This page describes how to configure Forseti Inventory. Forseti Inventory collects and stores information about your Google Cloud Platform (GCP) resources. Forseti Scanner and Enforcer use Inventory data to perform operations.
To run Forseti, you’ll need to set up your configuration file. Please see the detailed guide to get a default installation of Forseti setup that can be used in production environment.
Please see the optional settings below to customize your inventory. View the full list of inputs here to see all of the available options and default values.
You must set composite_root_resources
variable in your main.tf
if you want
to run Forseti on a non-organizational root, or one or more resources from GCP
resource hierarchy (organizations, folders and projects) in any combination.
NOTE: The composite_root_resources
configuration does not support G Suite
and Explain at this time.
composite_root_resources
Description: A list of root resources that Forseti will monitor. Can contain one or more resources from the GCP Resource Hierarchy in any combination. https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy
The IAM policy for all resources must grant the appropriate IAM permissions to the Forseti service account before they can be included in the inventory.
Resources can exist in multiple organizations.
<resource_type>/<resource_id>
.organizations/5678901234
, folders/12345677890
and
projects/9876543210
.gsuite_admin_email
my_gsuite_admin@my_domain.com
.Additional configuration settings allow you to finely tune the inventory process for your organization. The default values are setup based on the default quota that all organizations get in Google Cloud Platform and to ensure the greatest breadth of resources and policies are covered by the inventory.
Description: The maximum calls we can make to each API per second. This should be about 10% lower than the max allowed API quota to allow space for retries.
While most APIs will list their quota as calls per 100 seconds, the rate limiter used by Forseti will be most accurate over a 1 to 2 second time period.
For example, to calculate the values for max_calls and period for a theoretical API that has a quota of 500 calls per 100 seconds, use the following formula:
max_calls = 500/100 = 5 (5 calls per period)
period = 1.0/.9 = 1.11 rounded to nearest tenth = 1.1 (10% overhead)
The default values are based on the default quota all projects get for GCP APIs, however large organizations may request quota increases through the cloud console to reduce the time it takes to complete an inventory.
admin_max_calls
variable in your main.tf
."1"
, "2"
, "100"
.admin_period
variable in your
main.tf
."1.0"
, "1.2"
.admin_disable_polling
variable to "true"
in your main.tf
."true"
, "false"
.inventory_retention_days
"-1"
, "5"
, "10"
.bucket_cai_lifecycle_age
"14"
bucket_cai_location
"us-central1"
cai_api_timeout
"3600"
enable_cai_bucket
"true"
Saving changes:
main.tf
file.terraform plan
to see the infrastructure plan.terraform apply
to apply the infrastructure build.