In GCP, how can I identify all the subnets that have Flow Logs 'Off'?

Question

I would like to identify which subnets are not logging VPC Flows.

I have used the following gcloud command in one of my projects to try and identify which subnets do not have Flow logs enabled however the output of this command shows 1 result.

gcloud compute networks subnets list --format=json --filter='enableFlowLogs=false'

From the console, I can see that some other subnets do not have VPC Flow Logs enabled as can be seen from the "Flow Logs" column.

After looking at the JSON output for the command cloud compute networks subnets list --format=jsonI can see that the other subnets do not have the line, 'enableFlowLogs' so it appears to be ineffective to filter on this to identify all subnets that do not have VPC Flow Logs enabled. I understand they are disabled by default so wonder if this is making it more challenging.

I'm trying to figure out how to filter the command on enableFlowLogs=false OR "enableFlowLogs is not defined"

Any ideas?

score 1 · Accepted Answer · answered May 19 '20 at 23:44

I think the filter you are passing gcloud --filter='enableFlowLogs=false' , is also displaying the subnets for which the Flow logging flag is empty. You can reverse the logic and show only the subnets for which the enableFlowLogs is NOT True.

gcloud compute networks subnets list --filter='enableFlowLogs!=True' --format="table[box,title=FlowLoggingDisabled](name,enableFlowLogs,logConfig.enable:label=logging)"

In GCP, how can I identify all the subnets that have Flow Logs 'Off'?

1 Answers1