BLACKSHIELD

Public guide

Deploy the Cloud Scanner on GCP

Scan GCP project posture with Prowler via a serverless Cloud Run Job triggered by Cloud Scheduler. One Terraform apply deploys to any number of projects and regions. Audience: cloud engineers, security engineers, platform teams. Typical setup time: 5 minutes.


Before you begin

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an ingestion API key in Settings → API Keys with Ingestion scope.

Quick path

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

Get the source bundle

Download the exact files used in this guide, or run the one-command installer to write them locally before deploying.

GCP cloud scanner source

Creates the Terraform module under `deploy/gcp-cloud-scanner/` and prefills the current platform API URL so the Cloud Run deployment commands on this page work unchanged.

deploy/gcp-cloud-scanner/
```bash
BLACKSHIELD_CLOUD_IMAGE=public.ecr.aws/blackshield-security/cloud-scanner:1.0.0 \
BLACKSHIELD_SITE_URL=https://blackshield.chaplau.com \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gcp-cloud-scanner.sh)
cd deploy/gcp-cloud-scanner
```

Run this

Deploy to multiple GCP projects (two commands)

```bash
# Bootstrap the local source bundle first
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gcp-cloud-scanner.sh)

cd deploy/gcp-cloud-scanner

# Authenticate
gcloud auth application-default login

# Deploy all targets defined in main.tf locals.targets.
# Export the key so that both commands in the chain see it: a `VAR=value cmd1 && cmd2`
# prefix only applies to cmd1, so `terraform apply` would prompt for the variable.
export TF_VAR_blackshield_api_key=sp_xxxx
terraform init && terraform apply -auto-approve

# View deployed resources
terraform output -json cloud_run_job_names
terraform output -json scheduler_job_names
```

Trigger manual execution + stream logs

```bash
# Trigger a one-off scan
gcloud run jobs execute blackshield-cloud-scanner \
  --project my-prod-project \
  --region us-central1

# Stream execution logs
gcloud logging read \
  'resource.type="cloud_run_job" AND resource.labels.job_name="blackshield-cloud-scanner"' \
  --project my-prod-project \
  --limit 50 \
  --format "table(timestamp,textPayload)"
```

Understand and customize

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Step 1

Prerequisites and authentication

Install Terraform, authenticate with gcloud, and set your API key.

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an Ingestion API key in Settings → API Keys.
  • Set TF_VAR_blackshield_api_key=sp_xxxx in your environment.

Step 2

Configure targets and deploy

Edit the targets map in main.tf, then apply to deploy all project+region pairs at once.

  • Bootstrap the local source bundle first. It prefills `BLACKSHIELD_API_URL` from the deployed platform and writes the Terraform module to `deploy/gcp-cloud-scanner/`.
  • Edit deploy/gcp-cloud-scanner/main.tf — add your project IDs and regions to locals.targets.
  • Run: cd deploy/gcp-cloud-scanner && terraform init && terraform apply -auto-approve
  • Terraform creates: service account, Secret Manager secret, Cloud Run Job, Cloud Scheduler, and enables required APIs.
  • Each project+region pair is an independent deployment unit.
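The guide tells you to edit `locals.targets` but does not show what the module around it looks like. The following is an added, illustrative Terraform layout written for this page; it is not the BlackShield module's own `main.tf`. It assumes the map shape `{ key = { project, region } }`, that the scanner image reads `BLACKSHIELD_API_URL` and `BLACKSHIELD_API_KEY` from its environment, and that Prowler only needs `roles/viewer`; the project IDs, schedule and API list are constructed placeholders. Each project+region pair becomes one Cloud Run Job plus one Scheduler job, while the service account and secret are created once per project.

```hcl
terraform {
  required_version = ">= 1.7"
  required_providers {
    google = { source = "hashicorp/google", version = ">= 5.0" }
  }
}

variable "blackshield_api_key" {
  type      = string
  sensitive = true # supplied via TF_VAR_blackshield_api_key, never written to main.tf
}
variable "blackshield_api_url" { default = "https://api.blackshield.chaplau.com" }
variable "scanner_image" { default = "public.ecr.aws/blackshield-security/cloud-scanner:1.0.0" }

locals {
  # One entry per project+region pair; these IDs are constructed examples.
  targets = {
    "my-prod-project/us-central1" = { project = "my-prod-project", region = "us-central1" }
    "my-dev-project/europe-west1" = { project = "my-dev-project", region = "europe-west1" }
  }
  projects = toset(distinct([for t in local.targets : t.project]))
  # Assumed API list; adjust to what the real module enables.
  apis = ["run.googleapis.com", "cloudscheduler.googleapis.com", "secretmanager.googleapis.com"]
}

# Enable APIs once per distinct project, not once per region.
resource "google_project_service" "apis" {
  for_each = { for p in setproduct(local.projects, local.apis) : "${p[0]}/${p[1]}" => p }
  project  = each.value[0]
  service  = each.value[1]
}

# Read-only identity: posture scanning never needs write access.
resource "google_service_account" "scanner" {
  for_each     = local.projects
  project      = each.key
  account_id   = "blackshield-cloud-scanner"
  display_name = "BlackShield cloud scanner (read-only)"
}
resource "google_project_iam_member" "scanner_viewer" {
  for_each = local.projects
  project  = each.key
  role     = "roles/viewer"
  member   = "serviceAccount:${google_service_account.scanner[each.key].email}"
}

# Ingestion key lives in Secret Manager and is mounted into the job as an env var.
resource "google_secret_manager_secret" "api_key" {
  for_each  = local.projects
  project   = each.key
  secret_id = "blackshield-api-key"
  replication { auto {} }
}
resource "google_secret_manager_secret_version" "api_key" {
  for_each    = local.projects
  secret      = google_secret_manager_secret.api_key[each.key].id
  secret_data = var.blackshield_api_key
}
resource "google_secret_manager_secret_iam_member" "scanner_reads_key" {
  for_each  = local.projects
  project   = each.key
  secret_id = google_secret_manager_secret.api_key[each.key].secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.scanner[each.key].email}"
}

resource "google_cloud_run_v2_job" "scanner" {
  for_each = local.targets
  project  = each.value.project
  location = each.value.region
  name     = "blackshield-cloud-scanner"
  template {
    template {
      service_account = google_service_account.scanner[each.value.project].email
      containers {
        image = var.scanner_image
        env {
          name  = "BLACKSHIELD_API_URL"
          value = var.blackshield_api_url
        }
        env {
          name = "BLACKSHIELD_API_KEY"
          value_source {
            secret_key_ref {
              secret  = google_secret_manager_secret.api_key[each.value.project].secret_id
              version = "latest"
            }
          }
        }
      }
    }
  }
  depends_on = [google_project_service.apis]
}

# Scheduler calls the job's :run endpoint; the SA needs run.invoker on that job only.
resource "google_cloud_run_v2_job_iam_member" "scheduler_invokes" {
  for_each = local.targets
  project  = each.value.project
  location = each.value.region
  name     = google_cloud_run_v2_job.scanner[each.key].name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.scanner[each.value.project].email}"
}
resource "google_cloud_scheduler_job" "trigger" {
  for_each = local.targets
  project  = each.value.project
  region   = each.value.region
  name     = "blackshield-cloud-scanner"
  schedule = "0 3 * * *" # daily at 03:00 UTC; constructed example schedule
  http_target {
    http_method = "POST"
    uri         = "https://run.googleapis.com/v2/projects/${each.value.project}/locations/${each.value.region}/jobs/${google_cloud_run_v2_job.scanner[each.key].name}:run"
    oauth_token { service_account_email = google_service_account.scanner[each.value.project].email }
  }
}

output "cloud_run_job_names" { value = { for k, j in google_cloud_run_v2_job.scanner : k => j.name } }
output "scheduler_job_names" { value = { for k, s in google_cloud_scheduler_job.trigger : k => s.name } }
```

Two points worth checking when you adapt this to the real module: the API key should only ever reach the job through a Secret Manager reference (a plain `value =` env var would show up in `gcloud run jobs describe` output), and the scanner identity should carry `roles/viewer` plus `run.invoker` on its own job and nothing broader, so a compromised scanner container cannot change the project it audits.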

Step 3

Verify and monitor

Trigger a manual job execution and confirm findings arrive in the platform.

  • Trigger manually: gcloud run jobs execute blackshield-cloud-scanner --project my-project --region us-central1
  • Stream logs: gcloud logging read 'resource.type="cloud_run_job" AND resource.labels.job_name="blackshield-cloud-scanner"' --project my-project
  • Confirm findings appear in the platform with scanner=cloud.
  • Check terraform output for all deployed job and scheduler names.

What success looks like

  • terraform apply completes with no errors and outputs Cloud Run Job and Scheduler names.
  • Manual job execution succeeds: gcloud run jobs execute blackshield-cloud-scanner
  • Cloud posture findings appear in the platform Findings view within 30 minutes.