Google Cloud

Firefly integrates with Google Cloud to ingest information about your cloud resources into your Firefly Inventory. This enables you to view, manage, and govern Google Cloud assets alongside resources from other cloud providers. You can use Firefly to enforce infrastructure-as-code (IaC) practices and apply policies across your Google Cloud environment, helping ensure compliance, visibility, and best practices at scale.

Google Cloud Insights

After integrating your Google Cloud account, we retrieve Google Cloud Insights directly from your projects. These insights identify potential risks in your asset configurations, enhance your security posture, and reveal significant patterns in resource usage. To utilize this feature, verify you have enabled the Recommender API.

Multiple Projects

Firefly can discover multiple Google Cloud projects under one integration if the service account is given organization-level viewer rights. If you prefer to integrate each project separately, use separate service accounts or keys for isolation. In the Firefly UI, each integration will be listed by the project or alias name you give.

Integration Methods

Use one of these procedures to allow Firefly to monitor your Google Cloud account:

Service Account Key

Creating a service account

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts, and click Create Service Account.

  2. Enter the Service account details, and click Create and Continue.

  3. Add the roles below:

    • roles/viewer

    • roles/iam.securityReviewer

    • roles/logging.configWriter (required only for event-driven integration)

    • roles/storage.objectViewer (restricted by an IAM condition to objects whose name ends in tfstate)

    To add the condition so that Firefly can read only objects whose names end in tfstate:

    1. Click Add IAM Condition.

    2. Enter the Title and Condition type > Resource > Name.

    3. Operator > Ends with.

    4. Under Value, enter tfstate > Save > Done.

  4. At the organization level, create a custom role that lets Firefly discover the project folder tree, and attach it to the service account:

    1. Click your organization level.

    2. Click Roles > Create Role.

    3. Enter a Title and ID.

    4. Under Role launch stage, click General Availability.

    5. Click Add Permissions and add the permissions below:

      • resourcemanager.folders.get

      • resourcemanager.folders.list

    6. Click Add > Create.

    7. Click IAM > Grant Access.

    8. Under New principals, enter the service account's principal (its email address).

    9. Under Assign roles, select the role you just created > Save.

  5. At the project level, click IAM & Admin > Service Accounts and select the Firefly service account.

  6. Click the menu > Manage keys > Add Key > Create new key.

  7. Click JSON > Create.

  8. Selecting Create downloads a JSON key file that contains the service account's private key. This is a long-lived credential: upload it to Firefly, then delete the local copy, and delete or rotate the key under Manage keys if it is ever exposed.

  9. In Firefly, paste or upload the account key file into the Service Account Key field.
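The same setup expressed in Terraform, as an added example that is not Firefly's onboarding module or code from this page. It assumes a configured google provider, an organization ID and project ID supplied as variables, and the names firefly-integration, fireflyFolderReader and tfstate-only, which are illustrative.

```terraform
# Added example (not Firefly's module): Terraform equivalent of the console
# steps above. Assumptions: a configured google provider, var.project_id and
# var.org_id, and an identity allowed to grant project- and organization-level IAM.

variable "project_id" { type = string }
variable "org_id" { type = string }

resource "google_service_account" "firefly" {
  project      = var.project_id
  account_id   = "firefly-integration" # illustrative name
  display_name = "Firefly inventory scanner"
}

# Unconditional project roles from the list above.
resource "google_project_iam_member" "firefly_roles" {
  for_each = toset([
    "roles/viewer",
    "roles/iam.securityReviewer",
    "roles/logging.configWriter", # only needed for event-driven integration
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.firefly.email}"
}

# storage.objectViewer limited to objects whose name ends in "tfstate".
# This is the same condition the console builds with Resource > Name > Ends with.
# For a Cloud Storage object, resource.name is projects/_/buckets/<bucket>/objects/<object>.
resource "google_project_iam_member" "firefly_tfstate_reader" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.firefly.email}"

  condition {
    title       = "tfstate-only"
    description = "Firefly may read only Terraform state objects"
    expression  = "resource.name.endsWith(\"tfstate\")"
  }
}

# Custom organization role so Firefly can walk the folder tree.
resource "google_organization_iam_custom_role" "firefly_folder_reader" {
  org_id  = var.org_id
  role_id = "fireflyFolderReader" # illustrative ID
  title   = "Firefly Folder Reader"
  stage   = "GA"
  permissions = [
    "resourcemanager.folders.get",
    "resourcemanager.folders.list",
  ]
}

resource "google_organization_iam_member" "firefly_folder_reader" {
  org_id = var.org_id
  role   = google_organization_iam_custom_role.firefly_folder_reader.name
  member = "serviceAccount:${google_service_account.firefly.email}"
}

# JSON key, equivalent to Manage keys > Add Key > Create new key > JSON.
# The private key is stored in Terraform state, so the state file is now a secret.
resource "google_service_account_key" "firefly" {
  service_account_id = google_service_account.firefly.name
}

output "firefly_service_account_key_json" {
  value     = base64decode(google_service_account_key.firefly.private_key)
  sensitive = true
}
```

Read the key with `terraform output -raw firefly_service_account_key_json` and paste it into Firefly's Service Account Key field. To have one service account cover every project in the organization, bind the same member with the four roles through google_organization_iam_member instead of google_project_iam_member. The page does not say how Firefly locates state files, so run a scan after applying and confirm the conditional binding is sufficient before tightening further.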

Enabling APIs

To allow Firefly to scan your projects and present your assets in the Inventory, enable the APIs below:

  • Logging API (required only for event-driven integration)

  • Admin SDK API

  • App Engine Admin API

  • BigQuery API

  • Cloud Billing API

  • Cloud Functions API

  • Cloud Scheduler API

  • Cloud Dataproc API

  • Cloud DNS API

  • Cloud Resource Manager API

  • Compute Engine API

  • IAM API

  • Kubernetes Engine API

  • Service Management API

  • Service Usage API

  • Cloud Asset API

  • Google Cloud Memorystore for Redis API

  • Cloud Storage API

  • Groups Settings API

  • Cloud Spanner API

  • Google Cloud Filestore API

  • Recommender API
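Enabling the list above across several projects in one step, as an added example that is not from Firefly or this page. It assumes a configured google provider, a list of project IDs supplied as a variable, and the API service names given in the comments, which are the ones I know for each console label; confirm them against `gcloud services list --available` before applying.

```terraform
# Added example (not Firefly's code): enable the Firefly APIs in every
# integrated project. Assumptions: configured google provider, var.project_ids,
# and the service names below (verify with `gcloud services list --available`).

variable "project_ids" {
  type        = list(string)
  description = "Every project Firefly will scan"
}

locals {
  firefly_apis = [
    "logging.googleapis.com",              # Logging API (event-driven integration)
    "admin.googleapis.com",                # Admin SDK API
    "appengine.googleapis.com",            # App Engine Admin API
    "bigquery.googleapis.com",             # BigQuery API
    "cloudbilling.googleapis.com",         # Cloud Billing API
    "cloudfunctions.googleapis.com",       # Cloud Functions API
    "cloudscheduler.googleapis.com",       # Cloud Scheduler API
    "dataproc.googleapis.com",             # Cloud Dataproc API
    "dns.googleapis.com",                  # Cloud DNS API
    "cloudresourcemanager.googleapis.com", # Cloud Resource Manager API
    "compute.googleapis.com",              # Compute Engine API
    "iam.googleapis.com",                  # IAM API
    "container.googleapis.com",            # Kubernetes Engine API
    "servicemanagement.googleapis.com",    # Service Management API
    "serviceusage.googleapis.com",         # Service Usage API
    "cloudasset.googleapis.com",           # Cloud Asset API
    "redis.googleapis.com",                # Memorystore for Redis API
    "storage.googleapis.com",              # Cloud Storage API
    "groupssettings.googleapis.com",       # Groups Settings API
    "spanner.googleapis.com",              # Cloud Spanner API
    "file.googleapis.com",                 # Filestore API
    "recommender.googleapis.com",          # Recommender API (Google Cloud Insights)
  ]

  # One (project, service) pair per resource instance.
  project_services = {
    for pair in setproduct(var.project_ids, local.firefly_apis) :
    "${pair[0]}/${pair[1]}" => { project = pair[0], service = pair[1] }
  }
}

resource "google_project_service" "firefly" {
  for_each = local.project_services
  project  = each.value.project
  service  = each.value.service

  # Leave the API on if this config is destroyed: other workloads in the
  # project may depend on it, and disabling it would break them.
  disable_on_destroy = false
}

output "enabled_services" {
  value = sort(keys(google_project_service.firefly))
}
```

`terraform plan` against a project that already has some of these APIs enabled shows only the missing ones as additions, which doubles as the "verify the APIs are enabled in every integrated project" check the multi-project procedures call for.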

Discovering multiple projects in this integration

Use the same service account key to simultaneously integrate multiple Google Cloud projects.

  1. Log in to the Google Cloud console.

  2. Click IAM & Admin > Service Accounts.

  3. Copy the principal of the Service account you created in Creating a service account (associated email address).

  4. Select the resource to grant access on: the project you want to integrate, or the organization if Firefly should discover every project in it.

  5. Click IAM > Grant Access.

  6. In the New principals field, paste the principal you copied in step 3.

  7. In the role field, select the following roles and Save:

    • roles/iam.securityReviewer

    • roles/storage.objectViewer (with the tfstate IAM condition)

    • roles/viewer

    • roles/logging.configWriter

  8. To exclude projects that this service account can see, enter matching patterns in the Regex rules field in Firefly.

  9. Verify that the APIs listed under Enabling APIs are enabled in every integrated project.

Terraform Integration

Before you begin

  • Use Terraform v0.13 or later

  • Install gcloud CLI on your workstation

To verify that you fulfilled these prerequisites, run the command in your terminal:

gcloud version && terraform version

Setup Procedure

  1. Create a directory for the Terraform file of your Google Cloud project.

  2. In your terminal, set the project to integrate (use the project ID, not the display name):

    gcloud config set project <PROJECT_ID>

  3. In Firefly, select Settings > Integrations > Add New > Google Cloud > Terraform.

  4. Copy the details created by the wizard, and paste them into the file.

  5. Run:

    terraform init
    terraform plan
    terraform apply

  6. Select Done.

Additional setup instructions and information about the Firefly onboarding Terraform module are available in Firefly Google Cloud Integration.

Discovering multiple projects in this integration

  1. Log in to the Google Cloud console.

  2. Select IAM & Admin > Service Accounts.

  3. Copy the principal of the Service account Terraform created (associated email address).

  4. Select the resource to grant access on: the project you want to integrate, or the organization if Firefly should discover every project in it.

  5. Select IAM > GRANT ACCESS.

  6. In the New principals field, paste the principal you copied in step 3.

  7. In the role field, select the following roles and Save:

    • roles/iam.securityReviewer

    • roles/storage.objectViewer (with the tfstate IAM condition)

    • roles/viewer

    • roles/logging.configWriter

  8. To exclude projects that this service account can see, enter matching patterns in the Regex rules field in Firefly.

  9. Verify that the APIs listed under Enabling APIs are enabled in every integrated project.

Google Cloud Discovery Status

To scan your integration for changes and discover new assets:

Procedure

  1. Select Settings > Integrations > Google Cloud.

  2. Select the integration.

  3. For asset changes, on the integration menu, select Scan Assets.

  4. For IaC stack changes, on the integration menu, select Scan Stacks.

  5. View changes in the Inventory and/or IaC Explorer after several minutes.

The project that was initially integrated is the first one listed in the table. We use this project to discover all subsequent ones, which appear below it.

Warning: Deleting the initial project deletes this integration, including all projects listed in the table.
