Google Cloud project management

Access the Onboarding wizard

Do the following:

1. In the CloudFlow Settings area, click ONBOARDING.

   On the Onboarding Managment page that opens, click +Onboard.

2. If you are onboarding your first account, click the New Cloud Account button on the welcome page.

3. Otherwise, click the Google Cloud button and click Next.

   The Google Cloud Onboarding wizard appears.

   

4. Select your preferred method to onboard using the Select Onboarding Method dropdown.

   *Automatically syncs changes to projects from Google Cloud to CloudFlow after onboarding.

   Onboarding Method	Description	Automatic sync*
   With script	Uses scripts to onboard Google Cloud resources	Yes
   No script	Onboard Google Cloud resources without using scripts	Yes
   API (single account)	Onboard a single Google Cloud via API	No
   Terraform	Onboard Google Cloud resources using Terraform	Yes

5. Onboard Google Cloud resources using your preferred method:

   To onboard Google Cloud resources | With script

   Do the following:

   1. In the Onboarding wizard for Google Cloud, from the Select Onboarding Method dropdown, select With script to select the onboarding method using scripts.
      

   2. The Google Cloud Projects Onboarding wizard is displayed.

      

   3. In the Access Project ID field, input an Access Project ID using one of the following methods:

      • From the dropdown: Select an existing Google Cloud Project ID to grant access to the Google Cloud resource. CloudFlow will have access to the previous resources and the new resource.

      • Enter a new Access Project ID into the field: The project is used to establish access to the Google Cloud resources.

      Warning: Changing the Access Project ID for an already onboarded organization resets its onboarded data.

   4. (Optional) In the Onboarding resource ID field, enter the ID of the project, folder, or organization root to onboard.

      Note: When this field is left blank, CloudFlow will onboard the project you entered in the Access project ID field.

   5. Complete the onboarding using one of the following methods:

      1. To open a Cloud Shell session directly from the CloudFlow interface:

         1. Click Copy & Launch Shell.

            The Cloud Shell command is automatically copied into the system memory and the browser opens a new tab with the Google Cloud Shell displayed.

            Important: Before clicking Copy & Launch Shell, make sure no Google Cloud Shell terminals are already open to avoid "Billing not found" errors.

         2. Paste the Cloud Shell command from system memory (Ctrl-Shift-V) and press Enter.

            The Authorize Cloud Shell confirmation window appears.

            

         3. Click AUTHORIZE.

            An onboarding script runs in the Cloud Shell. This script creates an access project and automates all the steps necessary to onboard the resource(s) to CloudFlow.

         4. When the script finishes, press Ctrl-D to close the terminal.

            The CloudFlow Onboarding Management page displays the newly onboarded resources.

            Note: It may take up to an hour for Google Cloud to sync with CloudFlow.

      2. (Alternative method) If you don't want to open a Cloud Shell session directly from the CloudFlow interface, you can run bash locally using a proxy:

         1. Click Copy to copy the Cloud Shell command.

            

            Note: The command generates an unreadable script. Expand the example below to see the readable version of the script:

            Example of CloudFlare script

            Copy

            #!/bin/bash
            #Algosec's onboarding URL
            CF_ONBOARDING_URL='https://cloudflow.algosec.com/cloudflow/api/admin/v1/onboarding/gcp'
            #Token
            TOKEN='Bearer XXXX'
            ENV='prod'
            #Define a working project where a service account would be created
            PROJECT_ID='gcp-pm-cf-demo-01'
            PROJECT_ID=($(echo $PROJECT_ID | tr -d '\n'))
            #Define a target project/folder/organization would be onboarded into CloudFlow
            TARGET_RESOURCE='0123456789012'
            TARGET_RESOURCE=($(echo $TARGET_RESOURCE | tr -d '\n'))
            
            SERVICE_ACCOUNT_NAME_PREFIX="cloudflow-sa"
            SERVICE_ACCOUNT_NAME="$SERVICE_ACCOUNT_NAME_PREFIX-$ENV"

         2. Paste and run the script in your alternative shell to complete onboarding the subscription(s).

            The CloudFlow Onboarding Management page displays the newly onboarded resources.

            Note: It may take up to an hour for Google Cloud to sync with CloudFlow.

   To Onboard Google Cloud resources | No script

   Requires CloudFlow read-only access

   You can onboard Google Cloud Projects without using a script if your system does not support using scripts.

   Do the following:

   1. Log in to the https://console.cloud.google.com/ as a user with the following permissions:

      1. Organization Role Administrator or  IAM Role Administrator

      2. Organization Policy Administrator

   2. Enable the required APIs for your project:

      1. Click the project dropdown from the menu and choose your current project in the popup window that opens.

         In this example, the project is called RnD-GCP-Project.

         

      2. Click APIs & Services in the navigation menu.

         

         The APIs & Services page opens.

      3. Click +ENABLE APIS & SERVICES at the top of the screen.

         

         The Welcome to the API Library screen opens.

      4. Search for Compute Engine API and make sure it is enabled.

         

         

      5. Repeat the previous step for

         1. Identity and Access Management (IAM) API

         2. Cloud Storage API

         3. Cloud Resource Manager API

         4. Cloud Logging API

         Note: For a details about required permissions see Permissions required for Google Cloud

   3. Add a Service Account:

      1. Select APIs & Services > Credentials in the navigation menu.

         

         The Credentials screen opens.

      2. Click on +CREATE CREDENTIALS and select Service account from the dropdown list.

         

      3. In the Service account name field enter "CloudFlow-account" and click CREATE AND CONTINUE.

         

      4. Click the Select a role dropdown and scroll to Project with the role Viewer.

         

         Note: For the list of the Viewer role permissions see the Roles ID column in Permissions required for Google Cloud .

      5. Click CONTINUE to save your changes. (Do not click DONE until you see a checkmark next to Grant this service account access to project).

         

      6. Click DONE.

      7. Copy the created Service Account email to use it later in Step 6b.

         

   4. Export the Service Account credentials as a JSON file:

      1. On the Credentials page, click on the Service Account email link for the CloudFlow account.

         

         The CloudFlow account page opens.

      2. Select the KEYS tab. Click ADD KEY, and choose Create new key.

         

         The Create Private Key for CloudFlow-account dialog appears.

      3. Select JSON for Key type and then click CREATE.

         

         The JSON file is downloaded to your computer. You will use this file in Step 8.

         This is an example of the Service Account credentials in a JSON file:

         

         Note: Your browser may block downloading the file. See the URL box for notifications.

   5. Create custom role with required permissions for your organization

      1. Select Roles located under IAM & Admin in the navigation menu.

         

      2. Click the project dropdown from the menu and choose your organization in the popup window that opens.

         

      3. Click +CREATE ROLE. The Create Role screen opens.

      4. Enter the role Title and ID and then click +ADD PERMISSIONS.

         In the example below, Title is "Inherited Policy Viewer" and ID is "InheritedPolicyViewer".

         

         The Add permissions window opens.

      5. In the Enter property name or value field enter compute.firewallPolicies.list.

         

      6. Choose the matching string from the list, click the checkbox to activate it and press ADD.

         

      7. Repeat steps d through f for

         • resourcemanager.folders.get

         • resourcemanager.organizations.get

         • storage.buckets.list

         Note: For a details about required permissions see Permissions required for Google Cloud

      8. Click CREATE to complete the role creation process.

         

   6. Assign the required role to the Service Account:

      1. Select IAM located under IAM & Admin in the navigation menu and then click GRANT ACCESS or ADD.

         

         The Add principals screen opens.

      2. Paste the Service Account email you copied from Step 3g into the New principals field and then choose it from the dropdown.

         

      3. Click Select a role and choose Custom from the Quick access.

      4. In the Roles list on the right side of the dialog window, click on the inherited role name you created in Step 5d.

         

      5. Click SAVE. The policy is updated.

   7. From the CloudFlow GPS Onboarding wizard, from the Select Onboarding Method, select No script.

      

   8. Input the Organization ID and Service Account Key into the appropriate fields. (The Service Account Key is stored in the JSON file that was downloaded in Step 4c.)

   9. Click Onboard to complete the onboarding process.

   To Onboard Google Cloud resources | API (single account)

   You can use API calls to add a single Google Cloud project to CloudFlow.

   Note: Any changes to a project after onboarding are not synced with CloudFlow. To delete one or more manually added accounts, see Delete manually configured subscriptions

   Do the following:

   1. Go to the page Add a cloud account.

   2. Click on the tab For Google Cloud Project.

      

      The instructions for onboarding a Google Cloud Project using API appears.

   3. Follow the instructions on the page.

   To Onboard Google Cloud resources | Terraform

   You can leverage Terraform, the infrastructure-as-code solution, as another option for onboarding your Google Cloud projects into CloudFlow.

   Do the following:

   Integrate the code below into your Terraform toolkit. Make the following parameter value replacements in the Locals section:

   Parameter	Description	Notes
   cf_auth_url	URL to authorize CloudFlow	For US use: https://app.algosec.com/api/algosaas/auth/v1/access-keys/login For EMEA use: https://api.platform.eu.app.algosec.com/api/algosaas/auth/v1/access-keys/login For ANZ use: https://api.platform.anz.app.algosec.com/api/algosaas/auth/v1/access-keys/login
   cf_url	URL to onboard Google Cloud Project	For US use: https://api.cloudflow.us.app.algosec.com/cloudflow/api/admin/v1/onboarding/gcp For EMEA use: https://api.cloudflow.eu.app.algosec.com/cloudflow/api/admin/v1/onboarding/gcp For ANZ use: https://api.cloudflow.anz.app.algosec.com/cloudflow/api/admin/v1/onboarding/gcp
   tenantId	Your CloudFlow Tenant ID
   clientId	Client ID	This is part of Access Key details. In CloudFlow, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
   clientSecret	Client Secret of the API Access Key	This is part of Access Key details. In CloudFlow, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
   organization_id	Organization ID
   project_id	Project ID
   sa_id	Service Account ID

   Copy

   locals {
     cf_auth_url  = "XXXXXXXXXXXXXXXX"
     cf_url       = "XXXXXXXXXXXXXXXX"
     tenantId    = "XXXXXXXXXXXXXXXX"
     clientId = "XXXXXXXXXXXXXXXXX"
     clientSecret    = "XXXXXXXXXXX"
     organization_id = "XXXXXXXXXXXXX"
     project_id = "XXXXXXXXXXX"
     sa_id = "XXXXXXXXXXX"
   }
   
   resource "google_service_account_key" "cf-key" {
       service_account_id = "projects/${local.project_id}/serviceAccounts/${local.sa_id}"
   }
   
   data "http" "cf_auth" {
     url    = local.cf_auth_url
     method = "POST"
     # Optional request headers
     request_headers = {
       Accept = "application/json"
     }
     request_body = jsonencode({ tenantId : local.cf_tenant, clientId : local.cf_client_id, clientSecret : local.cf_secret })
     lifecycle {
       postcondition {
         condition     = contains([200, 201, 204], self.status_code)
         error_message = "Authorization failed"
       }
     }
   }
   
   locals {
     auth_response = jsondecode(data.http.cf_auth.response_body)
     auth_token    = local.auth_response.access_token
   }
   
   data "http" "cf_onboard_account" {
     url    = local.cf_url
     method = "POST"
     # Optional request headers
     request_headers = {
       Accept        = "application/json"
       Authorization = "Bearer ${local.auth_token}"
     }
     request_body = jsonencode({
       data : google_service_account_key.cf-key.private_key,
       organization_id: local.organization_id,
       project_id: local.project_id
     })
   
     lifecycle {
       postcondition {
         condition     = contains([200, 201, 204], self.status_code)
         error_message = "Onboarding process failed"
       }
     }
   }