Google Cloud
Visualize Google Cloud resources, map Google Cloud users to employees, and monitor visibility and governance of the environment through queries and alerts.
Installation
To use this integration, JupiterOne requires the contents of a Google Cloud service account key file with the correct API services enabled. In addition, you must have permission in JupiterOne to install new integrations.
Overview
The Google Cloud integration requires three main configuration steps:
- Enable Google Cloud service APIs for the services you want to ingest
- Create a service account with appropriate permissions
- Configure the integration in JupiterOne with the service account key
Google Cloud Configuration
Google Cloud has most API services disabled by default. When a Google Cloud service API is disabled, the JupiterOne integration will not ingest the data from that API.
You only need to enable the APIs for the services you want JupiterOne to ingest. If a service is not used in your Google Cloud environment, you can skip enabling its API.
See the Authorization tab for the full list of required APIs and permissions per ingestion step.
Required APIs: The following APIs must always be enabled for the integration to function: cloudasset.googleapis.com, cloudresourcemanager.googleapis.com, iam.googleapis.com, and serviceusage.googleapis.com. All other APIs are optional and should only be enabled if you want to ingest data from those specific services.
Enabling Google Cloud Service APIs
Google Cloud service APIs can be enabled from the Google Cloud Console API Library or using the gcloud CLI. See the Authorization tab for the complete list of APIs used by this integration.
Creating Google Cloud project service account
- See the Google Cloud service account documentation for more information on how to create a service account in the project that you would like to ingest data from.
The newly created service account must be assigned the correct permissions for the integration to run. We recommend using the following roles managed by Google Cloud:
Instead of using the Google Cloud managed roles listed above, you can create a custom IAM role with only the specific permissions required by the JupiterOne integration. See the Authorization tab for the complete list of permissions per ingestion step. See the Google Cloud custom role documentation for information on how custom roles can be configured and assigned.
NOTE: You may also create a service account using the gcloud CLI. There is documentation on how to leverage the CLI in the JupiterOne Google Cloud integration developer documentation.
Generate a service account key
See the Google Cloud service account key documentation for more information on how to create a service account key for the service account that you would like to use to ingest data.
NOTE: You may also create a service account key using the gcloud CLI. Read more about the CLI in the Google Cloud integration developer documentation.
JupiterOne + Google Cloud Organization
Given the correct permissions, JupiterOne has the ability to automatically discover each project under a Google Cloud organization and configure integration instances for each of the projects.
Setup
- Select one Google Cloud project to configure a service account for JupiterOne.
- Create the service account without a role. Copy the email address of the new service account (e.g. my-sa@my-j1-project.iam.gserviceaccount.com).
- Generate and copy a new service account key.
- Enable service APIs in both the "main" project and each "child" project that you'd like JupiterOne to access.
  Important: The following APIs must be enabled in the "main" project:
  - cloudasset.googleapis.com (Cloud Asset)
  - cloudresourcemanager.googleapis.com (Cloud Resource Manager)
  - iam.googleapis.com (Identity and Access Management)
  - serviceusage.googleapis.com (Service Usage)
  For child projects: Enable the service APIs for the specific services you want to ingest from each project. Refer to the API table in the earlier section for the complete list of supported services.
- Switch to the organization for which you'd like to create individual integration instances for each project.
- Create a new custom role with the following permissions:
  - resourcemanager.folders.get
  - resourcemanager.folders.list
  - resourcemanager.organizations.get
  - resourcemanager.projects.get
  - resourcemanager.projects.list
  - serviceusage.services.list
  - resourcemanager.organizations.getIamPolicy
  - cloudasset.assets.searchAllIamPolicies
  The integration will also try to ingest the organization policy for "storage.publicAccessPrevention", to precisely calculate storage bucket public access, and Access Approval settings, which enforce manual approval of privileged operations (CIS 2.15). It is therefore recommended that the following permissions are also included in the custom role above:
  - orgpolicy.policy.get
  - accessapproval.settings.get
  - accessapproval.requests.get
  The integration will calculate if a storage bucket is public or not based on the following conditions:
  - Public to internet means one or more bucket-level permissions grant access to allUsers or allAuthenticatedUsers.
  - Not public means the bucket’s policy controls all objects uniformly, and no permissions have been granted to allUsers or allAuthenticatedUsers.
  - Subject to object ACLs means fine-grained, object-level access control lists (ACLs) are enabled. Objects may be public if they grant access to allUsers or allAuthenticatedUsers.
- Navigate to the Cloud Resource Manager for that organization and add a new member to the organization. The new member email address is the email address of the service account that was created earlier. Select the new organization role that was created above, as well as the Google Cloud managed role "Security Reviewer" (roles/iam.securityReviewer) or an alternative JupiterOne custom role that you've created.
- Navigate to the JupiterOne Google Cloud integration configuration page to begin configuring the "main" integration instance.
  Use the generated service account key as the value for the "Service Account Key File" field.
  The "Polling Interval" that is selected for the "main" integration instance will be the same polling interval that is used for each of the child integration instances.
- Select the "Configure Organization Projects" checkbox.
- Enter the numerical value of the Google Cloud organization into the "Organization ID" text field (e.g. "1234567890").
- Click CREATE CONFIGURATION.
Depending on how many projects exist under a Google Cloud organization, the auto-configuration process may take a few minutes to complete. When the process has been completed, you will see your new integration instances on the JupiterOne Google Cloud integration list page.
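The three bucket exposure conditions listed in the setup steps can be reproduced locally when reviewing a bucket export. The following is an added example, not JupiterOne's own code: the function names and sample buckets are constructed, the input shapes follow the Cloud Storage bucket resource (`iamConfiguration`) and IAM policy (`bindings`), and the handling of public access prevention is an assumption because the page does not say how the integration applies it.

```python
"""Added example: the three-way bucket exposure classification described above."""

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

PUBLIC = "Public to internet"
NOT_PUBLIC = "Not public"
OBJECT_ACLS = "Subject to object ACLs"


def public_bindings(iam_policy):
    """Return sorted (role, member) pairs that grant a role to a public principal."""
    hits = set()
    for binding in iam_policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.add((binding.get("role", ""), member))
    return sorted(hits)


def classify_bucket(bucket, iam_policy, org_pap_enforced=False):
    """Classify one bucket and return (label, evidence)."""
    iam_cfg = bucket.get("iamConfiguration", {})
    grants = public_bindings(iam_policy)

    # Assumption (not stated on the page): when public access prevention is
    # enforced on the bucket or by the storage.publicAccessPrevention org
    # policy, public grants are blocked, so the bucket is reported as not public.
    if org_pap_enforced or iam_cfg.get("publicAccessPrevention") == "enforced":
        return NOT_PUBLIC, f"public access prevention enforced ({len(grants)} public grant(s) blocked)"

    # Condition 1: any bucket-level grant to allUsers / allAuthenticatedUsers.
    if grants:
        return PUBLIC, ", ".join(f"{member} -> {role}" for role, member in grants)

    # Condition 2: uniform bucket-level access and no public members.
    if iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        return NOT_PUBLIC, "uniform bucket-level access, no public members"

    # Condition 3: fine-grained ACLs, so single objects can still be public.
    return OBJECT_ACLS, "fine-grained ACLs enabled, individual objects may be public"


# Constructed sample data (not taken from any real project).
SAMPLE_BUCKETS = [
    {
        "name": "static-site",
        "bucket": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                                        "publicAccessPrevention": "inherited"}},
        "policy": {"bindings": [{"role": "roles/storage.objectViewer",
                                 "members": ["allUsers"]}]},
    },
    {
        "name": "internal-logs",
        "bucket": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}},
        "policy": {"bindings": [{"role": "roles/storage.objectAdmin",
                                 "members": ["group:sec@example.com"]}]},
    },
    {
        "name": "legacy-uploads",
        "bucket": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}},
        "policy": {"bindings": [{"role": "roles/storage.admin",
                                 "members": ["user:owner@example.com"]}]},
    },
    {
        "name": "locked-down",
        "bucket": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                                        "publicAccessPrevention": "enforced"}},
        "policy": {"bindings": [{"role": "roles/storage.objectViewer",
                                 "members": ["allAuthenticatedUsers"]}]},
    },
]


def report(samples, org_pap_enforced=False):
    """Map bucket name -> classification label for a list of samples."""
    return {
        s["name"]: classify_bucket(s["bucket"], s["policy"], org_pap_enforced)[0]
        for s in samples
    }


if __name__ == "__main__":
    for sample in SAMPLE_BUCKETS:
        label, evidence = classify_bucket(sample["bucket"], sample["policy"])
        print(f"{sample['name']:15} {label:24} {evidence}")
```

A bucket reported as "Subject to object ACLs" still needs its object ACLs reviewed, since the bucket-level policy alone cannot show whether individual objects are public.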
Configuration in JupiterOne
To install the Google Cloud integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Google Cloud. Click New Instance to begin configuring your integration.
Creating an instance requires the following:
- Account Name by which you want to identify this Google Cloud account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when Add AccountName Tag is enabled.
- Description that will assist your team to identify the integration instance.
- Polling Interval that you feel is sufficient for your monitoring needs. You can leave this as DISABLED and manually execute the integration.
- Service Account Key File contents of the Google Cloud service account.
- Add any tags you want to use to simplify data management and queries.
Optionally, you can enter a project ID to target for data ingestion. The default is the project ID specified in the service account key file.
Select Configure Organization Projects if you want J1 to auto-configure all projects in your organization. J1 applies the configuration to all other projects that do not have the optional j1-integration: SKIP tag applied to the project in your infrastructure-as-code. Do not use the optional project ID if you want to use this feature.
Optionally, enter a numerical folder ID if you want to specify that J1 is to only ingest projects in a specific folder and any of its subfolders. If you have enabled Configure Organization Projects, J1 only auto-configures projects in this specified folder.
Click Create after all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Permissions
IAM permissions that must be granted to the integration principal for data ingestion.
accessapproval.settings.get, accesscontextmanager.accessLevels.list, accesscontextmanager.accessPolicies.list, accesscontextmanager.servicePerimeters.list, aiplatform.batchPredictionJobs.list, aiplatform.datasets.list, aiplatform.endpoints.list, aiplatform.models.list, aiplatform.trainingPipelines.list, alloydb.backups.get, alloydb.clusters.list, alloydb.instances.connect, alloydb.instances.list, alloydb.users.list, apigateway.apiconfigs.getIamPolicy, apigateway.apiconfigs.list, apigateway.apis.getIamPolicy, apigateway.apis.list, apigateway.gateways.getIamPolicy, apigateway.gateways.list, appengine.applications.get, appengine.instances.list, appengine.services.list, appengine.versions.list, artifactregistry.packages.list, artifactregistry.repositories.list, artifactregistry.vpcscconfigs.get, bigquery.datasets.get, bigquery.models.getData, bigquery.models.getMetadata, bigquery.models.list, bigquery.tables.get, bigquery.tables.getIamPolicy, bigquery.tables.list, bigtable.appProfiles.list, bigtable.backups.list, bigtable.clusters.list, bigtable.instances.list, bigtable.tables.list, billing.budgets.list, binaryauthorization.policy.get, cloudasset.assets.listCloudbillingBillingAccounts, cloudasset.assets.listCloudbillingProjectBillingInfos, cloudasset.assets.searchAllIamPolicies, cloudbuild.builds.get, cloudbuild.builds.list, cloudbuild.integrations.get, cloudbuild.integrations.list, cloudbuild.repositories.get, cloudbuild.repositories.list, cloudbuild.workerpools.list, clouddeploy.automations.list, clouddeploy.deliveryPipelines.list, cloudfunctions.functions.list, cloudkms.cryptoKeys.getIamPolicy, cloudkms.cryptoKeys.list, cloudkms.keyRings.list, cloudsecurityscanner.scanruns.list, cloudsecurityscanner.scans.list, cloudsql.databases.list, cloudsql.instances.list, cloudsql.users.list, compute.addresses.list, compute.backendBuckets.list, compute.backendServices.list, compute.disks.list, compute.externalVpnGateways.list, compute.firewalls.list, compute.forwardingRules.list, compute.globalAddresses.list, compute.globalForwardingRules.list, compute.healthChecks.list, compute.images.get, compute.images.getIamPolicy, compute.images.list, compute.instanceGroups.list, compute.instances.list, compute.networks.list, compute.projects.get, compute.regionBackendServices.list, compute.regionHealthChecks.list, compute.regionTargetHttpProxies.list, compute.regionTargetHttpsProxies.list, compute.regionUrlMaps.list, compute.routers.list, compute.snapshots.list, compute.sslPolicies.list, compute.subnetworks.list, compute.targetHttpProxies.list, compute.targetHttpsProxies.list, compute.targetPools.list, compute.targetSslProxies.list, compute.targetVpnGateways.list, compute.urlMaps.list, compute.vpnGateways.list, compute.vpnTunnels.list, container.clusters.list, dataproc.clusters.list, dlp.jobTriggers.list, dlp.tableDataProfiles.list, dns.managedZones.list, dns.policies.list, dns.resourceRecordSets.get, essentialcontacts.contacts.list, file.instances.list, firestore.databases.list, iam.roles.list, iam.serviceAccountKeys.list, iam.serviceAccounts.list, iap.webServices.getIamPolicy, logging.logMetrics.list, logging.sinks.list, memcache.instances.list, monitoring.alertPolicies.list, orgpolicy.policies.list, orgpolicy.policy.get, osconfig.inventories.get, privateca.caPools.list, privateca.certificateAuthorities.getIamPolicy, privateca.certificateAuthorities.list, privateca.certificates.list, pubsub.subscriptions.list, pubsub.topics.getIamPolicy, pubsub.topics.list, redis.instances.list, resourcemanager.folders.list, resourcemanager.organizations.get, resourcemanager.projects.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.list, run.configurations.list, run.routes.list, run.services.list, secretmanager.secrets.list, secretmanager.versions.list, securitycenter.findings.list, serviceusage.services.list, source.repos.list, spanner.backups.get, spanner.databases.getIamPolicy, spanner.databases.list, spanner.databasesRoles.list, spanner.instanceConfigs.list, spanner.instances.list, storage.buckets.getIamPolicy, storage.buckets.list, workflows.workflows.list, workstations.clusters.list, workstations.configs.list, workstations.workstations.list
APIs
APIs or services that must be enabled in the target environment.
accessapproval.googleapis.com, accesscontextmanager.googleapis.com, aiplatform.googleapis.com, alloydb.googleapis.com, apigateway.googleapis.com, apikeys.googleapis.com, appengine.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigtable.googleapis.com, binaryauthorization.googleapis.com, cloudasset.googleapis.com, cloudbilling.googleapis.com, cloudbuild.googleapis.com, clouddeploy.googleapis.com, cloudfunctions.googleapis.com, cloudidentity.googleapis.com, cloudkms.googleapis.com, cloudsql.googleapis.com, compute.googleapis.com, container.googleapis.com, dataproc.googleapis.com, dlp.googleapis.com, dns.googleapis.com, essentialcontacts.googleapis.com, file.googleapis.com, firestore.googleapis.com, iam.googleapis.com, iap.googleapis.com, logging.googleapis.com, memcache.googleapis.com, monitoring.googleapis.com, orgpolicy.googleapis.com, osconfig.googleapis.com, privateca.googleapis.com, pubsub.googleapis.com, redis.googleapis.com, resourcemanager.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, securitycenter.googleapis.com, serviceusage.googleapis.com, source.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, websecurityscanner.googleapis.com, workflows.googleapis.com, workstations.googleapis.com
Per-Step Breakdown
Detailed authorization requirements for each ingestion step.
| Step | Permissions | APIs |
|---|---|---|
| Access Approval Settings | accessapproval.settings.get | accessapproval.googleapis.com |
| Access Context Manager Access Levels | accesscontextmanager.accessLevels.list | accesscontextmanager.googleapis.com |
| Access Context Manager Ingress Policies Sources Relationships | - | - |
| Access Context Manager Service Perimeters | accesscontextmanager.servicePerimeters.list | accesscontextmanager.googleapis.com |
| Api Gateway Api Configs | apigateway.apiconfigs.list, apigateway.apiconfigs.getIamPolicy | apigateway.googleapis.com |
| Api Gateway Gateways | apigateway.gateways.list, apigateway.gateways.getIamPolicy | apigateway.googleapis.com |
| API Keys | - | apikeys.googleapis.com |
| API Services | serviceusage.services.list | serviceusage.googleapis.com |
| AppEngine Instances | appengine.instances.list | appengine.googleapis.com |
| AppEngine Services | appengine.services.list | appengine.googleapis.com |
| AppEngine Versions | appengine.versions.list | - |
| Artifact Registry VPC SC configuration and Policy | artifactregistry.vpcscconfigs.get | artifactregistry.googleapis.com |
| Artifact Repository Package | artifactregistry.packages.list | artifactregistry.googleapis.com |
| Audit Config IAM Policy | resourcemanager.projects.getIamPolicy | resourcemanager.googleapis.com |
| Big Query Models | bigquery.models.list, bigquery.models.getData, bigquery.models.getMetadata | bigquery.googleapis.com |
| Big Query Tables | bigquery.tables.list, bigquery.tables.getIamPolicy, bigquery.tables.get | bigquery.googleapis.com |
| Bigtable AppProfiles | bigtable.appProfiles.list | bigtable.googleapis.com |
| Bigtable Backups | bigtable.backups.list | bigtable.googleapis.com |
| Bigtable Clusters | bigtable.clusters.list | bigtable.googleapis.com |
| Bigtable Tables | bigtable.tables.list | bigtable.googleapis.com |
| Billing Budgets | billing.budgets.list | cloudbilling.googleapis.com |
| Binary Authorization Policy | binaryauthorization.policy.get | binaryauthorization.googleapis.com |
| Build Additional Project Budget Relationships | cloudasset.assets.listCloudbillingProjectBillingInfos | cloudbilling.googleapis.com |
| Build Device User Is Google User Relationship | - | - |
| Build User Assigned AlloyDb Cluster Relationship | alloydb.users.list | - |
| Cloud Deploy Automation | clouddeploy.automations.list | clouddeploy.googleapis.com |
| Cloud Identity Device Users | - | cloudidentity.googleapis.com |
| Cloud Identity Groups | - | cloudidentity.googleapis.com |
| Cloud Identity Membership Roles | - | cloudidentity.googleapis.com |
| Cloud Identity SAML Provider Uses Group Relationship | - | cloudidentity.googleapis.com |
| Cloud Run Configurations | run.configurations.list | run.googleapis.com |
| Cloud Run Routes | run.routes.list | - |
| Cloud Spanner Backups | spanner.backups.get | spanner.googleapis.com |
| Cloud VPN Gateways | compute.vpnGateways.list | compute.googleapis.com |
| Compute Addresses | compute.addresses.list | compute.googleapis.com |
| Compute Backend Services | compute.backendServices.list | compute.googleapis.com |
| Compute Disk Image Relationships | compute.images.get | compute.googleapis.com |
| Compute Firewalls | compute.firewalls.list | compute.googleapis.com |
| Compute Forwarding Rules | compute.forwardingRules.list | compute.googleapis.com |
| Compute Global Addresses | compute.globalAddresses.list | compute.googleapis.com |
| Compute Global Forwarding Rules | compute.globalForwardingRules.list | compute.googleapis.com |
| Compute Images | compute.images.list, compute.images.getIamPolicy | compute.googleapis.com |
| Compute Instances | compute.instances.list, osconfig.inventories.get | compute.googleapis.com, osconfig.googleapis.com |
| Compute Load Balancers | compute.urlMaps.list | compute.googleapis.com |
| Compute Project | compute.projects.get | compute.googleapis.com |
| Compute Region Backend Services | compute.regionBackendServices.list | compute.googleapis.com |
| Compute Region Load Balancers | compute.regionUrlMaps.list | compute.googleapis.com |
| Compute Region Target HTTP Proxies | compute.regionTargetHttpProxies.list | compute.googleapis.com |
| Compute Region Target HTTPS Proxies | compute.regionTargetHttpsProxies.list | compute.googleapis.com |
| Compute SSL Policies | compute.sslPolicies.list | compute.googleapis.com |
| Compute Subnetworks | compute.subnetworks.list | compute.googleapis.com |
| Compute Target HTTP Proxies | compute.targetHttpProxies.list | compute.googleapis.com |
| Compute Target HTTPS Proxies | compute.targetHttpsProxies.list | compute.googleapis.com |
| Compute Target Pools | compute.targetPools.list | compute.googleapis.com |
| Compute Target SSL Proxies | compute.targetSslProxies.list | compute.googleapis.com |
| Container Clusters | container.clusters.list | container.googleapis.com |
| DLP Table Data Profiles | dlp.tableDataProfiles.list | dlp.googleapis.com |
| DNS Managed Zone Records | dns.resourceRecordSets.get | dns.googleapis.com |
| DNS Policies | dns.policies.list | dns.googleapis.com |
| Essential Contacts | essentialcontacts.contacts.list | essentialcontacts.googleapis.com |
| External VPN Gateways | compute.externalVpnGateways.list | compute.googleapis.com |
| Fetch Cloud Build BitBucket Server Repos | cloudbuild.repositories.list, cloudbuild.repositories.get | cloudbuild.googleapis.com |
| Fetch Scan Runs | cloudsecurityscanner.scanruns.list | websecurityscanner.googleapis.com |
| Fetch Secret Manager secret versions | secretmanager.versions.list | secretmanager.googleapis.com |
| Fetch Security Command Center Findings | securitycenter.findings.list | securitycenter.googleapis.com |
| Fetch SQL Admin Backups | cloudsql.databases.list | cloudsql.googleapis.com |
| Fetch SQL Admin Instance Databases | cloudsql.databases.list | sqladmin.googleapis.com |
| Fetch SQL Admin Instance Users | cloudsql.users.list | sqladmin.googleapis.com |
| Fetch SQL Admin SSL Certs | cloudsql.databases.list | cloudsql.googleapis.com |
| fetch-alloydb-postgre-sql-connection | alloydb.instances.connect | alloydb.googleapis.com |
| fetch-alloydb-postgre-sql-instance | alloydb.instances.list | alloydb.googleapis.com |
| Firestore Service Database Relationships | - | - |
| google_cloud_workflow_uses_iam_service_account | - | - |
| IAP Backend Service Bindings | iap.webServices.getIamPolicy | iap.googleapis.com |
| KMS Crypto Keys | cloudkms.cryptoKeys.list, cloudkms.cryptoKeys.getIamPolicy | cloudkms.googleapis.com |
| Logging Metrics | logging.logMetrics.list | logging.googleapis.com |
| Network Has VPN Gateway Relationships | - | - |
| Private CA Certificate Authorities | privateca.certificateAuthorities.getIamPolicy, privateca.certificateAuthorities.list | privateca.googleapis.com |
| Private CA Certificates | privateca.certificates.list | privateca.googleapis.com |
| PubSub Subscriptions | pubsub.subscriptions.list | pubsub.googleapis.com |
| Resource Manager Folders | resourcemanager.folders.list | resourcemanager.googleapis.com |
| Resource Manager Projects | resourcemanager.projects.list | resourcemanager.googleapis.com |
| Resource Manager Skipped and Deleted Projects | resourcemanager.projects.get | resourcemanager.googleapis.com |
| Spanner Instance Databases | spanner.databases.list | spanner.googleapis.com |
| Spanner Instance Databases Role | spanner.databasesRoles.list | spanner.googleapis.com |
| Spanner Instances | spanner.instances.list, spanner.databases.getIamPolicy | spanner.googleapis.com |
| SQL Admin Instances | cloudsql.instances.list | cloudsql.googleapis.com |
| Target VPN Gateways | compute.targetVpnGateways.list | compute.googleapis.com |
| Vertex AI Endpoint Model Relationships | - | - |
| VPN Gateway Has Tunnel Relationships | - | - |
| VPN Tunnel Uses Router Relationships | - | - |
| VPN Tunnels | compute.vpnTunnels.list | compute.googleapis.com |
| Workflows Service Workflow Relationships | - | - |
| Workstations | workstations.workstations.list | workstations.googleapis.com |
| Workstations Clusters | workstations.clusters.list | workstations.googleapis.com |
| Workstations Configurations | workstations.configs.list | workstations.googleapis.com |
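When building a custom role with only the permissions needed, the per-step rows above can be reduced to the permission and API set for just the steps you intend to run. The following is an added example, not part of the JupiterOne integration: the function names and the role title are hypothetical, `STEP_ROWS` holds a few rows copied from the table above, and the output uses the `title` / `stage` / `includedPermissions` layout of a role definition file for `gcloud iam roles create --file`.

```python
"""Added example: derive a least-privilege role and API list from chosen steps."""

# The four APIs the page says must always be enabled.
REQUIRED_APIS = {
    "cloudasset.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "iam.googleapis.com",
    "serviceusage.googleapis.com",
}

# Rows copied from the Per-Step Breakdown table on this page.
STEP_ROWS = """\
| Step | Permissions | APIs |
|---|---|---|
| API Services | serviceusage.services.list | serviceusage.googleapis.com |
| Cloud Identity Groups | - | cloudidentity.googleapis.com |
| Cloud Run Routes | run.routes.list | - |
| Compute Firewalls | compute.firewalls.list | compute.googleapis.com |
| Compute Instances | compute.instances.list, osconfig.inventories.get | compute.googleapis.com, osconfig.googleapis.com |
| KMS Crypto Keys | cloudkms.cryptoKeys.list, cloudkms.cryptoKeys.getIamPolicy | cloudkms.googleapis.com |
"""


def _cell(text):
    """Split a table cell into items; '-' means the page lists nothing."""
    return [item.strip() for item in text.split(",") if item.strip() not in ("", "-")]


def parse_steps(table):
    """Parse pipe-delimited rows into {step: {"permissions": [...], "apis": [...]}}."""
    steps = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip malformed rows, the header row and the |---| separator row.
        if len(cells) != 3 or cells[0] == "Step" or set(cells[0]) <= {"-"}:
            continue
        steps[cells[0]] = {"permissions": _cell(cells[1]), "apis": _cell(cells[2])}
    return steps


def plan(selected, steps):
    """Union permissions and APIs for the selected steps, plus the required APIs."""
    unknown = [name for name in selected if name not in steps]
    if unknown:
        raise KeyError(f"steps not found in table: {unknown}")
    permissions, apis, notes = set(), set(REQUIRED_APIS), []
    for name in selected:
        row = steps[name]
        permissions.update(row["permissions"])
        apis.update(row["apis"])
        # Rows with '-' cannot be satisfied from the table alone; flag them.
        if not row["permissions"]:
            notes.append(f"{name}: no permission listed, verify access separately")
        if not row["apis"]:
            notes.append(f"{name}: no API listed, confirm the service API is enabled")
    return {"permissions": sorted(permissions), "apis": sorted(apis), "notes": notes}


def role_yaml(title, permissions):
    """Render a custom role definition file (YAML) for the given permissions."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {permission}" for permission in permissions]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    wanted = ["Compute Instances", "Compute Firewalls",
              "Cloud Run Routes", "Cloud Identity Groups"]
    result = plan(wanted, parse_steps(STEP_ROWS))
    # "J1 Scoped Ingest" is a hypothetical role title.
    print(role_yaml("J1 Scoped Ingest", result["permissions"]))
    print("APIs to enable:", ", ".join(result["apis"]))
    for note in result["notes"]:
        print("NOTE:", note)
```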
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Access Approval Settings | google_cloud_access_approval_settings | Configuration |
| Access Context Manager Access Level | google_access_context_manager_access_level | Ruleset |
| Access Context Manager Access Level Condition | google_access_context_manager_access_level_condition | Rule |
| Access Context Manager Access Policy | google_access_context_manager_access_policy | AccessPolicy |
| Access Context Manager Service Perimeter | google_access_context_manager_service_perimeter | Configuration |
| Access Context Manager Service Perimeter Api Operation | google_access_context_manager_service_perimeter_api_operation | Configuration |
| Access Context Manager Service Perimeter Egress Policy | google_access_context_manager_service_perimeter_egress_policy | ControlPolicy |
| Access Context Manager Service Perimeter Ingress Policy | google_access_context_manager_service_perimeter_ingress_policy | ControlPolicy |
| Access Context Manager Service Perimeter Method Selector | google_access_context_manager_service_perimeter_method_selector | Configuration |
| AlloyDB for PostgreSQL | google_cloud_alloydb | Service |
| AlloyDB for PostgreSQL Backup | google_cloud_alloydb_backup | Backup |
| AlloyDB for PostgreSQL Cluster | google_cloud_alloydb_cluster | Database, DataStore, Cluster |
| AlloyDB for PostgreSQL Connection | google_cloud_alloydb_connection | Network |
| AlloyDB for PostgreSQL Instances | google_cloud_alloydb_instance | Database, DataStore, Host |
| Api Gateway Api | google_api_gateway_api | Service |
| Api Gateway Api Config | google_api_gateway_api_config | Configuration |
| Api Gateway Gateway | google_api_gateway_gateway | Gateway |
| API Key | google_api_key | AccessKey |
| AppEngine Application | google_app_engine_application | Application |
| AppEngine Instance | google_app_engine_instance | Host |
| AppEngine Service | google_app_engine_service | Container |
| AppEngine Version | google_app_engine_version | Service |
| AppEngine Version Handler | google_app_engine_version_handler | Configuration |
| Artifact Registry | google_cloud_artifact_registry | Service |
| Artifact Registry Repository | google_cloud_artifact_registry_repository | CodeRepo, Repository |
| Artifact Registry VPCSC configuration | google_cloud_artifact_registry_vpcsc_configuration | Configuration |
| Artifact Registry VPCSC Policy | google_cloud_artifact_registry_vpcsc_policy | Configuration |
| Artifact Repository Package | google_cloud_artifact_registry_package | CodeModule |
| Audit Config | google_cloud_audit_config | Configuration |
| Big Query Dataset | google_bigquery_dataset | DataStore, Database |
| Big Query Model | google_bigquery_model | Model |
| Big Query Table | google_bigquery_table | DataCollection |
| Bigtable AppProfile | google_bigtable_app_profile | Configuration |
| Bigtable Backup | google_bigtable_backup | Backup |
| Bigtable Cluster | google_bigtable_cluster | Cluster |
| Bigtable Instance | google_bigtable_instance | Database |
| Bigtable Table | google_bigtable_table | DataCollection |
| Billing Account | google_billing_account | Account |
| Billing Budget | google_billing_budget | Ruleset |
| Binary Authorization Policy | google_binary_authorization_policy | AccessPolicy |
| Cloud API Service | google_cloud_api_service | Service |
| Cloud Build | google_cloud_build | Workflow |
| Cloud Build BitBucket Server Config | google_cloud_bitbucket_server_config | Configuration |
| Cloud Build BitBucket Server Repo | google_cloud_bitbucket_server_repo | CodeRepo |
| Cloud Build GitHub Enterprise Config | google_cloud_github_enterprise_config | Configuration |
| Cloud Build Trigger | google_cloud_build_trigger | Rule |
| Cloud Build Worker Pool | google_cloud_build_worker_pool | Cluster |
| Cloud Compute Router | google_cloud_compute_router | Device |
| Cloud Deploy Automation | google_cloud_deploy_automation | Rule |
| Cloud Deploy Delivery Pipeline | google_cloud_deploy_delivery_pipeline | Workflow |
| Cloud Deploy Service | google_cloud_deploy_service | Service |
| Cloud Function | google_cloud_function | Function |
| Cloud Identity Device Users | google_cloud_identity_user | User |
| Cloud Identity Devices | google_cloud_identity_device | Device |
| Cloud Identity Groups | google_cloud_identity_group | UserGroup |
| Cloud Identity Membership Roles | google_cloud_identity_member_role | AccessRole |
| Cloud Identity SSO Profile | google_cloud_sso | Configuration |
| Cloud Identity SSO Saml Provider | google_cloud_identity_saml_provider | Service |
| Cloud Run Configuration | google_cloud_run_configuration | Configuration |
| Cloud Run Route | google_cloud_run_route | Configuration |
| Cloud Run Service | google_cloud_run_service | Service |
| Cloud Source Repository | google_cloud_source_repository | CodeRepo |
| Cloud Spanner | google_cloud_spanner | Service |
| Cloud Spanner Backups | google_cloud_spanner_backup | Backup |
| Cloud Storage Bucket | google_storage_bucket | DataStore |
| Compute Address | google_compute_address | IpAddress |
| Compute Backend Bucket | google_compute_backend_bucket | Gateway |
| Compute Backend Service | google_compute_backend_service | Service |
| Compute Disk | google_compute_disk | DataStore, Disk |
| Compute Firewalls | google_compute_firewall | Firewall |
| Compute Forwarding Rule | google_compute_forwarding_rule | Configuration |
| Compute Global Address | google_compute_global_address | IpAddress |
| Compute Global Forwarding Rule | google_compute_global_forwarding_rule | Configuration |
| Compute Health Check | google_compute_health_check | Service |
| Compute Image | google_compute_image | Image |
| Compute Instance | google_compute_instance | Host |
| Compute Instance Group | google_compute_instance_group | Group |
| Compute Instance Group Named Port | google_compute_instance_group_named_port | Configuration |
| Compute Networks | google_compute_network | Network |
| Compute Project | google_compute_project | Project |
| Compute Region Load Balancer | google_compute_url_map | Gateway |
| Compute Region Target HTTP Proxy | google_compute_target_http_proxy | Gateway |
| Compute Snapshot | google_compute_snapshot | Image |
| Compute SSL Policy | google_compute_ssl_policy | Policy |
| Compute Subnetwork | google_compute_subnetwork | Network |
| Compute Target HTTPS Proxy | google_compute_target_https_proxy | Gateway |
| Compute Target Pool | google_compute_target_pool | Group |
| Compute Target SSL Proxy | google_compute_target_ssl_proxy | Gateway |
| Container Cluster | google_container_cluster | Cluster |
| Container Node Pool | google_container_node_pool | Group |
| Dataproc Cluster | google_dataproc_cluster | Cluster |
| DLP Discovery Config | google_dlp_discovery_config | Configuration |
| DLP Table Data Profile | google_dlp_table_data_profile | Finding |
| DNS Managed Zone | google_dns_managed_zone | DomainZone |
| DNS Managed Zone Record | google_dns_managed_zone_record | DomainRecord |
| DNS Policy | google_dns_policy | Ruleset |
| Essential Contact | google_essential_contact | Record |
| Folder | google_cloud_folder | Group |
| Google Cloud Filestore Instance | google_cloud_filestore_instance | DataStore |
| Google Cloud Filestore Service | google_cloud_filestore_service | Service |
| Google Cloud Firestore Database | google_cloud_firestore_database | Database |
| Google Cloud Firestore Service | google_cloud_firestore_service | Service |
| Google Cloud Vertex AI Batch Prediction Job | google_cloud_vertex_ai_batch_prediction_job | Task |
| Google Cloud Vertex AI Dataset | google_cloud_vertex_ai_dataset | DataCollection |
| Google Cloud Vertex AI Endpoint | google_cloud_vertex_ai_endpoint | Gateway |
| Google Cloud Vertex AI Model | google_cloud_vertex_ai_model | Model |
| Google Cloud Vertex AI Service | google_cloud_vertex_ai_service | Service |
| Google Cloud Vertex AI Training Pipeline | google_cloud_vertex_ai_training_pipeline | Workflow |
| Google Cloud VPN Service | google_cloud_vpn_service | Service |
| Google Cloud Workflow | google_cloud_workflow | Workflow |
| Google Cloud Workflows Service | google_cloud_workflows_service | Service |
| Google Cloud Workstation | google_cloud_workstation | Host |
| Google Cloud Workstations Cluster | google_cloud_workstations_cluster | Cluster |
| Google Cloud Workstations Configuration | google_cloud_workstations_configuration | Configuration |
| Google Cloud Workstations Service | google_cloud_workstations_service | Service |
| Google Compute External VPN Gateway | google_compute_external_vpn_gateway | Gateway |
| Google Compute HA VPN Gateway | google_compute_vpn_gateway | Gateway |
| Google Compute Target VPN Gateway | google_compute_target_vpn_gateway | Gateway |
| Google Compute VPN Tunnel | google_compute_vpn_tunnel | Gateway |
| IAM Binding | google_iam_binding | AccessPolicy |
| IAM Custom Role | google_iam_role | AccessRole |
| IAM Service Account | google_iam_service_account | User |
| IAM Service Account Key | google_iam_service_account_key | AccessKey |
| IAP Binding | google_iap_binding | AccessPolicy |
| KMS Crypto Key | google_kms_crypto_key | Key, CryptoKey |
| KMS Key Ring | google_kms_key_ring | Vault |
| Logging Metric | google_logging_metric | Configuration |
| Logging Project Sink | google_logging_project_sink | Logs |
| Memcache Instance | google_memcache_instance | Database, DataStore, Cluster |
| Memcache Instance Node | google_memcache_instance_node | Database, DataStore, Host |
| Monitoring Alert Policy | google_monitoring_alert_policy | Policy |
| Organization | google_cloud_organization | Organization |
| Private CA Certificate | google_privateca_certificate | Certificate |
| Private CA Certificate Authority | google_privateca_certificate_authority | Service |
| Private CA Pool | google_privateca_pool | Group |
| Project | google_cloud_project | Account |
| PubSub Subscription | google_pubsub_subscription | Service |
| PubSub Topic | google_pubsub_topic | Channel |
| Redis Instance | google_redis_instance | Database, DataStore, Host |
| Scan Config | google_cloud_scan_config | Configuration |
| Scan Run | google_cloud_scan_run | Process, Task |
| Secret | google_secret_manager_secret | Group |
| Secret Version | google_secret_manager_secret_version | Secret |
| Security Command Center Finding | google_cloud_security_command_center_finding | Finding, Vulnerability |
| Spanner Instance | google_spanner_instance | Database, Cluster |
| Spanner Instance Config | google_spanner_instance_config | Configuration |
| Spanner Instance Database | google_spanner_database | Database |
| Spanner Instance Database Role | google_cloud_spanner_database_role | AccessRole |
| SQL Admin MySQL Instance | google_sql_mysql_instance | Database |
| SQL Admin MySQL Instance Backup | google_sql_mysql_instance_backup | Backup |
| SQL Admin MySQL Instance Cert | google_sql_mysql_instance_cert | Certificate |
| SQL Admin MySQL Instance Database | google_sql_mysql_instance_database | Database |
| SQL Admin MySQL Instance User | google_sql_mysql_instance_user | User |
| SQL Admin Postgres Instance | google_sql_postgres_instance | Database |
| SQL Admin Postgres Instance Backup | google_sql_postgres_instance_backup | Backup |
| SQL Admin Postgres Instance Cert | google_sql_postgres_instance_cert | Certificate |
| SQL Admin Postgres Instance Database | google_sql_postgres_instance_database | Database |
| SQL Admin Postgres Instance User | google_sql_postgres_instance_user | User |
| SQL Admin SQL Server Instance | google_sql_sql_server_instance | Database |
| SQL Admin SQL Server Instance Backup | google_sql_sql_server_instance_backup | Backup |
| SQL Admin SQL Server Instance Database | google_sql_sql_server_instance_database | Database |
| SQL Admin SQL Server Instance User | google_sql_sql_server_instance_user | User |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
google_access_context_manager_access_level | DEFINES | google_access_context_manager_access_level_condition |
google_access_context_manager_access_policy | HAS | google_access_context_manager_access_level |
google_access_context_manager_access_policy | HAS | google_access_context_manager_service_perimeter |
google_access_context_manager_service_perimeter | HAS | google_access_context_manager_service_perimeter_egress_policy |
google_access_context_manager_service_perimeter | HAS | google_access_context_manager_service_perimeter_ingress_policy |
google_access_context_manager_service_perimeter_api_operation | HAS | google_access_context_manager_service_perimeter_method_selector |
google_access_context_manager_service_perimeter_egress_policy | HAS | google_access_context_manager_service_perimeter_api_operation |
google_access_context_manager_service_perimeter_ingress_policy | HAS | google_access_context_manager_service_perimeter_api_operation |
google_access_context_manager_service_perimeter_ingress_policy | ALLOWS | google_access_context_manager_access_level |
google_api_gateway_api | USES | google_api_gateway_api_config |
google_api_gateway_api | HAS | google_api_gateway_gateway |
google_api_gateway_api_config | USES | google_iam_service_account |
google_app_engine_application | USES | google_storage_bucket |
google_app_engine_application | HAS | google_app_engine_service |
google_app_engine_service | HAS | google_app_engine_version |
google_app_engine_version | HAS | google_app_engine_version_handler |
google_app_engine_version | HAS | google_app_engine_instance |
google_bigquery_dataset | USES | google_kms_crypto_key |
google_bigquery_dataset | HAS | google_bigquery_model |
google_bigquery_dataset | HAS | google_bigquery_table |
google_bigtable_cluster | USES | google_kms_crypto_key |
google_bigtable_cluster | HAS | google_bigtable_backup |
google_bigtable_instance | HAS | google_bigtable_app_profile |
google_bigtable_instance | HAS | google_bigtable_cluster |
google_bigtable_instance | HAS | google_bigtable_table |
google_bigtable_table | HAS | google_bigtable_backup |
google_billing_account | HAS | google_billing_budget |
google_cloud_alloydb_cluster | HAS | google_cloud_alloydb_backup |
google_cloud_alloydb_cluster | USES | google_kms_crypto_key |
google_cloud_alloydb_instance | USES | google_cloud_alloydb_cluster |
google_cloud_alloydb_instance | HAS | google_cloud_alloydb_connection |
google_cloud_api_service | HAS | google_iam_role |
google_cloud_api_service | HAS | resource |
google_cloud_api_service | USES | google_cloud_audit_config |
google_cloud_artifact_registry_repository | USES | google_kms_crypto_key |
google_cloud_artifact_registry_repository | USES | google_cloud_artifact_registry_package |
google_cloud_artifact_registry_vpcsc_configuration | ASSIGNED | google_cloud_artifact_registry_vpcsc_policy |
google_cloud_audit_config | ALLOWS | google_iam_service_account |
google_cloud_audit_config | ALLOWS | google_user |
google_cloud_audit_config | ALLOWS | google_group |
google_cloud_audit_config | ALLOWS | google_domain |
google_cloud_bitbucket_server_config | HAS | google_cloud_bitbucket_server_repo |
google_cloud_build | USES | google_storage_bucket |
google_cloud_build | USES | google_cloud_source_repository |
google_cloud_build_trigger | TRIGGERS | google_cloud_build |
google_cloud_compute_router | USES | google_compute_address |
google_cloud_deploy_automation | TRIGGERS | google_cloud_deploy_delivery_pipeline |
google_cloud_deploy_delivery_pipeline | USES | google_storage_bucket |
google_cloud_deploy_service | HAS | google_cloud_deploy_delivery_pipeline |
google_cloud_filestore_instance | USES | google_compute_network |
google_cloud_filestore_service | HAS | google_cloud_filestore_instance |
google_cloud_firestore_service | HAS | google_cloud_firestore_database |
google_cloud_folder | HAS | google_cloud_folder |
google_cloud_folder | HAS | google_cloud_project |
google_cloud_function | USES | google_iam_service_account |
google_cloud_function | USES | google_cloud_source_repository |
google_cloud_function | USES | google_storage_bucket |
google_cloud_function | USES | google_secret_manager_secret |
google_cloud_identity_group | ASSIGNED | google_cloud_identity_member_role |
google_cloud_identity_saml_provider | USES | google_cloud_identity_group |
google_cloud_identity_user | IS | google_user |
google_cloud_identity_user | USES | google_cloud_identity_device |
google_cloud_organization | HAS | google_cloud_folder |
google_cloud_organization | HAS | google_cloud_project |
google_cloud_organization | HAS | google_essential_contact |
google_cloud_organization | HAS | google_cloud_access_approval_settings |
google_cloud_project | HAS | google_cloud_api_service |
google_cloud_project | HAS | google_iam_service_account |
google_cloud_project | CONTAINS | google_sql_postgres_instance |
google_cloud_project | CONTAINS | google_sql_mysql_instance |
google_cloud_project | CONTAINS | google_sql_sql_server_instance |
google_cloud_project | HAS | google_binary_authorization_policy |
google_cloud_project | HAS | google_spanner_instance |
google_cloud_project | HAS | google_spanner_instance_config |
google_cloud_project | HAS | google_cloud_spanner |
google_cloud_project | HAS | google_billing_budget |
google_cloud_project | HAS | google_cloud_deploy_service |
google_cloud_project | HAS | google_cloud_alloydb_cluster |
google_cloud_project | HAS | google_cloud_artifact_registry_repository |
google_cloud_project | HAS | google_cloud_artifact_registry |
google_cloud_project | USES | google_cloud_artifact_registry_vpcsc_configuration |
google_cloud_project | ASSIGNED | google_cloud_artifact_registry_vpcsc_policy |
google_cloud_project | HAS | google_api_key |
google_cloud_run_service | MANAGES | google_cloud_run_route |
google_cloud_run_service | MANAGES | google_cloud_run_configuration |
google_cloud_scan_config | PERFORMED | google_cloud_scan_run |
google_cloud_sso | ASSIGNED | google_cloud_identity_group |
google_cloud_vertex_ai_endpoint | CONTAINS | google_cloud_vertex_ai_model |
google_cloud_vertex_ai_service | HAS | google_cloud_vertex_ai_model |
google_cloud_vertex_ai_service | HAS | google_cloud_vertex_ai_endpoint |
google_cloud_vertex_ai_service | HAS | google_cloud_vertex_ai_dataset |
google_cloud_vertex_ai_service | HAS | google_cloud_vertex_ai_training_pipeline |
google_cloud_vertex_ai_service | HAS | google_cloud_vertex_ai_batch_prediction_job |
google_cloud_vpn_service | HAS | google_compute_vpn_gateway |
google_cloud_vpn_service | HAS | google_compute_target_vpn_gateway |
google_cloud_vpn_service | HAS | google_compute_external_vpn_gateway |
google_cloud_vpn_service | HAS | google_compute_vpn_tunnel |
google_cloud_workflow | USES | google_iam_service_account |
google_cloud_workflows_service | HAS | google_cloud_workflow |
google_cloud_workstation | USES | google_cloud_workstations_configuration |
google_cloud_workstations_cluster | HAS | google_cloud_workstations_configuration |
google_cloud_workstations_cluster | HAS | google_cloud_workstation |
google_cloud_workstations_cluster | USES | google_compute_network |
google_cloud_workstations_service | HAS | google_cloud_workstations_cluster |
google_compute_backend_bucket | HAS | google_storage_bucket |
google_compute_backend_service | HAS | google_compute_instance_group |
google_compute_backend_service | HAS | google_compute_health_check |
google_compute_backend_service | HAS | google_compute_target_ssl_proxy |
google_compute_disk | CREATED | google_compute_snapshot |
google_compute_disk | USES | google_compute_image |
google_compute_disk | USES | google_kms_crypto_key |
google_compute_firewall | PROTECTS | google_compute_network |
google_compute_forwarding_rule | USES | google_compute_address |
google_compute_forwarding_rule | CONNECTS | google_compute_backend_service |
google_compute_forwarding_rule | CONNECTS | google_compute_subnetwork |
google_compute_forwarding_rule | CONNECTS | google_compute_network |
google_compute_forwarding_rule | CONNECTS | google_compute_target_http_proxy |
google_compute_forwarding_rule | CONNECTS | google_compute_target_https_proxy |
google_compute_forwarding_rule | CONNECTS | google_compute_target_pool |
google_compute_global_forwarding_rule | CONNECTS | google_compute_backend_service |
google_compute_global_forwarding_rule | CONNECTS | google_compute_subnetwork |
google_compute_global_forwarding_rule | CONNECTS | google_compute_network |
google_compute_global_forwarding_rule | CONNECTS | google_compute_target_http_proxy |
google_compute_global_forwarding_rule | CONNECTS | google_compute_target_https_proxy |
google_compute_image | USES | google_compute_image |
google_compute_image | USES | google_kms_crypto_key |
google_compute_instance | USES | google_compute_address |
google_compute_instance | USES | google_compute_disk |
google_compute_instance | TRUSTS | google_iam_service_account |
google_compute_instance | HAS | google_cloud_security_command_center_finding |
google_compute_instance_group | HAS | google_compute_instance_group_named_port |
google_compute_instance_group | HAS | google_compute_instance |
google_compute_network | CONTAINS | google_compute_subnetwork |
google_compute_network | HAS | google_compute_address |
google_compute_network | HAS | google_compute_global_address |
google_compute_network | HAS | google_compute_firewall |
google_compute_network | CONNECTS | google_compute_network |
google_compute_network | HAS | google_cloud_compute_router |
google_compute_network | HAS | google_dns_policy |
google_compute_network | HAS | google_compute_vpn_gateway |
google_compute_network | HAS | google_compute_target_vpn_gateway |
google_compute_project | HAS | google_compute_instance |
google_compute_snapshot | CREATED | google_compute_image |
google_compute_subnetwork | HAS | google_compute_address |
google_compute_subnetwork | HAS | google_compute_global_address |
google_compute_subnetwork | HAS | google_compute_instance |
google_compute_target_https_proxy | HAS | google_compute_ssl_policy |
google_compute_target_pool | HAS | google_compute_instance |
google_compute_target_ssl_proxy | HAS | google_compute_ssl_policy |
google_compute_target_vpn_gateway | HAS | google_compute_vpn_tunnel |
google_compute_url_map | HAS | google_compute_backend_service |
google_compute_url_map | HAS | google_compute_backend_bucket |
google_compute_url_map | HAS | google_compute_target_https_proxy |
google_compute_url_map | HAS | google_compute_target_http_proxy |
google_compute_vpn_gateway | HAS | google_compute_vpn_tunnel |
google_compute_vpn_tunnel | USES | google_cloud_compute_router |
google_container_cluster | HAS | google_container_node_pool |
google_container_cluster | HAS | google_cloud_security_command_center_finding |
google_container_node_pool | HAS | google_compute_instance_group |
google_dataproc_cluster | USES | google_kms_crypto_key |
google_dataproc_cluster | USES | google_compute_image |
google_dataproc_cluster | USES | google_storage_bucket |
google_dlp_discovery_config | HAS | google_dlp_table_data_profile |
google_dlp_table_data_profile | HAS | google_bigquery_table |
google_dns_managed_zone | HAS | google_dns_managed_zone_record |
google_iam_binding | ASSIGNED | google_domain |
google_iam_binding | ASSIGNED | google_iam_service_account |
google_iam_binding | ASSIGNED | google_group |
google_iam_binding | ASSIGNED | google_user |
google_iam_binding | ASSIGNED | google_cloud_authenticated_users |
google_iam_binding | ASSIGNED | everyone |
google_iam_binding | ASSIGNED | google_iam_role |
google_iam_binding | USES | google_iam_role |
google_iam_binding | ALLOWS | resource |
google_iam_service_account | HAS | google_iam_service_account_key |
google_iam_service_account | CREATED | google_app_engine_version |
google_iap_binding | ALLOWS | google_compute_backend_service |
google_iap_binding | USES | google_iam_role |
google_iap_binding | ASSIGNED | google_iam_service_account |
google_iap_binding | ASSIGNED | google_user |
google_iap_binding | ASSIGNED | google_group |
google_iap_binding | ASSIGNED | google_domain |
google_kms_key_ring | HAS | google_kms_crypto_key |
google_logging_metric | HAS | google_monitoring_alert_policy |
google_logging_project_sink | USES | google_storage_bucket |
google_memcache_instance | HAS | google_memcache_instance_node |
google_memcache_instance | USES | google_compute_network |
google_privateca_certificate_authority | CREATED | google_privateca_certificate |
google_privateca_certificate_authority | USES | google_storage_bucket |
google_privateca_pool | HAS | google_privateca_certificate_authority |
google_pubsub_subscription | USES | google_pubsub_topic |
google_pubsub_topic | USES | google_kms_crypto_key |
google_redis_instance | USES | google_compute_network |
google_secret_manager_secret | HAS | google_secret_manager_secret_version |
google_spanner_database | USES | google_kms_crypto_key |
google_spanner_database | ASSIGNED | google_cloud_spanner_database_role |
google_spanner_instance | USES | google_spanner_instance_config |
google_spanner_instance | HAS | google_spanner_database |
google_spanner_instance | HAS | google_cloud_spanner_backup |
google_sql_mysql_instance | CONNECTS | google_kms_crypto_key |
google_sql_mysql_instance | USES | google_iam_service_account |
google_sql_mysql_instance | HAS | google_sql_mysql_instance_user |
google_sql_mysql_instance | HAS | google_sql_mysql_instance_database |
google_sql_mysql_instance | HAS | google_sql_mysql_instance_backup |
google_sql_mysql_instance | HAS | google_sql_mysql_instance_cert |
google_sql_mysql_instance | USES | google_kms_crypto_key |
google_sql_postgres_instance | CONNECTS | google_kms_crypto_key |
google_sql_postgres_instance | USES | google_iam_service_account |
google_sql_postgres_instance | HAS | google_sql_postgres_instance_user |
google_sql_postgres_instance | HAS | google_sql_postgres_instance_database |
google_sql_postgres_instance | HAS | google_sql_postgres_instance_backup |
google_sql_postgres_instance | HAS | google_sql_postgres_instance_cert |
google_sql_postgres_instance | USES | google_kms_crypto_key |
google_sql_sql_server_instance | CONNECTS | google_kms_crypto_key |
google_sql_sql_server_instance | HAS | google_sql_sql_server_instance_user |
google_sql_sql_server_instance | HAS | google_sql_sql_server_instance_database |
google_sql_sql_server_instance | HAS | google_sql_sql_server_instance_backup |
google_sql_sql_server_instance | USES | google_kms_crypto_key |
google_user | CREATED | google_app_engine_version |
google_user | ASSIGNED | google_cloud_alloydb_cluster |
internet | ALLOWS | google_compute_firewall |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
google_access_context_manager_service_perimeter | PROTECTS | google_cloud_project | FORWARD |
google_access_context_manager_service_perimeter | LIMITS | google_cloud_api_service | FORWARD |
google_cloud_build_trigger | USES | github_repo | FORWARD |
google_cloud_deploy_delivery_pipeline | USES | github_repo | FORWARD |
Google Api Key
google_api_key inherits from AccessKey
| Property | Type | Description | Specifications |
|---|---|---|---|
androidKeyRestrictions.allowedApplications * | array | null | ||
assetName | string | ||
browserKeyRestrictions.allowedReferrers * | array | null | ||
createdOn | number | ||
deletedOn | number | ||
etag * | string | null | ||
iosKeyRestrictions.allowedBundleIds * | array | null | ||
serverKeyRestrictions.allowedIps * | array | null | ||
uid * | string | null | ||
updatedOn | number |
Google Cloud Access Approval Settings
google_cloud_access_approval_settings inherits from Configuration
| Property | Type | Description | Specifications |
|---|---|---|---|
activeKeyVersion * | string | null | ||
ancestorHasActiveKeyVersion * | boolean | ||
enrolledAncestor * | boolean | ||
enrolledServices * | array | null | ||
enrollmentCount * | number | ||
enrollmentLevel * | string | null | ||
hasAllServicesEnrolled * | boolean | null | ||
hasNotificationEmails * | boolean | ||
invalidKeyVersion * | boolean | ||
isConfigured * | boolean | ||
notificationEmailCount * | number | ||
notificationEmails * | array of strings | ||
notificationPubsubTopic * | string | null | ||
preferNoBroadApprovalRequests * | boolean | null | ||
preferredRequestExpirationDays * | number | null | ||
resourceId * | string | ||
resourceType * | string | Any of: organization, project, folder |
Google Cloud Filestore Instance
google_cloud_filestore_instance inherits from DataStore
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName * | string | null | ||
etag * | string | null | ||
fileShareNames * | array | null | ||
isSatisfyingPzi * | boolean | null | ||
kmsKeyName * | string | null | ||
networkNames * | array | null | ||
projectId * | string | null | ||
state * | string | null | ||
statusMessage * | string | null | ||
suspensionReasons * | array | null | ||
tier * | string | null | ||
zone * | string | null |
Google Cloud Filestore Service
google_cloud_filestore_service inherits from Service
| Property | Type | Description | Specifications |
|---|---|---|---|
organizationId * | string | null | ||
projectId * | string | null |
Google Cloud Firestore Database
google_cloud_firestore_database inherits from Database
| Property | Type | Description | Specifications |
|---|---|---|---|
appEngineIntegrationMode * | string | null | ||
assetName * | string | null | ||
concurrencyMode * | string | null | ||
createdOn * | number | null | ||
displayName * | string | ||
id * | string | ||
keyPrefix * | string | null | ||
locationId * | string | null | ||
name * | string | ||
projectId * | string | null | ||
type * | string | null | ||
updatedOn * | number | null | ||
webLink * | string | null |
Google Cloud Firestore Service
google_cloud_firestore_service inherits from Service
| Property | Type | Description | Specifications |
|---|---|---|---|
category * | array | null | ||
displayName * | string | ||
function * | array | null | ||
id * | string | ||
name * | string | ||
projectId * | string | null | ||
webLink * | string | null |
Google Cloud Security Command Center Finding
google_cloud_security_command_center_finding inherits from Finding, Vulnerability
| Property | Type | Description | Specifications |
|---|---|---|---|
canonicalName | string | ||
createTimeOn | number | ||
description | string | ||
eventTimeOn | number | ||
externalUri | string | ||
findingClass | string | ||
mute | string | ||
muteUpdateTimeOn | number | ||
name | string | ||
parent | string | ||
parentDisplayName | string | ||
resourceName | string | ||
securityMarksName | string | ||
sourcePropertiesDescription | string | ||
state | string | ||
vulnerabilityCVEId | string | ||
vulnerabilityCVEReferences | array of strings | ||
vulnerabilityCvssv3AttackComplexity | string | ||
vulnerabilityCvssv3AttackVector | string | ||
vulnerabilityCvssv3AvailabilityImpact | string | ||
vulnerabilityCvssv3BaseScoret | number | ||
vulnerabilityCvssv3ConfidentialityImpact | string | ||
vulnerabilityCvssv3IntegrityImpact | string | ||
vulnerabilityCvssv3PrivilegesRequired | string | ||
vulnerabilityCvssv3Scope | string | ||
vulnerabilityCvssv3UserInteraction | string | ||
vulnerabilityUpstreamFixAvailable | boolean |
Google Cloud Vertex Ai Batch Prediction Job
google_cloud_vertex_ai_batch_prediction_job inherits from Task
| Property | Type | Description | Specifications |
|---|---|---|---|
acceleratorCount * | number | null | ||
acceleratorType * | string | null | ||
assetName | string | ||
batchSize * | number | null | ||
bigQueryOutputDataset * | string | null | ||
bigQueryOutputTable * | string | null | ||
endedOn * | number | null | ||
errorCode * | number | null | ||
errorMessage * | string | null | ||
failedCount * | string | null | ||
gcsOutputDirectory * | string | null | ||
hasExplanationSpec * | boolean | null | ||
incompleteCount * | string | null | ||
inputBigQuerySource * | string | null | ||
inputGcsSource * | string | null | ||
isContainerLoggingDisabled * | boolean | null | ||
isExplanationGenerated * | boolean | null | ||
kmsKeyName * | string | null | ||
machineType * | string | null | ||
model * | string | null | ||
modelVersionId * | string | null | ||
outputBigQueryDestination * | string | null | ||
outputGcsDestination * | string | null | ||
partialFailureCount * | number | null | ||
projectId * | string | null | ||
replicaHours * | number | null | ||
serviceAccount * | string | null | ||
startedOn * | number | null | ||
state * | string | null | ||
successfulCount * | string | null | ||
unmanagedContainerImageUri * | string | null |
Google Cloud Vertex Ai Dataset
google_cloud_vertex_ai_dataset inherits from DataCollection
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
dataItemCount * | string | null | ||
etag * | string | null | ||
kmsKeyName * | string | null | ||
metadataArtifact * | string | null | ||
metadataSchemaUri * | string | null | ||
projectId * | string | null | ||
region * | string | null | ||
savedQueryCount * | number | null | ||
savedQueryNames * | array | null |
Google Cloud Vertex Ai Endpoint
google_cloud_vertex_ai_endpoint inherits from Gateway
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
deployedModelCount * | number | null | ||
deployedModelIds * | array | null | ||
etag * | string | null | ||
isPrivateServiceConnectEnabled * | boolean | null | ||
kmsKeyName * | string | null | ||
modelDeploymentMonitoringJob * | string | null | ||
network * | string | null | ||
projectId * | string | null |
Google Cloud Vertex Ai Model
google_cloud_vertex_ai_model inherits from Model
| Property | Type | Description | Specifications |
|---|---|---|---|
artifactUri * | string | null | ||
assetName | string | ||
containerArgs * | array | null | ||
containerCommand * | array | null | ||
containerImageUri * | string | null | ||
etag * | string | null | ||
hasExplanationSpec * | boolean | null | ||
kmsKeyName * | string | null | ||
metadataArtifact * | string | null | ||
metadataSchemaUri * | string | null | ||
pipelineJob * | string | null | ||
predictionSchemaUri * | string | null | ||
projectId * | string | null | ||
supportedDeploymentResourcesTypes * | array | null | ||
supportedExportFormats * | array | null | ||
supportedInputStorageFormats * | array | null | ||
supportedOutputStorageFormats * | array | null | ||
trainingPipeline * | string | null | ||
versionAliases * | array | null | ||
versionCreatedOn * | number | null | ||
versionDescription * | string | null | ||
versionId * | string | null | ||
versionUpdatedOn * | number | null |
Google Cloud Vertex Ai Service
google_cloud_vertex_ai_service inherits from Service
| Property | Type | Description | Specifications |
|---|---|---|---|
category * | array | null | ||
function * | array | null | ||
id * | string | null | ||
organizationId * | string | null | ||
projectId * | string | null | ||
webLink * | string | null |
Google Cloud Vertex Ai Training Pipeline
google_cloud_vertex_ai_training_pipeline inherits from Workflow
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
endedOn * | number | null | ||
errorCode * | string | null | ||
errorMessage * | string | null | ||
inputDatasetId * | string | null | ||
kmsKeyName * | string | null | ||
modelDisplayName * | string | null | ||
modelId * | string | null | ||
parentModel * | string | null | ||
projectId * | string | null | ||
startedOn * | number | null | ||
state * | string | null | ||
trainingTaskDefinition * | string | null |
Google Cloud Vpn Service
google_cloud_vpn_service inherits from Service
| Property | Type | Description | Specifications |
|---|---|---|---|
organizationId * | string | null | ||
projectId * | string | null |
Google Cloud Workflow
google_cloud_workflow inherits from Workflow
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
callLogLevel * | string | null | ||
createdOn * | number | null | ||
description * | string | null | ||
displayName * | string | ||
id * | string | ||
isEncrypted * | boolean | null | ||
name * | string | ||
projectId * | string | null | ||
region * | string | null | ||
revisionId * | string | null | ||
serviceAccount * | string | null | ||
sourceContents * | string | null | ||
state * | string | null | ||
updatedOn * | number | null | ||
webLink * | string | null |
Google Cloud Workflows Service
google_cloud_workflows_service inherits from Service
| Property | Type | Description | Specifications |
|---|---|---|---|
category * | array | null | ||
displayName * | string | ||
function * | array | null | ||
id * | string | ||
name * | string | ||
projectId * | string | null | ||
region * | string | null | ||
webLink * | string | null |
Google Cloud Workstation
google_cloud_workstation inherits from Host
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
etag * | string | null | ||
isReconciling * | boolean | null | ||
projectId * | string | null | ||
startedOn * | number | null | ||
state * | string | null | ||
uid * | string | null | ||
zone * | string | null |
Google Cloud Workstations Cluster
google_cloud_workstations_cluster inherits from Cluster
| Property | Type | Description | Specifications |
|---|---|---|---|
allowedProjects * | array | null | ||
assetName | string | ||
clusterHostname * | string | null | ||
conditionCodes * | array | null | ||
controlPlaneIp * | string | null | ||
degraded * | boolean | null | ||
etag * | string | null | ||
isPrivateEndpointEnabled * | boolean | null | ||
isReconciling * | boolean | null | ||
network * | string | null | ||
projectId * | string | null | ||
serviceAttachmentUri * | string | null | ||
subnetwork * | string | null | ||
uid * | string | null | ||
zone * | string | null |
Google Cloud Workstations Configuration
google_cloud_workstations_configuration inherits from Configuration
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
conditionCodes * | array | null | ||
containerArgs * | array | null | ||
containerCommand * | array | null | ||
containerImage * | string | null | ||
containerRunAsUser * | number | null | ||
containerWorkingDir * | string | null | ||
etag * | string | null | ||
idleTimeout * | string | null | ||
isDegraded * | boolean | null | ||
isReconciling * | boolean | null | ||
kmsKey * | string | null | ||
kmsKeyServiceAccount * | string | null | ||
persistentDirectoriesDiskTypes * | array | null | ||
persistentDirectoriesFsTypes * | array | null | ||
projectId * | string | null | ||
readinessCheckPaths * | array | null | ||
readinessCheckPorts * | array | null | ||
replicaZones * | array | null | ||
runningTimeout * | string | null | ||
uid * | string | null | ||
zone * | string | null |
Google Cloud Workstations Service
google_cloud_workstations_service inherits from Service
| Property | Type | Description | Specifications |
|---|---|---|---|
organizationId * | string | null | ||
projectId * | string | null |
Google Compute External Vpn Gateway
google_compute_external_vpn_gateway inherits from Gateway
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
id * | string | ||
interfaceIds * | array | null | ||
interfaceIpAddresses * | array | null | ||
kind * | string | null | ||
projectId * | string | null | ||
redundancyType * | string | null | ||
selfLink * | string | null |
Google Compute Target Vpn Gateway
google_compute_target_vpn_gateway inherits from Gateway
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
forwardingRules * | array | null | ||
id * | string | ||
kind * | string | null | ||
network * | string | null | ||
projectId * | string | null | ||
region * | string | null | ||
selfLink * | string | null | ||
tunnels * | array | null |
Google Compute Vpn Gateway
google_compute_vpn_gateway inherits from Gateway
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
id * | string | ||
kind * | string | null | ||
network * | string | null | ||
projectId * | string | null | ||
region * | string | null | ||
selfLink * | string | null | ||
stackType * | string | null | ||
vpnInterfaceIpAddresses * | array | null |
Google Compute Vpn Tunnel
google_compute_vpn_tunnel inherits from Gateway
| Property | Type | Description | Specifications |
|---|---|---|---|
assetName | string | ||
detailedStatus * | string | null | ||
id * | string | ||
ikeVersion * | number | null | ||
kind * | string | null | ||
localTrafficSelector * | array | null | ||
peerExternalGateway * | string | null | ||
peerExternalGatewayInterface * | number | null | ||
peerGcpGateway * | string | null | ||
peerIp * | string | null | ||
projectId * | string | null | ||
region * | string | null | ||
remoteTrafficSelector * | array | null | ||
router * | string | null | ||
selfLink * | string | null | ||
targetVpnGateway * | string | null | ||
vpnGateway * | string | null | ||
vpnGatewayInterface * | number | null |
Google Dlp Discovery Config
google_dlp_discovery_config inherits from Configuration
| Property | Type | Description | Specifications |
|---|---|---|---|
createdOn | number | ||
inspectTemplates * | array | null | ||
projectId | string | ||
state * | string | null | ||
updatedOn | number |
Google Dlp Table Data Profile
google_dlp_table_data_profile inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| createdOn | number | | |
| projectId | string | | |
| state * | string \| null | | |
| updatedOn | number | | |
Google Essential Contact
google_essential_contact inherits from Record
| Property | Type | Description | Specifications |
|---|---|---|---|
| assetName | string | | |
| email * | string \| null | | |
| languageTag * | string \| null | | |
| name | string | | |
| notificationCategories * | array \| null | | |
| validateTime | number | | |
| validationState * | string \| null | | |
Google Iap Binding
google_iap_binding inherits from AccessPolicy
| Property | Type | Description | Specifications |
|---|---|---|---|
| backendServiceId * | string \| null | | |
| backendServiceName * | string \| null | | |
| condition.description * | string \| null | | |
| condition.expression * | string \| null | | |
| condition.location * | string \| null | | |
| condition.title * | string \| null | | |
| displayName * | string | | |
| members * | array \| null | | |
| name * | string | | |
| permissions * | array \| null | | |
| projectId * | string \| null | | |
| readonly * | boolean \| null | | |
| role * | string \| null | | |
Release Notes
- 2026-04-08 — Added configuration option to automatically delete child integration instances when their parent is removed from the Google Cloud integration.
- 2026-04-08 — Improved OS name and OS type detection for Google Cloud Compute Engine instances using inventory OS short names.
- 2026-04-08 — Added relationships linking Google Cloud projects directly to their associated IAM service accounts.
- 2026-03-31 — Added OS kernel version property to Google Cloud Compute Engine instances and Cloud Identity device entities.
- 2025-11-18 — Added additional configuration and metadata properties to Cloud SQL MySQL instance entities.
- 2025-10-29 — Added ingestion of Organization Access Approval settings as new entity types.
- 2025-10-24 — Added Cloud Functions environment variable capture for secret detection analysis.
- 2025-10-24 — Added GCP asset identifier properties (akin to AWS ARNs) to compute, networking, and storage resources across multiple rounds of promotion.
- 2025-10-22 — Added Google Cloud DLP Configuration and DLP Profiles as new ingested entity types.
- 2025-10-22 — Added Identity-Aware Proxy (IAP) ingestion, relating IAP-protected resources to their backend services.
- 2025-10-16 — Added App Engine version handler configurations to App Engine version entities.
- 2025-10-13 — Added Google Cloud API Keys ingestion as new entity types.
- 2025-10-10 — Added computed public property to Google Cloud firewall entities indicating whether the firewall allows public internet access.
- 2025-10-06 — Added HTTP(S) Load Balancer logging configuration properties to backend service entities.
- 2025-10-06 — Added Google Cloud Essential Contacts ingestion for incident notification contacts.
- 2025-10-01 — Added pgAudit enabled property to Cloud SQL PostgreSQL instances, exposing audit logging configuration.
- 2025-09-03 — Added GCP Cloud Workstations ingestion, including workstation clusters and workstations as new entity types.
- 2025-08-20 — Added allowed targets and denied targets queryable properties to GCP firewall entities.
- 2025-08-20 — Added Google Cloud Vertex AI ingestion, including datasets, models, and endpoints.
- 2025-08-18 — Added Google Cloud Filestore ingestion as new entity types.
- 2025-08-18 — Added Google Cloud VPN ingestion, including VPN gateways, tunnels, and router configurations.
- 2025-08-12 — Added Google Cloud Firestore database ingestion as new entity types.
- 2025-08-11 — Added Google Cloud Workflows ingestion as new entity types.
- 2025-05-27 — Added relationship from VPC Service Controls ingress policy to Access Context Manager access levels.
- 2025-04-25 — Added active property to Google IAM service account key entities.