This page describes how to configure Forseti Inventory. Forseti Inventory collects and stores information about your Google Cloud Platform (GCP) resources. Forseti Scanner and Enforcer use Inventory data to perform operations.
To run Forseti, you'll need to set up your configuration file. See the detailed guide for a default Forseti installation that can be used in a production environment.
See the optional settings below to customize your inventory, and view the full list of module inputs to see all of the available options and their default values.
You must set the composite_root_resources variable in your main.tf if you want to run Forseti on a non-organizational root, or on one or more resources from the GCP resource hierarchy (organizations, folders and projects) in any combination. The composite_root_resources configuration does not support G Suite and Explain at this time.
Description: A list of root resources that Forseti will monitor. Can contain one or more resources from the GCP Resource Hierarchy in any combination (see https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy).
The IAM policy of every listed resource must grant the appropriate IAM permissions to the Forseti service account before that resource can be included in the inventory; verify the grants on each root before adding it, since a root the service account cannot read contributes nothing to the inventory.
Resources can exist in multiple organizations.
Additional configuration settings allow you to finely tune the inventory process for your organization. The default values are set up based on the default quota that all organizations get in Google Cloud Platform, and to ensure the greatest breadth of resources and policies is covered by the inventory.
Description: The maximum number of calls we can make to each API per period. The resulting rate should be about 10% lower than the maximum allowed API quota, to leave room for retries.
While most APIs list their quota as calls per 100 seconds, the rate limiter used by Forseti is most accurate over a 1 to 2 second time period, so the quota is converted to a per-second figure.
For example, to calculate the values of max_calls and period for a theoretical API that has a quota of 500 calls per 100 seconds, use the following formula:
max_calls = 500 / 100 = 5 (5 calls per period)
period = 1.0 / 0.9 = 1.11, rounded to the nearest tenth = 1.1 (10% overhead)
Check: 5 calls every 1.1 seconds is about 4.5 calls per second, or roughly 455 calls per 100 seconds, which sits about 9% under the 500-call quota.
The default values are based on the default quota that all projects get for GCP APIs; however, large organizations may request quota increases through the Cloud Console to reduce the time it takes to complete an inventory.
Set the admin_max_calls variable in your main.tf.
Set the admin_period variable in your main.tf.
Run terraform plan to see the infrastructure plan.
Run terraform apply to apply the infrastructure build.
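The following main.tf is an added example that ties together the composite_root_resources setting described above and the admin_max_calls / admin_period values derived from the quota formula; it is not taken from this page or from the Forseti project. The module source, the required arguments (project_id, org_id, domain) and all resource IDs are assumptions and placeholders; the three variable names are the ones this page refers to. Terraform locals carry the quota arithmetic so the rate limits are derived from the documented quota rather than hand-typed.

```hcl
# Added example main.tf (not the Forseti project's own code).
# Assumptions: the module source below, the required project_id/org_id/domain
# arguments, and every ID, which is a placeholder.

locals {
  # Quota for the Admin API as listed in the Cloud Console (calls per 100 seconds).
  admin_api_quota_per_100s = 500

  # max_calls = quota / 100 -> calls allowed per period (500 / 100 = 5)
  admin_max_calls = floor(local.admin_api_quota_per_100s / 100)

  # period = 1.0 / 0.9, rounded down to the nearest tenth -> 1.1 seconds,
  # which leaves roughly 10% of the quota free for retries.
  admin_period = floor((1.0 / 0.9) * 10) / 10
}

module "forseti" {
  source = "terraform-google-modules/forseti/google" # assumed module source

  project_id = "forseti-host-project" # placeholder
  org_id     = "123456789012"         # placeholder
  domain     = "example.com"          # placeholder

  # Inventory roots: any mix of organizations, folders and projects.
  # Each root must already grant the Forseti service account the required
  # IAM roles; a root it cannot read contributes nothing to the inventory.
  composite_root_resources = [
    "organizations/123456789012",  # placeholder IDs
    "folders/234567890123",
    "projects/standalone-project-id",
  ]

  # Derived above: 5 calls per 1.1-second period.
  admin_max_calls = local.admin_max_calls
  admin_period    = local.admin_period
}
```

After saving the file, run terraform plan and confirm that the planned Forseti configuration shows admin_max_calls = 5 and admin_period = 1.1 and lists exactly the roots you intended before running terraform apply; if you later raise the Admin API quota in the Cloud Console, change only admin_api_quota_per_100s and the limits follow.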