Installation
The GCP integration is deployed using Terraform on Google Cloud Run.
It uses our Terraform Ocean Integration Factory module to deploy the integration.
Infrastructure
The Google Cloud integration uses the following GCP infrastructure:
- GCP Cloud Run
- GCP Pub/Sub Topic & Subscription
- GCP Roles & Service Accounts
- GCP Cloud Assets
- GCP Cloud Asset Inventory
- GCP Cloud Asset Feed (used for real-time data sync to Port)
Prerequisites
Artifact Registry Image
In order to run the Cloud Run service, it's mandatory to have a working image. Currently our GHCR-based images aren't supported by Google Cloud's Cloud Run platform, so a manual push to Docker Hub or Artifact Registry is required. This guide uses the Artifact Registry approach, but a similar Docker Hub approach should yield the same results:
- Create an Artifact Registry repository in GCP.
- Pull our AMD64-based image from our GHCR registry:
  docker pull ghcr.io/port-labs/port-ocean-gcp --platform amd64
- Tag this image:
  docker tag ghcr.io/port-labs/port-ocean-gcp:latest <your_artifact_registry_/_dockerhub>/port-ocean-gcp:<your_version>
- Push the image to your Artifact Registry:
  docker push <your_artifact_registry_/_dockerhub>/port-ocean-gcp:<your_version>
Permissions
In order to successfully deploy the GCP integration, it's crucial to ensure that the user who deploys the integration in the GCP Organization has the appropriate access permissions.
The installation process also creates an integration-specific service account. Note that the permissions required here for the deploying user are not the same as the permissions that the integration's service account has.
- The user can have the Owner GCP role assigned for the Organization that the integration will be deployed on. This role provides comprehensive control and access rights.
- For a more limited approach, the user should possess the minimum necessary permissions required to carry out the integration deployment. These permissions will grant the user access to specific resources and actions essential for the task without granting full Owner privileges. The following steps will guide you through the process of creating a custom role and assigning it to the user along with other required roles:
  - Create a service account in a project.
  - Create a custom organization role with these permissions:
    Custom Role Permissions
    cloudasset.assets.exportResource
    cloudasset.feeds.create
    cloudasset.feeds.delete
    cloudasset.feeds.get
    cloudasset.feeds.list
    cloudasset.feeds.update
    iam.roles.create
    iam.roles.delete
    iam.roles.get
    iam.roles.undelete
    iam.roles.update
    iam.serviceAccountKeys.get
    iam.serviceAccounts.actAs
    iam.serviceAccounts.create
    iam.serviceAccounts.delete
    iam.serviceAccounts.get
    pubsub.subscriptions.consume
    pubsub.subscriptions.create
    pubsub.subscriptions.delete
    pubsub.subscriptions.get
    pubsub.subscriptions.list
    pubsub.subscriptions.update
    pubsub.topics.attachSubscription
    pubsub.topics.create
    pubsub.topics.delete
    pubsub.topics.get
    pubsub.topics.list
    pubsub.topics.update
    resourcemanager.organizations.getIamPolicy
    resourcemanager.organizations.setIamPolicy
    run.operations.get
    run.services.create
    run.services.delete
    run.services.get
    serviceusage.services.use
  - Go to the Manage Resources window in your organization's GCP console.
  - Click on the Organization.
  - At the right side, click on Add Principal.
  - Here, enter your new service account principal and grant it your newly created role.
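As an added example (not Port's or the Terraform module's own code), the custom-role steps above scripted with gcloud: it creates the deployer service account, defines the organization-level custom role from the permission list on this page, and binds the account to that role. ORG_ID, PROJECT_ID, SA_NAME and ROLE_ID are assumed placeholders; gcloud is called only when APPLY=1, otherwise the script does a dry run that lists the permissions worth reviewing before granting.

```shell
#!/bin/sh
# Added example (not Port's code): build the least-privilege deployer identity described
# above with gcloud. ORG_ID, PROJECT_ID, SA_NAME and ROLE_ID are assumed placeholders;
# the permission list is the page's "Custom Role Permissions". gcloud runs only if APPLY=1.
set -eu

ORG_ID="${ORG_ID:-123456789012}"              # constructed placeholder organization ID
PROJECT_ID="${PROJECT_ID:-ocean-deploy-proj}" # assumed project that hosts the account
SA_NAME="${SA_NAME:-ocean-gcp-deployer}"      # assumed service-account name
ROLE_ID="${ROLE_ID:-oceanGcpDeployer}"        # assumed custom role ID

PERMS="
cloudasset.assets.exportResource cloudasset.feeds.create cloudasset.feeds.delete
cloudasset.feeds.get cloudasset.feeds.list cloudasset.feeds.update
iam.roles.create iam.roles.delete iam.roles.get iam.roles.undelete iam.roles.update
iam.serviceAccountKeys.get iam.serviceAccounts.actAs iam.serviceAccounts.create
iam.serviceAccounts.delete iam.serviceAccounts.get
pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete
pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update
pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete
pubsub.topics.get pubsub.topics.list pubsub.topics.update
resourcemanager.organizations.getIamPolicy resourcemanager.organizations.setIamPolicy
run.operations.get run.services.create run.services.delete run.services.get
serviceusage.services.use
"
permission_count() { set -- $PERMS; echo "$#"; }                 # 35 on this page

# Comma-joined form expected by `gcloud iam roles create --permissions`.
permissions_csv() { ( set -- $PERMS; IFS=,; printf '%s\n' "$*" ); }

# Entries that deserve review before granting: org-level setIamPolicy can rewrite any
# organization binding, and actAs / serviceAccountKeys give control over other identities.
high_risk_permissions() {
  printf '%s\n' $PERMS | grep -E 'setIamPolicy$|serviceAccounts\.actAs$|serviceAccountKeys\.'
}

apply() {
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Port Ocean GCP deployer"
  gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --stage=GA \
    --title="Port Ocean GCP deployer" --permissions="$(permissions_csv)"
  gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="organizations/$ORG_ID/roles/$ROLE_ID"
}

if [ "${APPLY:-0}" = 1 ]; then
  apply
else
  echo "dry run: $(permission_count) permissions; review these first:"; high_risk_permissions
fi
```

Because resourcemanager.organizations.setIamPolicy lets the holder change any organization-level binding, protect this deployer account as carefully as an Owner.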
Installation walkthrough
If you prefer not to have the integration fetch all the organization's projects, you can specify a list of projects using the projects variable in the Terraform module. The integration will then pull resources exclusively from these projects, ignoring all others.
- Go to Port's Data Sources and click on GCP.
- Edit and copy the installation command.
- Run the command in your terminal to deploy the GCP integration.
Further Examples
Refer to the examples page for practical configurations and their corresponding blueprint definitions.