Import Infrastructure Objects via Google Cloud

Import Infrastructure Objects from your IaaS account(s)

The Infrastructure Catalog allows you to import Infrastructure Objects across your various Google projects to get a view across your entire software ecosystem.

Once imported, you can see details about your objects (source account, region, storage size, etc.), filter ("How many databases do I have cumulatively across all my accounts?"), and define relationships between Infrastructure Objects and Services, Systems, and other Infrastructure Objects.

Integrating a Google Cloud account with OpsLevel

Setup

Create a Google Cloud service account

To integrate your Google account with OpsLevel, you must first create a service account in any Google Cloud project:

  • Navigate to the IAM & Admin page
  • Navigate to Service Accounts in the left sidebar menu
  • Press "Create Service Account"
  • Enter a name and description for the service account, and copy the service account's email address
  • Press "Done"; we'll configure access using IAM Resource Manager

Configure service account access

Now, we'll configure the role to allow OpsLevel to list cloud assets for the projects you want to sync into your account.

  • As an organization admin, go to the IAM Resource Manager
  • Select the entire organization or whatever projects/folders you want OpsLevel's service account to have access to
  • Press "Add Principal"
  • Paste the service account's email into "New principals" and select it from the dropdown
  • Assign the "Cloud Asset Viewer" and "Viewer" roles, then press Save

⚠️

If you are integrating with multiple service accounts, ensure the project scopes are distinct to avoid issues with duplicated resources.
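
To check the role assignment above from an exported IAM policy, this added example (not OpsLevel's code) compares the roles bound to a service account with the two this page assigns. The service account email and the sample policy are constructed; `roles/cloudasset.viewer` and `roles/viewer` are the role IDs behind the "Cloud Asset Viewer" and "Viewer" display names.

```python
import json

# Role IDs for the two roles the page assigns ("Cloud Asset Viewer" and "Viewer").
EXPECTED_ROLES = {"roles/cloudasset.viewer", "roles/viewer"}

# Constructed service account email, used only for this example.
SA_EMAIL = "opslevel-sync@example-project.iam.gserviceaccount.com"

# Constructed sample in the shape printed by
# `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudasset.viewer",
         "members": ["serviceAccount:" + SA_EMAIL]},
        {"role": "roles/viewer",
         "members": ["user:admin@example.com", "serviceAccount:" + SA_EMAIL]},
        {"role": "roles/editor",
         "members": ["serviceAccount:" + SA_EMAIL]},
    ]
}


def audit_service_account(policy, sa_email, expected=EXPECTED_ROLES):
    """Compare the roles bound to one service account with the expected set."""
    member = ("serviceAccount:" + sa_email).lower()
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        members = {m.lower() for m in binding.get("members", [])}
        if member not in members:
            continue
        granted.add(binding["role"])
        # A binding with an IAM condition only applies when the condition holds.
        if binding.get("condition"):
            conditional.add(binding["role"])
    return {
        "missing": sorted(expected - granted),  # roles the page asks for that are absent
        "excess": sorted(granted - expected),   # roles beyond what the page asks for
        "conditional": sorted(conditional),
    }


if __name__ == "__main__":
    print(json.dumps(audit_service_account(SAMPLE_POLICY, SA_EMAIL), indent=2))
```

Bindings inherited from a parent folder or organization do not appear in a child resource's policy, so export the policy at the level where the principal was added.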

Create a service account key

A service account key lets you manage OpsLevel's access to this account safely. OpsLevel requires details from this key to connect to your Google Cloud account.

  • Return to the Service Accounts page in GCP.
  • Find your OpsLevel service account, press the 3 dots, and select "Manage Keys".
  • Select Add Key -> Create new key -> JSON -> Create.
  • A JSON file should automatically be downloaded. We'll need the contents of this file for the next step when integrating with OpsLevel.

Enable Google Cloud APIs

OpsLevel uses the Cloud Resource Manager API to fetch the projects the service account has access to, and the Cloud Asset API to sync the resources in each project. Both APIs must be enabled for OpsLevel to sync successfully.

❗️

Google Cloud IAM Policy changes take 2-7 minutes to take effect. We recommend waiting 7 minutes before moving on to integrating with OpsLevel.

Connect OpsLevel to Google Cloud

Finally, we're ready to make the connection to Google Cloud in the OpsLevel platform.

  • As an OpsLevel admin, navigate to the New Integration page.
  • Select the Google Cloud card.
  • Enter a name for the integration.
  • Upload the JSON file downloaded in the "Create a service account key" step.
  • Press "Integrate with Google".

OpsLevel will now start syncing your Google Cloud resources.

Verify the Google Cloud integration was successful

Once you have integrated with Google Cloud, you should be able to see it by navigating to Installed Integrations via Integrations on the side navigation. Once you've clicked on your integration, you will be able to see details such as the service email and when it was last synced.

If "Last Synced" does not change from "Never" within 10 minutes, you may have been affected by GCP's IAM policy delay. Try triggering a sync manually with "Update Infrastructure Resources" before reaching out to support.

Inferring ownership/relationships via Google Cloud labels

Many Google Cloud customers use labels within the admin console to assign ownership or relationships to Infrastructure Objects. Our Google Cloud Integration allows you to leverage these existing tags to make ownership or relationship assignment for Infrastructure Objects simple.

Note that certain characters (:, @, =, and +) in tags will be converted to underscores - so, for instance, the key infra:dependency will be converted to infra_dependency.

Ownership Tags

By default, when a new integration is created we set a default ownership defining tag key of owner. If the value of owner matches a Team alias we will automatically assign ownership of that Infrastructure Object to that Team. Ownership for these objects will be locked from the UI or API.

You can use GraphQL to update the array of tag keys. You can also use GraphQL to configure whether tags should override existing ownership using the tagsOverrideOwnership field. You can click here to go to the GraphiQL client with the query and mutation samples pre-filled.

Sample query to list all Google Cloud integrations in the account, with id for reference in the mutation below:

query google_cloud_integrations {
  account {
    integrations(type: "googleCloud") {
      nodes {
        ... on GoogleCloudIntegration {
          name
          id
          createdAt
          ownershipTagKeys
        }
      }
    }
  }
}

Sample mutation updating the tags used for ownership inference on a Google Cloud integration:

mutation googleCloudIntegrationUpdate_override_tags {
  googleCloudIntegrationUpdate(
    integration: {id: "XXX"}
    input: {ownershipTagKeys: ["owner", "team"], tagsOverrideOwnership: true}
  ) {
    integration {
      id
      name
      ... on GoogleCloudIntegration {
        aliases
        ownershipTagKeys
        tagsOverrideOwnership
      }
    }
    errors {
      message
      path
    }
  }
}
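
To check labels before relying on ownership inference, this added example (not OpsLevel's code) applies the character conversion described above and flags resources whose labels would collide after conversion or whose owner value matches no team alias. The resource names, labels and team aliases are constructed, and matching ownership keys after conversion with an exact alias comparison is an assumption about how inference behaves.

```python
import re

# Characters the page says are converted to underscores in tag keys.
CONVERTED = re.compile(r"[:@=+]")


def normalize_key(key):
    """Apply the documented conversion, e.g. infra:dependency -> infra_dependency."""
    return CONVERTED.sub("_", key)


def audit_labels(resources, team_aliases, ownership_keys=("owner",)):
    """Return (resource, issue, detail) findings for labels that would not infer
    ownership as intended. Assumption: ownership keys are matched after
    conversion and values are compared with team aliases exactly."""
    findings = []
    for name, labels in sorted(resources.items()):
        by_norm = {}
        for key, value in labels.items():
            by_norm.setdefault(normalize_key(key), {})[key] = value
        # Two distinct keys that become the same key after conversion.
        for norm, originals in sorted(by_norm.items()):
            if len(originals) > 1:
                findings.append((name, "key-collision", norm))
        owners = set()
        for key in ownership_keys:
            owners.update(by_norm.get(normalize_key(key), {}).values())
        if not owners:
            findings.append((name, "no-ownership-label", ""))
        elif len(owners) > 1:
            findings.append((name, "conflicting-owners", ",".join(sorted(owners))))
        for value in sorted(owners - set(team_aliases)):
            findings.append((name, "unknown-team-alias", value))
    return findings


# Constructed sample data: resource names, labels and aliases are made up.
RESOURCES = {
    "projects/demo/instances/db-1": {
        "owner": "payments", "infra:dependency": "api", "infra_dependency": "web"},
    "projects/demo/buckets/logs": {"owner": "platfrom"},  # typo, matches no alias
    "projects/demo/topics/events": {"team": "platform"},  # no "owner" key
}
TEAM_ALIASES = {"payments", "platform"}

if __name__ == "__main__":
    for finding in audit_labels(RESOURCES, TEAM_ALIASES):
        print(finding)
```

Passing `ownership_keys=("owner", "team")` mirrors the `ownershipTagKeys` value in the sample mutation and clears the finding for the resource labelled only with `team`.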

Relationship Tags

By default, OpsLevel sets default relationship-defining tag keys for belongs_to (opslevel-belongs-to), dependency_of (opslevel-dependency-of) and depends_on (opslevel-depends-on) relationships. These labels can be used inside of your GCP account to manage relationships using tags.

You can use GraphQL or the Account Settings UI to update the array of tag keys used for each of these relationships. Modifying these tag keys/prefixes allows for the use of existing tagging schemes to infer different relationship types.

You can update the tags used for relationship inference on a Google Cloud integration.

If you prefer using GraphQL for configuration, here is a sample mutation for updating the tags used for relationship inference on a Google Cloud integration:

mutation assignUpdatedTagRelationships {
  tagRelationshipKeysAssign(input: {
    dependsOn: ["opslevel-depends-on", "depends-on"],
    dependencyOf: ["opslevel-dependency-of", "dependency-of"],
    belongsTo: "part-of"
  }) {
    errors { message path }
    tagRelationshipKeys {
      belongsTo
      dependencyOf
      dependsOn
    }
  }
}

What Infrastructure objects and types are imported?

We support a wide range of commonly used Google Cloud Infrastructure Objects and Types as part of our integration, namely:

  • Cache
    • Memorystore Redis
    • Memorystore Memcache
  • Compute
    • Compute Engine
  • Database
    • CloudSQL
    • Firestore & Datastore
    • BigQuery Dataset
    • Bigtable Instance
    • Spanner Instance
  • Networking
    • Compute Networks
  • Serverless Function
    • Cloud Functions
  • Containerized Application
    • Cloud Run services
  • File Storage
    • Google Cloud Storage Buckets
  • Queue
    • Pub/Sub Topics
    • Pub/Sub Subscriptions

If there is an Object or Type not listed that you would be interested in importing, please reach out to our customer support team.

We synchronize changes from Google Cloud every 12 hours.

Accessing Infrastructure objects

You can access your imported infrastructure objects by selecting Infrastructure in Catalog from the side navigation.

You can discover even more information about your Infrastructure Objects by clicking the View Details icon in the table. This will open a drawer component that will display when the object was last synced along with a host of attributes we've pulled in from Google Cloud around that object.

For a full breakdown of what we've synced from your Google account, you can select the Raw JSON tab.