Starting April 2025, Google will begin charging for Alerting Policies.
While Google has provided documentation and examples, it is still very hard to actually estimate the cost of an Alerting Policy, let alone if you have dozens or possible hundreds of them.
Using appe, you can easily estimate the price of not just an individual Alerting Policy, but all of them in your entire organization using a single command.
- Make sure you have Application Default Credentials set up correctly (See Authentication)
- Make sure you have the recommended roles
- Download the release for your operating system and CPU architecture
- Run
appeon your project withappe -p PROJECT_ID(or see usage for other examples)
appe can output human-readable output to the standard console output (stdout) or stream the results to a CSV file while it is scanning with the --csvOutput FILENAME flag.
In order to get the metadata of a policy or list the existing policies within a project, you will need the following permissions:
monitoring.alertPolicies.getmonitoring.alertPolicies.list
These would be included in the Monitoring AlertPolicy Viewer (roles/monitoring.alertPolicyViewer) role. However, the metadata is not enough to estimate the price and we will need to actually execute the policy’s condition. This requires the monitoring.timeSeries.list permission, which is included in the Monitoring Viewer (roles/monitoring.viewer) role.
If you want to run appe on more than individual policies, you will also need the resourcemanager.projects.list permission (which is also conveniently included in the Monitoring Viewer role). If you need to recursively scan for projects (i.e. go into subfolders), you will also need the resourcemanager.folders.list permission.
You can also use the --testPermissions flag to let appe verify that you have the correct permissions before trying to use them in order to avoid errors in your logs.
We recommend that you assign the following two roles for full compatibility:
- Monitoring Viewer (
roles/monitoring.viewer) - Browser (
roles/browser)
The easiest way to get and install appe is to download one of the pre-compiled binaries from the releases. appe is a self-contained binary without any dependencies and can be run from anywhere. You do not need to download any runtime and there is no need for an installer.
See also https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev.
Since the binary is not signed with an Apple Developer Certificate, your Mac will likely report it as untrustworthy. There are two ways to deal with this:
- Run
xattr -dr com.apple.quarantine <path to appe>to add the executable to the allow list (credit to openecoacoustics.org) - Compile it yourself (see below)
The easiest way to do this is to:
- Install Go
- Run
go install github.com/doitintl/gcp-tool-appe@latest
This will download the dependencies, compile the program and put the executable in your $GOPATH/bin directory (see GOPATH)
Alternatively, you can also clone the repository and run go build to compile it manually.
appe uses Application Default Credentials (ADC) to authenticate against the various APIs.
If you are running appe on a Google Cloud compute service such as Compute Engine, it will use the service's Service Account to authenticate.
If you are running appe locally, the easiest way to set up ADC is to use gcloud by running:
gcloud auth application-default loginUsing appe is fairly straightforward
To estimate the price for individual policies, you can reference them directly with the --policy flag:
./appe --policy projects/PROJECT_ID/alertPolicies/POLICY_IDYou can also specify multiple policies:
./appe --policy projects/PROJECT_ID/alertPolicies/POLICY_ID_1,projects/PROJECT_ID/alertPolicies/POLICY_ID_2To estimate the price for all policies in a project, you can specify the project either with the --project flag or the shorthand -p:
./appe -p PROJECT_IDYou can also specify multiple projects:
./appe -p PROJECT_ID_1,PROJECT_ID_2To estimate the price of all policies in all projects in a folder, you can specify the folder ID either with the --folder flag or the shorthand -f:
./appe -f FOLDER_IDYou can also specify multiple folders:
./appe -f FOLDER_ID_1,FOLDER_ID_2Note that you will need to specify the --recursive or -r flag to also scan subfolders.
To estimate the price of all policies in all projects in an organization, you can specify the organization ID either with the --organization flag or the shorthand -o:
./appe -o ORG_IDYou can also specify multiple organizations:
./appe -o ORG_ID_1,ORG_ID_2Note that you will need to specify the --recursive or -r flag to also scan subfolders.
-c, --csvOut string Path to a CSV file to redirect output to. If this is not set, human-readable output will be given on stdout.
-d, --duration duration The delta from now to go back in time for query. Default is 30 days. (default 720h0m0s)
-e, --excludeFolder strings One or more folders to exclude. Separated by ",".
-f, --folder strings One or more folders to scan. Use the "-r" flag to scan recursively. Separated by ",".
-h, --help help for appe
-i, --includeDisabled If the application should also include disabled policies. (default false)
-o, --organization strings One or more organizations to scan. Use the "-r" flag to scan recursively. Separated by ",".
--policy strings One or more alerting policies to analyze. Names must be given in full in the format "projects/PROJECT_ID/alertPolicies/POLICY_ID". Separated by ",".
-p, --project strings One or more projects to scan. Separated by ",".
-q, --quotaProject string A quota or billing project. Useful if you don't have the serviceusage.services.use permission in the target project.
-r, --recursive If parent should be scanned recursively. If this is not set, only projects at the root of the folder or organization will be scanned. (default false)
-t, --testPermissions If the application should verify that the user has the necessary permissions before processing a project. (default false)
--threads int Number of threads to use to process folders, projects and policies in parallel. (default 4)
-v, --version version for appe