
Google Cloud


Last updated 1 month ago


Overview

For GCP, integration is done through a Service Account. In Firefly, choose Add New > Google Cloud. You have two choices: using a service account key or using Terraform. Using a service account key is straightforward: you create a service account in GCP with the required read-only roles (like Viewer and maybe Storage Object Viewer for state files), then create and download a JSON key for that account. In Firefly, you upload this JSON key. Firefly will then use it to call Google APIs and list resources across your project. Make sure the service account has access to all the GCP projects you want to manage (this might mean using an organization-level account or repeating integration per project). If using Terraform, Firefly provides a Terraform script that sets up a service account and the roles, eliminating manual steps. After integration, Firefly scans GCP resources (Compute, Cloud SQL, GKE, etc.). Firefly also supports event-driven updates via Pub/Sub notifications from Cloud Audit logs if configured, but otherwise relies on periodic scanning and daily refresh.

One nice feature: Firefly can discover multiple GCP projects under one integration if the service account is given organization-level viewer rights. If you prefer to integrate each project separately, use separate service accounts or keys for isolation. In the Firefly UI, each integration will be listed by the project or alias name you give.

Integration Methods

Use one of these procedures to allow Firefly to monitor your Google Cloud account:

Service Account Key

Creating a service account

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts and select + CREATE SERVICE ACCOUNT.

  2. Enter the Service account details, and select CREATE AND CONTINUE.

  3. Add the roles below:

    • roles/viewer

    • roles/iam.securityReviewer

    • roles/logging.configWriter (only needed for event-driven integration)

    • roles/storage.objectViewer, restricted by an IAM condition to objects whose name ends with tfstate

    To add the tfstate condition that enables Firefly to scan only files with a tfstate suffix:

    1. Select + ADD IAM CONDITION

    2. Enter the Title and Condition type > Resource > Name

    3. Operator > Ends with

    4. Under Value, enter tfstate > SAVE > DONE

  4. At the organization level, create a custom role that allows Firefly to discover the project folder tree. Attach this role to your service account:

    1. Select your organization level

    2. Select Roles > + CREATE ROLE

    3. Enter a Title and ID

    4. Under Role launch stage, select General Availability

    5. Select + ADD PERMISSIONS and add the permissions below:

      • resourcemanager.folders.get

      • resourcemanager.folders.list

    6. Select ADD > CREATE

    7. Select IAM > GRANT ACCESS

    8. Under New principals, enter the Firefly service account's principal (its email address)

    9. Under Assign roles, select the role you just created > SAVE

  5. At the project level, select Service Accounts and select the Firefly service account

  6. Select the kebab menu (⋮) > Manage keys > ADD KEY > Create new key

  7. Select JSON > CREATE

  8. Selecting CREATE downloads a service account key file

  9. In Firefly, paste or upload the account key file into the Service Account Key field
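The roles, the tfstate IAM condition and the organization-level custom role from the steps above, written as Terraform so the grants can be reviewed and applied repeatably. This is an added example, not the code Firefly's wizard generates; the project ID, organization ID and account ID are placeholders, and the same project-level bindings can be made with google_organization_iam_member instead when Firefly should discover every project in the organization.

```terraform
locals {
  project = "my-gcp-project" # placeholder
  org_id  = "123456789012"   # placeholder
  # roles/logging.configWriter is only needed for event-driven integration
  roles   = ["roles/viewer", "roles/iam.securityReviewer", "roles/logging.configWriter"]
}

resource "google_service_account" "firefly" {
  project      = local.project
  account_id   = "firefly-readonly" # placeholder
  display_name = "Firefly read-only scanner"
}

# Unconditional read-only roles at the project level.
resource "google_project_iam_member" "firefly_roles" {
  for_each = toset(local.roles)
  project  = local.project
  role     = each.value
  member   = "serviceAccount:${google_service_account.firefly.email}"
}

# storage.objectViewer limited to objects whose name ends with "tfstate":
# the same condition the console steps build (Resource > Name > Ends with).
resource "google_project_iam_member" "firefly_tfstate_only" {
  project = local.project
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.firefly.email}"
  condition {
    title      = "tfstate-only"
    expression = "resource.name.endsWith(\"tfstate\")"
  }
}

# Organization-level custom role holding only the two folder permissions,
# so Firefly can walk the folder tree without broader organization access.
resource "google_organization_iam_custom_role" "firefly_folders" {
  org_id      = local.org_id
  role_id     = "fireflyFolderDiscovery"
  title       = "Firefly folder discovery"
  stage       = "GA"
  permissions = ["resourcemanager.folders.get", "resourcemanager.folders.list"]
}

resource "google_organization_iam_member" "firefly_folders" {
  org_id = local.org_id
  role   = google_organization_iam_custom_role.firefly_folders.id
  member = "serviceAccount:${google_service_account.firefly.email}"
}
```

The JSON key is still created in the console (steps 6 to 8) rather than with a google_service_account_key resource, which would leave the private key in the Terraform state file.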

Enabling APIs

To allow Firefly to scan your projects and present your assets in the Inventory, enable the APIs below:

  • Logging API (to enable event-driven integration)

  • Admin SDK API

  • App Engine Admin API

  • BigQuery API

  • Cloud Billing API

  • Cloud Functions API

  • Cloud Scheduler API

  • Cloud Dataproc API

  • Cloud DNS API

  • Cloud Resource Manager API

  • Compute Engine API

  • IAM API

  • Kubernetes Engine API

  • Service Management API

  • Service Usage API

  • Cloud Asset API

  • Google Cloud Memorystore for Redis API

  • Cloud Storage API

  • Groups Settings API

  • Cloud Spanner API

  • Google Cloud Filestore API

  • Recommender API

Discovering multiple projects in this integration

Use the same service account key to simultaneously integrate multiple Google Cloud projects.

  1. Log in to the Google Cloud console

  2. Select IAM & Admin > Service Accounts

  3. Copy the principal of the Service account you created in "Creating a service account" (associated email address)

  4. Select a resource - the desired project you would like to integrate or the organization if you want Firefly to discover all the projects in your organization

  5. Select IAM > GRANT ACCESS

  6. In the New principals field, paste the principal you copied in step 3

  7. In the role field, select the following roles and SAVE:

    • roles/iam.securityReviewer

    • roles/storage.objectViewer (conditional to tfstate suffix)

    • roles/viewer

    • roles/logging.configWriter

  8. To exclude projects under this service account, enter the rules in the Regex rules field

  9. For all integrated projects, verify that the APIs listed under Enabling APIs are enabled

Google Cloud Insights

After integrating your Google Cloud account, we retrieve Google Cloud Insights directly from your projects. These insights identify potential risks in your asset configurations, enhance your security posture, and reveal significant patterns in resource usage. To utilize this feature, verify you have enabled the Recommender API.

Terraform Integration

Before you begin

  • Use Terraform v0.13 or later

  • Install gcloud CLI on your workstation

To verify that you have met these prerequisites, run the following command in your terminal:

gcloud version && terraform init && terraform --version

Procedure

  1. Create a directory for the Terraform file of your Google Cloud Platform project

  2. In the gcloud CLI, run:

    gcloud config set project <PROJECT_NAME>

  3. In Firefly, select Settings > Integrations > + Add New > Google Cloud > Terraform

  4. Copy the Terraform code generated by the wizard, and paste it into a file in the directory you created in step 1

  5. Run the terraform init command in the directory that contains the provided code

  6. Run the terraform apply command

Discovering multiple projects in this integration

  1. Log in to the Google Cloud console

  2. Select IAM & Admin > Service Accounts

  3. Copy the principal of the Service account you created in "Creating a service account" (associated email address)

  4. Select a resource - the desired project you would like to integrate or the organization if you want Firefly to discover all the projects in your organization

  5. Select IAM > GRANT ACCESS

  6. In the New principals field, paste the principal you copied in step 3

  7. In the role field, select the following roles and SAVE:

    • roles/iam.securityReviewer

    • roles/storage.objectViewer (conditional to tfstate suffix)

    • roles/viewer

    • roles/logging.configWriter

  8. To exclude projects under this service account, enter the rules in the Regex rules field

  9. Make sure the APIs listed under Enabling APIs are enabled for all projects you integrated

Scanning for Changes

To discover new assets and IaC stacks, as well as changes in the configuration of your assets and IaC stacks, scan your Google Cloud integration.

Procedure

  1. Select Settings > Integrations > Google Cloud

  2. Select the integration and

  3. To scan for new projects, from the Projects card, select Scan now

  4. To scan each project individually, select the kebab > Scan assets or Scan stacks

  5. To view the changes, after several minutes, go to the Inventory and/or IaC Explorer

The project that was initially integrated is the first one listed in the table. We use this project to discover all subsequent ones, which appear below it.

Warning: Deleting the initial project deletes this integration, including all projects listed in the table.
