Configuring Remediation for GCP

Configure a Google Cloud Platform (GCP) connector for gathering resource information from your Google Cloud Platform project. It just takes a couple of minutes.

Enable Remediation for New GCP Connectors

Go to Configuration > Google Cloud Platform and then click Manage Connectors.

The Connectors Application appears.

On the Connectors Application, click Create Connector.

Provide a name and description (optional) for your connector. Configure the required settings for the GCP connector. For detailed information on the connector creation steps, refer to Configure GCP Connectors.

Option to enable remediation for a GCP connector

Select the Enable Remediation check box to enable remediation for the connector. All the resources detected by this connector will be evaluated. You can then initiate remediation for the failed resources.

Then click Create Connector.

That’s it! The connector will connect with GCP to start discovering resources from each region.

Configuration on GCP Console

You can manually configure the roles and permissions needed for remediation on the Google Cloud Platform portal. The configuration for remediation includes two parts:

Creating Custom Role

1. Go to IAM console on the Google Cloud Platform Portal.

2. From the drop-down list at the top, select the project for which you want to create a role.

3. Click CREATE ROLE and provide the required details.

4. Click Add Permissions.

5. In the Add Permissions window, add the following permissions:

- compute.firewalls.update
- compute.instances.setMetadata
- storage.buckets.setIamPolicy
- cloudfunctions.functions.setIamPolicy
- bigquery.datasets.update
- cloudsql.instances.update
- cloudkms.cryptoKeys.setIamPolicy

6. Click CREATE.

The custom role is created. You need to now add the custom role to the IAM member.

Adding Custom Role to the IAM Member

1. Go to the IAM & Admin page on the Google Cloud Platform portal.

2. In the IAM members list, choose the member used for creating the connector.

3. Click the edit icon on the right side of the Selected IAM member row.

4. In the Edit permissions window, click ADD ANOTHER ROLE and then choose the Custom role created in the above step.

5. Click Save.

The custom role is added to the IAM member.

Add Compute Engine default service account access to TotalCloud service account

1. Go to Service accounts page by visiting Google Cloud Platform Portal - Service Accounts.

2. From the service accounts list, select the Compute Engine default service account, which follows the pattern PROJECT_NUMBER-compute@developer.gserviceaccount.com, and check the box on the left.

3. On the right pane, click ADD MEMBER.

4. In the New members field, choose the service account provided during connector creation.

5. In Select a role field, choose Service Account User role.

6. Click SAVE.
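The three GCP console procedures above (custom role, role binding, Service Account User on the Compute Engine default service account), as an added gcloud script that is not part of the TotalCloud documentation. It assumes the caller supplies a project ID, project number, custom role ID and the connector's service-account e-mail (all placeholders here); with DRY_RUN left at its default of 1 it only prints the commands so they can be reviewed before they are run.

```shell
#!/bin/sh
# Added example (not from the TotalCloud docs): grant the remediation
# permissions with gcloud instead of clicking through the console.
set -eu

# Exactly the permissions listed under "Creating Custom Role".
REMEDIATION_PERMISSIONS="compute.firewalls.update,compute.instances.setMetadata,storage.buckets.setIamPolicy,cloudfunctions.functions.setIamPolicy,bigquery.datasets.update,cloudsql.instances.update,cloudkms.cryptoKeys.setIamPolicy"

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: project-scoped custom role carrying only the remediation
# permissions, so the connector never needs a broad predefined role.
# Args: PROJECT_ID ROLE_ID
create_remediation_role() {
  run gcloud iam roles create "$2" --project="$1" \
    --title="TotalCloud Remediation" --stage=GA \
    --permissions="$REMEDIATION_PERMISSIONS"
}

# Step 2: bind that custom role to the connector's service account.
# Args: PROJECT_ID ROLE_ID CONNECTOR_SA_EMAIL
bind_role_to_connector_sa() {
  run gcloud projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$3" --role="projects/$1/roles/$2"
}

# Step 3: Service Account User on the Compute Engine default service
# account only (not project-wide), so the connector can act as it.
# Args: PROJECT_ID PROJECT_NUMBER CONNECTOR_SA_EMAIL
# PROJECT_NUMBER comes from:
#   gcloud projects describe PROJECT_ID --format='value(projectNumber)'
grant_sa_user_on_compute_default() {
  run gcloud iam service-accounts add-iam-policy-binding \
    "$2-compute@developer.gserviceaccount.com" --project="$1" \
    --member="serviceAccount:$3" --role="roles/iam.serviceAccountUser"
}
```

Review the printed commands, then rerun with DRY_RUN=0 under an identity that holds the role and service-account admin permissions for the project.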

Enabling Remediation for Existing GCP Connectors

Go to Configuration > Google Cloud Platform and select the connector whose details you want to edit. From the quick actions menu, select View, go to the Connector Information tab, and click Edit.

You can now edit the required details. Select the Enable Remediation check box and click Save. Remediation is enabled for the connector. Once you edit the connector settings, ensure you also configure the roles and permissions needed for remediation on the GCP console.

For more information on configuring roles and permissions on the GCP console, refer to Configuration on GCP Console.

To fetch the updated resources, you need to select Run from the quick actions menu for the GCP connector.