This guide explains how to upgrade your Forseti instance.

For version 2.0.0 and later, we provide upgrade instructions from one minor version to the next minor version. This means that if you want to upgrade from version 2.2.0 to 2.4.0, you should follow the upgrade instructions for version 2.2.0 to 2.3.0 first, and then follow the upgrade instructions for version 2.3.0 to 2.4.0. This keeps each upgrade easier to manage and to test.

Upgrading a 2.0.0 or later deployment with Deployment Manager

If you used the Forseti installer to deploy, the deployment template is in your Cloud Storage bucket for the Forseti instance under the deployment_templates folder. The filename has the format deploy-forseti-{forseti_instance_type}-{hash}.yaml, for example deploy-forseti-server-79c4374.yaml.

1. Review deploy-forseti-server.yaml.in and deploy-forseti-client.yaml.in for any new properties that you need to copy to your previous deployment template. To compare what changed, use the git diff command. For example, to see the diff between v2.1.0 and v2.2.0, run:

   $ git diff v2.1.0..v2.2.0 -- deployment-templates/deploy-forseti-server.yaml.in

2. Edit deploy-forseti-{forseti_instance_type}-{hash}.yaml and update the field forseti-version: under the Compute Engine section to the newest tag. For more information, see the latest release.

3. Run the following update command:

   $ gcloud deployment-manager deployments update DEPLOYMENT_NAME \
       --config path/to/deploy-forseti-{forseti_instance_type}-{HASH}.yaml

4. If you changed the properties in the Compute Engine section of deploy-forseti-{forseti_instance_type}-{hash}.yaml, or the startup script in forseti-instance.py, you need to reset the instance for the changes to take effect:

   $ gcloud compute instances reset COMPUTE_ENGINE_INSTANCE_NAME

   The Compute Engine instance restarts and performs a fresh installation of Forseti. You won't need to SSH to the instance to run the git clone or Python install commands.

Some resources can't be updated in a deployment. If an error says that you can't change a certain resource, you'll need to create a new deployment of Forseti. Learn more about Updating a Deployment.
Upgrading from 2.7.0 to 2.8.0

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.8.0 to check out version v2.8.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-8-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-8-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.8.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-8-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-8-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-8-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-8-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.
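Steps 3 to 8 above, scripted for one instance type, as an added example that is not part of this guide or of the Forseti project's own tooling. It assumes gcloud and gsutil are installed and authenticated, that the template carries the forseti-version field named in this guide, and that the bucket, template, deployment, instance and zone names passed in are placeholders you replace with your own.

```shell
#!/usr/bin/env bash
# Added example (not from the Forseti project): scripts steps 3-8 of the
# Deployment Manager upgrade for one Forseti instance type (server or client).
# Assumes gcloud and gsutil are installed and authenticated; every name passed
# in is a placeholder for your own bucket, template, deployment, VM and zone.
set -eu

# Print the current value of the forseti-version field in a template.
current_forseti_version() {
  grep -E '^[[:space:]]*forseti-version:' "$1" | sed -E 's/.*forseti-version:[[:space:]]*//'
}

# Replace the value of forseti-version in place (indentation kept) and print
# the new value. Fails if the field is missing, so a template that would not
# change the version is never uploaded or applied.
set_forseti_version() {
  local template="$1" tag="$2" tmp
  if ! grep -qE '^[[:space:]]*forseti-version:' "$template"; then
    echo "forseti-version not found in $template" >&2
    return 1
  fi
  tmp="$(mktemp)"
  sed -E "s|^([[:space:]]*forseti-version:[[:space:]]*).*|\1${tag}|" "$template" > "$tmp"
  mv "$tmp" "$template"
  current_forseti_version "$template"
}

# deploy-forseti-server-79c4374.yaml + v2.8.0 -> deploy-forseti-server-79c4374-2-8-0.yaml,
# the naming this guide uses for the versioned local copy.
versioned_template_name() {
  local base="${1%.yaml}" ver
  ver="$(printf '%s' "${2#v}" | tr . -)"
  printf '%s-%s.yaml\n' "$base" "$ver"
}

# Steps 3-8: download, edit, upload, update the deployment, reset the VM.
# Usage: upgrade_instance BUCKET TEMPLATE TAG DEPLOYMENT VM ZONE
upgrade_instance() {
  local bucket="$1" template="$2" tag="$3" deployment="$4" vm="$5" zone="$6" local_copy
  local_copy="deployment-templates/$(versioned_template_name "$template" "$tag")"
  mkdir -p deployment-templates
  gsutil cp "gs://${bucket}/deployment_templates/${template}" "$local_copy"               # step 3
  set_forseti_version "$local_copy" "tags/${tag}"                                          # steps 4-5
  gsutil cp "$local_copy" "gs://${bucket}/deployment_templates/$(basename "$local_copy")"  # step 6
  gcloud deployment-manager deployments update "$deployment" --config "$local_copy"        # step 7
  gcloud compute instances reset "$vm" --zone "$zone"                                      # step 8
}

# Runs only when all six arguments are given, for example:
#   ./upgrade.sh my-forseti-bucket deploy-forseti-server-79c4374.yaml v2.8.0 \
#       forseti-server forseti-server-vm-70ce82f us-central1-c
if [ "$#" -eq 6 ]; then
  upgrade_instance "$@"
fi
```

Run it once with the server template and once with the client template, which is what "repeat steps 3-8 for Forseti client" amounts to.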
Upgrading from 2.8.0 to 2.9.0

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.9.0 to check out version v2.9.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-9-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-9-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.9.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-9-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-9-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-9-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-9-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

Add the scope https://www.googleapis.com/auth/cloudplatformprojects.readonly to the Client ID of your service account, so that the full scope list is:

https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/cloudplatformprojects.readonly

forseti_conf_server.yaml updates:

Inventory

Update the api_quota section to include disable_polling. Set disable_polling to True to disable polling that API for creation of the inventory.

inventory:
  ...
  api_quota:
    ...
    appengine:
      max_calls: 18
      period: 1.0
      disable_polling: False
    ...
    bigquery:
      max_calls: 160
      period: 1.0
      disable_polling: False
    ...
  ...

Update the cai section to include any asset types to exclude from the inventory. Refer here for the full list of assets to exclude. The example below excludes google.appengine.Application and google.compute.InstanceGroup from the inventory.

inventory:
  ...
  cai:
    ...
    asset_types:
      - google.appengine.Application
      - google.compute.InstanceGroup
    ...
  ...

Notifier

Update the violation section to include source_id, where the format is organizations/ORG_ID/sources/SOURCE_ID, to enable the CSCC Beta API. Information here.

Update the resources section to add the External Project Access Scanner:

notifier:
  resources:
    ...
    - resource: external_project_access_violations
      should_notify: true
      notifiers:
        # Email violations
        - name: email_violations
          configuration:
            sendgrid_api_key: {SENDGRID_API_KEY}
            sender: {EMAIL_SENDER}
            recipient: {EMAIL_RECIPIENT}
        # Upload violations to GCS.
        - name: gcs_violations
          configuration:
            data_format: csv
            # gcs_path should begin with "gs://"
            gcs_path: gs://{FORSETI_BUCKET}/scanner_violations

Update rules/group_rules.yaml to enable the following rule:

  - name: Allow my company users and gmail users to be in my company groups.
    group_email: my_customer
    mode: whitelist
    conditions:
      - member_email: '@MYDOMAIN.com'
      - member_email: '@gmail.com'
      # GCP Service Accounts
      # https://cloud.google.com/compute/docs/access/service-accounts
      - member_email: "gserviceaccount.com"
      # Big Query Transfer Service
      - member_email: "@bqdts.google.baggins"
Upgrading from 2.9.0 to 2.10.0

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.10.0 to check out version v2.10.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-10-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-10-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.10.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-10-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-10-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-10-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-10-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

forseti_conf_server.yaml updates:

Inventory

Update the cai section to include the api_timeout field and the newly fetched asset types:

inventory:
  ...
  cai:
    # Timeout in seconds to wait for the exportAssets API to
    # return success.
    # Defaults to 3600 if not set.
    api_timeout: 3600
    # If commented out then all currently supported asset types
    # are exported from Cloud Asset API. The list of default
    # asset types is in
    # google/cloud/forseti/services/inventory/base/cloudasset.py
    #asset_types:
    #   - google.cloud.dataproc.Cluster
    #   - google.cloud.sql.Instance
    #   - google.compute.Project
    #   - google.compute.TargetVpnGateway
    #   - google.compute.VpnTunnel
    #   - google.pubsub.Subscription

Notifier

Update the notifier section to add the email_connector section. Functionality will not change if the email_connector section isn't added, as the code is backward compatible at the moment. The example below shows the configuration for SendGrid.

notifier:
  email_connector:
    name: sendgrid
    auth:
      api_key: {SENDGRID_API_KEY}
    sender: {EMAIL_SENDER}
    recipient: {EMAIL_RECIPIENT}
    data_format: csv

Update the resources section for all the resources to remove the configuration for Email violations:

notifier:
  resources:
    ...
    - resource: iam_policy_violations
      should_notify: true
      notifiers:
        # Email violations
        - name: email_violations
        # Upload violations to GCS.
        - name: gcs_violations
          configuration:
            data_format: csv
            # gcs_path should begin with "gs://"
            gcs_path: gs://{FORSETI_BUCKET}/scanner_violations

Remove the email settings below from the global section, since they now live in email_connector.

global:
  email_recipient: {EMAIL_RECIPIENT}
  email_sender: {EMAIL_SENDER}
  sendgrid_api_key: {SENDGRID_API_KEY}

Update the global section as shown below:

global:
  dummy_key: this_is_just_a_placeholder_see_issue_2486

Update the Forseti server service account role roles/bigquery.dataViewer to roles/bigquery.metadataViewer.
Upgrading from 2.10.0 to 2.11.0

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.11.0 to check out version v2.11.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-11-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-11-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.11.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-11-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-11-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-11-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-11-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

forseti_conf_server.yaml updates:

Scanner

Update the scanners section to include kms_scanner and resource.

scanner:
  ...
  scanners:
    ...
    - name: kms_scanner
      enabled: true
    ...
    - name: resource
      enabled: true
    ...
  ...

Notifier

Update the resources section to include kms_violations and resource_violations.

notifier:
  resources:
    ...
    - resource: kms_violations
      should_notify: true
      notifiers:
        # Email violations
        - name: email_violations
        # Upload violations to GCS.
        - name: gcs_violations
          configuration:
            data_format: csv
            # gcs_path should begin with "gs://"
            gcs_path: gs://{FORSETI_BUCKET}/scanner_violations
    ...
    - resource: resource_violations
      should_notify: true
      notifiers:
        # Email violations
        - name: email_violations
        # Upload violations to GCS.
        - name: gcs_violations
          configuration:
            data_format: csv
            # gcs_path should begin with "gs://"
            gcs_path: gs://{FORSETI_BUCKET}/scanner_violations
    ...
  ...

Update rules/ under your Forseti server GCS bucket to use the KMS scanner.
Update rules/ under your Forseti server GCS bucket to use the Resource scanner.

Upgrading from 2.11.0 to 2.12.0

You can upgrade from 2.11.0 to 2.12.0 using Deployment Manager or Terraform.
Deployment Manager

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.12.0 to check out version v2.12.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-12-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-12-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.12.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-12-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-12-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-12-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-12-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

forseti_conf_server.yaml updates:

Inventory

Update the inventory section to include support for composite_root_resources.

inventory:
  # You must set ONLY one of root_resource_id or
  # composite_root_resources in your configuration. Defining both will
  # cause Forseti to exit with an error.
  ...
  root_resource_id: ROOT_RESOURCE_ID

  # Composite root resources: combine multiple resource roots into a
  # single inventory, for use across all the Forseti modules. Can obtain
  # one or more resources from the GCP Resource Hierarchy in any
  # combination.
  # https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy
  #
  # All resources must grant the appropriate IAM permissions to the
  # Forseti service account before they can be included in the inventory.
  #
  # Forseti Explain is not supported with a composite root at this time.
  #
  # Resources can exist in multiple organizations
  #
  #composite_root_resources:
  #  - "folders/12345"
  #  - "folders/45678"
  #  - "projects/98765"
  #  - "organizations/56789"

Update rules/ in your Forseti server GCS bucket to be able to use the four new use cases that have been added.

Terraform

Steps

1. Update the version inside the main.tf file to 1.2.0.
2. Run terraform plan to see the infrastructure plan.
3. Run terraform apply to apply the infrastructure build.
4. Update rules/ in your Forseti server GCS bucket to be able to use the four new use cases that have been added.

Upgrading from 2.12.0 to 2.13.0

You can upgrade from 2.12.0 to 2.13.0 using Deployment Manager or Terraform.
Deployment Manager

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.13.0 to check out version v2.13.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-13-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-13-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.13.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-13-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-13-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-13-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-13-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

Upgrading from 2.13.0 to 2.14.0

You can upgrade from 2.13.0 to 2.14.0 using Deployment Manager or Terraform.
Deployment Manager

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.14.0 to check out version v2.14.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-14-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-14-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.14.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-14-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-14-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-14-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-14-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

forseti_conf_server.yaml updates:

Inventory

Update the api_quota section to include groupssettings:

inventory:
  ...
  api_quota:
    ...
    groupssettings:
      max_calls: 5
      period: 1.1
      disable_polling: False
    ...

Scanner

Update the scanners section to include config_validator and groups_settings:

scanner:
  ...
  scanners:
    - name: config_validator
      enabled: false
    - name: groups_settings
      enabled: true
    ...

Notifier

Update the resources section to include config_validator_violations and groups_settings_violations, and the violation section to include the CSCC source_id:

notifier:
  ...
  resources:
    - resource: config_validator_violations
      should_notify: true
      notifiers:
        # Email violations
        - name: email_violations
        # Upload violations to GCS.
        - name: gcs_violations
          configuration:
            data_format: csv
            # gcs_path should begin with "gs://"
            gcs_path: gs://<FORSETI_SERVER_BUCKET>/scanner_violations
    - resource: groups_settings_violations
      should_notify: true
      notifiers:
        # Email violations
        - name: email_violations
        # Upload violations to GCS.
        - name: gcs_violations
          configuration:
            data_format: csv
            # gcs_path should begin with "gs://"
            gcs_path: gs://<FORSETI_SERVER_BUCKET>/scanner_violations
    ...
  violation:
    cscc:
      enabled: true
      # Cloud SCC Beta API uses a new source_id. It is unique per
      # organization and must be generated via a self-registration process.
      # The format is: organizations/ORG_ID/sources/SOURCE_ID
      source_id: <YOUR_SOURCE_ID>

Update rules/ in your Forseti server GCS bucket to include sample rules according to the CIS benchmark.
Update rules/ in your Forseti server GCS bucket to include Groups Settings rules.
Add the scope https://www.googleapis.com/auth/apps.groups.settings to your Forseti server service account to allow it to obtain G Suite groups settings data during the inventory process.

Terraform

Steps

1. Update the version inside the main.tf file to 1.4.0.
2. Run terraform init to initialize Terraform.
3. Run terraform plan to see the infrastructure plan.
4. Run terraform apply to apply the infrastructure build.
5. Update rules/ in your Forseti server GCS bucket to include sample rules according to the CIS benchmark.

Upgrading from 2.14.0 to 2.15.0

You can upgrade from 2.14.0 to 2.15.0 using Deployment Manager or Terraform.
Deployment Manager

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.15.0 to check out version v2.15.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-15-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-15-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.15.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-15-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-15-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-15-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-15-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

forseti_conf_server.yaml updates:

Inventory

Update the asset_types list in the cai section with the newly supported asset types:

inventory:
  ...
  cai:
    ...
    #asset_types:
    #   - compute.googleapis.com/GlobalForwardingRule
    #   - compute.googleapis.com/RegionBackendService
    ...

Update rules/ in your Forseti server GCS bucket to exclude gmail as a default whitelisted group.

Terraform

Steps

1. Update the version inside the main.tf file to 1.6.0.
2. Run terraform init to initialize Terraform.
3. Run terraform plan to see the infrastructure plan.
4. Run terraform apply to apply the infrastructure build.

Upgrading from 2.15.0 to 2.16.0

You can upgrade from 2.15.0 to 2.16.0 using Deployment Manager or Terraform.
Deployment Manager

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.16.0 to check out version v2.16.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-16-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-16-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.16.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-16-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-16-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-16-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-16-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

Terraform

Steps

1. Update the version inside the main.tf file to 2.1.0.
2. Run terraform init to initialize Terraform.
3. Run terraform plan to see the infrastructure plan.
4. Run terraform apply to apply the infrastructure build.

Upgrading from 2.16.0 to 2.17.0

You can upgrade from 2.16.0 to 2.17.0 using Deployment Manager or Terraform.
Deployment Manager

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.17.0 to check out version v2.17.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-17-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-17-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.17.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-17-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-17-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-17-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-17-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

Add roles/monitoring.metricWriter to the service account on the project level:

gcloud projects add-iam-policy-binding {PROJECT_ID} --member=serviceAccount:{SERVICE_ACCOUNT_NAME}@{PROJECT_ID}.iam.gserviceaccount.com --role=roles/monitoring.metricWriter

Example:

gcloud projects add-iam-policy-binding 1234567890 --member=serviceAccount:forseti-server-gcp-ea370bd@my_gcp_project.iam.gserviceaccount.com --role=roles/monitoring.metricWriter

forseti_conf_server.yaml updates:

Inventory

Update the asset_types list in the cai section with the newly supported Kubernetes asset types:

inventory:
  ...
  cai:
    ...
    #asset_types:
    #   - k8s.io/Namespace
    #   - k8s.io/Node
    #   - k8s.io/Pod
    #   - rbac.authorization.k8s.io/ClusterRole
    #   - rbac.authorization.k8s.io/ClusterRoleBinding
    #   - rbac.authorization.k8s.io/Role
    #   - rbac.authorization.k8s.io/RoleBinding
    ...

Terraform

Steps

1. Update the version inside the main.tf file to 2.2.0.
2. Run terraform init to initialize Terraform.
3. Run terraform plan to see the infrastructure plan.
4. Run terraform apply to apply the infrastructure build.

Upgrading from 2.17.0 to 2.18.0

You can upgrade from 2.17.0 to 2.18.0 using Deployment Manager or Terraform.
Deployment Manager

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.18.0 to check out version v2.18.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-18-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-18-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.18.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-18-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-18-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-18-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-18-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

Update rules/ in your Forseti server GCS bucket to include the latest vulnerable KE versions.

Terraform

Steps

1. Update the version inside the main.tf file to 2.3.0.
2. Run terraform init to initialize Terraform.
3. Run terraform plan to see the infrastructure plan.
4. Run terraform apply to apply the infrastructure build.
5. Update rules/ in your Forseti server GCS bucket to include the latest vulnerable KE versions.

Upgrading from 2.18.0 to 2.19.0

You can upgrade from 2.18.0 to 2.19.0 using Deployment Manager or Terraform.
Deployment Manager

Steps

1. Run rm -rf forseti-security to delete the folder, then run git clone https://github.com/forseti-security/forseti-security.git to clone the forseti-security directory to Cloud Shell.
2. Run cd forseti-security to navigate to the forseti-security directory, then run git checkout tags/v2.19.0 to check out version v2.19.0 of Forseti Security.
3. Download the latest deployment template from the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-<LATEST_TEMPLATE>.yaml deployment-templates/deploy-forseti-server-xxxxx-2-19-0.yaml
4. Open deployment-templates/deploy-forseti-server-xxxxx-2-19-0.yaml for edit.
5. Update the forseti-version inside the deployment template to tags/v2.19.0.
6. Upload deployment-templates/deploy-forseti-server-xxxxx-2-19-0.yaml back to the GCS bucket (forseti-server-xxxxxx/deployment_templates) by running:
   gsutil cp deployment-templates/deploy-forseti-server-xxxxx-2-19-0.yaml gs://YOUR_FORSETI_GCS_BUCKET/deployment_templates/deploy-forseti-server-xxxxx-2-19-0.yaml
7. Run gcloud deployment-manager deployments update DEPLOYMENT_NAME --config deployment-templates/deploy-forseti-server-xxxxx-2-19-0.yaml
   If you see errors while running the deployment manager update command, refer to the section "Error while running deployment manager" below for details on how to work around the error.
8. Reset the server instance: gcloud compute instances reset MY_FORSETI_SERVER_INSTANCE --zone MY_FORSETI_SERVER_ZONE
   Example command: gcloud compute instances reset forseti-server-vm-70ce82f --zone us-central1-c
9. Repeat steps 3-8 for Forseti client.

Terraform

Steps

1. Update the version inside the main.tf file to 4.0.0.
2. Run terraform init to initialize Terraform.
3. Run terraform plan to see the infrastructure plan.
4. Run terraform apply to apply the infrastructure build.

Error while running deployment manager

If you get the following error while running the deployment manager:
  The fingerprint of the deployment is .....
  Waiting for update [operation-xxx-xxx-xxx-xxx]...failed.
  ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-xxx-xxx-xxx-xxx]: errors:
  - code: NO_METHOD_TO_UPDATE_FIELD
    message: No method found to update field 'networkInterfaces' on resource 'forseti-server-vm-xxxxx'
      of type 'compute.v1.instance'. The resource may need to be recreated with the
      new field.

You can follow these steps to work around this deployment manager problem:

  gcloud deployment-manager deployments update DEPLOYMENT_NAME --config forseti_server_v2_x_x.yaml
  gcloud deployment-manager deployments update DEPLOYMENT_NAME --config forseti_server_v2_x_x.yaml