🕵️ GCP Forgotten Resource Detective
A comprehensive PowerShell script designed to identify and analyze Google Cloud resources that may be forgotten, unused, or misconfigured, potentially leading to unnecessary costs.
Overview
The GCP Forgotten Resource Detective is a comprehensive PowerShell script designed to identify and analyze Google Cloud resources that may be forgotten, unused, or misconfigured, potentially leading to unnecessary costs. This tool is part of the "FinOps for Everyone" series and helps organizations optimize their GCP spending by detecting orphaned resources and suspicious patterns.
Features
Resource Detection Capabilities
Orphaned Persistent Disks
Unattached disks consuming storage costs
Unattached Static IPs
Reserved public IPs not associated with any resource
Suspicious Firewall Rules
Rules with test/temp naming patterns
Empty Load Balancers
Backend services with no instances
Old Snapshots & Images
Aging snapshots and custom images
Unused Service Accounts
Service accounts with suspicious naming patterns
Cloud SQL Analysis
Identify potentially underutilized databases
Cloud Functions Review
Detect rarely invoked or test functions
Cost Analysis
- Estimates monthly costs for identified resources
- Calculates potential savings from cleanup activities
- Provides cost impact assessments (High/Medium/Low)
Reporting
- HTML Report: Rich, interactive report with visual styling and actionable insights
- CSV Export: Structured data export for further analysis
- Console Summary: Real-time progress and summary information
Prerequisites
System Requirements
- PowerShell: Version 5.1 or later
- Google Cloud SDK: Latest version installed and configured
- GCP Authentication: User must be logged in with
gcloud auth login
Required Permissions
- Viewer: Access to project resources
- Billing Viewer: For cost analysis (optional but recommended)
Google Cloud SDK Setup
# Install Google Cloud SDK (if not already installed)
# Download from: https://cloud.google.com/sdk/docs/install
# Login to Google Cloud
gcloud auth login
# Verify access to project
gcloud config get-value projectUsage
Basic Syntax
.\gcp-forgotten-resources-detector.ps1 -ProjectId "<project-id>"Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
ProjectId | String | ✅ Yes | - | GCP project ID to analyze |
Region | String | ❌ No | "" | Specific region to analyze (empty for all regions) |
DaysThreshold | Integer | ❌ No | 30 | Age threshold for resource analysis (days) |
OutputPath | String | ❌ No | forgotten-resources-report.html | Path for HTML report output |
CsvOutputPath | String | ❌ No | forgotten-resources-report.csv | Path for CSV export |
Example Usage
Basic Analysis
# Analyze project with default settings
.\gcp-forgotten-resources-detector.ps1 -ProjectId "my-production-project"Region-Specific Analysis
# Analyze resources in a specific region
.\gcp-forgotten-resources-detector.ps1 \
-ProjectId "my-project" \
-Region "us-central1" \
-OutputPath "C:\Reports\gcp-analysis.html" \
-CsvOutputPath "C:\Reports\gcp-analysis.csv"Enterprise Analysis
# Analyze multiple projects
$projects = @(
"project-prod-123",
"project-dev-456",
"project-test-789"
)
foreach ($project in $projects) {
.\gcp-forgotten-resources-detector.ps1 \
-ProjectId $project \
-OutputPath "report-$project.html" \
-CsvOutputPath "report-$project.csv"
}Detection Patterns
Orphaned Resources
The script identifies truly orphaned resources that incur costs without providing value:
Orphaned Persistent Disks
Criteria: status == "READY" AND users == null || users.Count == 0
Cost Impact: High (direct storage costs)
Estimated Savings: ~$4-17/month per 100GB disk (varies by type)
Unattached Static IPs
Criteria: status == "RESERVED" AND users == null || users.Count == 0
Exclusions: None
Cost Impact: Medium (~$1.46/month per IP)
Empty Backend Services
Criteria: backends == null || backends.Count == 0
Cost Impact: High (~$16/month per load balancer)
Suspicious Patterns
| Pattern | Risk Level | Description | Detection Logic |
|---|---|---|---|
| No Labels | High | Resources without proper labeling | labels == null || labels.Count == 0 |
| Test/Temp Names | Medium | Resources with temporary naming patterns | name -match "(test|temp|demo)" |
| Old Snapshots | Medium | Snapshots older than threshold | (Now - creationTimestamp).Days > DaysThreshold |
| Legacy Machine Types | Medium | Previous generation machine types | machineType -match "n1-" |
Cost Estimation
The script provides estimated monthly costs for each identified resource based on Google Cloud pricing. These estimates help prioritize cleanup efforts based on potential savings.
Cost Calculation Methodology
Persistent Disk Cost Estimation
# Example cost calculation for persistent disks
function Calculate-PersistentDiskCost {
param($diskType, $sizeGB)
switch -regex ($diskType) {
"pd-standard" { return $sizeGB * 0.04 } # $0.04 per GB-month
"pd-balanced" { return $sizeGB * 0.10 } # $0.10 per GB-month
"pd-ssd" { return $sizeGB * 0.17 } # $0.17 per GB-month
"pd-extreme" { return $sizeGB * 0.25 } # $0.25 per GB-month
default { return $sizeGB * 0.04 } # Default to standard pricing
}
}Sample Cost Impact
| Resource Type | Typical Monthly Cost | Impact Level |
|---|---|---|
| Unattached Persistent Disk (100GB, pd-standard) | $4.00 | Medium |
| Unattached Persistent Disk (100GB, pd-ssd) | $17.00 | High |
| Unattached Static IP | $1.46 | Medium |
| Empty Load Balancer | $16.00 | High |
| Old Snapshot (100GB) | $2.60 | Medium |
Report Output
The script generates comprehensive reports to help you analyze and act on the findings:
HTML Report
A rich, interactive HTML report with visual styling that includes:
- Executive summary with total potential savings
- Resource breakdown by type and risk level
- Detailed findings with resource IDs, ages, and estimated costs
- Cleanup recommendations and best practices
- Sample gcloud commands for remediation
CSV Export
A structured CSV file containing all findings for further analysis or integration with other tools:
ResourceId,ResourceType,Name,Age,EstimatedMonthlyCost,RiskLevel,RecommendedAction
disk-1,Persistent Disk,unused-disk-1,45,$4.00,Medium,Delete or snapshot if needed
address-1,Static IP,N/A,120,$1.46,Medium,Release if not needed
backend-service-1,Backend Service,test-backend,90,$16.00,High,Delete if not in use
snapshot-1,Snapshot,backup-2024-01-15,150,$2.60,Medium,Delete if outdatedSafety & Best Practices
Safe Usage Guidelines
⚠️ Important Safety Notes
- This script is read-only and does not modify any resources
- Always review findings before taking action
- Consider business context before deleting resources
- Take snapshots of disks before deletion if data might be needed
- Test in non-production environments first
Recommended Workflow
- Run the script with default settings to get an initial assessment
- Review the HTML report to understand the findings
- Export CSV data for team review or ticketing system integration
- Create a remediation plan for identified resources
- Implement cleanup actions with appropriate approvals
- Re-run the script to verify improvements
Troubleshooting
Common Issues
| Issue | Possible Cause | Resolution |
|---|---|---|
| gcloud CLI not found | Google Cloud SDK not installed or not in PATH | Install Google Cloud SDK and ensure it's in your system PATH |
| Authentication failure | Not logged in to gcloud | Run gcloud auth login to authenticate |
| Permission denied errors | Insufficient IAM permissions | Ensure your account has Viewer role on the project |
| Script runs slowly | Large number of resources to analyze | Use region-specific analysis or increase timeout settings |
Debugging Tips
- Run gcloud commands manually to verify access and permissions
- Check Cloud Audit Logs for API access denied errors
- Verify project ID spelling and existence
- Ensure PowerShell execution policy allows script execution
Integration Options
Automation Scenarios
The GCP Forgotten Resource Detective can be integrated into various workflows:
- Scheduled Tasks: Run weekly/monthly for ongoing monitoring
- CI/CD Pipelines: Include in infrastructure validation steps
- Cloud Governance: Part of regular compliance checks
- Cost Optimization Initiatives: Regular cleanup campaigns
Integration with GCP Organization
# Example script to run across all projects in a GCP Organization
$projects = gcloud projects list --format="value(projectId)"
foreach ($project in $projects) {
# Set project context
gcloud config set project $project
# Run detective script
.\gcp-forgotten-resources-detector.ps1 -ProjectId $project -OutputPath "report-$project.html"
}Performance
Resource Requirements
The script's performance depends on the size of your GCP environment:
- Small environments (< 100 resources): 1-2 minutes
- Medium environments (100-1000 resources): 2-5 minutes
- Large environments (1000+ resources): 5-15+ minutes
Optimization Tips
- Run region-specific analysis instead of global scans
- Use gcloud pagination settings for large environments
- Consider running in parallel for multiple projects
- Use Cloud Asset Inventory queries where available for faster results
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0.0 | 2025-06-01 | Initial release with core detection capabilities |
| 1.1.0 | 2025-06-10 | Added support for Cloud SQL and Cloud Functions analysis |
| 1.2.0 | 2025-06-15 | Enhanced HTML reporting and added CSV export |
Conclusion
The GCP Forgotten Resource Detective is a powerful tool for identifying cost optimization opportunities in your Google Cloud environment. By regularly scanning for orphaned and suspicious resources, you can significantly reduce your cloud spend and improve your cloud governance posture.
Remember that this tool is part of a broader FinOps strategy. Combine it with proper labeling policies, resource lifecycle management, and regular reviews to maximize your cloud cost efficiency.
Ready to Optimize Your GCP Costs?
Download the GCP Forgotten Resource Detective and start identifying savings opportunities today.