Monitor VM and sole-tenant node usage for license reporting


If you bring your own licenses for operating systems such as Windows Server, contractual obligations might require you to monitor and report how many VM instances, physical servers, and physical CPU cores you're using these licenses on.

This article describes how you can use the open-source tool License Tracker to monitor the number of VM instances, physical servers, and physical CPU cores you're using, and how you can visualize the results by using Looker Studio.

The License Tracker tool works by analyzing Compute Engine audit logs to determine placements for each VM instance. A placement describes the time period during which a VM instance is running on a specific physical server. Each migration of a VM from one physical server to another marks the end of one placement and starts another.

As an example, consider a VM instance that is started and, several months later, stopped again. At some point during its runtime, the VM is automatically migrated from Server 1 to Server 2 and later back to Server 1 again. This history corresponds to 3 placements:

Multiple placements
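
The history described above, worked through in code. This is an added illustration of the placement concept, not code from the License Tracker project; the event tuples, server names, and timestamps are constructed and are not real audit log entries.

```python
from datetime import datetime, timezone

# Constructed event stream for one VM: (timestamp, event, server).
# For "migrate", the server is the destination of the migration.
EVENTS = [
    ("2025-01-10T08:00:00", "start", "server-1"),
    ("2025-02-03T02:15:00", "migrate", "server-2"),
    ("2025-03-20T23:40:00", "migrate", "server-1"),
    ("2025-04-30T17:00:00", "stop", None),
]


def ts(text):
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def placements(events, analysis_end):
    """Turn start/migrate/stop events into (server, start, end) placements."""
    result, server, since = [], None, None
    for when, kind, target in sorted(events, key=lambda e: ts(e[0])):
        when = ts(when)
        if server is not None:
            # Any event on a running VM closes the currently open placement.
            result.append((server, since, when))
        if kind in ("start", "migrate"):
            server, since = target, when
        else:
            server, since = None, None
    if server is not None:
        # VM still running: cap the open placement at the end of the analysis.
        result.append((server, since, analysis_end))
    return result


def servers_used(placement_list, window_start, window_end):
    """Distinct physical servers a VM occupied during a reporting window."""
    return {srv for srv, start, end in placement_list
            if start < window_end and end > window_start}


if __name__ == "__main__":
    for srv, start, end in placements(EVENTS, ts("2025-06-01T00:00:00")):
        print(srv, start.isoformat(), end.isoformat())
```

The three placements touch only two distinct physical servers, which is why per-server license counts are taken over distinct servers rather than over placements.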

When you run the License Tracker tool the first time, it analyzes Compute Engine usage of the past 90 days and writes its result to BigQuery. On subsequent runs, the tool analyzes the delta between the last run and the current day, and updates the BigQuery dataset accordingly.

The License Tracker tool replaces the usage reporting feature provided by IAP Desktop.

Important: The License Tracker tool is a Google-developed and community-supported open source project that is hosted in the GoogleCloudPlatform/gce-license-tracker repo on GitHub. The tool is governed solely by the Apache License 2.0 and not by any other terms or conditions. It is distributed as is, without warranties of any kind.

Costs

This guide uses billable components of Google Cloud, including:

Use the pricing calculator to generate a cost estimate based on your projected usage.

Deploy the License Tracker tool

This section describes how to set up Cloud Run and Cloud Scheduler to automatically run the License Tracker tool once a day.

The following diagram illustrates the solution described in this article:

  • The License Tracker tool is deployed on Cloud Run and configured to analyze the logs of one or more projects.
  • Once a day, Cloud Scheduler triggers the Cloud Run job, causing the License Tracker tool to update a BigQuery dataset.
  • A Looker Studio dashboard visualizes the data from BigQuery and makes it available to users.

Architecture

Create a project

To set up Cloud Run and Cloud Scheduler, create a new project:

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the BigQuery, Cloud Logging, Resource Manager, Cloud Build, Cloud Scheduler, and Cloud Run APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

Deploy the application

You now deploy the License Tracker tool to Cloud Run:

  1. In the Google Cloud console, open Cloud Shell by clicking the Activate Cloud Shell button.

    Go to the Google Cloud console

  2. Set an environment variable to contain your project ID:

    gcloud config set project PROJECT_ID

    Replace PROJECT_ID with the ID of your project.

  3. Set the Cloud Run region to deploy to:

    gcloud config set run/region REGION

    Replace REGION with a region that supports Cloud Run and Cloud Scheduler.

  4. Create a service account for the tool:

    SERVICE_ACCOUNT=$(gcloud iam service-accounts create license-tracker \
      --display-name "License Tracker" \
      --format "value(email)")

  5. Allow the service to create and access a BigQuery dataset and to start Cloud Run jobs in the same project:

    gcloud projects add-iam-policy-binding $(gcloud config get-value core/project) \
      --member "serviceAccount:$SERVICE_ACCOUNT" \
      --role "roles/bigquery.admin"

    gcloud projects add-iam-policy-binding $(gcloud config get-value core/project) \
      --member "serviceAccount:$SERVICE_ACCOUNT" \
      --role "roles/run.invoker"

  6. Allow Cloud Build to perform Cloud Run deployments and manage Cloud Scheduler jobs:

    # Look up the project number first, as its own statement, so that
    # $PROJECT_NUMBER is set before the commands below expand it.
    PROJECT_NUMBER=$(gcloud projects describe $(gcloud config get-value core/project) --format='value(projectNumber)')

    gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT \
      --member "serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
      --role "roles/iam.serviceAccountUser"

    gcloud projects add-iam-policy-binding $(gcloud config get-value core/project) \
      --member "serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
      --role "roles/run.developer"

    gcloud projects add-iam-policy-binding $(gcloud config get-value core/project) \
      --member "serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
      --role "roles/cloudscheduler.admin"

  7. Clone the GitHub repository and switch to the latest branch:

    git clone https://github.com/GoogleCloudPlatform/gce-license-tracker.git
    cd gce-license-tracker
    git checkout latest

  8. Submit a build to Cloud Build:

    gcloud builds submit . --substitutions=_REGION=$(gcloud config get-value run/region)

    The build deploys the License Tracker application to Cloud Run and configures Cloud Scheduler to trigger the job once a day.

    The build takes about 3 minutes to complete.

Select projects to analyze

The License Tracker tool analyzes all Google Cloud projects for which all of the following conditions apply:

  • The Compute Engine API is enabled.
  • The project grants Compute Viewer (roles/compute.viewer) and Logs Viewer (roles/logging.viewer) access to the tool's service account.

To include a project, folder, or an entire organization in the analysis, do the following:

Project

    SCOPE_ID=RESOURCE_PROJECT_ID
    SCOPE_TYPE=projects

    gcloud projects add-iam-policy-binding $SCOPE_ID \
      --member "serviceAccount:$SERVICE_ACCOUNT" \
      --role "roles/compute.viewer" \
      --condition None

    gcloud projects add-iam-policy-binding $SCOPE_ID \
      --member "serviceAccount:$SERVICE_ACCOUNT" \
      --role "roles/logging.viewer" \
      --condition None

Replace RESOURCE_PROJECT_ID with the ID of the Google Cloud project that you want the License Tracker tool to analyze.

Folder

    SCOPE_ID=RESOURCE_FOLDER_ID
    SCOPE_TYPE=folders

    gcloud resource-manager folders add-iam-policy-binding $SCOPE_ID \
      --member "serviceAccount:$SERVICE_ACCOUNT" \
      --role "roles/compute.viewer" \
      --condition None

    gcloud resource-manager folders add-iam-policy-binding $SCOPE_ID \
      --member "serviceAccount:$SERVICE_ACCOUNT" \
      --role "roles/logging.viewer" \
      --condition None

Replace RESOURCE_FOLDER_ID with the ID of the folder that contains the projects that you want the License Tracker tool to analyze.

Organization

    SCOPE_ID=ORGANIZATION_ID
    SCOPE_TYPE=organizations

    gcloud organizations add-iam-policy-binding $SCOPE_ID \
      --member "serviceAccount:$SERVICE_ACCOUNT" \
      --role "roles/compute.viewer" \
      --condition None

    gcloud organizations add-iam-policy-binding $SCOPE_ID \
      --member "serviceAccount:$SERVICE_ACCOUNT" \
      --role "roles/logging.viewer" \
      --condition None

Replace ORGANIZATION_ID with the ID of your organization.

Note: If one of the projects you want to analyze uses VPC service controls, then the License Tracker tool might not be allowed to access resources in this project. To grant the License Tracker tool access, include its project in the same perimeter or configure an appropriate ingress policy.
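
A check for the grants made in the deployment and project-selection steps above, as an added example that is not part of the original guide or the License Tracker project. It compares the roles bound to the tool's service account in an exported IAM policy (for example, saved from gcloud projects get-iam-policy with --format=json) against the roles this guide grants; the project ID example-project, the user, and the sample policy are constructed, and the Cloud Build service account is not covered.

```python
# Roles this guide grants to the tool's service account, per kind of resource.
EXPECTED = {
    "deployment": {"roles/bigquery.admin", "roles/run.invoker"},
    "analyzed": {"roles/compute.viewer", "roles/logging.viewer"},
}

# Assumed service account email for a hypothetical project "example-project".
SA = "serviceAccount:license-tracker@example-project.iam.gserviceaccount.com"


def audit(policy, member, kind):
    """Compare the roles bound to `member` with the roles the guide grants.

    "missing" lists expected roles without an unconditional binding,
    "unexpected" lists any other role the member holds, and "conditional"
    lists expected roles that are only bound under an IAM condition.
    """
    held, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            # The guide binds with --condition None, so a conditional
            # binding is reported separately instead of counted as held.
            target = conditional if "condition" in binding else held
            target.add(binding["role"])
    return {
        "missing": sorted(EXPECTED[kind] - held),
        "unexpected": sorted((held | conditional) - EXPECTED[kind]),
        "conditional": sorted(conditional & EXPECTED[kind]),
    }


# Constructed policy for an analyzed project, in the IAM policy JSON shape.
SAMPLE = {
    "version": 3,
    "bindings": [
        {"role": "roles/compute.viewer",
         "members": [SA, "user:alice@example.com"]},
        {"role": "roles/logging.viewer", "members": [SA],
         "condition": {
             "title": "expires",
             "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}},
        {"role": "roles/editor", "members": [SA]},
    ],
}

if __name__ == "__main__":
    print(audit(SAMPLE, SA, "analyzed"))
```

A non-empty "unexpected" list on an analyzed project means the service account holds more than the two viewer roles the tool needs there.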

Start the initial analysis

You can now start an initial analysis:

  1. In the Google Cloud console, go to Cloud Run > Jobs.

    Go to Cloud Run jobs

  2. Select the license-tracker job to open the job details.

  3. Click Execute.

    Depending on the number and size of projects that you selected, the initial analysis might take several hours to complete.

    When the job completes, your project contains a BigQuery dataset named license_usage.

  4. Optionally, view logs in Cloud Logging:

    Go to Logging

Create a dashboard

You now create a Looker Studio dashboard by creating a copy of a sample dashboard:

  1. Copy the dashboard's data sources:

    1. Nodes
    2. Licensed nodes
    3. Nodes histogram
    4. Instances histogram

    For each data source, do the following:

    1. Click the link above to open the data source.
    2. Click Make a copy of this data source.
    3. Click Copy data source.
    4. If you're prompted to connect the dashboard to BigQuery, click Authorize.
    5. Optionally, click the header and rename the data source.
    6. In the list of billing projects, select the project that you used to deploy the License Tracker tool.
    7. Click Reconnect.
    8. In the Apply connection changes dialog box, select Apply.

  2. Copy the dashboard:

    1. Open the sample dashboard.

      The dashboard isn't connected to a data source, so it doesn't show any data.

    2. Click … > Make a copy.

    3. In the Copy this report dialog, select your copies of the data sources:

      Copy dialog

    4. Click Copy report.

      The dashboard now shows the data from your BigQuery dataset.

Grant other users access to the dashboard

The dashboard's data sources are configured to use the viewer's credentials to access BigQuery. To grant another user access to the dashboard, you must:

  1. Share the dashboard and grant the user permission to view the report.
  2. Grant the BigQuery Data Viewer (roles/bigquery.dataViewer) and BigQuery Job User (roles/bigquery.jobUser) roles to the user. You can grant these roles at the dataset or project level.

Customize the dashboard

You can customize the dashboard by using the Looker Studio report editor to modify existing charts or to add additional charts.

All charts in the sample dashboard are based on the placements view in the BigQuery dataset. This view contains all placements across all projects and uses the following schema:

Column                   Data type  Description
instance_id              INTEGER    Instance ID
instance_name            STRING     Name of instance
instance_zone            STRING     Zone ID of instance
instance_project_id      STRING     Project ID of instance
tenancy                  STRING     S if running on sole-tenant node, F otherwise
node_type                STRING     Sole-tenant node type
node_project_id          STRING     Project ID of the node; this value might differ from instance_project_id in case of shared sole-tenant nodes
server_id                STRING     Unique ID of physical server
operating_system_family  STRING     WIN, LINUX, or null if unrecognized
license                  STRING     License string used by image
license_type             STRING     BYOL, SPLA, or null if unrecognized
machine_type             STRING     Machine type of instance
memory_mb                INTEGER    Amount of RAM (in MB) allocated to instance
vcpu_count               INTEGER    Number of vCPUs allocated to instance
vcpu_min_allocated       INTEGER    Minimum number of vCPUs allocated to instance; this value might differ from vcpu_count when you're overcommitting CPUs on sole-tenant VMs
maintenance_policy       STRING     Maintenance policy for instance
start_date               TIMESTAMP  Beginning of placement
end_date                 TIMESTAMP  End of placement

You can use the placements view when customizing existing charts or adding your own charts to the dashboard.

Upgrade the License Tracker tool

This section describes how you can upgrade an existing deployment of the License Tracker tool to use a newer version of the application, or to use a different configuration.

  1. In the Google Cloud console, open Cloud Shell by clicking the Activate Cloud Shell button.

    Go to the Google Cloud console

  2. Set an environment variable to contain your project ID:

    gcloud config set project PROJECT_ID

    Replace PROJECT_ID with the ID of the project that contains your existing deployment.

  3. Select the Cloud Run region of your existing deployment:

    gcloud config set run/region REGION

  4. Clone the GitHub repository and switch to the latest branch:

    git clone https://github.com/GoogleCloudPlatform/gce-license-tracker.git
    cd gce-license-tracker
    git checkout latest

  5. Submit a build to Cloud Build:

    gcloud builds submit . --substitutions=_REGION=$(gcloud config get-value run/region)

    The build updates your existing deployment and takes about 3 minutes to complete.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.