Ensure GCP resources that support labels have Labels

Error: GCP resources that support labels do not have Labels

Bridgecrew Policy ID: BC_GCP_GENERAL_10
Checkov Check ID: -
Severity: LOW

GCP resources that support labels do not have Labels

Description

Many different types of GCP resources support labels. Labels allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that labels can be used, we recommend you follow a labeling practice.

View Google's recommended labeling best practices here.

google_active_directory_domain
google_bigquery_dataset
google_bigquery_job
google_bigquery_table
google_bigtable_instance
google_cloud_identity_group
google_cloudfunctions_function
google_composer_environment
google_compute_disk
google_compute_image
google_compute_instance
google_compute_instance_from_template
google_compute_instance_template
google_compute_region_disk
google_compute_snapshot
google_dataflow_job
google_dataproc_cluster
google_dataproc_job
google_dns_managed_zone
google_eventarc_trigger
google_filestore_instance
google_game_services_game_server_cluster
google_game_services_game_server_config
google_game_services_game_server_deployment
google_game_services_realm
google_healthcare_consent_store
google_healthcare_dicom_store
google_healthcare_fhir_store
google_healthcare_hl7_v2_store
google_kms_crypto_key
google_ml_engine_model
google_monitoring_notification_channel
google_network_management_connectivity_test
google_notebooks_instance
google_project
google_pubsub_subscription
google_pubsub_topic
google_redis_instance
google_secret_manager_secret
google_spanner_instance
google_storage_bucket
google_tpu_node
google_workflows_workflow

Fix - Buildtime

Terraform

The example below shows how to add labels to a storage bucket in Terraform. In the Google provider, labels is a map argument of string keys and values; the syntax is generally the same for any label-enabled resource type.

resource "google_storage_bucket" "auto-expire" {
  name          = "auto-expiring-bucket"
  location      = "US"
  force_destroy = true

+  labels = {
+    type = "prod"
+  }

  lifecycle_rule {
    condition {
      age = 3
    }
    action {
      type = "Delete"
    }
  }
}
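To show how a scanner applies this policy, here is an added Python example (not Bridgecrew's or Checkov's own code) that runs the BC_GCP_GENERAL_10 logic over already-parsed Terraform resource blocks represented as plain dicts; the resource-type subset and the sample configuration are constructed for the example.

```python
# Added example (not Bridgecrew's or Checkov's code): a minimal version of the
# "resources that support labels must have labels" check. Input is the
# {type: {name: attributes}} shape an HCL parser typically produces.
from typing import Any, Dict, List, Tuple

# Subset of the label-capable resource types listed on this page (constructed).
LABELLED_RESOURCE_TYPES = {
    "google_storage_bucket", "google_compute_instance", "google_pubsub_topic",
    "google_bigquery_dataset", "google_kms_crypto_key", "google_project",
}


def check_labels(resource_type: str, conf: Dict[str, Any]) -> str:
    """Return "PASSED", "FAILED", or "SKIPPED" (type does not support labels)."""
    if resource_type not in LABELLED_RESOURCE_TYPES:
        return "SKIPPED"
    labels = conf.get("labels")
    # Some HCL parsers wrap each attribute value in a single-element list.
    if isinstance(labels, list) and len(labels) == 1:
        labels = labels[0]
    # An empty map, or a map whose values are all blank, is treated as unlabelled.
    if isinstance(labels, dict) and any(str(v).strip() for v in labels.values()):
        return "PASSED"
    return "FAILED"


def scan(resources: Dict[str, Dict[str, Dict[str, Any]]]) -> List[Tuple[str, str, str]]:
    """Walk {type: {name: conf}} and return (type, name, result) per resource."""
    return [(rtype, name, check_labels(rtype, conf))
            for rtype, blocks in resources.items()
            for name, conf in blocks.items()]


# Constructed sample: the page's bucket before and after the fix, an empty
# labels map, and a resource type that is not on the list (skipped).
SAMPLE = {
    "google_storage_bucket": {
        "unlabelled": {"name": "auto-expiring-bucket", "location": "US"},
        "auto-expire": {"name": "auto-expiring-bucket", "location": "US",
                        "labels": {"type": "prod"}},
        "empty": {"name": "empty-bucket", "labels": {}},
    },
    "google_compute_firewall": {"allow-ssh": {"name": "allow-ssh"}},
}

if __name__ == "__main__":
    for rtype, name, result in scan(SAMPLE):
        print(f"{result:7} {rtype}.{name}")
```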