Google Cloud Platform

Connect CloudyFit to Google Cloud Platform to get real time anomaly detection and remediation. You can follow all your resoures and check alerts in their lifetime.

Prerequisites

GCP integration uses service account impersonation and relies on you having certain roles and APIs enabled. Please ensure the following APIs are enabled for each of the projects you want to monitor:

• Cloud Resource Manager API
• Google Cloud Billing API
• Cloud Monitoring API
• Compute Engine API
• Cloud Asset API
• IAM API

Metric collection

Installation

You can use service account impersonation and automatic project discovery to integrate CloudyFit with Google Cloud Platform. You can assign roles to individual projects, or you can configure CloudyFit to monitor groups of projects by assigning these roles at the organization or folder level. Assigning roles in this way allows CloudyFit to automatically discover and monitor all projects in the given scope, including any new projects that may be added in the group in the future.

1. Create your Google Cloud service account

1. Open your Google Cloud console
2. Navigate to IAM & Admin > Service Accounts.
3. Click on Create service account at the top.
4. Give the service account a unique name: , then click Create and continue.
5. Add the following roles to the service account:
   • Monitoring Viewer
   • Compute Viewer
   • Cloud Asset Viewer
   • Browser
6. Click Continue, then Done to complete creating the service account.

2. Add the CloudyFit principal to your service account

1. In CloudyFit, navigate yo the Integrations > Google Cloud Platform
2. Click on Add a GCP agent. If you have no configured projects, you are automatically redirected to this page.
3. If you have not generated a CloudyFit Agent for your org, click the Generate Agent button.
4. Copy your CloudyFit Agent and keep it for the next section.
5. In Google Cloud console, under the Service Accounts menu, find the service account you created:
6. Go to the Permissions tab and click on Grant Access.
7. Paste your CloudyFit Agent into the New principals text box.
8. Assign the role of Service Account Token Creator and click Save.

3. Complete the integration setup in CloudyFit

1. In your Google Cloud console, navigate to the Service Account > Details tab. There, you can find the email associated with this Google service account. It ressembles <sa-name>@<project-id>.iam.gserviceaccount.com
2. Copy this email.
3. Return to the integration configuration tile in CloudyFit
4. In the box under Add Service Account Email, paste the email previsouly copied.
5. Click on Verify and Save Account.

4. Assign roles to other projects (optional)

Automatic project discovery simplifies the process of adding additional projects to be monitored. If you grant your service account access to other projects, folders, or orgs. CloudyFit discovers these projects (and any projects nested in the folders or orgs) and automatically adds them to your integration tile.

1. Make sure you have the appropriate permissions to assign roles at the desired scope:
   • Project IAM Admin (or higher)
   • Folder Admin
   • Organization Admin
2. In the Google Cloud console, go to the IAM page.
3. Select a project, folder, or organization.
4. To grant a role to a principal that does not already have other roles on the resource, click Grant Access, then enter the email of the service account.
5. Assign the following roles:
   • Compute Viewer
   • Monitoring Viewer
   • Cloud Asset Viewer
6. Click Save.

Resource change collection

Create a Cloud Pub/Sub topic and subscription

Create a topic

1. In the Google Cloud Pub/Sub topics page, click CREATE TOPIC.
2. Give the topic a descriptive name: .
3. Uncheck the option to add a default subscription.
4. Click CREATE.

Create a subscription

1. In the Google Cloud Pub/Sub subscription page, click CREATE SUBSCRIPTION.
2. Enter for the subscription name.
3. Select the Cloud Pub/Sub topic previously created: .
4. Select Pull as the delivery type.
5. Click CREATE.

Grant access

To read this Pub/Sub subscription, the Google Cloud service account used by the integration needs the pubsub.subscriptions.consume permission for the subscription. A default role with minimal permissions that allows this is the Pub/Sub subscriber role. Follow the steps below to grant this role:

1. In the Google Cloud Pub/Sub subscriptions page, click the subscription.
2. In the info panel on the right of the page, click the Permissions tab. If you don't see the info panel, click SHOW INFO PANEL.
3. Click ADD PRINCIPAL.
4. Enter the service account email used by the CloudyFit Agent. You can find your service accounts listed on the left of the Configuration tab in the Google Cloud integration page in CloudyFit.

Create an asset feed

Project

gcloud asset feeds create <FEED_NAME>
--project=<PROJECT_ID>
--pubsub-topic=projects/<PROJECT_ID>/topics/<TOPIC_NAME>
--asset-types=".*"
--content-type="resource"

Updates the placeholder values as indicated:

• <FEED_NAME>: A descriptive name for the Cloud Asset Inventory Feed.
• <PROJECT_ID>: Your Google Cloud project ID.
• <TOPIC_NAME>: The name of the Pub/Sub topic linked with the subscription.

Folder

gcloud asset feeds create <FEED_NAME>
--folder=<FOLDER_ID>
--pubsub-topic=projects/<PROJECT_ID>/topics/<TOPIC_NAME>
--asset-types=".*"
--content-type="resource"

Updates the placeholder values as indicated:

• <FEED_NAME>: A descriptive name for the Cloud Asset Inventory Feed.
• <FOLDER_ID>: Your Google Cloud folder ID.
• <TOPIC_NAME>: The name of the Pub/Sub topic linked with the subscription.

Organization

gcloud asset feeds create <FEED_NAME>
--organization=<ORGANIZATION_ID>
--pubsub-topic=projects/<PROJECT_ID>/topics/<TOPIC_NAME>
--asset-types=".*"
--content-type="resource"

Updates the placeholder values as indicated:

• <FEED_NAME>: A descriptive name for the Cloud Asset Inventory Feed.
• <ORGANIZATION_ID>: Your Google Cloud organization ID.
• <TOPIC_NAME>: The name of the Pub/Sub topic: .