This page describes how to configure Forseti Inventory. Forseti Inventory collects and stores information about your Google Cloud Platform (GCP) resources. Forseti Scanner and Enforcer use Inventory data to perform operations.
To run Forseti, you’ll need to set up your configuration file. Edit the forseti_conf_server.yaml sample file and save it as forseti_conf_server.yaml.
You will also need to edit, at a minimum, the following variables in the config file:

You must set ONLY one of root_resource_id or composite_root_resources in your configuration. Defining both will cause Forseti to exit with an error.

NOTE: The composite_root_resources configuration does not support gsuite and Explain at this time.

Either:

root_resource_id
  Valid values: <resource_type>/<resource_id>
  Example: organizations/12345677890

domain_super_admin_email
  Example: my_gsuite_admin@my_domain.com

OR:

composite_root_resources
  Description: List of all resources to include in a single Forseti inventory. Can contain one or more resources from the GCP Resource Hierarchy (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) in any combination. The IAM policy for all resources must grant the appropriate IAM permissions to the Forseti service account before they can be included in the inventory. Resources can exist in multiple organizations.
  Valid values: <resource_type>/<resource_id>
  Example: folders/12345677890, projects/9876543210, organizations/5678901234
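The mutual-exclusion rule above is enforced by Forseti only at start-up, when it exits with an error. The following pre-flight check, an added example rather than Forseti's own code, runs the same rule over a config that has already been parsed into a dict (the keys mirror the YAML keys on this page; the function names, the regex and the sample configs are this example's own assumptions). It also flags a malformed root and warns when domain_super_admin_email is combined with composite_root_resources, which does not support gsuite.

```python
# Added example (not part of the Forseti docs or code base): pre-flight check
# for the root-resource settings of the inventory section in
# forseti_conf_server.yaml, run over the already-parsed config dict.
import re

# Resource types from the GCP Resource Hierarchy that may act as an inventory root.
ROOT_TYPES = ("organizations", "folders", "projects")
# <resource_type>/<resource_id>; the ids on this page are numeric, but project
# ids may also be names, so letters and dashes are accepted (assumption).
RESOURCE_RE = re.compile(r"^(%s)/([A-Za-z0-9-]+)$" % "|".join(ROOT_TYPES))


def check_root_resources(inventory):
    """Return (errors, warnings) for the inventory section; both empty if OK."""
    errors, warnings = [], []
    single = inventory.get("root_resource_id")
    composite = inventory.get("composite_root_resources")

    # Exactly one of the two settings may be defined: both, or neither, is an error.
    if single is not None and composite is not None:
        errors.append("set only one of root_resource_id or composite_root_resources")
    if single is None and composite is None:
        errors.append("one of root_resource_id or composite_root_resources is required")

    # Every root must be formatted as <resource_type>/<resource_id>.
    roots = [single] if single is not None else list(composite or [])
    for root in roots:
        if not isinstance(root, str) or not RESOURCE_RE.match(root):
            errors.append("malformed resource %r (expected <resource_type>/<resource_id>)" % (root,))

    # composite_root_resources does not support gsuite, so a G Suite super admin
    # email next to it cannot be honoured; surface that as a warning.
    if composite is not None and inventory.get("domain_super_admin_email"):
        warnings.append("domain_super_admin_email is set, but gsuite is not supported "
                        "with composite_root_resources")
    return errors, warnings


# Constructed sample configs; the values mirror the examples on this page.
GOOD_SINGLE = {
    "root_resource_id": "organizations/12345677890",
    "domain_super_admin_email": "my_gsuite_admin@my_domain.com",
}
GOOD_COMPOSITE = {
    "composite_root_resources": [
        "folders/12345677890", "projects/9876543210", "organizations/5678901234",
    ],
}
BAD_BOTH = {
    "root_resource_id": "organizations/12345677890",
    "composite_root_resources": ["projects/9876543210"],
}

if __name__ == "__main__":
    for name, cfg in (("single", GOOD_SINGLE), ("composite", GOOD_COMPOSITE),
                      ("both", BAD_BOTH)):
        errors, warnings = check_root_resources(cfg)
        print("%-9s errors=%s warnings=%s" % (name, errors, warnings))
```

Run it against the dict produced by your YAML loader before starting the server; anything in the errors list would make Forseti exit, and the warning tells you the G Suite inventory will not be populated.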
Additional configuration settings allow you to finely tune the inventory process for your organization. The default values are set up based on the default quota that all organizations get in Google Cloud Platform, and to ensure the greatest breadth of resources and policies is covered by the inventory.

api_quota
  Description: The maximum calls we can make to each API per second. This should be about 10% lower than the max allowed API quota to allow space for retries. While most APIs will list their quota as calls per 100 seconds, the rate limiter used by Forseti will be most accurate over a 1 to 2 second time period.
  For example, to calculate the values for max_calls and period for a theoretical API that has a quota of 500 calls per 100 seconds, use the following formula:
    max_calls = 500/100 = 5 (5 calls per period)
    period = 1.0/.9 = 1.11, rounded to the nearest tenth = 1.1 (10% overhead)
  The default values are based on the default quota all projects get for GCP APIs; however, large organizations may request quota increases through the Cloud Console to reduce the time it takes to complete an inventory.

max_calls
  Description: Number of calls allowed per period (see the api_quota formula above).
  Example values: 1, 2, 100

period
  Description: Length of the rate-limit period, in seconds.
  Example values: 1.0, 1.2

disable_polling
  Example values: true, false

retention_days
  Example values: -1, 5, 10
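The max_calls and period formula above is easy to get wrong by hand, especially for APIs whose quota does not divide evenly into a one-second window. The helper below is an added example (not Forseti's code; the function names are this example's own) that carries the page's formula through for any quota published as N calls per M seconds, and it generalises it in two ways: a fractional result is floored so the limiter never exceeds the quota, and a quota that allows fewer than one call per second keeps max_calls at 1 and widens the period instead.

```python
# Added example (not part of Forseti): derive the api_quota settings
# max_calls and period from a published API quota, following the 10% headroom
# rule on this page. Function names are this example's own.
import math


def quota_to_settings(calls, per_seconds, headroom=0.10, window=1.0):
    """Return (max_calls, period) for Forseti's rate limiter.

    calls/per_seconds is the published quota, e.g. 500 calls per 100 seconds.
    The quota is rescaled to a `window` of about one second (where the limiter
    is most accurate) and the period is stretched by 1/(1-headroom), so the
    effective rate sits roughly `headroom` below the quota to leave room
    for retries.
    """
    if calls <= 0 or per_seconds <= 0:
        raise ValueError("quota must be positive")
    if not 0 <= headroom < 1:
        raise ValueError("headroom must be in [0, 1)")

    per_window = calls * window / per_seconds
    if per_window >= 1:
        # Page example: 500/100 = 5 calls per period. Floor any fraction so the
        # configured burst never exceeds the quota (generalisation of the page).
        max_calls = math.floor(per_window)
        period = round(window / (1.0 - headroom), 1)   # 1.0/0.9 -> 1.1
    else:
        # Fewer than one call per window: keep a single call and widen the
        # period instead, otherwise max_calls=1 per second would overrun the quota.
        max_calls = 1
        period = round((per_seconds / calls) / (1.0 - headroom), 1)
    return max_calls, period


def effective_rate(max_calls, period):
    """Calls per second the limiter actually allows with these settings."""
    return max_calls / period


def within_quota(calls, per_seconds, max_calls, period):
    """True if the chosen settings stay at or below the published quota."""
    return effective_rate(max_calls, period) <= calls / per_seconds


if __name__ == "__main__":
    # Constructed quotas: the page's 500/100s example plus two awkward ones.
    for calls, per_seconds in ((500, 100), (250, 100), (50, 100)):
        max_calls, period = quota_to_settings(calls, per_seconds)
        print("quota %d/%ds -> max_calls: %d, period: %.1f  (%.2f calls/s, ok=%s)"
              % (calls, per_seconds, max_calls, period,
                 effective_rate(max_calls, period),
                 within_quota(calls, per_seconds, max_calls, period)))
```

Note that rounding the period to a tenth of a second makes the effective rate land slightly above 90% of the quota (5 calls per 1.1 s is about 4.5 calls/s against a 5 calls/s quota); within_quota confirms it still stays below the hard limit, which is what matters for avoiding quota errors during an inventory run.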
cai
  Description: Inventory the organization with Cloud Asset Inventory (CAI) by providing values for the attributes below.

enabled
  Example values: true, false

gcs_path
  Example: gs://my_cai_export_bucket

asset_types
  Example: google.cloud.resourcemanager.Organization, google.compute.Instance