Google has postponed the launch to April 2026 and has implemented a preview function of the estimated cost when editing an alerting policy. This estimate is uses a very similar calculation to appe
but only looks at the last few minutes / hours (the exact value is not known and seems to vary slightly). This will generally result in lower estimates than appe
but you can change the length of the window appe
goes back using the -d
flag (eg. -d 5m
or -d 4h
) to get the same or similar results. In order to more closely match the results of the preview functionality, appe
's default has been changed to 12h
for now. This will likely change again if or when Google updates the built-in preview functionality again.
Please note that both the preview function and appe
's default are not 100% accurate.
Starting April 2026, Google will begin charging for Alerting Policies.
While Google has provided documentation and examples, it is still very hard to actually estimate the cost of an Alerting Policy, let alone if you have dozens or possible hundreds of them.
Using appe
, you can easily estimate the price of not just an individual Alerting Policy, but all of them in your entire organization using a single command.
- Make sure you have Application Default Credentials set up correctly (See Authentication)
- Make sure you have the recommended roles
- Download the release for your operating system and CPU architecture
- Run
appe
on your project withappe -p PROJECT_ID
(or see usage for other examples)
appe
can output human-readable output to the standard console output (stdout
) or stream the results to a CSV file while it is scanning with the --csvOutput FILENAME
flag.
In order to get the metadata of a policy or list the existing policies within a project, you will need the following permissions:
monitoring.alertPolicies.get
monitoring.alertPolicies.list
These would be included in the Monitoring AlertPolicy Viewer (roles/monitoring.alertPolicyViewer
) role. However, the metadata is not enough to estimate the price and we will need to actually execute the policy’s condition. This requires the monitoring.timeSeries.list
permission, which is included in the Monitoring Viewer (roles/monitoring.viewer
) role.
If you want to run appe
on more than individual policies, you will also need the resourcemanager.projects.list
permission (which is also conveniently included in the Monitoring Viewer role). If you need to recursively scan for projects (i.e. go into subfolders), you will also need the resourcemanager.folders.list
permission.
You can also use the --testPermissions
flag to let appe
verify that you have the correct permissions before trying to use them in order to avoid errors in your logs.
We recommend that you assign the following two roles for full compatibility:
- Monitoring Viewer (
roles/monitoring.viewer
) - Browser (
roles/browser
)
The easiest way to get and install appe
is to download one of the pre-compiled binaries from the releases. appe
is a self-contained binary without any dependencies and can be run from anywhere. You do not need to download any runtime and there is no need for an installer.
Since the binary is not signed with an Apple Developer Certificate, your Mac will likely report it as untrustworthy. There are two ways to deal with this:
- Run
xattr -dr com.apple.quarantine <path to appe>
to add the executable to the allow list (credit to openecoacoustics.org) - Compile it yourself (see below)
The easiest way to do this is to:
- Install Go
- Run
go install github.com/doitintl/gcp-tool-appe@latest
This will download the dependencies, compile the program and put the executable in your $GOPATH/bin
directory (see GOPATH)
Alternatively, you can also clone the repository and run go build
to compile it manually.
appe
uses Application Default Credentials (ADC) to authenticate against the various APIs.
If you are running appe
on a Google Cloud compute service such as Compute Engine, it will use the service's Service Account to authenticate.
If you are running appe
locally, the easiest way to set up ADC is to use gcloud by running:
gcloud auth application-default login
See also https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev.
Using appe
is fairly straightforward
To estimate the price for individual policies, you can reference them directly with the --policy
flag:
./appe --policy projects/PROJECT_ID/alertPolicies/POLICY_ID
You can also specify multiple policies:
./appe --policy projects/PROJECT_ID/alertPolicies/POLICY_ID_1,projects/PROJECT_ID/alertPolicies/POLICY_ID_2
To estimate the price for all policies in a project, you can specify the project either with the --project
flag or the shorthand -p
:
./appe -p PROJECT_ID
You can also specify multiple projects:
./appe -p PROJECT_ID_1,PROJECT_ID_2
To estimate the price of all policies in all projects in a folder, you can specify the folder ID either with the --folder
flag or the shorthand -f
:
./appe -f FOLDER_ID
You can also specify multiple folders:
./appe -f FOLDER_ID_1,FOLDER_ID_2
Note that you will need to specify the --recursive
or -r
flag to also scan subfolders.
To estimate the price of all policies in all projects in an organization, you can specify the organization ID either with the --organization
flag or the shorthand -o
:
./appe -o ORG_ID
You can also specify multiple organizations:
./appe -o ORG_ID_1,ORG_ID_2
Note that you will need to specify the --recursive
or -r
flag to also scan subfolders.
The following condition types are supported by appe
:
- Monitoring Query Language (MQL) via projects.timeSeries.query
- Threshold and Absence via projects.timeSeries.list
- Prometheus Query Language (PromQL / PQL) via projects.location.prometheus.api.v1.query_range
-c, --csvOut string Path to a CSV file to redirect output to. If this is not set, human-readable output will be given on stdout.
-d, --duration duration The delta from now to go back in time for query. Default is 12 hours. (default 12h0m0s)
-e, --excludeFolder strings One or more folders to exclude. Separated by ",".
-f, --folder strings One or more folders to scan. Use the "-r" flag to scan recursively. Separated by ",".
-h, --help help for appe
-i, --includeDisabled If the application should also include disabled policies. (default false)
-o, --organization strings One or more organizations to scan. Use the "-r" flag to scan recursively. Separated by ",".
--policy strings One or more alerting policies to analyze. Names must be given in full in the format "projects/PROJECT_ID/alertPolicies/POLICY_ID". Separated by ",".
-p, --project strings One or more projects to scan. Separated by ",".
-q, --quotaProject string A quota or billing project. Useful if you don't have the serviceusage.services.use permission in the target project.
-r, --recursive If parent should be scanned recursively. If this is not set, only projects at the root of the folder or organization will be scanned. (default false)
-s, --summary Whether the output should just be a summary (sum of all scanned policies) (default false)
-t, --testPermissions If the application should verify that the user has the necessary permissions before processing a project. (default false)
--threads int Number of threads to use to process folders, projects and policies in parallel. (default 4)
-v, --version version for appe