GCP

Connect a GCP cloud account to Sysdig Secure using Terraform via a wizard. You can connect single or organizational projects. You can also connect agentless CSPM alone.

Installation Options

Full Install using Wizard

To install all the features offered, follow the Wizard Quick Start.

Log in to Sysdig Secure as admin and select Integrations > Data Sources|Cloud Accounts.
Click +Add Account and select GCP. Select which installation method matches your enterprise methods:
- Terraform Single-Account
- Terraform Organizational Account
As prompted by the Wizard screen, specify the following:
Single Account
- Region of your GCP Project: The region where resources will be created in your GCP project by default.
- Project ID: The GCP Project ID that you are onboarding.
Organization
- GCP Region: The region where resources will be created in your GCP project by default.
- Organization Member Project ID: The GCP project where workload will be deployed.
- Organization Domain: The domain of the GCP organization you are onboarding.
The Wizard will autopopulate a code snippet, along with autodetected Sysdig Secure endpoint and Sysdig Secure API token information.
Apply the Terraform by running
```
$ terraform init
```
When complete, run:
```
$ terraform apply
```
After deploying, perform any necessary configuration steps and confirm the services are working.

Install Agentless CSPM Only

This method of installation will only support CSPM Compliance.

The following features will not work: Threat Detection, Identity and Access, Image Scanning

This installation is manual and can be performed for a single project or organizational project in Terraform.

Single Project

In a terminal window, ensure you are authenticated to the GCP project you would like to connect. You can authenticate using the GCP CLI by running gcloud auth application-default login

Save the following to a file named main.tf on your local machine:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}


provider "google" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

provider "google-beta" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

module "sysdig-sfc-agentless" {
  source     = "sysdiglabs/secure-for-cloud/google//modules/services/cloud-bench"
  project_id = "<GCP_PROJECT_ID>"
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com.
  - US West: https://us2.app.sysdig.com
  - European Union: https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
- GCP_REGION: e.g. us-east1 The region where resources will be created in your GCP project by default.
- GCP_PROJECT_ID: The GCP Project ID that you are onboarding.
Apply the Terraform by running
```
$ terraform init
```
When complete, run:
```
$ terraform apply
```
After deploying, confirm that Compliance is working.

Organization

In a terminal window, ensure you are authenticated to the GCP project in which you would like to set up Identity Federation. You can authenticate using the GCP CLI by running gcloud auth application-default login

Save the following to a file named main.tf on your local machine:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}


provider "google" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

provider "google-beta" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

module "sysdig-sfc-agentless" {
  source              = "sysdiglabs/secure-for-cloud/google//modules/services/cloud-bench-workload-identity"
  organization_domain = "<GCP_ORG_DOMAIN>"
  project_id          = "<GCP_PROJECT_ID>"
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com.
  - US West: https://us2.app.sysdig.com
  - European Union: https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
- GCP_PROJECT_ID: The GCP Project ID where Identity Federation resources will be created.
- GCP_REGION: e.g. us-east1 The region where resources will be created in your GCP project by default.
- GCP_ORG_DOMAIN: The domain of the GCP organization you are onboarding.
Apply the Terraform by running
```
$ terraform init
```
When complete, run:
```
$ terraform apply
```
After deploying, confirm that Compliance is working.

Validate

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.
Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check CSPM

Check Inventory and filter for project =. Check for your GCP cloud account in the drop-down.

Check Threat Detection

Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig GCP Threat Detection and Sysdig GCP Threat Intelligence managed policies are enabled.
- These consist of the most-frequently-recommended rules for GCP.
Events: In the Events feed, filter for gcp.projectid = and check for your cloud account.
More technical details: Secure for Cloud - Terraform GCP module source repository

Available on GCP

Agentless CSPM

Available as a stand-alone manual install or as part of the full install.

Resources Created

google_iam_workload_identity_pool
google_iam_workload_identity_pool_provider
google_project_iam_custom_role
google_project_iam_member.
google_service_account.
google_service_account_iam_binding

Threat Detection

Resources Created

google_cloud_run_service
google_cloud_run_service_iam_member
google_eventarc_trigger
google_logging_organization_sink
google_logging_project_sink
google_project_iam_member
google_pubsub_subscription
google_pubsub_subscription_iam_member
google_pubsub_topic
google_pubsub_topic_iam_member
google_secret_manager_secret
google_secret_manager_secret_iam_member
google_secret_manager_secret_version
google_service_account
google_service_account_iam_binding

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.