Setup - Google Cloud

Note

Looking for Azure setup instructions? To get started with Fugue on Microsoft Azure, see Setup - Azure & Azure Government.

Looking for Amazon Web Services instructions? To get started with Fugue on AWS, see Setup - AWS & AWS GovCloud.

Ready to create a Fugue environment? An environment represents cloud infrastructure configuration in a provider account – in this case, Google Cloud. Fugue surveys the resource configuration in an environment and reports whether the infrastructure is compliant with the selected compliance standards.

Tip

In a hurry? For an even quicker setup guide, see Get Started in 5 Minutes.

To learn more about the basics of using Fugue, see Fugue 101.

Sign Up for Fugue

Before you can create an environment, you’ll need to sign up for a free account with Fugue. (You’ll start off with a free Enterprise trial, which gives you access to all of Fugue’s features; after 30 days, you’ll be transitioned to the free-forever Developer plan if you choose not to upgrade.)

Once you’re all signed up and logged in, select the Define New Environment button:

Step 1: Setup (Name, Provider)

In the first step of creating an environment, you name it and specify your cloud provider.

  1. Name your environment.

  2. Select Google as the cloud provider.

  3. Select Continue.

Step 2: Settings (Enable Google Service APIs & Create a Service Account)

Note

If at any point you want to change something, you can select “Back” at the bottom of the page to return to the previous step, or “Edit” in the sidebar next to the desired step to return to that step.

Note

If you want to add a Google organization, refer to Adding a Google Organization.

Step 2 has two parts, which we’ll detail next:

2a. Enable the Service APIs required to scan your project’s resources.

2b. Create a Service Account.

Enable Google Service APIs

  1. Log in to the Google Cloud project you would like Fugue to scan.

  2. In the top-right, select Activate Cloud Shell.

  3. In the Cloud Shell, run the following command:

gcloud services enable bigquery.googleapis.com \
  bigquerydatatransfer.googleapis.com \
  cloudkms.googleapis.com \
  compute.googleapis.com \
  container.googleapis.com \
  dns.googleapis.com \
  iam.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  redis.googleapis.com \
  sqladmin.googleapis.com

Note

This step is needed to enable the Service APIs required to scan your project’s resources.

Create a Service Account

Fugue securely scans your resources by impersonating a properly permissioned service account and generating short-lived credentials.

Note

If you want to add a Google Organization-level Service Account, refer to Adding a Google Organization-level Service Account for more information.

  1. In the Cloud Shell, run the command shown in Fugue under Create a Service Account. It will look something like this:

Warning

This is example code that will differ from yours. Fugue will generate code for you.

service_account=$(gcloud iam service-accounts create fugue-tests \
  --display-name "Fugue service account" \
  --description "Service account used by Fugue to scan project" \
  --format="value(email)") && project_name=$(gcloud config get-value project) && \
gcloud projects add-iam-policy-binding ${project_name} \
  --member serviceAccount:${service_account} \
  --role roles/iam.securityReviewer \
  --format none --condition None && \
gcloud projects add-iam-policy-binding ${project_name} \
  --member serviceAccount:${service_account} \
  --role roles/viewer \
  --format none --condition None && \
gcloud iam service-accounts add-iam-policy-binding ${service_account} \
  --member serviceAccount:fugue-scanner@fugueco.iam.gserviceaccount.com \
  --role roles/iam.serviceAccountTokenCreator \
  --format none --condition None && \
echo "Your service account email: ${service_account}"

  2. Back in the Fugue environment setup, enter the returned email address of the created service account.

  3. Click Continue.

Note

It can take Google 60 seconds or more to create your service account. If you try to use a service account immediately after you create it and receive an error, wait at least 60 seconds and try again. Refer to Creating a service account for more information.
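As an added example (not Fugue's code), the following Python script audits the bindings the command above creates, reading the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` print: the scanner account should hold only roles/viewer and roles/iam.securityReviewer on the project, and only fugue-scanner@fugueco.iam.gserviceaccount.com should be able to mint tokens for it. The sample policies, the project name and the user alice@example.com are constructed; the expected role set is a parameter so the organization-level binding list later on this page can be checked the same way.

```python
import json

# Roles the setup above grants the scanner account on the project; pass a
# different set to check the organization-level variant (Browser, Folder
# Viewer, Organization Viewer, ...).
EXPECTED_PROJECT_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}
# Roles on the service account itself that let a principal act as it.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator",
                       "roles/iam.serviceAccountUser",
                       "roles/iam.serviceAccountKeyAdmin", "roles/owner"}
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"


def roles_for(policy, member):
    """Every role a policy grants directly to `member`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_scanner_bindings(project_policy, sa_policy, sa_email, scanner_member,
                           expected_roles=EXPECTED_PROJECT_ROLES):
    """Return findings as strings; an empty list means the bindings match the setup."""
    findings = []
    sa_member = f"serviceAccount:{sa_email}"
    granted = roles_for(project_policy, sa_member)
    for role in sorted(expected_roles - granted):
        findings.append(f"missing project role {role} for {sa_email}")
    for role in sorted(granted - expected_roles):
        findings.append(f"extra project role {role} for {sa_email} (scanner needs read-only)")
    # Only Fugue's scanner principal should be able to mint tokens for the account.
    for b in sa_policy.get("bindings", []):
        if b["role"] in IMPERSONATION_ROLES:
            for m in b.get("members", []):
                if not (b["role"] == TOKEN_CREATOR and m == scanner_member):
                    findings.append(f"{m} can impersonate {sa_email} via {b['role']}")
    if TOKEN_CREATOR not in roles_for(sa_policy, scanner_member):
        findings.append(f"{scanner_member} lacks {TOKEN_CREATOR} on {sa_email}")
    return findings


# Constructed sample policies in the shape gcloud prints: the project grants one
# role too many (roles/editor) and a human user can also impersonate the account.
SA_EMAIL = "fugue-tests@my-project.iam.gserviceaccount.com"   # constructed
SCANNER = "serviceAccount:fugue-scanner@fugueco.iam.gserviceaccount.com"
PROJECT_POLICY = json.loads('''{"version": 1, "etag": "BwX", "bindings": [
  {"role": "roles/viewer", "members": ["serviceAccount:%s"]},
  {"role": "roles/iam.securityReviewer", "members": ["serviceAccount:%s"]},
  {"role": "roles/editor", "members": ["serviceAccount:%s"]}]}''' % ((SA_EMAIL,) * 3))
SA_POLICY = json.loads('''{"version": 1, "etag": "BwY", "bindings": [
  {"role": "%s", "members": ["%s", "user:alice@example.com"]}]}''' % (TOKEN_CREATOR, SCANNER))
```

Run it against your own project by replacing the two constructed policies with the output of the two gcloud commands named above; any non-empty result is a binding that the setup did not ask for.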

Step 3: Compliance

  • If you’d like Fugue to evaluate your infrastructure configuration for all compliance standards, ensure “Yes” is selected.

  • If you’d prefer to select the compliance families yourself, click No - select a subset.

Fugue supports the following compliance families for Google environments:

Step 4: Review

  1. Review the details for your environment, including environment name, Service Account, resource types, and compliance standards.

  2. If anything needs to be changed, click Edit next to the appropriate step.

  3. If everything looks good, select the Approve and Begin Scan button. Fugue will create your environment and start to scan your infrastructure.

When the scan is complete, Fugue brings you to your environment’s dashboard, where you can see your compliance state.

Congratulations! You’ve just created a Google environment with Fugue.

Adding a Google Organization-level Service Account

You can use a Google Organization-level Service Account to add multiple projects instead of making a new service account for each project.

Note

You need sufficient permissions within your Google Cloud account to add a Google Organization-level Service Account to Fugue. Refer to Creating and managing organizations for more information.

  1. At the organization level, navigate to Service Accounts > Create Project.

    1. Enter a Project name.

    2. Select the Organization.

    3. Select the Location.

    4. Click Create. Refer to Creating and managing service accounts for more information.

  2. Select the project you created in step 1 and select Create Service Account.

    1. Enter the Service account name.

    2. The Service account ID is automatically generated by Google.

    3. Optionally, enter a Service account description.

    4. Click Create > Done.

    5. In Service Account, select the Service Account you created and select the email address (e.g., superstore@fugueco.iam.gserviceaccount.com).

    6. Select Permissions and click Grant Access.

    7. In the New members field, enter the email address for the Service Account created in Step 2.2.

    8. From the Role drop-down, select Viewer.

    9. Select Add Another Role. From the Role drop-down, select Security Reviewer.

    10. Select Add Another Role. From the Role drop-down, select Service Account Token Creator.

    11. Click Save.

    12. Select Grant Access and in New members, enter fugue-scanner@fugueco.iam.gserviceaccount.com.

    13. From the Role drop-down, select Security Reviewer.

    14. Click Add Another Role. From the Role drop-down, select Service Account Token Creator.

    15. Click Save.

    16. Select Keys > Add Key.

    17. Click Create new key, select JSON or P12, and click Create. See Creating and managing service account keys for more information.

  3. At the organization level, navigate to IAM > select Add.

    1. In the New members field, enter the email address from the service account created in Step 2.2.

    2. From the Role drop-down, select Browser.

    3. Select Add Another Role. From the Role drop-down, select Viewer.

    4. Select Add Another Role. From the Role drop-down, select Security Reviewer.

    5. Select Add Another Role. From the Role drop-down, select Service Account Token Creator.

    6. Select Add Another Role. From the Role drop-down, select Folder Viewer.

    7. Select Add Another Role. From the Role drop-down, select Organization Viewer.

    8. Click Save.

  4. Enable the Cloud Resource Manager API for the Service Account created in Step 2.2.

What’s Next?

Fugue will continue to scan the resource configuration in your environment at regular intervals (and on demand). This is how Fugue detects compliance violations in your infrastructure.

Now that you’ve created an environment, learn how to configure it further in Environment Configuration. If you’d like to learn more about checking compliance state, see Compliance. Or, check out the visualizer for an interactive diagram of your cloud infrastructure.

Google Cloud Support for Regula

Fugue’s open source Regula project supports assessing Google Cloud Terraform templates. Regula utilizes the Open Policy Agent policy engine, which is the same engine that powers Fugue compliance rules. More information is available in the Regula README.