elastic · amirbenun · Jan 8, 2026 · Dec 18, 2025 · Dec 18, 2025 · Dec 18, 2025
@@ -0,0 +1,105 @@
+## Elastic Agent Infrastructure Manager (Terraform)
+
+Deploy Elastic Agent for CIS GCP integration using GCP Infrastructure Manager. Creates a compute instance with Elastic Agent pre-installed and configured with necessary permissions.
+
+### Prerequisites
+
+1. Elastic Stack with Fleet Server deployed
+2. GCP project with required permissions (Editor, IAM Admin)
+3. Fleet URL and enrollment token from Kibana
+
+### Quick Deploy
+
+#### Option 1: Cloud Shell (Recommended)
+
+[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/elastic/cloudbeat.git&cloudshell_workspace=deploy/infrastructure-manager&show=terminal&ephemeral=true)
+
+```bash
+# Enable required APIs
+gcloud services enable iam.googleapis.com config.googleapis.com compute.googleapis.com \
+    cloudresourcemanager.googleapis.com cloudasset.googleapis.com
+
+# Set variables from current session
+export PROJECT_ID=$(gcloud config get-value project)
+export ZONE=$(gcloud config get-value compute/zone 2>/dev/null || echo "us-central1-a")
+export LOCATION=$(echo $ZONE | sed 's/-[a-z]$//')  # Extract region from zone (e.g., us-central1-a -> us-central1)
+
+# Deploy
+gcloud infra-manager deployments apply elastic-agent-cspm \
+    --location=${LOCATION} \
+    --service-account="projects/${PROJECT_ID}/serviceAccounts/$(gcloud projects describe ${PROJECT_ID} --format='value(projectNumber)')@cloudservices.gserviceaccount.com" \
+    --git-source-repo="https://github.com/elastic/cloudbeat.git" \
+    --git-source-directory="deploy/infrastructure-manager" \
+    --git-source-ref="main" \
+    --input-values="\
+project_id=${PROJECT_ID},\
+deployment_name=elastic-agent-cspm,\
+zone=${ZONE},\
+fleet_url=YOUR_FLEET_URL,\
+enrollment_token=YOUR_TOKEN,\
+elastic_agent_version=8.19.0,\
+scope=projects,\
+parent_id=${PROJECT_ID},\
+allow_ssh=false"
+```
+
+Replace `YOUR_FLEET_URL` and `YOUR_TOKEN` with your actual values.
+
+For **organization-level** deployment, use `scope=organizations,parent_id=YOUR_ORG_ID`.
+
+#### Option 2: GCP Console
+
+1. Go to [Infrastructure Manager Console](https://console.cloud.google.com/infrastructure-manager/deployments/create)
-1. Go to [Infrastructure Manager Console](https://console.cloud.google.com/infrastructure-manager/deployments/create)
+1. Go to [Infrastructure Manager Console](https://console.cloud.google.com/infra-manager/deployments/create)
-1. Go to [Infrastructure Manager Console](https://console.cloud.google.com/infrastructure-manager/deployments/create)
+1. Go to [Infrastructure Manager Console](https://console.cloud.google.com/infra-manager/deployments/create)
+2. Configure:
+   - **Source**: Git repository
+   - **Repository URL**: `https://github.com/elastic/cloudbeat.git`
+   - **Branch**: `main`
+   - **Directory**: `deploy/infrastructure-manager`
+   - **Location**: `us-central1`
+3. Add input variables (see table below)
+4. Click **Create**
+
+### Input Variables
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `project_id` | Yes | - | GCP Project ID |
+| `deployment_name` | Yes | - | Deployment name |
+| `fleet_url` | Yes | - | Fleet Server URL |
+| `enrollment_token` | Yes | - | Enrollment token (sensitive) |
+| `elastic_agent_version` | Yes | - | Agent version (e.g., `8.15.0`) |
+| `zone` | No | `us-central1-a` | GCP zone |
+| `scope` | No | `projects` | `projects` or `organizations` |
+| `parent_id` | Yes | - | Project ID or Organization ID |
+| `service_account_name` | No | `""` | Existing SA (creates new if empty) |
+| `allow_ssh` | No | `false` | Enable SSH firewall rule |
+
+### Resources Created
+
+- Compute instance (Ubuntu, n2-standard-4, 32GB disk)
+- Service account with `cloudasset.viewer` and `browser` roles
+- VPC network with auto-created subnets
+- IAM bindings (project or organization level)
+- Optional: SSH firewall rule
+
+### Management
+
+**View deployment:**
+```bash
+gcloud infra-manager deployments describe elastic-agent-cspm --location=us-central1
+```
+
+**Delete deployment:**
+```bash
+gcloud infra-manager deployments delete elastic-agent-cspm --location=us-central1
+```
+
+### Troubleshooting
+
+**Check agent logs:**
+```bash
+gcloud compute ssh elastic-agent-cspm --zone us-central1-a
+sudo journalctl -u google-startup-scripts.service
+```
+
+**Console:** [Infrastructure Manager Deployments](https://console.cloud.google.com/infrastructure-manager/deployments)
@@ -0,0 +1,144 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.project_id
+}
+
+locals {
+  create_service_account = var.service_account_name == ""
+  sa_name                = local.create_service_account ? "${var.deployment_name}-sa" : var.service_account_name
+  sa_email               = local.create_service_account ? google_service_account.elastic_agent[0].email : "${var.service_account_name}@${var.project_id}.iam.gserviceaccount.com"
+  network_name           = "${var.deployment_name}-network"
+
+  # Determine install command based on version
+  install_command = startswith(var.elastic_agent_version, "9.") ? "sudo ./elastic-agent install --non-interactive --install-servers" : "sudo ./elastic-agent install --non-interactive"
+}
+
+# VPC Network
+resource "google_compute_network" "elastic_agent" {
+  name                    = local.network_name
+  auto_create_subnetworks = true
+  routing_mode            = "REGIONAL"
+}
+
+# Firewall rule for SSH (optional)
+resource "google_compute_firewall" "ssh" {
+  count   = var.allow_ssh ? 1 : 0
+  name    = "elastic-agent-firewall-rule"
+  network = google_compute_network.elastic_agent.self_link
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+}
+
+# Service Account (created only if not provided)
+resource "google_service_account" "elastic_agent" {
+  count        = local.create_service_account ? 1 : 0
+  account_id   = local.sa_name
+  display_name = "Elastic agent service account for CSPM"
+  project      = var.project_id
+}
+
+# IAM Bindings for Cloud Asset Viewer role
+resource "google_project_iam_member" "cloudasset_viewer" {
+  count   = local.create_service_account && var.scope == "projects" ? 1 : 0
+  project = var.parent_id
+  role    = "roles/cloudasset.viewer"
+  member  = "serviceAccount:${local.sa_email}"
+
+  depends_on = [google_service_account.elastic_agent]
+}
+
+resource "google_project_iam_member" "browser" {
+  count   = local.create_service_account && var.scope == "projects" ? 1 : 0
+  project = var.parent_id
+  role    = "roles/browser"
+  member  = "serviceAccount:${local.sa_email}"
+
+  depends_on = [google_service_account.elastic_agent]
+}
+
+# Organization-level IAM bindings
+resource "google_organization_iam_member" "cloudasset_viewer_org" {
+  count  = local.create_service_account && var.scope == "organizations" ? 1 : 0
+  org_id = var.parent_id
+  role   = "roles/cloudasset.viewer"
+  member = "serviceAccount:${local.sa_email}"
+
+  depends_on = [google_service_account.elastic_agent]
+}
+
+resource "google_organization_iam_member" "browser_org" {
+  count  = local.create_service_account && var.scope == "organizations" ? 1 : 0
+  org_id = var.parent_id
+  role   = "roles/browser"
+  member = "serviceAccount:${local.sa_email}"
+
+  depends_on = [google_service_account.elastic_agent]
+}
+
+# Compute Instance
+resource "google_compute_instance" "elastic_agent" {
+  name         = var.deployment_name
+  machine_type = var.machine_type
+  zone         = var.zone
+
+  labels = {
+    name = "elastic-agent"
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-minimal-2204-lts"
+      size  = 32
+      type  = "pd-standard"
+    }
+    auto_delete = true
+  }
+
+  network_interface {
+    network = google_compute_network.elastic_agent.self_link
+
+    access_config {
+      # Ephemeral public IP
+    }
+  }
+
+  service_account {
+    email = local.sa_email
+    scopes = [
+      "https://www.googleapis.com/auth/cloud-platform",
+      "https://www.googleapis.com/auth/cloudplatformorganizations",
+    ]
+  }
+
+  metadata_startup_script = <<-EOT
+    #!/bin/bash
+    set -x
+    ElasticAgentArtifact=elastic-agent-${var.elastic_agent_version}-linux-x86_64
+    curl -L -O ${var.elastic_artifact_server}/$ElasticAgentArtifact.tar.gz
+    tar xzvf $ElasticAgentArtifact.tar.gz
+    cd $ElasticAgentArtifact
+    ${local.install_command} --url=${var.fleet_url} --enrollment-token=${var.enrollment_token}
+  EOT
+
+  depends_on = [
+    google_service_account.elastic_agent,
+    google_project_iam_member.cloudasset_viewer,
+    google_project_iam_member.browser,
+    google_organization_iam_member.cloudasset_viewer_org,
+    google_organization_iam_member.browser_org,
+  ]
+}
@@ -0,0 +1,24 @@
+output "instance_name" {
+  description = "Name of the compute instance"
+  value       = google_compute_instance.elastic_agent.name
+}
+
+output "instance_id" {
+  description = "ID of the compute instance"
+  value       = google_compute_instance.elastic_agent.id
+}
+
+output "instance_zone" {
+  description = "Zone of the compute instance"
+  value       = google_compute_instance.elastic_agent.zone
+}
+
+output "network_name" {
+  description = "Name of the VPC network"
+  value       = google_compute_network.elastic_agent.name
+}
+
+output "service_account_email" {
+  description = "Email of the service account used by the instance"
+  value       = local.sa_email
+}
diff --git a/deploy/infrastructure-manager/gcp-elastic-agent/service_account.tf b/deploy/infrastructure-manager/gcp-elastic-agent/service_account.tf
@@ -0,0 +1,98 @@
+# This file is used for standalone service account deployment
+# It creates a service account with IAM roles and generates a key
+
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.sa_project_id
+}
+
+variable "sa_project_id" {
+  description = "GCP Project ID"
+  type        = string
+}
+
+variable "sa_deployment_name" {
+  description = "Name of the deployment"
+  type        = string
+  default     = "elastic-agent-cspm-user"
+}
+
+variable "sa_service_account_name" {
+  description = "Service account name"
+  type        = string
+  default     = "elastic-agent-cspm-user-sa"
+}
+
+variable "sa_scope" {
+  description = "Scope for IAM bindings (projects or organizations)"
+  type        = string
+  default     = "projects"
+}
+
+variable "sa_parent_id" {
+  description = "Parent ID (project ID or organization ID)"
+  type        = string
+}
+
+# Service Account
+resource "google_service_account" "cspm_user" {
+  account_id   = var.sa_service_account_name
+  display_name = "Elastic agent service account for CSPM"
+  project      = var.sa_project_id
+}
+
+# Service Account Key
+resource "google_service_account_key" "cspm_user_key" {
+  service_account_id = google_service_account.cspm_user.name
+}
+
+# Project-level IAM bindings
+resource "google_project_iam_member" "cloudasset_viewer" {
+  count   = var.sa_scope == "projects" ? 1 : 0
+  project = var.sa_parent_id
+  role    = "roles/cloudasset.viewer"
+  member  = "serviceAccount:${google_service_account.cspm_user.email}"
+}
+
+resource "google_project_iam_member" "browser" {
+  count   = var.sa_scope == "projects" ? 1 : 0
+  project = var.sa_parent_id
+  role    = "roles/browser"
+  member  = "serviceAccount:${google_service_account.cspm_user.email}"
+}
+
+# Organization-level IAM bindings
+resource "google_organization_iam_member" "cloudasset_viewer_org" {
+  count  = var.sa_scope == "organizations" ? 1 : 0
+  org_id = var.sa_parent_id
+  role   = "roles/cloudasset.viewer"
+  member = "serviceAccount:${google_service_account.cspm_user.email}"
+}
+
+resource "google_organization_iam_member" "browser_org" {
+  count  = var.sa_scope == "organizations" ? 1 : 0
+  org_id = var.sa_parent_id
+  role   = "roles/browser"
+  member = "serviceAccount:${google_service_account.cspm_user.email}"
+}
+
+# Output the service account key
+output "service_account_key" {
+  description = "Service account private key (base64 encoded)"
+  value       = google_service_account_key.cspm_user_key.private_key
+  sensitive   = true
+}
+
+output "service_account_email" {
+  description = "Service account email"
+  value       = google_service_account.cspm_user.email
+}
diff --git a/deploy/infrastructure-manager/gcp-elastic-agent/service_account.tfvars.example b/deploy/infrastructure-manager/gcp-elastic-agent/service_account.tfvars.example
@@ -0,0 +1,8 @@
+# Example tfvars file for service account deployment
+# Copy this to service_account.tfvars and fill in your values
+
+sa_project_id           = "your-gcp-project-id"
+sa_deployment_name      = "elastic-agent-cspm-user"
+sa_service_account_name = "elastic-agent-cspm-user-sa"
+sa_scope                = "projects"  # or "organizations"
+sa_parent_id            = "your-gcp-project-id"  # or organization ID
diff --git a/deploy/infrastructure-manager/gcp-elastic-agent/terraform.tfvars.example b/deploy/infrastructure-manager/gcp-elastic-agent/terraform.tfvars.example
@@ -0,0 +1,14 @@
+# Example terraform.tfvars file
+# Copy this to terraform.tfvars and fill in your values
+
+project_id             = "your-gcp-project-id"
+deployment_name        = "elastic-agent-cspm"
+zone                   = "us-central1-a"
+fleet_url              = "https://your-fleet-url:443"
+enrollment_token       = "your-enrollment-token"
+elastic_agent_version  = "8.15.0"
+elastic_artifact_server = "https://artifacts.elastic.co/downloads/beats/elastic-agent"
+scope                  = "projects"  # or "organizations"
+parent_id              = "your-gcp-project-id"  # or organization ID
+service_account_name   = ""  # leave empty to create new SA
+allow_ssh              = false