GCP Cloud Registration
This Terraform module provides automated registration and configuration of Google Cloud Platform (GCP) organizations, folders, and projects with CrowdStrike’s Cloud Security Posture Management (CSPM) platform. The module enables keyless authentication through GCP’s Workload Identity Federation and provides security monitoring capabilities including asset inventory and optional real-time log ingestion for threat detection.
Key Features
- Multi-Scope Registration: Support for organization, folder, and project-level registrations
- Workload Identity Federation: Secure, keyless authentication using GCP’s identity federation
- Asset Inventory: Monitoring of GCP resources for security posture assessment
- Real Time Visibility & Detection (Optional): Real-time log streaming for threat detection
Architecture Overview
The module creates the following GCP resources:
- Workload Identity Pool and Provider for authentication
- IAM role bindings for CrowdStrike service principals across target scopes
- Pub/Sub topics and subscriptions for log ingestion (when RTV&D is enabled)
- Log sinks for audit log streaming (when RTV&D is enabled)
Prerequisites
Before using this module, ensure you have:
- CrowdStrike Requirements:
  - Falcon Console access with CSPM enabled
  - API credentials with the CSPM registration (Read & Write) and Cloud Security Google Cloud Registration (Read & Write) scopes
- GCP Requirements:
  - GCP project for CrowdStrike infrastructure resources
  - Appropriate IAM permissions for the deployment service account
  - Required GCP APIs enabled
```hcl
terraform {
  required_version = ">= 1.5.0"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 6.22"
    }
  }
}

provider "google" {
  project = "your-csmp-infrastructure-project"
}

module "crowdstrike_gcp_registration" {
  source = "CrowdStrike/terraform-google-cloud-registration"

  falcon_client_id     = "<Falcon API client ID>"
  falcon_client_secret = "<Falcon API client secret>"
  registration_name    = "<registration name>" # required input, see Inputs below

  # GCP Infrastructure Project
  infra_project_id = "your-csmp-infrastructure-project"

  # Registration Scope - Organization Level
  registration_type = "organization"
  organization_id   = "123456789012"

  # CrowdStrike Role ARN
  role_arn = "arn:aws:sts::111111111111:assumed-role/CrowdStrikeConnectorRoleName"

  # Optional: Enable Real Time Visibility & Detection
  enable_realtime_visibility = true

  # Optional: Log Ingestion Configuration
  log_ingestion_settings = {
    message_retention_duration       = "1209600s" # 14 days
    ack_deadline_seconds             = 300        # 5 minutes
    topic_message_retention_duration = "2592000s" # 30 days
    audit_log_types                  = ["activity", "system_event", "policy"]
    exclusion_filters = [
      "resource.labels.environment=\"test\"",
      "resource.labels.temporary=\"true\""
    ]
  }

  # Optional: Resource Naming
  resource_prefix = "cs-"
  resource_suffix = "-prod"

  # Optional: Resource Labels
  labels = {
    environment = "production"
    project     = "crowdstrike-integration"
    cstagvendor = "crowdstrike"
  }
}
```

Providers
| Name | Version |
|---|---|
| crowdstrike | >= 0.0.55 |
| google | >= 6.22 |
Resources
| Name | Type |
|---|---|
| crowdstrike_cloud_google_registration.main | resource |
| crowdstrike_cloud_google_registration_settings.main | resource |
| google_project.wif_project | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| deployment_method | Deployment method for the CrowdStrike GCP registration | string | "terraform-native" | no |
| enable_realtime_visibility | Enable Real Time Visibility and Detection (RTV&D) features via log ingestion | bool | false | no |
| excluded_project_patterns | List of shell-style patterns to exclude specific projects from CSPM registration. Supports wildcards (* and ?). Projects matching these patterns will be excluded from asset inventory and log ingestion. Examples: ‘sys-*’, ‘dev-?’. | list(string) | [] | no |
| folder_ids | List of Google Cloud folders being registered | list(string) | [] | no |
| infra_project_id | Google Cloud Project ID where CrowdStrike infrastructure resources will be deployed | string | n/a | yes |
| infrastructure_manager_region | The Google Cloud region for Infrastructure Manager. Required when deployment_method is infrastructure-manager | string | null | no |
| labels | Map of labels to be applied to all resources created by this module | map(string) | {} | no |
| log_ingestion_settings | Configuration settings for log ingestion. Controls Pub/Sub topic and subscription settings, audit log types, schema validation, and allows using existing resources. | object({...}) | {} | no |
| organization_id | GCP Organization ID for organization-level registration | string | null | no |
| project_ids | List of Google Cloud projects being registered | list(string) | [] | no |
| registration_name | Name for the CrowdStrike GCP registration | string | n/a | yes |
| registration_type | Type of registration: organization, folder, or project | string | n/a | yes |
| resource_prefix | Prefix to be added to all created resource names for identification | string | null | no |
| resource_suffix | Suffix to be added to all created resource names for identification | string | null | no |
| role_arn | AWS Role ARN used by CrowdStrike for authentication | string | n/a | yes |
| wif_project_id | Google Cloud Project ID where the CrowdStrike workload identity federation pool resources are deployed. Defaults to infra_project_id if not specified | string | null | no |
Outputs
| Name | Description |
|---|---|
| log_sink_names | Names of the created log sinks (if RTV&D enabled) |
| log_subscription_id | The ID of the Pub/Sub subscription for log ingestion (if RTV&D enabled) |
| log_topic_id | The ID of the Pub/Sub topic for log ingestion (if RTV&D enabled) |
| registration_id | The unique CrowdStrike registration ID for this GCP setup |
| wif_iam_principal | The IAM principal that CrowdStrike uses to access GCP resources |
| wif_pool_id | The ID of the created Workload Identity Pool |
| wif_pool_provider_id | The ID of the created Workload Identity Pool Provider |
| wif_project_id | The GCP Project ID where Workload Identity resources were created |
| wif_project_number | The GCP Project Number for the Workload Identity project |
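As an added example that is not part of the module's own documentation: a folder-scoped registration built from the inputs above, with the Falcon API secret kept out of the configuration file, the Workload Identity Federation pool placed in a project separate from the Pub/Sub and log-sink infrastructure, sandbox projects excluded by pattern, and two of the module outputs surfaced for later IAM review. Every folder ID, project ID, registration name and role ARN below is a constructed placeholder, and the `log_ingestion_settings` attributes are assumed to be the ones used in the organization-level example earlier on this page.

```hcl
# Added example (not the module's own code): folder-level registration.
# All IDs and names are constructed placeholders.

# Keep Falcon API credentials out of source control: supply them via
# TF_VAR_falcon_client_id / TF_VAR_falcon_client_secret or a tfvars file
# that is not committed. `sensitive = true` redacts them from plan output.
variable "falcon_client_id" {
  type      = string
  sensitive = true
}

variable "falcon_client_secret" {
  type      = string
  sensitive = true
}

provider "google" {
  project = "cs-infra-project" # placeholder: hosts Pub/Sub topic, subscription and log sinks
}

module "crowdstrike_gcp_folders" {
  source = "CrowdStrike/terraform-google-cloud-registration"

  falcon_client_id     = var.falcon_client_id
  falcon_client_secret = var.falcon_client_secret
  registration_name    = "prod-folders" # placeholder

  # Folder-level scope: projects under these folders are registered
  registration_type = "folder"
  folder_ids        = ["111111111111", "222222222222"] # placeholder folder IDs

  # Shell-style patterns (* and ?); matching projects are skipped for
  # asset inventory and log ingestion
  excluded_project_patterns = ["sandbox-*", "tmp-?"]

  # Split the footprint: log infrastructure in one project, the WIF pool
  # and provider in a dedicated identity project
  infra_project_id = "cs-infra-project"
  wif_project_id   = "cs-identity-project"

  # Placeholder; use the ARN shown in the Falcon Console for your registration
  role_arn = "arn:aws:sts::111111111111:assumed-role/CrowdStrikeConnectorRoleName"

  enable_realtime_visibility = true
  log_ingestion_settings = {
    message_retention_duration       = "604800s"  # 7 days
    ack_deadline_seconds             = 120        # 2 minutes
    topic_message_retention_duration = "1209600s" # 14 days
    audit_log_types                  = ["activity", "policy"]
    exclusion_filters                = ["resource.labels.environment=\"test\""]
  }

  resource_prefix = "cs-"
  labels = {
    environment = "production"
    cstagvendor = "crowdstrike"
  }
}

# The principal CrowdStrike authenticates as: this is the identity to look
# for when reviewing IAM bindings on the registered folders.
output "crowdstrike_principal" {
  value = module.crowdstrike_gcp_folders.wif_iam_principal
}

# The topic the audit-log sinks publish to, useful when confirming that
# log delivery is flowing after apply.
output "crowdstrike_log_topic" {
  value = module.crowdstrike_gcp_folders.log_topic_id
}
```

After `terraform apply`, `terraform output crowdstrike_principal` gives the exact federated identity to check in the IAM policy of each registered folder, and `crowdstrike_log_topic` is the topic whose subscription backlog indicates whether RTV&D ingestion is keeping up.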