
Installing the Hello World app

This page provides the Hello World example of how to use Cloud Functions to integrate with Cloud SCC APIs.

This guide was written for tools version 3.3.0. If you're using a different version, please see the README file included with the tools version you downloaded. As of May 22, 2019, the most recent release version is 4.0.1.

As illustrated in the diagram below, the function is triggered by a Cloud Pub/Sub topic, calls the Cloud SCC API, and sends the response data to a second topic. Another function is subscribed to that topic and logs the data.

Elements diagram

  1. A message is published on the Entry point Topic.
  2. The Transformer Cloud Functions function is triggered by the Topic.
  3. An API call is made on Cloud SCC to request Assets.
  4. The Assets ID returned is sent to the Redirect Topic.
  5. The triggered Cloud Functions Logger logs the received message.

Before you begin

Before you start this guide, you must complete the prerequisites and installation setup in Setting up Cloud SCC tools.

To install and run the Hello World package, you will also need the following:

  • An active GCP Organization
  • An active Cloud Billing account
  • The following Cloud Identity and Access Management (Cloud IAM) roles at the organization level:
    • Project Creator - roles/resourcemanager.projectCreator
    • Billing Account User - roles/billing.user
    • Organization Role Administrator - roles/iam.organizationRoleAdmin
    • Viewer - roles/viewer
    • Service Usage Admin - roles/serviceusage.serviceUsageAdmin
    • API Keys Admin - roles/serviceusage.apiKeysAdmin
    • Compute Storage Admin - roles/storage.admin
    • Storage Admin - roles/storage.admin
    • Storage Object Admin - roles/storage.objectAdmin
    • Pub/Sub Admin - roles/pubsub.admin
    • Cloud Functions Developer - roles/cloudfunctions.developer
    • Service Account User - roles/iam.serviceAccountUser

The Project Creator and Billing Account User roles are needed to run the pre-setup script create_project_with_billing.py that creates the deployment manager project and the Hello World project with a valid billing account.

Setting up environment variables

  1. Go to the Google Cloud Platform Console.
  2. Click Activate Cloud Shell.
  3. Run the following commands to set environment variables. Use the tools release version you downloaded during setup. This guide was written for tools version 3.3.0. For other tools versions, see the README included with the files you downloaded.

    # Release version you downloaded during setup
    export VERSION=[RELEASE_VERSION]
    
    # Directory to unzip the installation files
    export WORKING_DIR=${HOME}/scc-tools-install
    
    # Organization ID where the script will run
    export ORGANIZATION_ID=[YOUR_ORG_ID]
    
    # Project ID to be created
    export HELLO_WORLD_PROJECT_ID=[YOUR_HELLO_WORLD_PROJECT_ID]
    
    # A valid billing account ID
    export BILLING=[YOUR_BILLING_ACCOUNT_ID]
    
    # One Compute Engine region listed in Regions and Zones:
    # https://cloud.google.com/compute/docs/regions-zones
    export GCE_REGION=[YOUR_REGION]
    
    # A Cloud Storage bucket to use on the Cloud Functions function
    # See: https://cloud.google.com/storage/docs/creating-buckets
    export CF_BUCKET_NAME=[YOUR_BUCKET]
    
  4. On the Cloud Shell menu bar, click Upload file on the More devshell settings menu.

  5. Upload the scc-hello-world-${VERSION}.zip file you downloaded during the installation setup.

  6. Unzip the file you uploaded by running:

    unzip -qo scc-hello-world-${VERSION}.zip -d ${WORKING_DIR}
    
  7. Go to the installation working directory:

    cd ${WORKING_DIR}
    
  8. Copy your service account file to:

    ${WORKING_DIR}/hello-world/function/transformer/accounts/cscc_api_client.json
    

Installing the Hello World app package

In any of the following sections, you can simulate executions of the commands by using the option --simulation.

Step 1: Creating the project

This step requires the following Cloud IAM roles:

  • Organization Administrator - roles/resourcemanager.organizationAdmin
  • Project Creator - roles/resourcemanager.projectCreator
  • Billing Account User - roles/billing.user
  • Organization Role Administrator - roles/iam.organizationRoleAdmin

To create the project and enable billing, run:

  1. Create the project:

     gcloud projects create ${HELLO_WORLD_PROJECT_ID} \
       --organization ${ORGANIZATION_ID}
    
  2. Enable billing:

     gcloud beta billing projects link ${HELLO_WORLD_PROJECT_ID} \
       --billing-account ${BILLING}
    

Step 2: Enabling APIs

To enable the required Google APIs in the Hello World project, run:

gcloud services enable \
  securitycenter.googleapis.com \
  servicemanagement.googleapis.com \
  cloudresourcemanager.googleapis.com \
  cloudfunctions.googleapis.com \
  --project ${HELLO_WORLD_PROJECT_ID}

Step 3: Creating the service account

This step requires the following Cloud IAM roles:

  • Organization Administrator - roles/resourcemanager.organizationAdmin
  • Security Center Admin - roles/securitycenter.admin
  • Service Account Admin - roles/iam.serviceAccountAdmin
  • Service Account Key Admin - roles/iam.serviceAccountKeyAdmin

You will use these roles to create a service account with the following organizational-level role:

  • Security Center Assets Viewer - roles/securitycenter.assetsViewer

Create the service account that will be used to deploy the application, download the key file, and grant the necessary roles by running:

  1. Create the Service Account:

    gcloud iam service-accounts create scc-asset-viewer  \
     --display-name "SCC Asset Viewer SA"  \
     --project ${HELLO_WORLD_PROJECT_ID}
    
  2. Download the service account key file:

    (cd setup; \
     gcloud iam service-accounts keys create \
     service_accounts/scc-asset-viewer-${HELLO_WORLD_PROJECT_ID}-service-account.json \
     --iam-account scc-asset-viewer@${HELLO_WORLD_PROJECT_ID}.iam.gserviceaccount.com)
    
  3. Export the absolute path to the service account key file:

    export SCC_SA_FILE=[PATH_TO_SERVICE_ACCOUNT_FILE]
    
  4. Grant the Organization Level roles:

     gcloud beta organizations add-iam-policy-binding ${ORGANIZATION_ID} \
      --member="serviceAccount:scc-asset-viewer@${HELLO_WORLD_PROJECT_ID}.iam.gserviceaccount.com" \
      --role='roles/securitycenter.assetsViewer'
    

Step 4: Creating an API key

Before you run the Hello World app setup, create an API key and restrict it to the Cloud SCC application, then export its value to an environment variable:

  1. Go to the APIs & Services > Credentials page in the GCP Console.
  2. On the Create credentials drop-down list, click API key.
  3. On the API key created dialog that appears, copy your API key.
  4. Export the API key as an environment variable by running:

    export API_KEY=[YOUR_API_KEY]
    

Step 5: Deploy the application

To create the remaining infrastructure and deploy the application, run the command below. If you want to run a simulation of the execution, use --simulation instead of --no-simulation.

(cd hello-world/setup; \
mkdir -p ../function/transformer/accounts; \
cp -f ${SCC_SA_FILE} ../function/transformer/accounts/cscc_api_client.json; \
pipenv run python3 run_setup.py \
  --organization_id ${ORGANIZATION_ID} \
  --project ${HELLO_WORLD_PROJECT_ID} \
  --region ${GCE_REGION} \
  --api_key ${API_KEY} \
  --no-simulation)
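
A pre-flight check that can be run before the deploy command above. This is an added example, not part of the SCC tools package; the function names `check_var`, `check_key_file` and `scc_preflight` are hypothetical. It assumes the variables exported earlier in this guide and the `scc-asset-viewer` service account from Step 3.

```shell
#!/bin/sh
# Added example: pre-flight check for the Hello World deployment.
# scc_preflight is a hypothetical helper, not part of the SCC tools package.

# Fail if a variable is unset, empty, or still a [PLACEHOLDER] from the guide.
check_var() {
  eval "val=\${$1:-}"
  case "$val" in
    '')    echo "FAIL: $1 is not set" >&2; return 1 ;;
    \[*\]) echo "FAIL: $1 still holds a placeholder" >&2; return 1 ;;
  esac
}

# Fail unless the key file is a service account key for the expected account
# and is accessible by its owner only.
check_key_file() {
  file=$1 expected=$2
  [ -f "$file" ] || { echo "FAIL: $file not found" >&2; return 1; }
  grep -q '"type": *"service_account"' "$file" ||
    { echo "FAIL: $file is not a service account key" >&2; return 1; }
  grep -q "\"client_email\": *\"$expected\"" "$file" ||
    { echo "FAIL: key is not for $expected" >&2; return 1; }
  # Characters 5-10 of the ls mode string are the group/other permission bits.
  perms=$(ls -ld "$file" | cut -c5-10)
  [ "$perms" = "------" ] ||
    { echo "FAIL: $file is accessible to group/other; run chmod 600" >&2; return 1; }
}

# Check every variable the deploy command consumes, then the key file itself.
scc_preflight() {
  rc=0
  for v in ORGANIZATION_ID HELLO_WORLD_PROJECT_ID GCE_REGION API_KEY SCC_SA_FILE; do
    check_var "$v" || rc=1
  done
  [ "$rc" -eq 0 ] || return 1
  check_key_file "$SCC_SA_FILE" \
    "scc-asset-viewer@${HELLO_WORLD_PROJECT_ID}.iam.gserviceaccount.com"
}

# Usage: scc_preflight && echo "ready to deploy"
```

The key file is copied into the function source directory by the deploy command, so the same permission check applies to `cscc_api_client.json` afterwards.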

Verifying the installation

To verify the installation:

  1. Go to the GCP Console Cloud Functions list.
  2. Verify that the functions display as enabled in the list.
  3. Go to the GCP Console Pub/Sub Topics list.
  4. Verify that the topics were created correctly.

Verifying the function

To verify the function, post any message to the topic Entrypoint:

  1. Go to the GCP Console Pub/Sub Topics list.
  2. Under Topic name, click entrypoint topic.
  3. On the Topic details page that appears, click Publish Message.
  4. In the Message box, enter a test message.
  5. Go to the GCP Console Stackdriver Logs page.
  6. Verify that your test message is displayed in the list.

Updating the function

If you change the source code for one of the functions, you will need to re-deploy it by running the following:

# Replace [CLOUD_FUNCTION_NAME] with the function you changed: logger or transformer
(cd hello-world/setup; \
pipenv run python3 update_cloud_function.py \
  --organization_id ${ORGANIZATION_ID} \
  --project_id ${HELLO_WORLD_PROJECT_ID} \
  --bucket_name ${CF_BUCKET_NAME} \
  --cloud_function [CLOUD_FUNCTION_NAME] \
  --api_key ${API_KEY} \
  --no-simulation)