By default, Forseti is designed to be installed with complete organization access, and run with the organization as the root node in the resource hierarchy.
But, you also have the option to run Forseti on a subset of resources:
Inventory, Data Model, and Scanner will be supported for use on this subset of resources, but Explain will not be supported.
1. Run the Forseti Installer. By default, the installer will try to assign org-level roles. If you are not an Org Admin, there will be errors, but you can safely disregard them, as you will manually assign the correct roles later.
2. Edit main.tf and set the composite_root_resources variable to point to the target folder: ["folders/<foo_folder_id>"]. You can use the composite_root_resources configuration to include multiple resources in a single Forseti installation. See Configure Inventory for more details.
3. Save the changes to the main.tf file.
4. Run terraform plan to see the infrastructure plan.
5. Run terraform apply to apply the infrastructure build.

When you run Forseti again, all the resources from the target root will be collected in Inventory and audited.
As an alternative, you can use the composite_root_resources configuration to include one or more resources from the GCP resource hierarchy in a single Forseti installation. See Configure Inventory for more details.
For example: composite_root_resources: ["projects/<foo_project1_id>", "projects/<foo_project2_id>"]
1. Edit main.tf and set the composite_root_resources variable to the target projects: ["projects/<foo_project1_id>", "projects/<foo_project2_id>"].
2. Save the changes to the main.tf file.
3. Run terraform plan to see the infrastructure plan.
4. Run terraform apply to apply the infrastructure build.

When you run Forseti again, all the resources from the target root will be collected in Inventory and audited.
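A malformed or unfilled composite_root_resources entry narrows what Inventory collects and Scanner audits, so it is worth checking the list before running terraform plan, for both the folder and the project procedures above. The following is an added example, not part of the Forseti project: the function names, the accepted ID shapes and the sample main.tf content are assumptions made for illustration.

```python
import re

# Accepted entry shapes (assumption, based on the examples on this page and
# GCP naming rules: numeric organization/folder IDs, project ID or number).
ENTRY_PATTERNS = {
    "organizations": re.compile(r"^\d+$"),
    "folders": re.compile(r"^\d+$"),
    "projects": re.compile(r"^(\d+|[a-z][a-z0-9-]{4,28}[a-z0-9])$"),
}
ASSIGNMENT = re.compile(r"composite_root_resources\s*=\s*\[(.*?)\]", re.DOTALL)

def extract_roots(main_tf_text):
    """Return the quoted strings assigned to composite_root_resources."""
    match = ASSIGNMENT.search(main_tf_text)
    if match is None:
        return []
    return re.findall(r'"([^"]*)"', match.group(1))

def check_roots(roots):
    """Return a list of problems found; an empty list means the roots look sane."""
    problems = []
    if not roots:
        problems.append("composite_root_resources is missing or empty")
    seen = set()
    for entry in roots:
        kind, _, ident = entry.partition("/")
        if "<" in entry or ">" in entry:
            problems.append(f"{entry}: placeholder was not replaced")
        elif kind not in ENTRY_PATTERNS or not ENTRY_PATTERNS[kind].match(ident):
            problems.append(f"{entry}: expected organizations/, folders/ or projects/ plus a valid ID")
        if entry in seen:
            problems.append(f"{entry}: listed more than once")
        seen.add(entry)
    return problems

# Constructed sample: one good folder, one unreplaced placeholder, one typo.
SAMPLE_MAIN_TF = '''
module "forseti" {
  composite_root_resources = [
    "folders/123456789012",
    "projects/<foo_project1_id>",
    "project/my-audit-target",
  ]
}
'''

if __name__ == "__main__":
    for problem in check_roots(extract_roots(SAMPLE_MAIN_TF)):
        print(problem)
```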