This is a beta release. This product might be changed in backward-incompatible ways and is not subject to any SLA or deprecation policy.
This guide explains how to set up Real-Time Enforcer using Terraform.
Get the latest version of the Forseti Terraform module here.
In your `main.tf` file, include the following Real-Time Enforcer specific modules in the order provided:

- `real_time_enforcer_roles` creates and assigns the custom roles required for Real-Time Enforcer to access and remediate resources.
- `real_time_enforcer_organization_sink` creates and sets up an organization-level logging sink and a Pub/Sub topic to publish to.
- `real_time_enforcer` creates and sets up the necessary resources to run Real-Time Enforcer that are not covered by the first two modules, which include:
```hcl
module "forseti" {
  source                   = "terraform-google-modules/forseti/google"
  project_id               = "${var.project_id}"
  gsuite_admin_email       = "${var.gsuite_admin_email}"
  org_id                   = "${var.org_id}"
  domain                   = "${var.domain}"
  client_instance_metadata = "${var.instance_metadata}"
  server_instance_metadata = "${var.instance_metadata}"
}

module "real_time_enforcer_roles" {
  source = "terraform-google-modules/forseti/google//modules/real_time_enforcer_roles"
  org_id = "${var.org_id}"
  suffix = "${module.forseti.suffix}"
}

module "real_time_enforcer_organization_sink" {
  source            = "terraform-google-modules/forseti/google//modules/real_time_enforcer_organization_sink"
  pubsub_project_id = "${var.project_id}"
  org_id            = "${var.org_id}"
}

module "real_time_enforcer" {
  source                     = "terraform-google-modules/forseti/google//modules/real_time_enforcer"
  project_id                 = "${var.project_id}"
  org_id                     = "${var.org_id}"
  enforcer_instance_metadata = "${var.instance_metadata}"
  topic                      = "${module.real_time_enforcer_organization_sink.topic}"
  enforcer_viewer_role       = "${module.real_time_enforcer_roles.forseti-rt-enforcer-viewer-role-id}"
  enforcer_writer_role       = "${module.real_time_enforcer_roles.forseti-rt-enforcer-writer-role-id}"
  suffix                     = "${module.forseti.suffix}"
}
```
Run `terraform init` to get the modules and plugins.
Ensure the `cloud-foundation-forseti` service account has the following roles:

- roles/iam.organizationRoleAdmin
- roles/logging.configWriter
- roles/pubsub.admin
You can run `./helpers/setup.sh -p <project_id> -o <org_name> -e` to create a service account called `cloud-foundation-forseti`, give it the proper roles, and download it to your current directory.
The script grants the service account the following roles:

- roles/resourcemanager.organizationAdmin
- roles/iam.securityReviewer
- roles/owner
- roles/compute.securityAdmin
- roles/compute.networkAdmin
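Before running `terraform apply`, it is worth confirming that the service account actually holds the roles listed above rather than trusting that the setup script ran cleanly. The following check is an added example and not part of the Forseti module or its helper scripts; it reads an IAM policy in the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` returns (the policy and member name below are constructed) and reports which required roles the account is missing. Bindings carrying an IAM condition are deliberately not counted as grants, since a long-running enforcer should not depend on a role that applies only while a condition holds.

```python
"""Report which of the roles required by the Real-Time Enforcer setup the
cloud-foundation-forseti service account does not hold unconditionally.
Added example, not part of the Forseti Terraform module."""
import json

# Roles the guide lists as required on the cloud-foundation-forseti account.
ENFORCER_ROLES = (
    "roles/iam.organizationRoleAdmin",
    "roles/logging.configWriter",
    "roles/pubsub.admin",
)
# Roles the guide lists as granted by helpers/setup.sh.
FORSETI_BASE_ROLES = (
    "roles/resourcemanager.organizationAdmin",
    "roles/iam.securityReviewer",
    "roles/owner",
    "roles/compute.securityAdmin",
    "roles/compute.networkAdmin",
)


def granted_roles(policy, member):
    """Roles bound to `member` without an IAM condition attached."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:  # conditional grant: not counted
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policy, member, required):
    """Sorted list of `required` roles that `member` lacks unconditionally."""
    return sorted(set(required) - granted_roles(policy, member))


def load_policy(path):
    """Load a policy saved with `gcloud ... get-iam-policy --format=json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample: two enforcer roles held, pubsub.admin only conditionally.
SAMPLE_MEMBER = "serviceAccount:cloud-foundation-forseti@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"version": 3, "etag": "BwExample=", "bindings": [
    {"role": "roles/iam.organizationRoleAdmin", "members": [SAMPLE_MEMBER]},
    {"role": "roles/logging.configWriter", "members": ["user:admin@example.com", SAMPLE_MEMBER]},
    {"role": "roles/pubsub.admin", "members": [SAMPLE_MEMBER],
     "condition": {"title": "temp", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    {"role": "roles/owner", "members": [SAMPLE_MEMBER]},
]}

if __name__ == "__main__":
    print("enforcer roles missing:", missing_roles(SAMPLE_POLICY, SAMPLE_MEMBER, ENFORCER_ROLES))
    print("base roles missing:", missing_roles(SAMPLE_POLICY, SAMPLE_MEMBER, FORSETI_BASE_ROLES))
```

Replace `SAMPLE_POLICY` with `load_policy("org-policy.json")` to check a real export; an empty list for both role sets means the account is ready for `terraform apply`.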
Run `terraform plan` to see the infrastructure plan.

Run `terraform apply` to apply the infrastructure build.