GCP Services Coverage¶

Version: v0.5.0+ Status: Production Ready Total Events: 100+ Total Services: 12+

TFDrift-Falco v0.5.0 introduces comprehensive Google Cloud Platform (GCP) support, enabling real-time drift detection for GCP resources through Falco's gcpaudit plugin.

Overview¶

TFDrift-Falco monitors GCP Audit Logs to detect infrastructure drift in real-time. The system:

1. Receives GCP Audit Log events via Falco's gcpaudit plugin
2. Parses events to extract resource changes
3. Compares changes against Terraform state (GCS, S3, or local)
4. Alerts on detected drift via configured channels (Slack, Discord, webhooks)

Supported Services¶

Compute (40+ events)¶

Learn more →

Storage (5+ events)¶

Learn more →

Databases (10+ events)¶

Learn more →

Security (12+ events)¶

Learn more → | Learn more → | Learn more →

Containers (9+ events)¶

Learn more → | Learn more →

Serverless (6+ events)¶

Learn more →

Data & Analytics (11+ events)¶

Learn more → | Learn more →

Event Types¶

Supported Operations¶

TFDrift-Falco detects the following types of infrastructure changes:

Example Events¶

# Compute Instance Metadata Change
gcp.methodName: "compute.instances.setMetadata"
gcp.resource.name: "projects/my-project/zones/us-central1-a/instances/web-server"
gcp.authenticationInfo.principalEmail: "admin@example.com"

# Firewall Rule Update
gcp.methodName: "compute.firewalls.update"
gcp.resource.name: "projects/my-project/global/firewalls/allow-http"
gcp.authenticationInfo.principalEmail: "terraform@my-project.iam.gserviceaccount.com"

# GCS Bucket IAM Change
gcp.methodName: "storage.buckets.setIamPolicy"
gcp.resource.name: "projects/_/buckets/my-app-data"
gcp.authenticationInfo.principalEmail: "admin@example.com"

Coverage Comparison¶

TFDrift-Falco v0.5.0 GCP Coverage¶

AWS vs GCP Coverage¶

Roadmap¶

Phase 1: Foundation (v0.5.0) ✅ Complete¶

• ✅ Core GCP services (Compute, Storage, SQL)
• ✅ GCS backend support
• ✅ Falco gcpaudit plugin integration
• ✅ Multi-provider architecture
• ✅ Comprehensive testing

Phase 2: Expansion (v0.6.0) 🔄 Planned¶

• 🔄 Cloud Dataflow
• 🔄 Cloud Dataproc
• 🔄 Cloud Composer
• 🔄 Memorystore (Redis, Memcached)
• 🔄 Cloud Spanner

Phase 3: Advanced (v0.7.0) 📋 Future¶

• 📋 Cloud Armor
• 📋 Cloud CDN
• 📋 Cloud DNS
• 📋 Cloud Load Balancing (advanced)
• 📋 Cloud Logging & Monitoring

Getting Started¶

Prerequisites¶

1. GCP Project with Audit Logs enabled
2. Falco with gcpaudit plugin installed
3. Pub/Sub subscription for Audit Logs
4. Terraform state in GCS, S3, or local

Quick Start¶

# Run the GCP quick-start script
./scripts/gcp-quick-start.sh

# Or follow the manual setup guide
# See: docs/gcp-setup.md

Configuration Example¶

providers:
  gcp:
    enabled: true
    projects:
      - my-gcp-project-123
    state:
      backend: "gcs"
      gcs_bucket: "my-terraform-state"
      gcs_prefix: "prod/terraform.tfstate"

drift_rules:
  - name: "GCP Firewall Rule Modification"
    resource_types:
      - "google_compute_firewall"
    watched_attributes:
      - "allowed"
      - "source_ranges"
    severity: "critical"

  - name: "GCS Bucket IAM Change"
    resource_types:
      - "google_storage_bucket_iam_binding"
    watched_attributes:
      - "members"
    severity: "high"

Documentation¶

• GCP Setup Guide - Complete setup instructions
• Architecture - Multi-cloud architecture details
• Release Notes v0.5.0 - Full release details
• Troubleshooting - Common issues and solutions

Support¶

• GitHub Issues: Report bugs and request features
• GitHub Discussions: Ask questions and share ideas
• Documentation: Complete documentation

Last Updated: 2025-01-18 Version: v0.5.0