I have to verify that the app.yaml file controlling the application contains a line which enforces secure connections. For example:

    handlers:
    - url: /.*
      secure: always
      redirect_http_response_code: 301
      script: auto

I created a Python script that gets the list of all projects in GCP and checks the deployed app versions and then their app.yaml, e.g.:

    handlers:
    - url: /.*
      secure: always
      redirect_http_response_code: 301
      script: auto

I get the output with the version ID, but it doesn't find the app.yaml file.

Code here:

    import subprocess
    import csv
    import re

    # Get a list of all Google Cloud projects
    projects = subprocess.run(["gcloud", "projects", "list", "--format=value(projectId)"], capture_output=True, text=True)
    project_ids = projects.stdout.splitlines()

    results = []

    for project_id in project_ids:
        # Get versions for App Engine services within each project
        app_versions_command = f"gcloud app versions list --format='table(version.id)' --project={project_id} --service=default"
        app_versions_output = subprocess.run(app_versions_command, shell=True, capture_output=True, text=True)

        if app_versions_output.returncode == 0:
            versions = app_versions_output.stdout.splitlines()[1:]  # Skip header

            for version in versions:
                version = version.strip()

                # Get app.yaml content for each version
                app_yaml_command = f"gcloud app versions describe {version} --project={project_id} --service=default --format='get(config.appYaml)'"
                app_yaml_content = subprocess.run(app_yaml_command, shell=True, capture_output=True, text=True)

                if app_yaml_content.returncode == 0:
                    yaml_content = app_yaml_content.stdout

                    # Check if the app.yaml file contains the specific configuration
                    if re.search(r'handlers:\s*- url: /.*\s* secure: always\s* redirect_http_response_code: 301\s* script: auto', yaml_content):
                        results.append({"Project ID": project_id, "Version ID": version, "Secure Connection": "Enforced"})
                    else:
                        results.append({"Project ID": project_id, "Version ID": version, "Secure Connection": "Not Enforced"})
                else:
                    results.append({"Project ID": project_id, "Version ID": version, "Secure Connection": "No app.yaml found"})
        else:
            results.append({"Project ID": project_id, "Version ID": "N/A", "Secure Connection": "Error fetching versions"})

    # Export results to a CSV file
    with open('secure_connections_all_versions.csv', 'w', newline='') as csvfile:
        fieldnames = ['Project ID', 'Version ID', 'Secure Connection']
        writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
        writer.writeheader()
        writer.writerows(results)

    print("Results exported to secure_connections_all_versions.csv")

If the app.yaml is found, it checks for the below code inside app.yaml:

    handlers:
    - url: /.*
      secure: always
      redirect_http_response_code: 301
      script: auto

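A structural version of the check described above, as an added example that is not part of the original post: it audits every handler of a version rather than regex-matching one block, so an earlier handler that still allows plain HTTP is reported. It assumes the input is the JSON of a Version resource with its `handlers` included, using the App Engine Admin API field names (`urlRegex`, `securityLevel`); the function name and the sample data are constructed for illustration.

```python
import json

# Constructed sample: a Version resource in the App Engine Admin API JSON
# shape (assumption: retrieved with its `handlers` field included).
SAMPLE_VERSION_JSON = """
{
  "id": "20240101t000000",
  "handlers": [
    {"urlRegex": "/static/.*", "securityLevel": "SECURE_OPTIONAL",
     "staticFiles": {"path": "static"}},
    {"urlRegex": "/.*", "securityLevel": "SECURE_ALWAYS",
     "redirectHttpResponseCode": "REDIRECT_HTTP_RESPONSE_CODE_301",
     "script": {"scriptPath": "auto"}}
  ]
}
"""


def audit_handlers(version_json):
    """Return (verdict, findings); findings lists (url, level) of weak handlers."""
    try:
        version = json.loads(version_json)
    except json.JSONDecodeError:
        return "Unparseable", []
    if not isinstance(version, dict):
        return "Unparseable", []

    handlers = version.get("handlers")
    if not handlers:
        # Missing handlers is reported separately, never as "Enforced".
        return "No handlers found", []

    findings = []
    for handler in handlers:
        # A handler without an explicit level is treated as not enforcing HTTPS.
        level = handler.get("securityLevel", "SECURE_UNSPECIFIED")
        if level != "SECURE_ALWAYS":
            findings.append((handler.get("urlRegex", "<no url>"), level))

    return ("Enforced" if not findings else "Not Enforced"), findings


if __name__ == "__main__":
    verdict, weak = audit_handlers(SAMPLE_VERSION_JSON)
    print(verdict, weak)
```

In the sample, the catch-all `/.*` handler enforces HTTPS, but the `/static/.*` handler listed before it does not, so the version is reported as "Not Enforced".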
Sharing this as a community wiki for the benefit of others
As discussed by @Puteri and @Touhid Alam