Configure Google Cloud Platform Resource Collection

The Google Cloud Platform (GCP) collector is configured within the Resoto Worker configuration via the config command in Resoto Shell.

Enabling the Collector

1. Open the Resoto Worker configuration via the config command in Resoto Shell:

   > config edit resoto.worker

2. Add gcp to the list of collectors by modifying the configuration as follows:

   Resoto Worker configuration

   resotoworker:
     ...
     # List of collectors to run
     collector:
       - 'gcp'
       ...
   ...

Authentication

You can authenticate with Google Cloud Platform via service account JSON files or automatic discovery.

Service Account JSON Files

1. Move or copy your service account JSON file(s) to the ~/.gcp directory.

2. Make your service account JSON file(s) available to Resoto at /home/resoto/.gcp:

   Docker

   • Add volume definition(s) for each service account JSON file to the resotoworker service in docker-compose.yaml:

     docker-compose.yaml

     services:
       ...
       resotoworker:
         image: somecr.io/someengineering/resotoworker:edge
         ...
         volumes:
           - $HOME/.gcp:/home/resoto/.gcp
       ...
     ...

   • Recreate the resotoworker container with the updated service definition:

     $ docker-compose up -d
     note

     Docker Compose V2 integrated compose functions in to the Docker platform.

     In Docker Compose V2, the command is docker compose (no hyphen) instead of docker-compose.

   Kubernetes

   • Create a secret with the path(s) to your service account JSON file(s):

     $ kubectl -n resoto create secret generic resoto-auth \
       --from-file=service-account-1.json=<PATH TO SERVICE ACCOUNT JSON> \
       --from-file=service-account-2.json=<PATH TO ANOTHER SERVICE ACCOUNT JSON>

   • Update resoto-values.yaml as follows:

     resoto-values.yaml

     ...
     resotoworker:
       ...
       volumeMounts:
         - mountPath: /home/resoto/.gcp`
           name: auth-secret
       volumes:
         - name: auth-secret
           secret:
             secretName: resoto-auth
     ...

   • Deploy these changes with Helm:

     $ helm upgrade resoto resoto/resoto --set image.tag=edge -f resoto-values.yaml

   pip

   • Simply move or copy your service account JSON file(s) to the ~/.gcp directory. (Since Resoto is running on your local machine, it can access the file(s) directly.)

     note

     The following steps assume that the file(s) are named service-account-1.json, service-account-2.json, etc.

3. Open the Resoto Worker configuration via the config command in Resoto Shell:

   > config edit resoto.worker

4. Modify the gcp section of the configuration as follows, adding the paths to your service account JSON file:

   Resoto Worker configuration

   resotoworker:
     ...
   ...
   gcp:
     ...
     # GCP service account file(s)
     service_account:
       - /home/resoto/.gcp/service-account-1.json
       - /home/resoto/.gcp/service-account-2.json
   ...

Automatic Discovery

You can specify an empty string for the service account file, and Resoto will automatically discover the service account and all the projects it has access to.

1. Open the Resoto Worker configuration via the config command in Resoto Shell:

   > config edit resoto.worker

2. Modify the gcp section of the configuration as follows:

   Resoto Worker configuration

   resotoworker:
     ...
   ...
   gcp:
     ...
     # GCP service account file(s)
     service_account:
       - ''
   ...

Resource Collection

By default, Resoto performs resource collection each hour. To immediately trigger a collect run, use the workflow run command in Resoto Shell:

> workflow run collect

Once the collect run completes, you can view a summary of collected GCP resources using the following search:

> search is(gcp_resource) | count kind