admin_disable_polling |
Whether to disable polling for Admin API |
bool |
"false" |
no |
admin_max_calls |
Maximum calls that can be made to Admin API |
string |
"14" |
no |
admin_period |
The period of max calls for the Admin API (in seconds) |
string |
"1.0" |
no |
appengine_disable_polling |
Whether to disable polling for App Engine API |
bool |
"false" |
no |
appengine_max_calls |
Maximum calls that can be made to App Engine API |
string |
"18" |
no |
appengine_period |
The period of max calls for the App Engine API (in seconds) |
string |
"1.0" |
no |
audit_logging_enabled |
Audit Logging scanner enabled. |
bool |
"false" |
no |
audit_logging_violations_should_notify |
Notify for Audit logging violations |
bool |
"true" |
no |
bigquery_acl_violations_should_notify |
Notify for BigQuery ACL violations |
bool |
"true" |
no |
bigquery_disable_polling |
Whether to disable polling for Big Query API |
bool |
"false" |
no |
bigquery_enabled |
Big Query scanner enabled. |
bool |
"true" |
no |
bigquery_max_calls |
Maximum calls that can be made to Big Query API |
string |
"160" |
no |
bigquery_period |
The period of max calls for the Big Query API (in seconds) |
string |
"1.0" |
no |
blacklist_enabled |
Blacklist scanner enabled. |
bool |
"true" |
no |
blacklist_violations_should_notify |
Notify for Blacklist violations |
bool |
"true" |
no |
bucket_acl_enabled |
Bucket ACL scanner enabled. |
bool |
"true" |
no |
bucket_cai_lifecycle_age |
GCS CAI lifecycle age value |
string |
"14" |
no |
bucket_cai_location |
GCS CAI storage bucket location |
string |
"us-central1" |
no |
buckets_acl_violations_should_notify |
Notify for Buckets ACL violations |
bool |
"true" |
no |
cai_api_timeout |
Timeout in seconds to wait for the exportAssets API to return success. |
string |
"3600" |
no |
client_access_config |
Client instance 'access_config' block |
map(any) |
<map> |
no |
client_boot_image |
GCE Forseti Client boot image |
string |
"ubuntu-os-cloud/ubuntu-1804-lts" |
no |
client_enabled |
Enable Client VM |
bool |
"true" |
no |
client_instance_metadata |
Metadata key/value pairs to make available from within the client instance. |
map(string) |
<map> |
no |
client_private |
Private GCE Forseti Client VM (no public IP) |
bool |
"false" |
no |
client_region |
GCE Forseti Client region |
string |
"us-central1" |
no |
client_ssh_allow_ranges |
List of CIDRs that will be allowed SSH access to the Forseti client |
list(string) |
<list> |
no |
client_tags |
GCE Forseti Client VM Tags |
list(string) |
<list> |
no |
client_type |
GCE Forseti Client machine type |
string |
"n1-standard-2" |
no |
cloud_profiler_enabled |
Enable the Cloud Profiler |
bool |
"false" |
no |
cloudasset_disable_polling |
Whether to disable polling for Cloud Asset API |
bool |
"false" |
no |
cloudasset_max_calls |
Maximum calls that can be made to Cloud Asset API |
string |
"1" |
no |
cloudasset_period |
The period of max calls for the Cloud Asset API (in seconds) |
string |
"1.0" |
no |
cloudbilling_disable_polling |
Whether to disable polling for Cloud Billing API |
bool |
"false" |
no |
cloudbilling_max_calls |
Maximum calls that can be made to Cloud Billing API |
string |
"5" |
no |
cloudbilling_period |
The period of max calls for the Cloud Billing API (in seconds) |
string |
"1.2" |
no |
cloudsql_acl_enabled |
Cloud SQL scanner enabled. |
bool |
"true" |
no |
cloudsql_acl_violations_should_notify |
Notify for CloudSQL ACL violations |
bool |
"true" |
no |
cloudsql_db_name |
CloudSQL database name |
string |
"forseti_security" |
no |
cloudsql_disk_size |
The size of data disk, in GB. Size of a running instance cannot be reduced but can be increased. |
string |
"25" |
no |
cloudsql_net_write_timeout |
See MySQL documentation: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_net_write_timeout |
string |
"240" |
no |
cloudsql_password |
CloudSQL password |
string |
"" |
no |
cloudsql_private |
Whether to use a private network and not create a public IP for the CloudSQL instance |
bool |
"false" |
no |
cloudsql_region |
CloudSQL region |
string |
"us-central1" |
no |
cloudsql_type |
CloudSQL Instance size |
string |
"db-n1-standard-4" |
no |
cloudsql_user |
CloudSQL user |
string |
"forseti_security_user" |
no |
cloudsql_user_host |
The host the user can connect from. Can be an IP address or IP address range. Changing this forces a new resource to be created. |
string |
"%" |
no |
composite_root_resources |
A list of root resources that Forseti will monitor. This supersedes the root_resource_id when set. |
list(string) |
<list> |
no |
compute_disable_polling |
Whether to disable polling for Compute API |
bool |
"false" |
no |
compute_max_calls |
Maximum calls that can be made to Compute API |
string |
"18" |
no |
compute_period |
The period of max calls for the Compute API (in seconds) |
string |
"1.0" |
no |
config_validator_enabled |
Config Validator scanner enabled. |
bool |
"false" |
no |
config_validator_violations_should_notify |
Notify for Config Validator violations. |
bool |
"true" |
no |
container_disable_polling |
Whether to disable polling for Container API |
bool |
"false" |
no |
container_max_calls |
Maximum calls that can be made to Container API |
string |
"9" |
no |
container_period |
The period of max calls for the Container API (in seconds) |
string |
"1.0" |
no |
crm_disable_polling |
Whether to disable polling for CRM API |
bool |
"false" |
no |
crm_max_calls |
Maximum calls that can be made to CRM API |
string |
"4" |
no |
crm_period |
The period of max calls for the CRM API (in seconds) |
string |
"1.2" |
no |
cscc_source_id |
Source ID for CSCC Beta API |
string |
"" |
no |
cscc_violations_enabled |
Notify for CSCC violations |
bool |
"false" |
no |
domain |
The domain associated with the GCP Organization ID |
string |
n/a |
yes |
enable_cai_bucket |
Create a GCS bucket for CAI exports |
bool |
"true" |
no |
enable_service_networking |
Create a global service networking peering connection at the VPC level |
bool |
"true" |
no |
enable_write |
Enable or disable write actions |
bool |
"false" |
no |
enabled_apis_enabled |
Enabled APIs scanner enabled. |
bool |
"false" |
no |
enabled_apis_violations_should_notify |
Notify for enabled APIs violations |
bool |
"true" |
no |
excluded_resources |
A list of resources to exclude during the inventory phase. |
list(string) |
<list> |
no |
external_project_access_violations_should_notify |
Notify for External Project Access violations |
bool |
"true" |
no |
firewall_rule_enabled |
Firewall rule scanner enabled. |
bool |
"true" |
no |
firewall_rule_violations_should_notify |
Notify for Firewall rule violations |
bool |
"true" |
no |
folder_id |
GCP Folder that the Forseti project will be deployed into |
string |
"" |
no |
forseti_email_recipient |
Email address that receives Forseti notifications |
string |
"" |
no |
forseti_email_sender |
Email address that sends the Forseti notifications |
string |
"" |
no |
forseti_home |
Forseti installation directory |
string |
"$USER_HOME/forseti-security" |
no |
forseti_repo_url |
Git repo for the Forseti installation |
string |
"https://github.com/forseti-security/forseti-security" |
no |
forseti_run_frequency |
Schedule of running the Forseti scans |
string |
"null" |
no |
forseti_version |
The version of Forseti to install |
string |
"v2.25.1" |
no |
forwarding_rule_enabled |
Forwarding rule scanner enabled. |
bool |
"false" |
no |
forwarding_rule_violations_should_notify |
Notify for forwarding rule violations |
bool |
"true" |
no |
git_sync_image |
The container image used by the config-validator git-sync side-car |
string |
"gcr.io/google-containers/git-sync" |
no |
git_sync_private_ssh_key_file |
The file containing the private SSH key allowing the git-sync to clone the policy library repository. |
string |
"null" |
no |
git_sync_wait |
The number of seconds between git-syncs |
string |
"30" |
no |
gke_node_pool_name |
The name of the GKE node-pool where Forseti is being deployed |
string |
"default-pool" |
no |
group_enabled |
Group scanner enabled. |
bool |
"true" |
no |
groups_settings_disable_polling |
Whether to disable polling for the G Suite Groups API |
bool |
"false" |
no |
groups_settings_enabled |
Groups settings scanner enabled. |
bool |
"true" |
no |
groups_settings_max_calls |
Maximum calls that can be made to the G Suite Groups API |
string |
"5" |
no |
groups_settings_period |
The period of max calls for the G Suite Groups API |
string |
"1.1" |
no |
groups_settings_violations_should_notify |
Notify for groups settings violations |
bool |
"true" |
no |
groups_violations_should_notify |
Notify for Groups violations |
bool |
"true" |
no |
gsuite_admin_email |
G-Suite administrator email address to manage your Forseti installation |
string |
"" |
no |
helm_chart_version |
The version of the Helm chart to use |
string |
"2.2.0" |
no |
helm_repository_url |
The Helm repository containing the 'forseti-security' Helm charts |
string |
"https://forseti-security-charts.storage.googleapis.com/release/" |
no |
iam_disable_polling |
Whether to disable polling for IAM API |
bool |
"false" |
no |
iam_max_calls |
Maximum calls that can be made to IAM API |
string |
"90" |
no |
iam_period |
The period of max calls for the IAM API (in seconds) |
string |
"1.0" |
no |
iam_policy_enabled |
IAM Policy scanner enabled. |
bool |
"true" |
no |
iam_policy_violations_should_notify |
Notify for IAM Policy violations |
bool |
"true" |
no |
iam_policy_violations_slack_webhook |
Slack webhook for IAM Policy violations |
string |
"" |
no |
iap_enabled |
IAP scanner enabled. |
bool |
"true" |
no |
iap_violations_should_notify |
Notify for IAP violations |
bool |
"true" |
no |
instance_network_interface_enabled |
Instance network interface scanner enabled. |
bool |
"false" |
no |
instance_network_interface_violations_should_notify |
Notify for instance network interface violations |
bool |
"true" |
no |
inventory_email_summary_enabled |
Email summary for inventory enabled |
bool |
"false" |
no |
inventory_gcs_summary_enabled |
GCS summary for inventory enabled |
bool |
"true" |
no |
inventory_retention_days |
Number of days to retain inventory data. |
string |
"-1" |
no |
k8s_config_validator_image |
The container image used by the config-validator |
string |
"gcr.io/forseti-containers/config-validator" |
no |
k8s_config_validator_image_tag |
The tag for the config-validator image. |
string |
"e018e7c" |
no |
k8s_forseti_namespace |
The Kubernetes namespace in which to deploy Forseti. |
string |
"forseti" |
no |
k8s_forseti_orchestrator_image |
The container image for the Forseti orchestrator |
string |
"gcr.io/forseti-containers/forseti" |
no |
k8s_forseti_orchestrator_image_tag |
The tag for the container image for the Forseti orchestrator |
string |
"v2.25.1" |
no |
k8s_forseti_server_image |
The container image for the Forseti server |
string |
"gcr.io/forseti-containers/forseti" |
no |
k8s_forseti_server_image_tag |
The tag for the container image for the Forseti server |
string |
"v2.25.1" |
no |
k8s_forseti_server_ingress_cidr |
If network_policy is true, k8s_forseti_server_ingress_cidr restricts connections to the Forseti Server service to the CIDRs specified |
string |
"" |
no |
k8s_tiller_sa_name |
The Kubernetes Service Account used by Tiller |
string |
"tiller" |
no |
ke_scanner_enabled |
KE scanner enabled. |
bool |
"false" |
no |
ke_version_scanner_enabled |
KE version scanner enabled. |
bool |
"true" |
no |
ke_version_violations_should_notify |
Notify for KE version violations |
bool |
"true" |
no |
ke_violations_should_notify |
Notify for KE violations |
bool |
"true" |
no |
kms_scanner_enabled |
KMS scanner enabled. |
bool |
"true" |
no |
kms_violations_should_notify |
Notify for KMS violations |
bool |
"true" |
no |
kms_violations_slack_webhook |
Slack webhook for KMS violations |
string |
"" |
no |
lien_enabled |
Lien scanner enabled. |
bool |
"true" |
no |
lien_violations_should_notify |
Notify for lien violations |
bool |
"true" |
no |
load_balancer |
The type of load balancer to deploy for the forseti-server if desired: none, external, internal |
string |
"internal" |
no |
location_enabled |
Location scanner enabled. |
bool |
"true" |
no |
location_violations_should_notify |
Notify for location violations |
bool |
"true" |
no |
log_sink_enabled |
Log sink scanner enabled. |
bool |
"true" |
no |
log_sink_violations_should_notify |
Notify for log sink violations |
bool |
"true" |
no |
logging_disable_polling |
Whether to disable polling for Logging API |
bool |
"false" |
no |
logging_max_calls |
Maximum calls that can be made to Logging API |
string |
"9" |
no |
logging_period |
The period of max calls for the Logging API (in seconds) |
string |
"1.0" |
no |
manage_firewall_rules |
Create client firewall rules |
bool |
"true" |
no |
manage_rules_enabled |
A toggle to enable or disable the management of rules |
bool |
"true" |
no |
network |
The VPC where the Forseti client and server will be created |
string |
"default" |
no |
network_policy |
Apply pod network policies |
bool |
"false" |
no |
network_project |
The project containing the VPC and subnetwork where the Forseti client and server will be created |
string |
"" |
no |
org_id |
GCP Organization ID that Forseti will have purview over |
string |
"" |
no |
policy_library_repository_branch |
The specific git branch containing the policies. |
string |
"master" |
no |
policy_library_repository_url |
The git repository containing the policy-library. |
string |
"" |
no |
policy_library_sync_enabled |
Sync config validator policy library from private repository. |
bool |
"false" |
no |
policy_library_sync_gcs_directory_name |
The directory name of the GCS folder used for the policy library sync config. |
string |
"policy_library_sync" |
no |
policy_library_sync_git_sync_tag |
Tag for the git-sync image. |
string |
"v3.1.2" |
no |
production |
Whether or not to deploy Forseti on GKE in a production configuration |
bool |
"true" |
no |
project_id |
Google Project ID that you want Forseti deployed into |
string |
n/a |
yes |
recreate_pods |
Instructs the helm_release resource to, on update, perform pod restarts for the resources if applicable. |
bool |
"true" |
no |
resource_enabled |
Resource scanner enabled. |
bool |
"true" |
no |
resource_name_suffix |
A suffix which will be appended to resource names. |
string |
"null" |
no |
resource_violations_should_notify |
Notify for resource violations |
bool |
"true" |
no |
retention_enabled |
Retention scanner enabled. |
bool |
"false" |
no |
retention_violations_should_notify |
Notify for retention violations |
bool |
"true" |
no |
retention_violations_slack_webhook |
Slack webhook for retention violations |
string |
"" |
no |
role_enabled |
Role scanner enabled. |
bool |
"false" |
no |
role_violations_should_notify |
Notify for role violations |
bool |
"true" |
no |
role_violations_slack_webhook |
Slack webhook for role violations |
string |
"" |
no |
securitycenter_disable_polling |
Whether to disable polling for Security Center API |
bool |
"false" |
no |
securitycenter_max_calls |
Maximum calls that can be made to Security Center API |
string |
"14" |
no |
securitycenter_period |
The period of max calls for the Security Center API (in seconds) |
string |
"1.0" |
no |
sendgrid_api_key |
Sendgrid.com API key to enable email notifications |
string |
"" |
no |
server_log_level |
The log level of the Forseti server container. |
string |
"info" |
no |
service_account_key_enabled |
Service account key scanner enabled. |
bool |
"true" |
no |
service_account_key_violations_should_notify |
Notify for service account key violations |
bool |
"true" |
no |
servicemanagement_disable_polling |
Whether to disable polling for Service Management API |
bool |
"false" |
no |
servicemanagement_max_calls |
Maximum calls that can be made to Service Management API |
string |
"2" |
no |
servicemanagement_period |
The period of max calls for the Service Management API (in seconds) |
string |
"1.1" |
no |
sqladmin_disable_polling |
Whether to disable polling for SQL Admin API |
bool |
"false" |
no |
sqladmin_max_calls |
Maximum calls that can be made to SQL Admin API |
string |
"1" |
no |
sqladmin_period |
The period of max calls for the SQL Admin API (in seconds) |
string |
"1.1" |
no |
storage_bucket_location |
GCS storage bucket location |
string |
"us-central1" |
no |
storage_disable_polling |
Whether to disable polling for Storage API |
bool |
"false" |
no |
subnetwork |
The VPC subnetwork where the Forseti client and server will be created |
string |
"default" |
no |
verify_policy_library |
Verify the Policy Library is setup correctly for the Config Validator scanner |
bool |
"false" |
no |
violations_slack_webhook |
Slack webhook for any violation. Will apply to all scanner violation notifiers. |
string |
"" |
no |
workload_identity_namespace |
Workload Identity namespace |
string |
"null" |
no |