GCP

Connect your GCP Projects and Organizations to Sysdig Secure using Terraform. Choose from agent-based or agentless installs depending on your desired functionality.

GCP Installation Options

  • Full install using the Wizard

    This installation option includes:

    • Agentless CSPM

    • Agent-based Cloud Detection and Response (CDR)

  • Agentless CSPM Only

    This installation option offers a lightweight, agentless install that will only support CSPM.

Prerequisites and Permissions

Installed Applications

  • Sysdig Secure SaaS with administrator permissions

  • Terraform must be installed on the machine from which you will deploy the installation code, along with:

GCP Roles and APIs

A Google Cloud Platform (GCP) account is required for Sysdig Secure’s cloud compute workload deployment, with the following roles and APIs enabled:

Check API Enablement

  1. Enable the serviceusage.googleapis.com Service API.

    This is required to execute the following command:

  2. Execute: gcloud services list --enabled

All the services listed above should be included.

Available Options

Workload Types: Cloudrun, Kubernetes

Full Install using Wizard

To install agentless CSPM and CDR, follow the Wizard Quick Start.

  1. Ensure you are authenticated to the GCP project you would like to connect to in your terminal window. You can authenticate using the GCP CLI by running:

    gcloud auth application-default login

  2. Log in to Sysdig Secure as admin and select Integrations > Cloud Accounts > GCP.

  3. Click +Add GCP Account. Select which installation method matches your enterprise methods:

    • Terraform Single-Account

    • Terraform Organizational Account

  4. As prompted, specify the following:

    Single Account

    • Region of your GCP Project: This is the region where resources will be created in your GCP project by default. For example, us-east1.

    • Project ID: The GCP Project ID that you are onboarding

    Organization

    • GCP Region: For example, us-east1. This is the region where resources will be created in your GCP project by default.

    • Organization Member Project ID: The GCP project where the workload will be deployed

    • Organization Domain: The domain of the GCP organization you are onboarding

    The Wizard will auto-populate a code snippet, along with autodetected Sysdig Secure endpoint and Sysdig Secure API token information.

  5. Run terraform init && terraform apply.

  6. After deploying, validate the services are working.

Install Agentless CSPM Only

This method is an alternative to the full installation (above). This method will only support CSPM Compliance.

If you use this method, CDR, CIEM, and Image Scanning will not work.

This installation is manual and can be performed for a single project or organizational project in Terraform.

Single Project

  1. In a terminal window, ensure you are authenticated to the GCP project you would like to connect. You can authenticate using the GCP CLI by running:

    gcloud auth application-default login

  2. Save the following to a file named main.tf on your local machine:

    terraform {
      required_providers {
        sysdig = {
          source = "sysdiglabs/sysdig"
        }
      }
    }
    
    # Sysdig Secure endpoint and API token (see the placeholders below)
    provider "sysdig" {
      sysdig_secure_url       = "<SYSDIG_URL>"
      sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
    }
    
    # GCP project and default region in which the resources are created
    provider "google" {
      project = "<GCP_PROJECT_ID>"
      region  = "<GCP_REGION>"
    }
    
    provider "google-beta" {
      project = "<GCP_PROJECT_ID>"
      region  = "<GCP_REGION>"
    }
    
    # Agentless CSPM (cloud-bench) module for a single project
    module "sysdig-sfc-agentless" {
      source     = "sysdiglabs/secure-for-cloud/google//modules/services/cloud-bench"
      project_id = "<GCP_PROJECT_ID>"
    }
    
  3. Replace the following placeholders in main.tf:

    • SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
      • US East: https://secure.sysdig.com
      • US West: https://us2.app.sysdig.com
      • European Union: https://eu1.app.sysdig.com
    • SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
    • GCP_REGION: This is the region where resources will be created in your GCP project by default. For example, us-east1.
    • GCP_PROJECT_ID: The GCP Project ID that you are onboarding
  4. Run terraform init && terraform apply.

  5. After deploying, validate that CSPM is working.

Organization

  1. In a terminal window, ensure you are authenticated to the GCP project in which you would like to set up Identity Federation. (See the Hashicorp documentation for details about Identity Federation.)

    You can authenticate using the GCP CLI by running:

    gcloud auth application-default login

  2. Save the following to a file named main.tf on your local machine:

    terraform {
      required_providers {
        sysdig = {
          source = "sysdiglabs/sysdig"
        }
      }
    }
    
    provider "sysdig" {
      sysdig_secure_url       = "<SYSDIG_URL>"
      sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
    }
    
    
    provider "google" {
      project = "<GCP_PROJECT_ID>"
      region  = "<GCP_REGION>"
    }
    
    provider "google-beta" {
      project = "<GCP_PROJECT_ID>"
      region  = "<GCP_REGION>"
    }
    
    # Agentless CSPM module using Workload Identity Federation for the whole organization
    module "sysdig-sfc-agentless" {
      source              = "sysdiglabs/secure-for-cloud/google//modules/services/cloud-bench-workload-identity"
      organization_domain = "<GCP_ORG_DOMAIN>"
      project_id          = "<GCP_PROJECT_ID>"
    }
    
  3. Replace the following placeholders in main.tf:

    • SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
      • US East: https://secure.sysdig.com
      • US West: https://us2.app.sysdig.com
      • European Union: https://eu1.app.sysdig.com
    • SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
    • GCP_PROJECT_ID: The GCP Project ID where Identity Federation resources will be created
    • GCP_REGION: This is the region where resources will be created in your GCP project by default. For example, us-east1.
    • GCP_ORG_DOMAIN: The domain of the GCP organization you are onboarding
  4. Apply the Terraform by running terraform init && terraform apply.

  5. After deploying, validate that CSPM is working.
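Both the single-project and organization main.tf files above keep the Sysdig API token as a literal in the file, so it ends up in version control alongside the rest of the configuration. The following is an added example (not the Sysdig docs' own snippet) that rewrites the single-project file with Terraform input variables, marking the token sensitive so it is redacted from plan and apply output and supplied through the environment instead; the variable names (sysdig_url, sysdig_api_token, gcp_project_id, gcp_region) are assumptions, and the provider attributes and module source are the ones the page uses.

```hcl
# Added example: variables instead of placeholders, with the API token kept out of main.tf.
terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

variable "sysdig_url" {
  type = string
  validation {
    # Only the Sysdig Secure regional endpoints listed on this page are accepted.
    condition = contains([
      "https://secure.sysdig.com",
      "https://us2.app.sysdig.com",
      "https://eu1.app.sysdig.com",
    ], var.sysdig_url)
    error_message = "sysdig_url must be one of the Sysdig Secure regional endpoints."
  }
}

variable "sysdig_api_token" {
  type      = string
  sensitive = true # redacted in plan/apply output; set via TF_VAR_sysdig_api_token
}

variable "gcp_project_id" { type = string } # project being onboarded
variable "gcp_region"     { type = string } # e.g. us-east1

provider "sysdig" {
  sysdig_secure_url       = var.sysdig_url
  sysdig_secure_api_token = var.sysdig_api_token
}

provider "google" {
  project = var.gcp_project_id
  region  = var.gcp_region
}

provider "google-beta" {
  project = var.gcp_project_id
  region  = var.gcp_region
}

# Same agentless CSPM module as the page's single-project snippet; for the
# organization variant, swap the source to the cloud-bench-workload-identity
# module and add organization_domain, as shown in the Organization steps above.
module "sysdig-sfc-agentless" {
  source     = "sysdiglabs/secure-for-cloud/google//modules/services/cloud-bench"
  project_id = var.gcp_project_id
}
```

Export the token as TF_VAR_sysdig_api_token (and the other values as TF_VAR_sysdig_url, TF_VAR_gcp_project_id, TF_VAR_gcp_region) before running terraform init && terraform apply. Note that sensitive only affects CLI output: the token is still written in plaintext to the Terraform state, so store that state in a backend with restricted access.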

Validate

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

Check CSPM

Inventory: Select the Inventory module and add the filter project =, then check for your GCP cloud account in the drop-down.

Check CDR

Policies: Select Policies > Runtime Policies and filter for GCP to confirm that GCP-specific managed policies are listed and enabled.

Events: Select Events > Cloud Events and filter for Platform in GCP.

Available on GCP

Agentless CSPM

Resources Created

  • google_iam_workload_identity_pool

  • google_iam_workload_identity_pool_provider

  • google_project_iam_custom_role

  • google_project_iam_member

  • google_service_account

  • google_service_account_iam_binding

Threat Detection and Response

Resources Created

  • google_cloud_run_service
  • google_cloud_run_service_iam_member
  • google_eventarc_trigger
  • google_logging_organization_sink
  • google_logging_project_sink
  • google_project_iam_member
  • google_pubsub_subscription
  • google_pubsub_subscription_iam_member
  • google_pubsub_topic
  • google_pubsub_topic_iam_member
  • google_secret_manager_secret
  • google_secret_manager_secret_iam_member
  • google_secret_manager_secret_version
  • google_service_account
  • google_service_account_iam_binding