Discover and Publish Resources hosted in Google Cloud Platform

  • Updated on May 31, 2024

Overview

This article describes how to use Google Cloud Platform (GCP) serverless tooling - Cloud Run and Cloud Scheduler - to regularly and automatically synchronize your GCP resources into SonicWall Cloud Secure Edge (CSE) inventory. You can then publish these discovered resources that need to be accessed by your end users as specific CSE services.

If you wish to run the discovery scripts manually or create your own custom automation workflows, you can use our open-source pybanyan tool. Review the docs on GCP Workflows to leverage Google Cloud Client Libraries for Python to synchronize GCP resources into CSE’s inventory.

Prerequisites

Before proceeding through the steps below, ensure you have:

  • Administrator access to your Google Cloud project
  • API credentials to interact with the CSE (formerly Banyan) API

Steps

At a high level, you will:

  • Step 1. Create a GCP Service Account
  • Step 2. Create a GCP Cloud Run that discovers your GCP resources
  • Step 3. Create a GCP Cloud Scheduler that will call the Cloud Run at regular intervals
  • Step 4. Verify inventory is being synchronized
  • Step 5. Publish discovered resources

Step 1. Create a GCP Service Account

In the GCP console, navigate to IAM & Admin > Service Accounts and create a new service account you will use to invoke the serverless setup.

Assign the following IAM roles to your Service Account:

  • Cloud Run Invoker.

Step 2. Create a GCP Cloud Run

We can now configure a Cloud Run to discover your GCP resources.

2.1 In the GCP console, navigate to Serverless > Cloud Run.

2.2 Click Create service and enter the deployment details.

In the form, set:

  • Container image URL to be gcr.io/banyan-pub/iaas-discovery-gcp:latest
  • Maximum number of instances to be 1

Also set the Service name and Region appropriately for your environment.

2.3 Go into Advanced settings > Variables & Secrets and enter the parameters needed for the container.

You must specify:

  • GOOGLE_CLOUD_FUNCTION = true
  • BANYAN_API_URL = URL of your Command Center
  • BANYAN_REFRESH_TOKEN = Credential for API access to the Command Center
  • RESOURCE_TYPE = all or vm, to indicate the types of GCP resources to sync
  • PROJECT = ID (not name!) of your GCP project

You may also optionally specify parameters to discover more specific resources:

  • ZONE = only sync resources in this GCP Zone
  • LABEL_NAME = only sync resources with this label name

2.4 Go into Configure how this service is triggered

Configure your Cloud Run to Allow all traffic for ingress and to Require authentication.

2.5 Click Create and note down the URL of your Cloud Run.

Note that a Cloud Run service account will be automatically created and default permissions assigned that are sufficient to view your cloud resources.

Step 3. Create a GCP Cloud Scheduler

Next, we’ll create a Cloud Scheduler that will call the Cloud Run at regular intervals.

3.1 In the GCP console, navigate to Application Integration > Cloud Scheduler.

3.2 Click Create Job and enter the job details.

In the form, define the schedule. Set the Frequency to run as often as you need; for example, to run every 6 hours, enter: 0 */6 * * *.

3.3 Configure the execution to call the Cloud Run you created in Step-2

In the form, set:

  • Target type to be HTTP
  • URL to be the Cloud Run URL you created in Step-2.5
  • HTTP method to be GET

Enable authentication:

  • Auth header to Add OIDC token
  • Service Account should be the service account you created in Step-1
  • Audience to be the Cloud Run URL you created in Step-2.5

3.4 Click Create

Your scheduler will now run at the specified interval. Click on Run Now to run it manually as well.
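
The following added example (not part of the original article and not SonicWall or Banyan code) checks that the access settings from Steps 1 to 3 line up: only the Step 1 service account may invoke the Cloud Run, and the scheduler job calls it with GET and an OIDC token whose audience is the Cloud Run URL. It assumes input shaped like the JSON printed by `gcloud run services get-iam-policy --format=json` and `gcloud scheduler jobs describe --format=json`; the function name, URL, project and account names are hypothetical placeholders.

```python
# Added example (not SonicWall/Banyan code): audit the Step 1-3 settings offline.
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def audit_sync_setup(run_url, run_iam_policy, scheduler_job):
    """Return findings; an empty list means the setup matches Steps 1-3."""
    findings = []
    url = run_url.rstrip("/")
    invokers = set()
    for binding in run_iam_policy.get("bindings", []):
        if binding.get("role") == "roles/run.invoker":
            invokers.update(binding.get("members", []))
    # Step 2.4 "Require authentication": no public principal may hold the role.
    for member in sorted(invokers & PUBLIC):
        findings.append(f"Cloud Run is publicly invokable by {member}")
    target = scheduler_job.get("httpTarget", {})
    # Step 3.3: HTTP GET to the Cloud Run URL noted in Step 2.5.
    if target.get("uri", "").rstrip("/") != url:
        findings.append("scheduler URL is not the Cloud Run URL")
    if target.get("httpMethod") != "GET":
        findings.append("scheduler HTTP method is not GET")
    oidc = target.get("oidcToken")
    if not oidc:
        findings.append("scheduler job adds no OIDC token")
        return findings
    # Step 1: the token's service account needs Cloud Run Invoker on the service.
    sa = oidc.get("serviceAccountEmail", "")
    if f"serviceAccount:{sa}" not in invokers:
        findings.append(f"{sa} lacks roles/run.invoker on the service")
    # Cloud Scheduler uses the target URI as audience when none is set.
    audience = oidc.get("audience") or target.get("uri", "")
    if audience.rstrip("/") != url:
        findings.append("OIDC audience is not the Cloud Run URL")
    return findings

# Constructed sample data (placeholder project, URL and account names).
RUN_URL = "https://iaas-discovery-example-uc.a.run.app"
SA = "cse-sync-invoker@example-project.iam.gserviceaccount.com"
GOOD_POLICY = {"bindings": [{"role": "roles/run.invoker",
                             "members": [f"serviceAccount:{SA}"]}]}
OPEN_POLICY = {"bindings": [{"role": "roles/run.invoker",
                             "members": ["allUsers"]}]}
JOB = {"schedule": "0 */6 * * *",
       "httpTarget": {"uri": RUN_URL, "httpMethod": "GET",
                      "oidcToken": {"serviceAccountEmail": SA,
                                    "audience": RUN_URL}}}

if __name__ == "__main__":
    print(audit_sync_setup(RUN_URL, GOOD_POLICY, JOB))   # compliant setup
    print(audit_sync_setup(RUN_URL, OPEN_POLICY, JOB))   # misconfigured setup
```
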

Step 4. Verify inventory is being synchronized

Once your Cloud Run and Cloud Scheduler are configured, you can verify their operations using the Logs section in your GCP console.

Your GCP resources will be listed under the Inventory tab in the Command Center.

Step 5. Publish discovered resources

Click on the Publish icon to publish a Banyan service from this discovered resource.

Select the type of service you wish to create, populate the required fields (such as service domain, access tier, etc.) and attach a policy.


Congrats! You have discovered your GCP resources and published them for your end-users. You can repeat this process as often as you need.