
@joecheuk joecheuk released this Aug 22, 2018 · 7 commits to release-2.2.0 since this release

Summary

Installer

  • Shared VPC support: the installer can now deploy into a shared VPC. Specify the following flags at the start of the deployment:
    • vpc-host-project-id
    • vpc-host-network
    • vpc-host-subnetwork
  • G Suite updates: G Suite integration is now optional. Forseti will not inventory any G Suite groups/users if the G Suite super admin email is not provided. You can learn more about the details here.
  • The Forseti server region and zone are now templatized.

Inventory

  • Compute Engine Disk Snapshots: Compute Engine disk snapshots are now inventoried.
  • Container: the masterAuth attribute of container clusters is now retained in inventory, but its values are redacted.
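The masterAuth change above (keep the keys, drop the values) is worth seeing in code, because the point is that credential material never reaches the inventory store while a rule can still tell which auth mechanisms were configured. The following is an added example, not Forseti's own inventory code; the cluster dict is constructed for the example, with field names taken from the GKE API and made-up values.

```python
import copy

# Constructed sample of a GKE cluster resource as an inventory crawler might
# receive it. Field names follow the GKE API; the values are made up.
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "location": "us-central1-a",
    "masterAuth": {
        "username": "admin",
        "password": "example-password-do-not-use",
        "clusterCaCertificate": "LS0tLS1CRUdJTiBDRVJU...",
        "clientCertificate": "LS0tLS1CRUdJTiBDRVJU...",
        "clientKey": "LS0tLS1CRUdJTiBSU0Eg...",
        "clientCertificateConfig": {"issueClientCertificate": True},
    },
}

REDACTED = "[redacted]"


def _redact_values(obj):
    """Replace every leaf value with REDACTED, keeping dict keys and list shape."""
    if isinstance(obj, dict):
        return {key: _redact_values(value) for key, value in obj.items()}
    if isinstance(obj, list):
        return [_redact_values(value) for value in obj]
    return REDACTED


def redact_master_auth(cluster):
    """Return a copy of the cluster with masterAuth keys kept but all values redacted.

    The input dict is left untouched. Keeping the keys lets a scanner rule
    still see which auth mechanisms were present (e.g. that a username was
    set) without the secret material itself being stored.
    """
    redacted = copy.deepcopy(cluster)
    auth = redacted.get("masterAuth")
    if isinstance(auth, dict):
        redacted["masterAuth"] = _redact_values(auth)
    return redacted


def leaks_any(resource, secrets):
    """True if any of the given secret strings still appears in the serialized resource."""
    text = repr(resource)
    return any(secret in text for secret in secrets)


if __name__ == "__main__":
    safe = redact_master_auth(SAMPLE_CLUSTER)
    print(sorted(safe["masterAuth"]))      # keys survive
    print(safe["masterAuth"]["password"])  # value replaced with [redacted]
```

`leaks_any` is the check to keep in a unit test around any crawler that touches credential-bearing resources: serialize what would be persisted and assert none of the known sample secrets appears in it.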

Notifier

  • CSCC API Mode: Improved usability of Forseti findings in Cloud Security Command Center by including more useful information (e.g. rule name and db source) in the display item. You can find the instructions on how to set up CSCC integration here.

Scanner

  • Group Scanner: Updated to avoid scanning members with no rule.
  • BigQuery Scanner: Updated to respect resources.
  • IAM Scanner: Updated to audit allUsers correctly.

Enforcer

  • Enforcer is now updated to use the common gcp_api compute client.

Fixes/Updates

  • API client: Add mixins for Insert, Update, Delete actions
  • Logger: Updated to use exception() instead of error() when logging inside an except block, so that the stack trace is recorded as well.
  • Group scanner test is re-enabled.
  • Suppressed noisy app errors in unit tests.
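The logger change above is easy to get wrong in the other direction, so here is an added example (not Forseti's code) that shows the difference: inside an except block, `error()` records only the message, while `exception()` attaches the active exception so the formatted record carries the traceback. The failing lookup and the capture handler are constructed for the example.

```python
import logging


class _RecordCapture(logging.Handler):
    """Handler that keeps emitted LogRecords so they can be inspected."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def _fresh_logger(name):
    """Logger with a single capture handler and no propagation to root."""
    logger = logging.getLogger(name)
    for handler in list(logger.handlers):
        logger.removeHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    capture = _RecordCapture()
    logger.addHandler(capture)
    return logger, capture


def _fail():
    # Constructed failure: a lookup that always raises KeyError.
    return {}["missing-key"]


def log_with_error():
    """The old pattern: error() inside except; no traceback is attached."""
    logger, capture = _fresh_logger("demo.error")
    try:
        _fail()
    except KeyError:
        logger.error("lookup failed")
    return capture.records[0]


def log_with_exception():
    """The new pattern: exception() inside except; exc_info is attached."""
    logger, capture = _fresh_logger("demo.exception")
    try:
        _fail()
    except KeyError:
        logger.exception("lookup failed")
    return capture.records[0]


def has_traceback(record):
    """True when the record carries exception info a formatter will render."""
    return bool(record.exc_info and record.exc_info[0] is not None)


def render(record):
    """Format a record the way a file or console handler would."""
    return logging.Formatter("%(levelname)s %(message)s").format(record)


if __name__ == "__main__":
    print(render(log_with_error()))      # one line, no traceback
    print(render(log_with_exception()))  # same message plus the traceback
```

Both calls log at ERROR level; the only difference is the attached `exc_info`, which is what makes the stack trace show up in the server log when a handler formats the record.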

Upgrade instructions

  • If you deployed version v2.0.0 or v2.1.0: because of a deployment script change in v2.2.0, your forseti-security checkout must be on the older git tag of the version you deployed when you run the Deployment Manager update command.
  • Complete instructions
    • Download the Forseti server deployment template from the Forseti server GCS bucket; the template is located under the folder deployment_templates.
    • Update the fields in the deployment template as described on the Forseti official website, in the section Change deployment properties under Upgrading 2.X installations.
      • Specifically, change these default values for the newly added fields in the deploy-forseti-server-{HASH}.yaml to:
        • vpc-host-project-id: {YOUR_PROJECT_ID}
        • vpc-host-network: default
        • vpc-host-subnetwork: default
    • Put the deployment template file under forseti-security/deployment-templates/ in your cloud shell.
    • Make sure the git tag of forseti-security is on the same Forseti version you ran the deployment on (e.g. if you deployed version v2.0.0, you will need to make sure forseti-security is on git tag v2.0.0).
    • You can verify the git tag by running git status in the forseti-security folder.
    • Run command gcloud deployment-manager deployments update {DEPLOYMENT_NAME} --config path/to/deploy-forseti-server-{HASH}.yaml to do the update.
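The two places this upgrade goes wrong in practice are a placeholder left in one of the three new VPC fields and a checkout on the wrong tag. The following added pre-flight script (not part of Forseti or its installer) checks both before the `gcloud deployment-manager deployments update` step. It assumes the three properties appear as plain `key: value` lines in the template; the template fragments are constructed for the example, and the tag check uses `git describe --tags --exact-match` rather than the `git status` the steps above mention.

```python
import re
import subprocess

# The three properties v2.2.0 adds to deploy-forseti-server-{HASH}.yaml.
REQUIRED_VPC_FIELDS = ("vpc-host-project-id", "vpc-host-network", "vpc-host-subnetwork")

# Placeholders of the form {YOUR_PROJECT_ID} that must be replaced before the update.
_PLACEHOLDER = re.compile(r"\{[A-Z_]+\}")
_KEY_VALUE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")

# Constructed template fragments (assumption: the properties are plain
# `key: value` lines; the surrounding structure is made up for the example).
READY_TEMPLATE = """\
resources:
- name: forseti-server
  properties:
    vpc-host-project-id: example-host-project
    vpc-host-network: default
    vpc-host-subnetwork: default
"""

UNFINISHED_TEMPLATE = """\
resources:
- name: forseti-server
  properties:
    vpc-host-project-id: {YOUR_PROJECT_ID}
    vpc-host-network: default
"""


def find_vpc_fields(template_text):
    """Return {field: value} for each required field found in the template text."""
    found = {}
    for line in template_text.splitlines():
        match = _KEY_VALUE.match(line)
        if match and match.group(1) in REQUIRED_VPC_FIELDS:
            found[match.group(1)] = match.group(2).strip("'\"")
    return found


def preflight_template(template_text):
    """List what would make the update run with a bad template; [] means go ahead."""
    problems = []
    fields = find_vpc_fields(template_text)
    for name in REQUIRED_VPC_FIELDS:
        if name not in fields:
            problems.append(f"missing field: {name}")
        elif not fields[name]:
            problems.append(f"empty value: {name}")
        elif _PLACEHOLDER.search(fields[name]):
            problems.append(f"placeholder not replaced: {name}={fields[name]}")
    return problems


def tag_matches(expected_tag, repo_dir="."):
    """True if repo_dir is checked out at exactly expected_tag (needs git on PATH)."""
    try:
        result = subprocess.run(
            ["git", "-C", repo_dir, "describe", "--tags", "--exact-match"],
            capture_output=True, text=True, check=True)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return False
    return result.stdout.strip() == expected_tag


def update_command(deployment_name, config_path):
    """The gcloud invocation from the upgrade steps, as an argv list (not executed here)."""
    return ["gcloud", "deployment-manager", "deployments", "update",
            deployment_name, "--config", config_path]


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py deploy-forseti-server-{HASH}.yaml v2.0.0 DEPLOYMENT_NAME
    template_path, deployed_tag, deployment = sys.argv[1:4]
    with open(template_path) as handle:
        issues = preflight_template(handle.read())
    if not tag_matches(deployed_tag):
        issues.append(f"forseti-security is not checked out at {deployed_tag}")
    if issues:
        sys.exit("\n".join(issues))
    print(" ".join(update_command(deployment, template_path)))
```

The script only prints the update command when every check passes, so the actual `gcloud` run stays a deliberate step; if `git describe` reports no exact tag, that is treated as a failure rather than a pass.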

Thanks to our contributors!

All changes

ab2346b (tag: v2.2.0, origin/release-2.2.0, release-2.2.0) Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into release-2.2.0
50db302 (origin/dev, origin/HEAD) Improve CSCC usability (#1907)
074769c Added space
b8418c3 Increment version to 2.2.0
30aff07 (dev) Merge stable to dev (#1940)
e08356c Updated Installer prompt that G Suite is optional (#1936)
cee4193 Updated Installer with G Suite optional (#1934)
402a22b [Issue 1848] Fix for more log pollution of tests. (#1921)
479bf7d Updated the group scanner to avoid scanning members with no rule (#1905)
94f60fc Removed unused variable in required section when generating the deployment template. (#1924)
5069400 [Fixes #1865] Fix bigquery scanner to respect resources (#1884)
6abf60a [Issue 1848] Mock out server errors for invalid arguments to eliminate log pollution in tests. (#1919)
088f46d Templatize Forseti server region and Zone (#1887)
639bd6d Removed sample from actual rule names (#1916)
5cf529d Fix dev installer (#1917)
e5ab500 [Fixes #1859] Remove dependency on the _metadata server module from google.auth (#1860)
f511cd2 Inventory and model compute snapshots (#1893)
33101ea Fixes #1871, Update Enforcer to use the common gcp_api compute client. (#1904)
f2a959a [Issue 1848] Mock out logger to fix almost all remaining instances of pollution of test logs. Remaining issues involve server and will likely require some production refactoring. (#1903)
03c81c6 [Issue 1848] Mock out logger to fix pollution of test logs. (#1899)
6249e00 Updated logger to use exception() instead of error() when it's logging inside an except block. (#1897)
6d82da4 Add a flake8 test (pycodestyle) to check for pep8 related style (#1896)
b509dbc Added try catch before uploading files to gcs bucket. (#1895)
c1aae0f update stacktrace in broad excepts issue#1797 (#1836)
ad10bf6 Remove cluster auth data, but keep keys (#1888)
8af6b33 [Issue #1848] Fixing logging to use Forseti logging infrastructure. (#1890)
181a559 Fixing CrawlerTest to use Forseti Logging infrastructure (#1889)
c0b783e Update docker_unittest_forseti.sh (#1886)
d4b907a Restore VPC Support (#1874)
705dc31 Collapse apt layers in base dockerfile (#1883)
e3e1116 Fix iam scanner so that it audits allUsers correctly (#1878)
26fdd51 Re-enable groups scanner test (#1873)
9fddb9b (break_down_query, alpha_role_handling) Add Compute client methods to insert, update and delete firewall rules. (#1872)
363ecb2 Add Billing Account log sinks to Inventory (#1839)
f1da48b Added requriemodel decorator to the scanner run method, pin the version of ruamel.yaml library (#1870)
4fc6568 Fixing copy and paste error in test description (#1867)
0298934 [Issue 1848] Fix a test that is emitting errors and polluting the logs. (#1857)
3b1a974 Clean up test dependencies (#1858)
3a5f894 Refactor server.py to move config classes into base/config.py. (#1854)
6f942a0 Fixes to gcloud.py and Service Account Support (#1815)
