GCP Deployment
This section covers installation methods.
Review the offering description on Sysdig Secure for cloud - GCP.
Deployments on GCP use a Terraform file.
Onboarding Using Terraform
Terraform-based install instructions differ depending on what type of account you are using.
At this time, the options include:
- Install for a single project: Targets a single project. A single workload is spawned in the specified project and targets that project's resources.
- Install for an organization: Targets the whole organization. A single workload is spawned in the specified project and targets every project in the organization.
- Other specific Secure for Cloud - GCP - Use-case scenarios.
The default code provided in the Data Sources page of Sysdig Secure is pre-populated with your Secure API token and installs threat detection and benchmarks automatically. Container registry and image scanning is an optional module that is disabled by default (see Enabling Image Scanner below).
Prerequisites and Permissions
- A Sysdig Secure SaaS account with administrator permissions.
- Terraform installed on the machine from which you will deploy the installation code.
- The Terraform Google Platform provider.
- Google's Cloud SDK (gcloud) deployed in the environment where you will deploy the installation code.
- A Google Cloud Platform (GCP) account for the Secure for Cloud compute workload deployment.
- The Owner role, in order to create each of the resources listed under Resources Created by Each Module below.
- For organizational installs, the Organization Admin role is required as well.
- Check that the following GCP service APIs are enabled:
For Cloud Connector:
- Cloud Pub/Sub API (pubsub.googleapis.com)
- Cloud Run API (run.googleapis.com)
- Eventarc API (eventarc.googleapis.com)
For Cloud Benchmarks:
- Identity and Access Management API (iam.googleapis.com)
- IAM Service Account Credentials API (iamcredentials.googleapis.com)
- Cloud Resource Manager API (cloudresourcemanager.googleapis.com)
- Security Token Service API (sts.googleapis.com)
- Cloud Asset API (cloudasset.googleapis.com)
For Cloud Scanning (optional module):
- Cloud Pub/Sub API (pubsub.googleapis.com)
- Cloud Run API (run.googleapis.com)
- Eventarc API (eventarc.googleapis.com)
- Secret Manager API (secretmanager.googleapis.com)
- Cloud Build API (cloudbuild.googleapis.com)
- Identity and Access Management API (iam.googleapis.com)
To check that all the required GCP service APIs are enabled, run:
gcloud services list --enabled
All the services listed above should appear in the output.
Note that serviceusage.googleapis.com must itself be enabled for this command to work.
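As an added example (not part of this page or of the Sysdig module), the following POSIX shell helper compares the enabled-services list against the per-module requirements above and reports what is missing, so the check can be scripted before `terraform apply`. The `--format='value(config.name)'` option used to obtain one service name per line is an assumption about gcloud's output formatting, and the `SAMPLE_ENABLED` list is constructed input, not real project data.

```sh
#!/bin/sh
# Added example: verify that the GCP service APIs required by each Secure for
# Cloud module are enabled. With real output (assumed gcloud --format flag):
#   enabled=$(gcloud services list --enabled --format='value(config.name)')
#   missing_apis "$enabled" "$REQUIRED_CONNECTOR $REQUIRED_BENCH"

# Required service APIs per module, as listed in the prerequisites above.
REQUIRED_CONNECTOR="pubsub.googleapis.com run.googleapis.com eventarc.googleapis.com"
REQUIRED_BENCH="iam.googleapis.com iamcredentials.googleapis.com cloudresourcemanager.googleapis.com sts.googleapis.com cloudasset.googleapis.com"
REQUIRED_SCANNING="pubsub.googleapis.com run.googleapis.com eventarc.googleapis.com secretmanager.googleapis.com cloudbuild.googleapis.com iam.googleapis.com"

# missing_apis ENABLED REQUIRED
#   ENABLED:  whitespace- or newline-separated names of enabled services
#   REQUIRED: whitespace-separated names that must be present
# Prints each required service that is not enabled, one per line, in the
# order of REQUIRED. Always returns 0; use apis_ok for a pass/fail status.
missing_apis() {
  _enabled="$1"
  _required="$2"
  for svc in $_required; do
    found=0
    for e in $_enabled; do
      if [ "$e" = "$svc" ]; then found=1; break; fi
    done
    if [ "$found" -eq 0 ]; then echo "$svc"; fi
  done
  return 0
}

# apis_ok ENABLED REQUIRED: returns 0 when nothing is missing, 1 otherwise.
apis_ok() {
  [ -z "$(missing_apis "$1" "$2")" ]
}

# Constructed sample of the enabled-services list (not real project data):
# cloudasset, secretmanager and cloudbuild are deliberately absent.
SAMPLE_ENABLED="pubsub.googleapis.com
run.googleapis.com
eventarc.googleapis.com
iam.googleapis.com
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com
sts.googleapis.com
serviceusage.googleapis.com"

echo "Cloud Connector, missing APIs:";  missing_apis "$SAMPLE_ENABLED" "$REQUIRED_CONNECTOR"
echo "Cloud Benchmarks, missing APIs:"; missing_apis "$SAMPLE_ENABLED" "$REQUIRED_BENCH"
echo "Cloud Scanning, missing APIs:";   missing_apis "$SAMPLE_ENABLED" "$REQUIRED_SCANNING"
```

With the sample input, Cloud Connector passes, Cloud Benchmarks reports cloudasset.googleapis.com, and Cloud Scanning reports secretmanager.googleapis.com and cloudbuild.googleapis.com; only the modules you actually deploy need to pass.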
Available Options
- Workload types: Cloud Run, K8S
Check each example's input parameters for these and other configuration options.
Steps
Log in to Sysdig Secure as Admin, select Integrations > Data Sources | Cloud Account, and choose Connect Account | GCP.
Copy the code snippet under Single Account or Organizational Account and paste it into a Terraform manifest (.tf file). It is pre-configured with your Sysdig API token, so treat the file as a secret and keep it out of version control.
Then run:
$ terraform init
When complete, run:
$ terraform apply
which will present the changes to be made, ask you to confirm them, then make the changes.
Confirm the services are working (see Confirm the Services are Working below).
Check Troubleshooting in case of permissions or account-conflict errors.
Customizing the Install
Both the Single Account and Organizational Account code examples are configured with sensible defaults for the underlying inputs. But if desired, you can edit the region, module enablement, and other Inputs. See details for:
Enabling Image Scanner
The Image Scanner feature is disabled by default. To enable it, set the deploy_scanning input variable in your snippet:
module "secure-for-cloud_example" {
...
deploy_scanning = true
}
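A complete single-project manifest of the shape the Steps section describes, with the image scanner enabled as shown under Enabling Image Scanner. This is an added example, not the snippet Sysdig generates on the Data Sources page: the module source path, the provider attribute names and the region are assumptions to verify against the registry module linked under See Also. The one deliberate change from the generated snippet is that the Secure API token is read from a sensitive variable instead of being written into the file.

```hcl
terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
    google = {
      source = "hashicorp/google"
    }
  }
}

# Assumption: the generated snippet places the token in this provider attribute.
# Supplying it through TF_VAR_sysdig_secure_api_token keeps the manifest free
# of credentials and safe to commit.
variable "sysdig_secure_api_token" {
  type      = string
  sensitive = true
}

variable "project_id" {
  type = string
}

provider "sysdig" {
  sysdig_secure_url       = "https://secure.sysdig.com"
  sysdig_secure_api_token = var.sysdig_secure_api_token
}

provider "google" {
  project = var.project_id
  region  = "us-central1" # assumed region; pick the one that fits your project
}

# Assumption: registry path of the single-project example module; the module
# address matches the one quoted in the Troubleshooting import commands.
module "secure-for-cloud_example_single-project" {
  source = "sysdiglabs/secure-for-cloud/google//examples/single-project"

  # Image scanning is off by default; this enables the Cloud-scanning module
  # and, with it, the Secrets module listed under Resources Created by Each Module.
  deploy_scanning = true
}
```

Run `terraform init` and then `terraform apply` against this file with `TF_VAR_sysdig_secure_api_token` and `TF_VAR_project_id` exported; `terraform state` and plan output still mark the token as sensitive, but the local state file contains it and must be protected accordingly.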
Resources Created by Each Module
Check the full list of created resources:
- Cloud-bench
google_iam_workload_identity_pool
google_iam_workload_identity_pool_provider
google_project_iam_custom_role
google_project_iam_member
google_service_account
google_service_account_iam_binding
sysdig_secure_benchmark_task
sysdig_secure_cloud_account
- Cloud-connector
google_cloud_run_service
google_eventarc_trigger
google_project_iam_member
google_storage_bucket
google_storage_bucket_iam_member
google_storage_bucket_object
- Cloud-scanning
google_cloud_run_service
google_cloud_run_service_iam_member
google_eventarc_trigger
google_project_iam_member
google_pubsub_topic
If Cloud-connector is installed in organizational mode, this additional module will be installed:
- Organization-sink
google_logging_organization_sink
google_pubsub_topic
google_pubsub_topic_iam_member
If Cloud-connector is installed in single-project mode, this additional module will be installed:
- Project-sink
google_logging_project_sink
google_pubsub_topic
google_pubsub_topic_iam_member
If Cloud-scanning is installed, this additional module will be installed:
- Secrets
google_secret_manager_secret
google_secret_manager_secret_iam_member
google_secret_manager_secret_version
Troubleshooting
Find more troubleshooting options in the Secure for Cloud - Terraform GCP module source repository.
1. Insufficient Permissions on Project
This error may occur if your current GCP authentication session does not have the required permissions to access the specified project.
Solution: Ensure you are authenticated to GCP using a user or service account with the required permissions.
2. Insufficient Permissions to Create Resource
This error may occur if your current GCP authentication session does not have the required permissions to create certain resources.
Solution: Ensure you are authenticated to GCP using a user or service account with the required permissions.
If you have sufficient permissions but still get this kind of error, try to authenticate gcloud using:
$ gcloud auth application-default login
$ gcloud auth application-default set-quota-project your_project_id
3. Conflicting Resources
This error may occur if the specified GCP project has already been onboarded to Sysdig.
Solution: The cloud account can be imported into Terraform by running
terraform import module.single account.module.cloud_bench.sysdig_secure_cloud_account.cloud_account PROJECT_ID
where PROJECT_ID is the numerical ID of the project (not the project name). The module path must match the one used in your own manifest; as with the Workload Identity Federation case below, the resource address reported in the terraform plan/apply error is the one to import.
4. Workload Identity Federation pool already exists
This error may occur if a Workload Identity Federation pool or pool provider has previously been created and then deleted, either via the GCP console or with terraform destroy. When a delete request for these resources is sent to GCP, they are not removed outright but marked as "deleted" and retained for 30 days. These "deleted" resources block creation of a new resource with the same name.
Solution: The "deleted" pool and provider must be restored (undeleted) and then imported into the Terraform state:
# re-activate pool and provider
$ gcloud iam workload-identity-pools undelete sysdigcloud --location=global
$ gcloud iam workload-identity-pools providers undelete sysdigcloud --workload-identity-pool="sysdigcloud" --location=global
# import to terraform state
# for this you have to adapt the import resource to your specific usage
# ex.: for single-project, input your project-id
$ terraform import 'module.secure-for-cloud_example_single-project.module.cloud_bench[0].module.trust_relationship["<PROJECT_ID>"].google_iam_workload_identity_pool.pool' <PROJECT_ID>/sysdigcloud
$ terraform import 'module.secure-for-cloud_example_single-project.module.cloud_bench[0].module.trust_relationship["<PROJECT_ID>"].google_iam_workload_identity_pool_provider.pool_provider' <PROJECT_ID>/sysdigcloud/sysdigcloud
# ex.: for organization example you should change its reference too, per project
$ terraform import 'module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["<PROJECT_ID>"].google_iam_workload_identity_pool.pool' <PROJECT_ID>/sysdigcloud
$ terraform import 'module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["<PROJECT_ID>"].google_iam_workload_identity_pool_provider.pool_provider' <PROJECT_ID>/sysdigcloud/sysdigcloud
The import address to use is the one reported in your terraform plan/apply error message. For example, given:
Error: Error creating WorkloadIdentityPool: googleapi: Error 409: Requested entity already exists
with module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["org-child-project-1"].google_iam_workload_identity_pool.pool,
on .... in resource "google_iam_workload_identity_pool" "pool":
resource "google_iam_workload_identity_pool" "pool" {
use 'module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["org-child-project-1"].google_iam_workload_identity_pool.pool' as your import address:
$ terraform import 'module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["org-child-project-1"].google_iam_workload_identity_pool.pool' 'org-child-project-1/sysdigcloud'
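Reading the address out of the error by hand is error-prone in organizational installs, where there is one trust_relationship instance per child project. As an added example (not from this page or the Sysdig module), the shell function below takes the text of the 409 error, extracts the address from its "with ..." line, derives the project ID from the trust_relationship key, and prints the matching terraform import command using the import ID formats shown above. The `SAMPLE_ERR` text is a constructed copy of the error quoted on this page, not real tool output; the undelete commands still have to be run first.

```sh
#!/bin/sh
# Added example: build the `terraform import` command for a Workload Identity
# pool or pool provider that GCP reports as already existing (Error 409).

# wif_import_command ERROR_TEXT
# Prints the import command on stdout and returns 0; returns 1 when the error
# text carries no trust_relationship pool/provider address.
wif_import_command() {
  _err="$1"
  # The first "with <address>," line of the error names the import target.
  _addr=$(printf '%s\n' "$_err" \
    | sed -n 's/^[[:space:]]*with[[:space:]]\{1,\}\(module\.[^,[:space:]]*\),\{0,1\}[[:space:]]*$/\1/p' \
    | head -n 1)
  [ -n "$_addr" ] || return 1
  # The project ID is the instance key of the trust_relationship module.
  _project=$(printf '%s\n' "$_addr" | sed -n 's/.*trust_relationship\["\([^"]*\)"\].*/\1/p')
  [ -n "$_project" ] || return 1
  # Import IDs as documented above: <PROJECT_ID>/sysdigcloud for the pool and
  # <PROJECT_ID>/sysdigcloud/sysdigcloud for the provider ("sysdigcloud" is the
  # name the module gives both). The provider case must be matched first.
  case "$_addr" in
    *.google_iam_workload_identity_pool_provider.*) _id="$_project/sysdigcloud/sysdigcloud" ;;
    *.google_iam_workload_identity_pool.*)          _id="$_project/sysdigcloud" ;;
    *) return 1 ;;
  esac
  printf "terraform import '%s' '%s'\n" "$_addr" "$_id"
}

# Constructed error text modelled on the one quoted above (not a real run).
SAMPLE_ERR='Error: Error creating WorkloadIdentityPool: googleapi: Error 409: Requested entity already exists

  with module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["org-child-project-1"].google_iam_workload_identity_pool.pool,
  on .... in resource "google_iam_workload_identity_pool" "pool":
resource "google_iam_workload_identity_pool" "pool" {'

# Undelete the pool and provider (commands from the page) before running this.
wif_import_command "$SAMPLE_ERR"
```

Paste the whole `terraform apply` error into the function (for instance `wif_import_command "$(cat apply.err)"`); if the error mentions several projects, the function returns only the first address, so run it once per error block.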
5. Received an email from Google Cloud Platform citing a Configuration Error
Email contains error codes such as:
Error Code: topic_not_found
or
Error Code: topic_permission_denied
Cause: The resources Sysdig deploys with Terraform are eventually consistent; it can happen that a prerequisite resource (such as the Pub/Sub topic) has been created but is not yet ready when a dependent resource first references it.
Solution: This is a known issue that only occurs within the first minutes of the deployment. Once the resource health checks pass, the modules work as expected; if the emails persist beyond that window, check that the topic listed in the email exists and that the permissions under Resources Created by Each Module are in place.
Confirm the Services are Working
Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.
Check Overall Connection Status
Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.
Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.
Check Threat Detection
Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig GCP Threat Detection and Sysdig GCP Threat Intelligence managed policies are enabled. These consist of the most-frequently-recommended rules for GCP.
Events: In the Events feed, search "cloud" to show events from GCP. If you need a more technical checkup, see the forcing-events section of the [Secure for Cloud - Terraform GCP module source repository](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/README.md#forcing-events—threat-detection).
Check Image Scanning
- Check the details in the Secure for Cloud - Terraform GCP module source repository.
See Also
- Secure for Cloud - Terraform GCP - Terraform registry module
- Secure for Cloud - Terraform GCP - Source Github repo
- Insights
- Integrate with Container Registries