Skip to content

doitintl/gcp-tool-appe

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

IMPORTANT NOTE

Google has postponed the launch to April 2026 and has implemented a preview function of the estimated cost when editing an alerting policy. This estimate is uses a very similar calculation to appe but only looks at the last few minutes / hours (the exact value is not known and seems to vary slightly). This will generally result in lower estimates than appe but you can change the length of the window appe goes back using the -d flag (eg. -d 5m or -d 4h) to get the same or similar results. In order to more closely match the results of the preview functionality, appe's default has been changed to 12h for now. This will likely change again if or when Google updates the built-in preview functionality again. Please note that both the preview function and appe's default are not 100% accurate.

appe - Alerting Policy Price Estimator

Starting April 2026, Google will begin charging for Alerting Policies.

While Google has provided documentation and examples, it is still very hard to actually estimate the cost of an Alerting Policy, let alone if you have dozens or possible hundreds of them. Using appe, you can easily estimate the price of not just an individual Alerting Policy, but all of them in your entire organization using a single command.

Quick Start

  1. Make sure you have Application Default Credentials set up correctly (See Authentication)
  2. Make sure you have the recommended roles
  3. Download the release for your operating system and CPU architecture
  4. Run appe on your project with appe -p PROJECT_ID (or see usage for other examples)

Output

appe can output human-readable output to the standard console output (stdout) or stream the results to a CSV file while it is scanning with the --csvOutput FILENAME flag.

Required Permissions

In order to get the metadata of a policy or list the existing policies within a project, you will need the following permissions:

  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list

These would be included in the Monitoring AlertPolicy Viewer (roles/monitoring.alertPolicyViewer) role. However, the metadata is not enough to estimate the price and we will need to actually execute the policy’s condition. This requires the monitoring.timeSeries.list permission, which is included in the Monitoring Viewer (roles/monitoring.viewer) role. If you want to run appe on more than individual policies, you will also need the resourcemanager.projects.list permission (which is also conveniently included in the Monitoring Viewer role). If you need to recursively scan for projects (i.e. go into subfolders), you will also need the resourcemanager.folders.list permission. You can also use the --testPermissions flag to let appe verify that you have the correct permissions before trying to use them in order to avoid errors in your logs.

Recommended Roles

We recommend that you assign the following two roles for full compatibility:

Installation

The easiest way to get and install appe is to download one of the pre-compiled binaries from the releases. appe is a self-contained binary without any dependencies and can be run from anywhere. You do not need to download any runtime and there is no need for an installer.

macOS

Since the binary is not signed with an Apple Developer Certificate, your Mac will likely report it as untrustworthy. There are two ways to deal with this:

  1. Run xattr -dr com.apple.quarantine <path to appe> to add the executable to the allow list (credit to openecoacoustics.org)
  2. Compile it yourself (see below)

Compile appe Yourself

The easiest way to do this is to:

  1. Install Go
  2. Run go install github.com/doitintl/gcp-tool-appe@latest

This will download the dependencies, compile the program and put the executable in your $GOPATH/bin directory (see GOPATH)

Alternatively, you can also clone the repository and run go build to compile it manually.

Authentication

appe uses Application Default Credentials (ADC) to authenticate against the various APIs. If you are running appe on a Google Cloud compute service such as Compute Engine, it will use the service's Service Account to authenticate.

If you are running appe locally, the easiest way to set up ADC is to use gcloud by running:

gcloud auth application-default login

See also https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev.

Usage

Using appe is fairly straightforward

Estimate the Price of Individual Policies

To estimate the price for individual policies, you can reference them directly with the --policy flag:

./appe --policy projects/PROJECT_ID/alertPolicies/POLICY_ID

You can also specify multiple policies:

./appe --policy projects/PROJECT_ID/alertPolicies/POLICY_ID_1,projects/PROJECT_ID/alertPolicies/POLICY_ID_2

Estimate the Price for all Policies in a Project

To estimate the price for all policies in a project, you can specify the project either with the --project flag or the shorthand -p:

./appe -p PROJECT_ID

You can also specify multiple projects:

./appe -p PROJECT_ID_1,PROJECT_ID_2

Estimate the Price for all Policies in all Projects in a Folder

To estimate the price of all policies in all projects in a folder, you can specify the folder ID either with the --folder flag or the shorthand -f:

./appe -f FOLDER_ID

You can also specify multiple folders:

./appe -f FOLDER_ID_1,FOLDER_ID_2

Note that you will need to specify the --recursive or -r flag to also scan subfolders.

Estimate the Price for all Policies in all Projects in an Organization

To estimate the price of all policies in all projects in an organization, you can specify the organization ID either with the --organization flag or the shorthand -o:

./appe -o ORG_ID

You can also specify multiple organizations:

./appe -o ORG_ID_1,ORG_ID_2

Note that you will need to specify the --recursive or -r flag to also scan subfolders.

Supported Condition Types

The following condition types are supported by appe:

All Flags

  -c, --csvOut string           Path to a CSV file to redirect output to. If this is not set, human-readable output will be given on stdout.
  -d, --duration duration       The delta from now to go back in time for query. Default is 12 hours. (default 12h0m0s)
  -e, --excludeFolder strings   One or more folders to exclude. Separated by  ",".
  -f, --folder strings          One or more folders to scan. Use the "-r" flag to scan recursively. Separated by ",".
  -h, --help                    help for appe
  -i, --includeDisabled         If the application should also include disabled policies. (default false)
  -o, --organization strings    One or more organizations to scan. Use the "-r" flag to scan recursively. Separated by ",".
      --policy strings          One or more alerting policies to analyze. Names must be given in full in the format "projects/PROJECT_ID/alertPolicies/POLICY_ID". Separated by ",".
  -p, --project strings         One or more projects to scan. Separated by ",".
  -q, --quotaProject string     A quota or billing project. Useful if you don't have the serviceusage.services.use permission in the target project.
  -r, --recursive               If parent should be scanned recursively. If this is not set, only projects at the root of the folder or organization will be scanned. (default false)
  -s, --summary                 Whether the output should just be a summary (sum of all scanned policies) (default false)
  -t, --testPermissions         If the application should verify that the user has the necessary permissions before processing a project. (default false)
      --threads int             Number of threads to use to process folders, projects and policies in parallel. (default 4)
  -v, --version                 version for appe