adityaprakash-bobby · January 24, 2020 10:25 · Jan 15, 2020 · Oct 30, 2019 · Oct 30, 2019 · Oct 14, 2019
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -717,6 +717,14 @@ gcloud container clusters describe mycluster --format='get(endpoint)'
 gcloud container clusters get-credentials private-cluster --zone us-central1-a --internal-ip
 ```
 
+### create a GKE cluster with label and query it later
+
+```
+gcloud container clusters create example-cluster --labels env=dev
+gcloud container clusters list --filter resourceLabels.env=dev 
+```
+
+
 ## Cloud Run
 ```
 # deploy a service on Cloud Run in us-central1 and allow unauthenticated user

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -80,17 +80,17 @@ gcloud config configurations activate pythonrocks
 gcloud config set core/account [email protected]
 gcloud auth login
 gcloud projects list
-gcloud config set project dev-193420
+gcloud config set project mygcp-demo
 ```
 
 ### switch gcloud context with gcloud config
 ```
 gcloud config list
-gcloud config set account pythonrocksk8s201702@gmail.com 
-gcloud config set project salt-163215
+gcloud config set account pythonrocks@gmail.com 
+gcloud config set project mygcp-demo
 gcloud config set compute/region us-west1
 gcloud config set compute/zone us-west1-a
-alias demo='gcloud config set account pythonrocksk8s201702@gmail.com && gcloud config set project salt-163215 && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
+alias demo='gcloud config set account pythonrocks@gmail.com && gcloud config set project mygcp-demo && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
 
 
 cluster=$(gcloud config get-value container/cluster 2> /dev/null)
@@ -140,12 +140,12 @@ export PROJECT=$(gcloud info --format='value(config.project)')
 
 ```
 # various way to get project_id
-PROJECT_ID=$(gcloud config get-value core/project)
+PROJECT_ID=$(gcloud config get-value core/project 2>/dev/null)
 PROJECT_ID=$(gcloud config list project --format='value(core.project)')
 PROJECT_ID=$(gcloud info --format='value(config.project)')
 
 # get project_number given project_id or name
-gcloud projects list --filter="project_id:${project_id}"  --format='value(project_number)'
+gcloud projects list --filter="project_id:${PROJECT_ID}"  --format='value(project_number)'
 gcloud projects list --filter="name:${project_name}"  --format='value(project_number)'
 ```
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -195,7 +195,10 @@ gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --form
 gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL    
 gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
 
-# project level: grant roles to sa
+## project level: get a list of roles assigned to a given sa such as terraform
+ gcloud projects get-iam-policy ${PROJECT_ID} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com"
+
+# project level: grant roles to a given sa
 gcloud projects get-iam-policy $PROJECT
 gcloud projects add-iam-policy-binding $PROJECT  --role roles/storage.admin \
     --member serviceAccount:$SA_EMAIL

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -384,6 +384,18 @@ gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh
 gcloud compute config-ssh
 ```
 
+### Windows RDP reset windows password
+returns the IP and password for creating the RDP connection. 
+```
+gcloud compute reset-windows-password qa-iceberg-instance --user=jdoe
+
+ip_address: 104.199.119.166
+password:   Ks(;_gx7Bf2d.NP
+username:   jode
+```
+
+
+
 ### debugging
 gcloud debugging: `gcloud  compute instances list --log-http`
 [serial port debug](https://cloud.google.com/compute/docs/instances/interacting-with-serial-console)

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -149,11 +149,15 @@ gcloud projects list --filter="project_id:${project_id}"  --format='value(projec
 gcloud projects list --filter="name:${project_name}"  --format='value(project_number)'
 ```
 
-## zones
+## zones & regions
 To return a list of zones given a region
 ```
 gcloud compute zones list --filter=region:us-central1
 ```
+```
+# list regions
+gcloud compute regions list
+```
 
 ## billing
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -1,3 +1,60 @@
+Table of Contents
+=================
+* [References](#references)
+* [Other cheatsheets](#other-cheatsheets)
+* [multiple gcloud config configurations](#multiple-gcloud-config-configurations)
+    * [switch gcloud context with gcloud config](#switch-gcloud-context-with-gcloud-config)
+* [auth](#auth)
+* [info](#info)
+* [projects](#projects)
+* [zones](#zones)
+* [billing](#billing)
+* [IAM list permission and roles for a given resource](#iam-list-permission-and-roles-for-a-given-resource)
+* [IAM service account](#iam-service-account)
+    * [GCS bucket level](#gcs-bucket-level)
+    * [Custom Roles](#custom-roles)
+* [app engine](#app-engine)
+* [cloud build](#cloud-build)
+    * [Cloud build trigger GCE rolling replace/start](#cloud-build-trigger-gce-rolling-replacestart)
+* [kms](#kms)
+* [compute engine](#compute-engine)
+    * [gcloud command for creating an instance?](#gcloud-command-for-creating-an-instance)
+    * [list compute images](#list-compute-images)
+    * [list an instance](#list-an-instance)
+    * [move instance](#move-instance)
+    * [ssh &amp; scp](#ssh--scp)
+    * [SSH via IAP](#ssh-via-iap)
+    * [ssh port forwarding for elasticsearch](#ssh-port-forwarding-for-elasticsearch)
+    * [ssh reverse port forwarding](#ssh-reverse-port-forwarding)
+    * [generate ssh config](#generate-ssh-config)
+    * [debugging](#debugging)
+    * [instance level metadata](#instance-level-metadata)
+    * [project level metadata](#project-level-metadata)
+    * [instances, template, target-pool and instance group](#instances-template-target-pool-and-instance-group)
+    * [MIG with startup and shutdown scripts](#mig-with-startup-and-shutdown-scripts)
+    * [disk snapshot](#disk-snapshot)
+    * [regional disk](#regional-disk)
+* [Networking](#networking)
+    * [network and subnets](#network-and-subnets)
+    * [route](#route)
+    * [firewall rules](#firewall-rules)
+    * [layer 4 network lb](#layer-4-network-lb)
+    * [layer 7 http lb](#layer-7-http-lb)
+    * [forwarding-rules](#forwarding-rules)
+    * [address](#address)
+* [GCP managed ssl certificate](#gcp-managed-ssl-certificate)
+* [StackDriver logging](#stackdriver-logging)
+* [Service](#service)
+    * [list service available](#list-service-available)
+    * [Enable Service](#enable-service)
+* [Client libraries you can use to connect to Google APIs](#client-libraries-you-can-use-to-connect-to-google-apis)
+* [chaining gcloud commands](#chaining-gcloud-commands)
+* [one liner to purge GCR images given a date](#one-liner-to-purge-gcr-images-given-a-date)
+* [GKE](#gke)
+* [Cloud Run](#cloud-run)
+* [Machine Learning](#machine-learning)
+* [Deployment Manager](#deployment-manager)
+
 ## References
 * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html)
 * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections)

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -641,6 +641,18 @@ gcloud container clusters describe mycluster --format='get(endpoint)'
 gcloud container clusters get-credentials private-cluster --zone us-central1-a --internal-ip
 ```
 
+## Cloud Run
+```
+# deploy a service on Cloud Run in us-central1 and allow unauthenticated user
+gcloud beta run deploy --image gcr.io/${PROJECT-ID}/helloworld --platform managed --region us-central1 --allow-unauthenticated
+
+# list services
+gcloud beta run services list
+# get endpoint url for a service
+gcloud beta run services describe <service_name> --format="get(status.url)"
+```
+
+
 ## Machine Learning
 ```
 brew install bat

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -119,7 +119,6 @@ gcloud projects list --uri
 ```
 
 ## IAM service account
-* [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 
 ```
 export SA_EMAIL=$(gcloud iam service-accounts list \
@@ -147,11 +146,24 @@ gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.securityAdm
     --member serviceAccount:$SA_EMAIL
 gcloud projects add-iam-policy-binding $PROJECT --role roles/iam.serviceAccountActor \
     --member serviceAccount:$SA_EMAIL
+```
+* [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 
+```
 # service account level: add role to service account
 gcloud iam service-accounts get-iam-policy <sa_email>
 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor'
 ```
+* https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
+* https://medium.com/@tanujbolisetty/gcp-impersonate-service-accounts-36eaa247f87c
+* https://medium.com/wescale/how-to-generate-and-use-temporary-credentials-on-google-cloud-platform-b425ef95a00d
+* https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken shows the lifetime of the OAuth token of 3600 seconds by default
+
+```
+# user:[email protected] impersonate as a svc account terraform@${PROJECT_ID}.iam.gserviceaccount.com
+gcloud iam service-accounts add-iam-policy-binding  terraform@${PROJECT_ID}.iam.gserviceaccount.com --member=user:[email protected] --role roles/iam.serviceAccountTokenCreator
+gcloud container clusters list --impersonate-service-account=terraform@${PROJECT_ID}.iam.gserviceaccount.com
+```
 
 ### GCS bucket level
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -43,8 +43,6 @@ project=$(gcloud config get-value core/project 2> /dev/null)
 # switch project based on the name
 gcloud config set project $(gcloud projects list --filter='name:wordpress-dev' --format='value(project_id)')
 
-# get the GKE cluster endpoint
-gcloud container clusters describe mycluster --zone $(gcloud config get-value compute/zone) --format='get(endpoint)'
 ```
 
 ```
@@ -616,9 +614,15 @@ gcloud beta container clusters create run-gke \
 
 ```
 # create a VPC native cluster
-gcloud container clusters create k1 --network custom-ip-vpc --subnetwork subnet-alias  --enable-ip-alias --cluster-ipv4-cidr=/16   --services-ipv4-cidr=/22
+gcloud container clusters create k1 \
+--network custom-ip-vpc --subnetwork subnet-alias \
+--enable-ip-alias --cluster-ipv4-cidr=/16   --services-ipv4-cidr=/22
 ```
 
+```
+# get the GKE endpoint
+gcloud container clusters describe mycluster --format='get(endpoint)'
+```
 
 ```
 # generate a ~/.kube/config for private cluster with private endpoint

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -109,7 +109,12 @@ gcloud organizations list
 ## IAM list permission and roles for a given resource
 ```
 gcloud iam list-testable-permissions <uri>
+e.g gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/$PROJECT_ID
+
 gcloud iam list-grantable-roles <uri>
+e.g. 
+gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/$PROJECT_ID
+gcloud iam list-grantable-roles https://www.googleapis.com/compute/v1/projects/$PROJECT_ID/zones/us-central1-a/instances/iowa1
 
 # get uri e.g.
 gcloud projects list --uri

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -615,6 +615,11 @@ gcloud container clusters create k1 --network custom-ip-vpc --subnetwork subnet-
 ```
 
 
+```
+# generate a ~/.kube/config for private cluster with private endpoint
+gcloud container clusters get-credentials private-cluster --zone us-central1-a --internal-ip
+```
+
 ## Machine Learning
 ```
 brew install bat

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -278,6 +278,18 @@ gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get node
 
 gcloud compute scp  --recurse ../manifest <instance_name>:
 ```
+
+### SSH via IAP
+* https://cloud.google.com/iap/docs/using-tcp-forwarding
+
+```
+# find out access-config-name's name
+gcloud compute instances describe oregon1
+# remove the external IP
+gcloud compute instances delete-access-config  oregon1 --access-config-name "External NAT"
+# connect via IAP, assuming the IAP is granted to the account used for login. 
+gcloud beta compute ssh oregon1 --tunnel-through-iap
+```
 ### ssh port forwarding for elasticsearch
 ```
 gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --ssh-flag="-L localhost:9200:localhost:9200"

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -14,6 +14,7 @@
 
 ## multiple gcloud config configurations
 * https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/
+* https://medium.com/infrastructure-adventures/working-with-multiple-environment-in-gcloud-cli-93b2d4e8cf1e
 
 ```
 gcloud config configurations create pythonrocks

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -606,4 +606,8 @@ gcloud container clusters create k1 --network custom-ip-vpc --subnetwork subnet-
 ```
 brew install bat
 gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat  -l json
-```
+```
+
+## Deployment Manager
+* https://cloud.google.com/sdk/gcloud/reference/deployment-manager/deployments/
+Play with the commands for preview and cancel-preview. 
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -16,11 +16,13 @@
 * https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/
 
 ```
-$gcloud config configurations list
-NAME           IS_ACTIVE  ACCOUNT                  PROJECT             DEFAULT_ZONE  DEFAULT_REGION
-default        False      [email protected]     operator  us-west1-b    us-west1
-someone  True       [email protected]  dev-env     us-west1-b    us-west1
-$gcloud config configurations activate default
+gcloud config configurations create pythonrocks
+gcloud config configurations list
+gcloud config configurations activate pythonrocks
+gcloud config set core/account [email protected]
+gcloud auth login
+gcloud projects list
+gcloud config set project dev-193420
 ```
 
 ### switch gcloud context with gcloud config

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -103,7 +103,16 @@ gcloud beta billing accounts list
 gcloud organizations list
 ```
 
-## service account
+## IAM list permission and roles for a given resource
+```
+gcloud iam list-testable-permissions <uri>
+gcloud iam list-grantable-roles <uri>
+
+# get uri e.g.
+gcloud projects list --uri
+```
+
+## IAM service account
 * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -203,7 +203,7 @@ gcloud kms keyrings add-iam-policy-binding $KEYRING_NAME \
 gcloud kms keyrings add-iam-policy-binding $KEYRING_NAME \
     --location global \
     --member user:$USER_EMAIL \
-    --role roles/cloudkms.admin
+    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
     
 # Encrypt and Decrypt in REST API
 curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locations/global/keyRings/$KEYRING_NAME/cryptoKeys/$CRYPTOKEY_NAME:encrypt" \

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -86,8 +86,9 @@ PROJECT_ID=$(gcloud config get-value core/project)
 PROJECT_ID=$(gcloud config list project --format='value(core.project)')
 PROJECT_ID=$(gcloud info --format='value(config.project)')
 
-# get project_number
-gcloud projects list --filter="name:${project_id}"  --format='value(project_number)'
+# get project_number given project_id or name
+gcloud projects list --filter="project_id:${project_id}"  --format='value(project_number)'
+gcloud projects list --filter="name:${project_name}"  --format='value(project_number)'
 ```
 
 ## zones

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -96,32 +96,33 @@ To return a list of zones given a region
 gcloud compute zones list --filter=region:us-central1
 ```
 
-
-
 ## billing
 ```
 gcloud beta billing accounts list
 gcloud organizations list
 ```
 
-## service account and IAM
+## service account
 * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 
-### List IAM policy on the project level
-```
-gcloud projects get-iam-policy <project_id>
 ```
-### service account level
-```
-# creaate jenkins sa
-gcloud iam service-accounts create jenkins --display-name jenkins
-
 export SA_EMAIL=$(gcloud iam service-accounts list \
     --filter="displayName:jenkins" --format='value(email)')
 export PROJECT=$(gcloud info --format='value(config.project)')
 
-gcloud projects add-iam-policy-binding $PROJECT \
-    --role roles/storage.admin --member serviceAccount:$SA_EMAIL
+# creaate and list sa
+gcloud iam service-accounts create jenkins --display-name jenkins
+gcloud iam service-accounts list
+gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --format='table(email)'
+
+# create & list sa key  
+gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL    
+gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
+
+# project level: grant roles to sa
+gcloud projects get-iam-policy $PROJECT
+gcloud projects add-iam-policy-binding $PROJECT  --role roles/storage.admin \
+    --member serviceAccount:$SA_EMAIL
 gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.instanceAdmin.v1 \
     --member serviceAccount:$SA_EMAIL
 gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.networkAdmin \
@@ -130,20 +131,9 @@ gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.securityAdm
     --member serviceAccount:$SA_EMAIL
 gcloud projects add-iam-policy-binding $PROJECT --role roles/iam.serviceAccountActor \
     --member serviceAccount:$SA_EMAIL
-    
-# create service account key    
-gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL    
-```
 
-```
-gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
-gcloud iam service-accounts list
+# service account level: add role to service account
 gcloud iam service-accounts get-iam-policy <sa_email>
-
-# get the compute engine account 
-gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --format='table(email)'
-
-# add role to service account
 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor'
 ```
 
@@ -153,7 +143,7 @@ COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Comput
 gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://bucket-name
 ```
 
-## Custom Roles
+### Custom Roles
 ```
 # list predefined roles
 gcloud iam roles list

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -160,9 +160,9 @@ gcloud iam roles list
 # list custom roles
 gcloud iam roles list --project $PROJECT_ID
 
-# create custom role in 2 ways
+# create custom role in the following 2 ways, either on project level (--project [PROJECT_ID]) or org level (--organization [ORGANIZATION_ID])
 1. gcloud iam roles create editor --project $PROJECT_ID --file role-definition.yaml
-2. gcloud iam roles create viewer --project $DEVSHELL_PROJECT_ID --title "Role Viewer" --description "Custom role description." --permissions compute.instances.get,compu
+2. gcloud iam roles create viewer --project $PROJECT_ID --title "Role Viewer" --description "Custom role description." --permissions compute.instances.get,compu
 te.instances.list --stage ALPHA
 ```
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -78,8 +78,6 @@ gcloud info --format flattened
 export PROJECT=$(gcloud info --format='value(config.project)')
 ```
 
-
-
 ## projects
 
 ```
@@ -155,6 +153,19 @@ COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Comput
 gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://bucket-name
 ```
 
+## Custom Roles
+```
+# list predefined roles
+gcloud iam roles list
+# list custom roles
+gcloud iam roles list --project $PROJECT_ID
+
+# create custom role in 2 ways
+1. gcloud iam roles create editor --project $PROJECT_ID --file role-definition.yaml
+2. gcloud iam roles create viewer --project $DEVSHELL_PROJECT_ID --title "Role Viewer" --description "Custom role description." --permissions compute.instances.get,compu
+te.instances.list --stage ALPHA
+```
+
 ## app engine
 * https://medium.com/google-cloud/app-engine-project-cleanup-9647296e796a
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -583,6 +583,12 @@ gcloud beta container clusters create run-gke \
 ```
 
 
+```
+# create a VPC native cluster
+gcloud container clusters create k1 --network custom-ip-vpc --subnetwork subnet-alias  --enable-ip-alias --cluster-ipv4-cidr=/16   --services-ipv4-cidr=/22
+```
+
+
 ## Machine Learning
 ```
 brew install bat

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -12,17 +12,53 @@
 ## Other cheatsheets
 * https://github.com/dennyzhang/cheatsheet-gcp-A4
 
-## multiple gcloud config
+## multiple gcloud config configurations
+* https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/
 
 ```
 $gcloud config configurations list
 NAME           IS_ACTIVE  ACCOUNT                  PROJECT             DEFAULT_ZONE  DEFAULT_REGION
 default        False      [email protected]     operator  us-west1-b    us-west1
 someone  True       [email protected]  dev-env     us-west1-b    us-west1
-
 $gcloud config configurations activate default
 ```
 
+### switch gcloud context with gcloud config
+```
+gcloud config list
+gcloud config set account [email protected] 
+gcloud config set project salt-163215
+gcloud config set compute/region us-west1
+gcloud config set compute/zone us-west1-a
+alias demo='gcloud config set account [email protected] && gcloud config set project salt-163215 && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
+
+
+cluster=$(gcloud config get-value container/cluster 2> /dev/null)
+zone=$(gcloud config get-value compute/zone 2> /dev/null)
+project=$(gcloud config get-value core/project 2> /dev/null)
+
+# switch project based on the name
+gcloud config set project $(gcloud projects list --filter='name:wordpress-dev' --format='value(project_id)')
+
+# get the GKE cluster endpoint
+gcloud container clusters describe mycluster --zone $(gcloud config get-value compute/zone) --format='get(endpoint)'
+```
+
+```
+command -v gcloud >/dev/null 2>&1 || { \
+ echo >&2 "I require gcloud but it's not installed.  Aborting."; exit 1; }
+
+REGION=$(gcloud config get-value compute/region)
+if [[ -z "${REGION}" ]]; then
+    echo "https://cloud.google.com/compute/docs/regions-zones/changing-default-zone-region" 1>&2
+    echo "gcloud cli must be configured with a default region." 1>&2
+    echo "run 'gcloud config set compute/region REGION'." 1>&2
+    echo "replace 'REGION' with the region name like us-west1." 1>&2
+    exit 1;
+fi
+
+```
+
 ## auth
 ```
 gcloud auth list
@@ -62,42 +98,7 @@ To return a list of zones given a region
 gcloud compute zones list --filter=region:us-central1
 ```
 
-## switch gcloud context with gcloud config
-```
-gcloud config list
-gcloud config configurations list
-gcloud config set account [email protected] 
-gcloud config set project salt-163215
-gcloud config set compute/region us-west1
-gcloud config set compute/zone us-west1-a
-alias demo='gcloud config set account [email protected] && gcloud config set project salt-163215 && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
-
-
-cluster=$(gcloud config get-value container/cluster 2> /dev/null)
-zone=$(gcloud config get-value compute/zone 2> /dev/null)
-project=$(gcloud config get-value core/project 2> /dev/null)
-
-# switch project based on the name
-gcloud config set project $(gcloud projects list --filter='name:wordpress-dev' --format='value(project_id)')
-
-# get the GKE cluster endpoint
-gcloud container clusters describe mycluster --zone $(gcloud config get-value compute/zone) --format='get(endpoint)'
-```
-
-```
-command -v gcloud >/dev/null 2>&1 || { \
- echo >&2 "I require gcloud but it's not installed.  Aborting."; exit 1; }
 
-REGION=$(gcloud config get-value compute/region)
-if [[ -z "${REGION}" ]]; then
-    echo "https://cloud.google.com/compute/docs/regions-zones/changing-default-zone-region" 1>&2
-    echo "gcloud cli must be configured with a default region." 1>&2
-    echo "run 'gcloud config set compute/region REGION'." 1>&2
-    echo "replace 'REGION' with the region name like us-west1." 1>&2
-    exit 1;
-fi
-
-```
 
 ## billing
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -42,11 +42,7 @@ gcloud info --format flattened
 export PROJECT=$(gcloud info --format='value(config.project)')
 ```
 
-## zones
-To return a list of zones given a region
-```
-gcloud compute zones list --filter=region:us-central1
-```
+
 
 ## projects
 
@@ -59,10 +55,11 @@ PROJECT_ID=$(gcloud info --format='value(config.project)')
 # get project_number
 gcloud projects list --filter="name:${project_id}"  --format='value(project_number)'
 ```
-## billing
+
+## zones
+To return a list of zones given a region
 ```
-gcloud beta billing accounts list
-gcloud organizations list
+gcloud compute zones list --filter=region:us-central1
 ```
 
 ## switch gcloud context with gcloud config
@@ -76,7 +73,6 @@ gcloud config set compute/zone us-west1-a
 alias demo='gcloud config set account [email protected] && gcloud config set project salt-163215 && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
 
 
-
 cluster=$(gcloud config get-value container/cluster 2> /dev/null)
 zone=$(gcloud config get-value compute/zone 2> /dev/null)
 project=$(gcloud config get-value core/project 2> /dev/null)
@@ -103,6 +99,12 @@ fi
 
 ```
 
+## billing
+```
+gcloud beta billing accounts list
+gcloud organizations list
+```
+
 ## service account and IAM
 * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -364,6 +364,8 @@ gcloud compute routes create no-ip-internet-route \
     --tags no-ip --priority 800
 ```
 ### firewall rules
+* https://medium.com/@swongra/protect-your-google-cloud-instances-with-firewall-rules-69cce960fba
+
 ```
 # allow SSH, RDP and ICMP for the given network
 gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=managementnet --action=ALLOW --rules=tcp:22,3389,icmp --source-ranges=0.0.0.0/0

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -380,6 +380,9 @@ gcloud compute firewall-rules create mynetwork-deny-icmp \
 gcloud compute firewall-rules list \
 --filter="network:mynetwork AND name=mynetwork-deny-icmp"
 
+# sort-by
+gcloud compute firewall-rules list --sort-by=NETWORK
+
 ```
 
 ### layer 4 network lb

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -365,22 +365,19 @@ gcloud compute routes create no-ip-internet-route \
 ```
 ### firewall rules
 ```
-## ALLOW
-gcloud beta compute firewall-rules create mynetwork-allow-icmp --network mynetwork \
---action ALLOW --direction INGRESS --rules icmp
-gcloud beta compute firewall-rules create mynetwork-allow-ssh --network mynetwork \
---action ALLOW --direction INGRESS --rules tcp:22
-gcloud beta compute firewall-rules create mynetwork-allow-internal --network \
+# allow SSH, RDP and ICMP for the given network
+gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=managementnet --action=ALLOW --rules=tcp:22,3389,icmp --source-ranges=0.0.0.0/0
+# allow internal from given source range
+gcloud compute firewall-rules create mynetwork-allow-internal --network \
 mynetwork --action ALLOW --direction INGRESS --rules all \
 --source-ranges 10.128.0.0/9
-gcloud beta compute firewall-rules list \
---filter="network:mynetwork"
+gcloud compute firewall-rules list --filter="network:mynetwork"
 
 ## DENY
-gcloud beta compute firewall-rules create mynetwork-deny-icmp \
+gcloud compute firewall-rules create mynetwork-deny-icmp \
 --network mynetwork --action DENY --direction EGRESS --rules icmp \
 --destination-ranges 10.132.0.2 --priority 500
-gcloud beta compute firewall-rules list \
+gcloud compute firewall-rules list \
 --filter="network:mynetwork AND name=mynetwork-deny-icmp"
 
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -343,6 +343,14 @@ Use [gcloud compute operations describe URI] command to check the status of the
 
 ## Networking
 
+### network and subnets
+```
+ gcloud compute networks create privatenet --subnet-mode=custom
+ gcloud compute networks subnets create privatesubnet-us --network=privatenet --region=us-central1 --range=172.16.0.0/24
+ gcloud compute networks subnets create privatesubnet-eu --network=privatenet --region=europe-west1 --range=172.20.0.0/20
+ gcloud compute networks subnets list --sort-by=NETWORK
+```
+
 ### route
 tag the instances with `no-ips`
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -558,6 +558,18 @@ gcloud beta container clusters create private-cluster2 \
     --master-authorized-networks <external_ip_of_kubectl_instance>
 ```
 
+```
+# create a GKE cluster with CloudRun,Istio, HPA enabled
+gcloud beta container clusters create run-gke \
+  --addons HorizontalPodAutoscaling,HttpLoadBalancing,Istio,CloudRun \
+  --scopes cloud-platform \
+  --zone us-central1-a \
+  --machine-type n1-standard-4 \
+  --enable-stackdriver-kubernetes \
+  --no-enable-ip-alias
+```
+
+
 ## Machine Learning
 ```
 brew install bat

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -213,19 +213,90 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati
   -H "Content-Type:application/json" \
 | jq .plaintext -r | base64 -d    
 ```
+## compute engine
 
-## gcloud command for creating an instance? 
+### gcloud command for creating an instance? 
 from web console
 ```
 gcloud compute instances create [INSTANCE_NAME] \
   --image-family [IMAGE_FAMILY] \
   --image-project [IMAGE_PROJECT] \
   --create-disk image=[DISK_IMAGE],image-project=[DISK_IMAGE_PROJECT],size=[SIZE_GB],type=[DISK_TYPE]
   
-gcloud beta compute --project=victory-demo-dev instances create micro1 --zone=us-west1-a --machine-type=f1-micro --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=398028291895-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append --min-cpu-platform=Automatic --image=debian-9-stretch-v20180510 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=micro1
+gcloud compute instances create micro1 --zone=us-west1-a --machine-type=f1-micro --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=398028291895-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append --min-cpu-platform=Automatic --image=debian-9-stretch-v20180510 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=micro1
 ```
 
-## instances, template, target-pool and instance group
+### list compute images
+```
+gcloud compute images list --filter=name:debian --uri
+https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20180109
+https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-9-stretch-v20180105
+
+# Use the following command to see available non-Shielded VM Windows Server images
+gcloud compute images list --project windows-cloud --no-standard-images
+# Use the following command to see a list of available Shielded VM images, including Windows images
+gcloud compute images list --project gce-uefi-images --no-standard-images
+```
+
+### list an instance 
+* [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters)
+* [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys)
+
+```
+gcloud compute instances list --filter="zone:us-central1-a"
+gcloud compute instances list --project=dev --filter="name~^es"
+gcloud compute instances list --project=dev --filter=name:kafka --format="value(name,INTERNAL_IP)"
+gcloud compute instances list --filter=tags:kafka-node
+gcloud compute instances list --filter='machineType:g1-small'
+```
+
+### move instance
+`gcloud compute instances move <instance_wanna_move> --destination-zone=us-central1-a --zone=us-central1-c`
+
+### ssh & scp
+```
+#--verbosity=debug is great for debugging, showing the SSH command 
+# the following is a real word example for running a bastion server that talks to a GKE cluster (master authorized network)
+gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get nodes"
+
+gcloud compute scp  --recurse ../manifest <instance_name>:
+```
+### ssh port forwarding for elasticsearch
+```
+gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --ssh-flag="-L localhost:9200:localhost:9200"
+```
+The 2nd `localhost` is relative to  elasticsearch-1`
+
+### ssh reverse port forwarding 
+for example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development
+```
+GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project)
+gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server"
+```
+
+### generate ssh config 
+```
+gcloud compute config-ssh
+```
+
+### debugging
+gcloud debugging: `gcloud  compute instances list --log-http`
+[serial port debug](https://cloud.google.com/compute/docs/instances/interacting-with-serial-console)
+
+
+### instance level metadata
+```
+curl -s "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
+leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/leader" -H "Metadata-Flavor: Google")
+```
+
+### project level metadata
+```
+gcloud compute project-info describe
+gcloud compute project-info describe --flatten="commonInstanceMetadata[]"
+```
+
+### instances, template, target-pool and instance group
 ```
 cat << EOF > startup.sh
 #! /bin/bash
@@ -258,6 +329,19 @@ gcloud compute instance-templates create nat-2 \
     --machine-type n1-standard-2 --can-ip-forward --tags natgw \
     --metadata-from-file=startup-script=startup.sh  --address $nat_2_ip
 ```
+### disk snapshot
+```
+gcloud compute disks snapshot kafka-data1-1 --async --snapshot-names=kafka-data-1 --project project_a --zone us-west1-a
+Use [gcloud compute operations describe URI] command to check the status of the operation(s).
+```
+
+### regional disk
+```
+ gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional
+```
+
+
+## Networking
 
 ### route
 tag the instances with `no-ips`
@@ -271,7 +355,7 @@ gcloud compute routes create no-ip-internet-route \
     --next-hop-instance-zone us-central1-a \
     --tags no-ip --priority 800
 ```
-## firewall rules
+### firewall rules
 ```
 ## ALLOW
 gcloud beta compute firewall-rules create mynetwork-allow-icmp --network mynetwork \
@@ -293,8 +377,7 @@ gcloud beta compute firewall-rules list \
 
 ```
 
-
-## layer 4 network lb
+### layer 4 network lb
 ```
 gcloud compute firewall-rules create www-firewall --allow tcp:80
 gcloud compute forwarding-rules create nginx-lb \
@@ -306,7 +389,7 @@ gcloud compute firewall-rules list --sort-by=NETWORK
 
 ```
 
-## layer 7 http lb
+### layer 7 http lb
 * https://cloud.google.com/solutions/scalable-and-resilient-apps
 
 ```
@@ -337,14 +420,14 @@ gcloud compute forwarding-rules list
 
 ```
 
-## forwarding-rules
+### forwarding-rules
 ```
 gcloud compute forwarding-rules list --filter=$(dig +short <dns_name>)
 gcloud compute forwarding-rules describe my-forwardingrule --region us-central1
 gcloud compute forwarding-rules describe my-http-forwardingrule --global
 ```
 
-## address
+### address
 ```
 # get the external IP address of the instance
 gcloud compute instances describe single-node \
@@ -357,84 +440,6 @@ gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute a
 ```
 
 
-## compute engine image
-```
-gcloud compute images list --filter=name:debian --uri
-https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20180109
-https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-9-stretch-v20180105
-```
-
-## list an instance 
-* [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters)
-* [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys)
-
-```
-gcloud compute instances list --filter="zone:us-central1-a"
-gcloud compute instances list --project=dev --filter="name~^es"
-gcloud compute instances list --project=dev --filter=name:kafka --format="value(name,INTERNAL_IP)"
-gcloud compute instances list --filter=tags:kafka-node
-gcloud compute instances list --filter='machineType:g1-small'
-```
-
-## move instance
-`gcloud compute instances move <instance_wanna_move> --destination-zone=us-central1-a --zone=us-central1-c`
-
-## ssh & scp
-```
-#--verbosity=debug is great for debugging, showing the SSH command 
-# the following is a real word example for running a bastion server that talks to a GKE cluster (master authorized network)
-gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get nodes"
-
-gcloud compute scp  --recurse ../manifest <instance_name>:
-```
-### ssh port forwarding for elasticsearch
-```
-gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --ssh-flag="-L localhost:9200:localhost:9200"
-```
-The 2nd `localhost` is relative to  elasticsearch-1`
-
-### ssh reverse port forwarding 
-for example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development
-```
-GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project)
-gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server"
-```
-
-### generate ssh config 
-```
-gcloud compute config-ssh
-```
-
-## serial port debug
-* https://cloud.google.com/compute/docs/instances/interacting-with-serial-console
-
-## disk snapshot
-```
-gcloud compute disks snapshot kafka-data1-1 --async --snapshot-names=kafka-data-1 --project project_a --zone us-west1-a
-Use [gcloud compute operations describe URI] command to check the status of the operation(s).
-```
-
-## regional disk
-```
- gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional
-```
-
-## debugging
-```
-gcloud  compute instances list --log-http
-```
-
-## instance level metadata
-```
-curl -s "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
-leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/leader" -H "Metadata-Flavor: Google")
-```
-
-## project level metadata
-```
-gcloud compute project-info describe
-gcloud compute project-info describe --flatten="commonInstanceMetadata[]"
-```
 
 ## GCP managed ssl certificate
 ```