Contributed by Google employees.

This guide walks you through a private Forseti Security installation on Compute Engine, following enterprise best practices.

This guide shows how to do the following:

• Deploy Forseti in its own virtual private cloud (VPC), not the default VPC.
• Restrict the firewall rules that are preconfigured.
• Optionally, remove the public IP address from Compute Engine instances.
• Configure Cloud SQL to be a private instance.
• Configure Forseti to send violations to Cloud Security Command Center (Cloud SCC).

This guide does not show how to do the following:

• Customize Forseti.
• Configure Forseti beyond the basic setup.
• Configure Forseti Enforcer.

This guide was developed using Forseti version 2.24.0 (release v5.1.0).

Prerequisites

To perform the steps in this tutorial, you need the following:

• Access to a G Suite or Cloud Identity super admin account.
• Access to the Security page in the Google Admin console.
• Access to the Cloud Console.
• Rights to modify IAM permissions at the Organization level.
• A project where you will deploy Forseti. In this tutorial, we use the project name forseti.
• Editor or owner permissions for the forseti project.

Software that you need:

• Terraform 0.12.12 or higher
• Cloud SDK

Installing Forseti

You have two options when following this tutorial:

• (Recommended) Clone the installer repository into your local workspace:

  Forseti Security: Terraform Google Installer

  For a stable build, select the latest module-release branch.

• Use a temporary shell workspace managed by Google:

  

  If you use the Cloud Shell option, be sure to back up your terraform.tfvars file at the end of the session.

Regardless of which option you choose for the working environment, the steps below are the same. When the steps below refer to your shell session, this refers to whichever choice of environment you made above.

Preparing the Google Cloud environment

If you do not have a dedicated forseti project yet, then create one. Navigate to the project Home page and take note of the Project ID information displayed in the Project info panel.

In the forseti project, do the following:

1. Go to the VPC Networks page in the Cloud Console.

2. Create a VPC for Forseti with one subnet. Configure it with the following parameters:

   • Private Google access: On
   • Flow logs: On (optional)
   • Dynamic routing mode: Regional

   In the example above, the VPC was created with the name forseti and the subnet with the name forseti-subnet1. The chosen region is us-east4. The chosen zone is us-east4-a. During this step, record the network, subnet, and region names; you will use them in later steps.

3. Remove the default network.

4. Open your shell session and confirm that you have the required software installed:

   terraform -v && gsutil -v && gcloud -v
   

   Sample output:

   Terraform v0.12.16
   gsutil version: 4.46
   Google Cloud SDK 272.0.0
   

5. Before the next step, run gcloud auth list to ensure that your shell session is authenticated.

   If your shell session is not yet authenticated, then use the gcloud auth login command to authenticate.

6. In your shell, run the following commands to set the configuration context for gcloud:

   gcloud config set project [PROJECT_ID]
   gcloud config set compute/region [REGION_NAME]
   gcloud config set compute/zone [ZONE_NAME]
   

   In our example:

   gcloud config set project forseti-project-id
   gcloud config set compute/region us-east4
   gcloud config set compute/zone us-east4-a
   

Run a helper script to create a service account and enable APIs

Before you can run the Terraform module, you must create a service account and enable specific APIs. The Forseti installer has a helper script that uses gcloud for this purpose.

1. Navigate to terraform-google-forseti/helpers.

2. Run the setup.sh script:

   ./setup.sh -p [PROJECT_ID] -o [ORGANIZATION_ID]
   

   To find your Organization ID, you can use the gcloud organizations list command. You will need the Organization ID for subsequent steps, too.

   This step creates a credentials.json file in the helpers folder, which you will need in a later step. This file is removed at the end of the installation procedure.

Prepare the Terraform environment

1. Move the credentials.json file to the terraform-google-forseti/examples/install_simple folder and navigate to that folder:

   # from the helpers folder
   mv credentials.json ../examples/install_simple
   cd ../examples/install_simple
   

   For details, see the installation documentation.

2. Open the terraform.tfvars file with a text editor. This file contains the input provided to the Terraform module.

   The default terraform.tfvars file looks like the following:

   project_id = "my-project-id"
   org_id     = "11111111"
   domain     = "mydomain.com"
   region     = "us-east4"
   
   network         = "default"
   subnetwork      = "default"
   network_project = ""
   
   gsuite_admin_email      = "admin@mydomain.com"
   sendgrid_api_key        = ""
   forseti_email_sender    = ""
   forseti_email_recipient = ""
   

3. Configure the file as follows:

   • Configure project_id with your project ID.
   • Configure the org_id with your Organization ID.
   • Configure the domain with your organization's domain.
   • Configure network and subnetwork and region with the information you recorded when creating the network. In this example it's forseti, forseti-subnet1 and us-east4 respectively.

   If your organization is set up to use shared networks, you can instead use a network in your host project and populate the network_project accordingly. Typically, because the Forseti toolset should be contained to Google Cloud, an isolated project/network combination is appropriate. Also note that in this case you would need to pass the -f flag to the helper script in the previous section.

4. Add the following line to the end of the terraform.tfvars file:

   private = true
   

5. Your file should look like the following:

   project_id = "forseti-project-id"
   org_id     = "111111111111"
   domain     = "example.com"
   region     = "us-east4"
   
   network         = "forseti"
   subnetwork      = "forseti-subnet1"
   network_project = ""
   
   gsuite_admin_email      = "admin@example.com"
   sendgrid_api_key        = ""
   forseti_email_sender    = ""
   forseti_email_recipient = ""
   
   private = true
   

6. If you plan to use the SendGrid email service, ensure that you obtain an API key and configure the sendgrid_api_key, forseti_email_sender, and forseti_email_recipient. We recommend that you use a group alias as the email recipient.

7. Create a bucket to store the Terraform state. The bucket name must be unique. In this tutorial, we use the project ID as the bucket name, but you can use any unique name.

   PROJECT=`gcloud config list --format 'value(core.project)'`
   gsutil mb gs://$PROJECT-tfstate
   

   Take note of the bucket name for subsequent use.

   If your organization already uses Terraform, you can use the same backend as your other Terraform scripts, with a separate folder for the Forseti installation.

8. Open the backend.tf file with a text editor. The default contents should look like the following:

   # terraform {
   #   backend "gcs" {
   #     bucket  = "my-project-tfstate"
   #     prefix  = "terraform/forseti"
   #   }
   # }
   

9. Uncomment the block above, and populate the bucket value with the bucket name from the previous step. The prefix is the folder in which the state will be saved within the bucket. The updated file should look like the following:

   terraform {
       backend "gcs" {
           bucket  = "[PROJECT_ID]-tfstate"
           prefix  = "terraform/forseti"
       }
   }
   

Running the installer module

With the prerequisite work done, you can install Forseti.

1. Initialize and download the required modules:

   terraform init
   

2. Run the installer module:

   terraform apply
   

At the time of this writing, there is a bug when running with Terraform higher than version 0.12.12 that causes the following error: tls_private_key.policy_library_sync_ssh is empty tuple (more info). To work around this issue, open the main.tf file and add the following line after the private lines in the module definition: policy_library_sync_enabled = true. After this modification, the module will look like the following:

module "forseti-install-simple" {
    source  = "terraform-google-modules/forseti/google"
    version = "~> 5.0.0"

    [... REDACTED for brevity ... ]

    client_private = var.private
    server_private = var.private

    policy_library_sync_enabled = true
}

You may see other warnings, such as Warning: Quoted references are deprecated or Warning: Interpolation-only expressions are deprecated. These do not affect the installation, and you should be able to proceed with the installation as expected.

Making Forseti private

At this stage, Forseti is installed, but it is not yet fully private. In this section, you make Forseti private.

In the Cloud Console, ensure that you have the forseti project selected, and then do the following:

1. Go to the Cloud SQL page in the Cloud Console.

2. Find the row for the forseti-server-db instance, click the more icon (three dots) at the end of the row, and then click Edit.

3. Add the private IP address, remove the public IP address, and save the changes.

   Note: This is also a good time to ensure that the database is in the same zone as the server VM (optional).

4. Go to the Firewall rules page and edit the rules of both forseti-client-allow-ssh-external and forseti-server-allow-ssh-external to restrict the source IP ranges to the locaton (on-premises or datacenter range) that you will be connecting from.

5. (Optional) Go to the VM instances page and verify that there is no public IP addresses for the server and client VMs; since we set the private flag to true, this should be properly configured.

   If you remove the public IP addresses, then connections to the instances must be through Cloud Identity-Aware Proxy (IAP), Cloud VPN, or Cloud Interconnect. Cloud IAP provides Google Identity verified proxy tunnel to compute instances without internet access. For details on how to set up Cloud IAP to access a Forseti VM through SSH, see the Cloud IAP documentation.

Configuring Forseti

In this section, you perform the base configuration to get Forseti up and running.

Enable domain-wide delegation

You must be logged in with the super admin account for the steps in this section.

For details of domain-wide delegation, see Enable domain-wide delegation in G Suite in the Forseti documentaton.

1. Navigate to IAM & admin > Service Account page on the forseti project.

2. Find the Forseti Server service account, click the more icon (three dots), and then click Edit. Note the service account address for use in the next section.

3. Click the checkbox to select Enable G Suite Domain-wide Delegation.

4. Click View Client ID.

5. Copy the value from the Client ID field and save it for the next step.

   You can also copy the client ID from the Edit page if you are unable to copy it from the popover that displays the information.

6. In the Google Admin Console, go to Manage API client access in Security Settings, and paste the client ID in the client name box.

7. Authorize the following scopes: https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/cloudplatformprojects.readonly,https://www.googleapis.com/auth/apps.groups.settings

Enable Cloud SCC with Forseti plugin

1. In the Forseti project, go to API & Services > Library page, search for the Cloud Security Command Center API (securitycenter.googleapis.com), and enable it.

2. Navigate to the Organization level.

3. Use the menu in the upper-left corner of the Cloud Console to navigate to Security > Security Command Center.

4. Enable the service.

5. At the top of the Security Command Center page, click Add Security Sources.

6. Select the Forseti Cloud SCC Connector plugin.

7. Click the Visit Forseti Security to sign up button to get started.

8. Follow the steps to enable the extension. First, select your organization.

9. Follow the instructions on the screen. When asked for a service account, use the Forseti Server service account. Choose the forseti project.

10. Copy the source_id for later use. The source_id is in this format, as shown in the screenshot above: organizations/[ORGANIZATION_ID]/sources/[SOURCE_ID]

11. Navigate to the Organization IAM page and ensure that the service account has the Security Center Findings Editor role.

    If you did not re-use the Forseti Server service account and created a new service account for Cloud SCC, you need to grant Security Center Findings Editor role for both the Foresti Server service acconut and the newly created service account for Cloud SCC.

Configuring the CSCC integration in Forseti

Now you can edit the Terraform files to enable CSCC integration.

1. Ensure that you are in the terraform-google-forseti/examples/install_simple folder for the next steps.

2. Add the following line to the bottom of the terraform.tfvars file:

   cscc_violations_enabled = "true"
   cscc_source_id = "organizations/[ORGANIZATION_ID]/sources/[SOURCE]"
   

   The cscc_source_id is the value of source_id that you copied in the previous section.

3. Your file should look like the following:

   project_id = "forseti-project-id"
   org_id     = "111111111111"
   domain     = "example.com"
   region     = "us-east4"
   
   network         = "forseti"
   subnetwork      = "forseti-subnet1"
   network_project = ""
   
   gsuite_admin_email      = "admin@example.com"
   sendgrid_api_key        = ""
   forseti_email_sender    = ""
   forseti_email_recipient = ""
   
   private = true
   cscc_violations_enabled = "true"
   cscc_source_id = "organizations/[ORGANIZATION_ID]/sources/[SOURCE]"
   

4. To tell the module how to to use the values set in the previous steps, you edit the variables.tf and main.tf files.

   Add the following to the bottom of the variables.tf file:

   variable "cscc_violations_enabled" {
     description = "enables integraton with Cloud Security Command Center"
     type = bool
     default = false
   }
   
   variable "cscc_source_id" {
     description = "Source ID to be used in the Cloud Security Command Center configuration"
     default = ""
   }
   

   In the main.tf file, find the module "forseti-install-simple" line; this is a code block surrounded by {}. Inside this code block, add the following lines:

   cscc_violations_enabled = var.cscc_violations_enabled
   cscc_source_id = var.cscc_source_id
   

   After the modification, the module will look like the following:

   module "forseti-install-simple" {
       source  = "terraform-google-modules/forseti/google"
       version = "~> 5.0.0"
   
       [... REDACTED for brevity ... ]
   
       client_private = var.private
       server_private = var.private
   
       cscc_violations_enabled = var.cscc_violations_enabled
       cscc_source_id = var.cscc_source_id
   }
   

5. Run terraform apply again:

   terraform apply
   

Validate the configuration

To validate that the configuration was properly applied, do the following:

1. List the buckets:

   gsutil ls
   

2. Find the forseti-server bucket.

3. View the relevant part of configuration file:

   gsutil cat gs://forseti-server-[id]/configs/forseti_conf_server.yaml | grep cscc -A6
   

   The output should look similar to the following:

   cscc:
       enabled: true
       # Cloud SCC uses a source_id. It is unique per
       # organization and must be generated via a self-registration process.
       # The format is: organizations/ORG_ID/sources/SOURCE_ID
       source_id: organizations/[ORGANIZATION_ID]/sources/[SOURCE]
   

For further validation, you can trigger a notification manually and verify that it shows up in the Security Command Center page:

1. Use SSH to connect to the Forseti server VM: forseti-server-vm.

2. Reload the server configuration:

   forseti server configuration reload gs://forseti-server-[id]/configs/forseti_conf_server.yaml
   

3. Create an inventory:

   forseti inventory create
   

   At the end of this step, the output gives an inventory ID; copy it for the next step.

   {
     "errors": 0,
     "warnings": 31,
     "step": "bucket/test-function-http-tpc6nm6zh2",
     "finalMessage": false,
     "lastError": "",
     "id": "1556128018126591", # <== This is the inventory ID.
     "lastWarning": ""
   }
   

   Sometimes the installation procedure does not complete as expected, in which case the VM might give the following error:

   forseti: command not found
   

   If you receive this error, you have three options:

   • Restart the Forseti Server VM, because a known issue might have prevented the process from starting correctly.
   • Destroy the installation, ensure that the project is clean, and run terraform apply again.
   • Follow the steps detailed here in the Forseti Server VM to install it locally.

4. Create a model based on the inventory, and configure Forseti to use it:

   forseti model create --inventory_index_id [INVENTORY_ID] [MODEL_NAME]
   forseti model use [MODEL_NAME]
   

5. Run Forseti Scanner:

   forseti scanner run
   

6. Run Forseti Notifier:

   forseti notifier run
   

7. Check the output for any violations.

8. Validate that the Forseti violations are shown as findings in the Cloud Security Command Center page.

Conclusion

This gives you a production-ready base intallation of Forseti. However, it's important to note that you still need to create an organizaton-specific configuration. Typically, you need to refine the base rules to remove the noise and catch use-cases that are specific to your organization (for example, allow firewall rules opening SSH and RDP traffic only for your defined IP ranges).

See the Forseti documentation on how to create your own rules.