Deploy Sysdig Secure for cloud on GCP

Review the offering description on Sysdig Secure for cloud, if needed. Deployments on GCP use a Terraform file.

Onboarding Using Terraform

Terraform-based install instructions differ depending on what type of account you are using.

At this time, the options include:

The default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection, benchmarks, and container registry and image scanning.

Prerequisites

  • A Sysdig Secure SaaS account

  • A Google Cloud Platform (GCP) account you would like to connect to Sysdig, with appropriate permissions to deploy

  • Have Terraform installed on the machine from which you will deploy the installation code.

  • Google’s Cloud SDK deployed in the environment where you will deploy the installation code

    For more background information, see the Google Cloud Platform Provider documentation.

  • Enable the required GCP APIs as described in the Terraform module documentation

Permissions

  • Sysdig Secure administrator permissions
  • For GCP, in order to create each of the resources specified in the resources list below, you must have - Owner role if using single-project mode.
    • For organizational Organization Admin role is required too.

Steps

  1. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the GCP tab.

  2. Copy the code snippet under Single Account or Organizational Account and paste it in the terminal of your local machine. It should be pre-configured with your Sysdig API token.

  3. Then run:

    $ terraform init
    

    When complete, run:

    $ terraform apply
    

    which will present the changes to be made, ask you to confirm them, then make the changes.

  4. Confirm the Services are Working

    Check Troubleshooting in case of permissions or account conflict errors.

Resources Created by Each Module

  • Cloud-bench
    • google_iam_workload_identity_pool
    • google_iam_workload_identity_pool_provider
    • google_project_iam_custom_role
    • google_project_iam_member
    • google_service_account
    • google_service_account_iam_binding
    • sysdig_secure_benchmark_task
    • sysdig_secure_cloud_account
  • Cloud-connector
    • google_cloud_run_service
    • google_eventarc_trigger
    • google_project_iam_member
    • google_storage_bucket
    • google_storage_bucket_iam_member
    • google_storage_bucket_object
  • Cloud-scanning
    • google_cloud_run_service
    • google_cloud_run_service_iam_member
    • google_eventarc_trigger
    • google_project_iam_member
    • google_pubsub_topic

If Cloud-connector is installed in organizational mode, this additional module will be installed:

  • Organization-sink
    • google_logging_organization_sink
    • google_pubsub_topic
    • google_pubsub_topic_iam_member

If Cloud-connector is installed in single-project mode, this additional module will be installed:

  • Project-sink
    • google_logging_project_sink
    • google_pubsub_topic
    • google_pubsub_topic_iam_member

If Cloud-scanning is installed, this additional module will be installed:

  • Secrets
    • google_secret_manager_secret
    • google_secret_manager_secret_iam_member
    • google_secret_manager_secret_version`

Troubleshooting

1. Insufficient Permissions on Project

This error may occur if your current GCP authentication session does not have the required permissions to access the specified project.

Solution: Ensure you are authenticated to GCP using a user or service account with the required permissions.

2. Insufficient Permissions to Create Resource

This error may occur if your current GCP authentication session does not have the required permissions to create certain resources.

Solution: Ensure you are authenticated to GCP using a user or service account with the required permissions.

If you have sufficient permissions but still get this kind of error, try to authenticate gcloudusing:

$ gcloud auth application-default login

$ gcloud auth application-default login set-quota-project your_project_id

3. Conflicting Resources

This error may occur if the specified GCP project has already been onboarded to Sysdig.

Solution: The cloud account can be imported into terraform by running

terraform import module.single account.module.cloud_bench.sysdig_secure_cloud_account.cloud_account PROJECT_ID , where PROJECT_ID is the numerical ID of the project (not the project name).

4. Workload Identity Federation pool already exists

This error may occur if a Workload Identity Federation Pool or Pool Provider has previously been created, and then deleted, either via the GCP console or with terraform destroy. When a delete request for these resources is sent to GCP, they are not completely deleted, but marked as “deleted”, and remain for 30 days. These “deleted” resources will block creation of a new resource with the same name.

Solution: The “deleted” pools must be restored using the GCP console, and then imported into terraform, using terraform import module.single-account.module.cloud_bench.google_iam_workload_identity_pool.pool POOL_ID and module.single-account.module.cloud_bench.google_iam_workload_identity_pool_provider.pool_provider POOL_ID/PROVIDER_ID

5. Received an email from Google Cloud Platform citing a Configuration Error

Email contains error codes such as:

Error Code: topic_not_found
or
Error Code: topic_permission_denied

Cause: The resources Sysdig deployed with Terraform will eventually be consistent, but it could happen that some pre-required resources are created but not ready yet.

Solution: This is a known issue that will only take place within first minutes of the deployment. Eventually, resource health checks will pass and modules will work as expected.

Confirm the Services are Working

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

  • Data Sources: Select Data Sources from the User menu to see all connected cloud accounts.

  • Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.

  • Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check Threat Detection

  • Policies: Check Policies > Runtime Policies and confirm that the GCP Best Practices policy is enabled. This consists of the most-frequently-recommended rules for GCP.

  • Events: In the Events feed, search ‘cloud’ to show events from GCP.

Check GCP Benchmarks

  • Tasks: Select Compliance > Benchmarks > Tasks and confirm a task with the name Sysdig Secure for Cloud (GCP) exists.
  • Results: After a few minutes, check results of the benchmark are available by clicking on the Sysdig Secure for Cloud (GCP) task. Note that results may take up to 15 minutes to appear.

Check GCP Scanning

  • Scan Results: CheckImage Scanning > Scan Resultsand choose the Origins drop-down.

    Confirm that GCP is listed.

  • Filter by the desired origin and review scan results.

  • Force an event: Upload an image to a new Repository in a Container Registry. Follow repository Setup Instructions provided by GCP.

See Also



Last modified November 15, 2021