You can add multiple projects, known as an "organization", into DivvyCloud. The Organizations tab is available from the Clouds page within DivvyCloud. Details on adding Organizations are below, for questions or issues contact us at [email protected]
Important Things To Note (Authentication & Enable API)
To authenticate against the Google Cloud Platform (GCP) API, a Service Account must be provisioned. Service Accounts can only be defined at the Project level, which is an individual account within a company's Google footprint. The steps below illustrate how to create this Service Account inside of a Project and then link it to the top level Organization. It is vital to link the Service Account or else DivvyCloud won't have visibility to the entire project/folder structure.
Before onboarding the organization, the "Cloud Resource Manager API" must be enabled on the project that will contain the Service Account. Be sure to search for the API in the GCP console and ensure that it shows as Enabled.
You can add a GCP organization to DivvyCloud, enabling automatic addition of all associated cloud accounts (projects) and badging by organizations or folder.
1. To create a service account at the project level in your Google Cloud platform, go to IAM & admin (navigation menu).
- Select the Service Accounts submenu and then select "Create Service Account."
2. Complete your service account details.
- Give the service account a (display) name.
- Give the service account an ID.
- Describe the service account.
- Select "Create."
3. Grant the service account project-level permissions by selecting "Editor" or "Viewer".
4. Add the domain name as a user for the service account, e.g., divvycloud.com.
5. Create the key.
- Use JSON as the key type.
- Save the JSON key generated on "Create".
- Select DONE.
6. Click back into the service account and copy the service account email address.
Store this JSON in a secure place; the JSON contains the only copy of the keys.
7. Select your organization from the top drop-down menu, then select your domain in the listing.
Make sure you switch to your Organization level here. It will not work if you go to IAM at the Project level.
8. To promote the service account inside the domain and grant members permissions for your GCP organization go to the IAM submenu under IAM & admin on the navigation bar.
- Select the Members tab.
- Select the Add tab.
- Paste the service account email address in the New member field.
- Select a role for these members, describing specific permissions you wish the member to have on the entirety of the domain. The roles needed for DivvyCloud for Organization visibility are as follows:
- Resource Manager -> Organization Viewer (Organization Administrator if you're setting up write permissions)
- Resource Manager -> Folder Viewer
- IAM -> Security Reviewer
9. Select Continue.
10. Confirm your selections on the IAM & admin/IAM/Members page. In the example below, the roles selected are IAM:Security Reviewer and Resource Manager:Organization Viewer (you'll need Folder Viewer also).
These steps allow you to add a GCP Organization to DivvyCloud.
1. Sign into your DivvyCloud account and go to the Clouds page (under Cloud on the left-side navigation menu).
2. Click on the Organizations tab, then click Add Organizations.
3. Enter Credentials
- Cloud Technology: GCP
- Domain Name: Will be fetched using the provided Service Account.
4. Paste in the JSON string credential you created on the GCP console above.
5. Select your desired Organization options as follows:
Select the "Limit import scope" checkbox if you would like to limit the import scope. This allows users to specify an individual folder from which to import.
The "Auto-Sync Projects" checkbox is enabled by default and allows DivvyCloud to auto-sync with Projects in your Organization. Note: if you deselect this option you will have to manually add your accounts.
The "Auto-Remove Deleted Accounts" checkbox is enabled by default. If you want to prevent DivvyCloud from removing accounts that are deleted from GCP you will need to uncheck this box.
The "Auto Badge Projects" is enabled by default and allows DivvyCloud to auto-badge your projects with the Organization Domain name.
Badging for Folders.
For GCP Organizations that have auto badging of projects enabled, all clouds corresponding with a project that do not have a parent folder will have a
cloud_org_pathbadge with a value of '/' to signify they are at the root.
Selecting the "Auto Badge Projects" option will also provide automatic badging for Organizations that utilize folders through the new
This badge can be extremely helpful for managing scope around Insights, Bots, and the Compliance Scorecard views for organizational units and lines of business within your cloud footprint.
6. Confirm Addition of Organization by navigating to the Clouds --> Organizations.
- Your organization should be listed. Initially, the listing will show '0' accounts. After an initial harvesting cycle, you should see the correct number of associated accounts for this organization displayed.
To change the import scope to a different folder, or to remove the scope entirely navigate to Clouds --> Organizations. Select the pencil next to the name of the Organization you want to modify. This should allow you to edit or remove the Folder ID associated with the "Limit import scope" function.
As an enhancement to support for provider-base organizations DivvyCloud includes auto badging capabilities. The purpose of auto badging is to create a 1:1 map of AWS account-level tags or GCP project-level labels to Badges in DivvyCloud. This allows Clouds to be scoped to a badge that maps to the account tag.
Auto badging takes place in two stages.
Periodically a process retrieves tags/labels from each account/project and compares them with ResourceTags associated with the corresponding cloud in the DivvyCloud database.
- If there are any changes detected, the ResourceTags in the database are overwritten with the values from the account/project. This means that Cloud Account tags should not be locally modified since any local changes will be overwritten the next time the process runs. Additionally any local changes that are made to Cloud Account tags are not pushed back up to the cloud provider.
Periodically a process retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud the list of tags for that cloud is compared with the current list list of Badges and for each Key/Value pair of tags:
- Existing Badges with a Key prefix of
- If the corresponding Badge with the Key/Value pair for that cloud does not already exist, it is created.
- If a tag Value changes the Badge with the corresponding Key will be updated to that value.
- If a Badge no longer has a tag with a corresponding Key, it will be deleted.
- All Badges that have a corresponding tag will have their
autogeneratedcolumn set to ‘true’ even if they were previously set to ‘false’.
- Existing Badges with a Key prefix of
Updated about a month ago