This page describes the steps to install and deploy Forseti manually on Google Cloud Platform (GCP). It’s best to use the automated installer for an easy and error-free deployment. Use this guide only if you strongly prefer to install Forseti yourself, or if you want to learn about the installation process.
To complete this guide, you will need in-depth knowledge of GCP. For example, you will need to know how to use the gcloud command-line tool and where to bind a service account to a VM in the GCP Console. This guide refers to the installer and deployment templates for specific details of the commands to use.
Create a new project to host Forseti. Forseti is intended to run in its own dedicated project to control access to its highly privileged permissions. Assign a billing account to the project.
Install the required APIs for Forseti Security using the following command:
gcloud services enable <API URI>
| Name | API URI |
|---|---|
| Admin SDK | admin.googleapis.com |
| App Engine Admin | appengine.googleapis.com |
| BigQuery | bigquery-json.googleapis.com |
| Cloud Asset | cloudasset.googleapis.com |
| Cloud Billing | cloudbilling.googleapis.com |
| Cloud IAM | iam.googleapis.com |
| Cloud SQL Administration | sqladmin.googleapis.com |
| Cloud SQL | sql-component.googleapis.com |
| Cloud Storage | storage-api.googleapis.com |
| Compute Engine | compute.googleapis.com |
| Deployment Manager | deploymentmanager.googleapis.com |
| Groups Settings | groupssettings.googleapis.com |
| Kubernetes Engine | container.googleapis.com |
| Resource Manager | cloudresourcemanager.googleapis.com |
| Stackdriver Logging | logging.googleapis.com |
| Service Management | servicemanagement.googleapis.com |
| Service Usage | serviceusage.googleapis.com |
Create a server service account by running the following command:
gcloud iam service-accounts create forseti-server-gcp-####### --display-name forseti-server-gcp-#######
Where ####### is a random alphanumeric unique identifier.
For information about the roles you need to assign to the Forseti server service account, see the server service account.
To install the Forseti Server, follow the steps below:
SSH into the server VM:
gcloud compute --project <YOUR_PROJECT> ssh --zone <YOUR_ZONE> <YOUR_FORSETI_SERVER_NAME>
To become an Ubuntu user, run the following command:
sudo su ubuntu
git clone from the forseti repo,
and check out the latest release
by their tags:
git clone https://github.com/forseti-security/forseti-security.git
git checkout tags/v<version_number>
To install Forseti server and necessary components like Fluentd and Cloud SQL Proxy, follow the setup instructions in the startup-script.
Create the following firewall rules:
# To create firewall rules, you will need the email address of your service account.
# You can get the service account's email address by running command
# gcloud iam service-accounts list
# The email address will be in this format: forseti-server-gcp-#######@PROJECT-ID.iam.gserviceaccount.com
# Create a firewall rule to block out all the ingress traffic.
gcloud compute firewall-rules create forseti-server-deny-all --action DENY --target-service-accounts <SERVICE_ACCOUNT_EMAIL_ADDRESS> --priority 1 --direction INGRESS --rules icmp,udp,tcp
# Create a firewall rule to open only port tcp:50051 within the internal network (ip-ranges - 10.128.0.0/9).
gcloud compute firewall-rules create forseti-server-allow-grpc --action ALLOW --target-service-accounts <SERVICE_ACCOUNT_EMAIL_ADDRESS> --priority 0 --direction INGRESS --rules tcp:50051 --source-ranges 10.128.0.0/9
# Create a firewall rule to open only port tcp:22 (ssh) to all the external traffics from the internet.
gcloud compute firewall-rules create forseti-server-allow-ssh-external --action ALLOW --target-service-accounts <SERVICE_ACCOUNT_EMAIL_ADDRESS> --priority 0 --direction INGRESS --rules tcp:22 --source-ranges 0.0.0.0/0
Forseti server configuration and rule files are configured and stored in Cloud Storage. For more information, see Configuring Forseti.
To integrate G Suite, you’ll need to enable domain-wide delegation in G Suite. For more information, see how to enable G Suite access
To create a Cloud SQL instance, see Creating Instances.
For more information about the specifications needed for the Cloud SQL instance, see the Cloud SQL template.
Create a client service account by running the following command:
gcloud iam service-accounts create forseti-client-gcp-####### --display-name forseti-client-gcp-#######
Where ####### is a random alphanumeric unique identifier.
For information about the roles you need to assign to the Forseti server service account, see the client service account.
To install the Forseti client, follow the steps below:
SSH into the client VM:
gcloud compute --project <YOUR_PROJECT> ssh --zone <YOUR_ZONE> <YOUR_FORSETI_CLIENT_NAME>
Run the following command to become an Ubuntu user:
sudo su ubuntu
git clone from the Forseti repo,
and check out the latest release
by their tags:
git clone https://github.com/forseti-security/forseti-security.git
git checkout tags/v<version_number>
To install the Foresti command-line interface (CLI), follow the setup instructions in the startup-script.
Forseti client configuration files are configured and stored in Cloud Storage. For more information, see Configuring Forseti.