BLACKSHIELD

Public guide

Deploy the Cloud Scanner on GCP

Scan GCP project posture with Prowler via a serverless Cloud Run Job triggered by Cloud Scheduler. One Terraform apply deploys to any number of projects and regions. Audience: cloud engineers, security engineers, platform teams. Typical setup time: 5 minutes.

Before you begin

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an ingestion API key in Settings → API Keys with Ingestion scope.

Step-by-step instructions

Step 1

Prerequisites and authentication

Install Terraform, authenticate with gcloud, and set your API key.

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an Ingestion API key in Settings → API Keys.
  • Set TF_VAR_secplatform_api_key=sp_xxxx in your environment.

Step 2

Configure targets and deploy

Edit the targets map in main.tf, then apply to deploy all project+region pairs at once.

  • Bootstrap the local source bundle first, then edit deploy/gcp-cloud-scanner/main.tf and add your project IDs and regions to locals.targets.
  • Run: cd deploy/gcp-cloud-scanner && terraform init && terraform apply -auto-approve
  • Terraform creates: service account, Secret Manager secret, Cloud Run Job, Cloud Scheduler, and enables required APIs.
  • Each project+region pair is an independent deployment unit.
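To illustrate the locals.targets pattern that step 2 refers to, here is an added example of the shape such a main.tf can take; it is written for this guide and is not the module's own code. The target values, the `sp-scanner-*` service-account IDs, the `SECPLATFORM_API_KEY` variable name and the image reference are assumptions; the secretAccessor grant for the job's service account, the Cloud Scheduler job with its run.invoker grant, and API enablement are left out for space.

```hcl
variable "secplatform_api_key" { sensitive = true } # supplied via TF_VAR_secplatform_api_key
locals {
  targets = { # one entry per project+region pair; every resource below is keyed on this map
    "my-prod-project/us-central1" = { project = "my-prod-project", region = "us-central1" }
    "my-dev-project/europe-west1" = { project = "my-dev-project", region = "europe-west1" }
  }
}
resource "google_service_account" "scanner" { # dedicated identity per target, not the default compute SA
  for_each   = local.targets
  project    = each.value.project
  account_id = "sp-scanner-${replace(each.value.region, "-", "")}"
}
# The ingestion key lives in Secret Manager and is injected at run time, never baked into the image.
resource "google_secret_manager_secret" "api_key" {
  for_each  = local.targets
  project   = each.value.project
  secret_id = "secplatform-api-key-${each.value.region}"
  replication {
    auto {}
  }
}
resource "google_secret_manager_secret_version" "api_key" {
  for_each    = local.targets
  secret      = google_secret_manager_secret.api_key[each.key].id
  secret_data = var.secplatform_api_key
}
resource "google_cloud_run_v2_job" "scanner" {
  for_each = local.targets
  name     = "secplatform-cloud-scanner"
  project  = each.value.project
  location = each.value.region
  template {
    template {
      service_account = google_service_account.scanner[each.key].email
      containers {
        image = "REGISTRY/IMAGE:TAG" # placeholder: the scanner image is not given on this page
        env {
          name = "SECPLATFORM_API_KEY" # assumed name of the variable the scanner reads
          value_source {
            secret_key_ref {
              secret  = google_secret_manager_secret.api_key[each.key].secret_id
              version = "latest"
            }
          }
        }
      }
    }
  }
}
```

Adding a key to `targets` and re-running `terraform apply` creates a complete new unit for that project and region without touching the existing ones.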

Step 3

Verify and monitor

Trigger a manual job execution and confirm findings arrive in the platform.

  • Trigger manually: gcloud run jobs execute secplatform-cloud-scanner --project my-project --region us-central1
  • Stream logs: gcloud logging read 'resource.labels.job_name=secplatform-cloud-scanner' --project my-project
  • Confirm findings appear in the platform with scanner=cloud.
  • Check terraform output for all deployed job and scheduler names.

Get the source bundle

Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.

GCP cloud scanner source

Creates the Terraform module under `deploy/gcp-cloud-scanner/` so the Cloud Run deployment commands on this page work unchanged.

Target directory: `deploy/gcp-cloud-scanner/`

```bash
bash <(curl -fsSL https://stg-blackshield.chaplau.com/source-bundles/gcp-cloud-scanner.sh)
cd deploy/gcp-cloud-scanner
```

Commands to run

Deploy to multiple GCP projects (two commands)

```bash
# Bootstrap the local source bundle first
bash <(curl -fsSL https://app.yourdomain.com/source-bundles/gcp-cloud-scanner.sh)

cd deploy/gcp-cloud-scanner

# Authenticate
gcloud auth application-default login

# Deploy all targets defined in main.tf locals.targets.
# Export the key so it is visible to every terraform command below, not only to the first one.
export TF_VAR_secplatform_api_key=sp_xxxx
terraform init && terraform apply -auto-approve

# View deployed resources
terraform output -json cloud_run_job_names
terraform output -json scheduler_job_names
```

Trigger manual execution + stream logs

```bash
# Trigger a one-off scan
gcloud run jobs execute secplatform-cloud-scanner \
  --project my-prod-project \
  --region us-central1

# Read recent execution logs (a one-shot query; re-run it to see new entries)
gcloud logging read \
  'resource.type="cloud_run_job" AND resource.labels.job_name="secplatform-cloud-scanner"' \
  --project my-prod-project \
  --limit 50 \
  --format "table(timestamp,textPayload)"
```

Success checks

  • terraform apply completes with no errors and outputs Cloud Run Job and Scheduler names.
  • Manual job execution succeeds: gcloud run jobs execute secplatform-cloud-scanner
  • Cloud posture findings appear in the platform Findings view within 30 minutes.