This guide walks you through connecting your GCP environment to Chariot for comprehensive security monitoring and management using Infrastructure as Code (IaC) deployment methods. The integration leverages GCP's Workload Identity Federation and IAM roles to provide Chariot with the necessary permissions to assess your GCP resources while maintaining security best practices.
You can choose between Organization-level integration (recommended for full GCP environment coverage) or Project-level integration (for specific Project monitoring). The process involves creating service accounts, configuring Workload Identity Pools, and setting up the appropriate IAM bindings through automated Terraform deployment.
Note: While manual integration is also available, we strongly recommend using the Terraform/IaC approach for consistency, reliability, and easier maintenance of your integration configuration.
Prerequisites
Before starting the integration, ensure you have:
- GCP Console access with sufficient permissions to create Projects, service accounts, and Workload Identity Pools
- Organization administrator permissions (for Organization-level integration)
- Project editor/owner permissions (for Project-level integration)
- Billing account access (for creating new Projects in Organization-level integration)
- Terraform installed (not required if you use Google Cloud Shell, which comes with Terraform pre-installed)
Integration Process
Step 1: Initiate Integration Setup
- Navigate to the Integrations section in your Chariot dashboard
- Click "Add Integration" and select "GCP"
- Choose your integration scope and provide the required information
Organization-Level Integration (Recommended)
For Organization-level integration, you'll need to provide:
- Organization ID: Your GCP Organization ID (numeric value)
- Deployment Type: Choose from Terraform or Manual
TIP: To get your Organization ID, view the Project switcher in the Google Cloud Console. You can also search for your Organization name.
Project-Level Integration
For Project-level integration, you'll need to provide:
- Organization ID: Your GCP Organization ID (numeric value)
- Project ID: The specific GCP Project ID you want to integrate
- Deployment Type: Choose from Terraform or Manual
Step 2: Download Integration Template
After providing your Project information, Chariot will generate the appropriate deployment template. This template is generated dynamically based on the information you provided.
- Click "Download IAC Template" to download the deployment files
- The template contains all necessary service accounts, Workload Identity Pool, and IAM bindings pre-configured with your unique subject ID
- On submission, the next step will ask for an "Infrastructure ID", which you will get after completing the infrastructure deployment
NOTE: Your integration information is temporarily cached while your browser tab is open. You can close the integration modal using the X icon and return later to continue the integration process once the IaC deployment is complete. This cache is maintained only as long as you keep the browser tab open. If you close the tab, a new dynamic template will be generated.
Step 3: Deploy the Template
Perform the necessary tasks based on the deployment type you chose above. Make sure this deployment completes successfully before completing the integration.
Terraform Deployment (Recommended)
- Open Google Cloud Shell, or authenticate to GCP from your workstation (Terraform must be installed; Google Cloud Shell comes with Terraform pre-installed):
gcloud auth application-default login
- Ensure that the credentials you signed in with have administrator privileges at the Organization scope
- If you're integrating your GCP Organization, it's beneficial to unset your local Project:
gcloud config unset project
- If you're integrating a single Project, set the CLI to use that Project:
gcloud config set project YOUR_PROJECT_ID
- Create a new directory, initialize Terraform, and create a plan:
mkdir chariot-deployment && cd chariot-deployment
Upload the template from the previous step to this directory, then run:
terraform init && terraform plan
- Review the planned changes and save the plan to a file if necessary. Once satisfied, apply the changes and monitor for deployment errors:
terraform apply
- Ensure there are no errors during deployment, then check the outputs printed at the end of the run. The deployment produces an Infrastructure ID, which you need to provide back to Chariot.
Under the hood, the Terraform template performs a number of actions. For the Organization-level integration, the template will:
- Create a new Project named praetorian-chariot-integration
- Create a service account for Chariot integration
- Grant Organization-level permissions to the service account
- Set up a Workload Identity Pool and Provider
- Configure federated identity credentials to trust Chariot's identity pool with a strict subject match for your associated user in Chariot
For a Project integration, the template will perform similar actions:
- Create a service account for Chariot integration
- Grant Project-level permissions, plus the limited set of Organization-level permissions that are required, via a custom role
- Set up a Workload Identity Pool and Provider in that same Project
- Configure federated identity credentials to trust Chariot's identity pool with a strict subject match for your associated user in Chariot
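To make the "strict subject match" concrete, here is an added illustrative Terraform configuration for the pieces listed above (service account, Workload Identity Pool and Provider, federated credential binding, and an Organization-level grant). It is not Chariot's generated template: every resource name, every variable value, the use of roles/viewer as the Organization-level role, and the choice of the provider resource name as the Infrastructure ID output are assumptions made for this example. For a Project-level integration the same pool and provider would live in the target Project and the grant would be a custom role rather than an Organization-level binding.

```hcl
# Added example, not Chariot's template. Names, values and the viewer role are assumptions.

variable "project_id"         { type = string } # Project hosting the pool and service account
variable "project_number"     { type = string } # numeric Project number, used in the principal:// member
variable "organization_id"    { type = string } # numeric Organization ID
variable "chariot_subject_id" { type = string } # unique subject ID from your downloaded template (placeholder)
variable "chariot_issuer_uri" { type = string } # OIDC issuer of Chariot's identity pool (placeholder)
variable "chariot_audience"   { type = string } # audience expected in exchanged tokens (placeholder)

# Service account that Chariot will impersonate after the OIDC token exchange.
resource "google_service_account" "chariot" {
  project      = var.project_id
  account_id   = "chariot-integration"
  display_name = "Chariot integration"
}

resource "google_iam_workload_identity_pool" "chariot" {
  project                   = var.project_id
  workload_identity_pool_id = "chariot-pool"
  display_name              = "Chariot integration pool"
}

resource "google_iam_workload_identity_pool_provider" "chariot" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.chariot.workload_identity_pool_id
  workload_identity_pool_provider_id = "chariot-provider"
  display_name                       = "Chariot OIDC provider"

  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }

  # Strict subject match: only a token whose sub claim equals your subject ID
  # is accepted. Without this condition, any token minted by the issuer for
  # any subject could be exchanged through this provider.
  attribute_condition = "assertion.sub == \"${var.chariot_subject_id}\""

  oidc {
    issuer_uri        = var.chariot_issuer_uri
    allowed_audiences = [var.chariot_audience]
  }
}

# Allow exactly that federated subject to impersonate the service account.
# A principalSet:// member covering the whole pool would be broader than needed.
resource "google_service_account_iam_member" "chariot_wif" {
  service_account_id = google_service_account.chariot.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/projects/${var.project_number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.chariot.workload_identity_pool_id}/subject/${var.chariot_subject_id}"
}

# Organization-level read access for assessment. The page does not name the
# role Chariot's template grants; roles/viewer is an assumption here.
resource "google_organization_iam_member" "chariot_org" {
  org_id = var.organization_id
  role   = "roles/viewer"
  member = "serviceAccount:${google_service_account.chariot.email}"
}

# Value to hand back to Chariot as the Infrastructure ID. Using the provider's
# full resource name here is an assumption for this example.
output "infrastructure_id" {
  value = google_iam_workload_identity_pool_provider.chariot.name
}
```

The two lines worth checking in any generated template are the `attribute_condition` on the provider and the `principal://.../subject/<id>` member on the service account binding: together they ensure that only one federated identity, not every identity the issuer can vouch for, can obtain credentials for the service account. When reviewing `terraform plan`, confirm that the Organization-level or Project-level role being granted is the one you expect before running `terraform apply`.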
Step 4: Complete Integration
- After deploying the template or completing manual setup, return to the Chariot integration modal
- Enter the Infrastructure ID value provided as an output of your deployment
- Click "Finish" to complete the integration
Chariot will automatically:
- Validate the integration by authenticating with Cognito
- Perform OIDC token exchange with your Workload Identity Provider
- Verify access by making a simple GCP API call
- Add the integration to your integrations list upon successful validation
Next Steps
Once your GCP integration is successfully validated and appears in your integrations list, Chariot will begin monitoring your GCP environment. The system will automatically discover and assess your GCP resources, providing security insights and recommendations through your Chariot dashboard.
Need Help?
If you encounter any issues during the integration process or have questions about configuring your GCP integration, please contact our support team at support@praetorian.com. Include your Infrastructure ID and any error messages you've encountered to help us assist you more effectively.