GCP

Connect your GCP Projects and Organizations to Sysdig Secure using Terraform. Choose from agent-based or agentless installs depending on your desired functionality.

GCP Installation Options

Full install using the Wizard
This installation option includes:
- Agentless CSPM
- Agent-based Cloud Detection and Response (CDR)
Agentless CSPM Only
This installation option offers a lightweight, agentless install that will only support CSPM.

Prerequisites and Permissions

Installed Applications

Sysdig Secure SaaS with administrator permissions
Terraform must be installed on the machine from which you will deploy the installation code, along with:
- Terraform Google Platform Provider
- Google’s Cloud SDK must be deployed in the environment where you will deploy the installation code.
  For further guidance, see the Hashicorp and Google documentation: Install Terraform; Google Platform Provider; Install the gcloud CLI.

GCP Roles and APIs

A Google Cloud Platform (GCP) account is required for Sysdig Secure’s cloud compute workload deployment, with the following roles and APIs enabled:

Owner role, to create each of the resources specified in the resources list below.
Organization Admin role (for Organizations)
GCP Service APIs enabled:
- For CDR:
  - Cloud Pub/Sub API (pubsub.googleapis.com)
  - Cloud Run API (run.googleapis.com)
  - Eventarc API (eventarc.googleapis.com)
- For Agentless CSPM:
  - Identity and access management API (iam.googleapis.com)
  - IAM Service Account Credentials API(iamcredentials.googleapis.com)
  - Cloud Resource Manager API(cloudresourcemanager.googleapis.com)
  - Security Token Service API (sts.googleapis.com)
  - Cloud Asset API (cloudasset.googleapis.com)
- For Cloud Scanning (optional module):
  - Cloud Pub/Sub API (pubsub.googleapis.com)
  - Cloud Run API (run.googleapis.com)
  - Eventarc API (eventarc.googleapis.com)
  - Secret Manager API (secretmanager.googleapis.com)
  - Cloud Build API (cloudbuild.googleapis.com)
  - Identity and Access Management API ( iam.googleapis.com)

Check API Enablement

Enable the serviceusage.googleapis.com Service API.
This is required to execute the following command:
Execute: gcloud services list --enabled

All the services listed above should be included.

Available Options

Workload Types: Cloudrun, Kubernetes

Full Install using Wizard

To install agentless CSPM and CDR, follow the Wizard Quick Start.

Ensure you are authenticated to the GCP project you would like to connect to in your terminal window. You can authenticate using the GCP CLI by running:
gcloud auth application-default login.
Log in to Sysdig Secure as admin and select Integrations > Data Sources|Cloud Accounts.
Click +Add Account and select GCP. Select which installation method matches your enterprise methods:
- Terraform Single-Account
- Terraform Organizational Account
As prompted, specify the following:
Single Account
- Region of your GCP Project This is the region where resources will be created in your GCP project by default. For example, us-east1.
- Project ID: The GCP Project ID that you are onboarding
Organization
- GCP Region: For example, us-east1. This is the region where resources will be created in your GCP project by default.
- Organization Member Project ID: The GCP project where the workload will be deployed
- Organization Domain: The domain of the GCP organization you are onboarding
The Wizard will auto-populate a code snippet, along with autodetected Sysdig Secure endpoint and Sysdig Secure API token information.
Run terraform init && terraform apply.
After deploying, validate the services are working.

Install Agentless CSPM Only

This method is an alternative to the full installation (above). This method will only support CSPM Compliance.

If you use this method, CDR, CIEM, and Image Scanning will not work.

This installation is manual and can be performed for a single project or organizational project in Terraform.

Single Project

In a terminal window, ensure you are authenticated to the GCP project you would like to connect. You can authenticate using the GCP CLI by running:

gcloud auth application-default login.

Save the following to a file named main.tf on your local machine:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}


provider "google" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

provider "google-beta" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

module "sysdig-sfc-agentless" {
  source     = "sysdiglabs/secure-for-cloud/google//modules/services/cloud-bench"
  project_id = "<GCP_PROJECT_ID>"
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com.
  - US West: https://us2.app.sysdig.com
  - European Union:https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
- GCP_REGION: This is the region where resources will be created in your GCP project by default. For example, us-east1.
- GCP_PROJECT_ID: The GCP Project ID that you are onboarding
Run terraform init && terraform apply.
After deploying, validate that CSPM is working.

Organization

In a terminal window, ensure you are authenticated to the GCP project in which you would like to set up Identity Federation. (See the Hashicorp documentation for details about Identity Federation.)
You can authenticate using the GCP CLI by running:
gcloud auth application-default login.

Save the following to a file named main.tf on your local machine:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_URL>"
  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
}


provider "google" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

provider "google-beta" {
  project = "<GCP_PROJECT_ID>"
  region  = "<GCP_REGION>"
}

module "sysdig-sfc-agentless" {
  source              = "sysdiglabs/secure-for-cloud/google//modules/services/cloud-bench-workload-identity"
  organization_domain = "<GCP_ORG_DOMAIN>"
  project_id          = "<GCP_PROJECT_ID>"
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com
  - US West: https://us2.app.sysdig.com
  - European Union:https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
- GCP_PROJECT_ID: The GCP Project ID where Identity Federation resources will be created
- GCP_REGION: This is the region where resources will be created in your GCP project by default. For example, us-east1.
- GCP_ORG_DOMAIN: The domain of the GCP organization you are onboarding
Apply the Terraform by running terraform init && terraform apply.
After deploying, validate that CSPM is working.

Validate

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

Check CSPM

Inventory: Select the Inventory module and filter for project =. Check for your GCP cloud account in the drop-down.

Check CDR

Policies: Select Policies > Runtime Policies and filter for GCP to confirm that GCP-specific managed policies are listed and enabled.

Events: Select Events > Cloud Events and filter for Platform in GCP

Available on GCP

Agentless CSPM

Resources Created

google_iam_workload_identity_pool
google_iam_workload_identity_pool_provider
google_project_iam_custom_role
google_project_iam_member.
google_service_account.
google_service_account_iam_binding

Threat Detection and Response

Resources Created

google_cloud_run_service
google_cloud_run_service_iam_member
google_eventarc_trigger
google_logging_organization_sink
google_logging_project_sink
google_project_iam_member
google_pubsub_subscription
google_pubsub_subscription_iam_member
google_pubsub_topic
google_pubsub_topic_iam_member
google_secret_manager_secret
google_secret_manager_secret_iam_member
google_secret_manager_secret_version
google_service_account
google_service_account_iam_binding

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.