Identity & Security

Understand GCP Organization resource hierarchies with Forseti Visualizer

Google Cloud Platform (GCP) includes a powerful resource hierarchy that establishes who owns a specific resource, and through which you can apply access controls and organizational policies. But understanding the GCP resource hierarchy can be hard. For example, what does a GCP Organization “look” like? What networks exist within it? Do specific resources violate established security policies? To which service accounts and groups visualizing do you have access?

To help answer those questions, as well as others, we recently open-sourced Forseti Visualizer, which lets you, er, visualize and interact with your GCP Organization. Built on top of the open-source Forseti Security, we also used our colleague Mike Zinni’s post, Visualizing GCP Architecture using Forseti 2.0 and D3.js, as inspiration.

1 Forseti Visualizer.gif

Forseti Visualizer does a number things:

1. Dynamically renders your entire GCP Organization. Forseti Visualizer leverages Forseti Security’s Inventory via connectivity to CloudSQL / MySQL database, so it’s always up-to-date with the most recent inventory iteration.

2. Finds all networks or a given set of resource types across an Organization. Again using Forseti Inventory, Visualizer tackles dynamic data processing and filtering of resources. Through a simple series of clicks on filtered resource types AND expanding the tree structure, we can quickly find all Networks.

2 filter by networks.gif

3. Finds violations. Using Forseti Scanner, Visualizer quickly shows you when a given resource is in violation of one of your Forseti policies.

3 find violations.gif

4. Displays access permissions. With the help of Forseti IAM Explain and Visualizer, you can quickly figure out whether or not you have access to a given resource—a question that’s otherwise difficult to answer, particularly if you have multiple projects. 

The future for Forseti Visualizer

These are powerful features in and of themselves, but we’re just getting started with Forseti Visualizer. Here’s a sampling of other extensions and features that could be useful:

  • Visualization Scaling  - Internal performance testing shows degradation when over 500 resources are open and rendered on the page. An extension to limit the total number of resources and dynamically render content while scrolling through the visualization would help prevent this.

  • Visualization spacing for vertical / horizontal / wide-view

  • Multiple sub-visualizations

  • Full Forseti Explain functionality

  • More detailed GCP resource metadata

When it comes to Forseti Visualizer, the sky’s the limit. To get started with Forseti Visualizer, check the getting started pages. If you have feedback or suggestions on the visualization, interactivity, future features, reach out to me on our Forseti Slack channel.