backup retention policy
• Monitor storage costs

Example 3: Network Firewall Audit (网络防火墙审计)

User (Chinese):

检查是否有过于宽松的防火墙规则

Assistant Response:

我会检查防火墙规则，识别潜在的安全风险。

<executes: gcloud compute firewall-rules list>

Firewall Rules Audit:

✅ Secure Rules (10):

• allow-internal-prod: 10.0.0.0/8 → All (Internal only)
• allow-ssh-bastion: Specific IPs → tcp:22
• allow-https-lb: Load balancer → tcp:443
• ... (7 more)

⚠️ Potentially Risky Rules (2):

1. allow-all-dev ⚠️

   • Source: 0.0.0.0/0 (All internet)
   • Ports: tcp:8080, tcp:3000
   • Target: dev-instances
   • Risk: Development ports exposed to internet
   • Recommendation: Restrict to office IPs or VPN

2. allow-ssh-temp ⚠️ HIGH PRIORITY

   • Source: 0.0.0.0/0 (All internet)
   • Port: tcp:22
   • Target: All instances
   • Risk: SSH open to entire internet
   • Recommendation: DELETE immediately and use bastion host

Summary:

• Total rules: 12
• Secure: 10
• Needs review: 2

Action Items:

1. 🔴 URGENT: Review and restrict allow-ssh-temp rule
2. 🟡 Review allow-all-dev and limit to VPN/office IPs
3. 🟢 Document all firewall rule purposes

Important Notes

Access Control (访问控制)

• Requires GCP authentication (gcloud)

• Operations limited by IAM permissions

• Read access to most resources

• Some management operations available with proper roles

Safety Guidelines (安全指南)

• Caution with management operations: Always verify before executing

• Prefer read-only commands for investigation

• Use appropriate environments (dev/staging/prod)

• Follow change management processes

• Document all changes

Best Practices (最佳实践)

• Use labels for resource organization

• Enable audit logging

• Regular security reviews

• Monitor costs and quotas

• Use least privilege access

Prerequisites

GCP CLI (gcloud)

Ensure gcloud is installed and configured:

Check gcloud installation

gcloud version

Authenticate

gcloud auth login

Set default project

gcloud config set project srpproduct-dc37e

Verify access

gcloud projects describe srpproduct-dc37e

Environment Variables

export GCP_PROJECT_ID="srpproduct-dc37e" export GCP_REGION="us-east1" export GCP_ZONE="us-east1-b"

Required IAM Roles

Minimum roles needed:

• roles/compute.viewer

• View compute resources

• roles/storage.objectViewer

• View storage objects

• roles/viewer

• Basic project viewing

For management operations:

• roles/compute.instanceAdmin

• Manage instances

• roles/storage.admin

• Manage storage

• roles/iam.securityReviewer

• Security audits

Limitations

Current Limitations

• Uses gcloud CLI (not direct API integration)

• No real-time dashboards

• Limited cost analytics

• No automated remediation

• Manual execution of commands

Future Enhancements

• Direct GCP API integration via MCP

• Real-time resource monitoring

• Cost analytics and optimization

• Automated compliance checks

• Integration with Terraform/IaC

• Alert and notification system

Troubleshooting

Issue 1: "gcloud: command not found"

Solutions:

• Install gcloud SDK: https://cloud.google.com/sdk/docs/install

• Add to PATH

• Restart terminal

Issue 2: "Permission denied"

Solutions:

• Check current account: gcloud auth list

• Verify IAM permissions

• Switch account if needed: gcloud config set account <email>

• Contact GCP admin

Issue 3: "Project not found"

Solutions:

• List available projects: gcloud projects list

• Set correct project: gcloud config set project <project-id>

• Verify project ID spelling

Security & Compliance

Resource Access Audit

• All operations are logged in Cloud Audit Logs

• Review logs regularly

• Follow principle of least privilege

• Use service accounts for automation

Sensitive Data

• Do not expose credentials

• Use Secret Manager for secrets

• Enable data encryption

• Regular access reviews

Compliance

• Follow company security policies

• Document all infrastructure changes

• Regular compliance audits

• Incident response procedures

Related Skills

• k8s-management : Kubernetes cluster management

• Future: monitoring-alerts , cost-optimization , incident-response

Operations Reference

Safe Read Operations (安全的只读操作)

✅ List resources ✅ Describe resources ✅ Get logs ✅ Check status ✅ View metrics

Management Operations (需谨慎执行)

⚠️ Start/stop instances ⚠️ Modify configurations ⚠️ Create/delete resources ⚠️ Change IAM policies ⚠️ Network changes

Always verify management operations before executing and follow change management processes.