Cloud App Analyzer GCP Onboarding Script

This topic explains how to use a shell script to automate onboarding of your Google Cloud Platform (GCP) organization, folder, or project to Cloud App Analyzer. Each section of the script is outlined below so that you can see what it does, and why, before running it with privileged gcloud credentials.

Script Sections

1. Generate Unique Identifiers

The script begins by generating a short random suffix that is appended to the names of the service account and the other resources it creates.

# $RANDOM is a 15-bit value; its md5sum, truncated to 5 hex characters, becomes the suffix.
HASH=$(echo $RANDOM | md5sum | head -c 5)
SERVICE_ACCOUNT_NAME=prevasio-cspm-$HASH

Purpose: The suffix keeps a new onboarding run from colliding with the resource names of a previous deployment. It only reduces the chance of a collision (there are at most 32,768 distinct values, the range of $RANDOM), and it is a naming aid rather than a secret: the value is visible in every resource name it is part of.

2. Retrieve and Filter Project IDs

list_project_ids() {
    for project_id in $(gcloud projects list --format='value(project_id)'); do
        # parent.id is the immediate parent (organization or folder) of the project
        parent_id=$(gcloud projects describe "$project_id" --format='value(parent.id)')
        # Compare as strings: -eq is an integer test and aborts with a syntax error
        # when parent.id is empty (a project with no parent) or when $1 is not numeric.
        if [ "$1" = "ALL" ] || [ "$parent_id" = "$1" ]; then
            PROJECT_IDS+=("$project_id")
        fi
    done
}

Purpose: The list_project_ids function retrieves every project ID the caller can see and keeps those whose immediate parent matches the target resource (or all of them when the target is ALL). Because only parent.id is compared, projects nested in sub-folders below a target folder or organization are not matched. The function also issues one gcloud projects describe call per project, which is slow in large organizations.
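The same filter, written as an added example (not the Prevasio script's own code) so that the selection logic runs offline on constructed data while a single gcloud call feeds it in production. It matches the immediate parent, as the script does, and uses string comparison so that a project without a parent does not abort the loop. The sample project list below is constructed for the example.

```shell
#!/bin/sh
# Added example; not the Prevasio onboarding script's own code.
set -e

# select_projects TARGET
# Reads lines "PROJECT_ID<TAB>PARENT_TYPE<TAB>PARENT_ID" on stdin (the layout that
# gcloud's value() format emits for the fields requested below) and prints the
# project IDs whose parent ID equals TARGET. TARGET=ALL selects every project.
# String comparison is used throughout, so a project with no parent (empty
# parent fields) is simply skipped instead of raising "integer expression expected".
select_projects() {
  target=$1
  tab=$(printf '\t')
  while IFS="$tab" read -r project_id parent_type parent_id; do
    [ -n "$project_id" ] || continue
    if [ "$target" = "ALL" ] || [ "$parent_id" = "$target" ]; then
      printf '%s\n' "$project_id"
    fi
  done
}

# list_project_ids TARGET
# Live wrapper: one gcloud call instead of one "projects describe" per project.
# (Not executed by the offline checks; requires an authenticated gcloud.)
list_project_ids() {
  gcloud projects list --format='value(project_id,parent.type,parent.id)' \
    | select_projects "$1"
}

# Constructed sample standing in for gcloud output: two projects under folder 111,
# one directly under organization 999, and one with no parent at all.
SAMPLE_PROJECTS=$(printf 'proj-a\tfolder\t111\nproj-b\tfolder\t111\nproj-c\torganization\t999\nproj-d\t\t\n')

folder_111() { printf '%s\n' "$SAMPLE_PROJECTS" | select_projects 111; }
everything() { printf '%s\n' "$SAMPLE_PROJECTS" | select_projects ALL; }

folder_111   # proj-a and proj-b; proj-c (under the org) and proj-d (no parent) are excluded
```

Projects in sub-folders still need a folder walk: the parent test above is deliberately identical to the script's so that the output is comparable.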

3. Create an Attestor for Binary Authorization

gcloud container binauthz attestors create "$ATTESTOR_ID" \
    --attestation-authority-note="$NOTE_ID" \
    --attestation-authority-note-project="$PROJECT_ID"   # project that owns the Container Analysis note

Purpose: Binary Authorization enforces deploy-time controls: a policy can require that every image deployed to GKE or Cloud Run carry an attestation signed by a trusted attestor. The script sets up:

  1. A Container Analysis note, the record under which attestations (occurrences) for images are stored.

  2. An attestor in Binary Authorization that references that note.

  3. IAM bindings on the note so that the service accounts involved can access attestation occurrences.

Creating an attestor enforces nothing by itself; the project's Binary Authorization policy has to require attestations from it.
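The full chain the attestor belongs to, as an added example that is not the Prevasio script's own code: the Container Analysis note, the IAM grant that lets the Binary Authorization service agent read attestations on the note, the attestor, a Cloud KMS signing key registered as its public key, and the policy that finally requires the attestation. Project, note, attestor and KMS names are assumptions; the KMS key ring is assumed to exist already. The JSON and YAML builders run offline; setup_attestor is the live procedure.

```shell
#!/bin/sh
# Added example; not the Prevasio onboarding script's own code.
set -e

# note_body PROJECT NOTE: JSON for the Container Analysis ATTESTATION note under
# which attestations (occurrences) for images are recorded.
note_body() {
  printf '{"name":"projects/%s/notes/%s","attestation":{"hint":{"human_readable_name":"%s"}}}' \
    "$1" "$2" "$2"
}

# note_viewer_policy PROJECT NOTE PROJECT_NUMBER: setIamPolicy body granting the
# Binary Authorization service agent occurrence-viewer access on the note. Without
# this binding the enforcer cannot read the attestations it is asked to verify.
note_viewer_policy() {
  printf '{"resource":"projects/%s/notes/%s","policy":{"bindings":[{"role":"roles/containeranalysis.notes.occurrences.viewer","members":["serviceAccount:service-%s@gcp-sa-binaryauthorization.iam.gserviceaccount.com"]}]}}' \
    "$1" "$2" "$3"
}

# binauthz_policy PROJECT ATTESTOR: a project policy that blocks any image lacking
# an attestation from the attestor and audit-logs the denial.
binauthz_policy() {
  cat <<EOF
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/$1/attestors/$2
EOF
}

# setup_attestor PROJECT PROJECT_NUMBER NOTE ATTESTOR KMS_LOCATION KEYRING KEY
# Live procedure (needs gcloud auth; the containeranalysis, binaryauthorization and
# cloudkms APIs; an existing key ring). Not executed by the offline checks.
setup_attestor() {
  project=$1 number=$2 note=$3 attestor=$4 location=$5 keyring=$6 key=$7
  token=$(gcloud auth print-access-token)
  api="https://containeranalysis.googleapis.com/v1/projects/$project/notes"
  # 1. the note
  curl -sSf -X POST -H "Authorization: Bearer $token" -H "Content-Type: application/json" \
    --data "$(note_body "$project" "$note")" "$api/?noteId=$note"
  # 2. let the Binary Authorization service agent read occurrences on the note
  curl -sSf -X POST -H "Authorization: Bearer $token" -H "Content-Type: application/json" \
    --data "$(note_viewer_policy "$project" "$note" "$number")" "$api/$note:setIamPolicy"
  # 3. the attestor, referencing the note
  gcloud container binauthz attestors create "$attestor" --project="$project" \
    --attestation-authority-note="$note" --attestation-authority-note-project="$project"
  # 4. asymmetric signing key in Cloud KMS, registered as the attestor's public key
  gcloud kms keys create "$key" --project="$project" --location="$location" --keyring="$keyring" \
    --purpose=asymmetric-signing --default-algorithm=ec-sign-p256-sha256
  gcloud container binauthz attestors public-keys add --project="$project" --attestor="$attestor" \
    --keyversion-project="$project" --keyversion-location="$location" \
    --keyversion-keyring="$keyring" --keyversion-key="$key" --keyversion=1
  # 5. the policy that actually requires the attestation
  binauthz_policy "$project" "$attestor" > /tmp/binauthz-policy.yaml
  gcloud container binauthz policy import /tmp/binauthz-policy.yaml --project="$project"
}
```

Keeping the signing key in Cloud KMS means the private key never leaves the HSM-backed service and every signature is audit-logged; the attestor only ever holds the public key.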

4. Create and Manage Secrets

# The token is read from stdin (--data-file=-) so it never appears on the command line.
gcloud secrets create prevasio-$HASH-auth-token --data-file=-
gcloud secrets add-iam-policy-binding prevasio-$HASH-auth-token --member="serviceAccount:${PROJECT_NUMBER}-compute@developer.gserviceaccount.com" --role="roles/secretmanager.secretAccessor"

Purpose: The script stores the analyzer's authentication token in GCP Secret Manager and grants roles/secretmanager.secretAccessor on that single secret. Note that the grantee is the project's default Compute Engine service account, which is also the default runtime identity of 2nd-generation Cloud Functions and Cloud Run, so every workload in the project that runs under that identity can read the token. Granting the role to the dedicated prevasio-cspm-$HASH service account instead would be the least-privilege choice.

5. Deploy Cloud Functions

# Excerpt: a complete deployment also needs --region, --source and --entry-point.
gcloud functions deploy prevasio-$HASH-events-forwarder --gen2 --trigger-http --runtime=python310

Purpose: The script deploys several 2nd-generation Cloud Functions that handle events and security scanning:

  1. prevasio-$HASH-events-forwarder: processes security events received over HTTP.

  2. prevasio-$HASH-cloud-run-scanner: scans Cloud Run deployments.

  3. prevasio-$HASH-image-attestation-creator: generates attestations for container images.

An HTTP-triggered function is reachable by anyone unless invocation is restricted. The excerpt does not show whether the deployment passes --no-allow-unauthenticated or otherwise limits the invoker role, so verify this in the full script before exposing the functions.

6. Configure Cloud Scheduler and Pub/Sub


# Runs the Cloud Run scanner every six hours.
gcloud scheduler jobs create http prevasio-$HASH-cloud-run-scanner-scheduler --schedule="0 */6 * * *"
# Topic on which images awaiting attestation are published.
gcloud pubsub topics create prevasio-$HASH-images-to-sign

Purpose: The script configures scheduled execution with Cloud Scheduler and event-driven processing with Pub/Sub. The excerpt omits the --uri the scheduler job calls and the identity it presents; a job that invokes an HTTP function should present an OIDC token for a service account that holds the invoker role on that function, otherwise the function has to accept unauthenticated calls.
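Sections 4 to 6 wired together under least privilege, as an added example that is not the Prevasio script's own code: the secret, the function and the scheduler job are all bound to the dedicated service account the script creates in section 1 rather than to the project's default Compute Engine identity, the token is fed on stdin from an environment variable instead of appearing in argv, and the scheduler authenticates with an OIDC token. The region, entry point, source path and function URL are assumptions. With DRY_RUN=1 the gcloud commands are printed instead of executed, which is how the flow is checked offline.

```shell
#!/bin/sh
# Added example; not the Prevasio onboarding script's own code.
set -e

# run CMD...: execute, or print when DRY_RUN=1 (assumed convention for reviewing
# what an onboarding script will do before handing it privileged credentials).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# onboard_forwarder PROJECT HASH REGION
# Expects the analyzer token in the AUTH_TOKEN environment variable (never as a
# CLI argument, which would show up in process listings and shell history).
onboard_forwarder() {
  project=$1 hash=$2 region=$3
  sa="prevasio-cspm-$hash@$project.iam.gserviceaccount.com"   # created in section 1
  secret="prevasio-$hash-auth-token"
  fn="prevasio-$hash-events-forwarder"
  fn_url="https://$region-$project.cloudfunctions.net/$fn"     # assumed gen2 URL

  # 1. Secret: value from stdin; accessor role for the dedicated SA only.
  if [ "${DRY_RUN:-0}" = "1" ]; then
    run gcloud secrets create "$secret" --project="$project" --replication-policy=automatic --data-file=-
  else
    printf '%s' "$AUTH_TOKEN" | gcloud secrets create "$secret" --project="$project" \
      --replication-policy=automatic --data-file=-
  fi
  run gcloud secrets add-iam-policy-binding "$secret" --project="$project" \
    --member="serviceAccount:$sa" --role="roles/secretmanager.secretAccessor"

  # 2. Function: runs as the dedicated SA, rejects unauthenticated calls, and reads
  #    the token from Secret Manager at runtime via --set-secrets.
  run gcloud functions deploy "$fn" --gen2 --project="$project" --region="$region" \
    --runtime=python310 --trigger-http --no-allow-unauthenticated \
    --service-account="$sa" --set-secrets="AUTH_TOKEN=$secret:latest" \
    --entry-point=main --source=./events-forwarder

  # 3. Scheduler: only the dedicated SA may invoke the function, and the job
  #    presents an OIDC token for that SA with the function URL as audience.
  run gcloud functions add-invoker-policy-binding "$fn" --project="$project" \
    --region="$region" --member="serviceAccount:$sa"
  run gcloud scheduler jobs create http "prevasio-$hash-cloud-run-scanner-scheduler" \
    --project="$project" --location="$region" --schedule="0 */6 * * *" \
    --uri="$fn_url" --http-method=POST \
    --oidc-service-account-email="$sa" --oidc-token-audience="$fn_url"

  # 4. Pub/Sub topic for images awaiting attestation.
  run gcloud pubsub topics create "prevasio-$hash-images-to-sign" --project="$project"
}
```

Run it as `AUTH_TOKEN=... ./onboard.sh` with `DRY_RUN=1` first and diff the printed commands against what the onboarding script does; the visible differences (grantee of the secret, --no-allow-unauthenticated, OIDC on the scheduler job) are exactly the points worth checking in the real script.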

7. Enable Required APIs

MANDATORY_APIS=(artifactregistry.googleapis.com cloudfunctions.googleapis.com cloudkms.googleapis.com)

Purpose: The script verifies that the APIs it depends on are enabled in the target project. The excerpt shows three of them (Artifact Registry, Cloud Functions, Cloud KMS); the steps above also use Secret Manager, Cloud Scheduler, Pub/Sub and Binary Authorization, so expect the full list to be longer.

If any API is missing, the script prompts the user to enable it before proceeding.
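One way to implement that check and prompt, as an added example (not the Prevasio script's own code): the set difference is computed offline on a constructed list of enabled services, and the live wrapper only enables the missing APIs after the operator confirms, so the script never silently turns on billable services. The mandatory list is the one on this page; the live wrapper assumes an authenticated gcloud.

```shell
#!/bin/sh
# Added example; not the Prevasio onboarding script's own code.
set -e

MANDATORY_APIS="artifactregistry.googleapis.com cloudfunctions.googleapis.com cloudkms.googleapis.com"

# missing_apis ENABLED: prints the mandatory APIs absent from ENABLED, a
# newline-separated list of service names in the form that
# "gcloud services list --enabled --format='value(config.name)'" emits.
missing_apis() {
  enabled=$1
  for api in $MANDATORY_APIS; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || printf '%s\n' "$api"
  done
}

# ensure_apis PROJECT: live check; asks before enabling anything and fails
# closed so the caller cannot proceed with a half-configured project.
ensure_apis() {
  project=$1
  missing=$(missing_apis "$(gcloud services list --enabled --project="$project" --format='value(config.name)')")
  [ -n "$missing" ] || { echo "All mandatory APIs are enabled in $project."; return 0; }
  echo "Missing APIs in $project:"; printf '  %s\n' $missing
  printf 'Enable them now? [y/N] '; read -r answer
  case "$answer" in
    y|Y) gcloud services enable $missing --project="$project" ;;
    *) echo "Aborting: enable the APIs above and re-run." >&2; return 1 ;;
  esac
}

# Constructed sample of an enabled-services list in which Cloud KMS is not on.
SAMPLE_ENABLED=$(printf 'artifactregistry.googleapis.com\ncloudfunctions.googleapis.com\nsecretmanager.googleapis.com\n')

missing_apis "$SAMPLE_ENABLED"   # cloudkms.googleapis.com
```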

8. Validate Organization and Project Configuration

if [[ "$TARGET_RESOURCE" == "$ORGANIZATION_ID" ]]; then
    ONBOARDING_TYPE="ORGANIZATION"
# Redirect stdout as well as stderr, otherwise the folder description is printed to the terminal.
elif gcloud resource-manager folders describe "$TARGET_RESOURCE" >/dev/null 2>&1; then
    ONBOARDING_TYPE="FOLDER"
# Confirm the project exists rather than treating every unknown value as a project.
elif gcloud projects describe "$TARGET_RESOURCE" >/dev/null 2>&1; then
    ONBOARDING_TYPE="PROJECT"
else
    echo "Target resource $TARGET_RESOURCE is not an organization, folder, or project visible to this account" >&2
    exit 1
fi

Purpose: The script determines whether the target resource is an organization, folder, or project so that the correct scope is used. Note that the folder test succeeds only when the caller has permission to describe the folder; a folder ID the account cannot read falls through to the next branch, so the project check at the end is what keeps a mistyped or inaccessible target from being onboarded as a project.