BLACKSHIELD

Public guide

Deploy the Cloud Scanner on GCP

Scan GCP project posture with Prowler via a serverless Cloud Run Job triggered by Cloud Scheduler. One Terraform apply deploys to any number of projects and regions. Audience: Cloud engineers, security engineers, platform teams. Typical setup time: 5 minutes.

Before you begin

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an ingestion API key in Settings → API Keys with Ingestion scope.

Step by step

Step 1

Prerequisites and authentication

Install Terraform, authenticate with gcloud, and set your API key.

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an Ingestion API key in Settings → API Keys.
  • Set TF_VAR_secplatform_api_key=sp_xxxx in your environment.

Step 2

Configure targets and deploy

Edit the targets map in main.tf, then apply to deploy all project+region pairs at once.

  • Bootstrap the local source bundle first, then edit deploy/gcp-cloud-scanner/main.tf — add your project IDs and regions to locals.targets.
  • Run: cd deploy/gcp-cloud-scanner && terraform init && terraform apply -auto-approve
  • Terraform creates: service account, Secret Manager secret, Cloud Run Job, Cloud Scheduler, and enables required APIs.
  • Each project+region pair is an independent deployment unit.
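As an added illustration (not the module's own main.tf, which the bundle provides), the following shows how a locals.targets map of project+region pairs can fan out into one Cloud Scheduler trigger per pair with a dedicated least-privilege invoker identity. The resource and service-account names, the schedule and the map keys are assumptions; only the job name secplatform-cloud-scanner comes from this guide.

```hcl
# Added illustration, not the module's own main.tf: how a project+region
# map fans out into one Scheduler trigger per pair. Names are assumptions,
# except the job name "secplatform-cloud-scanner", which the guide uses.
locals {
  targets = {
    "my-prod-project/us-central1"  = { project = "my-prod-project", region = "us-central1" }
    "my-prod-project/europe-west1" = { project = "my-prod-project", region = "europe-west1" }
  }
  job_name = "secplatform-cloud-scanner"
}

# Dedicated trigger identity per pair: it may only start this one job, so a
# misconfigured or abused schedule cannot read scan data or touch other resources.
resource "google_service_account" "invoker" {
  for_each     = local.targets
  project      = each.value.project
  account_id   = "scanner-invoker-${each.value.region}"   # stays under the 30-char limit
  display_name = "Cloud Scheduler invoker for ${local.job_name}"
}

resource "google_cloud_run_v2_job_iam_member" "invoker" {
  for_each = local.targets
  project  = each.value.project
  location = each.value.region
  name     = local.job_name                 # job created elsewhere in the module
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.invoker[each.key].email}"
}

# Scheduler calls the Cloud Run Admin API with a short-lived OAuth token for
# the invoker SA; no static credential is stored in the trigger itself.
resource "google_cloud_scheduler_job" "scanner" {
  for_each  = local.targets
  project   = each.value.project
  region    = each.value.region
  name      = local.job_name
  schedule  = "0 */6 * * *"   # every six hours (assumed cadence)
  time_zone = "Etc/UTC"

  http_target {
    http_method = "POST"
    uri         = "https://${each.value.region}-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${each.value.project}/jobs/${local.job_name}:run"
    oauth_token {
      service_account_email = google_service_account.invoker[each.key].email
    }
  }
}
```

Because every resource is keyed by the same map entry, adding a project+region pair to the map and re-running terraform apply creates exactly one more independent trigger, invoker identity and IAM binding.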

Step 3

Verify and monitor

Trigger a manual job execution and confirm findings arrive in the platform.

  • Trigger manually: gcloud run jobs execute secplatform-cloud-scanner --project my-project --region us-central1
  • Stream logs: gcloud logging read 'resource.labels.job_name=secplatform-cloud-scanner' --project my-project
  • Confirm findings appear in the platform with scanner=cloud.
  • Check terraform output for all deployed job and scheduler names.

Get the source code bundle

Download the exact files used in this guide, or run the one-command installer to write them locally before deploying.

GCP cloud scanner source

Creates the Terraform module under `deploy/gcp-cloud-scanner/` so the Cloud Run deployment commands on this page work unchanged.

deploy/gcp-cloud-scanner/

    # Write the Terraform module to ./deploy/gcp-cloud-scanner/ and enter it
    bash <(curl -fsSL https://stg-blackshield.chaplau.com/source-bundles/gcp-cloud-scanner.sh)
    cd deploy/gcp-cloud-scanner

Run this

Deploy to multiple GCP projects (two commands)

    # Bootstrap the local source bundle first
    bash <(curl -fsSL https://app.yourdomain.com/source-bundles/gcp-cloud-scanner.sh)

    cd deploy/gcp-cloud-scanner

    # Authenticate
    gcloud auth application-default login

    # Export the ingestion key so it is available to both init and apply
    # (a `VAR=value cmd1 && cmd2` prefix would only apply to cmd1)
    export TF_VAR_secplatform_api_key=sp_xxxx

    # Deploy all targets defined in main.tf locals.targets
    terraform init && terraform apply -auto-approve

    # View deployed resources
    terraform output -json cloud_run_job_names
    terraform output -json scheduler_job_names

Trigger manual execution + stream logs

    # Trigger a one-off scan
    gcloud run jobs execute secplatform-cloud-scanner \
      --project my-prod-project \
      --region us-central1

    # Stream execution logs
    gcloud logging read \
      'resource.type="cloud_run_job" AND resource.labels.job_name="secplatform-cloud-scanner"' \
      --project my-prod-project \
      --limit 50 \
      --format "table(timestamp,textPayload)"

Success checks

  • terraform apply completes with no errors and outputs Cloud Run Job and Scheduler names.
  • Manual job execution succeeds: gcloud run jobs execute secplatform-cloud-scanner
  • Cloud posture findings appear in the platform Findings view within 30 minutes.