This guide explains how to install Forseti Security on Google Compute Engine.
Before you set up Forseti Security, you will need:
A Google Cloud Shell walkthrough has been set up to make it easy for users who are new to Forseti and Terraform. This walkthrough provides a set of instructions to get a default installation of Forseti set up that can be used in a production environment.
If you are familiar with Terraform and would like to run Terraform from a different machine, you can skip this walkthrough and move onto the How to Deploy section below.
Terraform version 0.12 is required for this module, which can be downloaded from the Terraform website.
In order to run this module you will need to be authenticated as a user that has access to the project and can create/authorize service accounts at both the organization and project levels. To log in to GCP from a shell:
gcloud auth login
In order to execute this module you must have a Service Account with the documented IAM roles assigned and APIs enabled on the Forseti project.
The setup script (as discussed below) will create the Service Account, grant the roles and enable the APIs for you.
Terraform uses an IAM Service Account to deploy and configure resources on behalf of the user. The Service Account and required APIs can be set up automatically with a script provided in the Forseti Terraform GitHub repository. The Service Account and required APIs can also be configured manually by following the instructions documented here. Alternatively, if you are an Org Admin, you can use your own credentials to install Forseti.
git clone --branch modulerelease522 --depth 1 https://github.com/forseti-security/terraform-google-forseti.git
cd terraform-google-forseti
. ./helpers/setup.sh -p PROJECT_ID -o ORG_ID
This will create a service account called cloud-foundation-forseti-<suffix>, assign it the proper roles, and download the service account credentials to ${PWD}/credentials.json.
Utilizing a shared VPC via a host project is supported with the -f flag:
. ./helpers/setup.sh -p PROJECT_ID -f HOST_PROJECT_ID -o ORG_ID
If you are using the Real-Time Enforcer, you will need to generate a service account with a few extra roles. This can be enabled with the -e flag:
. ./helpers/setup.sh -p PROJECT_ID -o ORG_ID -e
Example configurations are included in the examples directory of the Forseti Terraform GitHub repository. You can copy these examples or use the snippet below as a starting point for your own custom configuration.
Create a file named main.tf in an empty directory and copy the contents below into the file.
module "forseti" {
source = "terraform-google-modules/forseti/google"
version = "~> 5.2.0"
gsuite_admin_email = "superadmin@yourdomain.com"
domain = "yourdomain.com"
project_id = "my-forseti-project"
org_id = "2313934234"
config_validator_enabled = "true"
}
Config Validator Scanner is enabled when config_validator_enabled is set to "true".
Forseti provides many optional settings for users to customize for their environment and security requirements.
The default Forseti Server VM machine type and Cloud SQL machine type have been set to n1-standard-8 and db-n1-standard-4 to account for larger GCP environments. These can be changed by providing the server_type and cloudsql_type variables.
View the sample variables here to help you identify and set any customized values.
View the exhaustive list of inputs here to see all of the available options and default values.
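Before initializing Terraform, it is worth confirming the prerequisites above actually hold: a 0.12.x Terraform, an active gcloud login, and a service-account key that is a real key file and is not readable by other users (it carries organization-level IAM permissions). The script below is an added example for this guide, not a script from the Forseti project; it assumes credentials.json was written by helpers/setup.sh into the directory holding main.tf.

```shell
#!/usr/bin/env bash
# Pre-flight checks to run in the main.tf directory before `terraform init`.
# Added example for this guide, not a script from the Forseti project. Assumes
# credentials.json was written by helpers/setup.sh into the current directory.
set -euo pipefail

# Accept only a Terraform 0.12.x banner (first line of `terraform version`).
tf_version_ok() {
  case "$1" in
    "Terraform v0.12."*) return 0 ;;
    *)                   return 1 ;;
  esac
}

# A usable service-account key: readable by us, a service_account JSON
# document, and not readable by group or others.
creds_ok() {
  local f="$1"
  [ -r "$f" ] || return 1
  grep -q '"type": *"service_account"' "$f" || return 1
  [ -z "$(find "$f" \( -perm -g+r -o -perm -o+r \))" ] || return 1
}

# Runs all checks, prints each failure, and returns the number of failures.
preflight() {
  local creds="${1:-credentials.json}" failures=0 banner
  banner="$(terraform version 2>/dev/null | head -n 1 || true)"
  if ! tf_version_ok "$banner"; then
    echo "FAIL: Terraform 0.12.x is required (found: ${banner:-none})"
    failures=$((failures + 1))
  fi
  if ! creds_ok "$creds"; then
    echo "FAIL: $creds is missing, not a service-account key, or readable by other users"
    failures=$((failures + 1))
  fi
  if [ -z "$(gcloud auth list --filter=status:ACTIVE --format='value(account)' 2>/dev/null)" ]; then
    echo "FAIL: no active gcloud account; run 'gcloud auth login'"
    failures=$((failures + 1))
  fi
  [ "$failures" -eq 0 ] && echo "OK: ready for 'terraform init'"
  return "$failures"
}

# Only run the checks when invoked as a script with the key path as argument,
# e.g. ./preflight.sh credentials.json
[ $# -gt 0 ] && preflight "$1"
```

A non-zero exit status means at least one prerequisite is not met; fix it before running terraform init.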
Forseti is ready to be installed! First you will need to initialize Terraform to download any of the module dependencies.
terraform init
The configuration can now be applied which will determine the necessary actions to perform on the GCP project.
terraform apply
Review the Terraform plan and enter yes to perform these actions.
Remember to clean up the service account used to install Forseti, either manually or by running the command:
./scripts/cleanup.sh -p PROJECT_ID -o ORG_ID -s cloud-foundation-forseti-<suffix>
This will deprovision and delete the service account, and then delete the credentials file.
If the service account was provisioned with the roles needed for the real time policy enforcer, you can set the -e flag to clean up those roles as well:
./scripts/cleanup.sh -p PROJECT_ID -o ORG_ID -s cloud-foundation-forseti-<suffix> -e
Now that Forseti has been deployed, you can configure it further by following these additional steps.
View the list of outputs here to identify important resources that have been created by the Forseti installation.