Cloud monitoring for GCP and AWS

Overview

TerraTrue supports integrations with Google Cloud Platform (GCP) and Amazon Web Services (AWS). These integrations continuously monitor your cloud infrastructure and will automatically create a launch each time a change is detected.

Data Privacy and TerraTrue’s Cloud Integrations

To enable these integrations, you’ll need to grant TerraTrue permission to read the configuration data and metadata for several cloud storage services. TerraTrue will not request, and will not receive, permission to read the actual data you’re storing.

For more information on permissions, see Permissions.

If you choose to disable an integration, TerraTrue will immediately revoke its own access credentials and will no longer access your cloud environment. You can also make additional configuration changes to your cloud environment to fully remove any peripheral resources created during the setup of the integration. Once you’ve disabled an integration, we’ll delete any data we’ve collected about your cloud environment within 30 days.

To learn how to disable the GCP integration, see Disabling the GCP integration.

Enabling the GCP Integration

  1. Ensure that you have the Admin role in TerraTrue and the Organization Administrator and Organization Role Administrator roles in your GCP organization.
  2. In Org Settings > Integrations > Google Cloud, toggle on the integration.
  3. Select the product you wish to associate with the launches that this integration will create.
  4. Configure your GCP environment to grant permissions to the service account that we've automatically provisioned for you.
  5. Configure your GCP projects to enable several APIs that the integration needs.
  6. Once you've completed these configurations, we'll perform a smoke test to confirm your setup. This test takes a few minutes to run, and we'll notify you by email once it completes.
  7. After our test finishes, we'll show you a list of your GCP projects on the integration page. Each project can have one of the following statuses:
    • Success
    • Warning (one or more GCP APIs failed to be enabled in this project)
    • Error (we encountered an error when trying to access this project)

After you complete the GCP integration setup, TerraTrue will scan your GCP environment once a day, detect any infrastructure changes, and automatically create a launch for each change.

Infrastructure changes

The GCP integration detects the creation of new instances in supported storage services. For each new instance, the integration creates a launch that includes the name and type of the storage instance, the GCP project it belongs to, and its URL. TerraTrue supports the following storage services:

  • BigQuery dataset
  • Cloud Storage bucket
  • Cloud SQL instance
  • Datastore entity kind
  • Firestore collection

Permissions

TerraTrue’s GCP integration requires permissions to your organization and projects to perform the following tasks:

  • List projects in your organization
  • List and get metadata of instances of the GCP storage services
  • List the enabled APIs in a GCP project so that we can notify you if the project hasn’t enabled an API we need

The integration requires the following permissions:

  • bigquery.datasets.get
  • cloudsql.instances.get
  • cloudsql.instances.list
  • datastore.entities.list
  • datastore.namespaces.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • storage.buckets.list

APIs

For TerraTrue to monitor your storage services, you’ll need to enable the following APIs in your GCP projects.

  • bigquery.googleapis.com
  • bigquerystorage.googleapis.com
  • datastore.googleapis.com
  • firestore.googleapis.com
  • sql-component.googleapis.com
  • sqladmin.googleapis.com
  • storage-api.googleapis.com
  • storage-component.googleapis.com
  • storage.googleapis.com

If any one of these APIs is disabled in a project, TerraTrue can still monitor the storage services whose APIs remain enabled in that project.
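One way to check a project's API coverage before the daily scan, as an added example rather than anything shipped by TerraTrue: it parses the output of `gcloud services list --enabled --format='value(config.name)'`, compares it with the API list above, and reports which storage services can be monitored. The grouping of APIs by storage service is an assumption made for this example, not something the docs state.

```python
"""Check which of the GCP APIs TerraTrue needs are enabled in a project."""

# APIs listed in the TerraTrue docs, grouped by the storage service they serve.
# The grouping is an assumption made for this example, not stated in the docs.
REQUIRED_APIS = {
    "BigQuery dataset": {"bigquery.googleapis.com", "bigquerystorage.googleapis.com"},
    "Cloud Storage bucket": {"storage-api.googleapis.com",
                             "storage-component.googleapis.com",
                             "storage.googleapis.com"},
    "Cloud SQL instance": {"sql-component.googleapis.com", "sqladmin.googleapis.com"},
    "Datastore entity kind": {"datastore.googleapis.com"},
    "Firestore collection": {"firestore.googleapis.com"},
}

def parse_enabled(gcloud_output: str) -> set[str]:
    """Parse `gcloud services list --enabled --format='value(config.name)'` output."""
    return {line.strip().lower() for line in gcloud_output.splitlines() if line.strip()}

def coverage_report(enabled: set[str]) -> dict[str, list[str]]:
    """Per storage service, the required APIs that are still disabled.
    An empty list means TerraTrue can monitor that service."""
    return {service: sorted(apis - enabled) for service, apis in REQUIRED_APIS.items()}

def monitorable_services(enabled: set[str]) -> list[str]:
    """Storage services whose APIs are all enabled."""
    return sorted(s for s, missing in coverage_report(enabled).items() if not missing)

# Constructed sample: a project with everything enabled except the Firestore API.
SAMPLE_OUTPUT = """\
bigquery.googleapis.com
bigquerystorage.googleapis.com
datastore.googleapis.com
sql-component.googleapis.com
sqladmin.googleapis.com
storage-api.googleapis.com
storage-component.googleapis.com
storage.googleapis.com
"""

if __name__ == "__main__":
    enabled = parse_enabled(SAMPLE_OUTPUT)
    for service, missing in coverage_report(enabled).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{service}: {status}")
```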

Disabling the GCP integration

When you disable your GCP integration, TerraTrue will immediately delete the service account we’ve provisioned for you and will stop accessing your GCP environment. You can verify deletion of the service account and, if you wish, delete the service account’s entry by visiting your organization’s GCP IAM page. You can delete the custom role that TerraTrue created by visiting your organization’s GCP Roles page.

Enabling the AWS Integration

Prerequisites

You'll need the following access to enable and configure the AWS integration:

  • Admin in TerraTrue
  • For each AWS account:
    • Full access to IAM
    • Full access to CloudFormation
    • Read and List access to S3
    • Read access to Cloud Control API

Setup

  1. Select a product that you wish to associate with the launches created by this integration.
  2. For each of your organization’s AWS accounts, grant access to TerraTrue’s AWS account:
    1. Log into your AWS account
    2. Select CloudFormation on the AWS integration page
    3. Follow the steps to create an AWS Stack that includes a new role with an inline policy in your AWS account and grants our AWS account the sts:AssumeRole permission
    4. After the AWS Stack is created, copy the RoleARN string from the outputs tab, paste it into the AWS integration page, and click Add Account
    5. We'll perform a quick test to confirm that our AWS account can now access this account

After you complete the AWS integration setup, TerraTrue will scan your AWS environment once a day, detect any infrastructure change, and automatically create a launch for each change.

Infrastructure Changes

The AWS integration can detect the creation of instances in the following storage services:

  • S3 Bucket
  • RDS Instance
  • Aurora Cluster
  • DynamoDB Table

For each infrastructure change, the integration will create a launch that includes the name and type of the storage instance, the AWS account to which it belongs, and its URL.

Permissions

The AWS Stack includes a role whose trust (AssumeRole) policy allows our AWS account to assume it. The role also has an inline policy with the following permissions, which we need to list and get metadata of your storage instances.

  • ec2:DescribeRegions
  • s3:ListAllMyBuckets
  • dynamodb:ListTables
  • dynamodb:DescribeTable
  • rds:DescribeDBInstances
  • rds:DescribeDBClusters
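An added example (not TerraTrue's template or tooling) for confirming that the role the stack created stays within this documented scope, which also verifies that no data-reading permission was granted: it audits the role's trust policy and inline policy documents, as you might export them with `aws iam get-role` and `aws iam get-role-policy`. The TerraTrue account ID is a placeholder, since the docs do not list it; the sample documents are constructed for this example.

```python
"""Audit the IAM role from the TerraTrue CloudFormation stack against the documented scope."""

# Actions the TerraTrue docs list for the role's inline policy (list/describe metadata only).
DOCUMENTED_ACTIONS = {
    "ec2:DescribeRegions", "s3:ListAllMyBuckets", "dynamodb:ListTables",
    "dynamodb:DescribeTable", "rds:DescribeDBInstances", "rds:DescribeDBClusters",
}
# Placeholder: TerraTrue's account ID is not in the docs; read it from your deployed stack.
TRUSTED_ACCOUNT = "<TERRATRUE_ACCOUNT_ID>"

def _as_list(value):
    """IAM documents allow a single string or a list in Action/Principal fields."""
    return value if isinstance(value, list) else [value]

def audit_role(trust_policy: dict, inline_policy: dict,
               trusted_account: str = TRUSTED_ACCOUNT) -> list[str]:
    """Return findings; an empty list means the role matches the documented scope."""
    findings = []
    allowed_principals = {trusted_account, f"arn:aws:iam::{trusted_account}:root"}
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if set(_as_list(stmt.get("Action", []))) != {"sts:AssumeRole"}:
            findings.append(f"trust policy action is not just sts:AssumeRole: {stmt.get('Action')}")
        principal = stmt.get("Principal", {})
        accounts = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for acct in accounts:
            if acct not in allowed_principals:
                findings.append(f"trust policy principal is not the expected account: {acct}")
    for stmt in _as_list(inline_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action exceeds documented scope: {action}")
            elif action not in DOCUMENTED_ACTIONS:
                findings.append(f"undocumented action: {action}")
    return findings

# Constructed sample documents shaped like the stack's role (not the real template).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"}}]}
INLINE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(DOCUMENTED_ACTIONS), "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_role(TRUST_POLICY, INLINE_POLICY) or "role matches documented scope")
```

Re-run the audit after any stack update; a new action such as an object-read permission shows up as an undocumented action.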

Disabling the AWS integration

If you choose to disable the AWS integration, we'll immediately remove the RoleARNs that you've added and will stop accessing your AWS accounts. To fully remove our access, delete the AWS Stack created during the setup in each AWS account.