GCP
GCP Installation Options
Full install using the Wizard
This installation option includes:
Agentless CSPM
Agent-based Cloud Detection and Response (CDR)
Agentless CSPM Only
This installation option offers a lightweight, agentless install that will only support CSPM.
Prerequisites and Permissions
Installed Applications
- Sysdig Secure SaaS with administrator permissions
- Terraform, installed on the machine from which you will deploy the installation code, along with the Terraform Google Platform Provider
- Google's Cloud SDK (the gcloud CLI), installed in the environment from which you will deploy the installation code
For further guidance, see the Hashicorp and Google documentation: Install Terraform; Google Platform Provider; Install the gcloud CLI.
GCP Roles and APIs
A Google Cloud Platform (GCP) account is required for Sysdig Secure's cloud compute workload deployment, with the following roles and APIs enabled:
- Owner role, to create each of the resources specified in the Resources Created lists below. Owner is a broad role; run the deployment from a dedicated identity rather than a shared one.
- Organization Admin role (for Organizations)
- GCP Service APIs enabled:
For CDR:
- Cloud Pub/Sub API (pubsub.googleapis.com)
- Cloud Run API (run.googleapis.com)
- Eventarc API (eventarc.googleapis.com)
For Agentless CSPM:
- Identity and Access Management API (iam.googleapis.com)
- IAM Service Account Credentials API (iamcredentials.googleapis.com)
- Cloud Resource Manager API (cloudresourcemanager.googleapis.com)
- Security Token Service API (sts.googleapis.com)
- Cloud Asset API (cloudasset.googleapis.com)
For Cloud Scanning (optional module):
- Cloud Pub/Sub API (pubsub.googleapis.com)
- Cloud Run API (run.googleapis.com)
- Eventarc API (eventarc.googleapis.com)
- Secret Manager API (secretmanager.googleapis.com)
- Cloud Build API (cloudbuild.googleapis.com)
- Identity and Access Management API (iam.googleapis.com)
Check API Enablement
Enable the serviceusage.googleapis.com Service API; it is required to run the following command:
gcloud services list --enabled
All the services listed above for the modules you are deploying should appear in the output.
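As an added example for this page (not code from Sysdig's documentation or its Terraform modules), the following script turns the API lists above into a pre-flight check: it takes the output of `gcloud services list --enabled --format='value(config.name)'` (that format flag is assumed here to print one service name per line), reports which APIs each module still needs, and prints the `gcloud services enable` command that fixes it. The enabled-services list embedded at the bottom is constructed so the script runs offline; replace it with the live gcloud output for a real check.

```shell
#!/usr/bin/env bash
# Pre-flight check for the GCP Service APIs listed above. Added example for this
# page; it is not part of the Sysdig documentation or the Sysdig Terraform modules.
# Live use: enabled=$(gcloud services list --enabled --format='value(config.name)')
# and pass that string to report_modules. The sample at the bottom is constructed
# so the script runs offline.

# Required APIs per module, copied from the "GCP Roles and APIs" lists above.
CDR_APIS="pubsub.googleapis.com run.googleapis.com eventarc.googleapis.com"
CSPM_APIS="iam.googleapis.com iamcredentials.googleapis.com cloudresourcemanager.googleapis.com sts.googleapis.com cloudasset.googleapis.com"
SCANNING_APIS="pubsub.googleapis.com run.googleapis.com eventarc.googleapis.com secretmanager.googleapis.com cloudbuild.googleapis.com iam.googleapis.com"

# missing_apis ENABLED REQUIRED
#   ENABLED: enabled service names, one per line (gcloud output)
#   REQUIRED: space-separated service names
#   Prints each required service that is not enabled, one per line.
missing_apis() {
  enabled="$1"
  required="$2"
  for svc in $required; do
    printf '%s\n' "$enabled" | grep -qxF "$svc" || printf '%s\n' "$svc"
  done
}

# enable_command MISSING
#   Prints the single gcloud command that enables every missing service,
#   or nothing when MISSING is empty.
enable_command() {
  [ -n "$1" ] || return 0
  printf 'gcloud services enable %s\n' "$(printf '%s' "$1" | tr '\n' ' ')"
}

# report_modules ENABLED
#   Checks serviceusage first (gcloud services list itself depends on it), then
#   each module. Returns 0 when every module is fully enabled, 1 otherwise.
report_modules() {
  enabled="$1"
  status=0
  printf '%s\n' "$enabled" | grep -qxF serviceusage.googleapis.com \
    || { echo "serviceusage.googleapis.com is not enabled; enable it before anything else"; status=1; }
  for entry in "CDR:$CDR_APIS" "Agentless CSPM:$CSPM_APIS" "Cloud Scanning:$SCANNING_APIS"; do
    name=${entry%%:*}
    apis=${entry#*:}
    missing=$(missing_apis "$enabled" "$apis")
    if [ -z "$missing" ]; then
      echo "$name: all required APIs enabled"
    else
      echo "$name: missing $(printf '%s' "$missing" | tr '\n' ' ')"
      echo "  fix: $(enable_command "$missing")"
      status=1
    fi
  done
  return $status
}

# Constructed sample of `gcloud services list --enabled --format='value(config.name)'`
# output: CSPM is complete, CDR lacks Eventarc, Cloud Scanning lacks three APIs.
SAMPLE_ENABLED='pubsub.googleapis.com
run.googleapis.com
iam.googleapis.com
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com
sts.googleapis.com
cloudasset.googleapis.com
serviceusage.googleapis.com'

report_modules "$SAMPLE_ENABLED" || true
```

Run it against the live project by replacing the sample with the gcloud output; the non-zero exit status from report_modules makes it usable as a gate in a CI pipeline before `terraform apply`.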
Available Options
Workload Types: Cloud Run, Kubernetes
Full Install using Wizard
To install agentless CSPM and CDR, follow the Wizard Quick Start.
- In a terminal window, ensure you are authenticated to the GCP project you would like to connect. You can authenticate using the gcloud CLI by running `gcloud auth application-default login`.
- Log in to Sysdig Secure as admin and select Integrations > Data Sources | Cloud Accounts.
- Click +Add Account and select GCP. Select the installation method that matches your enterprise: Terraform Single-Account or Terraform Organizational Account.
- As prompted, specify the following:
  Single Account:
  - GCP Region: The region where resources will be created in your GCP project by default. For example, us-east1.
  - Project ID: The GCP Project ID that you are onboarding.
  Organization:
  - GCP Region: The region where resources will be created in your GCP project by default. For example, us-east1.
  - Organization Member Project ID: The GCP project where the workload will be deployed.
  - Organization Domain: The domain of the GCP organization you are onboarding.
- The Wizard auto-populates a code snippet, including the autodetected Sysdig Secure endpoint and Sysdig Secure API token. Treat that snippet as a secret: it carries a valid API token.
- Run `terraform init && terraform apply`.
- After deploying, validate that the services are working (see Validate below).
Install Agentless CSPM Only
This method is an alternative to the full installation above and supports only CSPM compliance.
If you use this method, CDR, CIEM, and Image Scanning will not work.
This installation is manual and uses Terraform; it can be performed for a single project or for an organization.
Single Project
- In a terminal window, ensure you are authenticated to the GCP project you would like to connect. You can authenticate using the gcloud CLI by running `gcloud auth application-default login`.
- Save the following to a file named `main.tf` on your local machine:

```hcl
terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}

provider "google" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

provider "google-beta" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

module "sysdig-sfc-agentless" {
  source     = "sysdiglabs/secure-for-cloud/google//modules/services/cloud-bench"
  project_id = "<GCP_PROJECT_ID>"
}
```

- Replace the following placeholders in `main.tf`:
  - SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
    - US East: https://secure.sysdig.com
    - US West: https://us2.app.sysdig.com
    - European Union: https://eu1.app.sysdig.com
  - SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours. The token grants API access to your Sysdig Secure account, so do not commit `main.tf` with the token in it to version control; pass it in as a Terraform input variable marked sensitive instead.
  - GCP_REGION: The region where resources will be created in your GCP project by default. For example, us-east1.
  - GCP_PROJECT_ID: The GCP Project ID that you are onboarding.
- Run `terraform init && terraform apply`. After deploying, validate that CSPM is working (see Validate below).
Organization
- In a terminal window, ensure you are authenticated to the GCP project in which you would like to set up Identity Federation. (See the Hashicorp documentation for details about Identity Federation.) You can authenticate using the gcloud CLI by running `gcloud auth application-default login`.
- Save the following to a file named `main.tf` on your local machine:

```hcl
terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}

provider "google" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

provider "google-beta" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

module "sysdig-sfc-agentless" {
  source              = "sysdiglabs/secure-for-cloud/google//modules/services/cloud-bench-workload-identity"
  organization_domain = "<GCP_ORG_DOMAIN>"
  project_id          = "<GCP_PROJECT_ID>"
}
```

- Replace the following placeholders in `main.tf`:
  - SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
    - US East: https://secure.sysdig.com
    - US West: https://us2.app.sysdig.com
    - European Union: https://eu1.app.sysdig.com
  - SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours. The token grants API access to your Sysdig Secure account, so do not commit `main.tf` with the token in it to version control; pass it in as a Terraform input variable marked sensitive instead.
  - GCP_PROJECT_ID: The GCP Project ID where the Identity Federation resources will be created.
  - GCP_REGION: The region where resources will be created in your GCP project by default. For example, us-east1.
  - GCP_ORG_DOMAIN: The domain of the GCP organization you are onboarding.
- Apply the Terraform by running `terraform init && terraform apply`. After deploying, validate that CSPM is working (see Validate below).
Validate
Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.
Check Overall Connection Status
- Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.
Check CSPM
- Inventory: Select the Inventory module and filter by project. Check for your GCP cloud account in the drop-down.
Check CDR
- Policies: Select Policies > Runtime Policies and filter for GCP to confirm that GCP-specific managed policies are listed and enabled.
- Events: Select Events > Cloud Events and filter for Platform in GCP.
Available on GCP
Agentless CSPM
Resources Created
- google_iam_workload_identity_pool
- google_iam_workload_identity_pool_provider
- google_project_iam_custom_role
- google_project_iam_member
- google_service_account
- google_service_account_iam_binding
Threat Detection and Response
Resources Created
- google_cloud_run_service
- google_cloud_run_service_iam_member
- google_eventarc_trigger
- google_logging_organization_sink
- google_logging_project_sink
- google_project_iam_member
- google_pubsub_subscription
- google_pubsub_subscription_iam_member
- google_pubsub_topic
- google_pubsub_topic_iam_member
- google_secret_manager_secret
- google_secret_manager_secret_iam_member
- google_secret_manager_secret_version
- google_service_account
- google_service_account_iam_binding