This page lists the steps to set up Config Validator Scanner.
In your main.tf file, set the config_validator_enabled variable in the Forseti Terraform module to "true":

module "forseti" {
  source     = "terraform-google-modules/forseti/google"
  project_id = "PROJECT_ID"
  org_id     = "ORG_ID"
  domain     = "DOMAIN"
  ...

  # Enables the Config Validator scanner on the Forseti server.
  config_validator_enabled = "true"

  # Optional: set these only to pin a specific Config Validator image or tag.
  config_validator_image     = "CONFIG_VALIDATOR_IMAGE"
  config_validator_image_tag = "CONFIG_VALIDATOR_IMAGE_TAG"
}
Note: config_validator_violations_should_notify is set to "true" by default. config_validator_image and config_validator_image_tag should be set only when you want to use a specific Config Validator image or tag. Default values can be found here. Please reach out to the Forseti Security Team to confirm that the specific Config Validator image/tag you want to use is supported.

Apply the Terraform module:

terraform apply
At this point, you are ready to add your own constraints in your policy-library and start scanning your infrastructure for violations based on them. The Forseti project offers a great list of sample constraints you can use freely to get started.
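The following is an added example of a constraint you could put in your policy-library; it is not from the original page and not one of the project's own sample constraints. It assumes that the GCPStorageLocationConstraintV1 template from the policy-library is present in your policy-library checkout; the constraint name, the allowed locations and the exemption list are illustrative values.

```yaml
# Added example constraint (not from the original page or the policy-library
# samples). Assumes the GCPStorageLocationConstraintV1 template is present in
# your policy-library; the name, locations and exemptions are illustrative.
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageLocationConstraintV1
metadata:
  name: restrict-bucket-locations
spec:
  severity: high
  match:
    # Applies to every resource under the organization; narrow the target to
    # a specific folder or project subtree to limit the constraint's scope.
    target: ["organization/*"]
  parameters:
    # "allowlist": only buckets in the listed locations are compliant.
    # Older versions of the template spell this value "whitelist".
    mode: "allowlist"
    locations:
      - us-east1
      - us-central1
    # Full resource names of buckets exempt from this constraint (assumed example).
    exemptions:
      - "//storage.googleapis.com/legacy-bucket-name"
```

By convention, constraints live under policies/constraints and templates under policies/templates in the policy-library; a constraint whose kind has no matching template in that directory is not evaluated, so after adding one, check the Config Validator logs for loading errors before relying on the scan results.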
You can provide policies to the Forseti Server in two ways:
config-validator.

All Logs from the Forseti Server VM are shown by default. Change the log filter by selecting forseti from the drop-down menu to view Forseti logs. Similarly, select gcplogs-docker-driver to view the Docker logs for the config-validator and git-sync services.

On the Forseti Server VM, check the status of the config-validator service with:

sudo systemctl status config-validator