Deploy Sysdig Secure for cloud on GCP
If needed, review the offering description on Sysdig Secure for cloud - GCP.
Deployments on GCP use a Terraform file.
Onboarding Using Terraform
Terraform-based install instructions differ depending on what type of account you are using.
At this time, the options include:
- Install for a single project
- Install for an organization
The default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection, benchmarks, and container registry and image scanning.
Prerequisites
- A Sysdig Secure SaaS account
- A Google Cloud Platform (GCP) account you would like to connect to Sysdig, with appropriate permissions to deploy
- Terraform installed on the machine from which you will deploy the installation code
- Google's Cloud SDK (gcloud) installed in the environment where you will deploy the installation code. For more background information, see the Google Cloud Platform Provider documentation.
- The required GCP APIs enabled, as described in the Terraform module documentation
Permissions
- Sysdig Secure administrator permissions
- For GCP, in order to create each of the resources listed under Resources Created by Each Module below, you must have the Owner role on the project (single-project mode).
- In organizational mode, the Organization Admin role on the organization is required as well.
Steps
1. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the GCP tab.
2. Copy the code snippet under Single Account or Organizational Account and paste it in the terminal of your local machine. It should be pre-configured with your Sysdig API token.
3. Then run:
$ terraform init
4. When complete, run:
$ terraform apply
which will present the changes to be made, ask you to confirm them, then make the changes. Review the planned IAM bindings and service accounts before confirming; this prompt is the last point at which an unexpected grant can be stopped.
5. Confirm the services are working, as described under Confirm the Services are Working below.
6. Check Troubleshooting in case of permissions or account conflict errors.
Resources Created by Each Module
- Cloud-bench
google_iam_workload_identity_pool
google_iam_workload_identity_pool_provider
google_project_iam_custom_role
google_project_iam_member
google_service_account
google_service_account_iam_binding
sysdig_secure_benchmark_task
sysdig_secure_cloud_account
- Cloud-connector
google_cloud_run_service
google_eventarc_trigger
google_project_iam_member
google_storage_bucket
google_storage_bucket_iam_member
google_storage_bucket_object
- Cloud-scanning
google_cloud_run_service
google_cloud_run_service_iam_member
google_eventarc_trigger
google_project_iam_member
google_pubsub_topic
If Cloud-connector is installed in organizational mode, this additional module will be installed:
- Organization-sink
google_logging_organization_sink
google_pubsub_topic
google_pubsub_topic_iam_member
If Cloud-connector is installed in single-project mode, this additional module will be installed:
- Project-sink
google_logging_project_sink
google_pubsub_topic
google_pubsub_topic_iam_member
If Cloud-scanning is installed, this additional module will be installed:
- Secrets
google_secret_manager_secret
google_secret_manager_secret_iam_member
google_secret_manager_secret_version
Troubleshooting
1. Insufficient Permissions on Project
This error may occur if your current GCP authentication session does not have the required permissions to access the specified project.
Solution: Ensure you are authenticated to GCP using a user or service account with the required permissions.
2. Insufficient Permissions to Create Resource
This error may occur if your current GCP authentication session does not have the required permissions to create certain resources.
Solution: Ensure you are authenticated to GCP using a user or service account with the required permissions.
If you have sufficient permissions but still get this kind of error, note that the Terraform Google provider authenticates with Application Default Credentials rather than with the gcloud user session, so those credentials may be missing or stale. Refresh them with:
$ gcloud auth application-default login
$ gcloud auth application-default set-quota-project your_project_id
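As an added example (not Sysdig's code and not taken from the module documentation), the following POSIX shell script checks the Prerequisites and Permissions above together with the two causes in items 1 and 2 before you run terraform apply. The list of APIs is an assumption derived from the resource types under Resources Created by Each Module; the script name and function names are my own.

```shell
#!/bin/sh
# preflight.sh: sanity-check the workstation and target GCP project before
# running the Sysdig Get Started Terraform snippet. Added example, not part of
# the Sysdig module or its documentation.
#
# ASSUMPTION: REQUIRED_APIS is derived from the resources listed on this page
# (Cloud Run, Eventarc, Pub/Sub, Secret Manager, IAM / Workload Identity
# Federation, Cloud Logging, Cloud Storage). Check the module documentation
# for the authoritative list and adjust accordingly.
REQUIRED_APIS="cloudresourcemanager.googleapis.com iam.googleapis.com \
iamcredentials.googleapis.com sts.googleapis.com run.googleapis.com \
eventarc.googleapis.com pubsub.googleapis.com secretmanager.googleapis.com \
logging.googleapis.com storage.googleapis.com"

# missing_apis REQUIRED ENABLED: both are whitespace-separated service lists.
# Prints each required service that is absent from ENABLED, one per line.
missing_apis() {
  for api in $1; do
    found=0
    for enabled in $2; do
      if [ "$api" = "$enabled" ]; then found=1; break; fi
    done
    if [ "$found" -eq 0 ]; then printf '%s\n' "$api"; fi
  done
}

# has_role ROLE MEMBER: reads "role<TAB>member" lines on stdin, as produced by
#   gcloud projects get-iam-policy PROJECT --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
# Exit status 0 if MEMBER is directly bound to ROLE, 1 otherwise. Membership
# inherited through a group or a folder/organization binding is not visible here.
has_role() {
  grep -qxF "$(printf '%s\t%s' "$1" "$2")"
}

# adc_present: Terraform's google provider uses Application Default
# Credentials, not the gcloud user session. "Insufficient permissions" from
# Terraform while gcloud itself works is usually a missing or stale ADC.
adc_present() {
  [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ] && return 0
  [ -r "${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}/application_default_credentials.json" ]
}

# preflight PROJECT_ID: runs the checks above against a real project.
preflight() {
  project=$1
  status=0
  for tool in terraform gcloud; do
    command -v "$tool" >/dev/null 2>&1 || { echo "FAIL: $tool not found in PATH"; status=1; }
  done
  [ "$status" -eq 0 ] || return 1
  account=$(gcloud config get-value account 2>/dev/null)
  [ -n "$account" ] || { echo "FAIL: no active gcloud account (run: gcloud auth login)"; return 1; }
  # IAM members are prefixed by principal type; gcloud prints the bare identity.
  case "$account" in
    *.iam.gserviceaccount.com) member="serviceAccount:$account" ;;
    *)                         member="user:$account" ;;
  esac
  enabled=$(gcloud services list --enabled --project "$project" --format='value(config.name)')
  missing=$(missing_apis "$REQUIRED_APIS" "$enabled")
  if [ -n "$missing" ]; then
    echo "FAIL: APIs not enabled on $project (enable with: gcloud services enable <api> --project $project):"
    printf '  %s\n' $missing
    status=1
  fi
  gcloud projects get-iam-policy "$project" --flatten='bindings[].members' \
      --format='value(bindings.role,bindings.members)' \
    | has_role roles/owner "$member" \
    || echo "WARN: $member has no direct roles/owner binding on $project"
  adc_present || { echo "FAIL: no Application Default Credentials (run: gcloud auth application-default login)"; status=1; }
  return "$status"
}

# Usage: sh preflight.sh --project PROJECT_ID
if [ "${1:-}" = "--project" ] && [ -n "${2:-}" ]; then
  preflight "$2"
fi
```

The Owner check looks only at bindings placed directly on the project; a grant inherited through a Google group, a folder or the organization (including the Organization Admin role needed for organizational mode) has to be checked with gcloud organizations get-iam-policy or in the console.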
3. Conflicting Resources
This error may occur if the specified GCP project has already been onboarded to Sysdig.
Solution: Import the existing cloud account into the Terraform state by running
$ terraform import module.single-account.module.cloud_bench.sysdig_secure_cloud_account.cloud_account PROJECT_ID
where PROJECT_ID is the numerical ID of the project (not the project name). Adjust the module path if the snippet you pasted uses a different root module name. Run terraform plan afterwards to confirm the import produced no unexpected diff before applying again.
4. Workload Identity Federation pool already exists
This error may occur if a Workload Identity Federation pool or pool provider was previously created and then deleted, either via the GCP console or with terraform destroy. When a delete request for these resources is sent to GCP, they are not completely deleted, but marked as "deleted", and remain for 30 days. These "deleted" resources block creation of a new resource with the same name.
Solution: Restore the "deleted" pool and provider using the GCP console, then import them into Terraform:
$ terraform import module.single-account.module.cloud_bench.google_iam_workload_identity_pool.pool POOL_ID
$ terraform import module.single-account.module.cloud_bench.google_iam_workload_identity_pool_provider.pool_provider POOL_ID/PROVIDER_ID
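The following script is added here as an example and is not part of the Sysdig module: it automates the triage for items 3 and 4 by reading a saved terraform apply log, picking out the resources that failed because they already exist, and printing the matching recovery commands. It assumes the root module name single-account from the import commands above; it uses the gcloud undelete commands as the command-line equivalent of restoring a soft-deleted pool in the console; and the sample log it carries is constructed (the sysdig provider's message text and the Cloud Run resource name in it are placeholders, only the addresses that appear in the import commands on this page are real).

```shell
#!/bin/sh
# recover-conflicts.sh: read the output of a failed `terraform apply`, find the
# resources that failed because they already exist, and print (not run) the
# recovery commands for Troubleshooting items 3 and 4. Added example, not
# Sysdig's code.
#
# ASSUMPTIONS: root module is named "single-account" as in the import commands
# above; Terraform >= 0.15 names the failing resource in a "with <address>,"
# line inside each error block; `gcloud ... undelete` is the CLI equivalent of
# restoring the pool in the console and only works inside the 30-day window.

# sample_log: constructed terraform output. The Google provider 409 text is the
# shape the provider emits; the sysdig provider message and the Cloud Run
# module/resource names are placeholders, not taken from the real module.
sample_log() {
  cat <<'EOF'
╷
│ Error: Error creating WorkloadIdentityPool: googleapi: Error 409: Requested entity already exists, alreadyExists
│
│   with module.single-account.module.cloud_bench.google_iam_workload_identity_pool.pool,
│   on main.tf line 12, in resource "google_iam_workload_identity_pool" "pool":
╵
╷
│ Error: cloud account for project 123456789012 already exists
│
│   with module.single-account.module.cloud_bench.sysdig_secure_cloud_account.cloud_account,
│   on main.tf line 40, in resource "sysdig_secure_cloud_account" "cloud_account":
╵
╷
│ Error: Error creating Service: googleapi: Error 403: Permission 'run.services.create' denied
│
│   with module.single-account.module.cloud_connector.google_cloud_run_service.placeholder,
│   on main.tf line 60, in resource "google_cloud_run_service" "placeholder":
╵
EOF
}

# conflicting_addresses [FILE]: prints the Terraform address of every resource
# whose error is a 409 / "already exists" conflict, one per line. Other errors
# (for example 403 permission denials) are deliberately skipped: importing
# would not fix them. Reads stdin when FILE is omitted.
conflicting_addresses() {
  awk '
    /Error 409|already exists/ { hit = 1; next }
    hit && / with /            { sub(/^.* with /, ""); sub(/,[[:space:]]*$/, ""); print; hit = 0 }
  ' ${1:+"$1"}
}

# import_command ADDRESS PROJECT_ID POOL_ID PROVIDER_ID: prints the recovery
# commands for the three addresses this page covers; anything else is flagged
# for manual inspection rather than guessed at.
import_command() {
  case "$1" in
    *.sysdig_secure_cloud_account.cloud_account)
      printf 'terraform import %s %s\n' "$1" "$2" ;;
    *.google_iam_workload_identity_pool.pool)
      printf 'gcloud iam workload-identity-pools undelete %s --location=global\n' "$3"
      printf 'terraform import %s %s\n' "$1" "$3" ;;
    *.google_iam_workload_identity_pool_provider.pool_provider)
      printf 'gcloud iam workload-identity-pools providers undelete %s --workload-identity-pool=%s --location=global\n' "$4" "$3"
      printf 'terraform import %s %s/%s\n' "$1" "$3" "$4" ;;
    *)
      printf '# no import rule for %s: inspect it manually before re-running apply\n' "$1" ;;
  esac
}

# recover FILE PROJECT_ID POOL_ID PROVIDER_ID: print every recovery command so
# the operator can review them before touching Terraform state.
recover() {
  conflicting_addresses "$1" | while IFS= read -r addr; do
    import_command "$addr" "$2" "$3" "$4"
  done
}

# Usage: terraform apply -no-color 2>&1 | tee apply.log
#        sh recover-conflicts.sh apply.log PROJECT_ID POOL_ID PROVIDER_ID
if [ $# -eq 4 ]; then
  recover "$1" "$2" "$3" "$4"
fi
```

Capture the apply output with -no-color so ANSI escapes do not break the matching, review the printed commands before executing any of them, and run terraform plan after each import to confirm it produced no destructive diff. The PROJECT_ID argument is the numerical project ID the import command above expects, and undelete fails if the pool or provider is not actually in the deleted state or the 30-day window has passed.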
5. Received an email from Google Cloud Platform citing a Configuration Error
Email contains error codes such as:
Error Code: topic_not_found
or
Error Code: topic_permission_denied
Cause: The resources Sysdig deploys with Terraform are eventually consistent. A dependent resource can be created before the Pub/Sub topic it targets exists or before the IAM binding that grants access to that topic has propagated, which Google reports as topic_not_found or topic_permission_denied.
Solution: This is a known issue that occurs only within the first minutes of the deployment. Once the resource health checks pass, the modules work as expected. If the emails continue beyond that window, confirm that the google_pubsub_topic and google_pubsub_topic_iam_member resources listed above exist in the project and that terraform apply completed without errors.
Confirm the Services are Working
Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.
Check Overall Connection Status
- Data Sources: Select Integrations > Inbound | Cloud Accounts to see all connected cloud accounts.
- Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.
- Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.
Check Threat Detection
- Policies: Check Policies > Runtime Policies and confirm that the GCP Best Practices policy is enabled. This consists of the most-frequently-recommended rules for GCP.
- Events: In the Events feed, search 'cloud' to show events from GCP.
Check GCP Benchmarks
- Tasks: Select Compliance > Benchmarks > Tasks and confirm a task with the name Sysdig Secure for Cloud (GCP) exists.
- Results: After a few minutes, check that results of the benchmark are available by clicking on the Sysdig Secure for Cloud (GCP) task. Note that results may take up to 15 minutes to appear.
Check GCP Scanning
- Scan Results: Check Image Scanning > Scan Results and choose the Origins drop-down. Confirm that GCP is listed. Filter by the desired origin and review scan results.
- Force an event: Upload an image to a new repository in Container Registry, following the repository Setup Instructions provided by GCP. The push is what triggers a scan, so a result for that image should appear under the GCP origin after a few minutes.
See Also
- Secure for Cloud - Terraform GCP - Terraform registry module
- Secure for Cloud - Terraform GCP - Source Github repo
- Insights
- Integrate with Container Registries