GCP Deployment

This section covers installation methods.
Review the offering description on Sysdig Secure for cloud - GCP.

Deployments on GCP use a Terraform file.

Onboarding Using Terraform

Terraform-based install instructions differ depending on what type of account you are using.

At this time, the options include:

  • Install for a single project: Targets a single project. A single workload is deployed in the specified project and monitors that project's resources.
  • Install for an organization: Targets the whole organization. A single workload is deployed in the specified project and monitors the whole organization.
  • Other specific Secure for Cloud - GCP use-case scenarios.

The default code provided in the Data Sources page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection, benchmarks, and container registry and image scanning.

Prerequisites and Permissions

To check which GCP Service APIs are enabled in the project, run:

gcloud services list --enabled

All the required services should appear in the output. Note that the serviceusage.googleapis.com Service API must itself be enabled for this command to work.
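The following is an added helper, not part of Sysdig's documentation, that compares the APIs enabled in a project against the set the deployed modules need. The REQUIRED list is an assumption derived from the resource types listed further down this page (Cloud Run, Eventarc, Pub/Sub, Logging sinks, Storage, Secret Manager, Workload Identity pools), not an official list; `missing_services` takes a file so it can be checked offline, and `check_project` feeds it live gcloud output.

```shell
#!/bin/sh
# Assumed required-API list (derived from the module resource types on this
# page; extend it if your snippet enables more modules).
REQUIRED="serviceusage.googleapis.com
cloudresourcemanager.googleapis.com
iam.googleapis.com
iamcredentials.googleapis.com
sts.googleapis.com
run.googleapis.com
eventarc.googleapis.com
pubsub.googleapis.com
logging.googleapis.com
storage.googleapis.com
secretmanager.googleapis.com"

# missing_services <file>: <file> holds one enabled API name per line, e.g. the
# output of: gcloud services list --enabled --format='value(config.name)'
# Prints each required API that is absent; returns 1 if any is missing.
missing_services() {
  enabled_file=$1
  rc=0
  for api in $REQUIRED; do
    if ! grep -qx "$api" "$enabled_file"; then
      echo "$api"
      rc=1
    fi
  done
  return $rc
}

# check_project: fetch the live enabled-API list with gcloud and check it.
# Returns 0 when nothing is missing, 1 when APIs are missing, 2 if gcloud fails.
check_project() {
  tmp=$(mktemp)
  gcloud services list --enabled --format='value(config.name)' > "$tmp" \
    || { rm -f "$tmp"; return 2; }
  missing_services "$tmp" && rc=0 || rc=$?
  rm -f "$tmp"
  return $rc
}
```

Run `check_project` before `terraform apply`; every API it prints must be enabled first or the corresponding resources in the plan will fail to create.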

Available Options

  • Workload Types: Cloudrun, K8S

Check each example's input parameters for these and other configuration options.


  1. Log in to Sysdig Secure as Admin, select Integrations > Data Sources | Cloud Account, and choose Connect Account | GCP.

  2. Copy the code snippet under Single Account or Organizational Account and paste it into a Terraform Manifest (.tf file). It should be pre-configured with your Sysdig API token.

  3. Then run:

    $ terraform init

    When complete, run:

    $ terraform apply

    Terraform presents the changes to be made, asks you to confirm them, and then applies them.

  4. Confirm the Services are Working.

    See Troubleshooting if you get permission or account-conflict errors.

Customizing the Install

Both the Single Account and Organizational Account code examples are configured with sensible defaults for the underlying inputs. If desired, you can edit the region, module enablement, and other inputs. See details below.

Enabling Image Scanner

The Image Scanner feature is disabled by default. To enable it, set the deploy_scanning input variable in your snippet, for example:

module "secure-for-cloud_example" {
  # ... keep the source and the other inputs from the copied snippet as they are
  deploy_scanning = true
}

Resources Created by Each Module

The full list of resources created by each module:

  • Cloud-bench
    • google_iam_workload_identity_pool
    • google_iam_workload_identity_pool_provider
    • google_project_iam_custom_role
    • google_project_iam_member
    • google_service_account
    • google_service_account_iam_binding
    • sysdig_secure_benchmark_task
    • sysdig_secure_cloud_account
  • Cloud-connector
    • google_cloud_run_service
    • google_eventarc_trigger
    • google_project_iam_member
    • google_storage_bucket
    • google_storage_bucket_iam_member
    • google_storage_bucket_object
  • Cloud-scanning
    • google_cloud_run_service
    • google_cloud_run_service_iam_member
    • google_eventarc_trigger
    • google_project_iam_member
    • google_pubsub_topic

If Cloud-connector is installed in organizational mode, this additional module will be installed:

  • Organization-sink
    • google_logging_organization_sink
    • google_pubsub_topic
    • google_pubsub_topic_iam_member

If Cloud-connector is installed in single-project mode, this additional module will be installed:

  • Project-sink
    • google_logging_project_sink
    • google_pubsub_topic
    • google_pubsub_topic_iam_member

If Cloud-scanning is installed, this additional module will be installed:

  • Secrets
    • google_secret_manager_secret
    • google_secret_manager_secret_iam_member
    • google_secret_manager_secret_version


Find more troubleshooting options in the Secure for Cloud - Terraform GCP module source repository.

1. Insufficient Permissions on Project

This error may occur if your current GCP authentication session does not have the required permissions to access the specified project.

Solution: Ensure you are authenticated to GCP using a user or service account with the required permissions.

2. Insufficient Permissions to Create Resource

This error may occur if your current GCP authentication session does not have the required permissions to create certain resources.

Solution: Ensure you are authenticated to GCP using a user or service account with the required permissions.

If you have sufficient permissions but still get this kind of error, try to authenticate gcloud using:

$ gcloud auth application-default login

$ gcloud auth application-default set-quota-project your_project_id

3. Conflicting Resources

This error may occur if the specified GCP project has already been onboarded to Sysdig.

Solution: The cloud account can be imported into the Terraform state by running:

terraform import module.single-account.module.cloud_bench.sysdig_secure_cloud_account.cloud_account PROJECT_ID

where PROJECT_ID is the numerical ID of the project (not the project name).

4. Workload Identity Federation pool already exists

This error may occur if a Workload Identity Federation Pool or Pool Provider has previously been created, and then deleted, either via the GCP console or with terraform destroy. When a delete request for these resources is sent to GCP, they are not completely deleted, but marked as “deleted”, and remain for 30 days. These “deleted” resources will block creation of a new resource with the same name.

Solution: The “deleted” pools must be restored using the GCP console or gcloud, and then imported into the Terraform state:

# re-activate pool and provider
$ gcloud iam workload-identity-pools undelete sysdigcloud  --location=global
$ gcloud iam workload-identity-pools providers undelete sysdigcloud --workload-identity-pool="sysdigcloud" --location=global

# import to terraform state
# for this you have to adapt the import resource to your specific usage
# ex.: for single-project, input your project-id
$ terraform import 'module.secure-for-cloud_example_single-project.module.cloud_bench[0].module.trust_relationship["<PROJECT_ID>"].google_iam_workload_identity_pool.pool' <PROJECT_ID>/sysdigcloud
$ terraform import 'module.secure-for-cloud_example_single-project.module.cloud_bench[0].module.trust_relationship["<PROJECT_ID>"].google_iam_workload_identity_pool_provider.pool_provider' <PROJECT_ID>/sysdigcloud/sysdigcloud

# ex.: for organization example you should change its reference too, per project
$ terraform import 'module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["<PROJECT_ID>"].google_iam_workload_identity_pool.pool' <PROJECT_ID>/sysdigcloud
$ terraform import 'module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["<PROJECT_ID>"].google_iam_workload_identity_pool_provider.pool_provider' <PROJECT_ID>/sysdigcloud/sysdigcloud

The import resource to use is the one pointed out in your terraform plan/apply error message:

# for
Error: Error creating WorkloadIdentityPool: googleapi: Error 409: Requested entity already exists
with module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["org-child-project-1"].google_iam_workload_identity_pool.pool,
on .... in resource "google_iam_workload_identity_pool" "pool":
resource "google_iam_workload_identity_pool" "pool" {

# use
'module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["org-child-project-1"].google_iam_workload_identity_pool.pool' as your import resource

# such as
$ terraform import 'module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["org-child-project-1"].google_iam_workload_identity_pool.pool' 'org-child-project-1/sysdigcloud'
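As an added helper (not from Sysdig's documentation or module), the script below derives the `terraform import` commands for this case directly from the saved plan/apply error text, so the module address is copied from Terraform's own output rather than retyped by hand. It assumes the pool and provider are both named sysdigcloud, as in the commands above, and that the error text was saved to a file.

```shell
#!/bin/sh
# import_cmd_from_error <file-with-terraform-error-text>
# For every "with module...." line of a 409 "Requested entity already exists"
# error, print the matching terraform import command. The import ID format
# (<project>/<pool> and <project>/<pool>/<provider>) follows the page above;
# the pool/provider name "sysdigcloud" is assumed from the same commands.
import_cmd_from_error() {
  err_file=$1
  grep -E '^[[:space:]]*with module\.' "$err_file" |
    sed -e 's/^[[:space:]]*with //' -e 's/,$//' |
  while IFS= read -r addr; do
    # The project ID is the instance key of trust_relationship, e.g. ["my-project"].
    project=$(printf '%s' "$addr" |
      sed -n 's/.*trust_relationship\["\([^"]*\)"\].*/\1/p')
    [ -n "$project" ] || continue
    case $addr in
      *.google_iam_workload_identity_pool_provider.*)
        id="$project/sysdigcloud/sysdigcloud" ;;
      *.google_iam_workload_identity_pool.*)
        id="$project/sysdigcloud" ;;
      *) continue ;;   # some other resource address: not a WIF import
    esac
    printf "terraform import '%s' '%s'\n" "$addr" "$id"
  done
}
```

Review the printed commands before running them; the undelete steps above must have been applied first or the import will find nothing to adopt.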

5. Received an email from Google Cloud Platform citing a Configuration Error

Email contains error codes such as:

Error Code: topic_not_found
Error Code: topic_permission_denied

Cause: The resources Sysdig deploys with Terraform are eventually consistent, so a resource may be created while one of the resources it depends on is not ready yet.

Solution: This is a known issue that only occurs within the first minutes of the deployment. The resource health checks will eventually pass and the modules will work as expected.

Confirm the Services are Working

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

  • Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

  • Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check Threat Detection

  • Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig GCP Threat Detection and Sysdig GCP Threat Intelligence managed policies are enabled.

    • These consist of the most-frequently-recommended rules for GCP.
  • Events: In the Events feed, search cloud to show events from GCP.

  • If you need a more technical checkup, visit the Secure for Cloud - Terraform GCP module source repository: https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/README.md#forcing-events—threat-detection

Check Image Scanning

See Also