Forseti Visualizer — must-have.

  • A service account used to connect to Google Cloud SQL and to run the virtual machine.
  • A Debian server for the application (Node.js 10).
  • A certificate with associated DNS records.
  • Google HTTPS LoadBalancer.
  • Google IAP Proxy.
  1. The first step — let’s create a service account. You can use the Google Cloud Console or the Google Cloud SDK. I am showing how to do it with the SDK:
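# 1. Service account for the visualizer VM and its Cloud SQL connection.
#    [PROJECT_ID] is a placeholder: substitute your own project id everywhere.
gcloud iam service-accounts create forseti-visualiser --project [PROJECT_ID]

# Grant only the Cloud SQL client role (the one role this guide needs).
# The original ran this and the key creation fused on one line and spelled
# the flag "-- member".
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member serviceAccount:forseti-visualiser@[PROJECT_ID].iam.gserviceaccount.com \
  --role roles/cloudsql.client

# Long-lived key file: keep it root/owner-readable only and delete it when it
# is no longer needed. NOTE(review): the VM is created with this same service
# account attached, so the proxy can likely use instance credentials instead of
# a key file — verify before relying on that.
gcloud iam service-accounts keys create key.json \
  --iam-account=forseti-visualiser@[PROJECT_ID].iam.gserviceaccount.com
chmod 600 key.json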
# 2. Debian VM that hosts the visualizer. It runs as the service account
#    created above and has no external IP (--no-address); it is reached
#    through IAP later on.
gcloud beta compute instances create forseti-visualiser \
  --project=[PROJECT_ID] \
  --zone=[ZONE] \
  --machine-type=n1-standard-1 \
  --subnet=[SUBNET] \
  --no-address \
  --service-account=forseti-visualiser@[PROJECT_ID].iam.gserviceaccount.com \
  --image-project=debian-cloud \
  --image=debian-9-stretch-v20200618
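# 3. Look up the Cloud SQL connection name; it becomes [DB_CONNECTION] in the
#    proxy unit. --format prints just the field instead of grepping the output.
gcloud sql instances list --project [PROJECT_ID]
gcloud sql instances describe [DB_SERVER] --project [PROJECT_ID] \
  --format='value(connectionName)'

# 4. SSH to the VM through the IAP tunnel (the VM has no public address).
gcloud beta compute ssh forseti-visualiser \
  --zone [ZONE] --project [PROJECT_ID] --tunnel-through-iap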
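# --- on the VM, as root ---
sudo -i
mkdir -p /cloudsqlproxy
cd /cloudsqlproxy || exit 1

# --- on your workstation: copy the key through the IAP tunnel ---
# (the original had a trailing space after the first "\", which breaks the
# line continuation)
gcloud beta compute scp key.json \
  [YOUR_LOGIN]@forseti-visualiser:key.json \
  --tunnel-through-iap --project [PROJECT_ID] \
  --zone [ZONE]

# --- back on the VM ---
mv /home/[YOUR_LOGIN]/key.json /cloudsqlproxy/
chmod 600 /cloudsqlproxy/key.json   # long-lived credential: root-only

# Proxy binary. The original fused wget and chmod onto one line.
# NOTE(review): this runs an unverified download as root; check the binary
# against a published checksum/signature if one is available.
wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
chmod +x cloud_sql_proxy

# systemd unit. ExecStart must be ONE line: the original broke it across two
# lines without a continuation, leaving -credential_file as a stray directive.
# NOTE(review): the VM already runs as this service account, so the proxy may
# not need -credential_file at all — verify, then drop the key file.
cat > /lib/systemd/system/cloud-sql-proxy.service << 'EOF'
[Unit]
Description=Google Cloud Compute Engine SQL Proxy
Requires=networking.service
After=networking.service

[Service]
Type=simple
WorkingDirectory=/cloudsqlproxy
ExecStart=/cloudsqlproxy/cloud_sql_proxy -dir=/cloudsqlproxy/cloud-sql-proxy -instances=[DB_CONNECTION]=tcp:3306 -credential_file=/cloudsqlproxy/key.json
Restart=always
StandardOutput=journal
User=root

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable cloud-sql-proxy.service
systemctl start cloud-sql-proxy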
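# Node.js 10 from NodeSource. Save the setup script to a file and read it
# before it runs as root, instead of piping curl straight into bash; -f makes
# curl fail on an HTTP error rather than handing an error page to bash.
curl -fsSL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh
# inspect nodesource_setup.sh here
bash nodesource_setup.sh
apt-get install -y nodejs git

npm install -g @vue/cli
npm install d3

# Clone and build the UI. The original split "git clone" and its URL over
# two lines.
cd / || exit 1
git clone https://github.com/forseti-security/forseti-visualizer.git
cd forseti-visualizer/forseti-visualizer-ui/ || exit 1
npm install
npm audit fix
npm update yargs-parser
npm audit          # re-check: expect no remaining findings before building
npm run build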
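# The DB user the Forseti server itself runs with (presumably read on the
# Forseti server VM); the visualizer API reuses that account below.
sudo grep forseti_security_user /lib/systemd/system/forseti.service

# The original fused "cd ../forseti-api/" and "cat > source.env".
cd ../forseti-api/ || exit 1

# Runtime configuration. It holds the DB password, so values are quoted and
# the file is made unreadable to other users; keep it out of version control.
cat > source.env << 'EOF'
export API_HOST="0.0.0.0"
export API_PORT="80"
export CLOUDSQL_HOSTNAME="127.0.0.1"
export CLOUDSQL_USERNAME="forseti_security_user"
export CLOUDSQL_PASSWORD="[DB_PASSWORD]"
export CLOUDSQL_SCHEMA="forseti_security"
export PROJECT_ID="[PROJECT_ID]"
EOF
chmod 600 source.env

sudo npm install
sudo npm audit fix
# shellcheck disable=SC1091
source source.env
# Binds port 80 as root (API_PORT above). NOTE(review): for anything beyond a
# first test, run it as an unprivileged user from a systemd unit instead.
npm start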
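# 5. Publish the VM behind a global HTTPS load balancer.
#    (The original fused several command pairs onto single lines and used a
#    literal project id in two places; all of them use [PROJECT_ID] here.)
gcloud compute instance-groups unmanaged create forseti-visualiser-ig \
  --zone=[ZONE] --project=[PROJECT_ID]
gcloud compute instance-groups unmanaged add-instances forseti-visualiser-ig \
  --instances=forseti-visualiser --zone=[ZONE] --project=[PROJECT_ID]

# Static global IP. Point the [FQDN] DNS record at it; the managed certificate
# is only issued once the name resolves to this address.
gcloud compute addresses create forseti-visualiser --global --project [PROJECT_ID]
gcloud compute addresses list --project [PROJECT_ID]

gcloud beta compute ssl-certificates create forseti-visualiser \
  --domains=[FQDN] --global --project=[PROJECT_ID]

# Only the load-balancer / health-check source ranges may reach port 80 on the
# VM, and the rule targets the VM's service account rather than a network tag.
gcloud compute firewall-rules create lb-to-forseti-visualiser \
  --project=[PROJECT_ID] \
  --direction=INGRESS --priority=100 --network=[NETWORK] \
  --action=ALLOW --rules=tcp:80 \
  --source-ranges=130.211.0.0/22,35.191.0.0/16 \
  --target-service-accounts=forseti-visualiser@[PROJECT_ID].iam.gserviceaccount.com

gcloud compute health-checks create http forseti-visualiser-hc \
  --port 80 --project [PROJECT_ID]
gcloud compute backend-services create forseti-visualiser-backend \
  --protocol HTTP \
  --health-checks forseti-visualiser-hc \
  --global \
  --project [PROJECT_ID]
gcloud compute backend-services add-backend forseti-visualiser-backend \
  --instance-group=forseti-visualiser-ig \
  --instance-group-zone=[ZONE] \
  --global \
  --project [PROJECT_ID]
gcloud compute url-maps create forseti-https \
  --default-service forseti-visualiser-backend \
  --project [PROJECT_ID]
gcloud compute target-https-proxies create forseti-visualiser-proxy \
  --url-map forseti-https \
  --ssl-certificates forseti-visualiser \
  --project [PROJECT_ID]

# [IP_ADDRESS] is the address reserved above (see "addresses list"). The
# original passed --address twice with two different values.
gcloud compute forwarding-rules create forseti-frontend \
  --address=[IP_ADDRESS] \
  --global \
  --target-https-proxy=forseti-visualiser-proxy \
  --ports=443 \
  --project=[PROJECT_ID]

# The certificate's status should move to ACTIVE once DNS is in place.
gcloud compute ssl-certificates list --project [PROJECT_ID]

# NOTE(review): enabling the IAP API does not protect anything by itself; IAP
# still has to be turned on for the backend service and access granted to the
# intended identities, which this guide does not show.
gcloud services enable iap.googleapis.com --project [PROJECT_ID]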
